Showing results for 
Search instead for 
Did you mean: 

Find malicious scripts in WMI Event Customer


This query looks for malicious Event Consumers which are using powershell or cmd to execute payload.

What The Data Shows:

Scripts utilising powershell or cmd are rarely found in command line template of Event Consumer. Thus, when we found one, most likely this was created by  malware for persistence.


select * from wmi_cli_event_consumers 
where command_line_template like '%powershell%' or command_line_template like '%cmd%'
Community Manager
Community Manager

Hello @christofersimba thank you for your contribution!  We'll vet this submission and if it runs as expected we'll change this status of your query from Under Review to CB Approved.

Thanks again!

Ed Sullivan

Carbon Black Employee
Status changed to: Approved

This is awesome, thanks for taking the time to share. We have updated the status to CB Approved. Congrats!