This query looks for malicious WMI Event Consumers that use powershell or cmd to execute a payload.
What The Data Shows:
Scripts utilising powershell or cmd are rarely found in the command line template of an Event Consumer. Thus, when we find one, it was most likely created by malware for persistence.
select * from wmi_cli_event_consumers
where command_line_template like '%powershell%' or command_line_template like '%cmd%'
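As an added example (not part of the original submission), the same check can be extended to join the consumer to its WMI event filter through the binding table, so an analyst sees which WQL trigger fires the powershell/cmd template. It assumes osquery's wmi_filter_consumer_binding.consumer and .filter columns hold the same relative_path strings as wmi_cli_event_consumers and wmi_event_filters.

```sql
-- Added example, not the original submission's query.
-- Assumption: binding.consumer / binding.filter match the relative_path
-- of the consumer and filter tables respectively.
SELECT
  c.name                  AS consumer_name,
  c.command_line_template,
  c.executable_path,
  f.name                  AS filter_name,
  f.query                 AS trigger_wql,
  c.relative_path         AS consumer_path
FROM wmi_cli_event_consumers c
-- LEFT JOIN keeps consumers that have no binding yet; they are still worth review.
LEFT JOIN wmi_filter_consumer_binding b ON b.consumer = c.relative_path
LEFT JOIN wmi_event_filters f           ON f.relative_path = b.filter
-- lower() makes the match explicit regardless of how the template is cased.
WHERE lower(c.command_line_template) LIKE '%powershell%'
   OR lower(c.command_line_template) LIKE '%cmd%';
```

Rows with a NULL filter_name mean the consumer exists but is not bound to any trigger; rows with a populated trigger_wql show exactly what event starts the script.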
Hello @christofersimba, thank you for your contribution! We'll vet this submission and if it runs as expected we'll change the status of your query from Under Review to CB Approved.
This is awesome, thanks for taking the time to share. We have updated the status to CB Approved. Congrats!