
Find malicious scripts in WMI Event Consumers

Description:

This query looks for WMI CommandLineEventConsumer instances whose command-line template launches powershell or cmd to execute a payload.

What The Data Shows:

Command-line templates that invoke powershell or cmd are rarely found in WMI Event Consumers on a normal system (a clean Windows install typically has no CommandLineEventConsumer instances at all; the built-in SCM Event Log Consumer is an NTEventLogEventConsumer and does not appear in this table). So when one turns up, it was most likely created by malware for persistence. Two things to keep in mind when triaging hits: LIKE is case-insensitive for ASCII in osquery's SQLite engine, so CMD.EXE and PowerShell.exe match as well, and '%cmd%' also matches any path or argument that merely contains that substring, so review each result rather than alerting on it blindly.

SQL: 

SELECT * FROM wmi_cli_event_consumers
WHERE command_line_template LIKE '%powershell%' OR command_line_template LIKE '%cmd%'
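The following is an added example, not code from the original post or from Carbon Black. It rebuilds the three osquery WMI tables that Audit & Remediation exposes (wmi_cli_event_consumers, wmi_filter_consumer_binding, wmi_event_filters) in an in-memory SQLite database, since osquery is SQLite underneath, fills them with constructed rows, and runs the post's query extended with joins to the binding and filter tables so the analyst also sees which WMI event triggers each consumer. The column lists, the sample rows and the assumption that the binding's consumer/filter columns hold object paths of the form CommandLineEventConsumer.Name="X" are mine, not taken from the post.

```python
import sqlite3

# Reduced schema of the osquery tables used by the query (only the columns
# needed here are reproduced; this is an assumption of the example).
SCHEMA = """
CREATE TABLE wmi_cli_event_consumers (
    name TEXT, command_line_template TEXT, executable_path TEXT,
    class TEXT, relative_path TEXT);
CREATE TABLE wmi_event_filters (
    name TEXT, query TEXT, query_language TEXT, class TEXT, relative_path TEXT);
CREATE TABLE wmi_filter_consumer_binding (
    consumer TEXT, filter TEXT, class TEXT, relative_path TEXT);
"""

# Constructed sample rows, not real telemetry. "UpdaterConsumer" mimics the
# usual persistence shape: a hidden, encoded PowerShell command bound to a
# filter that fires shortly after boot. The -Enc payload is a placeholder.
CONSUMERS = [
    ("UpdaterConsumer",
     "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     None, "CommandLineEventConsumer", "root\\subscription"),
    ("CleanupTask",
     "CMD.EXE /c del C:\\Temp\\*.log",        # upper case on purpose: LIKE still matches
     None, "CommandLineEventConsumer", "root\\subscription"),
    ("LegitBackup",
     "C:\\Tools\\backup.exe /quiet",          # no shell in the template: must not match
     "C:\\Tools\\backup.exe", "CommandLineEventConsumer", "root\\subscription"),
]
FILTERS = [
    ("UpdaterFilter",
     "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
     "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND "
     "TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325",
     "WQL", "__EventFilter", "root\\subscription"),
]
BINDINGS = [
    ('CommandLineEventConsumer.Name="UpdaterConsumer"',
     '__EventFilter.Name="UpdaterFilter"',
     "__FilterToConsumerBinding", "root\\subscription"),
]

# The post's query plus LEFT JOINs to the binding and filter tables. The
# binding columns hold WMI object paths ending in .Name="<name>", hence the
# LIKE-based join (assumption: names contain no LIKE wildcards). LEFT JOIN
# keeps consumers that have no binding at all, which is itself worth a look.
QUERY = """
SELECT c.name, c.command_line_template, f.name AS filter_name, f.query AS filter_query
FROM wmi_cli_event_consumers c
LEFT JOIN wmi_filter_consumer_binding b
       ON b.consumer LIKE '%.Name="' || c.name || '"'
LEFT JOIN wmi_event_filters f
       ON b.filter LIKE '%.Name="' || f.name || '"'
WHERE c.command_line_template LIKE '%powershell%'
   OR c.command_line_template LIKE '%cmd%'
ORDER BY c.name
"""


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wmi_cli_event_consumers VALUES (?,?,?,?,?)", CONSUMERS)
    conn.executemany("INSERT INTO wmi_event_filters VALUES (?,?,?,?,?)", FILTERS)
    conn.executemany("INSERT INTO wmi_filter_consumer_binding VALUES (?,?,?,?)", BINDINGS)
    return conn


def find_suspicious_consumers(conn: sqlite3.Connection):
    """Run the detection query; returns (name, template, filter_name, filter_query) tuples."""
    return [tuple(row) for row in conn.execute(QUERY)]


if __name__ == "__main__":
    for name, template, filt, wql in find_suspicious_consumers(build_sample_db()):
        print(f"{name}: {template}")
        print(f"  trigger: {filt or '(no binding found)'}")
        if wql:
            print(f"  filter query: {wql}")
```

Against the constructed rows the query returns CleanupTask (matched despite the upper-case CMD.EXE, with no bound filter) and UpdaterConsumer together with the uptime-window filter that fires it, and skips LegitBackup. The same SQL, minus the Python wrapper, can be pasted into Live Query as-is, since osquery evaluates it with the same SQLite LIKE semantics.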
2 Comments
esullivan
Carbon Black Employee

Hello @christofersimba, thank you for your contribution! We'll vet this submission and if it runs as expected we'll change the status of your query from Under Review to CB Approved.

Thanks again!

Ed Sullivan

tmccormack
Carbon Black Employee
Status changed to: Approved

This is awesome, thanks for taking the time to share. We have updated the status to CB Approved. Congrats!