Built on the open source project osquery
Description:
This query looks for potentially malicious WMI command-line Event Consumers that use PowerShell or cmd.exe to execute a payload.
What The Data Shows:
Scripts that invoke PowerShell or cmd.exe are rarely found in the command line template of a WMI Event Consumer. When one is found, it was most likely created by malware for persistence.
SQL:
select * from wmi_cli_event_consumers
where command_line_template like '%powershell%' or command_line_template like '%cmd%'
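As an added example (not part of the original article), the query above run over constructed rows loaded into an in-memory SQLite table that mirrors the osquery table's column names (assumed), so the match logic can be checked offline; `build_query` also generalises the page's two patterns so that other interpreters, such as pwsh, can be added to the same check.

```python
import sqlite3

# Constructed sample rows shaped like osquery's wmi_cli_event_consumers table
# (column set assumed: name, command_line_template, executable_path, class, relative_path).
SAMPLE_CONSUMERS = [
    ("SCM Event Log Consumer", "", "", "NTEventLogEventConsumer", r"\\.\root\subscription"),
    ("BVTConsumer", "cscript KernCap.vbs", "", "CommandLineEventConsumer", r"\\.\root\subscription"),
    ("Updater", r"PowerShell.exe -File C:\ProgramData\upd.ps1", "", "CommandLineEventConsumer", r"\\.\root\subscription"),
    ("Cleanup", r"C:\Windows\System32\cmd.exe /c del %TEMP%\*.log", "", "CommandLineEventConsumer", r"\\.\root\subscription"),
    ("Report", r"pwsh.exe -File C:\Scripts\report.ps1", "", "CommandLineEventConsumer", r"\\.\root\subscription"),
]


def build_query(patterns=("powershell", "cmd")):
    """Return (sql, params). The default patterns reproduce the page's query, parameterised."""
    where = " or ".join("command_line_template like ?" for _ in patterns)
    return (f"select * from wmi_cli_event_consumers where {where}",
            [f"%{p}%" for p in patterns])


def load_consumers(rows):
    """Load constructed rows into an in-memory SQLite table named like the osquery table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table wmi_cli_event_consumers "
                 "(name text, command_line_template text, executable_path text, "
                 "class text, relative_path text)")
    conn.executemany("insert into wmi_cli_event_consumers values (?, ?, ?, ?, ?)", rows)
    return conn


def find_suspicious_consumers(rows=SAMPLE_CONSUMERS, patterns=("powershell", "cmd")):
    """Run the detection and return the names of matching consumers, in table order."""
    sql, params = build_query(patterns)
    conn = load_consumers(rows)
    try:
        return [row[0] for row in conn.execute(sql, params)]
    finally:
        conn.close()


if __name__ == "__main__":
    for name in find_suspicious_consumers():
        print("suspicious consumer:", name)
```

SQLite's `like` (which osquery also uses) is case-insensitive for ASCII, so `PowerShell.exe` matches `%powershell%`; it is also a plain substring match, so any path or argument containing `cmd` will match and each hit still needs review.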
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.