Active Script Event Consumers
Overview
Evidence: WMI Active Script
Description: Dump WMI Active Script Event Consumers
Category: System
Platform: windows
Short Name: wmiasc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
WMI ActiveScriptEventConsumer instances execute VBScript or JScript when a bound WMI event fires. A permanent event subscription has three parts: an __EventFilter holding a WQL query that describes the trigger (a process start, a timer, a logon), the consumer holding the action (here, the script), and a __FilterToConsumerBinding that ties the two together. The script is run by the scripting consumer host (scrcons.exe) under the LocalSystem account, so an attacker who can create a subscription (which requires administrative rights) gets SYSTEM-level code execution on every matching event without a service, scheduled task, or Run key.
ActiveScript consumers are particularly dangerous because the script body lives inside the WMI repository (%SystemRoot%\System32\wbem\Repository\OBJECTS.DATA) rather than as a separate script file on disk. File-based antivirus scanning and autorun checks that do not enumerate WMI subscriptions miss it entirely, which is why the technique is grouped with fileless persistence.
Data Collected
This collector gathers structured data about every WMI ActiveScriptEventConsumer instance found on the host.
WMI Active Script Data
Field                 Description        Example
Name                  Consumer name      MaliciousConsumer
PayloadScriptEngine   Scripting engine   VBScript
PayloadScriptText     Script code        Set objShell = CreateObject("WScript.Shell")...
Collection Method
This collector queries WMI for ActiveScriptEventConsumer instances (the class's ScriptingEngine and ScriptText properties supply PayloadScriptEngine and PayloadScriptText) in multiple namespaces:
ROOT\Subscription
ROOT\DEFAULT
ROOT\CIMV2
The consumer class is normally registered in ROOT\Subscription (and ROOT\DEFAULT on older systems), but the consumer provider can be registered in other namespaces, so a check limited to ROOT\Subscription alone can miss a deliberately relocated subscription.
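The following PowerShell is an added example of the enumeration described above and is not the collector's own code. It walks the three namespaces, tolerates namespaces where the consumer class is not registered, and joins each consumer to its __FilterToConsumerBinding and __EventFilter so the trigger query is shown next to the script. The output column names PayloadScriptEngine and PayloadScriptText mirror the fields in the table above; the heuristic pattern list is a constructed triage aid, not an indicator set from the original page. It must be run from an elevated shell.

```powershell
# Added example, not part of the collector. Enumerate ActiveScriptEventConsumer
# instances in the namespaces the collector checks and attach the trigger query.
$namespaces = 'ROOT\Subscription', 'ROOT\DEFAULT', 'ROOT\CIMV2'

# Constructed heuristic patterns for triage (assumption: these are common in
# malicious consumer scripts; tune to your environment).
$suspicious = 'WScript\.Shell', 'powershell', '-enc', 'FromBase64String',
              'MSXML2\.XMLHTTP', 'WinHttp', 'ADODB\.Stream', 'cmd(\.exe)?\s+/c'

function Get-RefName($ref) {
    # Get-CimInstance returns reference properties (Filter, Consumer) as partial
    # CimInstance objects; Get-WmiObject would return an object-path string such as
    # ActiveScriptEventConsumer.Name="MaliciousConsumer". Handle both shapes.
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $null
    }
    return $ref.Name
}

function Convert-CreatorSid($bytes) {
    # CreatorSID is stored as a byte array; translate it to S-1-5-... form.
    if (-not $bytes) { return $null }
    try { return [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0).Value }
    catch { return $null }
}

foreach ($ns in $namespaces) {
    # -ErrorAction Stop turns "Invalid class" / "Invalid namespace" into a
    # terminating error so the catch block can skip the namespace cleanly.
    try {
        $consumers = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction Stop
    } catch {
        Write-Verbose "Skipping $ns : $($_.Exception.Message)"
        continue
    }

    # Bindings and filters live in the same namespace as the consumer they reference.
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    $filters  = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue

    foreach ($c in $consumers) {
        # Find every binding whose Consumer reference points at this consumer,
        # then resolve the bound filters to their WQL queries.
        $filterNames = @($bindings | Where-Object { (Get-RefName $_.Consumer) -eq $c.Name } |
                         ForEach-Object { Get-RefName $_.Filter })
        $queries = @($filters | Where-Object { $filterNames -contains $_.Name } |
                     ForEach-Object { $_.Query })

        # A consumer may carry its script inline (ScriptText) or point at a file
        # on disk (ScriptFilename); report whichever is populated.
        $text = if ($c.ScriptText) { $c.ScriptText } else { "(ScriptFilename: $($c.ScriptFilename))" }
        $flags = @($suspicious | Where-Object { $text -match $_ })

        [pscustomobject]@{
            Namespace           = $ns
            Name                = $c.Name
            PayloadScriptEngine = $c.ScriptingEngine
            CreatorSID          = Convert-CreatorSid $c.CreatorSID
            Unbound             = ($filterNames.Count -eq 0)   # consumer with no binding never fires
            TriggerQuery        = ($queries -join ' | ')
            Flags               = ($flags -join ',')
            PayloadScriptText   = $text
        }
    }
}
```

Pipe the output to `Format-List` or `Export-Csv` for review. The Unbound column matters during triage: a consumer with no binding is inert (possibly a failed or partially cleaned-up install), whereas one bound to a filter such as a `__InstanceModificationEvent` on `Win32_LocalTime` fires on a schedule and deserves immediate attention.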
Forensic Value
ActiveScript consumers are a well-established persistence technique among both commodity malware and targeted intrusions. Investigators use this data to detect WMI script-based persistence, identify malicious VBScript/JScript payloads, and track fileless malware techniques. A consumer on its own never runs; correlate each one with its __FilterToConsumerBinding and __EventFilter to learn what triggers it, and review ScriptFilename as well as the script text, since a consumer may reference a script file instead of embedding code. Legitimate management software also registers consumers, so judge by the script content, the creator SID, and the trigger rather than by presence alone. Corroborating sources are the Microsoft-Windows-WMI-Activity/Operational log (event ID 5861 records creation of a permanent subscription) and, where Sysmon is deployed, event IDs 19, 20 and 21 for filter, consumer and binding activity.