Active Script Event Consumers
Overview
Evidence: Active Script Event Consumers
Description: Dump WMI Active Script Event Consumers
Category: Persistence
Platform: Windows
Short Name: wmiasc
Is Parsed: Yes - WMI consumers parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No
Background
WMI ActiveScript Event Consumers execute VBScript or JScript code when specific WMI events occur. This is a powerful persistence mechanism that allows attackers to run arbitrary scripts with SYSTEM privileges in response to system events.
ActiveScript consumers are particularly dangerous because they don't require a file on disk (fileless persistence) and run with high privileges.
Data Collected
Name: Consumer name (example: MaliciousConsumer)
PayloadScriptEngine: Scripting engine (example: VBScript)
PayloadScriptText: Script code (example: Set objShell = CreateObject("WScript.Shell")...)
Collection Method
This collector queries WMI for ActiveScriptEventConsumer instances in multiple namespaces:
ROOT\Subscription
ROOT\DEFAULT
ROOT\CIMV2
Usage
ActiveScript consumers are a common advanced persistence technique. Investigators use this data to detect WMI script-based persistence, identify malicious VBScript/JScript payloads, and track fileless malware techniques.
Known Limitations
Only shows current consumers
Can be in non-standard namespaces
Requires WMI service
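A manual cross-check for the collection and the namespace limitation described above, as an added example that is not the collector's own code. It goes beyond the three listed namespaces by walking the whole namespace tree, and it pairs each consumer with the event filter that triggers it. The function names are hypothetical, and the assumption is that the collector's PayloadScriptEngine and PayloadScriptText fields correspond to the ScriptingEngine and ScriptText properties of the WMI class.

```powershell
# Added example (not the collector's code). Run elevated on the host under review.

# Walk the namespace tree so consumers outside ROOT\Subscription, ROOT\DEFAULT
# and ROOT\CIMV2 are also found.
function Get-WmiNamespace {
    param([string]$Root = 'ROOT')
    $Root
    Get-CimInstance -Namespace $Root -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespace -Root "$Root\$($_.Name)" }
}

# Hash the script body so the same payload can be matched across hosts.
function Get-Sha256Hex {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $null }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally { $sha.Dispose() }
}

function Get-ActiveScriptConsumerReport {
    foreach ($ns in Get-WmiNamespace) {
        # Namespaces where the class is not registered return an error; skip them.
        $consumers = @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
        if ($consumers.Count -eq 0) { continue }
        $bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
        $filters  = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
        foreach ($c in $consumers) {
            # Bindings whose Consumer reference points at this ActiveScript consumer.
            $bound = @($bindings | Where-Object {
                $_.Consumer.CimSystemProperties.ClassName -eq 'ActiveScriptEventConsumer' -and
                $_.Consumer.Name -eq $c.Name })
            # Assumption: the bound filter lives in the same namespace as the binding.
            $queries = foreach ($b in $bound) {
                ($filters | Where-Object { $_.Name -eq $b.Filter.Name }).Query
            }
            [pscustomobject]@{
                Namespace        = $ns
                Name             = $c.Name
                ScriptingEngine  = $c.ScriptingEngine
                ScriptFilename   = $c.ScriptFilename
                ScriptTextSha256 = Get-Sha256Hex $c.ScriptText
                ScriptText       = $c.ScriptText
                IsBound          = ($bound.Count -gt 0)
                TriggerQueries   = @($queries)
            }
        }
    }
}

Get-ActiveScriptConsumerReport | Format-List
```

A consumer only fires when a __FilterToConsumerBinding links it to an event filter, so the IsBound and TriggerQueries columns show whether an entry is live and which event starts it.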
Notes
Any ActiveScriptEventConsumer should be carefully investigated as this is a common ATT&CK technique (T1546.003). The script content should be analyzed for malicious behavior.