WMI Active Script
Overview
Evidence: WMI Active Script
Description: Dump WMI Active Script Event Consumers
Category: System
Platform: windows
Short Name: wmiasc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
WMI ActiveScript Event Consumers execute VBScript or JScript code when specific WMI events occur. This is a powerful persistence mechanism that allows attackers to run arbitrary scripts with SYSTEM privileges in response to system events.
ActiveScript consumers are particularly dangerous because they don’t require a file on disk (fileless persistence) and run with high privileges.
Data Collected
This collector gathers structured data about WMI ActiveScript event consumers.
WMI Active Script Data
| Field | Description | Example |
|---|---|---|
| Name | Consumer name | MaliciousConsumer |
| PayloadScriptEngine | Scripting engine | VBScript |
| PayloadScriptText | Script code | Set objShell = CreateObject("WScript.Shell")… |
Collection Method
This collector queries WMI for ActiveScriptEventConsumer instances in multiple namespaces:
- ROOT\Subscription
- ROOT\DEFAULT
- ROOT\CIMV2
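An added example (not the collector's own code) that performs the same enumeration with PowerShell's CIM cmdlets across the three namespaces above and joins each consumer to its __FilterToConsumerBinding, so the __EventFilter query that triggers the script is visible alongside it. It assumes local administrator rights, and that the WMI properties ScriptingEngine and ScriptText are what the collector reports as PayloadScriptEngine and PayloadScriptText.

```powershell
# Added example, not the collector's own code. Enumerates ActiveScriptEventConsumer
# instances in the namespaces the collector queries and, where a
# __FilterToConsumerBinding exists, shows which event filter triggers each script.
$namespaces = @('ROOT\Subscription', 'ROOT\DEFAULT', 'ROOT\CIMV2')

$results = foreach ($ns in $namespaces) {
    try {
        $consumers = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction Stop
    } catch {
        # The class is normally registered only in ROOT\Subscription; a namespace
        # without it (or an access-denied error) lands here and is skipped.
        Write-Verbose "$ns : $($_.Exception.Message)"
        continue
    }

    # Bindings and filters live beside the consumers in the same namespace.
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    $filters  = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue

    foreach ($c in $consumers) {
        # Assumption: the binding's Consumer reference deserialises to a CimInstance
        # whose Name key is populated, so matching on Name is sufficient here.
        $binding = $bindings | Where-Object { $_.Consumer.Name -eq $c.Name } | Select-Object -First 1
        $query   = '<no binding>'
        if ($binding) {
            $filter = $filters | Where-Object { $_.Name -eq $binding.Filter.Name } | Select-Object -First 1
            if ($filter) { $query = $filter.Query }
        }

        [PSCustomObject]@{
            Namespace           = $ns
            Name                = $c.Name
            PayloadScriptEngine = $c.ScriptingEngine   # WMI property behind the PayloadScriptEngine column
            PayloadScriptText   = $c.ScriptText        # WMI property behind the PayloadScriptText column
            TriggerQuery        = $query               # WQL from the bound __EventFilter, if any
        }
    }
}

# Any row is worth review on a host with no known WMI subscriptions; a consumer
# with a binding (TriggerQuery populated) is an active persistence entry.
$results | Format-List
```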
Forensic Value
ActiveScript consumers are a common advanced persistence technique. Investigators use this data to detect WMI script-based persistence, identify malicious VBScript/JScript payloads, and track fileless malware techniques.