WMI-Activity Operational log (Microsoft-Windows-WMI-Activity/Operational)

Present by default on Windows 8 / Server 2012 and later. The useful event IDs:

EID   Description
5857  Provider loaded: records the provider DLL (ProviderPath) and the hosting wmiprvse.exe PID. wbemcons.dll (which hosts the CommandLineEventConsumer and the other standard consumers) is loaded when a command-line consumer fires; ActiveScriptEventConsumer scripts run in scrcons.exe instead.
5858  Query errors: the message includes ClientMachine, User and ClientProcessId alongside the failing query, so it attributes WMI activity (including remote queries) even when the query did not succeed.
5859  Permanent event filter activated: shows the trigger, i.e. the Namespace, NotificationQuery and OwnerSID of the __EventFilter.
5860  Temporary event subscription: an in-process subscription (for example from a running script or PowerShell Register-WmiEvent) with its query and HostProcess; not persistence on its own, but shows who was watching for what.
5861  Filter-to-consumer binding created (new permanent consumer): the message carries the full filter and consumer instances, so it identifies what will be executed when the event filter fires. BEST PLACE TO LOOK.

Common consumer names (legitimate by default, but attackers reuse these names to blend in, so do not filter them out blindly; check what the consumer actually runs):

  • SCM Event Log

  • BVTFilter

  • TSLogonEvent.vbs

  • TSLogonFilter.vbs

  • RAevent.vbs

  • RmAssistEventFilter.vbs

  • KernCap.vbs

  • NTEventLogConsumer

  • WSCEAA.exe (Dell)

Also search the logs, in particular the consumer portion of the 5861 message (the CommandLineTemplate or ScriptText), for:

PowerShell, Eval, .vbs, .ps1, ActiveXObject
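The hunt described above, as an added PowerShell example that is not part of the original notes: it pulls EID 5861 from the WMI-Activity/Operational log (live or from an exported .evtx), extracts the consumer name, flags the keywords listed above and labels the known-legitimate names without suppressing them. The `KnownGood` and `Keywords` lists are the ones on this page; the regex used to pull the consumer name out of the message text is an assumption about the 5861 message layout, so unparsed entries fall back to the full `Message`.

```powershell
# Added example (not from the original notes). Triage EID 5861 permanent-consumer
# registrations and cross-check them against the live WMI repository.
# Assumption: the 5861 message text contains "Consumer = <Class>="<Name>"".

function Find-SuspiciousWmiConsumer {
    [CmdletBinding()]
    param(
        # Optional exported .evtx; default is the live log on this host (run elevated).
        [string]$Path,
        # Legitimate consumer names from the notes above; used to label output, not to drop it.
        [string[]]$KnownGood = @('SCM Event Log', 'BVTFilter', 'TSLogonEvent.vbs', 'TSLogonFilter.vbs',
                                 'RAevent.vbs', 'RmAssistEventFilter.vbs', 'KernCap.vbs',
                                 'NTEventLogConsumer', 'WSCEAA.exe'),
        # Regex patterns worth flagging inside CommandLineTemplate / ScriptText.
        [string[]]$Keywords  = @('PowerShell', 'Eval', '\.vbs', '\.ps1', 'ActiveXObject')
    )

    $filter = @{ Id = 5861 }
    if ($Path) { $filter.Path = $Path }
    else       { $filter.LogName = 'Microsoft-Windows-WMI-Activity/Operational' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $msg = $_.Message
        # Consumer name as written in the message; '<unparsed>' if the layout differs.
        $consumer = if ($msg -match 'Consumer\s*=\s*([^;\r\n]+)') { $Matches[1].Trim() } else { '<unparsed>' }
        $hits  = @($Keywords  | Where-Object { $msg -match $_ })        # -match is case-insensitive
        $known = @($KnownGood | Where-Object { $consumer -like "*$_*" })

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Consumer    = $consumer
            KnownGood   = ($known.Count -gt 0)
            Hits        = ($hits -join ', ')
            Message     = $msg      # full filter + consumer instances; read this for anything flagged
        }
    }
}

# What is bound right now in the repository. A 5861 with no live binding means the
# consumer was later removed; a live binding with no 5861 means the log rolled or was cleared.
function Get-LiveWmiBinding {
    Get-CimInstance -Namespace 'root/subscription' -ClassName __FilterToConsumerBinding |
        Select-Object Filter, Consumer
}

# Typical triage: unknown names first, but keep known names that carry suspicious
# keywords, since attackers reuse benign consumer names to blend in.
Find-SuspiciousWmiConsumer |
    Where-Object { -not $_.KnownGood -or $_.Hits } |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Consumer, KnownGood, Hits, Message

Get-LiveWmiBinding | Format-Table -AutoSize
```

Reading the live log requires an elevated prompt; for offline work, export the log with `wevtutil epl Microsoft-Windows-WMI-Activity/Operational wmi.evtx` and pass `-Path .\wmi.evtx` (the live cross-check is then only meaningful on the original host).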
