WMI / PowerShell

WMI

WmiPrvSE.exe (the WMI Provider Host) is the process that runs commands issued through WMI, including those sent from a remote machine. WmiPrvSE facilitates the interface between WMI and the operating system.

WMI event subscriptions also use the following consumers:

  • CommandLineEventConsumer - cmd execution

  • ActiveScriptEventConsumer - persistence

When an ActiveScriptEventConsumer fires, it spawns a process called 'scrcons.exe'; that process is worth digging into.
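The following script is an added example, not part of the original note, that turns the two consumer types above into a triage check: it lists every permanent WMI event subscription (filter, consumer and the binding between them) on the local host and marks the CommandLineEventConsumer and ActiveScriptEventConsumer instances for review. It assumes a Windows host with the CIM cmdlets (PowerShell 3 or later) and an elevated prompt; the `__FilterToConsumerBinding` reference properties are assumed to expose the referenced object's `Name` key, which is how they are resolved here.

```powershell
# Added example (not from the original note): enumerate permanent WMI event
# subscriptions and flag the consumer classes the note calls out.
# Assumptions: Windows, PowerShell 3+ CIM cmdlets, run from an elevated prompt.
$ns         = 'root\subscription'
$suspicious = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

# Pull each piece once; __EventConsumer returns instances of every derived consumer class.
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

foreach ($binding in $bindings) {
    # Filter and Consumer are object references; CIM surfaces their key property (Name).
    $filter   = $filters   | Where-Object { $_.Name -eq $binding.Filter.Name }   | Select-Object -First 1
    $consumer = $consumers | Where-Object { $_.Name -eq $binding.Consumer.Name } | Select-Object -First 1
    if (-not $consumer) { continue }   # dangling binding: consumer was deleted

    $class = $consumer.CimClass.CimClassName

    # What the consumer will actually run when the filter's WQL query matches.
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate; break }
        'ActiveScriptEventConsumer' {
            if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName }
            break
        }
        default                     { $null }
    }

    [pscustomobject]@{
        Filter       = if ($filter) { $filter.Name } else { '<missing>' }
        Query        = if ($filter) { $filter.Query } else { $null }   # trigger, e.g. a timer or process-start event
        Consumer     = $consumer.Name
        ConsumerType = $class
        Payload      = $payload
        Flag         = if ($suspicious -contains $class) { 'REVIEW' } else { '' }
    }
}
```

On a clean workstation the output is typically empty or limited to a handful of vendor-created subscriptions; any `REVIEW` row whose `Query` fires on boot, on a timer, or on logon and whose `Payload` launches a script host or encoded command is the pattern the note's persistence bullet refers to. Pipe the output to `Format-Table -Wrap` or `Export-Csv` when collecting from many hosts.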

PowerShell

wsmprovhost.exe is used to host PSRemoting sessions on the target machine.

If 'PowerShell.exe' is executed with a parent process of 'svchost.exe' it is a good indicator that an admin session was spawned.

If 'cmd.exe' is the parent, it's worth looking at as likely code injection.
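As an added example (not part of the original note), the script below applies the parent-process indicators from this page and the WMI section to the live process list: it resolves the parent of every powershell.exe, scrcons.exe, wsmprovhost.exe and WmiPrvSE.exe instance and annotates the relationships the note calls out. It assumes a Windows host with the CIM cmdlets; because `Win32_Process` only records the parent PID, a parent that has already exited, or whose PID has since been reused, is reported as unknown rather than guessed.

```powershell
# Added example (not from the original note): parent-process triage for the
# process names discussed on this page. Assumes Windows and PowerShell 3+ CIM cmdlets.
$procs = @(Get-CimInstance -ClassName Win32_Process)

# Index by PID so parent lookups are O(1). ProcessId is UInt32; normalise to int keys.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$ofInterest = @('powershell.exe', 'scrcons.exe', 'wsmprovhost.exe', 'wmiprvse.exe')

foreach ($p in $procs | Where-Object { $ofInterest -contains $_.Name.ToLower() }) {
    $parent = $byPid[[int]$p.ParentProcessId]

    # PID reuse check: a "parent" created after its child is a different process
    # that inherited the PID, so treat it as unknown rather than mis-attribute it.
    if ($parent -and $parent.CreationDate -and $p.CreationDate -and
        $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

    $parentName = if ($parent) { $parent.Name.ToLower() } else { '<unknown>' }
    $pair       = "$($p.Name.ToLower())|$parentName"

    # Indicators taken from the note; first matching pattern wins.
    $note = switch -Wildcard ($pair) {
        'powershell.exe|svchost.exe'     { 'PowerShell under svchost.exe: likely admin/remote session'; break }
        'powershell.exe|cmd.exe'         { 'PowerShell under cmd.exe: review for code injection'; break }
        'powershell.exe|wsmprovhost.exe' { 'PowerShell inside a PSRemoting session'; break }
        'wsmprovhost.exe|*'              { 'PSRemoting session host running'; break }
        'scrcons.exe|*'                  { 'ActiveScriptEventConsumer host running: inspect'; break }
        '*|wmiprvse.exe'                 { 'Spawned by the WMI provider host: check for remote WMI execution'; break }
        default                          { '' }
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Process     = $p.Name
        ParentPID   = $p.ParentProcessId
        Parent      = $parentName
        Started     = $p.CreationDate
        CommandLine = $p.CommandLine
        Note        = $note
    }
}
```

Run it against a snapshot rather than a live incident where possible, since the rows only reflect processes alive at the moment of collection; Sysmon event 1 or Security 4688 records with parent information cover the short-lived cases (an ActiveScriptEventConsumer payload often exits within seconds). `Select-Object` on the `Note` column, or `Where-Object { $_.Note }`, reduces the output to just the flagged relationships.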
