suspicious WMI Event Consumer creates named pipe

Author: Neo23x0

sysmonconfig-export.xml

@@ -958,6 +958,7 @@
 				<PipeName condition="begin with">\wkssvc</PipeName>
 				<!-- Other specific named pipes -->
 				<PipeName condition="contains">6e7645c4-32c5-4fe3-aabf-e94c2f4370e7</PipeName> <!-- LiquidSnake hacktool https://github.com/RiccardoAncarani/LiquidSnake -->
+				<Image condition="end with">\scrcons.exe</Image> <!-- Susupicious WMI Event Consumer creating a named pipe -->
 			</PipeEvent>
 		</RuleGroup>
 		<!-- we skip the connect pipe event since they could be to noisy and a CreatePipe event should come before these -->