scrons.exe Rare Child Process

The Cortex XDR – Analytics scrons.exe Rare Child Process alert indicates a scrons.exe spawned a child process, which may indicate remote code execution abuse by an attacker.

Synopsis

10 minutes.
3 days.
14 days.
10 minutes.
Traps endpoint data.
Execution.

Description

The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.

Related Documentation