windows_wmi_impersonate_token.yml

name: Windows WMI Impersonate Token
id: cf192860-2d94-40db-9a51-c04a2e8a8f8b
version: 1
date: '2022-10-24'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic identifies a possible wmi token impersonation
  activities in a process or command. This technique was seen in Qakbot malware where
  it will execute a vbscript code contains wmi impersonation object to gain privilege
  escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe
  SourceImage having a duplicate handle or full granted access in a target process.
data_source:
- Sysmon EventID 10
search: '`sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe"  GrantedAccess IN ("0x1478",
  "0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage
  TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId
  GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `windows_wmi_impersonate_token_filter`'
how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which
  includes EventCode 10. This search uses an input macro named `sysmon`. We strongly
  recommend that you specify your environment-specific configurations (index, source,
  sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations
  for your Splunk environment. The search also uses a post-filter macro designed to
  filter out known false positives.
known_false_positives: administrator may execute impersonate wmi object script for
  auditing. Filter is needed.
references:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md
- https://www.joesandbox.com/analysis/278341/0/html
tags:
  analytic_story:
  - Qakbot
  asset_type: Endpoint
  confidence: 50
  impact: 50
  message: wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$
    to $TargetImage$ process in $dest$
  mitre_attack_id:
  - T1047
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - SourceImage
  - TargetImage
  - SourceProcessGUID
  - TargetProcessGUID
  - SourceProcessId
  - TargetProcessId
  - GrantedAccess
  - CallTrace
  - dest
  risk_score: 25
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
    update_timestamp: true