/
windows_wmi_impersonate_token.yml
69 lines (69 loc) · 2.66 KB
/
windows_wmi_impersonate_token.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: Windows WMI Impersonate Token
id: cf192860-2d94-40db-9a51-c04a2e8a8f8b
version: 1
date: '2022-10-24'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic identifies a possible wmi token impersonation
activities in a process or command. This technique was seen in Qakbot malware where
it will execute a vbscript code contains wmi impersonation object to gain privilege
escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe
SourceImage having a duplicate handle or full granted access in a target process.
data_source:
- Sysmon EventID 10
search: '`sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe" GrantedAccess IN ("0x1478",
"0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage
TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId
GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `windows_wmi_impersonate_token_filter`'
how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which
includes EventCode 10. This search uses an input macro named `sysmon`. We strongly
recommend that you specify your environment-specific configurations (index, source,
sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations
for your Splunk environment. The search also uses a post-filter macro designed to
filter out known false positives.
known_false_positives: administrator may execute impersonate wmi object script for
auditing. Filter is needed.
references:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md
- https://www.joesandbox.com/analysis/278341/0/html
tags:
analytic_story:
- Qakbot
asset_type: Endpoint
confidence: 50
impact: 50
message: wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$
to $TargetImage$ process in $dest$
mitre_attack_id:
- T1047
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- SourceImage
- TargetImage
- SourceProcessGUID
- TargetProcessGUID
- SourceProcessId
- TargetProcessId
- GrantedAccess
- CallTrace
- dest
risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
update_timestamp: true