/
wmi_permanent_event_subscription___sysmon.yml
84 lines (79 loc) · 3.2 KB
/
wmi_permanent_event_subscription___sysmon.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: WMI Permanent Event Subscription - Sysmon
id: ad05aae6-3b2a-4f73-af97-57bd26cee3b9
version: 2
date: '2023-11-07'
author: Rico Valdez, Michael Haag, Splunk
status: production
type: TTP
description: 'This analytic looks for the creation of WMI permanent event subscriptions.
The following analytic identifies the use of WMI Event Subscription to establish
persistence or perform privilege escalation. WMI can be used to install event filters,
providers, consumers, and bindings that execute code when a defined event occurs.
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe)
and thus may result in elevated SYSTEM privileges. This analytic is restricted by
commonly added process execution and a path. If the volume is low enough, remove
the values and flag on any new subscriptions.
All event subscriptions have three components
1. Filter - WQL Query for the events we want. EventID = 19
1. Consumer - An action to take upon triggering the filter. EventID = 20
1. Binding - Registers a filter to a consumer. EventID = 21
Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding.
It may be pertinent to review all 3 to identify the flow of execution. In addition,
EventCode 4104 may assist with any other PowerShell script usage that registered
the subscription.'
data_source:
- Sysmon EventID 21
search: '`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation,
EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`'
how_to_implement: To successfully implement this search, you must be collecting Sysmon
data using Sysmon version 6.1 or greater and have Sysmon configured to generate
alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least
version 6.0.4 of the Sysmon TA installed to properly parse the fields.
known_false_positives: Although unlikely, administrators may use event subscriptions
for legitimate purposes.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
- https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md
- https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
tags:
analytic_story:
- Suspicious WMI Use
asset_type: Endpoint
confidence: 100
impact: 30
message: WMI Permanent Event Subscription detected on $dest$ by $user$
mitre_attack_id:
- T1546.003
- T1546
observable:
- name: dest
type: Endpoint
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- host
- user
- Operation
- EventType
- Query
- Consumer
- Filter
risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog