Suspicious WMI Event Subscription Created

Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.

Elastic rule

[metadata]
creation_date = "2023/02/02"
integration = ["windows", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.15.0"
min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0."

[rule]
author = ["Elastic"]
description = """
Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to
SYSTEM privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-endpoint.events.api-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMI Event Subscription Created"
references = [
    "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
    "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96",
]
risk_score = 47
rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Sysmon",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where
 (
   (event.dataset == "windows.sysmon_operational" and event.code == "21" and
    winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or

   (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and
    process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
 )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious WMI Event Subscription Created

Windows Management Instrumentation (WMI) is a powerful framework for managing data and operations on Windows systems. It allows for event subscriptions that can trigger actions based on system events. Adversaries exploit this for persistence by creating event subscriptions that execute malicious scripts or commands. The detection rule identifies such abuse by monitoring specific event codes and API calls related to the creation of suspicious WMI event consumers, flagging potential threats.

### Possible investigation steps

- Review the event logs for event code 21 in the windows.sysmon_operational dataset to identify the specific WMI event subscription created, focusing on the winlog.event_data.Operation and winlog.event_data.Consumer fields.
- Examine the process details associated with the IWbemServices::PutInstance API call in the endpoint.events.api dataset, particularly the process.Ext.api.parameters.consumer_type, to determine the nature of the consumer created.
- Investigate the source and context of the command or script associated with the CommandLineEventConsumer or ActiveScriptEventConsumer to assess its legitimacy and potential malicious intent.
- Check for any related processes or activities around the time of the event to identify potential lateral movement or further persistence mechanisms.
- Correlate the findings with other security alerts or logs to determine if this event is part of a broader attack pattern or campaign.

### False positive analysis

- Legitimate administrative scripts or tools may create WMI event subscriptions for system monitoring or automation. Review the source and context of the event to determine if it aligns with known administrative activities.
- Software installations or updates might use WMI event subscriptions as part of their setup or configuration processes. Verify if the event coincides with recent software changes and consider excluding these specific events if they are routine.
- Security software or management tools often use WMI for legitimate purposes. Identify and document these tools in your environment, and create exceptions for their known behaviors to reduce noise.
- Scheduled tasks or system maintenance scripts may trigger similar events. Cross-reference with scheduled task logs or maintenance windows to confirm if these are expected activities.
- Custom scripts developed in-house for system management might inadvertently match the detection criteria. Ensure these scripts are documented and consider excluding their specific signatures from the rule.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious processes associated with the WMI event subscription, specifically those linked to CommandLineEventConsumer or ActiveScriptEventConsumer.
- Remove the malicious WMI event subscription by using WMI management tools or scripts to delete the identified event consumer.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats.
- Review and reset any compromised credentials, especially if SYSTEM privileges were potentially accessed or escalated.
- Monitor the network for any signs of similar activity or attempts to recreate the WMI event subscription, using enhanced logging and alerting mechanisms.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.003"
name = "Windows Management Instrumentation Event Subscription"
reference = "https://attack.mitre.org/techniques/T1546/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
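To make the two branches of the EQL query concrete, the following added example (not Elastic's code) re-implements the rule's predicate in Python and runs it over constructed Sysmon event 21 and Elastic Defend WMI API records. It assumes events as flat dicts keyed by the ECS field names used in the query; the `from = "now-9m"` time window is not modelled.

```python
import fnmatch

# Consumer classes the rule treats as suspicious (from the EQL query above).
SUSPICIOUS_CONSUMERS = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies either branch of the rule's query."""
    dataset = event.get("event.dataset")
    if dataset == "windows.sysmon_operational":
        # Branch 1: Sysmon EID 21 (WmiEvent, consumer-to-filter binding activity).
        # EQL ':' is a case-insensitive wildcard match, so lower-case both sides.
        op = str(event.get("winlog.event_data.Operation", "")).lower()
        consumer = str(event.get("winlog.event_data.Consumer", "")).lower()
        return (
            event.get("event.code") == "21"
            and op == "created"
            and any(fnmatch.fnmatchcase(consumer, f"*subscription:{c.lower()}*")
                    for c in SUSPICIOUS_CONSUMERS)
        )
    if dataset == "endpoint.events.api":
        # Branch 2: Elastic Defend WMI activity, PutInstance creating a consumer.
        return (
            event.get("event.provider") == "Microsoft-Windows-WMI-Activity"
            and event.get("process.Ext.api.name") == "IWbemServices::PutInstance"
            and event.get("process.Ext.api.parameters.consumer_type") in SUSPICIOUS_CONSUMERS
        )
    return False


def alerting_indices(events: list) -> list:
    """Indices of the events that would raise this rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample records (not real telemetry). Only 0 and 3 should fire:
# 1 is a deletion, not a creation; 2 and 4 use consumer classes the rule ignores.
SYSMON = {"event.dataset": "windows.sysmon_operational", "event.code": "21"}
DEFEND = {"event.dataset": "endpoint.events.api",
          "event.provider": "Microsoft-Windows-WMI-Activity",
          "process.Ext.api.name": "IWbemServices::PutInstance"}
SAMPLE_EVENTS = [
    {**SYSMON, "winlog.event_data.Operation": "Created",
     "winlog.event_data.Consumer": r'\\.\root\subscription:CommandLineEventConsumer.Name="Updater"'},
    {**SYSMON, "winlog.event_data.Operation": "Deleted",
     "winlog.event_data.Consumer": r'\\.\root\subscription:CommandLineEventConsumer.Name="Updater"'},
    {**SYSMON, "winlog.event_data.Operation": "Created",
     "winlog.event_data.Consumer": r'\\.\root\subscription:NTEventLogEventConsumer.Name="Audit"'},
    {**DEFEND, "process.Ext.api.parameters.consumer_type": "ActiveScriptEventConsumer"},
    {**DEFEND, "process.Ext.api.parameters.consumer_type": "LogFileEventConsumer"},
]

if __name__ == "__main__":
    print("alerting events:", alerting_indices(SAMPLE_EVENTS))  # → [0, 3]
```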