Suspicious WMI Event Subscription Created

 1[metadata]
 2creation_date = "2023/02/02"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to
11SYSTEM privileges.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Suspicious WMI Event Subscription Created"
18references = [
19    "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
20    "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96",
21]
22risk_score = 47
23rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643"
24severity = "medium"
25tags = [
26    "Domain: Endpoint",
27    "OS: Windows",
28    "Use Case: Threat Detection",
29    "Tactic: Persistence",
30    "Data Source: Sysmon",
31]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36any where event.dataset == "windows.sysmon_operational" and event.code == "21" and
37    winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1546"
45name = "Event Triggered Execution"
46reference = "https://attack.mitre.org/techniques/T1546/"
47[[rule.threat.technique.subtechnique]]
48id = "T1546.003"
49name = "Windows Management Instrumentation Event Subscription"
50reference = "https://attack.mitre.org/techniques/T1546/003/"
51
52
53
54[rule.threat.tactic]
55id = "TA0003"
56name = "Persistence"
57reference = "https://attack.mitre.org/tactics/TA0003/"