Persistence via WMI Event Subscription
An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.
Elastic rule
[metadata]
creation_date = "2020/12/04"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and
bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an
event and execute arbitrary code when that event occurs, providing persistence on a system.
"""
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Persistence via WMI Event Subscription"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Persistence via WMI Event Subscription

Windows Management Instrumentation (WMI) is a powerful framework for managing data and operations on Windows systems. Adversaries exploit WMI by creating event subscriptions that trigger malicious code execution, ensuring persistence. The detection rule identifies suspicious use of `wmic.exe` to create event consumers, signaling potential abuse of WMI for persistence by monitoring specific process activities and arguments.

### Possible investigation steps

- Review the process execution details for `wmic.exe` to confirm the presence of suspicious arguments such as "create", "ActiveScriptEventConsumer", or "CommandLineEventConsumer" that indicate potential WMI event subscription abuse.
- Examine the parent process of `wmic.exe` to determine how it was launched and assess whether this aligns with expected behavior or if it suggests malicious activity.
- Investigate the user account associated with the `wmic.exe` process to determine if it has the necessary privileges to create WMI event subscriptions and whether the account activity is consistent with normal operations.
- Check for any recent changes or additions to WMI event filters, consumers, or bindings on the affected system to identify unauthorized modifications that could indicate persistence mechanisms.
- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify any related suspicious activities or patterns.

### False positive analysis

- Legitimate administrative tasks using wmic.exe may trigger the rule, such as system monitoring or configuration changes. To handle this, identify and document routine administrative scripts and exclude them from triggering alerts.
- Software installations or updates that use WMI for legitimate event subscriptions can be mistaken for malicious activity. Maintain a list of trusted software and their expected behaviors to create exceptions in the detection rule.
- Automated system management tools that rely on WMI for event handling might cause false positives. Review and whitelist these tools by verifying their source and purpose to prevent unnecessary alerts.
- Security software or monitoring solutions that utilize WMI for legitimate purposes can be flagged. Collaborate with IT and security teams to identify these tools and adjust the rule to exclude their known benign activities.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious processes related to `wmic.exe` that are identified as creating event consumers, specifically those involving "ActiveScriptEventConsumer" or "CommandLineEventConsumer".
- Remove any unauthorized WMI event subscriptions by using PowerShell (for example the `Get-CimInstance` and `Remove-CimInstance` cmdlets, or `Get-WmiObject` and `Remove-WmiObject`, against the `root\subscription` namespace) to list and delete suspicious event filters, consumers, and bindings. Note that `wevtutil` manages Windows event logs and cannot list or remove WMI subscriptions.
- Conduct a thorough review of the system's WMI repository to ensure no other malicious or unauthorized configurations exist.
- Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through manual remediation.
- Update and patch the system to the latest security standards to mitigate any vulnerabilities that may have been exploited.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"]
risk_score = 21
rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and
  process.args : "create" and
  process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.003"
name = "Windows Management Instrumentation Event Subscription"
reference = "https://attack.mitre.org/techniques/T1546/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
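To make the query's matching semantics concrete, the following is an added example (not part of the Elastic rule or its test suite) that re-implements the EQL predicate in PowerShell and runs it over constructed process-start events. The function name `Test-WmicEventConsumerRule` and the sample events are ours; the command lines follow the documented `wmic /NAMESPACE:"\\root\subscription" PATH <class> CREATE ...` syntax, and the file names and consumer names in them are placeholders.

```powershell
# Added example, not part of the Elastic rule: the rule's EQL predicate
# re-implemented in PowerShell and run over constructed process-start events
# (hashtables keyed by the ECS field names the rule uses).

function Test-WmicEventConsumerRule {
    param([Parameter(Mandatory)][hashtable]$Event)

    # process where host.os.type == "windows" and event.type == "start"
    $isWindowsStart = ($Event['host.os.type'] -eq 'windows') -and ($Event['event.type'] -eq 'start')

    # (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe")
    # EQL ':' is a case-insensitive match; '==' on the optional PE field is an exact match,
    # which is what catches a renamed copy of the binary.
    $isWmic = ($Event['process.name'] -ieq 'wmic.exe') -or
              ($Event['process.pe.original_file_name'] -ceq 'wmic.exe')

    # process.args : "create" and process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer")
    # Both are evaluated per argument, not as substrings of the whole command line.
    # $procArgs is used instead of the automatic $args variable.
    $procArgs    = @($Event['process.args'])
    $hasCreate   = @($procArgs | Where-Object { $_ -ieq 'create' }).Count -gt 0
    $hasConsumer = @($procArgs | Where-Object { $_ -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer' }).Count -gt 0

    return [bool]($isWindowsStart -and $isWmic -and $hasCreate -and $hasConsumer)
}

# Constructed sample events (not real telemetry). Paths and names are placeholders.
$samples = @(
    @{
        Label = 'wmic creates a CommandLineEventConsumer (expected: match)'
        'host.os.type' = 'windows'; 'event.type' = 'start'
        'process.name' = 'wmic.exe'; 'process.pe.original_file_name' = 'wmic.exe'
        'process.args' = @('wmic', '/NAMESPACE:"\\root\subscription"', 'PATH', 'CommandLineEventConsumer', 'CREATE',
                           'Name="Updater"', 'CommandLineTemplate="C:\Users\Public\update.exe"')
    },
    @{
        Label = 'renamed copy of wmic.exe creates an ActiveScriptEventConsumer (expected: match via original_file_name)'
        'host.os.type' = 'windows'; 'event.type' = 'start'
        'process.name' = 'svchelper.exe'; 'process.pe.original_file_name' = 'wmic.exe'
        'process.args' = @('svchelper.exe', '/NAMESPACE:"\\root\subscription"', 'PATH', 'ActiveScriptEventConsumer', 'CREATE',
                           'Name="Cleanup"', 'ScriptingEngine="VBScript"', 'ScriptFileName="C:\Users\Public\c.vbs"')
    },
    @{
        Label = 'wmic only lists existing consumers (expected: no match, no "create")'
        'host.os.type' = 'windows'; 'event.type' = 'start'
        'process.name' = 'wmic.exe'; 'process.pe.original_file_name' = 'wmic.exe'
        'process.args' = @('wmic', '/NAMESPACE:"\\root\subscription"', 'PATH', '__EventConsumer', 'GET')
    },
    @{
        Label = 'PowerShell creates the same consumer (expected: no match, rule keys on wmic.exe)'
        'host.os.type' = 'windows'; 'event.type' = 'start'
        'process.name' = 'powershell.exe'; 'process.pe.original_file_name' = 'PowerShell.EXE'
        'process.args' = @('powershell.exe', '-Command',
                           "Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{Name='Updater';CommandLineTemplate='C:\Users\Public\update.exe'}")
    }
)

foreach ($s in $samples) {
    $verdict = if (Test-WmicEventConsumerRule -Event $s) { 'ALERT' } else { 'no match' }
    '{0,-9} {1}' -f $verdict, $s.Label
}
```

The last two samples show the rule's boundaries. Listing consumers with `GET` is routine administration and does not fire, which keeps the false-positive surface small. The same persistence created through `Set-WmiInstance`, `New-CimInstance`, a compiled MOF file fed to `mofcomp.exe`, or direct COM calls is outside this query entirely, because it matches on the `wmic.exe` image and on per-argument tokens. For coverage of those paths, pair this rule with Sysmon Event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer and WmiEventConsumerToFilter activity) or Event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log, both of which record the subscription itself rather than the tool that created it.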
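The investigation step "check for recent changes to WMI event filters, consumers, or bindings" and the remediation step "list and delete suspicious event filters, consumers, and bindings" both come down to reading the `root\subscription` namespace. The following is an added example of doing that with the CIM cmdlets; it is our code, not Elastic's, and the function names `Get-WmiPersistence` and `Remove-WmiPersistence` are ours. It assumes local administrator rights and PowerShell 3.0 or later, where `Get-CimInstance` returns the binding's `Filter` and `Consumer` reference properties as objects with a `Name` (with `Get-WmiObject` they come back as path strings and would need parsing).

```powershell
# Added example (not Elastic's code): enumerate the permanent WMI event
# subscriptions on the local host by joining __FilterToConsumerBinding to its
# __EventFilter and __EventConsumer instances, flag the consumer classes the
# rule keys on, and remove a subscription by name. Function names are ours.
# Needs local administrator rights; uses the CIM cmdlets (PowerShell 3.0+).

$SubscriptionNamespace = 'root\subscription'

function Get-WmiPersistence {
    [CmdletBinding()]
    param()

    # The binding only carries references; the filter and consumer instances
    # hold the properties worth reading (WQL query, command line, script).
    $filters   = Get-CimInstance -Namespace $SubscriptionNamespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $SubscriptionNamespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $SubscriptionNamespace -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        $class = $c.CimClass.CimClassName

        # What actually runs when the filter's WQL query fires.
        $payload = switch ($class) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }

        # Windows ships one binding by default: "SCM Event Log Filter" ->
        # "SCM Event Log Consumer" (an NTEventLogEventConsumer). Anything else deserves a look.
        $knownBenign = ($b.Filter.Name -eq 'SCM Event Log Filter') -and ($class -eq 'NTEventLogEventConsumer')

        [pscustomobject]@{
            Filter        = $b.Filter.Name
            Query         = $f.Query
            Consumer      = $b.Consumer.Name
            ConsumerClass = $class
            Payload       = $payload
            Suspicious    = (-not $knownBenign) -and ($class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
        }
    }
}

function Remove-WmiPersistence {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName
    )

    # Collect the instances before deleting anything so the evidence
    # (query text, payload) can be exported for the incident record.
    $binding  = Get-CimInstance -Namespace $SubscriptionNamespace -ClassName __FilterToConsumerBinding |
                Where-Object { $_.Filter.Name -eq $FilterName -and $_.Consumer.Name -eq $ConsumerName }
    $consumer = Get-CimInstance -Namespace $SubscriptionNamespace -ClassName __EventConsumer |
                Where-Object { $_.Name -eq $ConsumerName }
    $filter   = Get-CimInstance -Namespace $SubscriptionNamespace -ClassName __EventFilter |
                Where-Object { $_.Name -eq $FilterName }

    if (-not $binding) { throw "No binding found for filter '$FilterName' and consumer '$ConsumerName'." }

    if ($PSCmdlet.ShouldProcess("$FilterName -> $ConsumerName", 'Remove WMI subscription')) {
        # Binding first: once it is gone the filter can no longer trigger the consumer.
        $binding  | Remove-CimInstance
        $consumer | Remove-CimInstance
        $filter   | Remove-CimInstance
    }
}

# Usage:
#   Get-WmiPersistence | Format-Table -AutoSize
#   Get-WmiPersistence | Where-Object Suspicious | Export-Csv wmi-subscriptions.csv -NoTypeInformation
#   Remove-WmiPersistence -FilterName 'Updater' -ConsumerName 'Updater' -WhatIf
```

Export the `Get-WmiPersistence` output before removing anything: the filter's WQL query tells you the trigger (a timer, a process start, a logon) and the payload points at the file or script that must also be collected and removed, otherwise the operator simply re-creates the subscription. Because `Remove-WmiPersistence` supports `-WhatIf`, run it once without deleting to confirm the three objects it resolved are the ones you intend to remove. A consumer can be bound to more than one filter, so re-run `Get-WmiPersistence` afterwards to confirm nothing suspicious remains.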
Related rules
- New ActiveSyncAllowedDeviceID Added via PowerShell
- System Shells via Services
- Web Shell Detection: Script Process Child of Common Web Processes
- Adding Hidden File Attribute via Attrib
- Clearing Windows Console History