Persistence via WMI Event Subscription

calendarMar 6, 2023  ·
Share on: linkedincopy

An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/12/04"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/03/06"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and
13bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an
14event and execute arbitrary code when that event occurs, providing persistence on a system.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Persistence via WMI Event Subscription"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"]
26risk_score = 21
27rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
28severity = "low"
29tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34process where host.os.type == "windows" and event.type == "start" and
35  (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
36  process.args : "create" and
37  process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer")
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1546"
45name = "Event Triggered Execution"
46reference = "https://attack.mitre.org/techniques/T1546/"
47[[rule.threat.technique.subtechnique]]
48id = "T1546.003"
49name = "Windows Management Instrumentation Event Subscription"
50reference = "https://attack.mitre.org/techniques/T1546/003/"
51
52
53
54[rule.threat.tactic]
55id = "TA0003"
56name = "Persistence"
57reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

to-top