WMI Persistence - Security

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Sigma rule (View on GitHub)

 1title: WMI Persistence - Security
 2id: f033f3f3-fd24-4995-97d8-a3bb17550a88
 3related:
 4    - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
 5      type: derived
 6status: test
 7description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
 8references:
 9    - https://twitter.com/mattifestation/status/899646620148539397
10    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
11author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
12date: 2017-08-22
13modified: 2022-11-29
14tags:
15    - attack.persistence
16    - attack.privilege-escalation
17    - attack.t1546.003
18logsource:
19    product: windows
20    service: security
21detection:
22    selection:
23        EventID: 4662
24        ObjectType: 'WMI Namespace'
25        ObjectName|contains: 'subscription'
26    condition: selection
27falsepositives:
28    - Unknown (data set is too small; further testing needed)
29level: medium

References

Related rules

to-top