WMI Persistence - Security

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Sigma rule

title: WMI Persistence - Security
id: f033f3f3-fd24-4995-97d8-a3bb17550a88
related:
    - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
      type: derived
status: test
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
references:
    - https://twitter.com/mattifestation/status/899646620148539397
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017/08/22
modified: 2022/11/29
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectType: 'WMI Namespace'
        ObjectName|contains: 'subscription'
    condition: selection
falsepositives:
    - Unknown (data set is too small; further testing needed)
level: medium
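To make the rule's selection concrete, here is an added example (not part of the rule or of the Sigma project) that transcribes the single `selection` block into Python and runs it over a handful of constructed Security 4662 records. It implements only the two match forms this rule uses, an exact field match and the `contains` modifier, with Sigma's default case-insensitive string comparison; the sample events, user names and paths are made up for the demonstration.

```python
"""Evaluate the 'WMI Persistence - Security' Sigma selection over sample events.

Added example, not code from the rule's authors or the Sigma project. It
mirrors Sigma's default semantics for the two constructs this rule uses:
an unmodified field (exact, case-insensitive match) and the 'contains'
modifier (case-insensitive substring match).
"""
from typing import Dict, List

# The rule's detection.selection block, transcribed as plain Python data.
SELECTION: Dict[str, object] = {
    "EventID": 4662,
    "ObjectType": "WMI Namespace",
    "ObjectName|contains": "subscription",
}


def field_matches(event: Dict[str, object], key: str, expected: object) -> bool:
    """Evaluate one 'Field' or 'Field|modifier' entry against a single event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False  # missing field never matches
    if modifier == "":
        # Exact match; compare as lower-cased strings so 4662 and "4662" agree.
        return str(value).lower() == str(expected).lower()
    if modifier == "contains":
        return str(expected).lower() in str(value).lower()
    raise ValueError(f"modifier not implemented in this example: {modifier}")


def matches_rule(event: Dict[str, object]) -> bool:
    """All entries of the selection must hold (Sigma maps are AND-ed)."""
    return all(field_matches(event, key, expected) for key, expected in SELECTION.items())


def find_hits(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the subset of events the rule would alert on."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (not real telemetry): field names follow the
# Security log's 4662 schema, values are invented for the demonstration.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # access to the subscription namespace: should match
        "EventID": 4662, "ObjectType": "WMI Namespace",
        "ObjectName": "root\\subscription", "SubjectUserName": "labuser",
        "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    },
    {   # ordinary namespace access: no match on ObjectName
        "EventID": 4662, "ObjectType": "WMI Namespace",
        "ObjectName": "root\\cimv2", "SubjectUserName": "labuser",
    },
    {   # file access that happens to contain the word: wrong EventID/ObjectType
        "EventID": 4663, "ObjectType": "File",
        "ObjectName": "C:\\Temp\\subscription.txt", "SubjectUserName": "labuser",
    },
    {   # same namespace in different letter case: still matches
        "EventID": "4662", "ObjectType": "wmi namespace",
        "ObjectName": "ROOT\\SUBSCRIPTION", "SubjectUserName": "svc-backup",
    },
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT {hit['SubjectUserName']} -> {hit['ObjectName']}")
```

Two of the four constructed events match. The third shows why all three fields are required: a file name containing "subscription" is not enough on its own. Because 4662 is only written when object-access auditing is enabled and a SACL has been set on the WMI namespace, check that both are configured on the monitored hosts before relying on this rule; without them the rule never receives an event to match.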
