Powershell WMI Persistence
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
Sigma rule (View on GitHub)
1title: Powershell WMI Persistence
2id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
3status: test
4description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
7 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
8author: frack113
9date: 2021-08-19
10modified: 2022-12-25
11tags:
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1546.003
15logsource:
16 product: windows
17 category: ps_script
18 definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20 selection_ioc:
21 - ScriptBlockText|contains|all:
22 - 'New-CimInstance '
23 - '-Namespace root/subscription '
24 - '-ClassName __EventFilter '
25 - '-Property ' # is a variable name
26 - ScriptBlockText|contains|all:
27 - 'New-CimInstance '
28 - '-Namespace root/subscription '
29 - '-ClassName CommandLineEventConsumer '
30 - '-Property ' # is a variable name
31 condition: selection_ioc
32falsepositives:
33 - Unknown
34level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Related rules
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- Suspicious Encoded Scripts in a WMI Consumer
- WMI Backdoor Exchange Transport Agent
- WMI Event Subscription
- WMI Persistence - Command Line Event Consumer