Powershell WMI Persistence
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
Sigma rule (View on GitHub)
1title: Powershell WMI Persistence
2id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
3status: test
4description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
7 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
8author: frack113
9date: 2021/08/19
10modified: 2022/12/25
11tags:
12 - attack.privilege_escalation
13 - attack.t1546.003
14logsource:
15 product: windows
16 category: ps_script
17 definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19 selection_ioc:
20 - ScriptBlockText|contains|all:
21 - 'New-CimInstance '
22 - '-Namespace root/subscription '
23 - '-ClassName __EventFilter '
24 - '-Property ' # is a variable name
25 - ScriptBlockText|contains|all:
26 - 'New-CimInstance '
27 - '-Namespace root/subscription '
28 - '-ClassName CommandLineEventConsumer '
29 - '-Property ' # is a variable name
30 condition: selection_ioc
31falsepositives:
32 - Unknown
33level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Related rules
- WMI Persistence
- Remote WMI ActiveScriptEventConsumers
- WMI Persistence - Security
- WMI Persistence - Script Event Consumer
- AWS Glue Development Endpoint Activity