LoFP: Although unlikely, administrators may use event subscriptions for legitimate purposes.

Techniques

Sample rules

WMI Permanent Event Subscription - Sysmon

Description

The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.

Detection logic

`sysmon` EventCode=21 
| rename host as dest 
| table _time, dest, user, Operation, EventType, Query, Consumer, Filter 
| `wmi_permanent_event_subscription___sysmon_filter`

WMI Permanent Event Subscription

Description

The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon EventID 5 data to identify instances where the event consumers are not the expected “NTEventLogEventConsumer.” This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack.

Detection logic

`wmi` EventCode=5861 Binding 
| rex field=Message "Consumer =\s+(?<consumer>[^;|^$]+)" 
| search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" 
| stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| rename ComputerName as dest 
| `wmi_permanent_event_subscription_filter`
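The rex, search and stats steps of the rule above, ported to Python and run over constructed sample 5861 Message fields (an added example, not part of the original analytic; the host names, timestamps and consumer names are made up). It shows the stock SCM Event Log Consumer binding being excluded while a CommandLineEventConsumer binding is aggregated per host.

```python
import re

# Python port of the rex / search / stats steps of the rule above (added
# example, not part of the original analytic). The SPL named group
# (?<consumer>...) becomes Python's (?P<consumer>...); the character class is
# kept as written so the behaviour matches the rule.
CONSUMER_RE = re.compile(r"Consumer =\s+(?P<consumer>[^;|^$]+)")
BENIGN_CONSUMER = 'NTEventLogEventConsumer="SCM Event Log Consumer"'

# Constructed (epoch, ComputerName, Message) tuples shaped like the Message
# field of WMI-Activity/Operational EventID 5861 binding events.
SAMPLE_EVENTS = [
    (1700000000, "WS01",
     "Namespace = //./root/subscription; Eventfilter = SCM Event Log Filter "
     "(refer to its activate eventid:5859); Consumer = NTEventLogEventConsumer="
     '"SCM Event Log Consumer"; PossibleCause = Binding EventFilter: ...'),
    (1700000100, "WS02",
     "Namespace = //./root/subscription; Eventfilter = Updater "
     "(refer to its activate eventid:5859); Consumer = CommandLineEventConsumer="
     '"Updater"; PossibleCause = Binding EventFilter: ...'),
    (1700000200, "WS02",
     "Namespace = //./root/subscription; Eventfilter = Updater "
     "(refer to its activate eventid:5859); Consumer = CommandLineEventConsumer="
     '"Updater"; PossibleCause = Binding EventFilter: ...'),
    (1700000300, "WS03", "Namespace = //./root/subscription; no consumer here"),
]


def extract_consumer(message):
    """rex step: pull the consumer reference out of the Message field."""
    match = CONSUMER_RE.search(message)
    return match.group("consumer") if match else None


def find_suspicious_bindings(events):
    """search + stats steps: drop the stock SCM consumer, then aggregate by
    (dest, consumer) with count, firstTime and lastTime."""
    results = {}
    for epoch, computer_name, message in events:
        consumer = extract_consumer(message)
        if consumer is None or consumer == BENIGN_CONSUMER:
            continue
        entry = results.setdefault((computer_name, consumer),
                                   {"count": 0, "firstTime": epoch, "lastTime": epoch})
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], epoch)
        entry["lastTime"] = max(entry["lastTime"], epoch)
    return results


if __name__ == "__main__":
    for (dest, consumer), stats in find_suspicious_bindings(SAMPLE_EVENTS).items():
        print(dest, consumer, stats)
```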