LoFP / although unlikely, administrators may use event subscriptions for legitimate purposes.

Techniques

Sample rules

WMI Permanent Event Subscription - Sysmon

Description

This analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. All event subscriptions have three components:

  1. Filter - WQL query for the events we want. EventID = 19
  2. Consumer - An action to take upon triggering the filter. EventID = 20
  3. Binding - Registers a filter to a consumer. EventID = 21

Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.

Detection logic

`sysmon` EventCode=21 
| rename host as dest 
| table _time, dest, user, Operation, EventType, Query, Consumer, Filter 
| `wmi_permanent_event_subscription___sysmon_filter`
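
The binding event (EventID 21) names the filter and the consumer but does not show what they do. As an added example (not part of the original rules), the following Python joins constructed Sysmon EventID 19, 20 and 21 records per host to recover the flow of execution. The sample events, host names and the `parse_ref`/`correlate` helpers are assumptions; `Name`, `Type` and `Destination` are the field names Sysmon uses for filter and consumer events.

```python
import re

# Constructed sample events (not from the page); Sysmon EventID 19=filter, 20=consumer, 21=binding.
EVENTS = [
    {"EventCode": 19, "host": "ws01", "User": r"CORP\alice", "Name": '"ExampleFilter"',
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Service'"},
    {"EventCode": 20, "host": "ws01", "User": r"CORP\alice", "Name": '"ExampleConsumer"',
     "Type": "Command Line", "Destination": r'"C:\ProgramData\example\task.exe"'},
    {"EventCode": 21, "host": "ws01", "User": r"CORP\alice",
     "Consumer": r'"CommandLineEventConsumer.Name=\"ExampleConsumer\""',
     "Filter": r'"__EventFilter.Name=\"ExampleFilter\""'},
    # Binding whose filter and consumer creation events were never collected.
    {"EventCode": 21, "host": "ws02", "User": r"CORP\bob",
     "Consumer": r'"ActiveScriptEventConsumer.Name=\"Orphan\""',
     "Filter": r'"__EventFilter.Name=\"OrphanFilter\""'},
]
REF = re.compile(r'(\w+)\.Name=\\?"([^"\\]+)')

def parse_ref(value):
    """Return (wmi_class, instance_name) from a binding's Consumer or Filter field."""
    m = REF.search(value)
    return (m.group(1), m.group(2)) if m else (None, value.strip('"'))

def correlate(events):
    """Join each EventID 21 binding to the EventID 19/20 records it references."""
    filters, consumers = {}, {}
    for e in events:
        key = (e["host"], e.get("Name", "").strip('"'))
        if e["EventCode"] == 19:
            filters[key] = e
        elif e["EventCode"] == 20:
            consumers[key] = e
    chains = []
    for e in (x for x in events if x["EventCode"] == 21):
        c_class, c_name = parse_ref(e["Consumer"])
        f_name = parse_ref(e["Filter"])[1]
        f, c = filters.get((e["host"], f_name)), consumers.get((e["host"], c_name))
        chains.append({
            "dest": e["host"], "user": e["User"], "filter": f_name,
            "query": f["Query"].strip('"') if f else None,
            "consumer": c_name, "consumer_class": c_class,
            "action": c["Destination"].strip('"') if c else None,
            "complete": bool(f and c),  # False: review the binding by hand
        })
    return chains

if __name__ == "__main__":
    for chain in correlate(EVENTS):
        print(chain)
```

A chain with `complete` set to false means the filter or consumer was created outside the collected window, so the binding should be reviewed directly on the host.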

WMI Permanent Event Subscription

Description

The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events, which enables them to maintain access to the system undetected. The detection is made by using Sysmon Event ID 5 data to detect instances where the consumers of these events are not the expected “NTEventLogEventConsumer.” The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity. Next steps include investigating the associated scripts or binaries and identifying the source of the attack.

Detection logic

`wmi` EventCode=5861 Binding 
| rex field=Message "Consumer =\s+(?<consumer>[^;|^$]+)" 
| search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" 
| stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| rename ComputerName as dest 
| `wmi_permanent_event_subscription_filter`