Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.

Techniques

Sample rules

WMI Temporary Event Subscription

Description

The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.

Detection logic

`wmi` EventCode=5860 Temporary
| rex field=Message "NotificationQuery =\s+(?<query>[^;|^$]+)"
| search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'"
| stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `wmi_temporary_event_subscription_filter`
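As an added example (not part of this page or of the Splunk rule itself), the same extraction, default-exception and aggregation logic in Python, run over constructed EventCode 5860 records so the two Windows 10 exceptions can be seen dropping out and a remaining subscription being counted per host. The Message layout, host names and timestamps are assumptions modelled on the rule's regex, not captured Windows events.

```python
import re

# Mirrors the rule's rex: capture NotificationQuery up to ';', '|', '^' or '$'.
QUERY_RE = re.compile(r"NotificationQuery =\s+(?P<query>[^;|^$]+)")

# The two Windows 10 default subscriptions the rule excludes.
WSM_QUERY = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'"
AV_QUERY = ("SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' "
            "OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'")
DEFAULT_EXCEPTIONS = {WSM_QUERY, AV_QUERY}

# Constructed records; the Message layout is an assumption modelled on the regex,
# not a captured Windows event. _time is epoch seconds, as in Splunk.
PROC_QUERY = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"

def message(query, cause="Temporary"):
    return "Namespace = //./root/cimv2; NotificationQuery = %s; PossibleCause = %s" % (query, cause)

SAMPLE_EVENTS = [
    {"_time": 100, "EventCode": 5860, "ComputerName": "WS01", "Message": message(WSM_QUERY)},
    {"_time": 200, "EventCode": 5860, "ComputerName": "WS01", "Message": message(AV_QUERY)},
    {"_time": 300, "EventCode": 5860, "ComputerName": "WS01", "Message": message(PROC_QUERY)},
    {"_time": 500, "EventCode": 5860, "ComputerName": "WS01", "Message": message(PROC_QUERY)},
    {"_time": 400, "EventCode": 5861, "ComputerName": "WS01", "Message": message(PROC_QUERY, "Permanent")},
    {"_time": 600, "EventCode": 5860, "ComputerName": "WS02", "Message": "Namespace = //./root/cimv2; PossibleCause = Temporary"},
]

def extract_query(msg):
    """Return the NotificationQuery text, or None when the rex would not match."""
    m = QUERY_RE.search(msg)
    return m.group("query") if m else None

def summarize(events, exceptions=DEFAULT_EXCEPTIONS):
    """Apply the rule's filters, then the stats aggregation by (ComputerName, query)."""
    stats = {}
    for ev in events:
        # Base search: EventCode=5860 plus the keyword 'Temporary'.
        if ev["EventCode"] != 5860 or "Temporary" not in ev["Message"]:
            continue
        query = extract_query(ev["Message"])
        if query is None or query in exceptions:  # no match, or a default subscription
            continue
        key = (ev["ComputerName"], query)
        s = stats.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        s["count"] += 1
        s["firstTime"] = min(s["firstTime"], ev["_time"])
        s["lastTime"] = max(s["lastTime"], ev["_time"])
    return stats
```

Adding a site-specific legitimate query to `exceptions` is the Python equivalent of extending the `search query!=...` clause in the rule.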