Find sigma rule
Attack: Event Triggered Execution: Windows Management Instrumentation Event Subscription
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer’s uptime.(Citation: Mandiant M-Trends 2015)
Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using mofcomp.exe
–into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
MITRE
Tactic
- privilege-escalation
- persistence
technique
- T1546.003
Test : Persistence via WMI Event Subscription - ActiveScriptEventConsumer
OS
- windows
Description:
Run from an administrator powershell window. After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c
Executor
powershell
Sigma Rule
-
sysmon_wmi_event_subscription.yml (id: 0f06a3a5-6a09-413f-8743-e6cf35561297)
-
sysmon_wmi_event_subscription.yml (id: 0f06a3a5-6a09-413f-8743-e6cf35561297)
-
sysmon_wmi_susp_scripting.yml (id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0)
-
win_wmi_persistence.yml (id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b)