Detection rule (level: medium, status: test)

WMI Persistence

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Authors: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin (oscd.community)
Created: Tue Aug 22
Updated: Thu Feb 10
Rule ID: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
Product: windows
Log Source
Product: windows
Service: wmi

Definition

WMI namespace auditing and a SACL must be configured; detection of EventID 5861 and 5859 requires Windows 10, 2012 and higher.

Detection Logic (4 selectors)
detection:
    wmi_filter_to_consumer_binding:
        EventID: 5861
    consumer_keywords:
        - 'ActiveScriptEventConsumer'
        - 'CommandLineEventConsumer'
        - 'CommandLineTemplate'
        # - 'Binding EventFilter'  # too many false positive with HP Health Driver
    wmi_filter_registration:
        EventID: 5859
    filter_scmevent:
        Provider: 'SCM Event Provider'
        Query: 'select * from MSFT_SCMEventLogEvent'
        User: 'S-1-5-32-544'
        PossibleCause: 'Permanent'
    condition: ( (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration) ) and not filter_scmevent
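The condition above combines two positive selectors with one exclusion. As an added example (not part of the Sigma rule or this page), the evaluator below implements that condition in Python and runs it over constructed WMI-Activity event records; it assumes Sigma's case-insensitive string matching and treats the bare keyword list as a substring match across all field values.

```python
# Added example: a small evaluator for this rule's condition, run over constructed
# WMI-Activity event records. It is not part of the Sigma rule or the page.
from typing import Dict, List

# consumer_keywords: matched case-insensitively as substrings of the whole event
CONSUMER_KEYWORDS = ("activescripteventconsumer", "commandlineeventconsumer", "commandlinetemplate")

# filter_scmevent: every field must match for the event to be excluded
SCM_FILTER = {
    "Provider": "SCM Event Provider",
    "Query": "select * from MSFT_SCMEventLogEvent",
    "User": "S-1-5-32-544",
    "PossibleCause": "Permanent",
}

def _field_eq(event: Dict[str, object], field: str, value: str) -> bool:
    # Sigma string comparison is case-insensitive
    return str(event.get(field, "")).casefold() == value.casefold()

def _keyword_hit(event: Dict[str, object]) -> bool:
    # Assumption: a bare keyword list is matched against all field values joined together
    blob = " ".join(str(v) for v in event.values()).casefold()
    return any(k in blob for k in CONSUMER_KEYWORDS)

def matches(event: Dict[str, object]) -> bool:
    """Evaluate: ((binding and keywords) or registration) and not filter_scmevent."""
    binding = _field_eq(event, "EventID", "5861") and _keyword_hit(event)
    registration = _field_eq(event, "EventID", "5859")
    scm_noise = all(_field_eq(event, f, v) for f, v in SCM_FILTER.items())
    return (binding or registration) and not scm_noise

def alerting_records(events: List[Dict[str, object]]) -> List[int]:
    return [int(e["Record"]) for e in events if matches(e)]

# Constructed sample events (field names follow the WMI-Activity/Operational log)
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Record": 1, "EventID": 5861, "Namespace": "//./root/subscription",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"', "PossibleCause": "Permanent"},
    {"Record": 2, "EventID": 5861, "Namespace": "//./root/subscription",
     "Consumer": 'NTEventLogEventConsumer.Name="AuditLogger"', "PossibleCause": "Permanent"},
    {"Record": 3, "EventID": 5859, "Provider": "SCM Event Provider", "User": "S-1-5-32-544",
     "Query": "select * from MSFT_SCMEventLogEvent", "PossibleCause": "Permanent"},
    {"Record": 4, "EventID": 5859, "Provider": "WinMgmt", "User": "S-1-5-21-1000",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60", "PossibleCause": "Permanent"},
    {"Record": 5, "EventID": 5858, "Operation": "IWbemServices::ExecQuery", "User": "S-1-5-18"},
]

if __name__ == "__main__":
    print("alerting records:", alerting_records(SAMPLE_EVENTS))  # [1, 4]
```

Record 3 shows the exclusion at work: it is a 5859 registration, but because every filter_scmevent field matches it is dropped as the known SCM provider noise.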
False Positives

Unknown (data set is too small; further testing needed)

Rule Metadata
Rule ID: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
Status: test
Level: medium
Type: Detection
Created: Tue Aug 22
Modified: Thu Feb 10
Path: rules/windows/builtin/wmi/win_wmi_persistence.yml
Tags: attack.persistence, attack.privilege-escalation, attack.t1546.003