
Event ID 19 — WmiEvent (WmiEventFilter activity detected)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: WmiEventFilter activity detected (rule: WmiEvent)
Opcode: Info

Description

When a WMI event filter is registered, this event logs the WMI namespace, filter name and filter expression.

Message

WmiEventFilter activity detected:
RuleName: %1
EventType: %2
UtcTime: %3
Operation: %4
User: %5
EventNamespace: %6
Name: %7
Query: %8

Fields

RuleName (UnicodeString → string): Custom tag mapped to the event, e.g. an ATT&CK technique ID
EventType (UnicodeString → string): WMI event type
UtcTime (UnicodeString → string): Time in UTC when the event was created
Operation (UnicodeString → string): WMI event filter operation
    Known values:
    %%2456: Open key file.
    %%2457: Delete key file.
    %%2458: Read persisted key from file.
    %%2459: Write persisted key to file.
    %%2464: Export of persistent cryptographic key.
    %%2465: Import of persistent cryptographic key.
    %%2480: Open Key.
    %%2481: Create Key.
    %%2482: Delete Key.
    %%2483: Encrypt.
    %%2484: Decrypt.
    %%2485: Sign hash.
    %%2486: Secret agreement.
    %%2487: Domain settings.
    %%2488: Local settings.
    %%2489: Add provider.
    %%2490: Remove provider.
    %%2491: Add context.
    %%2492: Remove context.
    %%2493: Add function.
    %%2494: Remove function.
    %%2495: Add function provider.
    %%2496: Remove function provider.
    %%2497: Add function property.
    %%2498: Remove function property.
    %%2499: Machine key.
    %%2500: User key.
    %%2501: Key Derivation.
    %%2502: Claim Creation.
    %%2503: Claim Verification.
User (UnicodeString → string): User that created the WMI filter
EventNamespace (UnicodeString → string): Event namespace where the WMI class is registered
Name (UnicodeString → string): Name of the WMI filter being created
Query (UnicodeString → string): WMI filter query

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 19,
    "version": 3,
    "level": 4,
    "task": 19,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:54:57.044623Z",
    "event_record_id": 4055,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 1776
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiFilterEvent",
    "UtcTime": "2019-07-19 14:54:57.041",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "EventNamespace": " \"root\\\\CimV2\"",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Query": " \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\""
  }
}
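As an added example (not part of this page, Sysmon or any Sigma rule), the following Python normalises the three quoted fields of an Event ID 19 record in the JSON shape shown above and flags newly created filters that carry the boot-time uptime trigger seen in the example query. The two sample events are constructed; the second is a benign-looking filter included for contrast.

```python
import re

# Constructed sample input: this page's example event (trimmed to the fields the
# detector reads) plus a constructed, benign-looking filter for contrast.
SAMPLE_EVENTS = [
    {"system": {"event_id": 19}, "event_data": {
        "Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
        "EventNamespace": ' "root\\\\CimV2"', "Name": ' "AtomicRedTeam-WMIPersistence-Example"',
        "Query": ' "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA '
                 "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
                 'AND TargetInstance.SystemUpTime < 325"'}},
    {"system": {"event_id": 19}, "event_data": {
        "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
        "EventNamespace": ' "root\\\\CimV2"', "Name": ' "SCM Event Log Filter"',
        "Query": ' "select * from MSFT_SCMEventLogEvent"'}},
]

def clean(value: str) -> str:
    """Sysmon emits EventNamespace, Name and Query as ' "value"' (leading space,
    surrounding quotes, doubled backslashes); undo that so rules see the real text."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] == '"':
        v = v[1:-1]
    return v.replace("\\\\", "\\")

# The trigger in this page's example: an uptime window on Win32_PerfFormattedData_PerfOS_System
# fires shortly after every reboot, which is why it is worth flagging as a persistence trigger.
UPTIME_TRIGGER = re.compile(
    r"__InstanceModificationEvent.*Win32_PerfFormattedData_PerfOS_System.*SystemUpTime", re.IGNORECASE)

def analyze(event: dict) -> dict:
    """Normalise one Event ID 19 record and attach triage flags."""
    d = event["event_data"]
    rec = {"name": clean(d["Name"]), "namespace": clean(d["EventNamespace"]), "query": clean(d["Query"]),
           "user": d["User"], "operation": d["Operation"], "flags": []}
    if UPTIME_TRIGGER.search(rec["query"]):
        rec["flags"].append("boot_uptime_trigger")
    if not rec["user"].upper().endswith("\\SYSTEM"):  # filters are normally registered by SYSTEM
        rec["flags"].append("created_by_interactive_user")
    return rec

def scan(events: list) -> list:
    """Return normalised records for newly created filters that raised any flag."""
    hits = []
    for ev in events:
        if ev["system"].get("event_id") == 19:
            rec = analyze(ev)
            if rec["operation"] == "Created" and rec["flags"]:
                hits.append(rec)
    return hits
```

Feeding real Event ID 19 records (for example, the output of a Winlogbeat or NXLog JSON pipeline) through `scan` gives a first triage list; the flags are starting points for analyst review, not verdicts.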

Detection Patterns

WMI Consumer (Sigma, 3 rules)
Authors: Florian Roth (Nextron Systems), Jonhnathan Ribeiro; Tom Ueltschi (@c_APT_ure)

References