WMI Persistence

Severity: medium
Author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin (oscd.community)
Source: upstream

Detects suspicious WMI event filter registrations and command-line event consumer bindings, based on WMI-Activity and Security logs.

MITRE ATT&CK coverage

Tactic               | Technique
Persistence          | T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
Privilege Escalation | T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Event coverage

Provider     | Event ID | Title
WMI-Activity | 5859     | Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Oper...
WMI-Activity | 5861     | Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; Poss...

Stages and Predicates

Stage 1: wmi_filter_to_consumer_binding

Stage 2: consumer_keywords

  Keywords (no field): ActiveScriptEventConsumer, CommandLineEventConsumer, CommandLineTemplate

Stage 3: wmi_filter_registration

Stage 4: not filter_scmevent

  PossibleCause: 'Permanent'
  Provider: 'SCM Event Provider'
  Query|contains: 'select * from MSFT_SCMEventLogEvent'
  User: 'S-1-5-32-544'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field         | Kind     | Values
PossibleCause | eq       | Permanent
Provider      | eq       | SCM Event Provider
Query         | wildcard | select * from MSFT_SCMEventLogEvent
User          | eq       | S-1-5-32-544