rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml

title: Powershell WMI Persistence
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
status: experimental
author: frack113
date: 2021/08/19
description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. 
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
    - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
tags:
    - attack.privilege_escalation
    - attack.t1546.003
logsource:
    product: windows
    service: powershell
    definition: EnableScriptBlockLogging must be set to enable
detection:
    selection_id:
        EventID: 4104
    selection_ioc:
        - ScriptBlockText|contains|all: 
            - 'New-CimInstance '
            - '-Namespace root/subscription '
            - '-ClassName __EventFilter '
            - '-Property ' #is a variable name 
        - ScriptBlockText|contains|all:
            - 'New-CimInstance '
            - '-Namespace root/subscription '
            - '-ClassName CommandLineEventConsumer '
            - '-Property ' #is a variable name 
    condition: selection_id and selection_ioc
falsepositives:
    - Unknown
level: medium
$frack113$ fix title 2021-08-19 16:09:31 +02:00			`title: Powershell WMI Persistence`
$frack113$ add powershell_wmi_persistence.yml 2021-08-19 15:37:28 +02:00			`id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85`
			`status: experimental`
			`author: frack113`
			`date: 2021/08/19`
			`description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md`
			`- https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545`
			`tags:`
			`- attack.privilege_escalation`
			`- attack.t1546.003`
			`logsource:`
			`product: windows`
			`service: powershell`
			`definition: EnableScriptBlockLogging must be set to enable`
			`detection:`
			`selection_id:`
			`EventID: 4104`
			`selection_ioc:`
			`- ScriptBlockText\|contains\|all:`
			`- 'New-CimInstance '`
			`- '-Namespace root/subscription '`
$frack113$ powershell_wmi_persistence fix errors 2021-08-19 15:42:19 +02:00			`- '-ClassName __EventFilter '`
$frack113$ add powershell_wmi_persistence.yml 2021-08-19 15:37:28 +02:00			`- '-Property ' #is a variable name`
			`- ScriptBlockText\|contains\|all:`
			`- 'New-CimInstance '`
			`- '-Namespace root/subscription '`
			`- '-ClassName CommandLineEventConsumer '`
			`- '-Property ' #is a variable name`
$frack113$ Cleanup selection name 2021-10-10 10:17:24 +02:00			`condition: selection_id and selection_ioc`
$frack113$ add powershell_wmi_persistence.yml 2021-08-19 15:37:28 +02:00			`falsepositives:`
			`- Unknown`
			`level: medium`