WMI persistence rules derived from blog article

https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize

rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml

@@ -0,0 +1,32 @@
+---
+action: global
+title: WMI Persistence - Script Event Consumer
+status: experimental
+description: Detects WMI script event consumers
+references:
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+detection:
+    selection:
+        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+        ParentImage: 'C:\Windows\System32\svchost.exe'
+    condition: selection
+falsepositives: 
+    - Legitimate event consumers
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/windows/other/win_wmi_persistence.yml

@@ -1,9 +1,10 @@
 title: WMI Persistence
 status: experimental
-description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
+description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
 author: Florian Roth
 references:
     - https://twitter.com/mattifestation/status/899646620148539397
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 logsource:
     product: windows
     service: wmi
@@ -11,10 +12,13 @@ detection:
     selection:
         EventID: 5861
     keywords:
+        - 'ActiveScriptEventConsumer'
         - 'CommandLineEventConsumer'
         - 'CommandLineTemplate'
         - 'Binding EventFilter'
-    condition: selection and 1 of keywords
+    selection2:
+        EventID: 5859
+    condition: selection and 1 of keywords or selection2
 falsepositives:
     - Unknown (data set is too small; further testing needed)
 level: high

rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml

@@ -0,0 +1,19 @@
+title: WMI Persistence - Command Line Event Consumer
+status: experimental
+description: Detects WMI command line event consumers
+references:
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
+        ImageLoaded: 'wbemcons.dll'
+    condition: selection
+falsepositives: 
+    - Unknown (data set is too small; further testing needed)
+level: high

rules/windows/sysmon/win_wmi_persistence_script_event_consumer_write.yml

@@ -0,0 +1,18 @@
+title: WMI Persistence - Script Event Consumer File Write
+status: experimental
+description: Detects file writes of WMI script event consumer
+references:
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+    condition: selection
+falsepositives: 
+    - Unknown (data set is too small; further testing needed)
+level: high