From 8ee24bf150ce0d586d2d3cc5e00c00e8dd3ff5ea Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Wed, 7 Mar 2018 23:05:10 +0100
Subject: [PATCH] WMI persistence rules derived from blog article https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize

---
 ..._wmi_persistence_script_event_consumer.yml | 32 +++++++++++++++++++
 rules/windows/other/win_wmi_persistence.yml   |  8 +++--
 ...persistence_commandline_event_consumer.yml | 19 +++++++++++
 ...ersistence_script_event_consumer_write.yml | 18 +++++++++++
 4 files changed, 75 insertions(+), 2 deletions(-)
 create mode 100644 rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
 create mode 100644 rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
 create mode 100644 rules/windows/sysmon/win_wmi_persistence_script_event_consumer_write.yml

diff --git a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml b/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
new file mode 100644
index 000000000..185efc25f
--- /dev/null
+++ b/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
@@ -0,0 +1,32 @@
+---
+action: global
+title: WMI Persistence - Script Event Consumer
+status: experimental
+description: Detects WMI script event consumers
+references:
+  - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+detection:
+  selection:
+    Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+    ParentImage: 'C:\Windows\System32\svchost.exe'
+  condition: selection
+falsepositives:
+  - Legitimate event consumers
+level: high
+---
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 1
+---
+logsource:
+  product: windows
+  service: security
+  description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+  selection:
+    EventID: 4688
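Review bot: The global selection compares `Image` and `ParentImage` against full literal paths, written with inconsistent casing (`C:\WINDOWS\system32` vs `C:\Windows\System32`); a Sigma value without a wildcard is an exact match, so a non-default system drive or a differently expanded %SystemRoot% is missed, and the same applies to the Image values of the two new sysmon rules later in this patch. `Image: '*\wbem\scrcons.exe'` and `ParentImage: '*\System32\svchost.exe'` keep the intent while tolerating the path prefix. The ParentImage criterion also depends on the security 4688 branch supplying a parent-process field, which older Windows versions do not log as far as I know, so the requirements text in the security logsource should state which OS versions that branch can fire on. The key the Sigma spec uses for that requirements text under logsource is `definition` rather than `description`, if I recall the spec correctly; worth checking so the rule validates.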
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index e48c3779b..111a6b6df 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -1,9 +1,10 @@
 title: WMI Persistence
 status: experimental
-description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
+description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
 author: Florian Roth
 references:
     - https://twitter.com/mattifestation/status/899646620148539397
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 logsource:
     product: windows
     service: wmi
@@ -11,10 +12,13 @@ detection:
     selection:
         EventID: 5861
     keywords:
+        - 'ActiveScriptEventConsumer'
         - 'CommandLineEventConsumer'
         - 'CommandLineTemplate'
         - 'Binding EventFilter'
-    condition: selection and 1 of keywords
+    selection2:
+        EventID: 5859
+    condition: selection and 1 of keywords or selection2
 falsepositives:
     - Unknown (data set is too small; further testing needed)
 level: high
diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
new file mode 100644
index 000000000..28ab41d07
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
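Review bot: The new condition `selection and 1 of keywords or selection2` relies on operator precedence to mean `(selection and 1 of keywords) or selection2`; spelling the parentheses out prevents a reader or a backend from taking it as `selection and (1 of keywords or selection2)`, which would silently drop the standalone 5859 match. Suggested: `condition: (selection and 1 of keywords) or selection2`. selection2 alerts on every 5859 with no further qualification, and if that event is emitted for each permanent-subscription trigger as the referenced article suggests, legitimate subscriptions will raise this high-level rule too, so the falsepositives entry should mention that. The description could also mention the newly added ActiveScriptEventConsumer keyword instead of only command line event consumers.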
@@ -0,0 +1,19 @@
+title: WMI Persistence - Command Line Event Consumer
+status: experimental
+description: Detects WMI command line event consumers
+references:
+  - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 7
+    Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
+    ImageLoaded: 'wbemcons.dll'
+  condition: selection
+falsepositives:
+  - Unknown (data set is too small; further testing needed)
+level: high
diff --git a/rules/windows/sysmon/win_wmi_persistence_script_event_consumer_write.yml b/rules/windows/sysmon/win_wmi_persistence_script_event_consumer_write.yml
new file mode 100644
index 000000000..f62077082
--- /dev/null
+++ b/rules/windows/sysmon/win_wmi_persistence_script_event_consumer_write.yml
@@ -0,0 +1,18 @@
+title: WMI Persistence - Script Event Consumer File Write
+status: experimental
+description: Detects file writes of WMI script event consumer
+references:
+  - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 11
+    Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+  condition: selection
+falsepositives:
+  - Unknown (data set is too small; further testing needed)
+level: high
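Review bot: `ImageLoaded: 'wbemcons.dll'` is a bare file name, but Sysmon's ImageLoaded field carries the full path of the loaded module, so this exact match will never hit; it should be `ImageLoaded: '*\wbemcons.dll'`, and `Image: '*\WmiPrvSE.exe'` for the same reason, since on 64-bit systems the provider host also runs from SysWOW64 for 32-bit providers as far as I recall. Sysmon image-load events (EventID 7) are only generated when the Sysmon configuration enables them, which is worth stating as a requirement in the rule so operators understand why it may stay silent. The file-write rule in the following hunk has the same literal-path concern for its Image value.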