[Tuning] Suspicious WMI Event Subscription Created (#4327)

* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

* Update detection_rules/etc/non-ecs-schema.json

* Update pyproject.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

detection_rules/etc/non-ecs-schema.json

@@ -84,6 +84,10 @@
     "Target.process.name": "keyword",
     "process.Ext.api.name": "keyword"
   },
+  "logs-endpoint.events.api-*": {
+    "process.Ext.api.parameters.consumer_type": "keyword",
+    "process.Ext.api.name": "keyword"
+  },
   "logs-endpoint.events.file-*": {
     "file.Ext.header_bytes": "keyword",
     "file.Ext.windows.zone_identifier": "long"

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.6"
+version = "0.3.7"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/windows/persistence_sysmon_wmi_event_subscription.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/02/02"
-integration = ["windows"]
+integration = ["windows", "endpoint"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2024/12/23"
+min_stack_version = "8.15.0"
+min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0."
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Detects the creation of a WMI Event Subscription. Attackers can abuse this mecha
 SYSTEM privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-endpoint.events.api-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMI Event Subscription Created"
@@ -30,13 +30,20 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Persistence",
     "Data Source: Sysmon",
+    "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "windows.sysmon_operational" and event.code == "21" and
-    winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")
+any where 
+ (
+   (event.dataset == "windows.sysmon_operational" and event.code == "21" and
+    winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or 
+
+   (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and 
+    process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
+ )
 '''