From 419e5c1ad3963a947fbc487685fa03e35d762473 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 6 Jan 2025 12:40:26 +0000
Subject: [PATCH] [Tuning] Suspicious WMI Event Subscription Created (#4327)

* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

* Update detection_rules/etc/non-ecs-schema.json

* Update pyproject.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 detection_rules/etc/non-ecs-schema.json | 4 ++++
 pyproject.toml | 2 +-
 ...istence_sysmon_wmi_event_subscription.toml | 21 ++++++++++++-------
 3 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index ef82fd537..293290153 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -84,6 +84,10 @@
 "Target.process.name": "keyword",
 "process.Ext.api.name": "keyword"
 },
+ "logs-endpoint.events.api-*": {
+ "process.Ext.api.parameters.consumer_type": "keyword",
+ "process.Ext.api.name": "keyword"
+ },
 "logs-endpoint.events.file-*": {
 "file.Ext.header_bytes": "keyword",
 "file.Ext.windows.zone_identifier": "long"
diff --git a/pyproject.toml b/pyproject.toml
index 8ef7db211..b1977c087 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.6"
+version = "0.3.7"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
index 586426af0..3a2b3cca7 100644
--- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/02/02"
-integration = ["windows"]
+integration = ["windows", "endpoint"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2024/12/23"
+min_stack_version = "8.15.0"
+min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0."
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Detects the creation of a WMI Event Subscription. Attackers can abuse this mecha
 SYSTEM privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-endpoint.events.api-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMI Event Subscription Created"
@@ -30,13 +30,20 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Data Source: Sysmon",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "windows.sysmon_operational" and event.code == "21" and
- winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")
+any where
+ (
+ (event.dataset == "windows.sysmon_operational" and event.code == "21" and
+ winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or
+
+ (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and
+ process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
+ )
 '''
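Review bot: Raising `min_stack_version` to "8.15.0" in the [metadata] hunk gates the whole rule, so the Sysmon branch that was previously available on 8.14.x stacks presumably stops shipping there once the Elastic Defend branch is added; the new `min_stack_comments` explains why 8.15.0 is required but not that Sysmon-only coverage on 8.14 is being traded away. If that trade-off is intended, record it so a maintainer tuning the floor later understands the cost, e.g. `min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0; the Sysmon branch alone would still work on 8.14.0, but the rule is gated as a whole."`. Dropping the earlier note about the 8.14.0 Windows-integration breaking change looks fine, since the higher floor subsumes it.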