[New Rule] Suspicious WMI Event Subscription Created (#1860)

* Suspicious WMI Event Subscription Initial rule

* Use EQL sequence

* Update non-ecs-schema

* Update persistence_sysmon_wmi_event_subscription.toml

* update description

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* update query too look for even code 21 only

* update to case sensitive compare

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 6d7df50d78)

detection_rules/etc/non-ecs-schema.json

@@ -19,6 +19,7 @@
         "CallerProcessName": "keyword",
         "CallTrace": "keyword",
         "ClientProcessId": "keyword",
+        "Consumer": "keyword",
         "GrantedAccess": "keyword",
         "NewTargetUserName": "keyword",
         "ObjectClass": "keyword",
@@ -50,7 +51,8 @@
         "ImagePath": "keyword",
         "TaskName": "keyword",
         "Status": "keyword",
-        "EnabledPrivilegeList": "keyword",
+        "EnabledPrivilegeList": "keyword", 
+        "Operation": "keyword",
         "OperationType": "keyword"
       }
     },

rules/windows/persistence_sysmon_wmi_event_subscription.toml

@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/02/02"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to
+SYSTEM privileges.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious WMI Event Subscription Created"
+references = [
+  "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
+  "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96",
+]
+risk_score = 47
+rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon Only"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where event.dataset == "windows.sysmon_operational" and event.code == "21" and
+    winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1546.003"
+    name = "Windows Management Instrumentation Event Subscription"
+    reference = "https://attack.mitre.org/techniques/T1546/003/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+