From d45b693e208bc8cbdedfea5c4a79efb5c7337ef9 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 29 Aug 2023 16:42:19 -0300
Subject: [PATCH] [New Rule] Suspicious WMI Event Subscription Created (#1860)
* Suspicious WMI Event Subscription Initial rule
* Use EQL sequence
* Update non-ecs-schema
* Update persistence_sysmon_wmi_event_subscription.toml
* update description
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* update query too look for even code 21 only
* update to case sensitive compare
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
Co-authored-by: Mika Ayenson
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 6d7df50d78906a43143274152dcbbf7946671858)
---
 detection_rules/etc/non-ecs-schema.json | 4 +-
 ...istence_sysmon_wmi_event_subscription.toml | 53 +++++++++++++++++++
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/persistence_sysmon_wmi_event_subscription.toml
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 77d17936c..22153ef2a 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -19,6 +19,7 @@
 "CallerProcessName": "keyword",
 "CallTrace": "keyword",
 "ClientProcessId": "keyword",
+ "Consumer": "keyword",
 "GrantedAccess": "keyword",
 "NewTargetUserName": "keyword",
 "ObjectClass": "keyword",
@@ -50,7 +51,8 @@
 "ImagePath": "keyword",
 "TaskName": "keyword",
 "Status": "keyword",
- "EnabledPrivilegeList": "keyword",
+ "EnabledPrivilegeList": "keyword",
+ "Operation": "keyword",
 "OperationType": "keyword"
 }
 },
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
new file mode 100644
index 000000000..161a2ff8a
--- /dev/null
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/02/02"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to
+SYSTEM privileges.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious WMI Event Subscription Created"
+references = [
+ "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
+ "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96",
+]
+risk_score = 47
+rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon Only"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where event.dataset == "windows.sysmon_operational" and event.code == "21" and
+ winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1546.003"
+ name = "Windows Management Instrumentation Event Subscription"
+ reference = "https://attack.mitre.org/techniques/T1546/003/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
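Review bot: The rule keys entirely on Sysmon event ID 21 (`event.code == "21"`) yet carries no `setup` or `false_positives` field, so nothing in the file tells a deployer that Sysmon must be configured to record WMI event activity before this query can ever match, or that management and monitoring agents legitimately register CommandLineEventConsumer bindings as part of normal operation. I would add a `setup` entry under `[rule]` stating that the Sysmon configuration must include the WMI event (WmiEvent) rules and that event 21 must reach the `windows.sysmon_operational` dataset, plus a `false_positives` array naming software that creates WMI subscriptions legitimately, so analysts can tune rather than disable the rule. On the query, the `:` operator on `winlog.event_data.Operation` is a case-insensitive match; if an exact compare was intended, as the "case sensitive compare" bullet in the commit message suggests, `winlog.event_data.Operation == "Created"` expresses that, while the `Consumer` wildcards do need `:`. The file is new, so the whole rule is within this hunk.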