[Rule Tuning] Suspicious WMI Event Subscription Created (#4618)

* [Rule Tuning] Suspicious Execution via Scheduled Task

* [Rule Tuning] Suspicious WMI Event Subscription Created
Jonhnathan
2025-04-16 10:05:20 -03:00
committed by GitHub
parent 3eed0f5b6a
commit e11fe78846
@@ -2,7 +2,7 @@
creation_date = "2023/02/02"
integration = ["windows", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/04/15"
min_stack_version = "8.15.0"
min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0."
@@ -40,10 +40,10 @@ query = '''
any where
(
(event.dataset == "windows.sysmon_operational" and event.code == "21" and
winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or
?winlog.event_data.Operation : "Created" and ?winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or
(event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and
process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
(event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and ?process.Ext.api.name == "IWbemServices::PutInstance" and
?process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
)
'''
note = """## Triage and analysis
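Review bot: Prefixing `winlog.event_data.Operation`, `winlog.event_data.Consumer`, `process.Ext.api.name` and `process.Ext.api.parameters.consumer_type` with `?` stops the query from erroring on indices where those fields are unmapped, but the flip side is that an integration or index-template change that drops or renames one of them now turns into silent non-matches instead of a visible query failure, which for a persistence rule is a false negative nobody gets told about. A short EQL comment in the query would make that trade-off explicit for the next maintainer, e.g. `// ? = optional field: evaluates to null when unmapped, so a broken mapping silently disables this branch rather than failing the rule`. It would also be worth a sentence in the Triage section telling analysts to confirm these fields are actually populated in the Sysmon (event.code 21) and Elastic Defend API events before reading the rule's silence as absence of WMI subscription activity. The `note` block begins on the last line of this hunk and continues outside it.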