security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7be96ec64dc12ed3d2849bb408e4eecfde40dc02
sigma-rules/rules/windows/persistence_sysmon_wmi_event_subscription.toml
T
Samirbous 419e5c1ad3 [Tuning] Suspicious WMI Event Subscription Created (#4327) 
* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

* Update detection_rules/etc/non-ecs-schema.json

* Update pyproject.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-06 09:40:26 -03:00

68 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/02/02"
integration = ["windows", "endpoint"]
maturity = "production"
updated_date = "2024/12/23"
min_stack_version = "8.15.0"
min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0."
[rule]
author = ["Elastic"]
description = """
Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to
SYSTEM privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-endpoint.events.api-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMI Event Subscription Created"
references = [
"https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
"https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96",
]
risk_score = 47
rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Sysmon",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where
(
(event.dataset == "windows.sysmon_operational" and event.code == "21" and
winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or
(event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and
process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.003"
name = "Windows Management Instrumentation Event Subscription"
reference = "https://attack.mitre.org/techniques/T1546/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink