Detection: WMI Permanent Event Subscription

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Updated Date: 2024-05-26 ID: 71bfdb13-f200-4c6c-b2c9-a2e07adf437d Author: Rico Valdez, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon Event ID 5 data to identify instances where the event consumers are not the expected "NTEventLogEventConsumer." This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack.

1`wmi` EventCode=5861 Binding 
2| rex field=Message "Consumer =\s+(?<consumer>[^;
3|^$]+)" 
4| search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" 
5| stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message 
6| `security_content_ctime(firstTime)`
7| `security_content_ctime(lastTime)` 
8| rename ComputerName as dest 
9| `wmi_permanent_event_subscription_filter`

Data Source

Name Platform Sourcetype Source Supported App
N/A N/A N/A N/A N/A

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
wmi_permanent_event_subscription_filter search *
wmi_permanent_event_subscription_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1047 Windows Management Instrumentation Execution
KillChainPhase.INSTALLATION
NistCategory.DE_CM
Cis18Value.CIS_10
APT29
APT32
APT41
Blue Mockingbird
Chimera
Cinnamon Tempest
Deep Panda
Earth Lusca
FIN13
FIN6
FIN7
FIN8
GALLIUM
Gamaredon Group
Indrik Spider
Lazarus Group
Leviathan
Magic Hound
MuddyWater
Mustang Panda
Naikon
OilRig
Sandworm Team
Stealth Falcon
TA2541
Threat Group-3390
ToddyCat
Volt Typhoon
Windshift
Wizard Spider
menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].

Known False Positives

Although unlikely, administrators may use event subscriptions for legitimate purposes.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
tbd 25 50 50
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit ❌ Failing N/A N/A N/A
Integration ❌ Failing N/A N/A N/A

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2