3 changes: 2 additions & 1 deletion detection_rules/etc/non-ecs-schema.json
Expand Up @@ -82,7 +82,8 @@
"process.Ext.relative_file_name_modify_time": "double",
"process.Ext.relative_file_creation_time": "double",
"Target.process.name": "keyword",
"process.Ext.api.name": "keyword"
"process.Ext.api.name": "keyword",
"process.Ext.api.parameters.consumer_type": "keyword"
},
"logs-endpoint.events.file-*": {
"file.Ext.header_bytes": "keyword",
21 changes: 14 additions & 7 deletions rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/02/02"
integration = ["windows"]
integration = ["windows", "endpoint"]
maturity = "production"
updated_date = "2024/10/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
updated_date = "2024/12/23"
min_stack_version = "8.15.0"
min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0."

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Detects the creation of a WMI Event Subscription. Attackers can abuse this mecha
SYSTEM privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-endpoint.events.api-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMI Event Subscription Created"
Expand All @@ -30,13 +30,20 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Sysmon",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "windows.sysmon_operational" and event.code == "21" and
winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")
any where
(
(event.dataset == "windows.sysmon_operational" and event.code == "21" and
winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or

(event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and
process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
)
'''


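Review bot: The two branches of the new `query` disagree on case handling: the Sysmon branch matches `winlog.event_data.Consumer` with the case-insensitive `:` operator, while the Elastic Defend branch compares `process.Ext.api.name` with `==` and `process.Ext.api.parameters.consumer_type` with `in`, both of which are case-sensitive in EQL. If the same tolerance is intended on both sides, the second branch can read `process.Ext.api.parameters.consumer_type in~ ("ActiveScriptEventConsumer", "CommandLineEventConsumer")`, and a one-line TOML comment above `query` stating which casing the endpoint provider emits would keep a later revision from reintroducing the mismatch. A second difference worth recording in the rule description is that the Sysmon branch is restricted to `Operation : "Created"`, whereas `IWbemServices::PutInstance` is also used to update an existing instance, so the endpoint branch is presumably broader than the Sysmon one; if that is intended, saying so helps analysts tune it. The `[rule]` description text that this query belongs to begins outside this hunk.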