Adversaries may use WMI event filters and command line event consumers to establish persistent access and execute arbitrary code on compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence mechanisms used by advanced threats.
Detection Rule
```yaml
title: WMI Persistence - Security
id: f033f3f3-fd24-4995-97d8-a3bb17550a88
related:
    - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
      type: derived
status: test
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
references:
    - https://twitter.com/mattifestation/status/899646620148539397
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017-08-22
modified: 2022-11-29
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectType: 'WMI Namespace'
        ObjectName|contains: 'subscription'
    condition: selection
falsepositives:
    - Unknown (data set is too small; further testing needed)
level: medium
```
```kql
// imRegistry is the Azure Sentinel ASIM registry-event parser. This fragment
// only narrows on the key name; it is a starting point for a hunt, not a
// complete query.
imRegistry
| where RegistryKey contains "subscription"
```
Scenario: Scheduled Task Creation via schtasks.exe
Description: A legitimate system administrator creates a scheduled task using schtasks.exe to run a maintenance script.
Filter/Exclusion: EventID=100 AND (TaskName contains "Maintenance" OR CommandLine contains "schtasks.exe /create")

Scenario: WMI Event Filter for System Monitoring
Description: A security tool such as Microsoft Defender for Endpoint or Splunk uses a WMI event filter to monitor system events for security purposes.
Filter/Exclusion: EventID=100 AND (FilterName contains "Defender" OR FilterName contains "Splunk")

Scenario: PowerShell Script Execution via WMI Consumer
Description: A PowerShell script is executed via a WMI event consumer as part of a legitimate automation process, such as PowerShell Desired State Configuration (DSC).
Filter/Exclusion: EventID=100 AND (ConsumerName contains "PowerShell" OR ConsumerName contains "DSC")

Scenario: System Event Logging via WMI
Description: A system event log is written to disk using a WMI event consumer as part of a standard logging process.
Filter/Exclusion: EventID=100 AND (ConsumerName contains "EventLog" OR ConsumerName contains "LogWriter")

Scenario: Windows Update Scheduled Job
Description: A Windows Update job is scheduled via WMI to ensure systems stay up to date.
Filter/Exclusion: EventID=100 AND (TaskName contains "WindowsUpdate" OR CommandLine contains "wuauclt.exe")
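The script below is an added example, not part of the original page, the Sigma project, or Microsoft's code. It serves both the detection rule and the scenario list: it evaluates the rule's `selection` (with Sigma's case-insensitive matching) over constructed Security-log records, emits the equivalent Azure Sentinel KQL, and applies exclusions shaped like the scenario table with the AND/OR precedence made explicit, so that an exclusion only drops a hit when its base condition and at least one alternative both hold. The `SecurityEvent` column names in the generated KQL, the function names (`matches_selection`, `hunt`, `selection_to_kql`), the sample records, and the service-account names in the exclusion are all assumptions made for illustration.

```python
"""Added example: evaluate the 'WMI Persistence - Security' Sigma selection
over constructed Security-log records and render it as Sentinel KQL.
Not code from the page, the Sigma project, or Microsoft."""
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Selection copied from the rule above. A key 'Field|contains' carries a
# Sigma modifier; a bare key is an exact match.
SELECTION: Dict[str, Any] = {
    "EventID": 4662,
    "ObjectType": "WMI Namespace",
    "ObjectName|contains": "subscription",
}

# Exclusion in the shape of the scenario table, with precedence made explicit:
# ALL of "all" must hold AND at least one of "any". Account names are
# constructed stand-ins for automation identities (assumption).
EXCLUSIONS: List[Dict[str, Any]] = [
    {
        "all": {"EventID": 4662, "ObjectType": "WMI Namespace"},
        "any": [("SubjectUserName|contains", "svc_dsc"),
                ("SubjectUserName|contains", "svc_splunk")],
    },
]

# Constructed 4662 records (not real telemetry). Only the fields the example
# needs are present.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4662, "ObjectType": "WMI Namespace", "ObjectName": "root\\subscription",
     "SubjectUserName": "jdoe"},
    {"EventID": 4662, "ObjectType": "WMI Namespace", "ObjectName": "root\\cimv2",
     "SubjectUserName": "jdoe"},
    {"EventID": 4662, "ObjectType": "File", "ObjectName": "C:\\temp\\subscription.txt",
     "SubjectUserName": "jdoe"},
    {"EventID": 4688, "ObjectType": "WMI Namespace", "ObjectName": "root\\subscription",
     "SubjectUserName": "jdoe"},
    {"EventID": 4662, "ObjectType": "WMI Namespace", "ObjectName": "ROOT\\Subscription",
     "SubjectUserName": "svc_dsc"},
]


def _field_matches(event: Event, key: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier: value' pair with Sigma semantics."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = event[field]
    if modifier == "":
        if isinstance(expected, str):          # strings compare case-insensitively
            return str(actual).lower() == expected.lower()
        return actual == expected              # numbers compare exactly
    if modifier == "contains":
        return expected.lower() in str(actual).lower()
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_selection(event: Event, selection: Dict[str, Any]) -> bool:
    """All pairs of a Sigma selection must hold (implicit AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def matches_exclusion(event: Event, exclusion: Dict[str, Any]) -> bool:
    """base AND (alt1 OR alt2 ...); an exclusion with no alternatives is base alone."""
    base = all(_field_matches(event, k, v) for k, v in exclusion.get("all", {}).items())
    alts: List[Tuple[str, Any]] = exclusion.get("any", [])
    return base and (not alts or any(_field_matches(event, k, v) for k, v in alts))


def hunt(events: List[Event], selection: Dict[str, Any],
         exclusions: List[Dict[str, Any]]) -> List[Event]:
    """Return records that match the rule and are not covered by any exclusion."""
    return [ev for ev in events
            if matches_selection(ev, selection)
            and not any(matches_exclusion(ev, ex) for ex in exclusions)]


def selection_to_kql(selection: Dict[str, Any], table: str = "SecurityEvent") -> str:
    """Render the selection as KQL. '=~' keeps Sigma's case-insensitive equality;
    KQL 'contains' is already case-insensitive. Column names are assumed."""
    lines = [table]
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if modifier == "":
            op = "==" if isinstance(value, int) else "=~"
        elif modifier == "contains":
            op = "contains"
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        literal = str(value) if isinstance(value, int) else f'"{value}"'
        lines.append(f"| where {field} {op} {literal}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(selection_to_kql(SELECTION))
    for hit in hunt(SAMPLE_EVENTS, SELECTION, EXCLUSIONS):
        print("HIT:", hit)
```

Of the five constructed records only the first survives: the second and third fail the `ObjectName` and `ObjectType` tests, the fourth has the wrong `EventID`, and the fifth matches the rule (note the case-insensitive `ROOT\Subscription`) but is dropped by the exclusion because its base condition and one alternative both hold. Exclusions keyed on fields a 4662 record never carries would never intersect with the rule's hits, which is why the example keys its exclusion on the same columns the rule matches.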