WMI Eventing
Hypothesis
Adversaries might be leveraging WMI eventing for persistence in my environment.
Technical Context
WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards. Both standards aim to provide an industry-agnostic means of collecting and transmitting information related to any managed component in an enterprise. Examples of managed components in WMI are a running process, a registry key, an installed service, file information, etc. At a high level, the Microsoft implementation of these standards can be summarized as follows:

- Managed components: represented as WMI objects, i.e. class instances representing highly structured operating system data. Microsoft provides a wealth of WMI objects that communicate information related to the operating system, e.g. Win32_Process, Win32_Service, AntiVirusProduct, Win32_StartupCommand.
Offensive Tradecraft
From an offensive perspective, WMI has the ability to trigger off nearly any conceivable event, making it a good technique for persistence.

A permanent WMI event subscription has three requirements:

- Filter - the event to trigger off of (an __EventFilter instance holding a WQL query)
- Consumer - the action to take when the filter fires (e.g. a command-line or script consumer)
- Binding - links a filter to a consumer (a __FilterToConsumerBinding instance), which is what registers the subscription
Pre-Recorded Security Datasets

| Metadata | Value |
|---|---|
| docs | https://securitydatasets.com/notebooks/atomic/windows/persistence/SDWIN-190518184306.html |
| link | |
Download Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# Pre-recorded dataset archive for the WMI local event subscription test
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_wmi_local_event_subscriptions_elevated_user.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail loudly instead of unzipping an error page
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single JSON-lines file; extract it and keep its path for loading
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```
Read Dataset
Analytics
A few initial ideas to explore your data and validate your detection logic:
Analytic I
Look for WMI event filters registered.

| Data source | Event Provider | Relationship | Event |
|---|---|---|---|
| WMI object | Microsoft-Windows-Sysmon/Operational | User created Wmi filter | 19 |
Logic
Pandas Query
Analytic II
Look for WMI event consumers registered.

| Data source | Event Provider | Relationship | Event |
|---|---|---|---|
| WMI object | Microsoft-Windows-Sysmon/Operational | User created Wmi consumer | 20 |
Logic
Pandas Query
Analytic III
Look for WMI consumers binding to filters.

| Data source | Event Provider | Relationship | Event |
|---|---|---|---|
| WMI object | Microsoft-Windows-Sysmon/Operational | User created Wmi subscription | 21 |
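Analytics I to III each look at one of the three Sysmon WMI events in isolation. The added example below (not part of the original notebook) joins events 19, 20 and 21 so that each binding is shown with the query that triggers it and the action it runs; the sample records are constructed to mimic Sysmon's WmiEvent field names and the `Name="..."` object-path form the binding event uses for its Filter and Consumer fields, which are assumptions about the record layout rather than data from the page's dataset.

```python
import json
import re

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample records in JSON-lines form (not real telemetry), one
# permanent subscription plus an unrelated event to show the filter works.
SAMPLE_EVENTS = r"""
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 19, "Operation": "Created", "User": "CORP\\admin", "EventNamespace": "root\\CimV2", "Name": "Updater", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 20, "Operation": "Created", "User": "CORP\\admin", "Name": "Updater", "Type": "Command Line", "Destination": "C:\\Windows\\System32\\cmd.exe /c C:\\ProgramData\\updater.bat"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 21, "Operation": "Created", "User": "CORP\\admin", "Consumer": "CommandLineEventConsumer.Name=\"Updater\"", "Filter": "__EventFilter.Name=\"Updater\""}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
"""


def _name_from_ref(ref: str) -> str:
    """Pull the instance name out of a WMI object path such as
    __EventFilter.Name="Updater" (assumed form of the event 21 fields)."""
    m = re.search(r'Name="([^"]*)"', ref)
    return m.group(1) if m else ref


def correlate_wmi_subscriptions(jsonl: str) -> list:
    """Join Sysmon 19 (filter), 20 (consumer) and 21 (binding) into one row
    per subscription, so trigger and action can be reviewed together."""
    filters, consumers, rows = {}, {}, []
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    # First pass: index filters and consumers by their WMI instance name.
    for e in events:
        if e.get("Channel") != SYSMON_CHANNEL:
            continue
        if e.get("EventID") == 19:
            filters[e["Name"]] = e
        elif e.get("EventID") == 20:
            consumers[e["Name"]] = e
    # Second pass: resolve each binding (event 21) against both indexes.
    for e in events:
        if e.get("Channel") == SYSMON_CHANNEL and e.get("EventID") == 21:
            filter_name = _name_from_ref(e["Filter"])
            consumer = consumers.get(_name_from_ref(e["Consumer"]), {})
            rows.append({
                "user": e.get("User"),
                "filter": filter_name,
                "query": filters.get(filter_name, {}).get("Query"),
                "consumer_type": consumer.get("Type"),
                "destination": consumer.get("Destination"),
            })
    return rows
```

Running `correlate_wmi_subscriptions` over a real Sysmon export from the dataset above gives one row per binding; a binding whose filter or consumer is missing from the indexes (created before logging started, or in another namespace) still appears with `None` in those columns, which is itself worth a look.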