Windows WMI Impersonate Token
Description
The following analytic identifies possible WMI token impersonation activity in a process or command. This technique was seen in Qakbot malware, which executes VBScript code containing a WMI impersonation object to gain privilege escalation or as defense evasion. This anomaly detection looks for a wmiprvse.exe SourceImage having duplicate-handle or full granted access to a target process.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2022-10-24
- Author: Teoderick Contreras, Splunk
- ID: cf192860-2d94-40db-9a51-c04a2e8a8f8b
Annotations
Kill Chain Phase
- Installation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
`sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe" GrantedAccess IN ("0x1478", "0x1fffff")
| stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace Computer
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wmi_impersonate_token_filter`
Macros
The SPL above uses the following Macros:
windows_wmi_impersonate_token_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
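To show what the search above and its post-filter macro actually compute, here is an added Python re-implementation run over a few constructed Sysmon EventCode 10 records. It is example code written for this page, not Splunk's own, and the helper names (sysmon10, run_search, no_filter, risk_score) and the sample paths, GUIDs and timestamps are assumptions.

```python
from collections import defaultdict

# Access masks the analytic keys on: 0x1478 and 0x1fffff (PROCESS_ALL_ACCESS).
# Both include PROCESS_DUP_HANDLE (0x0040), which is why the page calls this
# "duplicate handle or full granted access".
SUSPICIOUS_ACCESS = {"0x1478", "0x1fffff"}
# Fields of the SPL "stats ... by" clause.
GROUP_BY = ["SourceImage", "TargetImage", "SourceProcessGUID", "TargetProcessGUID",
            "SourceProcessId", "TargetProcessId", "GrantedAccess", "CallTrace", "Computer"]

def sysmon10(t, src, tgt, access, spid=1234, tpid=700):
    """Build a constructed Sysmon EventCode 10 (ProcessAccess) record; not real telemetry."""
    return {"EventCode": 10, "_time": t, "Computer": "ws01.example.local",
            "SourceImage": src, "TargetImage": tgt, "GrantedAccess": access,
            "SourceProcessGUID": "{guid-%d}" % spid, "TargetProcessGUID": "{guid-%d}" % tpid,
            "SourceProcessId": spid, "TargetProcessId": tpid,
            "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d0b4"}

WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed sample data
    sysmon10(1666605601, WMI, LSASS, "0x1FFFFF"),  # full access from wmiprvse: match
    sysmon10(1666605660, WMI, LSASS, "0x1FFFFF"),  # repeat: same stats row, count 2
    sysmon10(1666605700, WMI, r"C:\Windows\explorer.exe", "0x1000", tpid=4321),  # query-only: no match
    sysmon10(1666605800, r"C:\Windows\System32\svchost.exe", LSASS, "0x1fffff", spid=888),  # not wmiprvse
]

def is_match(ev):
    """Base search: EventCode=10, SourceImage=*\\wmiprvse.exe, GrantedAccess IN (...)."""
    if ev.get("EventCode") != 10:
        return False
    src = str(ev.get("SourceImage", "")).lower()  # Splunk term matching is case-insensitive
    return src.endswith("\\wmiprvse.exe") and str(ev.get("GrantedAccess", "")).lower() in SUSPICIOUS_ACCESS

def no_filter(row):  # stand-in for `windows_wmi_impersonate_token_filter` (empty by default)
    return True

def run_search(events, post_filter=no_filter):
    """Apply the base search, then `stats count min(_time) max(_time) by GROUP_BY`."""
    groups = defaultdict(list)
    for ev in events:
        if is_match(ev):
            groups[tuple(ev[f] for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key), count=len(times), firstTime=min(times), lastTime=max(times))
        if post_filter(row):  # the macro drops known false positives without touching the SPL
            rows.append(row)
    return rows

def risk_score(impact, confidence):  # RBA formula from this page: Impact * Confidence / 100
    return impact * confidence / 100
```

Passing a real predicate as post_filter (for example, excluding an audited target image) is the equivalent of populating the filter macro.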
Required fields
List of fields required to use this analytic.
- _time
- SourceImage
- TargetImage
- SourceProcessGUID
- TargetProcessGUID
- SourceProcessId
- TargetProcessId
- GrantedAccess
- CallTrace
- Computer
How To Implement
This search requires Sysmon logs and a Sysmon configuration that includes EventCode 10. This search uses an input macro named sysmon. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
Known False Positives
Administrators may execute a WMI impersonation object script for auditing. Filtering is needed.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
25.0 | 50 | 50 | wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md
- https://www.joesandbox.com/analysis/278341/0/html
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range