Windows WMI Impersonate Token

Try in Splunk Security Cloud

Description

The following analytic identifies a possible wmi token impersonation activities in a process or command. This technique was seen in Qakbot malware where it will execute a vbscript code contains wmi impersonation object to gain privilege escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe SourceImage having a duplicate handle or full granted access in a target process.

• Type: Anomaly
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2022-10-24
• Author: Teoderick Contreras, Splunk
• ID: cf192860-2d94-40db-9a51-c04a2e8a8f8b

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1047	Windows Management Instrumentation	Execution

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 3
• CIS 5
• CIS 16

CVE

Search

`sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe"  GrantedAccess IN ("0x1478", "0x1fffff") 
| stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace Computer 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_wmi_impersonate_token_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• sysmon

windows_wmi_impersonate_token_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• SourceImage
• TargetImage
• SourceProcessGUID
• TargetProcessGUID
• SourceProcessId
• TargetProcessId
• GrantedAccess
• CallTrace
• Computer

How To Implement

This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named sysmon. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Known False Positives

administrator may execute impersonate wmi object script for auditing. Filter is needed.

Associated Analytic Story

• Qakbot

RBA

Risk Score	Impact	Confidence	Message
25.0	50	50	wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md
• https://www.joesandbox.com/analysis/278341/0/html

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log

source | version: 1