Analytics Story: Suspicious WMI Use

Date: 2018-10-23 ID: c8ddc5be-69bc-4202-b3ab-4010b27d7ad5 Author: Rico Valdez, Splunk Product: Splunk Enterprise Security

Description

Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.

Why it matters

WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect WMI Event Subscription Persistence Windows Management Instrumentation Event Subscription, Event Triggered Execution TTP
PowerShell Invoke WmiExec Usage Windows Management Instrumentation TTP
Process Execution via WMI Windows Management Instrumentation TTP
Remote Process Instantiation via WMI Windows Management Instrumentation TTP
Remote WMI Command Attempt Windows Management Instrumentation TTP
Script Execution via WMI Windows Management Instrumentation TTP
Windows WMI Process Call Create Windows Management Instrumentation Hunting
WMI Permanent Event Subscription Windows Management Instrumentation TTP
WMI Permanent Event Subscription - Sysmon Windows Management Instrumentation Event Subscription, Event Triggered Execution TTP
WMI Temporary Event Subscription Windows Management Instrumentation TTP
WMIC XSL Execution via URL XSL Script Processing TTP
XSL Script Execution With WMIC XSL Script Processing TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 20 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 21 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 2