Threat Feed
medium advisory

Detect Suspicious WMI Event Subscription Creation for Persistence

This threat brief details the detection of malicious Windows Management Instrumentation (WMI) event subscriptions, a technique used by attackers for persistence and privilege escalation on Windows systems.

Attackers abuse Windows Management Instrumentation (WMI) event subscriptions to establish persistence on compromised systems. By creating WMI event subscriptions that trigger malicious actions based on system events, adversaries can ensure their code executes automatically. This technique is particularly effective because WMI is a legitimate system administration tool, making malicious activity harder to detect. This rule focuses on detecting suspicious WMI event consumers, specifically CommandLineEventConsumer and ActiveScriptEventConsumer. The detection leverages Sysmon event code 21 and endpoint API events related to IWbemServices::PutInstance calls. The timeframe for the rule is set to look back 9 minutes.

Attack Chain

  1. Attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker uses PowerShell or another scripting language to interact with the WMI service.
  3. The attacker creates a new WMI event filter to monitor for a specific system event.
  4. The attacker creates a WMI event consumer, such as CommandLineEventConsumer or ActiveScriptEventConsumer, to execute a malicious payload.
  5. The attacker links the event filter and consumer by creating a WMI event subscription.
  6. The malicious WMI event subscription persists across reboots.
  7. When the specified event occurs, the malicious consumer executes the attacker’s payload.
  8. The attacker maintains persistent access and can perform further malicious activities, such as data exfiltration or lateral movement.
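The steps above describe the filter, consumer and binding objects the attacker creates; on the defender's side the binding step is what Sysmon Event ID 21 records. The following Python detector is an added example, not code from the brief or from the platform it describes: it consumes constructed Sysmon Event ID 21 records (sample data only, not real telemetry), keeps those created inside the 9-minute lookback the brief mentions, parses the consumer class out of the WMI object path, and raises an alert when the class is CommandLineEventConsumer or ActiveScriptEventConsumer. The field layout (UtcTime, Operation, User, Consumer, Filter, with Consumer given as a `\\.\root\subscription:Class.Name="..."` path) is assumed from Sysmon's documented WmiEvent schema; adapt the parser if your collector renames fields.

```python
import re
from datetime import datetime, timedelta

# Consumer classes the brief singles out as suspicious when bound to a filter.
SUSPICIOUS_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Assumed Sysmon Event ID 21 layout: the Consumer field carries a WMI object
# path such as  \\.\root\subscription:CommandLineEventConsumer.Name="Updater".
CONSUMER_PATH = re.compile(r':(?P<cls>\w+)\.Name="(?P<name>[^"]*)"')

# The brief's rule looks back 9 minutes from evaluation time.
LOOKBACK = timedelta(minutes=9)

# Constructed sample records (not real telemetry). The NTEventLogEventConsumer
# entry mimics the benign default "SCM Event Log" binding present on Windows.
SAMPLE_EVENTS = [
    {"EventID": 21, "UtcTime": "2024-05-01 10:00:05.000", "Operation": "Created",
     "User": "CORP\\admin",
     "Consumer": '\\\\.\\root\\subscription:CommandLineEventConsumer.Name="Updater"',
     "Filter": '\\\\.\\root\\subscription:__EventFilter.Name="Updater"'},
    {"EventID": 21, "UtcTime": "2024-05-01 10:02:10.000", "Operation": "Created",
     "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": '\\\\.\\root\\subscription:NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '\\\\.\\root\\subscription:__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 21, "UtcTime": "2024-05-01 10:03:00.000", "Operation": "Created",
     "User": "CORP\\svc_backup",
     "Consumer": '\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name="Cleanup"',
     "Filter": '\\\\.\\root\\subscription:__EventFilter.Name="Cleanup"'},
    {"EventID": 21, "UtcTime": "2024-05-01 09:40:00.000", "Operation": "Deleted",
     "User": "CORP\\admin",
     "Consumer": '\\\\.\\root\\subscription:CommandLineEventConsumer.Name="Old"',
     "Filter": '\\\\.\\root\\subscription:__EventFilter.Name="Old"'},
]


def parse_utc(ts):
    """Parse the Sysmon UtcTime string format into a naive UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def consumer_class(path):
    """Return (class, name) from a Consumer object path, or (None, None) if unparsable."""
    m = CONSUMER_PATH.search(path)
    return (m.group("cls"), m.group("name")) if m else (None, None)


def find_suspicious_bindings(events, now, lookback=LOOKBACK):
    """Alert on consumer-to-filter bindings created within the lookback window
    whose consumer class is one the brief treats as suspicious."""
    alerts = []
    for ev in events:
        # Only binding creations matter; deletions and other IDs are skipped.
        if ev.get("EventID") != 21 or ev.get("Operation") != "Created":
            continue
        when = parse_utc(ev["UtcTime"])
        if not (now - lookback <= when <= now):
            continue
        cls, name = consumer_class(ev["Consumer"])
        if cls in SUSPICIOUS_CONSUMERS:
            alerts.append({"time": ev["UtcTime"], "user": ev["User"],
                           "consumer_class": cls, "consumer_name": name,
                           "filter": ev["Filter"]})
    return alerts


if __name__ == "__main__":
    # Evaluate as if the rule ran at 10:05 UTC on the constructed day.
    for alert in find_suspicious_bindings(SAMPLE_EVENTS, parse_utc("2024-05-01 10:05:00.000")):
        print(alert)
```

Run against the constructed sample, the detector reports the CommandLineEventConsumer and ActiveScriptEventConsumer bindings and ignores both the default NTEventLogEventConsumer binding and the out-of-window deletion. Matching on the consumer class rather than on the whole path is deliberate: the consumer Name is attacker-chosen and often mimics legitimate software, while the class is fixed by what the consumer can do.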

Impact

Successful exploitation allows attackers to maintain persistent access to the compromised system, even after reboots or other system changes. This can lead to long-term data theft, system compromise, or the deployment of ransomware. While the number of victims is unknown, this technique can be used against a wide range of Windows systems.

Recommendation

  • Enable Sysmon WMI event logging to capture event code 21, which is crucial for detecting WMI event subscription creation.
  • Deploy the Sigma rule “Detect Suspicious WMI Event Subscription Creation” to your SIEM to identify potentially malicious WMI activity.
  • Investigate any process associated with the IWbemServices::PutInstance API call, particularly those using CommandLineEventConsumer or ActiveScriptEventConsumer, as indicated in the Attack Chain section.
  • Monitor for processes or activities around the time of the event to identify potential lateral movement or further persistence mechanisms as outlined in the overview.

Detection coverage (2 rules)

Detect Suspicious WMI Event Subscription Creation

medium

Detects the creation of a WMI Event Subscription with a suspicious consumer type

Format: sigma | Tactics: persistence | Techniques: T1546.003 | Sources: process_creation, windows

Detect WMI Event Filter Creation via Sysmon Event 21

medium

Detects WMI Event Filter creation using Sysmon event code 21, indicating potential persistence attempts.

Format: sigma | Tactics: persistence | Techniques: T1546.003 | Sources: file_event, windows
