{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/event-subscription/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["persistence","wmi","windows","event-subscription"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers abuse Windows Management Instrumentation (WMI) event subscriptions to establish persistence on compromised systems. By creating WMI event subscriptions that trigger malicious actions based on system events, adversaries can ensure their code executes automatically. This technique is particularly effective because WMI is a legitimate system administration tool, making malicious activity harder to detect. This rule focuses on detecting suspicious WMI event consumers, specifically \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e and \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e. The detection leverages Sysmon event code 21 and endpoint API events related to \u003ccode\u003eIWbemServices::PutInstance\u003c/code\u003e calls. The timeframe for the rule is set to look back 9 minutes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell or another scripting language to interact with the WMI service.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new WMI event filter to monitor for a specific system event.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a WMI event consumer, such as \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e or \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e, to execute a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker links the event filter and consumer by creating a WMI event subscription.\u003c/li\u003e\n\u003cli\u003eThe malicious WMI event subscription persists across reboots.\u003c/li\u003e\n\u003cli\u003eWhen the specified event occurs, the malicious consumer executes the attacker\u0026rsquo;s payload.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and can perform further malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to the compromised system, even after reboots or other system changes. This can lead to long-term data theft, system compromise, or the deployment of ransomware. While the number of victims is unknown, this technique can be used against a wide range of Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon WMI event logging to capture event code 21, which is crucial for detecting WMI event subscription creation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WMI Event Subscription Creation\u0026rdquo; to your SIEM to identify potentially malicious WMI activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any process associated with the \u003ccode\u003eIWbemServices::PutInstance\u003c/code\u003e API call, particularly those using \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e or \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e, as indicated in the Attack Chain section.\u003c/li\u003e\n\u003cli\u003eMonitor for processes or activities around the time of the event to identify potential lateral movement or further persistence mechanisms as outlined in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-event-subscription/","summary":"This threat brief details the detection of malicious Windows Management Instrumentation (WMI) event subscriptions, a technique used by attackers for persistence and privilege escalation on Windows systems.","title":"Detect Suspicious WMI Event Subscription Creation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-event-subscription/"}],"language":"en","title":"CraftedSignal Threat Feed — Event-Subscription","version":"https://jsonfeed.org/version/1.1"}