forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathsuspicious_wmi.yml
More file actions
62 lines (60 loc) · 2.74 KB
/
suspicious_wmi.yml
File metadata and controls
62 lines (60 loc) · 2.74 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
category:
- Adversary Tactics
channel: ESCU
creation_date: '2017-01-13'
description: Attackers are increasingly abusing Windows Management Instrumentation
(WMI), a framework and associated utilities available on all modern Windows operating
systems. Because WMI can be leveraged to manage both local and remote systems, it
is important to identify the processes executed and the user context within which
the activity occurred.
detections:
- detection_id: 272df6de-61f1-4784-877c-1fbc3e2d0838
name: Remote WMI Command Attempt
type: splunk
- detection_id: d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da
name: Remote Process Instantiation via WMI
type: splunk
- detection_id: 71bfdb13-f200-4c6c-b2c9-a2e07adf437d
name: WMI Permanent Event Subscription
type: splunk
- detection_id: ad05aae6-3b2a-4f73-af97-57bd26cee3b9
name: WMI Permanent Event Subscription - Sysmon
type: splunk
- detection_id: 38cbd42c-1098-41bb-99cf-9d6d2b296d83
name: WMI Temporary Event Subscription
type: splunk
- detection_id: 24869767-8579-485d-9a4f-d9ddfd8f0cac
name: Process Execution via WMI
type: splunk
- detection_id: aa73f80d-d728-4077-b226-81ea0c8be589
name: Script Execution via WMI
type: splunk
id: c8ddc5be-69bc-4202-b3ab-4010b27d7ad5
maintainers:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
modification_date: '2018-10-23'
name: Suspicious WMI Use
narrative: 'WMI is a Microsoft infrastructure for management data and operations on
Windows operating systems. It includes of a set of utilities that can be leveraged
to manage both local and remote Windows systems. Attackers are increasingly turning
to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance,
detection of antivirus and virtual machines, code execution, lateral movement, persistence,
and data exfiltration. \
The detection searches included in this Analytic Story are used to look for suspicious
use of WMI commands that attackers may leverage to interact with remote systems.
The searches specifically look for the use of WMI to run processes on remote systems.\
In the event that unauthorized WMI execution occurs, it will be important for analysts
and investigators to determine the context of the event. These details may provide
insights related to how WMI was used and to what end.'
original_authors:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
references:
- https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
- https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html
spec_version: 2
usecase: Advanced Threat Detection
version: '2.0'