Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
WMI Backdoor Exchange Transport Agent
Level: critical | Status: test | Author: Florian Roth (Nextron Systems) | ID: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
Sigma YAML:
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
    - https://twitter.com/cglyer/status/1182389676876980224
    - https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EdgeTransport.exe'
    filter_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        Image|endswith: '\Bin\OleConverter.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: critical
New ActiveScriptEventConsumer Created Via Wmic.EXE
Level: high | Status: test | Author: Florian Roth (Nextron Systems) | ID: ebef4391-1a81-4761-a40a-1db446c0e625
Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence.
Sigma YAML:
title: New ActiveScriptEventConsumer Created Via Wmic.EXE
id: ebef4391-1a81-4761-a40a-1db446c0e625
status: test
description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
references:
    - https://twitter.com/johnlatwc/status/1408062131321270282?s=12
    - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
author: Florian Roth (Nextron Systems)
date: 2021-06-25
modified: 2023-02-14
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'ActiveScriptEventConsumer'
            - ' CREATE '
    condition: selection
falsepositives:
    - Legitimate software creating script event consumers
level: high
Suspicious Encoded Scripts in a WMI Consumer
Level: high | Status: test | Author: Florian Roth (Nextron Systems) | ID: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
Detects suspicious encoded payloads in WMI Event Consumers
Sigma YAML:
title: Suspicious Encoded Scripts in a WMI Consumer
id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
status: test
description: Detects suspicious encoded payloads in WMI Event Consumers
references:
    - https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems)
date: 2021-09-01
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1047
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    category: wmi_event
detection:
    selection_destination:
        Destination|base64offset|contains:
            - 'WriteProcessMemory'
            - 'This program cannot be run in DOS mode'
            - 'This program must be run under Win32'
    condition: selection_destination
falsepositives:
    - Unknown
level: high
WMI Persistence - Command Line Event Consumer
Level: high | Status: test | Author: Thomas Patzke | ID: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
Detects WMI command line event consumers
Sigma YAML:
title: WMI Persistence - Command Line Event Consumer
id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
status: test
description: Detects WMI command line event consumers
references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1546.003
    - attack.persistence
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        ImageLoaded|endswith: '\wbemcons.dll'
    condition: selection
falsepositives:
    - Unknown (data set is too small; further testing needed)
level: high
WMI Persistence - Script Event Consumer File Write
Level: high | Status: test | Author: Thomas Patzke | ID: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
Detects file writes of WMI script event consumer
Sigma YAML:
title: WMI Persistence - Script Event Consumer File Write
id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
status: test
description: Detects file writes of WMI script event consumer
references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1546.003
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
    condition: selection
falsepositives:
    - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
level: high
Powershell WMI Persistence
Level: medium | Status: test | Author: frack113 | ID: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
Sigma YAML:
title: Powershell WMI Persistence
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
status: test
description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
author: frack113
date: 2021-08-19
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_ioc:
        - ScriptBlockText|contains|all:
            - 'New-CimInstance '
            - '-Namespace root/subscription '
            - '-ClassName __EventFilter '
            - '-Property ' # is a variable name
        - ScriptBlockText|contains|all:
            - 'New-CimInstance '
            - '-Namespace root/subscription '
            - '-ClassName CommandLineEventConsumer '
            - '-Property ' # is a variable name
    condition: selection_ioc
falsepositives:
    - Unknown
level: medium
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
Level: medium | Status: test | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | ID: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity.
Sigma YAML:
title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
status: test
description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity.
references:
    - https://twitter.com/HunterPlaybook/status/1301207718355759107
    - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2023-02-22
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\scrcons.exe'
        ImageLoaded|endswith:
            - '\vbscript.dll'
            - '\wbemdisp.dll'
            - '\wshom.ocx'
            - '\scrrun.dll'
    condition: selection
falsepositives:
    - Legitimate event consumers
    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
WMI Event Subscription
Level: medium | Status: test | Author: Tom Ueltschi (@c_APT_ure) | ID: 0f06a3a5-6a09-413f-8743-e6cf35561297
Detects creation of WMI event subscription persistence method
Sigma YAML:
title: WMI Event Subscription
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: test
description: Detects creation of WMI event subscription persistence method
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    category: wmi_event
detection:
    selection:
        EventID:
            - 19
            - 20
            - 21
    condition: selection
falsepositives:
    - Exclude legitimate (vetted) use of WMI event subscription in your network
level: medium
WMI Persistence
Level: medium | Status: test | Author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | ID: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Sigma YAML:
title: WMI Persistence
id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
status: test
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
references:
    - https://twitter.com/mattifestation/status/899646620148539397
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017-08-22
modified: 2022-02-10
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.003
logsource:
    product: windows
    service: wmi
    definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher'
detection:
    wmi_filter_to_consumer_binding:
        EventID: 5861
    consumer_keywords:
        - 'ActiveScriptEventConsumer'
        - 'CommandLineEventConsumer'
        - 'CommandLineTemplate'
        # - 'Binding EventFilter' # too many false positives with HP Health Driver
    wmi_filter_registration:
        EventID: 5859
    filter_scmevent:
        Provider: 'SCM Event Provider'
        Query: 'select * from MSFT_SCMEventLogEvent'
        User: 'S-1-5-32-544'
        PossibleCause: 'Permanent'
    condition: ( (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration) ) and not filter_scmevent
falsepositives:
    - Unknown (data set is too small; further testing needed)
level: medium
WMI Persistence - Script Event Consumer
Level: medium | Status: test | Author: Thomas Patzke | ID: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
Detects WMI script event consumers
Sigma YAML:
title: WMI Persistence - Script Event Consumer
id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
status: test
description: Detects WMI script event consumers
references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2022-10-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
        ParentImage: 'C:\Windows\System32\svchost.exe'
    condition: selection
falsepositives:
    - Legitimate event consumers
    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
WMI Persistence - Security
Level: medium | Status: test | Author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | ID: f033f3f3-fd24-4995-97d8-a3bb17550a88
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Sigma YAML:
title: WMI Persistence - Security
id: f033f3f3-fd24-4995-97d8-a3bb17550a88
related:
    - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
      type: derived
status: test
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
references:
    - https://twitter.com/mattifestation/status/899646620148539397
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017-08-22
modified: 2022-11-29
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectType: 'WMI Namespace'
        ObjectName|contains: 'subscription'
    condition: selection
falsepositives:
    - Unknown (data set is too small; further testing needed)
level: medium