00:47 Panelist Introduction
01:20 Webinar Agenda
01:45 Detection Test Challenge: Question 1
Under what conditions will notepad.exe launch?
02:42 Detection Test Challenge: Question 2
Assuming the conditions are met to execute notepad.exe, will it launch as a child process of explorer.exe, svchost.exe, powershell.exe, or wmiprvse.exe?
02:53 Detection Test Challenge: Question 3
Assuming WMI persistence was successfully performed on a Windows 10 host with WMI logging enabled in Sysmon, what Sysmon events will be created to indicate that WMI persistence was performed?
03:10 Detection Test Challenge: Question 4
Assuming WMI persistence was successfully performed on a Windows 10 host with WMI logging enabled in Sysmon, what Microsoft-Windows-WMI-Activity/Operational event will be created to indicate that WMI persistence was performed?
04:21 – 07:12 Answer 1
After system startup
06:18 “How could an attacker actually come up with [query]? WMI eventing often requires creativity, and in this place there’s no straightforward WMI class that represents system startup time, so…this was a good candidate because of the SystemUpTime property.” – Matt
07:41 – 08:30 Answer 2
08:08 “You’ll find this very consistently whether we’re talking about WMI persistence using these techniques or in the case of lateral movement, any child process that’s created as a result of WMI will launch as a child process of wmiprvse.exe.” – Matt
08:31 – 10:00 Answer 3
Microsoft-Windows-Sysmon/Operational Event ID 19, Event ID 20, and Event ID 21
08:45 “Event ID 19 will cover the creation of the Event Filter. Event ID 20 will capture the context around the Event Consumer. And finally Event ID 21 represents the Filter to Consumer Binding. As a defender if you’re investigating this, you can correlate these names to the corresponding Consumer Event, Event ID 20, and the corresponding Filter Event, Event ID 19.” – Matt
10:01 – 11:30 Answer 4
Microsoft-Windows-WMI-Activity/Operational Event ID 5861
11:15 “The benefit you get from [Event ID 5861] is that it’s extremely resilient and it’s also built in, so it’ll be logged automatically…and there’s no configuration required.” – Matt
14:15 “[Microsoft Defender for Endpoint] is bubbling up all the suspicious events to the top, so rather than having to look through everything inside Event Viewer and trying to determine the boundaries around where the malicious activity took place, Microsoft is doing their best to try and draw those boundaries for you and guide your investigation.” – Joe
15:01 ‘See in Timeline’ View
17:18 Advanced Hunting Dashboard
17:40 Advanced Threat Hunting for WMI Baselining
17:52 “We’re using the Microsoft Defender Security Center platform to do this investigation, but these [threat hunting] concepts are going to apply to any EDR solution you’re using in your environment.” – Julie
18:26 “The question that we’re asking for baselining an environment is: what are all of the child processes of WMI related binaries in my environment, and do all those child processes make sense? Are those all things I want to be running in my environment?” – Julie
21:57 “This is a useful exercise just to ask ‘Am I aware of what’s happening in my environment? Do I approve of each of these use cases?’ This also gives you a baseline to refer back to if something ever does hit the fan and you do see persistence via WMI in your environment.” – Julie
22:43 Practical Takeaways
22:56 “WMI is a super powerful tool for attackers. There is very little that you can’t do across the kill chain or MITRE ATT&CK framework in WMI, whether it’s discovery, lateral movement or persistence.” – Matt
23:44 “It’s really key to understand what happened in the persistence. For example: what do the EventFilter and EventConsumer consist of, but also, how was that created in the first place?” – Matt
25:01 “Fortunately for defenders, [WMI persistence] is a relatively low volume event and when it does occur legitimately across your fleet, you’ll likely have the telemetry available to you to quickly triage that and determine whether or not that was expected.” – Matt
25:34 Extended Q&A
25:55 Question: Does WMI require administrative access?
26:00 It depends. If we’re talking about doing WMI tradecraft locally, you usually don’t require administrative access. There are definitely exceptions to that, and one notable one is performing WMI persistence. Where permissions really start to come into play is with remote WMI operations, in which case, by default, you would have to be in the Administrators group.
29:31 Question: Will all WMI activity be shown via Sysmon logging?
29:36 No. Event IDs 19, 20, and 21 only pertain to WMI permanent event subscriptions, i.e. WMI persistence. Considering the wide range of WMI tradecraft, Sysmon unfortunately is not built to detect every conceivable method of WMI tradecraft.
31:36 Question: Do these executions always spawn under the system context, or can you bind to a user account?
31:47 Those child processes, in the case of WMI persistence specifically, will always spawn under system context.
32:56 Question: Is WMI limited to what you can get if you’re not an administrator?
33:09 You can be any authenticated user to do most WMI actions.
34:23 Question: Would there be any options to log without using Sysmon?
34:28 Yes. As mentioned, in the Microsoft-Windows-WMI-Activity/Operational log there’s Event ID 5861 on Windows 10, and that is a fantastic source of logging for just WMI persistence.
40:22 Question: How would you detect custom objects in WMI?
41:22 There is no built-in logging that would surface those kinds of events, like a new WMI class being created and inserted into the WMI repository. But you can create a query to action on new WMI classes being created.
43:03 Question: What are your thoughts on the current detections available for WMI-based persistence?
43:09 The state of WMI-based persistence detection is good. In the case of Defender for Endpoint, there was an alert that was generated, and even in the case where an alert was not generated, there are still opportunities to detect this using the telemetry at your disposal.
44:11 Question: Could there be another parent process besides wmiprvse.exe?
44:23 [scrcons.exe] would be another process that you could use in baselining to see what’s going on in your environment.
46:45 Question: Does WMIC have any different artifacts?
46:50 wmic.exe is a tool that’s used legitimately by administrators and also attackers to perform WMI tradecraft. wmic.exe is like a client executable where the server component, the components that actually do the WMI operations, execute in the context of the WMI service.
48:47 Question: Can mofcomp.exe be used to register consumers in WMI, and would Sysmon/Defender WMI event logging see that?
49:00 Yes, mofcomp.exe is an older utility that can be used to insert and instantiate permanent WMI class instances within the WMI repository. So that is one alternative that attackers have been known to use to perform WMI persistence.