1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. This rule alerts on a process start of wmic.exe (matched by process name or PE original file name, so a renamed binary is still caught) whose arguments create an ActiveScriptEventConsumer or CommandLineEventConsumer. Subscriptions created through other interfaces (for example PowerShell CIM/WMI cmdlets or compiled MOF files) are outside the scope of this query and need separate coverage.", 6 "from": "now-9m", 7 "index": [ 8 "logs-endpoint.events.*", 9 "winlogbeat-*", 10 "logs-windows.*" 11 ], 12 "language": "eql", 13 "license": "Elastic License v2", 14 "name": "Persistence via WMI Event Subscription", 15 "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", 16 "risk_score": 21, 17 "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", 18 "severity": "low", 19 "tags": [ 20 "Elastic", 21 "Host", 22 "Windows", 23 "Threat Detection", 24 "Persistence" 25 ], 26 "threat": [ 27 { 28 "framework": "MITRE ATT&CK", 29 "tactic": { 30 "id": "TA0003", 31 "name": "Persistence", 32 "reference": "https://attack.mitre.org/tactics/TA0003/" 33 }, 34 "technique": [ 35 { 36 "id": "T1546", 37 "name": "Event Triggered Execution", 38 "reference": "https://attack.mitre.org/techniques/T1546/", 39 "subtechnique": [ 40 { 41 "id": "T1546.003", 42 "name": "Windows Management Instrumentation Event Subscription", 43 "reference": "https://attack.mitre.org/techniques/T1546/003/" 44 } 45 ] 46 } 47 ] 48 } 49 ], 50 "timestamp_override": "event.ingested", 51 "type": "eql", 52 "version": 4 53} 54