Register WMI event filter (WmiEvent)

What is WMI?

WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. An event filter is a WMI class that describes which events WMI delivers to an event consumer. An event filter also describes the conditions under which WMI delivers the events.
Windows Management Instrumentation (WMI) event subscription (ATT&CK T1546.003) is a popular technique for establishing persistence on an endpoint. An attacker registers a filter for an event that is sure to recur (a process start, a timer, a logon) and a consumer that runs arbitrary code when the event fires; once the two are bound, the payload is launched by the WMI provider host every time the condition is met, surviving reboots without any file or registry autostart entry.

WmiEvent (WmiEventFilter activity detected)

Sysmon Event ID 19. When a WMI event filter is registered, which is the first step malware takes to set up this kind of persistence, this event logs the WMI namespace the filter applies to, the filter name and the filter expression (the WQL query that selects the triggering event).

WmiEvent (WmiEventConsumer activity detected)

Sysmon Event ID 20. This event logs the registration of a WMI event consumer, recording the consumer name, its type (for example CommandLineEventConsumer or ActiveScriptEventConsumer) and its destination, i.e. the command line or script that will be run.

WmiEvent (WmiEventConsumerToFilter activity detected)

Sysmon Event ID 21. When a consumer is bound to a filter, this event logs the consumer name and the filter path. The binding is what makes the subscription active, so this is the record that confirms the payload will actually run.
Resources about WMI:

One thing I noted was that no entries were found in WmiEvent.
WmiEvent is for catching WMI filter and consumer activity, as well as the binding that makes them active. Sysmon splits this into three events by default: creation of a filter (Event ID 19), creation of a consumer (Event ID 20) and binding of a consumer to a filter (Event ID 21). OpenEDR combines these three into a single WmiEvent. Nothing is written to any of them until something actually registers a subscription, so an idle lab VM produces no entries; they have to be triggered deliberately.

Creating a WMI filter for GPO (To trigger WmiEvent)

Current issue: when I opened the Group Policy Management console, a popup appeared saying that I needed to log in with a domain user account to manage Group Policy.
[screenshot: popup asking for a domain user account to manage Group Policy]
When I clicked OK, the console appeared with a small window saying "GPO is loading...". The console showed nothing, i.e. no forest and no domain, and the loading window never finished. After waiting 20 minutes it was still loading; I doubt this is due to the VM being slow.
[screenshot: Group Policy Management console with the "GPO is loading..." window]
My initial thought is that it does not work without a domain user account. The link provided also mentions that you must be a member of the Domain Admins group to modify GPOs. There is a second problem with this route: a GPO WMI filter is a WQL query stored in Active Directory and evaluated when policy is applied; it does not create an __EventFilter, a consumer or a __FilterToConsumerBinding in root\subscription, so even with a domain account it would not generate the three WmiEvent records.
 
Solution: since the UI cannot be used, use PowerShell instead to create the WMI event subscription (filter, consumer and binding) directly.
Follow the steps in Option 1 from the link above and check OrientDB for WmiEvent:
[screenshot: OrientDB query results showing the WmiEvent entries]
As you can see from the screenshot above, all three WmiEvent entries (filter, consumer and binding) were generated.
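The script below is an added example written for this page; it is not code from the original post, from OpenEDR or from the linked "Option 1". It performs the three registrations in the order Sysmon logs them (Event IDs 19, 20, 21), reads those records back from the Sysmon channel so the lab result can be checked without the OpenEDR UI, optionally fires the subscription, and then removes everything. The classes and namespace are Windows' own; the filter and consumer names, the log path and the notepad.exe trigger condition are assumptions chosen for the example. It needs Windows PowerShell 5.1 (the WMI cmdlets are not in PowerShell 7), an elevated prompt, and Sysmon running with WmiEvent enabled in its configuration.

```powershell
# Added example for this page (not code from the original post, from OpenEDR or
# from the linked "Option 1"). Registers a permanent WMI event subscription with the
# three objects Sysmon reports as Event IDs 19, 20 and 21, reads those records back
# from the Sysmon channel, and removes the subscription again.
# Requirements: Windows PowerShell 5.1 (Set-WmiInstance/Get-WmiObject), an elevated
# prompt, and Sysmon running with WmiEvent enabled in its configuration.
# The filter/consumer names, the log path and the notepad.exe trigger are
# assumptions chosen for this example.

$Namespace    = 'root\subscription'
$FilterName   = 'LabWmiEventFilter'                 # assumed name
$ConsumerName = 'LabWmiEventConsumer'               # assumed name
$LogPath      = 'C:\Windows\Temp\wmievent_test.log' # assumed path

# What is already registered? Attacker persistence lives in exactly these classes,
# so this listing doubles as the manual hunting check.
Write-Host '== Existing filter-to-consumer bindings =='
Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-Table -AutoSize

# 1. __EventFilter (Sysmon Event ID 19): WHICH event we subscribe to.
#    Polls every 5 seconds for a new Win32_Process named notepad.exe.
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'"
$Filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
    Name           = $FilterName
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = $Query
}

# 2. CommandLineEventConsumer (Sysmon Event ID 20): WHAT runs when the filter fires.
#    Malware would put its payload here; this one only appends a line to a log file.
$Consumer = Set-WmiInstance -Namespace $Namespace -Class CommandLineEventConsumer -Arguments @{
    Name                = $ConsumerName
    CommandLineTemplate = "cmd.exe /c echo %TargetInstance.Name% started >> $LogPath"
}

# 3. __FilterToConsumerBinding (Sysmon Event ID 21): ties filter to consumer.
#    Nothing executes until this object exists, so it is the record that matters most.
$null = Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $Filter
    Consumer = $Consumer
}

# Read back what Sysmon logged. The filter name appears in events 19 and 21 and the
# consumer name in events 20 and 21, so matching on either name finds all three.
Start-Sleep -Seconds 2
$SysmonEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 19, 20, 21
} -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $FilterName -or $_.Message -match $ConsumerName }

Write-Host "== Sysmon WmiEvent records for this subscription: $($SysmonEvents.Count) =="
$SysmonEvents | Sort-Object Id |
    Format-Table TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } -AutoSize

# Optional: fire the subscription and confirm the consumer ran (the resulting cmd.exe
# is a child of WmiPrvSE.exe running as SYSTEM, which is also how it looks in Event ID 1).
Start-Process notepad.exe
Start-Sleep -Seconds 8
if (Test-Path $LogPath) { Get-Content $LogPath }

# Clean up: remove the binding first so the filter and consumer stop being active,
# then the filter and consumer themselves.
Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -match $FilterName } | Remove-WmiObject
Get-WmiObject -Namespace $Namespace -Class __EventFilter -Filter "Name='$FilterName'" | Remove-WmiObject
Get-WmiObject -Namespace $Namespace -Class CommandLineEventConsumer -Filter "Name='$ConsumerName'" | Remove-WmiObject
Get-Process notepad -ErrorAction SilentlyContinue | Stop-Process
```

Run it once on the lab VM and expect three Sysmon records (one each of ID 19, 20 and 21) naming the filter and consumer above; the same registrations are what OpenEDR should surface as its combined WmiEvent. If the Get-WinEvent step returns nothing while the OrientDB check does show entries, Sysmon's configuration is the first thing to verify, since the subscription itself is clearly being created.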