Channels:
Security.
Event: 4688.
Microsoft-Windows-WMI-Activity/Operational.
Events: 5857, 5858, 5859, 5860, 5861.
Process execution
Tracking process execution is the most reliable native way to detect lateral movement leveraging WMI: on the destination host, a process created through Win32_Process::Create runs as a child of WmiPrvSE.exe, and on the source host the tooling used (wmic.exe, PowerShell, ...) is itself a newly created process. Without Audit Process Creation enabled to log process creation event 4688 (or a dedicated product tracking process creation, such as Sysmon or an EDR), lateral movement over WMI cannot be reliably detected or investigated.
| Channel | Conditions | Events |
|---|---|---|
| Security | Requires Audit Process Creation to be enabled. Requires the ProcessCreationIncludeCmdLine_Enabled registry value (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit) to be set to 1 for the command line to be logged. The parent process name (Creator Process Name field) is only included from Windows 10 / Windows Server 2016 onward; earlier versions only log the Creator Process ID, which must be resolved against the 4688 event of the parent. | Event 4688: A new process has been created. Refer to the ETW - Process creation page for more general information on the event. The event can be used to track the execution of programs related to WMI. For instance, the execution of wmic [...] /node:<REMOTE_HOST> can be an indicator of outgoing lateral movement over WMI on the source host, and a process with WmiPrvSE.exe as its parent process can be an indicator of incoming lateral movement over WMI on the destination host. |
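The prerequisites and the two indicators above, as an added PowerShell example (not code from the original page): it enables Audit Process Creation and command-line logging, then parses 4688 events by field name and flags outgoing wmic /node: or Invoke-WmiMethod/Invoke-CimMethod -ComputerName executions on the source host and children of WmiPrvSE.exe on the destination host. It assumes an elevated session on Windows 10 / Server 2016 or later (where 4688 carries ParentProcessName); the indicator regexes and the function name are illustrative choices, not a Microsoft schema.

```powershell
# Added example, not from the original page: enable the 4688 prerequisites, then
# hunt the Security log for the WMI lateral-movement indicators described above.
# Assumptions: elevated session; Windows 10 / Server 2016+ so that 4688 carries
# ParentProcessName; the indicator regexes below are illustrative, not exhaustive.

# --- 1. Prerequisites ---------------------------------------------------------
# Success auditing of Process Creation is what produces 4688.
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
# Include the command line in 4688 (ProcessCreationIncludeCmdLine_Enabled = 1).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# --- 2. Hunt --------------------------------------------------------------------
function Get-WmiLateralMovementFrom4688 {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME   # remote hosts need the Remote Event Log Management firewall rules
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData fields by name rather than by position, which shifts between OS versions.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $cmd    = $d['CommandLine']
        $parent = $d['ParentProcessName']   # absent before Windows 10 / Server 2016

        $indicator = $null
        if ($cmd -match '(?i)\bwmic(\.exe)?\b.*\s/node:') {
            $indicator = 'outgoing: wmic /node:'
        } elseif ($cmd -match '(?i)Invoke-(Wmi|Cim)Method\b.*-ComputerName') {
            $indicator = 'outgoing: PowerShell remote WMI/CIM method'
        } elseif ($parent -match '(?i)\\WmiPrvSE\.exe$') {
            $indicator = 'incoming: child of WmiPrvSE.exe'
        }
        if ($indicator) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Indicator   = $indicator
                Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                NewProcess  = $d['NewProcessName']
                Parent      = $parent
                CommandLine = $cmd
            }
        }
    }
}

Get-WmiLateralMovementFrom4688 | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

WmiPrvSE.exe also parents processes started by local, legitimate WMI use (management agents, scheduled scripts), so an incoming hit is best corroborated with a 4624 network logon (Logon Type 3) for the same account shortly before the 4688, which is what a remote DCOM/WMI call produces on the destination host.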
WMI Event subscription
| Channel | Conditions | Events |
|---|---|---|
| Microsoft-Windows-WMI-Activity/Operational | Introduced in Windows 8.1 / Windows Server 2012 R2. Enabled by default. | Event 5857: <PROVIDER_NAME> provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = <PID>; ProviderPath = <PROVIDER_DLL_PATH>. Logged whenever a provider is loaded by WMI. WMI uses providers to access system components (which it then exposes as classes). As providers are loaded into a wmiprvse.exe host running as NT AUTHORITY\SYSTEM (or as LOCAL SERVICE / NETWORK SERVICE, depending on the provider's HostingModel), a malicious provider DLL can be a way to maintain elevated persistence on the system. The event is raised for every legitimate provider load as well, so the ProviderPath should be compared against a baseline of known provider DLLs. Information of interest: - The provider name and DLL full path. - The Process ID (PID) of the wmiprvse.exe process that loaded the provider. |
| Microsoft-Windows-WMI-Activity/Operational | Introduced in Windows 8.1 / Windows Server 2012 R2. Enabled by default. | Event 5858: Operation_ClientFailure. Logged for an error in a WMI operation, such as a WMI query (IWbemServices::ExecQuery or IWbemServices::ExecNotificationQuery), an object retrieval (IWbemServices::GetObject), or a CIM-object method execution (IWbemServices::ExecMethod). Only failed operations are logged: a successful remote Win32_Process::Create does not produce this event. Information of interest: - Domain and username of the user that conducted the WMI operation. - The ClientMachine, i.e. the host the operation originated from (the source host, for a remote operation). - The result code of the failed operation. - The Process ID (PID) of the client process that conducted the operation. - Details on the operation that raised the error. For a WMI query, the query string is included, for example: Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct. For a method execution, the WMI namespace, the class, and the method called are included, in the following format: IWbemServices::ExecMethod - <NAMESPACE> : <CLASS>::<METHOD>. For example: IWbemServices::ExecMethod - ROOT\Microsoft\Windows\Smb : MSFT_SmbShare::FireShareChangeEvent. |
| Microsoft-Windows-WMI-Activity/Operational | Introduced in Windows 8.1 / Windows Server 2012 R2. Enabled by default. | Event 5859: Operation_EssStarted. Appears to be logged when the event filter of a permanent WMI Event Subscription is activated (event 5861 refers to it as the filter's activation event). Information of interest: - WMI namespace and query associated with the permanent subscription. - The provider serving the query. |
| Microsoft-Windows-WMI-Activity/Operational | Introduced in Windows 8.1 / Windows Server 2012 R2. Enabled by default. | Event 5860: Operation_TemporaryEssStarted. Logged whenever a temporary WMI Event Subscription is registered. Temporary subscriptions live only as long as the registering process (Register-WmiEvent / Register-CimIndicationEvent in PowerShell, for example) and do not survive a reboot, which is why persistence relies on permanent subscriptions instead; 5860 is nonetheless useful to spot tooling waiting on events such as process creation. Information of interest: - Domain and username of the user that registered the temporary subscription. - Process ID (PID) of the process under which the subscription is executed. - WMI namespace and query of the temporary subscription. |
| Microsoft-Windows-WMI-Activity/Operational | Introduced in Windows 8.1 / Windows Server 2012 R2. Enabled by default. | Event 5861: Operation_ESStoConsumerBinding. Logged whenever a permanent WMI Event Subscription is configured (more precisely, when a filter-to-consumer binding is created). The event records the full filter query and the consumer payload, so it remains usable after the subscription has been removed from root\subscription. Information of interest: - Details on the event filter: name, creator SID, WMI namespace, WMI query language and query. - Details on the event consumer: name, type of consumer (such as CommandLineEventConsumer for program execution or ActiveScriptEventConsumer for VBScript/JScript execution), creator SID, and consumer parameters (such as the program path and command line for a CommandLineEventConsumer). |
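The check on permanent subscriptions that the table above calls for, as an added PowerShell example (not code from the original page): it lists filter-to-consumer bindings from two sources, the 5861 events in Microsoft-Windows-WMI-Activity/Operational and the live root\subscription namespace, so that a subscription registered before the log existed, or after it rolled over, is still found, and it resolves the CreatorSID to an account. It assumes an elevated session; the regexes over the 5861 message text are based on the message as rendered on Windows 10 / Server 2016 and are not a documented schema, and the "suspicious" heuristic and function names are illustrative.

```powershell
# Added example, not from the original page: enumerate permanent WMI event
# subscriptions from event 5861 and from the live root\subscription namespace.
# Assumptions: elevated session; the 5861 message regexes follow the message as
# observed on Windows 10 / Server 2016 (not a documented schema); the suspicious
# patterns at the end are an illustrative starting point, not a detection rule.

function ConvertFrom-CreatorSid {
    # CreatorSID is stored as a byte array; render it as DOMAIN\user when resolvable.
    param([byte[]]$Sid)
    if (-not $Sid) { return $null }
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid, 0)
    try { $s.Translate([System.Security.Principal.NTAccount]).Value } catch { $s.Value }
}

function Get-RefKey {
    # The Filter/Consumer properties of __FilterToConsumerBinding are CimInstance
    # objects under Get-CimInstance, or path strings such as
    # CommandLineEventConsumer.Name="x" under Get-WmiObject; normalise both to Class/Name.
    param($Ref)
    if ($Ref -is [string]) {
        $m = [regex]::Match($Ref, '(\w+)\.Name="([^"]+)"')
        return "$($m.Groups[1].Value)/$($m.Groups[2].Value)"
    }
    return "$($Ref.CimClass.CimClassName)/$($Ref.Name)"
}

function Get-WmiSubscriptionFromEventLog {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $filter = @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message   # filter and consumer are rendered as MOF-style text (assumed layout)
        [pscustomobject]@{
            Source       = 'event 5861'
            TimeCreated  = $_.TimeCreated
            FilterName   = [regex]::Match($m, 'Eventfilter = (.+?) \(refer').Groups[1].Value
            Query        = [regex]::Match($m, 'Query = "([^"]*)"').Groups[1].Value
            ConsumerType = [regex]::Match($m, 'Consumer = (\w+)="').Groups[1].Value
            ConsumerName = [regex]::Match($m, 'Consumer = \w+="([^"]*)"').Groups[1].Value
            Payload      = [regex]::Match($m, '(CommandLineTemplate|ScriptText|ScriptFileName) = "([^"]*)"').Groups[2].Value
            Creator      = $null
        }
    }
}

function Get-WmiSubscriptionLive {
    $ns = 'root\subscription'
    $filters = @{}; $consumers = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | ForEach-Object { $filters[(Get-RefKey $_)]   = $_ }
    # Querying the abstract base class returns every consumer subclass instance.
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object { $consumers[(Get-RefKey $_)] = $_ }

    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        $f = $filters[(Get-RefKey $_.Filter)]
        $c = $consumers[(Get-RefKey $_.Consumer)]
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }
        [pscustomobject]@{
            Source       = 'live root\subscription'
            TimeCreated  = $null
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            ConsumerName = $c.Name
            Payload      = $payload
            Creator      = ConvertFrom-CreatorSid $c.CreatorSID
        }
    }
}

# Illustrative triage: script hosts / LOLBins in the payload, or filters that fire on
# a timer, process start or logon are the usual shape of a persistence subscription.
$suspiciousPayload = '(?i)powershell|pwsh|cmd(\.exe)?\s|wscript|cscript|mshta|rundll32|regsvr32|certutil|-enc|DownloadString|IEX'
$suspiciousQuery   = '(?i)Win32_(LocalTime|ProcessStartTrace|LogonSession|ProcessStopTrace)|__InstanceModificationEvent'
@(Get-WmiSubscriptionLive) + @(Get-WmiSubscriptionFromEventLog) |
    Where-Object { $_.Payload -match $suspiciousPayload -or $_.Query -match $suspiciousQuery } |
    Format-List
```

A default Windows installation carries one benign binding, the SCM Event Log Filter bound to the SCM Event Log Consumer (an NTEventLogEventConsumer); baseline it rather than alerting on it. To remove a malicious subscription, pipe the binding to Remove-CimInstance first, then the filter and the consumer, and keep the 5861 event as the record of what was bound.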