Are you detecting WMI abuse the right way?

"WMI gives you the freedom to hide, move around and take control against million dollar defense mechanisms"

What is WMI?

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems.
WMI provides an abstracted, unified object-oriented model, which contains classes representing elements such as the system registry, processes, threads and hardware components. WMI allows scripting languages like VBScript or Windows PowerShell to automate administrative tasks on Windows computers locally and remotely. It allows users, administrators and developers (as well as attackers) to enumerate, manipulate and interact with various managed components in the OS.

WMI consists of three major components:

WMI service(handles all requests)
WMI providers(objects that monitor events and data)
The WMI Repository(centralized storage)

Should I break my head about it ?

An adversary can use WMI to interact with systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files. It has access to a lot of system data, so adversaries are able to perform various types of discovery and reconnaissance through WMI.
It's so popular that MITRE ATT&CK framework has a technique exclusively for WMI. [T1047] is an execution technique that adversaries use for lateral movement and persistence. In recent times, it has been observed that a lot of threat actors are using WMI in their attacks and campaigns.

Agent Tesla - Agent Tesla has used wmi queries to gather information from the system
APT29 - Steal credentials and execute backdoors
Astaroth - Astaroth uses WMIC to execute payloads
Bazar - Gather information about the installed antivirus engine
Cobalt Strike - CS can use WMI to deliver a payload to a remote host
Emotnet - Emotnet has used WMI to execute powershell.exe

WMI Abuse

Discovering sysinfo
Scheduling persistence
Launching WMI from Office documents to invoke Poweshell
WMI Lateral Movement
Credential Theft using WMI
Deletion of shadow copies, likely to avoid using vssadmin

Let's take a look at some of the WMI(T1047) Use Cases using Atomic Tests

WMI Reconnaissance

Users

wmic useraccount get Name, Description /format:csv

Software

wmic qfe get Name, HotFixID /format:csv

Remote Services

wmic /node:"127.0.0.1" service where (caption like "%service%")

WMI Execution

Execute Local Process

wmic process call create notepad.exe

Execute Remote Process

wmic /user:DOMAIN\User /password:password /node:"10.10.10.10" process call create "powershell.exe ls"

Execution using obfuscated Win32_Process

$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("Win32_ABC")
$NewClass.Put()
Invoke-WmiMethod -Path Win32_ABC -Name create -ArgumentList "powershell -exec bypass XYZ"

Note: Enable powershell scriptblock logging(EventID:4104) to log these events.

Detection Strategies

We'll use Sysmon(A Windows system service and device driver that monitor and log system activity to the Windows event log) and Windows event log(A detailed record of system, security and application notifications) to power our detection rules. WMI can be a potential fileless method of persistence in Windows. WMI persistence relies on three components: Filter, (e.g. when this condition happens), Consumer (e.g. do this), and Binding (links Filter to Consumer). Sysmon EventID 19, 20, and 21 only pertains to WMI permanent event subscriptions or WMI persistence.

Event ID 1: Process Creation
The process creation event provides extended information about a newly created process.
Event ID 10: Process Access
The process accessed event reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process.
Event ID 19: WmiEvent (WmiEventFilter activity detected)
When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression.
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
This event logs the registration of WMI consumers, recording the consumer name, log, and destination.
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
When a consumer binds to a filter, this event logs the consumer name and filter path.
Windows EventID 5861 logs generate a permanent record of WMI event subscriptions.

Detection Query:

Below are some general templates for writing detection queries. Depending on the SIEM/Monitoring tool the parsing and fields needs to be modified. Things to keep in mind while creating detection queries:

Use regex instead of wildcards
Don't nest too much and mind the Aggregations
Filter out legit events by using valid Suppressions

Credential Theft using WMI

event_id:1 AND event_data.CommandLine:(*wmic* AND (*samlib.dll* OR *vaultcli.dll* OR *lsass.exe* ))

WMI Lateral Movement

event_id:1 AND event_data.CommandLine:(wmic* AND process* AND create*)

WMI execution

event_id:1 AND (event_data.Image:(*\WmiPrvSE.exe) OR event_data.ParentImage:(*\WmiPrvSE.exe))