
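title: DN_0080_5859_wmi_activity
# Folded scalar: the two lines below become one sentence when loaded.
description: >
  WMI event which provides the ability to catch timer-based WMI events and
  provides useful information for identification of suspicious WMI activity
loggingpolicy:
  - None
references:
  - https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity
  - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
category: OS Logs
platform: Windows
type: Applications and Services Logs
channel: Microsoft-Windows-WMI-Activity/Operational
provider: Microsoft-Windows-WMI-Activity
# Field names mirror the element/attribute names in the sample event below.
fields:
  - EventID
  - Computer
  - Hostname  # redundant
  - NamespaceName
  # WQL text of the subscription (<Query> under UserData)
  - Query
  # The sample carries this twice: the Execution ProcessID attribute under
  # System and the Processid element under UserData (note the differing case).
  - ProcessID
  - Provider
  - queryid
  # "Permanent" in the sample
  - PossibleCause
  - CorrelationActivityID
  # <User> under UserData (a SID in the sample); present in the event but was
  # missing from this list
  - User
# Literal block scalar: the XML is stored verbatim, including the "- " tree
# markers copied from the Event Viewer XML view.
sample: |
  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    - <System>
        <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
        <EventID>5859</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000000</Keywords>
        <TimeCreated SystemTime="2019-02-08T09:37:37.108925700Z" />
        <EventRecordID>57003</EventRecordID>
        <Correlation ActivityID="{10490123-32E3-0000-B1F0-46D991BFD401}" />
        <Execution ProcessID="436" ThreadID="3076" />
        <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
        <Computer>atc-win-10.atc.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
    - <UserData>
      - <Operation_EssStarted xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
          <NamespaceName>//./root/cimv2</NamespaceName>
          <Query>select * from MSFT_SCMEventLogEvent</Query>
          <User>S-1-5-32-544</User>
          <Processid>436</Processid>
          <Provider>SCM Event Provider</Provider>
          <queryid>0</queryid>
          <PossibleCause>Permanent</PossibleCause>
        </Operation_EssStarted>
      </UserData>
    </Event>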