NOTE: Please review the walkthrough on how to use this query.

Live Discover Query - Windows Management Instrumentation Event Subscription

REVIEWED by Sophos

"Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs" (T1084).  The Sophos MTR Operations team has investigated and responded to client incidents where malicious persistence was established with WMI Event Subscriptions.  Now in Sophos Central you can quickly query and review WMI filters, consumers, and bindings for any suspicious entries with Live Discover.  

Queries: 

WMI Event Filters:
SELECT wmi_event_filters.name, wmi_event_filters.query, wmi_event_filters.query_language, wmi_event_filters.class, wmi_event_filters.relative_path FROM wmi_event_filters;

WMI Event Command Line Consumers:
SELECT wmi_cli_event_consumers.name, wmi_cli_event_consumers.command_line_template, wmi_cli_event_consumers.executable_path, wmi_cli_event_consumers.relative_path, wmi_cli_event_consumers.class FROM wmi_cli_event_consumers;

WMI Event Filter/Consumer Bindings:
SELECT wmi_filter_consumer_binding.consumer, wmi_filter_consumer_binding.filter, wmi_filter_consumer_binding.class, wmi_filter_consumer_binding.relative_path FROM wmi_filter_consumer_binding;
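The three queries above return filters, consumers and bindings as separate result sets. The following query is an added example (not part of the original post or of Sophos' published queries) that joins them so each binding is listed next to the filter that triggers it and the command line it runs, and adds a review flag for the cases the walkthrough describes. It assumes, as osquery documents, that the binding's `filter` and `consumer` columns hold the WMI relative path of the referenced instance (for example `__EventFilter.Name="x"`), which is what the `relative_path` column of the other two tables contains.

```sql
-- Added example: correlate WMI bindings with their filters and command-line consumers.
-- Assumption: binding.filter / binding.consumer match the relative_path of the
-- referenced __EventFilter / CommandLineEventConsumer instance.
SELECT
  b.relative_path           AS binding,
  f.name                    AS filter_name,
  f.query                   AS filter_query,
  c.name                    AS consumer_name,
  c.command_line_template   AS command_line,
  c.executable_path         AS executable,
  CASE
    -- binding points at a filter osquery could not resolve: inspect it manually
    WHEN f.name IS NULL THEN 'review: filter not found in wmi_event_filters'
    -- binding points at a consumer that is not a CommandLineEventConsumer
    -- (e.g. ActiveScriptEventConsumer); this table does not cover those
    WHEN c.name IS NULL THEN 'review: consumer not in wmi_cli_event_consumers'
    -- the pattern from the walkthrough: a consumer that launches PowerShell
    WHEN c.command_line_template LIKE '%powershell%'
      OR c.executable_path LIKE '%powershell%'
      THEN 'review: consumer launches PowerShell'
    ELSE 'info'
  END                       AS flag
FROM wmi_filter_consumer_binding AS b
LEFT JOIN wmi_event_filters AS f
  ON b.filter = f.relative_path
LEFT JOIN wmi_cli_event_consumers AS c
  ON b.consumer = c.relative_path
-- SQLite LIKE is case-insensitive for ASCII, so no LOWER() is needed
ORDER BY flag, binding;
```

Every binding is returned so the baseline (legitimate subscriptions such as those created by management software) is visible alongside the flagged rows; the `flag` column sorts the rows that warrant a closer look to the top.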

Example of WMI Persistence and Live Discover Results:

[Screenshot: WMI Filter triggers shortly after system startup time]
[Screenshot: WMI Command Line Consumer executes malicious PowerShell]
[Screenshot: WMI Filter/Consumer Binding]