10. WMIPersistence

It is difficult to detect malicious WMIPersistence objects. The detection methods are based on whitelists and a blacklist of keywords taken from APT reports. The whitelists are extended every time our analysts detect false positives in a customer's environment. The blacklists are extended every time an APT report describes a certain WMI persistence method with a specific event filter or event filter name.

10.1. References

10.2. Samples

Aug 26 23:16:41 server44.local.net/10.23.3.1
THOR: Warning: MODULE: WMIPersistence
MESSAGE: Suspicious WMI element
KEY: Binding 91
FILTERTYPE: HealthDriverEventConsumer
EVENTFILTERNAME: HP_TempSensorFailureEvent
EVENTCONSUMER: Health Event Consumer
EVENTFILTER: select * from HP_TempSensorFailureEvent
EVENTCONSUMER: -
SCORE: 75
Aug 26 23:16:41 server44.local.net/1.253.103.134
THOR: Warning: MODULE: WMIPersistence
MESSAGE: Suspicious WMI element
KEY: Binding 93
FILTERTYPE: HealthDriverEventConsumer
EVENTFILTERNAME: HP_ASRStateChangeEvent
EVENTCONSUMER: Health Event Consumer
EVENTFILTER: select * from HP_ASRStateChangeEvent
EVENTCONSUMER: -
SCORE: 75

10.3. Typical False Positives

  • Legitimate entries caused by system management software (e.g. HP services)

10.4. Attribute Evaluation

Attribute       | Question                                                                                                                               | Answer | Indication | Weight
----------------|----------------------------------------------------------------------------------------------------------------------------------------|--------|------------|-------
EVENTFILTER     | Is the EventFilter content related to the EventFilterName? (e.g. HP_TempSensorFailureEvent and select * from HP_TempSensorFailureEvent) | Yes    | Good       | Medium
EVENTFILTER     | Is the EventFilter content related to the EventFilterName? (e.g. HP_TempSensorFailureEvent and select * from HP_TempSensorFailureEvent) | No     | Bad        | Medium
EVENTFILTERNAME | Does a Google search on the EventFilterName show no result at all?                                                                     | Yes    | Bad        | Medium
EVENTFILTERNAME | Does a Google search on the EventFilterName return results that seem legitimate?                                                       | Yes    | Good       | Medium
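The first row of the table (is the EVENTFILTER query related to the EVENTFILTERNAME?) can be automated over the multi-line THOR output shown in the samples above. The following script is an added example, not THOR code: it splits the log into one record per finding, pulls out EVENTFILTERNAME and EVENTFILTER, extracts the WMI classes the WQL query references (the FROM target and any ISA 'Class' constraint), and assigns the Good/Bad indication with the table's Medium weight. The first embedded record mirrors the page's own first sample; the second record (Binding 94, HP_PowerEvent, Win32_LocalTime) is constructed to show the inconsistent case and is not from the page.

```python
import re

# Constructed input in the multi-line THOR log format shown on the page.
# Record 1 mirrors the page's first sample; record 2 is invented to show a
# filter whose query does not match its name.
SAMPLE_LOG = """\
Aug 26 23:16:41 server44.local.net/10.23.3.1
THOR: Warning: MODULE: WMIPersistence
MESSAGE: Suspicious WMI element
KEY: Binding 91
FILTERTYPE: HealthDriverEventConsumer
EVENTFILTERNAME: HP_TempSensorFailureEvent
EVENTCONSUMER: Health Event Consumer
EVENTFILTER: select * from HP_TempSensorFailureEvent
EVENTCONSUMER: -
SCORE: 75
Aug 26 23:16:41 server44.local.net/10.23.3.1
THOR: Warning: MODULE: WMIPersistence
MESSAGE: Suspicious WMI element
KEY: Binding 94
FILTERTYPE: HealthDriverEventConsumer
EVENTFILTERNAME: HP_PowerEvent
EVENTCONSUMER: Health Event Consumer
EVENTFILTER: select * from __InstanceModificationEvent within 60 where TargetInstance isa 'Win32_LocalTime'
EVENTCONSUMER: -
SCORE: 75
"""

# A record starts with "<Mon> <day> <hh:mm:ss> <host/ip>".
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+$")
THOR_LINE = re.compile(r"^THOR: (\w+): MODULE: (\S+)$")
FIELD = re.compile(r"^([A-Z_]+): ?(.*)$")
# WQL class references: the FROM target and any "ISA 'Class'" constraint.
WQL_FROM = re.compile(r"\bfrom\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
WQL_ISA = re.compile(r"\bisa\s+'([A-Za-z_][A-Za-z0-9_]*)'", re.IGNORECASE)


def parse_thor_log(text):
    """Split the multi-line THOR output into one dict per finding.

    Field values are kept as lists because a key (e.g. EVENTCONSUMER) can
    occur more than once in a single record.
    """
    records, current = [], None
    for line in text.splitlines():
        if RECORD_START.match(line):
            current = {"header": line, "fields": {}}
            records.append(current)
            continue
        if current is None:
            continue
        m = THOR_LINE.match(line)
        if m:
            current["fields"]["LEVEL"] = [m.group(1)]
            current["fields"]["MODULE"] = [m.group(2)]
            continue
        m = FIELD.match(line)
        if m:
            current["fields"].setdefault(m.group(1), []).append(m.group(2))
    return records


def referenced_classes(wql):
    """Return the set of WMI class names a WQL query refers to."""
    return set(WQL_FROM.findall(wql)) | set(WQL_ISA.findall(wql))


def evaluate_filter(record):
    """Apply the EVENTFILTER row of the attribute table to one finding."""
    f = record["fields"]
    name = f.get("EVENTFILTERNAME", [""])[0]
    query = f.get("EVENTFILTER", [""])[0]
    classes = referenced_classes(query)
    related = name.lower() in {c.lower() for c in classes}
    return {
        "key": f.get("KEY", [""])[0],
        "event_filter_name": name,
        "referenced_classes": sorted(classes),
        "indication": "Good" if related else "Bad",
        "weight": "Medium",
    }


def evaluate_log(text):
    """Evaluate every WMIPersistence finding in a THOR log."""
    return [evaluate_filter(r) for r in parse_thor_log(text)
            if r["fields"].get("MODULE") == ["WMIPersistence"]]


if __name__ == "__main__":
    for result in evaluate_log(SAMPLE_LOG):
        print(result)
```

The two EVENTFILTERNAME rows of the table (search-engine reputation of the name) remain a manual step; the script only decides whether the query and the filter name point at the same WMI class, which is exactly the consistency check the first row asks an analyst to make by eye.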