10. WMIPersistence
Malicious WMI persistence objects (event filters, event consumers and the filter-to-consumer bindings that tie them together) are difficult to detect. The detection methods of this module are based on whitelists and a blacklist of keywords taken from APT reports. The whitelists are extended every time our analysts identify false positives in a customer's environment. The blacklist is extended every time an APT report describes a WMI persistence method with a specific event filter query or event filter name.
10.1. References
10.2. Samples
Aug 26 23:16:41 server44.local.net/10.23.3.1
THOR: Warning: MODULE: WMIPersistence
MESSAGE: Suspicious WMI element
KEY: Binding 91
FILTERTYPE: HealthDriverEventConsumer
EVENTFILTERNAME: HP_TempSensorFailureEvent
EVENTCONSUMER: Health Event Consumer
EVENTFILTER: select * from HP_TempSensorFailureEvent
EVENTCONSUMER: -
SCORE: 75
Aug 26 23:16:41 server44.local.net/1.253.103.134
THOR: Warning: MODULE: WMIPersistence
MESSAGE: Suspicious WMI element
KEY: Binding 93
FILTERTYPE: HealthDriverEventConsumer
EVENTFILTERNAME: HP_ASRStateChangeEvent
EVENTCONSUMER: Health Event Consumer
EVENTFILTER: select * from HP_ASRStateChangeEvent
EVENTCONSUMER: -
SCORE: 75
10.3. Typical False Positives
Legitimate entries caused by system management software (e.g. HP services)
10.4. Attribute Evaluation
Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
EVENTFILTER | Is the EventFilter content (the WQL query) related to the EventFilterName? (e.g. in the samples above the query "select * from HP_TempSensorFailureEvent" matches the filter name "HP_TempSensorFailureEvent") | Yes | Good | Medium
EVENTFILTER | Is the EventFilter content (the WQL query) related to the EventFilterName? | No | Bad | Medium
EVENTFILTERNAME | Does a Google search on the EventFilterName show no result at all? | Yes | Bad | Medium
EVENTFILTERNAME | Does a Google search on the EventFilterName return results that seem legitimate? | Yes | Good | Medium
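The following script is an added example and not THOR's own code or its actual lists. It illustrates the approach described in the introduction of this section (whitelist and keyword blacklist applied to WMI subscription objects) and the first attribute check of the table above (does the filter query name the same class as the filter name). It enumerates the filters, consumers and bindings in the root\subscription namespace with the CIM cmdlets and assigns an illustrative score. The whitelist and blacklist contents, the score values and the function name Get-WmiSubscriptionFindings are assumptions made for this example.

```powershell
# Added example, not THOR code. Keyword lists and scores are ASSUMED, illustrative values.
$Whitelist = @('HP_', 'Health Event Consumer')   # assumed legitimate markers, taken from the samples above
$Blacklist = @('powershell', 'cmd.exe', '-enc', 'wscript', 'mshta', 'downloadstring')  # assumed suspicious keywords

function Get-WmiSubscriptionFindings {
    $ns = 'root\subscription'

    # Index all event filters by name so bindings can be resolved quickly
    $filters = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }

    # __EventConsumer is the abstract base class; querying it returns every concrete consumer instance
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)

    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Filter and Consumer are reference properties; the CIM cmdlets expose them with their Name key
        $f = $filters[$b.Filter.Name]
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        $type = if ($c) { $c.CimClass.CimClassName } else { 'unknown' }

        # Only CommandLine and ActiveScript consumers carry an executable payload worth inspecting
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }

        # Attribute check from the table: does the WQL query reference the class named by the filter?
        $cls = if ($f.Query -match '\bfrom\s+([A-Za-z0-9_]+)') { $Matches[1] } else { '' }
        $related = [bool]($cls -and ($f.Name -like "*$cls*" -or $cls -like "*$($f.Name)*"))

        # Illustrative scoring: payload-carrying consumer types and unrelated filters raise the score,
        # each blacklist hit adds to it, and a whitelist hit suppresses the finding entirely
        $text  = "$($f.Name) $($f.Query) $($c.Name) $payload"
        $score = 0
        if ($type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { $score += 50 }
        if (-not $related) { $score += 25 }
        foreach ($k in $Blacklist) { if ($text -match [regex]::Escape($k)) { $score += 25 } }
        foreach ($w in $Whitelist) { if ($text -match [regex]::Escape($w)) { $score = 0 } }

        [pscustomobject]@{
            EventFilterName = $f.Name
            EventFilter     = $f.Query
            ConsumerType    = $type
            EventConsumer   = $c.Name
            Payload         = $payload
            FilterRelated   = $related
            Score           = $score
        }
    }
}

# Usage: run in an elevated PowerShell session on the host to be inspected
Get-WmiSubscriptionFindings | Sort-Object Score -Descending | Format-Table -AutoSize
```

Run against a host with the HP entries from the samples above, the two HP bindings resolve to a related filter and match the whitelist, so they score 0, which is the effect a whitelist extension after a false positive is meant to have. Note the caveat this implies: a substring whitelist such as "HP_" is applied to the whole object text, so an attacker who names a filter "HP_Update" with a CommandLineEventConsumer would also be suppressed. In production the whitelist entry should be scoped to the full combination of consumer class, consumer name and filter query that the analyst actually verified, not to a name fragment.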