Sysmon Event ID 19
19: WmiEventFilter activity detected
This is an event from Sysmon.
Attackers have developed a particularly sophisticated way to persist malware, and perhaps elevate privileges, with WMI Event Filters and Consumers.
WMI allows you to link these two objects in order to execute a custom action whenever specified things happen in Windows. WMI events are related to, but more general than, the events we all know and love in the event log. WMI events include system startup, time intervals, program execution and many, many other things. You can define a __EventFilter, which is basically a WQL query that specifies what events you want to catch in WMI. This is a permanent object saved in the WMI repository. It's passive until you create a consumer and link them with a binding. The WMI event consumer defines what the system should do with any events caught by the filter. There are different kinds of event consumers for actions such as running a script, executing a command line, sending an email or writing to a log file. Finally, you link the filter and consumer with a __FilterToConsumerBinding. After saving the binding, everything is active, and whenever events matching the filter occur, they are fed to the consumer.
This event tells you when a WMI event filter is registered, documenting the WMI namespace, filter name and filter expression. In an attack this is the first of three steps. The filter defines the system activity that will be emitted as an event to trigger the persistent (recurring) execution of malware. Event ID 20 and Event ID 21 provide further information.
To learn more about this kind of attack see my blog https://www.ultimatewindowssecurity.com/blog/default.aspx?d=06/2018
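Parsing and triaging a record like the sample below, as an added example (not the page's own tooling or any Sysmon feature). It assumes the Event XML has been exported as text from the Sysmon channel; the embedded record is the page's sample with the `<` and `>` inside the WQL query escaped so it parses, and the trigger keywords it flags are the author of this example's assumptions, not Sysmon rules.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed test input: the Event ID 19 record shown on this page, trimmed to the
# elements used here. Raw string so "LAB\rsmith" keeps its literal backslash.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>19</EventID>
<Computer>rfsh.lab.local</Computer></System>
<EventData>
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2018-04-11 16:26:16.327</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">LAB\rsmith</Data>
<Data Name="EventNamespace"> "root\\cimv2"</Data>
<Data Name="Name"> "BotFilter82"</Data>
<Data Name="Query"> "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime &gt;= 200 AND TargetInstance.SystemUpTime &lt; 320"</Data>
</EventData></Event>"""

# Assumed heuristics: WQL constructs commonly seen in filters that act as timers or
# boot/logon triggers. Each hit is a reason to review the filter, not proof of malice.
TRIGGER_PATTERNS = [
    (r"__Instance(Modification|Creation)Event", "intrinsic polling event"),
    (r"\bWITHIN\s+\d+", "polling interval (WITHIN)"),
    (r"SystemUpTime", "uptime window trigger (fires shortly after boot)"),
    (r"Win32_PerfFormattedData_PerfOS_System", "perf counter class used as a timer"),
    (r"Win32_(LogonSession|ProcessStartTrace|LocalTime)", "logon/process/time trigger"),
]


def parse_event(xml_text):
    """Return the EventData fields of a Sysmon record as a dict, plus EventID."""
    root = ET.fromstring(xml_text)
    event = {}
    for d in root.findall("e:EventData/e:Data", NS):
        # Sysmon emits namespace, name and query with a leading space and quotes.
        event[d.get("Name")] = (d.text or "").strip().strip('"')
    event["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    event["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return event


def triage_filter(event):
    """List review reasons for a newly created WMI event filter (Event ID 19)."""
    if event.get("EventID") != 19 or event.get("Operation") != "Created":
        return []
    query = event.get("Query", "")
    return [label for pat, label in TRIGGER_PATTERNS if re.search(pat, query, re.I)]


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT_XML)
    print(f"{ev['Computer']}: {ev['User']} created filter {ev['Name']} in {ev['EventNamespace']}")
    for reason in triage_filter(ev):
        print("  review:", reason)
```

Pair the output with the matching Event ID 20 (consumer) and 21 (binding) records before escalating, since a filter on its own executes nothing.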
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- EventType
- UtcTime
- Operation
- User
- EventNamespace
- Name
- Query
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/11/2018 9:26:16 AM
Event ID: 19
Task Category: WmiEventFilter activity detected (rule: WmiEvent)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsh.lab.local
Description:
WmiEventFilter activity detected:
EventType: WmiFilterEvent
UtcTime: 2018-04-11 16:26:16.327
Operation: Created
User: LAB\rsmith
EventNamespace: "root\\cimv2"
Name: "BotFilter82"
Query: "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>19</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>19</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-04-11T16:26:16.327698700Z" />
<EventRecordID>63551</EventRecordID>
<Correlation />
<Execution ProcessID="7620" ThreadID="21880" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsh.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2018-04-11 16:26:16.327</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">LAB\rsmith</Data>
<Data Name="EventNamespace"> "root\\cimv2"</Data>
<Data Name="Name"> "BotFilter82"</Data>
<Data Name="Query"> "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"</Data>
</EventData>
</Event>