Skip to content

[Osquery_manager] WMI artifacts saved query #16227

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tomsonpl wants to merge 6 commits into
base: temporary-osquery-artifacts-branch
Choose a base branch
from
Open

[Osquery_manager] WMI artifacts saved query #16227

tomsonpl wants to merge 6 commits into from
+116 −10

Conversation

@tomsonpl
Copy link
Contributor

@tomsonpl tomsonpl commented Dec 3, 2025
edited
Loading

WMI Persistence Event Subscriptions

Summary

This PR adds an osquery saved query to detect WMI Event Subscription persistence (MITRE ATT&CK T1546.003) on Windows systems. WMI eventing is a powerful persistence mechanism that allows attackers to execute arbitrary commands or scripts when specific system events occur, making it difficult to detect without specialized tooling.

The query provides complete forensic visibility by detecting:

  • Bound subscriptions - Active persistence (filter + consumer + binding)
  • Orphaned components - Residual artifacts from partially removed malware

Results are enriched with file hashes and code signatures for referenced executables and scripts.

Core Forensic Artifacts Coverage

# Artifact OS Query File Description
1 WMI Event Subscriptions Windows wmi_persistence_event_subscriptions_windows_elastic 40033716 Detects WMI persistence including bound subscriptions and orphaned components

MITRE ATT&CK Coverage

Technique ID Technique Name Tactic
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription Persistence (TA0003)

Queries by Platform

🪟 Windows - WMI Event Subscription Persistence Detection

Description

Detects WMI event subscriptions used for persistence (MITRE ATT&CK T1546.003). Includes bound subscriptions (active persistence) AND orphaned components (filters/consumers without bindings) which may indicate residual or partially removed malware. WMI eventing allows attackers to execute arbitrary commands or scripts when specific system events occur. Enriched with file hashes and code signatures for referenced executables and scripts.

Detection Focus:

  • Bound subscriptions - Complete filter-consumer chains indicating active persistence
  • CommandLineEventConsumer - Executes arbitrary commands/executables on trigger
  • ActiveScriptEventConsumer - Executes VBScript/JScript on trigger
  • Orphaned consumers - Consumers without bindings (possible residual malware)
  • Orphaned filters - Filters without bindings (possible residual malware)
  • File hash enrichment - MD5/SHA256 for referenced executables
  • Code signature verification - Authenticode validation for executables

Result

Screenshot 2025-12-08 at 16 08 29

Query returns WMI subscription components with their relationships and enrichment data:

Status Description
bound Active persistence - filter and consumer are linked
orphaned_consumer Consumer exists without binding (residual malware artifact)
orphaned_filter Filter exists without binding (residual malware artifact)

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

wmi_persistence_event_subscriptions_windows_elastic

ECS Field Mappings

Event Context:

  • event.category["configuration"]
  • event.type["info"]
  • event.kind"state"
  • event.module"osquery"
  • event.dataset"osquery.wmi_persistence"
  • host.os.type"windows"

Process/Executable Fields:

  • process.command_linecommand_line_template
  • process.executableexecutable_path
  • process.hash.md5md5
  • process.hash.sha256sha256
  • process.code_signature.subject_namesignature_signer
  • process.code_signature.statussignature_status

File Fields:

  • file.pathscript_file_name

Threat Context:

  • threat.framework"MITRE ATT&CK"
  • threat.tactic.id["TA0003"]
  • threat.tactic.name["Persistence"]
  • threat.technique.id["T1546.003"]
  • threat.technique.name["Event Triggered Execution: Windows Management Instrumentation Event Subscription"]

Tags:

  • osquery, persistence, wmi, event_subscription, mitre_t1546_003, windows

SQL Query

-- WMI Persistence Event Subscriptions - Complete Coverage (T1546.003)
-- Detects bound subscriptions and orphaned components for full forensic visibility
-- Fixed: Uses relative_path for proper JOIN matching per osquery schema

WITH wmi_subscriptions AS (
    -- Part 1: Bound subscriptions (complete filter-consumer chains)
    SELECT
        'bound' AS status,
        filter.name AS filter_name,
        filter.query AS filter_query,
        filter.query_language,
        filter.class AS filter_class,
        COALESCE(cli.name, script.name) AS consumer_name,
        CASE
            WHEN cli.name IS NOT NULL THEN 'CommandLineEventConsumer'
            WHEN script.name IS NOT NULL THEN 'ActiveScriptEventConsumer'
            ELSE 'Unknown'
        END AS consumer_type,
        COALESCE(cli.class, script.class) AS consumer_class,
        COALESCE(cli.relative_path, script.relative_path) AS consumer_relative_path,
        cli.command_line_template,
        cli.executable_path,
        script.scripting_engine,
        script.script_file_name,
        script.script_text,
        COALESCE(
            NULLIF(cli.executable_path, ''),
            NULLIF(cli.command_line_template, ''),
            NULLIF(script.script_file_name, '')
        ) AS hashable_path
    FROM wmi_filter_consumer_binding binding
    LEFT JOIN wmi_event_filters filter ON binding.filter = filter.relative_path
    LEFT JOIN wmi_cli_event_consumers cli ON binding.consumer = cli.relative_path
    LEFT JOIN wmi_script_event_consumers script ON binding.consumer = script.relative_path

    UNION ALL

    -- Part 2: Orphaned CLI consumers (possible residual malware)
    SELECT
        'orphaned_consumer' AS status,
        '' AS filter_name,
        '' AS filter_query,
        '' AS query_language,
        '' AS filter_class,
        cli.name AS consumer_name,
        'CommandLineEventConsumer' AS consumer_type,
        cli.class AS consumer_class,
        cli.relative_path AS consumer_relative_path,
        cli.command_line_template,
        cli.executable_path,
        '' AS scripting_engine,
        '' AS script_file_name,
        '' AS script_text,
        COALESCE(NULLIF(cli.executable_path, ''), NULLIF(cli.command_line_template, '')) AS hashable_path
    FROM wmi_cli_event_consumers cli
    WHERE NOT EXISTS (
        SELECT 1 FROM wmi_filter_consumer_binding binding
        WHERE binding.consumer = cli.relative_path
    )

    UNION ALL

    -- Part 3: Orphaned Script consumers (possible residual malware)
    SELECT
        'orphaned_consumer' AS status,
        '' AS filter_name,
        '' AS filter_query,
        '' AS query_language,
        '' AS filter_class,
        script.name AS consumer_name,
        'ActiveScriptEventConsumer' AS consumer_type,
        script.class AS consumer_class,
        script.relative_path AS consumer_relative_path,
        '' AS command_line_template,
        '' AS executable_path,
        script.scripting_engine,
        script.script_file_name,
        script.script_text,
        NULLIF(script.script_file_name, '') AS hashable_path
    FROM wmi_script_event_consumers script
    WHERE NOT EXISTS (
        SELECT 1 FROM wmi_filter_consumer_binding binding
        WHERE binding.consumer = script.relative_path
    )

    UNION ALL

    -- Part 4: Orphaned filters (possible residual malware)
    SELECT
        'orphaned_filter' AS status,
        filter.name AS filter_name,
        filter.query AS filter_query,
        filter.query_language,
        filter.class AS filter_class,
        '' AS consumer_name,
        '' AS consumer_type,
        '' AS consumer_class,
        '' AS consumer_relative_path,
        '' AS command_line_template,
        '' AS executable_path,
        '' AS scripting_engine,
        '' AS script_file_name,
        '' AS script_text,
        '' AS hashable_path
    FROM wmi_event_filters filter
    WHERE NOT EXISTS (
        SELECT 1 FROM wmi_filter_consumer_binding binding
        WHERE binding.filter = filter.relative_path
    )
)

SELECT
    ws.status,
    ws.filter_name,
    ws.filter_query,
    ws.query_language,
    ws.filter_class,
    ws.consumer_name,
    ws.consumer_type,
    ws.consumer_class,
    ws.consumer_relative_path,
    ws.command_line_template,
    ws.executable_path,
    ws.scripting_engine,
    ws.script_file_name,
    ws.script_text,
    h.md5,
    h.sha256,
    a.subject_name AS signature_signer,
    a.result AS signature_status
FROM wmi_subscriptions ws
LEFT JOIN hash h ON h.path = ws.hashable_path AND ws.hashable_path != ''
LEFT JOIN authenticode a ON a.path = ws.hashable_path AND ws.hashable_path != ''

@tomsonpl
Add WMI persistence event subscriptions query (T1546.003)
6c17fd7 
Comprehensive osquery query detecting WMI-based persistence:
- Bound subscriptions (active filter-consumer chains)
- Orphaned consumers (residual malware indicators)
- Orphaned filters (incomplete cleanup detection)
- Hash and authenticode enrichment for executables
- Supports CommandLineEventConsumer and ActiveScriptEventConsumer

Uses relative_path JOINs per osquery schema for accurate binding
correlation. ECS mappings included for Elastic Security integration.
@tomsonpl
Update artifacts matrix with WMI persistence coverage
d8f08b1 
- Mark WMI Config & Used Apps (#23) as available
- Mark WMI Providers & Filters (#24) as available
- Add wmi_persistence_event_subscriptions to Additional Queries
- Update coverage statistics: 2/46 artifacts now fully supported (4.3%)
@tomsonpl tomsonpl changed the title Osquery vmi artifact [Osquery_manager] WMI artifacts saved query Dec 3, 2025
@tomsonpl tomsonpl marked this pull request as ready for review December 3, 2025 11:59
@tomsonpl tomsonpl requested a review from a team as a code owner December 3, 2025 11:59
@tomsonpl tomsonpl requested review from ashokaditya and parkiino and removed request for a team December 3, 2025 11:59
@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager Team:Defend Workflows Security team for Endpoint and OSQuery workflows [elastic/security-defend-workflows] labels Dec 3, 2025
@tomsonpl
Enhance WMI persistence query with comprehensive ECS mappings and MIT…
bd68b93 
…RE ATT&CK coverage

- Add event.kind, event.module, event.dataset, host.os.type ECS fields
- Add MITRE ATT&CK T1546.003 (Event Triggered Execution: WMI Event Subscription) threat context
- Fix ECS mapping: subject_name→signature_signer for process.code_signature.subject_name
- Remove incorrect threat.indicator.description mapping
- Enhance tags with osquery and windows identifiers
- Fix query column alias: a.subject_name AS signature_signer for proper ECS mapping
@tomsonpl
Add file timestamp enrichment to WMI persistence query
8b3bcfa 
- Add ECS mappings for file.created, file.mtime, file.accessed, file.ctime, file.size
- Join with file table to retrieve timestamp metadata for referenced executables/scripts
- Convert timestamps to UTC ISO 8601 format using datetime() for ECS standardization
- Update description to mention file timestamp enrichment
calladoum-elastic
calladoum-elastic approved these changes Dec 11, 2025
View reviewed changes
Copy link

@calladoum-elastic calladoum-elastic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor comment, otherwise lgtm

ferullo
ferullo reviewed Dec 15, 2025
View reviewed changes
...manager/kibana/osquery_saved_query/osquery_manager-40033716-3580-48fe-a17d-441a838acd8a.json Outdated
{
"key": "file.path",
"value": {
"field": "script_file_name"
Copy link
Contributor

@ferullo ferullo Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is the same file that all the other file.* fields correspond to. I think they all correspond to process.* info, right? It feels like this needs to be addressed somehow. Do we need the script_file_name mapped to ECS? If not could the process.* and file.* fielsets be merged?

Copy link
Contributor Author

@tomsonpl tomsonpl Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, let me keep these fields unmapped for forensics purposes, so in the end we're end up with having just one namespace - file.

Would this work for you?

Copy link
Contributor

@ferullo ferullo Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah

@tomsonpl
Simplify WMI persistence query ECS mappings and add VirusTotal link
df825cb 
- Replace event.kind/module/dataset with event.action mapping
- Move code signature fields from process.* to file.* namespace
- Remove redundant MITRE ATT&CK threat.* static mappings (covered in description)
- Add VirusTotal link generation for hash lookups
- Simplify tags array
- Update timestamps to 2025-12-31
@tomsonpl
Fix ECS mappings and add SHA1 to WMI persistence query
b494e12 
  - Add h.sha1 hash column and file.hash.sha1 mapping
  - Consolidate hash mappings to file.* namespace
  - Remove path field mappings to prevent inconsistent field population
@elasticmachine
Copy link

elasticmachine commented Jan 7, 2026

💚 Build Succeeded

History

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ferullo ferullo ferullo approved these changes

@calladoum-elastic calladoum-elastic calladoum-elastic approved these changes

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager Team:Defend Workflows Security team for Endpoint and OSQuery workflows [elastic/security-defend-workflows]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@tomsonpl @elasticmachine @ferullo @calladoum-elastic @andrewkroh