WmiEventConsumer doesn't log ScriptText

    Question

  • We were testing WmiEvent detection in sysmon v8 using wmipersist_windows.exe from Impacket tools

    What we found is that when launched like this: "wmipersist_windows.exe creds@system install -name AASEC -vbs samplevbs.vbs -timer 60000", it creates a WmiEventConsumer which we can query with PowerShell (gwmi -namespace root\subscription -Class ActiveScriptEventConsumer):

    Name             : AASEC
    ScriptFilename   :
    ScriptingEngine  : VBScript
    ScriptText       : Dim objFS, objFile
                       Set objFS = CreateObject("Scripting.FileSystemObject")
                       Set objFile = objFS.OpenTextFile("C:\output.log", 8, true)
                       objFile.WriteLine "Hey There!"
                       objFile.Close

    However, ScriptingEngine (Type) and ScriptText (Destination) information is missing from the corresponding sysmon EventID 20. The only thing that gets captured is the name. So we end up missing the critical information about what actually happened. On the other hand, when creating an ActiveScriptEventConsumer manually with PS like this:

    PS C:\WINDOWS\system32> $ASEventConsumer = ([wmiclass]"\\.\root\subscription:ActiveScriptEventConsumer").CreateInstance()
    PS C:\WINDOWS\system32> $ASEventConsumer.Name = 'ActiveScriptEventConsumer_Example'
    PS C:\WINDOWS\system32> $ASEventConsumer.ScriptingEngine = 'VBScript'
    PS C:\WINDOWS\system32> $ASEventConsumer.ScriptText = 'Dim objFS, objFile
    >>                    Set objFS = CreateObject("Scripting.FileSystemObject")
    >>                    Set objFile = objFS.OpenTextFile("C:\output.log", 8, true)
    >>                    objFile.WriteLine "Hey There!"
    >>                    objFile.Close'
    PS C:\WINDOWS\system32> $ASECResult = $ASEventConsumer.Put()

    this information is correctly captured in the event in Type and Destination.

    Seems like wmipersist is using some method to create an event consumer that's bypassing sysmon's ability to fully detect it.

    Friday, April 12, 2019 4:34 PM
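The following is an added example, not code from the original post or from the Sysmon or Impacket projects. It is a read-only PowerShell audit that enumerates the permanent WMI subscriptions in root\subscription (filters, consumers and bindings), pulls the ScriptText or CommandLineTemplate straight from WMI, and joins each consumer with the most recent Sysmon Event ID 20 record of the same name, so a defender can see which consumers Sysmon logged without a Type/Destination. It assumes an elevated session, that Sysmon writes to the Microsoft-Windows-Sysmon/Operational log, and that its Event ID 20 carries the data fields Name, Type and Destination (the field names shown in the post); the helper name ConvertTo-RefKey and the report layout are this example's own.

```powershell
# Added example (not from the original post): read-only audit of WMI permanent event
# subscriptions, joined with Sysmon Event ID 20 records. Nothing is created or removed.
# Assumptions: run elevated; Sysmon log is Microsoft-Windows-Sysmon/Operational and its
# Event ID 20 data fields include Name, Type and Destination.

$ns = 'root\subscription'

# Querying the abstract base class returns every concrete consumer (ActiveScript, CommandLine, ...).
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

# Binding references look like  ActiveScriptEventConsumer.Name="AASEC"  (sometimes with a
# \\host\namespace: prefix). Reduce them to the class and key name for joining.
function ConvertTo-RefKey {
    param([string]$Ref)
    if ($Ref -match '(?<class>\w+)\.Name="(?<name>[^"]*)"$') {
        return @{ Class = $Matches.class; Name = $Matches.name }
    }
    return @{ Class = ''; Name = $Ref }
}

$filterByName  = @{}
foreach ($f in $filters)   { $filterByName[$f.Name] = $f }
$consumerByKey = @{}
foreach ($c in $consumers) { $consumerByKey["$($c.__CLASS)|$($c.Name)"] = $c }

# Sysmon Event ID 20 (WmiEvent, consumer activity). Get-WinEvent returns newest first,
# so the first record seen per consumer name is the most recent one.
$sysmonByName = @{}
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 20 } `
                       -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }
    $n = $data['Name']
    if ($n -and -not $sysmonByName.ContainsKey($n)) { $sysmonByName[$n] = $data }
}

# One report row per binding: what WMI says the consumer will run vs. what Sysmon recorded.
$report = foreach ($b in $bindings) {
    $fRef = ConvertTo-RefKey $b.Filter
    $cRef = ConvertTo-RefKey $b.Consumer
    $filter   = $filterByName[$fRef.Name]
    $consumer = $consumerByKey["$($cRef.Class)|$($cRef.Name)"]

    # The payload lives in different properties depending on the consumer class.
    $payload = switch ($cRef.Class) {
        'ActiveScriptEventConsumer' {
            if ($consumer.ScriptText) { $consumer.ScriptText } else { "file: $($consumer.ScriptFilename)" }
        }
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        default                     { '' }
    }

    $rec = $sysmonByName[$cRef.Name]
    [pscustomobject]@{
        FilterName            = $fRef.Name
        FilterQuery           = if ($filter) { $filter.Query } else { '<filter not found>' }
        ConsumerClass         = $cRef.Class
        ConsumerName          = $cRef.Name
        WmiPayload            = $payload
        SysmonEventSeen       = [bool]$rec
        SysmonType            = if ($rec) { $rec['Type'] } else { '' }
        SysmonDestination     = if ($rec) { $rec['Destination'] } else { '' }
        # True when WMI holds a payload that the Sysmon record does not carry: the gap described in the post.
        PayloadMissingInSysmon = [bool]($payload) -and -not ($rec -and $rec['Destination'])
    }
}

$report | Format-List
```

Rows with PayloadMissingInSysmon set to True are the ones to escalate: the consumer exists and has a script body or command line in WMI, but the Sysmon record (if any) does not show it, so the WMI query rather than the Sysmon event is the source of truth for what would execute. Because the audit reads the live repository, it also catches consumers created by whatever method, independent of how Sysmon observed the registration.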

All replies

  • @MarkC, let me know if you guys think this is something that can be investigated and/or fixed in future versions? Also happy to help run this down with you.
    Wednesday, April 17, 2019 3:33 PM