Windows.ETW.WMIEventing

This artifact collects events associated with creation and deletion of WMI Event Consumers. All Event Consumers created under any namespace will generate events which are filtered on event consumer classes.

It uses the ETW provider: Microsoft-Windows-WMI-Activity {1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}
Note: This provider's events are supported on Windows 10+


name: Windows.ETW.WMIEventing
author: Matt Green - @mgreen27
description: |
    This artifact collects events associated with creation and deletion of WMI 
    Event Consumers. All Event Consumers created under any namespace will 
    generate events which are filtered on event consumer classes.  
    
    It uses the ETW provider:
    Microsoft-Windows-WMI-Activity {1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}  
    Note: This provider's events are supported on Windows 10+

type: CLIENT_EVENT

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'
      
    query: |
      -- Rolling cache of recently started processes, fed by the
      -- Microsoft-Windows-Kernel-Process ETW provider (event ID 1 = process
      -- start; any=0x10 is the provider keyword mask selecting process events).
      -- fifo() keeps at most 1000 rows and drops rows older than 60 seconds,
      -- so it can only attribute WMI events to processes started within
      -- roughly the last minute.
      LET RecentProcesses = SELECT * FROM fifo(query={
                SELECT System.TimeStamp AS CreateTime, 
                    EventData.ImageName AS ImageName,
                    -- Cast so Pid compares with the integer TargetPid used by
                    -- GetProcessInfo below (EventData fields are not
                    -- guaranteed to arrive as ints).
                    int(int=EventData.ProcessID) AS Pid,
                    EventData.MandatoryLabel AS MandatoryLabel,
                    EventData.ProcessTokenElevationType AS ProcessTokenElevationType,
                    EventData.ProcessTokenIsElevated AS TokenIsElevated
                FROM watch_etw(guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}", any=0x10)
                WHERE System.ID = 1   
            }, max_rows=1000, max_age=60)
        
      -- Query it once to materialize the FIFO, so it is already collecting
      -- process starts before the WMI watch below begins emitting rows.
      LET _ <= SELECT * FROM RecentProcesses
        
      -- Resolve a WMI client pid to process details. switch() yields the rows
      -- of the first branch that returns any, so the live process table wins
      -- and the FIFO is only consulted when the pid is no longer running.
      -- NOTE(review): pslist(pid=...) cannot tell whether the pid was reused
      -- by a later process after the WMI call; when attributing short-lived
      -- clients, sanity-check Process.CreateTime against EventTime.
      LET GetProcessInfo(TargetPid) = SELECT * FROM switch(
            -- First try to get the pid directly
            a={
                SELECT 
                    Name, Pid, CreateTime,
                    Exe as ImageName,
                    CommandLine,
                    Username,
                    TokenIsElevated
                FROM pslist(pid=TargetPid)
            },
            -- Failing this look in the FIFO for a recently started process.
            -- The FIFO has no CommandLine or Username, so those are NULL here.
            b={
                SELECT
                    basename(path=ImageName) as Name,
                    Pid,
                    CreateTime,
                    ImageName,
                    Null as CommandLine,
                    Null as Username,
                    -- ETW reports the elevation flag as a string: "0" means
                    -- not elevated, anything else is treated as elevated.
                    -- Normalized to a bool so both branches share one shape.
                    if(condition= TokenIsElevated="0", 
                        then= false, 
                        else= true ) as TokenIsElevated
                FROM RecentProcesses
                WHERE Pid = TargetPid
                LIMIT 1
            })
            
      -- watch ETW provider and first round data manipulation
      -- Main stream: Microsoft-Windows-WMI-Activity. Event ID 11 is the
      -- operational event carrying the per-operation fields (Operation,
      -- NamespaceName, ClientProcessId, User, ...) referenced below.
      SELECT
            System.TimeStamp AS EventTime,
            System.ID as EventId,
            -- NamespaceName is reported with a leading \\.\ device prefix
            -- (e.g. \\.\root\subscription); strip it for readability.
            strip(prefix='\\\\\.\\',string=EventData.NamespaceName) as NamespaceName,
            EventData.Operation as Operation,
            -- [0] takes the single row GetProcessInfo produces; if neither
            -- pslist nor the FIFO knows the pid there is nothing to take.
            GetProcessInfo(TargetPid=int(int=EventData.ClientProcessId))[0] as Process,
            EventData.IsLocal as IsLocal,
            EventData.ClientMachine as ClientMachine,
            EventData.ClientMachineFQDN as ClientMachineFQDN,
            EventData.User as User,
            EventData.CorrelationId as CorrelationId,
            EventData.OperationId as OperationId,
            EventData.GroupOperationId as GroupOperationId
        FROM watch_etw(guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}")
        -- Keep only instance/class writes and deletes whose target class name
        -- mentions a WMI subscription component. The second regex is
        -- unanchored, so it matches __EventFilter, __FilterToConsumerBinding
        -- and every *EventConsumer class (CommandLineEventConsumer,
        -- ActiveScriptEventConsumer, ...): filters and bindings are reported
        -- too, not only consumers as the description says.
        WHERE EventId = 11
            AND Operation =~ 'WbemServices::(PutInstance|DeleteInstance|PutClass|DeleteClass)'
            AND Operation =~ 'EventConsumer|EventFilter|FilterToConsumerBinding'