Last week Microsoft released the DRAFT security baseline for Windows 10 and Windows Server, version 20H2. Although the rule has been available since Windows 10 1903, the attack surface reduction (ASR) rule 'Block persistence through WMI event subscription' is now included in the recommended security control configuration.
The technique it targets is in the MITRE ATT&CK framework as T1546.003, Event Triggered Execution: Windows Management Instrumentation Event Subscription.
When we head over to the Microsoft docs page for 'Block persistence through WMI event subscription', we find the following information:
- Intune name: Not yet available
- Configuration Manager name: Not yet available
- GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
This basically means that at present the only options for enabling this rule are PowerShell or Group Policy. If you have already deployed all of your other ASR rules through a Microsoft Endpoint Manager Exploit Guard policy, the last thing you want is to bring in a second management tool, in this case Group Policy, for configurations that belong to the same thing, i.e. ASR rules. So in order to stay in Microsoft Endpoint Manager land I created a Configuration Item (CI) for this rule. The CI has two scripts, one for discovery and one for remediation.
For the discovery script, I borrowed some code from here: https://github.com/anthonws/MDATP_PoSh_Scripts/tree/master/ASR.
Discovery script: https://gist.github.com/alexverboon/7cadcaf170b40b0ce5e4fec0f2fc26d5
Remediation script: https://gist.github.com/alexverboon/2c9bf111f1c4841908a70b612638dc49
Assuming that you are familiar with creating Configuration Items in Microsoft Endpoint Configuration Manager, below are some screenshots.
Important: the code in the remediation script sets the ASR rule to Enabled, which means it will block. As always, I strongly recommend that you first run the ASR rule in Audit mode for a while. To do so, simply change the code in the remediation script from:
```powershell
Write-Output "Configuring Block persistence through WMI event subscription in Block mode"
$AsrPersistenceThroughWmiRuleID = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
Add-MpPreference -AttackSurfaceReductionRules_Ids "$AsrPersistenceThroughWmiRuleID" -AttackSurfaceReductionRules_Actions Enabled
```
to
```powershell
Write-Output "Configuring Block persistence through WMI event subscription in Audit mode"
$AsrPersistenceThroughWmiRuleID = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
Add-MpPreference -AttackSurfaceReductionRules_Ids "$AsrPersistenceThroughWmiRuleID" -AttackSurfaceReductionRules_Actions AuditMode
```
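As an added example (not the discovery and remediation gists linked above), here is the logic I would put into the two CI scripts, with the desired action held in one variable so that moving from Audit to Block is a one-word change. The function names are my own; the numeric codes 0/1/2/6 are what Get-MpPreference reports for Disabled/Block/Audit/Warn, and the discovery script's single output value is what the CI's compliance rule compares against.

```powershell
# Added example, not the page's gist code. Both CI scripts share the helper functions;
# the discovery script ends with Test-AsrRuleCompliance, the remediation script with
# Set-AsrRuleAction. The CI compliance rule is "value returned by the script equals Compliant".

$AsrPersistenceThroughWmiRuleID = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
$DesiredAction = 'AuditMode'   # change to 'Enabled' once the audit events look clean

# Names accepted by Add-MpPreference mapped to the numbers Get-MpPreference reports
$ActionCodes = @{ Disabled = 0; Enabled = 1; AuditMode = 2; Warn = 6 }

function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Rule IDs are stored in whatever case they were typed, so compare case-insensitively
        if ($ids[$i] -ieq $RuleId) { return [int]$actions[$i] }
    }
    return $null   # rule is not configured at all
}

# ---- Discovery script body ----
function Test-AsrRuleCompliance {
    param([string]$RuleId, [string]$Action)
    $current = Get-AsrRuleAction -RuleId $RuleId
    # An unconfigured rule and a rule in the wrong mode are both non-compliant
    if ($null -ne $current -and $current -eq $ActionCodes[$Action]) { 'Compliant' } else { 'NonCompliant' }
}

# ---- Remediation script body ----
function Set-AsrRuleAction {
    param([string]$RuleId, [string]$Action)
    # Add-MpPreference adds to (or updates) the existing rule list; Set-MpPreference
    # with -AttackSurfaceReductionRules_Ids replaces the whole list, which would
    # silently drop every other ASR rule deployed to the device.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
    Write-Output "Configured rule $RuleId as $Action"
}

# Discovery script: emit exactly one value for the compliance rule
Test-AsrRuleCompliance -RuleId $AsrPersistenceThroughWmiRuleID -Action $DesiredAction

# Remediation script would instead end with:
# Set-AsrRuleAction -RuleId $AsrPersistenceThroughWmiRuleID -Action $DesiredAction
```

Keeping the discovery check strict (the exact action, not just "rule present") matters: a device where someone flipped the rule back to Audit by hand is reported as non-compliant and gets remediated, which is the whole point of using a CI rather than a one-off script.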
Once you have created the CI, add it to a configuration baseline and deploy it to a collection with some test clients, then test whether the rule works. Here are a few ideas for testing.
Use the Atomic Red Team execution framework and run the following commands (see https://www.verboon.info/2020/06/advance-your-microsoft-defender-atp-hunting-skills-using-the-atomic-execution-framework/ for setting it up):
```powershell
Invoke-AtomicTest -AtomicTechnique T1546.003 -TestNumbers 1 -ShowDetails
Invoke-AtomicTest -AtomicTechnique T1546.003 -TestNumbers 1
Invoke-AtomicTest -AtomicTechnique T1546.003 -TestNumbers 1 -Cleanup
```
Or run the commands described in this blog post Persistence – WMI Event Subscription https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/
When running in Block mode (action Enabled) you get the following alert when attempting to register an event subscription.
And of course we get event logs; for more details on ASR event logs, check the blog post I wrote a while ago: Retrieving Windows Defender Exploit Guard Windows Event logs with PowerShell.
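As an added example (not code from the original post or from the event-log post linked above), here is how I would pull this rule's ASR events off a test client. The event IDs come from the Microsoft ASR documentation: 1121 is the rule firing in Block mode, 1122 in Audit mode. The EventData field names (User, Path, Process Name, Target Commandline) are an assumption based on the Defender operational log as I have seen it; if they differ on your build, inspect one event with ToXml() and adjust the names.

```powershell
# Added example, not the page's own code.
# 1121 = ASR rule blocked, 1122 = ASR rule audited (Microsoft-Windows-Windows Defender/Operational).
$AsrPersistenceThroughWmiRuleID = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

function Get-AsrWmiPersistenceEvents {
    param(
        [string]$RuleId = $AsrPersistenceThroughWmiRuleID,
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($RuleId) } |
        ForEach-Object {
            # Read the named EventData fields instead of scraping the rendered message
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Mode        = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                User        = $data['User']                # assumed field name
                Process     = $data['Process Name']        # assumed field name
                Target      = $data['Path']                # assumed field name
                CommandLine = $data['Target Commandline']  # assumed field name
            }
        }
}

# Run right after the Atomic test above; in Audit mode expect 1122, in Block mode 1121
Get-AsrWmiPersistenceEvents | Format-Table -AutoSize
```

Running this in Audit mode for a week and looking at the Process and CommandLine columns is the quickest way to see whether any legitimate software (monitoring agents, some management tools) registers WMI event subscriptions and would be blocked once the rule is set to Enabled.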
And last but not least, here are some advanced hunting queries that you can run in the Microsoft 365 Defender security portal: some retrieve the ASR events, and some identify event subscription attempts.
Hello, I enjoy your posts, but the images are of very low quality and most of the time I cannot read or see the queries. Would it be possible to change that in the future? I wanted to check the hunting queries used in this one and it seems impossible. Thank you for sharing anyway!
Yes, working on it, sorry.