# Introduction
This is a memo from an occasion on which I explained how to look at the Windows Management Instrumentation (WMI) related event logs that Sysmon can collect.
To show what can (and, in places, cannot...) be analysed from the event logs Sysmon records, I picked several well-known examples of event logs viewed from a WMI-related angle.
The event logs are collected with Elasticsearch + Winlogbeat; their configuration is the same as in my earlier article. The logs are viewed in Kibana.
(Appendix added)
I also added a note on an analysis tool that parses the WMI repository file (C:\Windows\System32\wbem\Repository\OBJECTS.DATA) and extracts event subscription information. For reference.
* All command examples are based on legitimate commands used in normal operations, taken from Microsoft's official documentation.
* In view of recent legal risks, this article only explains how we can refer to the logs that are collected to protect ourselves from attackers; it contains nothing usable for attacks. Please understand.
# Classification by MITRE ATT&CK (reference)
For details on Windows Management Instrumentation (WMI) in a security context, the following are well organized; many thanks to their authors.
- T1047 Windows Management Instrumentation
- T1084 Windows Management Instrumentation Event Subscription
- WINDOWS MANAGEMENT INSTRUMENTATION (WMI) OFFENSE, DEFENSE, AND FORENSICS (PDF)
# Software used
- OS: Ubuntu 18.04
- Elasticsearch (7.3.2)
- Kibana (7.3.2)
- Winlogbeat (7.6.0)
- Sysmon (v10.42)
- Windows 10 (client PC)
# Starting a process via WMI
## Event ID 1: Process creation
As an example of a process started via WMI (for instance a command or script execution), notepad.exe is run. The parent process (or a process further up its process tree) is WmiPrvSE.exe rather than the PowerShell.exe that executed the command.
```powershell
PS C:\> ([WMICLASS]"\\localhost\ROOT\CIMV2:win32_process").Create("notepad.exe")
```
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "wPWtWHABhT969eT7niK1",
"_version": 1,
"_source": {
"@timestamp": "2020-02-18T14:22:18.171Z",
"process": {
"executable": "C:\\Windows\\System32\\notepad.exe",
"args": [
"notepad.exe"
],
"working_directory": "C:\\WINDOWS\\system32\\",
"parent": {
"entity_id": "{22052e76-de23-5e4b-0000-0010ee1c0300}",
"pid": 3508,
"executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"args": [
"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe",
"-secured",
"-Embedding"
],
"name": "WmiPrvSE.exe"
},
"name": "notepad.exe",
"entity_id": "{22052e76-f31a-5e4b-0000-0010a0b74900}",
"pid": 8208
},
"user": {
"domain": "DESKTOP-XXXXXXXX",
"name": "xxxxx"
},
"hash": {
"md5": "0e61079d3283687d2e279272966ae99d",
"sha256": "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77"
},
"ecs": {
"version": "1.4.0"
},
"winlog": {
"event_id": 1,
"task": "Process Create (rule: ProcessCreate)",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"event_data": {
"FileVersion": "10.0.17763.475 (WinBuild.160101.0800)",
"OriginalFileName": "NOTEPAD.EXE",
"IntegrityLevel": "High",
"LogonGuid": "{22052e76-de2a-5e4b-0000-0020ca760500}",
"Product": "Microsoft® Windows® Operating System",
"TerminalSessionId": "1",
"Company": "Microsoft Corporation",
"LogonId": "0x576ca",
"Description": "Notepad"
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"record_id": 329631,
"process": {
"pid": 2800,
"thread": {
"id": 696
}
},
"user": {
"identifier": "S-1-5-18",
"name": "SYSTEM",
"domain": "NT AUTHORITY",
"type": "User"
},
"api": "wineventlog",
"opcode": "情報",
"provider_name": "Microsoft-Windows-Sysmon",
"version": 5,
"computer_name": "DESKTOP-XXXXXXXX"
},
"event": {
"action": "Process Create (rule: ProcessCreate)",
"created": "2020-02-18T14:22:19.761Z",
"module": "sysmon",
"category": "process",
"type": "process_start",
"kind": "event",
"code": 1,
"provider": "Microsoft-Windows-Sysmon"
},
"host": {
"name": "DESKTOP-XXXXXXX",
"hostname": "DESKTOP-XXXXXXX",
"architecture": "x86_64",
"os": {
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039",
"platform": "windows",
"version": "10.0",
"family": "windows"
},
"id": "xxxxxxxxxxxx"
},
"log": {
"level": "情報"
},
"agent": {
"type": "winlogbeat",
"ephemeral_id": "xxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-xxxxxxxxx",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0"
}
}
}
# Creating a registry key via WMI
## Event ID 12: RegistryEvent (Object create and delete)
A registry key created via WMI (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\foo). The executing process is WmiPrvSE.exe, not PowerShell.exe.
```powershell
PS C:\> $hklm=2147483650
PS C:\> $computer ='.'
PS C:\> $reg = [WMIClass]"ROOT\DEFAULT:StdRegProv"
PS C:\> $key="SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\foo"
PS C:\> $results = $reg.CreateKey($hklm, $key)
```
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "5vWMWHABhT969eT73xVp",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T13:46:31.970Z",
"process": {
"pid": 2224,
"executable": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe",
"name": "wmiprvse.exe",
"entity_id": "{22052e76-eab7-5e4b-0000-0010d7e53b00}"
},
"ecs": {
"version": "1.4.0"
},
"agent": {
"hostname": "DESKTOP-xxxxxxxx",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0",
"type": "winlogbeat",
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
"winlog": {
"channel": "Microsoft-Windows-Sysmon/Operational",
"api": "wineventlog",
"computer_name": "DESKTOP-xxxxxxxx",
"opcode": "情報",
"version": 2,
"event_id": 12,
"record_id": 328634,
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"user": {
"identifier": "S-1-5-18",
"name": "SYSTEM",
"domain": "NT AUTHORITY",
"type": "User"
},
"event_data": {
"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\foo",
"EventType": "CreateKey"
},
"provider_name": "Microsoft-Windows-Sysmon",
"process": {
"pid": 2800,
"thread": {
"id": 696
}
},
"task": "Registry object added or deleted (rule: RegistryEvent)"
},
"event": {
"created": "2020-02-18T13:46:33.641Z",
"kind": "event",
"code": 12,
"provider": "Microsoft-Windows-Sysmon",
"module": "sysmon",
"action": "Registry object added or deleted (rule: RegistryEvent)"
},
"host": {
"name": "DESKTOP-xxxxxxxx",
"architecture": "x86_64",
"os": {
"build": "17763.1039",
"platform": "windows",
"version": "10.0",
"family": "windows",
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)"
},
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-xxxxxxxx"
},
"log": {
"level": "情報"
}
}
}
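Both records above share one tell: the acting process is the WMI provider host, WmiPrvSE.exe, rather than the shell the user typed into. The following is an added example (not code from the original article) that applies that check to Sysmon documents in the Winlogbeat/ECS layout shown above: Event ID 1 records whose parent is WmiPrvSE.exe, and registry events raised by WmiPrvSE.exe itself. The sample documents are constructed from the article's values; the registry event IDs 13 and 14 are included from Sysmon's documented set even though the article shows only ID 12.

```python
# Added example, not code from the original article: flag Sysmon records in
# the Winlogbeat/ECS layout shown above in which WmiPrvSE.exe is the actor,
# i.e. an Event ID 1 whose parent is the WMI provider host and a registry
# event raised by that host. The sample documents below are constructed from
# the article's values (host names and GUIDs are the article's placeholders).
import ntpath

WMI_PROVIDER_HOST = "wmiprvse.exe"
# Sysmon registry events: 12 key create/delete, 13 value set, 14 rename.
# The article shows only ID 12; the others are included for completeness.
REGISTRY_EVENT_IDS = {12, 13, 14}

SAMPLE_DOCS = [
    {  # Event ID 1: notepad.exe created through Win32_Process.Create
        "winlog": {"event_id": 1},
        "process": {
            "executable": "C:\\Windows\\System32\\notepad.exe",
            "args": ["notepad.exe"],
            "parent": {"executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
        },
    },
    {  # Event ID 1: notepad.exe started by the user from explorer.exe (benign)
        "winlog": {"event_id": 1},
        "process": {
            "executable": "C:\\Windows\\System32\\notepad.exe",
            "args": ["C:\\WINDOWS\\system32\\notepad.exe"],
            "parent": {"executable": "C:\\Windows\\explorer.exe"},
        },
    },
    {  # Event ID 12: key created through StdRegProv.CreateKey
        "winlog": {
            "event_id": 12,
            "event_data": {
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\foo",
                "EventType": "CreateKey",
            },
        },
        "process": {"executable": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"},
    },
    {  # Event ID 12 (constructed): the same key created by PowerShell directly
        "winlog": {
            "event_id": 12,
            "event_data": {
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\foo",
                "EventType": "CreateKey",
            },
        },
        "process": {"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    },
]


def _basename(path):
    # The same binary appears as WmiPrvSE.exe in one record and wmiprvse.exe in
    # another, so compare case-insensitively on the file name only.
    return ntpath.basename(path or "").lower()


def is_wmi_spawned_process(doc):
    """Event ID 1 whose parent is the WMI provider host."""
    parent = doc.get("process", {}).get("parent", {}).get("executable")
    return doc.get("winlog", {}).get("event_id") == 1 and _basename(parent) == WMI_PROVIDER_HOST


def is_wmi_registry_change(doc):
    """Registry event whose acting process is the WMI provider host."""
    actor = doc.get("process", {}).get("executable")
    return (doc.get("winlog", {}).get("event_id") in REGISTRY_EVENT_IDS
            and _basename(actor) == WMI_PROVIDER_HOST)


def find_wmi_activity(docs):
    """Return one finding per record in which WmiPrvSE.exe is the actor."""
    findings = []
    for doc in docs:
        eid = doc.get("winlog", {}).get("event_id")
        proc = doc.get("process", {})
        if is_wmi_spawned_process(doc):
            actor = proc["parent"]["executable"]
            target = " ".join(proc.get("args", [])) or proc.get("executable")
            kind = "process_spawned_by_wmi"
        elif is_wmi_registry_change(doc):
            actor = proc["executable"]
            event_data = doc["winlog"].get("event_data", {})
            target = event_data.get("TargetObject")
            kind = "registry_" + event_data.get("EventType", "change").lower()
        else:
            continue
        findings.append({
            "event_id": eid,
            "kind": kind,
            "target": target,
            "actor": actor,
            # The genuine provider host lives under System32\wbem; a binary of
            # the same name elsewhere deserves a closer look.
            "actor_in_wbem_dir": "\\wbem\\" in actor.lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in find_wmi_activity(SAMPLE_DOCS):
        print(finding)
```

Run stand-alone it prints two findings: the notepad.exe spawned by WmiPrvSE.exe and the CreateKey event raised by wmiprvse.exe; the user-started notepad.exe and the PowerShell-created key are left alone. The same two conditions map directly onto a Kibana filter on `process.parent.executable` / `process.executable` for the corresponding `winlog.event_id` values.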
# Querying local system information via WMI
```powershell
PS C:\> $product = Get-WmiObject -Namespace "root/SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct"
PS C:\> $product
__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{xxxxxxxxxxxxxxxxxxxxxxxxxxxx}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DESKTOP-xxxxxxx
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \\DESKTOP-xxxxxxx\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{xxxxxxxxxxxxxxxxxxxxxxxxxxxx}"
displayName : Windows Defender
instanceGuid : {xxxxxxxxxxxxxx}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 397568
timestamp : Tue, 18 Feb 2020 12:54:55 GMT
PSComputerName : DESKTOP-xxxxxxxx
```
Unfortunately no usable Sysmon log was collected for this. Care is needed when trying to detect initial discovery activity that uses WMI.
# Accessing a remote PC via WMI
## Event ID 3: Network connection
Let's access a remote PC via WMI. WMI uses the following two protocols; here we look at the network logs of that traffic.
- Server Message Block (SMB)
- Remote Procedure Call Service (RPCSS) (port 135) * Afterwards, communication also occurs on a dynamically assigned port.
The points to note are the connection to port 135 made by svchost.exe -k RPCSS and the subsequent connection on the dynamic port.
```powershell
PS C:\> $myid='desktop-xxxxxx\foo'
PS C:\> $mypwd='hogehoge'
PS C:\> $SecurePassword = ConvertTo-SecureString –String $mypwd –AsPlainText -Force
PS C:\> $Credential = New-Object System.Management.Automation.PSCredential($myid, $SecurePassword)
PS C:\> $Computer = "DESKTOP-XXXXXXX"
PS C:\> Get-WmiObject -Namespace "root\cimv2" -Class Win32_Process -Impersonation 3 -Credential $Credential -ComputerName $Computer
__GENUS : 2
__CLASS : Win32_Process
__SUPERCLASS : CIM_Process
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_Process.Handle="0"
__PROPERTY_COUNT : 45
__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER : DESKTOP-xxxxxxxxxx
__NAMESPACE : root\cimv2
__PATH : \\DESKTOP-xxxxxxxxx\root\cimv2:Win32_Process.Handle="0"
Caption : System Idle Process
CommandLine :
CreationClassName : Win32_Process
CreationDate :
CSCreationClassName : Win32_ComputerSystem
CSName : DESKTOP-xxxxxxxxx
Description : System Idle Process
ExecutablePath :
ExecutionState :
Handle : 0
HandleCount : 0
InstallDate :
KernelModeTime : 151063568350
MaximumWorkingSetSize :
MinimumWorkingSetSize :
Name : System Idle Process
OSCreationClassName : Win32_OperatingSystem
OSName : Microsoft Windows 7 Professional |C:\Windows|\Device\Harddisk0\Partition1
OtherOperationCount : 0
OtherTransferCount : 0
PageFaults : 1
PageFileUsage : 0
...(omitted)
```
When the command runs, the two kinds of communication described above occur.

| Executable | Source | Destination | Protocol | Direction |
|---|---|---|---|---|
| svchost.exe -k RPCSS | 192.168.0.134:56319 | 192.168.0.135:135 | tcp | outbound |
| powershell.exe | 192.168.0.134:56321 | 192.168.0.135:49154 | tcp | outbound |
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "8PX3WHABhT969eT7CEkw",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T15:42:27.575Z",
"winlog": {
"api": "wineventlog",
"computer_name": "DESKTOP-xxxxxx",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"version": 5,
"process": {
"pid": 2800,
"thread": {
"id": 3876
}
},
"event_id": 3,
"user": {
"domain": "NT AUTHORITY",
"type": "User",
"identifier": "S-1-5-18",
"name": "SYSTEM"
},
"provider_name": "Microsoft-Windows-Sysmon",
"task": "Network connection detected (rule: NetworkConnect)",
"record_id": 334447,
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "情報"
},
"process": {
"entity_id": "{22052e76-de1f-5e4b-0000-0010811b0100}",
"pid": 872,
"executable": "C:\\Windows\\System32\\svchost.exe",
"name": "svchost.exe"
},
"network": {
"transport": "tcp",
"protocol": "epmap",
"direction": "outbound",
"type": "ipv4",
"community_id": "1:CilmSmzG1zKTVtYt+MKudG1QX80="
},
"agent": {
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-xxxxxx",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0",
"type": "winlogbeat"
},
"event": {
"provider": "Microsoft-Windows-Sysmon",
"action": "Network connection detected (rule: NetworkConnect)",
"created": "2020-02-18T15:42:28.396Z",
"module": "sysmon",
"kind": "event",
"code": 3
},
"host": {
"name": "DESKTOP-xxxxxx",
"hostname": "DESKTOP-xxxxxx",
"architecture": "x86_64",
"os": {
"family": "windows",
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039",
"platform": "windows",
"version": "10.0"
},
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
"log": {
"level": "情報"
},
"source": {
"ip": "192.168.0.134",
"domain": "DESKTOP-xxxxxx.localdomain",
"port": 56319
},
"destination": {
"ip": "192.168.0.135",
"domain": "WIN-V6BHBTO1QK6",
"port": 135
},
"user": {
"domain": "NT AUTHORITY",
"name": "NETWORK SERVICE"
},
"ecs": {
"version": "1.4.0"
}
}
}
As shown below, the process recorded for the dynamic-port communication is PowerShell.exe.
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "8vX3WHABhT969eT7CEkw",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T15:42:27.593Z",
"winlog": {
"opcode": "情報",
"process": {
"thread": {
"id": 3876
},
"pid": 2800
},
"event_id": 3,
"provider_name": "Microsoft-Windows-Sysmon",
"user": {
"name": "SYSTEM",
"domain": "NT AUTHORITY",
"type": "User",
"identifier": "S-1-5-18"
},
"computer_name": "DESKTOP-xxxxxx",
"channel": "Microsoft-Windows-Sysmon/Operational",
"record_id": 334449,
"task": "Network connection detected (rule: NetworkConnect)",
"api": "wineventlog",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"version": 5
},
"event": {
"module": "sysmon",
"kind": "event",
"code": 3,
"provider": "Microsoft-Windows-Sysmon",
"action": "Network connection detected (rule: NetworkConnect)",
"created": "2020-02-18T15:42:28.396Z"
},
"host": {
"os": {
"platform": "windows",
"version": "10.0",
"family": "windows",
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039"
},
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"name": "DESKTOP-xxxxxx",
"hostname": "DESKTOP-xxxxxx",
"architecture": "x86_64"
},
"log": {
"level": "情報"
},
"process": {
"entity_id": "{22052e76-de8a-5e4b-0000-001063791000}",
"pid": 7492,
"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"name": "powershell.exe"
},
"user": {
"domain": "DESKTOP-xxxxxx",
"name": "xxxxxx"
},
"network": {
"transport": "tcp",
"direction": "outbound",
"type": "ipv4",
"community_id": "1:mIssAx3ritmZPkMGaMD2ttxAluQ="
},
"source": {
"ip": "192.168.0.134",
"domain": "DESKTOP-xxxxxx.localdomain",
"port": 56321
},
"destination": {
"ip": "192.168.0.135",
"domain": "WIN-V6BHBTO1QK6",
"port": 49154
},
"ecs": {
"version": "1.4.0"
},
"agent": {
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-xxxxxx",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0",
"type": "winlogbeat"
}
}
}
## Event ID 1: Process creation
From the following record you can establish what this **svchost.exe** actually is from its start-up arguments (-k RPCSS) and other details.
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "0_RdWHABhT969eT7rfVZ",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T12:52:47.088Z",
"event": {
"kind": "event",
"module": "sysmon",
"type": "process_start",
"category": "process",
"code": 1,
"provider": "Microsoft-Windows-Sysmon",
"action": "Process Create (rule: ProcessCreate)",
"created": "2020-02-18T12:54:56.384Z"
},
"host": {
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-xxxxxx",
"architecture": "x86_64",
"name": "DESKTOP-xxxxxx",
"os": {
"family": "windows",
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039",
"platform": "windows",
"version": "10.0"
}
},
"process": {
"name": "svchost.exe",
"entity_id": "{22052e76-de1f-5e4b-0000-0010811b0100}",
"pid": 872,
"executable": "C:\\Windows\\System32\\svchost.exe",
"args": [
"C:\\WINDOWS\\system32\\svchost.exe",
"-k",
"RPCSS",
"-p"
],
"working_directory": "C:\\WINDOWS\\system32\\",
"parent": {
"entity_id": "{22052e76-de1e-5e4b-0000-001079b60000}",
"pid": 604,
"executable": "C:\\Windows\\System32\\services.exe",
"args": [
"C:\\WINDOWS\\system32\\services.exe"
],
"name": "services.exe"
}
},
"user": {
"domain": "NT AUTHORITY",
"name": "NETWORK SERVICE"
},
"ecs": {
"version": "1.4.0"
},
"log": {
"level": "情報"
},
"winlog": {
"task": "Process Create (rule: ProcessCreate)",
"event_id": 1,
"provider_name": "Microsoft-Windows-Sysmon",
"computer_name": "DESKTOP-xxxxxx",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"process": {
"pid": 2800,
"thread": {
"id": 696
}
},
"event_data": {
"Company": "Microsoft Corporation",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
"LogonGuid": "{xxxxxxxxxxxxxxxxxxxxxxxxxxx}",
"OriginalFileName": "svchost.exe",
"Product": "Microsoft® Windows® Operating System",
"Description": "Host Process for Windows Services",
"TerminalSessionId": "0",
"LogonId": "0x3e4",
"IntegrityLevel": "System"
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"version": 5,
"user": {
"domain": "NT AUTHORITY",
"type": "User",
"identifier": "S-1-5-18",
"name": "SYSTEM"
},
"record_id": 324590,
"api": "wineventlog",
"opcode": "情報"
},
"hash": {
"md5": "8a0a29438052faed8a2532da50455756",
"sha256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6"
},
"agent": {
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-xxxxxx",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0",
"type": "winlogbeat"
}
}
}
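The three records above only tell the story together: the port-135 connection by itself is an anonymous svchost.exe, and the high-port connection by itself is just PowerShell talking to a neighbour. The following is an added example (not code from the original article) that pairs the Event ID 3 endpoint-mapper connection with the follow-up dynamic-port connection to the same destination inside a short time window, and names the service behind the svchost.exe by joining `process.entity_id` to the Event ID 1 record. The sample documents are constructed from the article's values (placeholders kept as they are, plus one constructed unrelated connection); the five-second window and the 49152 dynamic-port floor (the default Windows ephemeral range) are assumptions.

```python
# Added example, not code from the original article: on the calling host,
# pair the Event ID 3 connection to the RPC endpoint mapper (port 135) with
# the follow-up connection to a dynamic port on the same destination, and
# resolve which service hosted the port-135 connection by joining
# process.entity_id to the Event ID 1 record. The sample documents are
# constructed from the article's values (placeholders kept as they are).
from datetime import datetime, timedelta

EPMAP_PORT = 135            # RPC endpoint mapper
DYNAMIC_PORT_FLOOR = 49152  # start of the default Windows dynamic port range

SAMPLE_DOCS = [
    {"@timestamp": "2020-02-18T12:52:47.088Z", "winlog": {"event_id": 1},
     "process": {"entity_id": "{22052e76-de1f-5e4b-0000-0010811b0100}", "pid": 872,
                 "name": "svchost.exe",
                 "args": ["C:\\WINDOWS\\system32\\svchost.exe", "-k", "RPCSS", "-p"]}},
    {"@timestamp": "2020-02-18T15:42:27.575Z", "winlog": {"event_id": 3},
     "process": {"entity_id": "{22052e76-de1f-5e4b-0000-0010811b0100}", "name": "svchost.exe"},
     "destination": {"ip": "192.168.0.135", "port": 135}},
    {"@timestamp": "2020-02-18T15:42:27.593Z", "winlog": {"event_id": 3},
     "process": {"entity_id": "{22052e76-de8a-5e4b-0000-001063791000}", "name": "powershell.exe"},
     "destination": {"ip": "192.168.0.135", "port": 49154}},
    # Constructed noise: a high-port connection with no preceding endpoint-mapper call
    {"@timestamp": "2020-02-18T15:43:00.000Z", "winlog": {"event_id": 3},
     "process": {"entity_id": "{00000000-0000-0000-0000-000000000001}", "name": "browser.exe"},
     "destination": {"ip": "192.168.0.200", "port": 50000}},
]


def parse_ts(ts):
    """Winlogbeat writes UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def command_lines_by_entity(docs):
    """process.entity_id -> command line, taken from Event ID 1 records."""
    return {d["process"]["entity_id"]: " ".join(d["process"].get("args", []))
            for d in docs if d.get("winlog", {}).get("event_id") == 1}


def correlate_dcom_sessions(docs, window_seconds=5):
    """Pair each port-135 connection with later dynamic-port connections to
    the same destination inside the window; one record per pair."""
    cmdlines = command_lines_by_entity(docs)
    conns = sorted((d for d in docs if d.get("winlog", {}).get("event_id") == 3),
                   key=lambda d: parse_ts(d["@timestamp"]))
    sessions = []
    for i, ep in enumerate(conns):
        if ep["destination"]["port"] != EPMAP_PORT:
            continue
        ep_time = parse_ts(ep["@timestamp"])
        for follow in conns[i + 1:]:
            if parse_ts(follow["@timestamp"]) - ep_time > timedelta(seconds=window_seconds):
                break  # conns is time-ordered, so nothing later can match
            if (follow["destination"]["ip"] == ep["destination"]["ip"]
                    and follow["destination"]["port"] >= DYNAMIC_PORT_FLOOR):
                sessions.append({
                    "destination": ep["destination"]["ip"],
                    "epmap_process": ep["process"]["name"],
                    # Without its Event ID 1 record the svchost.exe stays anonymous
                    "epmap_command_line": cmdlines.get(ep["process"]["entity_id"],
                                                       "<no Event ID 1 seen>"),
                    "client_process": follow["process"]["name"],
                    "client_entity_id": follow["process"]["entity_id"],
                    "dynamic_port": follow["destination"]["port"],
                })
    return sessions


if __name__ == "__main__":
    for session in correlate_dcom_sessions(SAMPLE_DOCS):
        print(session)
```

The output is a single session: destination 192.168.0.135, endpoint-mapper connection by `svchost.exe -k RPCSS -p`, client powershell.exe on port 49154. Because the join runs on `process.entity_id` rather than on the PID, it still works after the PID has been reused, which is the reason Sysmon records that GUID in every event.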
# Event subscriptions
Sysmon can record WMI event subscriptions as the following three event logs.
- Event ID 19: WmiEvent (WmiEventFilter activity detected)
  Logged when a WMI event filter is registered. The filter name and its contents (the WQL query) are recorded.
- Event ID 20: WmiEvent (WmiEventConsumer activity detected)
  Logged when a notification target (event consumer) for events matching the filter above is registered.
- Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
  Logged when the filter and consumer above are actually bound together and the subscription becomes active.
In this article's example we set up the following event subscription:
- WMI event filter: "when notepad.exe is executed as a process"
- WMI event consumer: "run a command that performs a DNS query for www.example.com with nslookup.exe"
- Bind the filter and consumer above and activate them
Besides detecting such a WMI event subscription from the Sysmon logs, in some cases it is also possible to trace the suspicious process subsequently started by WmiPrvSE.exe, along with its behaviour and network communication.
(1) Detection of the WMI event subscription
(2) Start of a suspicious process by WmiPrvSE.exe
(3) Suspicious behaviour or communication by the started process
In this article's example, the user action (explorer.exe) runs notepad.exe, which triggers nslookup.exe to communicate externally.
## Event ID 19: WmiEvent (WmiEventFilter activity detected)
```
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Caption = 'notepad.exe'
```
The start of notepad.exe is registered as the condition. The details are in _source.winlog.event_data.
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "wfUiWXABhT969eT7F1rs",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T16:29:29.429Z",
"ecs": {
"version": "1.4.0"
},
"agent": {
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-XXXXXX",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0",
"type": "winlogbeat"
},
"event": {
"module": "sysmon",
"created": "2020-02-18T16:29:30.490Z",
"kind": "event",
"code": 19,
"provider": "Microsoft-Windows-Sysmon",
"action": "WmiEventFilter activity detected (rule: WmiEvent)"
},
"host": {
"name": "DESKTOP-XXXXXX",
"hostname": "DESKTOP-XXXXXX",
"architecture": "x86_64",
"os": {
"family": "windows",
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039",
"platform": "windows",
"version": "10.0"
},
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
"log": {
"level": "情報"
},
"winlog": {
"provider_name": "Microsoft-Windows-Sysmon",
"task": "WmiEventFilter activity detected (rule: WmiEvent)",
"channel": "Microsoft-Windows-Sysmon/Operational",
"process": {
"pid": 2800,
"thread": {
"id": 4636
}
},
"record_id": 335701,
"api": "wineventlog",
"computer_name": "DESKTOP-XXXXXX",
"opcode": "情報",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"version": 3,
"user": {
"type": "User",
"identifier": "S-1-5-18",
"name": "SYSTEM",
"domain": "NT AUTHORITY"
},
"event_id": 19,
"event_data": {
"Operation": "Created",
"EventNamespace": " \"root\\\\cimv2\"",
"Name": " \"hoge1\"",
"Query": " \"SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Caption = 'notepad.exe'\"",
"EventType": "WmiFilterEvent"
}
},
"user": {
"name": "xxxxx",
"domain": "DESKTOP-XXXXXX"
}
}
}
## Event ID 20: WmiEvent (WmiEventConsumer activity detected)
```
C:\Windows\System32\nslookup.exe www.example.com
```
This is the command (nslookup.exe) executed when the notepad.exe start event is delivered. The information is recorded in _source.process.
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "yfUiWXABhT969eT7N1qC",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T16:29:36.920Z",
"ecs": {
"version": "1.4.0"
},
"event": {
"created": "2020-02-18T16:29:38.571Z",
"kind": "event",
"code": 20,
"provider": "Microsoft-Windows-Sysmon",
"action": "WmiEventConsumer activity detected (rule: WmiEvent)",
"module": "sysmon"
},
"host": {
"name": "DESKTOP-XXXXXX",
"os": {
"platform": "windows",
"version": "10.0",
"family": "windows",
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039"
},
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-XXXXXX",
"architecture": "x86_64"
},
"process": {
"executable": " \"C:\\\\Windows\\\\System32\\\\nslookup.exe www.example.com\"",
"name": "nslookup.exe www.example.com\""
},
"user": {
"domain": "DESKTOP-XXXXXX",
"name": "xxxxxx"
},
"agent": {
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0",
"type": "winlogbeat",
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-XXXXXX"
},
"winlog": {
"event_data": {
"Operation": "Created",
"Name": " \"hoge2\"",
"Type": "Command Line",
"EventType": "WmiConsumerEvent"
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"event_id": 20,
"provider_name": "Microsoft-Windows-Sysmon",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"user": {
"name": "SYSTEM",
"domain": "NT AUTHORITY",
"type": "User",
"identifier": "S-1-5-18"
},
"api": "wineventlog",
"process": {
"thread": {
"id": 4636
},
"pid": 2800
},
"computer_name": "DESKTOP-XXXXXX",
"record_id": 335707,
"task": "WmiEventConsumer activity detected (rule: WmiEvent)",
"opcode": "情報",
"version": 3
},
"log": {
"level": "情報"
}
}
}
## Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Binds the event filter condition to the action, as in "notepad.exe execution event occurs ==> run nslookup.exe".
* Only the link between the event filter name ("hoge1") and the consumer name ("hoge2") is recorded, so you need to look up each of them to see what they actually are (see _source.winlog.event_data).
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "zfUiWXABhT969eT7U1oG",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T16:29:44.532Z",
"log": {
"level": "情報"
},
"user": {
"domain": "DESKTOP-XXXXXX",
"name": "xxxxxx"
},
"ecs": {
"version": "1.4.0"
},
"agent": {
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0",
"type": "winlogbeat",
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-XXXXXX"
},
"winlog": {
"version": 3,
"api": "wineventlog",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"event_data": {
"Operation": "Created",
"Consumer": " \"CommandLineEventConsumer.Name=\\\"hoge2\\\"\"",
"Filter": " \"__EventFilter.Name=\\\"hoge1\\\"\"",
"EventType": "WmiBindingEvent"
},
"record_id": 335709,
"channel": "Microsoft-Windows-Sysmon/Operational",
"event_id": 21,
"provider_name": "Microsoft-Windows-Sysmon",
"task": "WmiEventConsumerToFilter activity detected (rule: WmiEvent)",
"computer_name": "DESKTOP-XXXXXX",
"opcode": "情報",
"user": {
"identifier": "S-1-5-18",
"name": "SYSTEM",
"domain": "NT AUTHORITY",
"type": "User"
},
"process": {
"thread": {
"id": 4636
},
"pid": 2800
}
},
"event": {
"module": "sysmon",
"code": 21,
"provider": "Microsoft-Windows-Sysmon",
"action": "WmiEventConsumerToFilter activity detected (rule: WmiEvent)",
"created": "2020-02-18T16:29:45.614Z",
"kind": "event"
},
"host": {
"hostname": "DESKTOP-XXXXXX",
"architecture": "x86_64",
"name": "DESKTOP-XXXXXX",
"os": {
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039",
"platform": "windows",
"version": "10.0",
"family": "windows",
"name": "Windows 10 Pro"
},
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
}
## Event ID 1: Process creation
The log of notepad.exe being executed by user action (as a child process of explorer.exe).
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "CPUiWXABhT969eT7dFuJ",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T16:29:53.231Z",
"ecs": {
"version": "1.4.0"
},
"host": {
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-XXXXXX",
"architecture": "x86_64",
"name": "DESKTOP-XXXXXX",
"os": {
"platform": "windows",
"version": "10.0",
"family": "windows",
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039"
}
},
"winlog": {
"version": 5,
"event_data": {
"OriginalFileName": "NOTEPAD.EXE",
"Description": "Notepad",
"LogonGuid": "{22052e76-de2a-5e4b-0000-002008770500}",
"TerminalSessionId": "1",
"Company": "Microsoft Corporation",
"Product": "Microsoft® Windows® Operating System",
"IntegrityLevel": "Medium",
"LogonId": "0x57708",
"FileVersion": "10.0.17763.475 (WinBuild.160101.0800)"
},
"event_id": 1,
"opcode": "情報",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"computer_name": "DESKTOP-XXXXXX",
"process": {
"pid": 2800,
"thread": {
"id": 696
}
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"record_id": 335749,
"api": "wineventlog",
"user": {
"identifier": "S-1-5-18",
"name": "SYSTEM",
"domain": "NT AUTHORITY",
"type": "User"
},
"provider_name": "Microsoft-Windows-Sysmon",
"task": "Process Create (rule: ProcessCreate)"
},
"process": {
"executable": "C:\\Windows\\System32\\notepad.exe",
"args": [
"C:\\WINDOWS\\system32\\notepad.exe"
],
"working_directory": "C:\\Users\\xxxxxx\\",
"parent": {
"entity_id": "{22052e76-de2e-5e4b-0000-00107ca30600}",
"pid": 4984,
"executable": "C:\\Windows\\explorer.exe",
"args": [
"C:\\WINDOWS\\Explorer.EXE"
],
"name": "explorer.exe"
},
"name": "notepad.exe",
"entity_id": "{22052e76-1101-5e4c-0000-001049ba8500}",
"pid": 4252
},
"user": {
"domain": "DESKTOP-XXXXXX",
"name": "xxxxxx"
},
"hash": {
"md5": "0e61079d3283687d2e279272966ae99d",
"sha256": "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77"
},
"log": {
"level": "情報"
},
"event": {
"type": "process_start",
"category": "process",
"action": "Process Create (rule: ProcessCreate)",
"created": "2020-02-18T16:29:54.176Z",
"kind": "event",
"code": 1,
"provider": "Microsoft-Windows-Sysmon",
"module": "sysmon"
},
"agent": {
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-XXXXXX",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0",
"type": "winlogbeat"
}
}
}
## Event ID 1: Process creation
The log of the nslookup.exe command being executed by wmiprvse.exe. wmiprvse.exe is recorded as the parent process of nslookup.exe (see _source.process).
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "DvUiWXABhT969eT7eFuN",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T16:29:54.147Z",
"winlog": {
"api": "wineventlog",
"process": {
"pid": 2800,
"thread": {
"id": 696
}
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"event_data": {
"Description": "nslookup",
"LogonGuid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"OriginalFileName": "nslookup.exe",
"IntegrityLevel": "System",
"Product": "Microsoft® Windows® Operating System",
"FileVersion": "10.0.17763.292 (WinBuild.160101.0800)",
"TerminalSessionId": "0",
"Company": "Microsoft Corporation",
"LogonId": "0x3e7"
},
"provider_name": "Microsoft-Windows-Sysmon",
"record_id": 335755,
"user": {
"type": "User",
"identifier": "S-1-5-18",
"name": "SYSTEM",
"domain": "NT AUTHORITY"
},
"task": "Process Create (rule: ProcessCreate)",
"computer_name": "DESKTOP-XXXXXX",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"version": 5,
"event_id": 1,
"opcode": "情報"
},
"process": {
"entity_id": "{22052e76-1102-5e4c-0000-001097cd8500}",
"pid": 7704,
"executable": "C:\\Windows\\System32\\nslookup.exe",
"args": [
"C:\\Windows\\System32\\nslookup.exe",
"www.example.com"
],
"working_directory": "C:\\WINDOWS\\system32\\",
"parent": {
"entity_id": "{22052e76-1102-5e4c-0000-0010d5c98500}",
"pid": 1680,
"executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"args": [
"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe",
"-Embedding"
],
"name": "WmiPrvSE.exe"
},
"name": "nslookup.exe"
},
"hash": {
"md5": "ad20d425c3012ee191535ad65e56debb",
"sha256": "54daf167f8dbe7fe0f23b37a600bd8d9d16b756d3b83f0804b5037cbbe895eb6"
},
"ecs": {
"version": "1.4.0"
},
"agent": {
"type": "winlogbeat",
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-XXXXXX",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"version": "7.6.0"
},
"event": {
"code": 1,
"provider": "Microsoft-Windows-Sysmon",
"action": "Process Create (rule: ProcessCreate)",
"created": "2020-02-18T16:29:55.213Z",
"module": "sysmon",
"category": "process",
"type": "process_start",
"kind": "event"
},
"host": {
"name": "DESKTOP-XXXXXX",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-XXXXXX",
"architecture": "x86_64",
"os": {
"platform": "windows",
"version": "10.0",
"family": "windows",
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039"
}
},
"log": {
"level": "情報"
},
"user": {
"domain": "NT AUTHORITY",
"name": "SYSTEM"
}
}
}
## Event ID 3: Network connection
The log of the network communication from the nslookup.exe command started by wmiprvse.exe.
{
"_index": "winlogbeat-7.6.0-2020.02.18-000001",
"_type": "_doc",
"_id": "GvUiWXABhT969eT7fluF",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-02-18T16:29:56.671Z",
"ecs": {
"version": "1.4.0"
},
"agent": {
"version": "7.6.0",
"type": "winlogbeat",
"ephemeral_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "DESKTOP-XXXXXX",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
"host": {
"hostname": "DESKTOP-XXXXXX",
"architecture": "x86_64",
"os": {
"family": "windows",
"name": "Windows 10 Pro",
"kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
"build": "17763.1039",
"platform": "windows",
"version": "10.0"
},
"id": "22052e76-721a-4007-86f6-6346e89d0c86",
"name": "DESKTOP-XXXXXX"
},
"log": {
"level": "情報"
},
"process": {
"entity_id": "{22052e76-1102-5e4c-0000-001097cd8500}",
"pid": 7704,
"executable": "C:\\Windows\\System32\\nslookup.exe",
"name": "nslookup.exe"
},
"network": {
"type": "ipv4",
"community_id": "1:MgrdNlzRK8poajFO8fErmFSGL6M=",
"transport": "udp",
"protocol": "domain",
"direction": "outbound"
},
"source": {
"ip": "192.168.0.134",
"domain": "DESKTOP-XXXXXX.localdomain",
"port": 58466
},
"user": {
"name": "SYSTEM",
"domain": "NT AUTHORITY"
},
"event": {
"kind": "event",
"code": 3,
"provider": "Microsoft-Windows-Sysmon",
"action": "Network connection detected (rule: NetworkConnect)",
"created": "2020-02-18T16:29:57.249Z",
"module": "sysmon"
},
"winlog": {
"provider_name": "Microsoft-Windows-Sysmon",
"opcode": "情報",
"process": {
"thread": {
"id": 3876
},
"pid": 2800
},
"computer_name": "DESKTOP-XXXXXX",
"version": 5,
"event_id": 3,
"api": "wineventlog",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"channel": "Microsoft-Windows-Sysmon/Operational",
"task": "Network connection detected (rule: NetworkConnect)",
"user": {
"type": "User",
"identifier": "S-1-5-18",
"name": "SYSTEM",
"domain": "NT AUTHORITY"
},
"record_id": 335764
},
"destination": {
"ip": "192.168.1.10",
"domain": "proxy.example.com",
"port": 53
}
}
}
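The records above are the three stages listed earlier, (1) subscription registered, (2) WmiPrvSE.exe starts the consumer command, (3) that process talks to the network, and two details of the Sysmon records make stitching them together fiddly: the Event ID 21 binding carries only the filter and consumer names, and the WMI string fields arrive with a leading space, surrounding quotes and escaped backslashes (compare `" \"hoge1\""` and the doubled backslashes in the Event ID 20 command line). The following is an added example (not code from the original article) that normalises those fields, resolves the binding back to the filter query and consumer command line, and then follows the command line into the Event ID 1 record spawned by WmiPrvSE.exe and the Event ID 3 records of that process via `process.entity_id`. The sample documents are constructed from the article's records with fields trimmed to what the code reads.

```python
# Added example, not code from the original article: rebuild the WMI event
# subscription from Sysmon Event IDs 19/20/21 (the binding in ID 21 carries
# only the filter and consumer names, so they are looked up in the 19 and 20
# records), then follow it into the Event ID 1 record in which WmiPrvSE.exe
# ran the consumer's command line and the Event ID 3 records of that process.
# Sample documents are constructed from the article's records (fields trimmed).
import ntpath
import re

SAMPLE_DOCS = [
    {"winlog": {"event_id": 19, "event_data": {
        "Name": ' "hoge1"',
        "Query": ' "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE '
                 "TargetInstance ISA 'Win32_Process' AND TargetInstance.Caption = 'notepad.exe'\""}}},
    {"winlog": {"event_id": 20, "event_data": {"Name": ' "hoge2"', "Type": "Command Line"}},
     # Sysmon doubles the backslashes inside the quoted consumer command line
     "process": {"executable": ' "C:\\\\Windows\\\\System32\\\\nslookup.exe www.example.com"'}},
    {"winlog": {"event_id": 21, "event_data": {
        "Consumer": ' "CommandLineEventConsumer.Name=\\"hoge2\\""',
        "Filter": ' "__EventFilter.Name=\\"hoge1\\""'}}},
    {"winlog": {"event_id": 1},
     "process": {"entity_id": "{22052e76-1102-5e4c-0000-001097cd8500}", "pid": 7704,
                 "args": ["C:\\Windows\\System32\\nslookup.exe", "www.example.com"],
                 "parent": {"executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}}},
    {"winlog": {"event_id": 3},
     "process": {"entity_id": "{22052e76-1102-5e4c-0000-001097cd8500}"},
     "network": {"transport": "udp"},
     "destination": {"ip": "192.168.1.10", "port": 53}},
]

REF_RE = re.compile(r'^(\w+)\.Name="(.*)"$')


def unquote_wmi(value):
    """Strip the leading space and surrounding quotes Sysmon puts around WMI
    string fields, then undo the backslash escaping inside them."""
    s = (value or "").strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reference(ref):
    """'__EventFilter.Name="hoge1"' -> ('__EventFilter', 'hoge1'); (None, None)
    when the reference has an unexpected shape."""
    m = REF_RE.match(unquote_wmi(ref))
    return (m.group(1), m.group(2)) if m else (None, None)


def _event_id(doc):
    return doc.get("winlog", {}).get("event_id")


def _executions(docs, command_line):
    """Event ID 1 records in which WmiPrvSE.exe spawned the consumer command
    line, each joined to its Event ID 3 records through process.entity_id."""
    if not command_line:
        return []
    runs = []
    for d in docs:
        p = d.get("process", {})
        parent = ntpath.basename(p.get("parent", {}).get("executable", "")).lower()
        if (_event_id(d) != 1 or parent != "wmiprvse.exe"
                or " ".join(p.get("args", [])).lower() != command_line.lower()):
            continue
        conns = [(x["network"]["transport"], x["destination"]["ip"], x["destination"]["port"])
                 for x in docs if _event_id(x) == 3
                 and x.get("process", {}).get("entity_id") == p.get("entity_id")]
        runs.append({"entity_id": p.get("entity_id"), "pid": p.get("pid"), "connections": conns})
    return runs


def reconstruct_subscriptions(docs):
    """One chain per Event ID 21 binding: filter query, consumer command line
    and any observed executions of that command line."""
    filters, consumers = {}, {}
    for d in docs:
        ed = d.get("winlog", {}).get("event_data", {})
        if _event_id(d) == 19:
            filters[unquote_wmi(ed.get("Name"))] = unquote_wmi(ed.get("Query"))
        elif _event_id(d) == 20:
            consumers[unquote_wmi(ed.get("Name"))] = {
                "type": ed.get("Type"),
                "command_line": unquote_wmi(d.get("process", {}).get("executable")),
            }
    chains = []
    for d in docs:
        if _event_id(d) != 21:
            continue
        ed = d["winlog"]["event_data"]
        _, fname = parse_reference(ed.get("Filter"))
        _, cname = parse_reference(ed.get("Consumer"))
        consumer = consumers.get(cname, {})
        chains.append({
            "filter": fname,
            "query": filters.get(fname),  # None if the ID 19 record was not collected
            "consumer": cname,
            "consumer_type": consumer.get("type"),
            "command_line": consumer.get("command_line"),
            "executions": _executions(docs, consumer.get("command_line")),
        })
    return chains


if __name__ == "__main__":
    for chain in reconstruct_subscriptions(SAMPLE_DOCS):
        print(chain)
```

For the article's records this yields one chain: filter hoge1 with its `__InstanceCreationEvent` query on `Win32_Process`, consumer hoge2 of type Command Line running `C:\Windows\System32\nslookup.exe www.example.com`, and one execution (PID 7704) with a UDP connection to 192.168.1.10:53. A `query` or `command_line` of `None` in the output means the corresponding ID 19 or ID 20 record is missing from the collected data, which is exactly the case where the `Get-WMIObject -Namespace root\Subscription` commands further below are needed to recover the definitions from the live repository.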
# Example commands to list the registered event subscriptions
```powershell
# Event filters
PS C:\> Get-WMIObject -Namespace root\Subscription -Class __EventFilter
# Event consumers
PS C:\> Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
# Binding information
PS C:\> Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
```
# Summary
To help us protect ourselves from attackers, I picked several well-known examples of event logs recorded by Sysmon, from a WMI-related angle, to show what can be referenced in them.
In this example WMI was invoked from PowerShell, but it would also be worthwhile to verify what logs are collected when it is invoked via VBS, the wmic.exe command, mofcomp.exe and so on.
# Appendix: Enumerating event subscriptions from the WMI repository file
With the WMI_Forensics tool, WMI event subscription information can be extracted directly from the WMI repository file.
On a Windows 10 PC the WMI repository file is located at:
```
C:\Windows\System32\wbem\Repository\OBJECTS.DATA
```
Here, this OBJECTS.DATA file was copied to a Linux host used for investigation before running the tool.
```shell
root@xxx:~/git# git clone https://github.com/davidpany/WMI_Forensics.git
root@xxx:~/git# cd WMI_Forensics/
root@xxx:~/git/WMI_Forensics# python ./PyWMIPersistenceFinder.py ~/wbem/Repository/OBJECTS.DATA
```