Getting Data In

What Windows Event Codes track WMI activity

wbfoxii
Communicator

We are wondering if there is any Windows Event that captures execution of WMI from a remote host. Since you can remotely execute commands over WMI, we are assuming that Windows will log that if the proper audit setting is created. Anyone have the Event Codes that provide WMI activity logs?

We'd also like to know what events show other activity (like PtH, Golden Ticket, Silver Ticket).

Are there any Splunk add-ons we can deploy to display this event data?


rbecwar_splunk
Splunk Employee

There are two (2) options for enabling WMI Tracing on endpoints:

  • Via the command line: wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true
  • Via the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-WMI-Activity/Trace DWORD = Enabled (0 or 1)

Once enabled, WMI trace events will be recorded within the Event Log file “%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Trace.etl”.

To ingest them in Splunk
You will need to run a PowerShell script on the endpoint, since these logs are not in the standard Windows format and are in a debug format. The PowerShell script will import the events into the Windows Application log. I've used the following links for guidance:

Also, the PowerShell script FireEye published doesn't seem to work so well; it only captures what appears to be the first line of the event. I forked the code and rewrote a little bit of the script to capture the entire message.


afamoyib
Path Finder

The closest thing I came to this was utilizing the Splunk TA for Windows and monitoring the event log, checking for Windows errors 4825 or 6273. They had to do with remote access denial and network policy denial.


wbfoxii
Communicator

We do have these events in our logs. 6273 is all related to EAP failures.

4825 is interesting - failed attempts for RDP. Does WMI fall under that?


Richfez
SplunkTrust

There are definitely events that will show up in Windows Event logs that are occasionally WMI related, but they're very difficult to consistently identify.

As just shown, sometimes some event ID will be WMI related, other times not. The reasoning is this: those event codes show events that are happening in Windows; let's say it's a failed login. Of course some failed logins are a user sitting at the keyboard. Others are network access attempts that fail. Yet more may be WMI trying to "do something". These events ARE important, and in some cases or environments they may be triggered entirely or nearly entirely by WMI. But they're not necessarily logging execution of WMI; they're just other events that happened to potentially be triggered by something you want to watch.

The reason I mention this is that while those are very useful, you will be missing a lot of information if they're all you are collecting. Enabling WMI tracing (well, now it's enabling the WMI-Activity event log) and then collecting that gives you items like 5857, which has stuff like

Win32_WIN32_TERMINALSERVICE_Prov provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 984; ProviderPath = %SystemRoot%\system32\tscfgwmi.dll

(along with all the regular windows eventcode information)

That's the difference. That's the thing WMI is doing. It may still trigger other events in other event logs (security, especially) as a result of those, but usually if you are trying to see what WMI does, this is how to do it.

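The 5857 message quoted above, like the other Microsoft-Windows-WMI-Activity events, is a flat "Name = Value; Name = Value" string, so the fields the original question cares about (who called, from which machine, which operation) have to be pulled out of the message text. The script below is an added example, not code from this thread or from Splunk: it parses that layout and flags the cases a responder would want to see, namely a ClientMachine other than the local host (remote WMI), an ExecMethod on Win32_Process::Create (command execution over WMI), and event 5861 (a permanent event consumer binding, the usual WMI persistence). The three sample messages are constructed for the example; the host names, user, GUID and consumer names in them are made up, and the 5857 text is the one quoted in the post above.

```powershell
# Added example (not from the thread or from Splunk): parse the
# "Name = Value; Name = Value" body of Microsoft-Windows-WMI-Activity events
# and flag remote calls, process creation and permanent event subscriptions.

function ConvertFrom-WmiActivityMessage {
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    $body = $Message
    # 5857 messages open with a sentence ("<Provider> provider started with
    # result code 0x0.") before the first pair; keep it as Summary.
    if ($body -match '(?s)^(?<summary>[^=;]*?\.)\s+(?<rest>\w+\s*=.*)$') {
        $fields['Summary'] = $Matches.summary
        $body = $Matches.rest
    }
    # A key is only recognised at the start of the body or right after a ';',
    # so an '=' inside a WQL value (WHERE Name = 'x') does not start a field.
    foreach ($m in [regex]::Matches($body, '(?:^|;\s*)(\w+)\s*=\s*([^;]*)')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value.Trim()
    }
    return $fields
}

function Test-WmiActivityEvent {
    param(
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$Message,
        [string]$LocalHost = $env:COMPUTERNAME   # host that wrote the event
    )
    $f = ConvertFrom-WmiActivityMessage -Message $Message
    $reasons = @()
    # ClientMachine is the caller; anything but the local host is remote WMI.
    if ($f.ClientMachine -and $f.ClientMachine -ne $LocalHost) {
        $reasons += "remote WMI call from $($f.ClientMachine) as $($f.User)"
    }
    # ExecMethod on Win32_Process::Create is "run a command over WMI".
    if ($f.Operation -and $f.Operation -match 'Win32_Process::Create') {
        $reasons += "process creation via WMI: $($f.Operation)"
    }
    # 5861 = a permanent event consumer was bound (WMI persistence).
    if ($EventId -eq 5861) {
        $reasons += "permanent WMI event subscription: $($f.Consumer)"
    }
    [pscustomobject]@{
        EventId    = $EventId
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
        Fields     = $f
    }
}

# Constructed sample messages (names, user and GUID are made up).
$samples = @(
    @{ Id = 5857; Message = 'Win32_WIN32_TERMINALSERVICE_Prov provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 984; ProviderPath = %SystemRoot%\system32\tscfgwmi.dll' },
    @{ Id = 5858; Message = 'Id = {2B0C9E7A-0000-0000-0000-000000000001}; ClientMachine = WKSTN-ATTACKER; User = CORP\jdoe; ClientProcessId = 4120; Component = Unknown; Operation = Start IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create; ResultCode = 0x80041032; PossibleCause = Unknown' },
    @{ Id = 5861; Message = "Namespace = //./root/subscription; Eventfilter = EvilFilter (refer to its activate eventid:5859); Consumer = CommandLineEventConsumer=`"EvilConsumer`"; PossibleCause = Binding EventFilter:`ninstance of __EventFilter { Name = `"EvilFilter`"; Query = `"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'`" }" }
)

# The 5857 sample is benign (no ClientMachine); 5858 and 5861 are flagged.
$samples | ForEach-Object {
    Test-WmiActivityEvent -EventId $_.Id -Message $_.Message -LocalHost 'FILESRV01'
} | Select-Object EventId, Suspicious, Reasons | Format-List

# Against a live host, feed the Operational channel through the same check:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5857,5858,5860,5861 } |
#     ForEach-Object { Test-WmiActivityEvent -EventId $_.Id -Message $_.Message }
```

Parsing is done with the message text rather than the rendered XML so the same function works on events relayed into the Application log by a script, as described earlier in the thread. ClientMachine is what answers the original question about remote execution: the Security log's 4624/4625 only tells you a network logon happened, while this field names the WMI caller.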

Richfez
SplunkTrust

WMI events need to be separately enabled.

The manual way - for your initial testing - can be found at this MSDN link for enabling Tracing WMI Activity.

I'm sure there are Group Policy settings you can enable to do this company-wide, or script out wevtutil ( Wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true ) to do this, but test for chattiness!

Once you've done that, you can create an inputs.conf stanza for a Windows Event Log Monitor input for the event log

Microsoft-Windows-WMI-Activity/Trace

and that will have your information.
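The two steps described in this post and in rbecwar_splunk's answer above (enable the Trace channel, then point a Splunk input at WMI-Activity) can be scripted for testing before rolling anything out by Group Policy. The script below is an added example, not code from this thread or from Splunk. It makes the same registry change as the wevtutil command through the EventLogConfiguration object, re-reads the channel so you can confirm IsEnabled, reads a few events back (analytic channels such as Trace are ETL-backed and can only be read oldest-first), and writes an inputs.conf for the Operational channel, which is a standard channel the universal forwarder reads directly and which carries the 5857-5861 events mentioned in this thread. Assumptions: the forwarder install path and app name are made up for the example, and the 64 MB size cap is an arbitrary test value. Run it in an elevated session.

```powershell
# Added example (not from the thread or from Splunk): enable the WMI-Activity
# trace channel, verify it, read it back, and write the forwarder input.
# Run elevated.

$TraceLog       = 'Microsoft-Windows-WMI-Activity/Trace'
$OperationalLog = 'Microsoft-Windows-WMI-Activity/Operational'

function Enable-WmiActivityTrace {
    param(
        [string]$LogName = $TraceLog,
        [long]$MaximumSizeInBytes = 64MB   # assumed test value, not a default
    )
    $cfg = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    if (-not $cfg.IsEnabled) {
        $cfg.IsEnabled = $true
        $cfg.MaximumSizeInBytes = $MaximumSizeInBytes
        # Same change as: wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true
        $cfg.SaveChanges()
    }
    # Re-read so the caller sees the committed state, not the cached object.
    Get-WinEvent -ListLog $LogName |
        Select-Object LogName, IsEnabled, LogType, MaximumSizeInBytes, RecordCount
}

function Get-WmiActivityTrace {
    param([int]$MaxEvents = 20)
    # Analytic/debug channels must be read with -Oldest; without it
    # Get-WinEvent refuses the query.
    Get-WinEvent -LogName $TraceLog -Oldest -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function New-WmiActivityInputsConf {
    param(
        # Assumed path: default 64-bit UF install, app name chosen for the example.
        [string]$Path = "$env:ProgramFiles\SplunkUniversalForwarder\etc\apps\wmi_activity\local\inputs.conf"
    )
    $stanza = @"
# WMI-Activity Operational channel: a standard event log channel carrying
# 5857-5861, read directly by the universal forwarder.
[WinEventLog://$OperationalLog]
disabled = 0
start_from = oldest
current_only = 0
renderXml = false
"@
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    Set-Content -Path $Path -Value $stanza -Encoding ASCII
    return $Path
}

Enable-WmiActivityTrace
Get-WmiActivityTrace -MaxEvents 5
New-WmiActivityInputsConf
```

After writing the stanza, restart the forwarder and watch event volume from the Operational channel for a day before adding the Trace channel anywhere; the Trace channel is the one that gets chatty, and as rbecwar_splunk notes above it is not in the standard event log format that the WinEventLog input expects, so relaying it needs the script approach described in that answer.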

wbfoxii
Communicator

Thanks - I expected that we might have to enable some auditing to get this. Googling didn't turn up much useful information.

We'll check the links and get cracking.
