We are wondering if there is any Windows Event that captures execution of WMI from a remote host. Since you can remotely execute commands over WMI, we are assuming that Windows will log that if the proper audit setting is created. Anyone have the Event Codes that provide WMI activity logs?
We'd also like to know what events show other activity (like PtH, Golden Ticket, Silver Ticket)?
Are there any Splunk add-ons we can deploy to display this event data?
There are two (2) options for enabling WMI Tracing on endpoints:
Once enabled, WMI trace events will be recorded within the Event Log file “%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Trace.etl”.
To ingest them in Splunk
You will need to run a PowerShell script on the endpoint since these logs are not in the standard Windows format and are in a debug format. The PowerShell script will import the events into the Windows Application log. I've used the following links for guidance:
Also, the PowerShell script FireEye published doesn't seem to work so well: it only captures what appears to be the first line of the event. I forked the code and rewrote a little bit of the script to capture the entire message.
Closest thing I came to this was utilizing the Splunk TA for Windows and monitoring the event log, checking for these Windows errors, 4825 or 6273. They had to do with remote access denial and network policy denial.
There are definitely events that will show up in Windows Event logs that are occasionally WMI related, but they're very difficult to consistently identify.
As just shown, sometimes some event ID will be WMI related, other times not. The reasoning is this: those event codes show events that are happening in Windows, let's say it's a failed login. Of course some failed logins are a user sitting at the keyboard. Others are network access attempts that fail. Yet more may be WMI trying to "do something". These events ARE important, and in some cases or environments they may be triggered entirely or nearly entirely by WMI. But they're not necessarily logging execution of WMI, they're just other events that happened to potentially be triggered by something you want to watch.
The reason I mention this is that while those are very useful, you will be missing a lot of information if they're all you are collecting. Enabling WMI tracing (well, now it's enabling the WMI-Activity event log) and then collecting that gives you items like 5857, which has stuff like
Win32_WIN32_TERMINALSERVICE_Prov provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 984; ProviderPath = %SystemRoot%\system32\tscfgwmi.dll
(along with all the regular windows eventcode information)
That's the difference. That's the thing WMI is doing. It may still trigger other events in other event logs (security, especially) as a result of those, but usually if you are trying to see what WMI does, this is how to do it.
WMI events need to be separately enabled.
The manual way - for your initial testing - can be found at this MSDN link for enabling Tracing WMI Activity.
I'm sure there are Group Policy settings you can enable to do this company wide, or script out wevtutil (Wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true) to do this, but test for chattiness!
and that will have your information.
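As an added example (not code from any of the posters above), here is how the 5857 "provider started" message quoted earlier can be pulled and broken into searchable fields before it goes to Splunk. It assumes an administrative PowerShell session on Windows 8 / Server 2012 or later, where the WMI-Activity events land in the standard-format Microsoft-Windows-WMI-Activity/Operational channel (so no trace .etl conversion is needed); the field regex is written against the message layout shown in the thread and is an assumption about other 5857 messages.

```powershell
# Added example, not from the thread. Assumes an elevated session and that
# event 5857 messages follow the "<Provider> provider started with result code
# <hex>. HostProcess = ...; ProcessID = ...; ProviderPath = ..." layout quoted above.

# Make sure the analytic/operational WMI-Activity channel is on (wevtutil as in
# the thread; the Operational channel is already enabled by default on most hosts).
wevtutil.exe sl Microsoft-Windows-WMI-Activity/Operational /e:true

# Pull the last 24 hours of provider-start events (ID 5857).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
    Id        = 5857
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# Regex for the message layout shown in the thread (assumption for other messages).
$pattern = '^(?<Provider>\S+) provider started with result code (?<Result>0x[0-9A-Fa-f]+)\.\s*' +
           'HostProcess = (?<HostProcess>[^;]+); ProcessID = (?<ProcessId>\d+); ProviderPath = (?<ProviderPath>.+?)\s*$'

# Turn each free-text message into an object with named fields.
$parsed = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            Provider     = $Matches.Provider
            ResultCode   = $Matches.Result
            HostProcess  = $Matches.HostProcess.Trim()
            ProcessId    = [int]$Matches.ProcessId
            ProviderPath = $Matches.ProviderPath
        }
    }
}

# Baseline view: which providers/DLLs are being started, and how often.
# A provider or ProviderPath you have never seen before is the first thing to review;
# a non-zero ResultCode is the second.
$parsed |
    Group-Object Provider, ProviderPath |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Export the parsed rows so a Splunk forwarder can ingest them as structured data.
$parsed | Export-Csv -Path "$env:TEMP\wmi-activity-5857.csv" -NoTypeInformation
```

Run it on a quiet test host first to judge volume before rolling the channel settings out by Group Policy, as the thread advises.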