From c63bcfef953e2b8bf1b20ad4259592c0ccc14793 Mon Sep 17 00:00:00 2001
From: Lee Christensen
Date: Tue, 6 Feb 2018 16:25:39 -0500
Subject: [PATCH 1/2] Add Microsoft-Windows-WMI-Activity ingestion
---
 .../winevent-wmiactivity-template.json | 38 +++
 .../15-winevent-wmiactivity-filter.conf | 235 ++++++++++++++++++
 logstash/pipeline/55-wmiactivity-output.conf | 17 ++
 winlogbeat/winlogbeat.yml | 2 +
 4 files changed, 292 insertions(+)
 create mode 100644 logstash/output_templates/winevent-wmiactivity-template.json
 create mode 100644 logstash/pipeline/15-winevent-wmiactivity-filter.conf
 create mode 100644 logstash/pipeline/55-wmiactivity-output.conf
diff --git a/logstash/output_templates/winevent-wmiactivity-template.json b/logstash/output_templates/winevent-wmiactivity-template.json
new file mode 100644
index 0000000..7cba5bd
--- /dev/null
+++ b/logstash/output_templates/winevent-wmiactivity-template.json
@@ -0,0 +1,38 @@
+{
+ "template" : "winevent-wmiactivity-*",
+ "settings" : {
+ "index.refresh_interval": "5s"
+ },
+ "mappings":{
+ "doc":{
+ "dynamic_templates": [{
+ "strings":{
+ "match_mapping_type": "string",
+ "mapping": {
+ "type": "text",
+ "norms": false,
+ "fields": {
+ "raw": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
+ }
+ }
+ }],
+ "properties":{
+ "@timestamp":{"type":"date"},
+ "process":{
+ "properties":{
+ "id":{"type":"integer"},
+ "target":{
+ "properties":{
+ "id":{"type":"integer"}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/logstash/pipeline/15-winevent-wmiactivity-filter.conf b/logstash/pipeline/15-winevent-wmiactivity-filter.conf
new file mode 100644
index 0000000..7fdf10b
--- /dev/null
+++ b/logstash/pipeline/15-winevent-wmiactivity-filter.conf
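Review bot: The dynamic string template caps the `raw` keyword sub-field at `"ignore_above": 256`, and no explicit mapping is declared for the `wmi.*` fields the accompanying filter produces, so long values such as the `[wmi][consumer]` binding text in the filter's 5861 sample (well over 256 characters) will be indexed as analyzed text only, with no `wmi.consumer.raw` term available for exact match or aggregation. Since the consumer binding, query and operation strings are exactly what an analyst groups by when reviewing WMI subscription activity, consider an explicit keyword mapping with a larger limit for them, e.g. `"wmi":{"properties":{"consumer":{"type":"keyword","ignore_above":8192}}}`. `process.target.id` is mapped here, but nothing in this patch's filter writes a `[process][target][id]` field, so either the filter should populate it or the mapping is dead weight.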
@@ -0,0 +1,235 @@
+# HELK winevent-wmiactivity filter conf file
+# HELK build version: 0.9 (BETA)
+# HELK ELK version: 6.x
+# Author: Lee Christensen (@tifkin_)
+# License: BSD 3-Clause
+
+filter {
+ if [log_name] == "Microsoft-Windows-WMI-Activity/Operational"{
+
+ # wevtutil gp "Microsoft-Windows-WMI-Activity" /ge:true /gm:true /f:XML
+
+ if [event_id] == 5857 {
+ #
+ #
+ #
+ # 5857
+ # 0
+ # 0
+ # 0
+ # 0
+ # 0x4000000000000000
+ #
+ # 4154
+ #
+ #
+ # Microsoft-Windows-WMI-Activity/Operational
+ # HELK-win
+ #
+ #
+ #
+ #
+ # VolumeChangeEvents
+ # 0x0
+ # wmiprvse.exe
+ # 4964
+ # %systemroot%\system32\wbem\wmipcima.dll
+ #
+ #
+ #
+
+ mutate {
+ rename => {
+ "[user_data][ProviderName]" => "[wmi][provider]"
+ "[user_data][Code]" => "[wmi][resultcode]"
+ "[user_data][HostProcess]" => "[process][name]"
+ "[user_data][ProcessID]" => "[process][id]"
+ "[user_data][ProviderPath]" => "[wmi][providerpath]"
+ "[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_StartedOperational"
+ }
+ }
+ }
+
+ if [event_id] == 5858 {
+ #
+ #
+ #
+ # 5858
+ # 0
+ # 2
+ # 0
+ # 0
+ # 0x4000000000000000
+ #
+ # 4157
+ #
+ #
+ # Microsoft-Windows-WMI-Activity/Operational
+ # HELK-win
+ #
+ #
+ #
+ #
+ # {00000000-0000-0000-0000-000000000000}
+ # HELK-WIN
+ # NT AUTHORITY\SYSTEM
+ # 3144
+ # Unknown
+ # Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory
+ # 0x80041032
+ # Throttling Idle Tasks, refer to CIMOM regkey: ArbTaskMaxIdle
+ #
+ #
+ #
+
+ mutate {
+ rename => {
+ "[user_data][Id]" => "[wmi][id]"
+ "[user_data][ClientMachine]" => "[wmi][clientmachine]"
+ "[user_data][User]" => "[user][name]"
+ "[user_data][ClientProcessId]" => "[process][id]"
+ "[user_data][Component]" => "[wmi][component]"
+ "[user_data][Operation]" => "[wmi][operation]"
+ "[user_data][ResultCode]" => "[wmi][resultcode]"
+ "[user_data][PossibleCause]" => "[wmi][possiblecause]"
+ "[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_ClientFailure"
+ }
+ }
+ }
+
+ if [event_id] == 5859 {
+ #
+ #
+ #
+ # 5859
+ # 0
+ # 0
+ # 0
+ # 0
+ # 0x4000000000000000
+ #
+ # 4131
+ #
+ #
+ # Microsoft-Windows-WMI-Activity/Operational
+ # HELK-win
+ #
+ #
+ #
+ #
+ # //./root/CIMV2
+ # select * from MSFT_SCMEventLogEvent
+ # S-1-5-32-544
+ # 2616
+ # SCM Event Provider
+ # 0
+ # Permanent
+ #
+ #
+ #
+
+ mutate {
+ rename => {
+ "[user_data][NamespaceName]" => "[wmi][namespace]"
+ "[user_data][Query]" => "[wmi][query]"
+ "[user_data][User]" => "[user][name]"
+ "[user_data][Processid]" => "[process][id]"
+ "[user_data][Provider]" => "[wmi][provider]"
+ "[user_data][queryid]" => "[wmi][queryid]"
+ "[user_data][PossibleCause]" => "[wmi][possiblecause]"
+ "[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_EssStarted"
+ }
+ }
+ }
+
+ if [event_id] == 5860 {
+ #
+ #
+ #
+ # 5860
+ # 0
+ # 0
+ # 0
+ # 0
+ # 0x4000000000000000
+ #
+ # 4155
+ #
+ #
+ # Microsoft-Windows-WMI-Activity/Operational
+ # HELK-win
+ #
+ #
+ #
+ #
+ # root\cimv2
+ # SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2
+ # HELK-win\lee
+ # 8120
+ # HELK-WIN
+ # Temporary
+ #
+ #
+ #
+
+ mutate {
+ rename => {
+ "[user_data][NamespaceName]" => "[wmi][namespace]"
+ "[user_data][Query]" => "[wmi][query]"
+ "[user_data][User]" => "[user][name]"
+ "[user_data][Processid]" => "[process][id]"
+ "[user_data][ClientMachine]" => "[wmi][clientmachine]"
+ "[user_data][PossibleCause]" => "[wmi][possiblecause]"
+ "[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_TemporaryEssStarted"
+ }
+ }
+ }
+
+ if [event_id] == 5861 {
+ #
+ #
+ #
+ # 5861
+ # 0
+ # 0
+ # 0
+ # 0
+ # 0x4000000000000000
+ #
+ # 4156
+ #
+ #
+ # Microsoft-Windows-WMI-Activity/Operational
+ # HELK-win
+ #
+ #
+ #
+ #
+ # //./root/subscription
+ # HumanInterfaceDevice
+ # NTEventLogEventConsumer="HIDConnectionEvent"
+ # Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 159, 178, 61, 51, 160, 20, 53, 244, 9, 6, 127, 21, 244, 1, 0, 0}; EventNamespace = "root/cimv2"; Name = "HumanInterfaceDevice"; Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA \"Win32_PointingDevice\" OR TargetInstance ISA \"Win32_KeyBoard\""; QueryLanguage = "WQL"; }; Perm. Consumer: instance of NTEventLogEventConsumer { Category = 0; CreatorSID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 159, 178, 61, 51, 160, 20, 53, 244, 9, 6, 127, 21, 244, 1, 0, 0}; EventID = 8; EventType = 2; InsertionStringTemplates = {"HID Device Connected", "Name: %TargetInstance.Name%", "Description: %TargetInstance.Description%", "Type: %TargetInstance.CreationClassName%", "PNPDeviceID: %TargetInstance.PNPDeviceID%"}; Name = "HIDConnectionEvent"; NumberOfInsertionStrings = 5; SourceName = "WSH"; };
+ #
+ #
+ #
+
+ mutate {
+ rename => {
+ "[user_data][Namespace]" => "[wmi][namespace]"
+ "[user_data][ESS]" => "[wmi][eventsubsystem]"
+ "[user_data][CONSUMER]" => "[wmi][consumer]"
+ "[user_data][PossibleCause]" => "[wmi][possiblecause]"
+ "[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_ESStoConsumerBinding"
+ }
+ }
+ }
+
+ # Common to all events
+ mutate {
+ convert => {
+ "[process][id]" => "integer"
+ }
+ }
+ }
+}
+
diff --git a/logstash/pipeline/55-wmiactivity-output.conf b/logstash/pipeline/55-wmiactivity-output.conf
new file mode 100644
index 0000000..9212bcf
--- /dev/null
+++ b/logstash/pipeline/55-wmiactivity-output.conf
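Review bot: Every event type's process id is renamed onto the same `[process][id]` field, but in the 5857 block `[user_data][ProcessID]` sits next to `HostProcess` (`wmiprvse.exe` in the sample), so it appears to identify the provider host rather than the WMI client that the 5858/5859/5860 `ClientProcessId`/`Processid` values name; a PID search across the index would then mix the two roles. Renaming the 5857 value onto the `[process][target][id]` field the accompanying template already declares, `"[user_data][ProcessID]" => "[process][target][id]"`, would keep the roles distinct, and the common `convert` block at the end would then need `"[process][target][id]" => "integer"` too. Separately, `[user_data][User]` is renamed to `[user][name]` for 5858, 5859 and 5860, while the 5859 sample shows a SID (`S-1-5-32-544`) in that position and the 5858/5860 samples show account names, so the field will carry mixed identifier forms; a comment on the 5859 rename such as `# 5859 reports the subscriber as a SID, not an account name` would save the next reader a surprise.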
@@ -0,0 +1,17 @@
+# HELK winevent-security output conf file
+# HELK build version: 0.9 (BETA)
+# HELK ELK version: 6.x
+# Author: Lee Christensen (@tifkin_)
+# License: BSD 3-Clause
+
+output {
+ if [log_name] == "Microsoft-Windows-WMI-Activity/Operational"{
+ elasticsearch {
+ hosts => ["127.0.0.1:9200"]
+ index => "winevent-wmiactivity-%{+YYYY.MM.dd}"
+ template => "/opt/helk/output_templates/winevent-wmiactivity-template.json"
+ template_name => "winevent-wmiactivity"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/winlogbeat/winlogbeat.yml b/winlogbeat/winlogbeat.yml
index de73ce4..f4d4c09 100644
--- a/winlogbeat/winlogbeat.yml
+++ b/winlogbeat/winlogbeat.yml
@@ -25,6 +25,8 @@ winlogbeat.event_logs:
 - name: Microsoft-windows-sysmon/operational
 - name: Microsoft-windows-PowerShell/Operational
 event_id: 4103, 4104
+ - name: Microsoft-Windows-WMI-Activity/Operational
+ event_id: 5857,5858,5859,5860,5861
 #==================== Elasticsearch template setting ==========================
From 384b2d3f1ebe254908be59e6bc8422298aabadef Mon Sep 17 00:00:00 2001
From: Lee Christensen
Date: Wed, 7 Feb 2018 20:36:57 -0500
Subject: [PATCH 2/2] Added wmiactivity
---
 scripts/helk_kibana_setup.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/helk_kibana_setup.sh b/scripts/helk_kibana_setup.sh
index 48c98fc..f81cc34 100755
--- a/scripts/helk_kibana_setup.sh
+++ b/scripts/helk_kibana_setup.sh
@@ -20,7 +20,7 @@ DEFAULT_INDEX="sysmon-*"
 DIR=/opt/helk/dashboards
 # *********** Setting Index Pattern Array ***************
-declare -a index_patterns=("*" "sysmon-*" "winevent-security-*" "winevent-system-*" "winevent-application-*" "powershell-*")
+declare -a index_patterns=("*" "sysmon-*" "winevent-security-*" "winevent-system-*" "winevent-application-*" "winevent-wmiactivity-*" "powershell-*")
 # *********** Waiting for Kibana to be available ***************
 until curl -s localhost:5601 -o /dev/null; do
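Review bot: The header comment on the first line of the new output file still reads `# HELK winevent-security output conf file`, evidently carried over from the security output it was copied from, and misstates which index this block feeds. It should read `# HELK winevent-wmiactivity output conf file` to match the `winevent-wmiactivity-%{+YYYY.MM.dd}` index and template name declared below it.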
@@ -46,4 +46,4 @@ do
 curl -XPOST "$KIBANA/api/kibana/dashboards/import" -H 'kbn-xsrf:true' \
 -H 'Content-type:application/json' -d @${file} || exit 1
 echo
-done
\ No newline at end of file
+done