Pawel15, posted April 4:
Suspicious alerts started popping up on some computers. There can be several such notifications on one computer. Has anyone had a similar problem? Here's what type of alerts they are: most look the same. I will be grateful for information!
itman, posted April 4 (edited):
Appears ESET is detecting that something is creating a permanent WMI event; most likely a consumer event. Such events can be used to perform all kinds of nasty stuff, as noted in this article: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/ . Refer to this article: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 which instructs on how to use the SysInternals Sysmon and Autoruns utilities to determine if any consumer events exist on the device. If they exist and were not intentionally created by the sys admin, etc., this would be indicative of possible malicious intent. Also, Autoruns is not 100% reliable in determining if persistent WMI events have been created.
Edited April 4 by itman
JamesR (ESET Staff), posted April 4:
In ESET Inspect the WMI Persistence events are made up of multiple parts. These parts are "Query", "Invoke", and "Set by user". From your screenshot, I can see that whenever a query of "select * from __namespacecreationevent" matches, the action "" will be invoked, and that this was set by a user with no name. The important part is that the item to be invoked is nothing. This means nothing happens when the query criteria are seen on the system. In short, this Inspect detection by itself is not malicious. I would recommend looking for other detections on the same computers which would add to the story of what happened. If you see nothing of interest, then this is a false positive which should be excluded.

If you decide there is no malicious activity related to this and want to exclude it from triggering again, you can use the following as a template for creating the exclusion:

    <definition>
      <operations>
        <operation type="WmiPersistence">
          <operator type="and">
            <condition component="WmiPersistenceInfo" property="Query" condition="is" value="select * from __namespacecreationevent" />
            <condition component="WmiPersistenceInfo" property="Handler" condition="isempty"/>
            <condition component="WmiPersistenceInfo" property="TriggeringUserName" condition="isempty"/>
            <!-- if the above does not work, try changing both "isempty" to "isnotset" -->
          </operator>
        </operation>
      </operations>
    </definition>
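To check the three parts of such a detection (query, what is invoked, who set it) against what is actually registered on the host, the following is an added PowerShell example, not code from this thread or from ESET. It enumerates the permanent WMI subscriptions in root\subscription and reports each filter's query, the resolved consumer(s) bound to it, and the creator account; a filter with no bound consumer corresponds to the empty "Invoke" described above. It assumes Windows PowerShell 5.1 or PowerShell 7 running with administrator rights.

```powershell
# Added example (not from the thread): list permanent WMI event subscriptions and
# show, per filter, its query, who created it and what is bound to fire.
$ns = 'root\subscription'

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Index consumers by name. The concrete class (CommandLineEventConsumer,
# ActiveScriptEventConsumer, ...) says what would run when a bound filter fires.
$consumerByName = @{}
foreach ($c in $consumers) { $consumerByName[$c.Name] = $c }

# Map filter name -> names of consumers bound to it.
$boundTo = @{}
foreach ($b in $bindings) {
    $fName = $b.Filter.Name
    if (-not $boundTo.ContainsKey($fName)) { $boundTo[$fName] = @() }
    $boundTo[$fName] += $b.Consumer.Name
}

function Get-CreatorName([byte[]]$sidBytes) {
    # CreatorSID is stored as a raw byte array; resolve it to an account if possible.
    if (-not $sidBytes) { return '' }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $sid.Value }
}

function Get-ConsumerSummary($c) {
    # Return the executable part of the consumer, which is what a reviewer wants to see.
    switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { return "CommandLine: $($c.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { return "Script($($c.ScriptingEngine)): $($c.ScriptText)" }
        default                     { return "$($c.CimClass.CimClassName): $($c.Name)" }
    }
}

foreach ($f in $filters) {
    $targets  = if ($boundTo.ContainsKey($f.Name)) { $boundTo[$f.Name] } else { @() }
    $handlers = foreach ($t in $targets) {
        if ($consumerByName.ContainsKey($t)) { Get-ConsumerSummary $consumerByName[$t] }
        else { "missing consumer '$t'" }
    }
    # A filter bound to nothing shows Invoke = NONE, matching the empty handler above.
    $invoke = if ($handlers) { $handlers -join '; ' } else { 'NONE' }
    [pscustomobject]@{ Filter = $f.Name; Query = $f.Query; SetBy = (Get-CreatorName $f.CreatorSID); Invoke = $invoke }
}
```

Filters whose Invoke column is anything other than NONE, and whose SetBy account or query you do not recognise, are the ones worth correlating with Sysmon event IDs 19 to 21 before deciding on an exclusion.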
thae, posted April 5:
I've got somewhat the same on one client today. I don't see anything suspicious in the raw events before or after that time.
Pawel15 (author), posted April 5:
Hi, I don't know if it matters, but on that day the Inspect version was upgraded to the latest available version and the antivirus was also updated.