Suspicion of notification from computers


Suspicious alerts started popping up on some computers. There can be several such notifications on one computer. Has anyone had a similar problem? Here's what type of alerts they are:

[screenshot of the alerts]

Most look the same. I would be grateful for any information!


It appears ESET is detecting that something is creating a permanent WMI event, most likely a consumer event. Such events can be used to perform all kinds of nasty stuff, as noted in this article: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/

Refer to this article: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 which instructs on how to use the SysInternals Sysmon and Autoruns utilities to determine if any consumer events exist on the device. If they exist and were not intentionally created by the sys admin, etc., this would be indicative of possible malicious intent. Also, Autoruns is not 100% reliable in determining if persistent WMI events have been created.

Edited by itman

  • ESET Staff

In ESET Inspect the WMI Persistence events are made up of multiple parts. These parts are "Query", "Invoke", and "Set by user".

From your screenshot, I can see that whenever a query of "select * from __namespacecreationevent" is seen, the action of "" will be invoked, and that this was set by a user with no name.

The important part is that the item to be invoked is nothing. This means nothing happens when the query criteria is seen on the system. In short, this Inspect detection by itself is not malicious. I would recommend looking for other detections on the same computers which would add to the story of what happened. If you see nothing of interest, then this is a false positive which should be excluded.

If you decide there is no malicious activity which is related to this, and want to exclude this from triggering again, you can use the following as a template for creating the exclusion.

<definition>
    <operations>
        <operation type="WmiPersistence">
            <operator type="and">
                <condition component="WmiPersistenceInfo" property="Query" condition="is" value="select * from __namespacecreationevent" />
                <condition component="WmiPersistenceInfo" property="Handler" condition="isempty"/>
                <condition component="WmiPersistenceInfo" property="TriggeringUserName" condition="isempty"/>
                <!-- if the above does not work, try changing both "isempty" to "isnotset" -->
            </operator>
        </operation>
    </operations>
</definition>

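To see what the exclusion template above would and would not suppress, here is an added example (not ESET's code) that applies the template's three conditions to a few constructed detections. It assumes a detection can be represented as a dict of the three parts named in the post (Query, Handler, TriggeringUserName), and it models "is" as exact match, "isempty" as present-but-empty and "isnotset" as absent; those semantics are an assumption, not ESET documentation.

```python
"""Apply the WmiPersistence exclusion template to sample detections.
Added example, not ESET code. A detection is modelled as a dict of Query/Handler/
TriggeringUserName; the "is"/"isempty"/"isnotset" semantics below are assumed."""
import xml.etree.ElementTree as ET

# Exclusion template quoted from the post (XML comment omitted).
EXCLUSION_XML = """<definition>
  <operations>
    <operation type="WmiPersistence">
      <operator type="and">
        <condition component="WmiPersistenceInfo" property="Query" condition="is" value="select * from __namespacecreationevent" />
        <condition component="WmiPersistenceInfo" property="Handler" condition="isempty"/>
        <condition component="WmiPersistenceInfo" property="TriggeringUserName" condition="isempty"/>
      </operator>
    </operation>
  </operations>
</definition>"""

# Constructed sample detections; only the first has the harmless shape described in the post.
SAMPLE_EVENTS = [
    {"Query": "select * from __namespacecreationevent", "Handler": "", "TriggeringUserName": ""},
    {"Query": "select * from __namespacecreationevent", "Handler": "CommandLineEventConsumer", "TriggeringUserName": ""},
    {"Query": "select * from __namespacecreationevent", "Handler": "", "TriggeringUserName": "CORP\\jdoe"},
    {"Query": "select * from __namespacecreationevent"},  # handler and user were never recorded at all
]

def condition_matches(cond, event):
    """Evaluate one <condition> element against a detection dict (assumed semantics)."""
    prop, kind = cond.get("property"), cond.get("condition")
    if kind == "is":
        return event.get(prop) == cond.get("value")
    if kind == "isempty":
        return prop in event and event[prop] == ""
    if kind == "isnotset":
        return prop not in event
    raise ValueError(f"unsupported condition: {kind!r}")

def is_excluded(xml_text, event):
    """True if every <condition> under an 'and' operator matches (the only operator the template uses)."""
    root = ET.fromstring(xml_text)
    return any(all(condition_matches(c, event) for c in op.findall("condition"))
               for op in root.iter("operator") if op.get("type") == "and")

def still_suspicious(xml_text, events):
    """Indexes of detections the exclusion would not suppress, i.e. the ones still worth reviewing."""
    return [i for i, ev in enumerate(events) if not is_excluded(xml_text, ev)]

if __name__ == "__main__":
    variant = EXCLUSION_XML.replace('condition="isempty"', 'condition="isnotset"')  # the post's fallback
    print(still_suspicious(EXCLUSION_XML, SAMPLE_EVENTS))  # [1, 2, 3]
    print(still_suspicious(variant, SAMPLE_EVENTS))        # [0, 1, 2]
```

Note that a non-empty handler, a named triggering user, or fields that were never recorded all survive the "isempty" template, which is why the fallback to "isnotset" matters only for detections whose Handler and user fields are absent rather than empty.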

I've got somewhat the same on one client today:

[screenshot of the detection]

I don't see anything suspicious in the raw events before or after that time.


Hi,
I don't know if it matters, but on that day the Inspect version was upgraded to the latest available version and the antivirus was also updated.
