Pawel15 0 Posted April 4, 2023 Suspicious alerts started popping up on some computers. There can be several such notifications on one computer. Has someone had a similar problem? Here's what type of alerts they are; most look the same. I will be grateful for information!
itman 1,659 Posted April 4, 2023 (edited) Appears Eset is detecting something is creating a permanent WMI event; most likely a consumer event. Such events can be used to perform all kinds of nasty stuff as noted in this article: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/ . Refer to this article: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 which instructs on how to use SysInternals Sysmon and Autoruns utilities to determine if any consumer events exist on the device. If they exist and were not intentionally created by the sys admin, etc., this would be indicative of possible malicious intent. Also, Autoruns is not 100% reliable in determining if persistent WMI events have been created. Edited April 4, 2023 by itman
JamesR (ESET Staff) 52 Posted April 4, 2023 In ESET Inspect the WMI Persistence events are made up of multiple parts. These parts are "Query", "Invoke", and "Set by user". From your screenshot, I can see that whenever a query of "select * from __namespacecreationevent" matches, the action of "" will be invoked, and that this was set by a user with no name. The important part is that the item to be invoked is nothing. This means nothing happens when the query criteria is seen on the system. In short, this Inspect detection by itself is not malicious. I would recommend looking for other detections on the same computers which would add to the story of what happened. If you see nothing of interest, then this is a false positive which should be excluded. If you decide there is no malicious activity which is related to this, and want to exclude this from triggering again, you can use the following as a template for creating the exclusion.

    <definition>
      <operations>
        <operation type="WmiPersistence">
          <operator type="and">
            <condition component="WmiPersistenceInfo" property="Query" condition="is" value="select * from __namespacecreationevent" />
            <condition component="WmiPersistenceInfo" property="Handler" condition="isempty"/>
            <condition component="WmiPersistenceInfo" property="TriggeringUserName" condition="isempty"/>
            <!-- if the above does not work, try changing both "isempty" to "isnotset" -->
          </operator>
        </operation>
      </operations>
    </definition>
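The two replies above describe the same check from two angles: itman's, enumerate the permanent WMI event subscriptions on the host and decide whether an admin created them; JamesR's, an Inspect WMI Persistence event whose handler is empty invokes nothing. The following PowerShell script is an added example written for this thread; it is not ESET's code, not part of Inspect, and not from either article linked above. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets, read access to the root\subscription namespace, and that the Filter/Consumer properties of a binding arrive either as CimInstance objects or as reference strings (both forms are handled). For each filter-to-consumer binding it reports the query, the consumer class, the payload a command-line or script consumer would run, and flags bindings whose consumer is missing (the "invokes nothing" case from the thread) or whose consumer can execute code.

```powershell
# Added example (not from the thread or from ESET): enumerate permanent WMI event
# subscriptions and report what each one would do. Assumes Windows PowerShell 5.1+
# with the CIM cmdlets and read access to root\subscription.

function Get-WmiSubscriptionReport {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    # A binding's Filter and Consumer properties are object references. Depending on the
    # cmdlet and PowerShell version they surface either as CimInstance objects (with a
    # .Name) or as reference strings such as '__EventFilter.Name="x"'; handle both.
    function Resolve-RefName($ref) {
        if ($null -eq $ref) { return $null }
        if ($ref -is [string]) {
            if ($ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $ref }
        }
        return $ref.Name
    }

    # Consumer classes that execute attacker-controlled content when triggered.
    $codeRunningClasses = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

    foreach ($b in $bindings) {
        $filterName   = Resolve-RefName $b.Filter
        $consumerName = Resolve-RefName $b.Consumer
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1
        $consumerClass = if ($consumer) { $consumer.CimClass.CimClassName } else { '<missing>' }

        $findings = @()
        if (-not $consumer) {
            # Nothing is invoked when the filter fires: the empty-handler case from the thread.
            $findings += 'binding references no existing consumer (nothing is invoked)'
        }
        if ($filter -and $filter.Query -match '__namespacecreationevent') {
            $findings += 'query matches the one reported in this thread'
        }
        if ($consumerClass -in $codeRunningClasses) {
            $findings += "consumer can run code: $consumerClass"
        }

        # CommandLineTemplate / ScriptText only exist on the code-running consumer classes;
        # on other classes the property lookup simply yields $null.
        $payload = @($consumer.CommandLineTemplate, $consumer.ScriptText) | Where-Object { $_ }

        [pscustomobject]@{
            Filter        = $filterName
            Query         = if ($filter) { $filter.Query } else { '<missing>' }
            Consumer      = $consumerName
            ConsumerClass = $consumerClass
            Payload       = ($payload -join ' ')
            Findings      = ($findings -join '; ')
        }
    }
}

Get-WmiSubscriptionReport | Format-List
```

Run it elevated so the query sees every subscription, and compare the output against what the administrators and management agents on that host are expected to have registered; a binding with a CommandLineEventConsumer or ActiveScriptEventConsumer nobody can account for is the case worth escalating, while a binding with no consumer is the benign-by-itself situation JamesR describes. Sysmon's WmiEvent records (event IDs 19, 20 and 21 for filter, consumer and binding creation) give the same information at the moment of registration rather than on demand.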
thae 9 Posted April 5, 2023 I've got somewhat the same on one client today: I don't see anything suspicious in the raw events before or after that time.
Pawel15 0 Posted April 5, 2023 (Author) Hi, I don't know if it matters but on that day the Inspect version was upgraded to the latest available version and the antivirus was also updated.