ASR in Intune for "Block persistence through WMI event subscription"


Hello all,

 

It seems that to address the "Block persistence through WMI event subscription", there is nothing in the Intune GUI that you can check/enable. You need to use an Administrative template and specify the OMA-URI value.

I've done this and assigned this admin template to a subset of my users (I've assigned this policy to users, not devices), about 13 users.

And after looking at the results, I get about 9 errors out of the 13 users... and they seem to vary from day to day. I can also get a status per device.

Obviously, either in the policy results or in the device page, I don't see any details besides "Failed".

 

Did I miss anything?

Thanks

P


5 Replies

@XPaulo 

 

Hello Paulo,

 

You're probably not the only one.

But are you talking about persistence or WMI commands? (One is Intune-ready, the other is not.)

I get the same inconsistent results, but when I check the PowerShell script run by devices I see that it is not the case. I have checked that the devices are indeed registered and, even more, that the devices are managed by Intune (MDM - you have to be careful that the same devices are not also managed by MAM) and comply with the prerequisites required to run said scripts.

If you look at the development of Endpoint Manager (yes, Microsoft still call it Intune) you will see it's on the agenda.

In development - Microsoft Intune | Microsoft Docs

I am beginning to get so annoyed with this that I am considering turning it into an Endpoint Analytics proactive remediation script to see what the hell is going on. Microsoft provide two very good examples that you can see here.

 

Endpoint analytics - Microsoft Endpoint Manager admin center

 

The code for PowerShell is here:

Set-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
 
If you think I can be of any further assistance please reply.  If I am rabbiting on about stuff you already know please ignore.
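One way to build the Proactive Remediations check mentioned in this reply is a detection script that reads the device's effective ASR configuration and reports exactly which state the rule is in. This is an added example, not code from the thread or from Microsoft's sample scripts; it assumes the Proactive Remediations convention that exit code 1 means "issue found" and triggers the remediation script.

```powershell
# Added example: Proactive Remediations *detection* script for the ASR rule
# "Block persistence through WMI event subscription" (GUID quoted in the thread).
# Convention: exit 0 = compliant, exit 1 = issue found (Intune then runs the
# remediation script). Output text shows up in the Endpoint analytics report.
$RuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

try {
    # Effective Defender preferences on the device, regardless of whether they
    # came from Intune, Group Policy or a local Set-MpPreference call.
    $pref = Get-MpPreference -ErrorAction Stop
} catch {
    Write-Output "Get-MpPreference failed: $($_.Exception.Message)"
    exit 1
}

# Both properties are parallel arrays: the action at index N applies to the
# rule ID at index N. Wrap in @() so a single value still behaves as an array.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

$index = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    # GUID casing differs between sources, so compare case-insensitively.
    if ($ids[$i] -ieq $RuleId) { $index = $i; break }
}

if ($index -lt 0 -or $index -ge $actions.Count) {
    Write-Output "ASR rule $RuleId is not configured on this device"
    exit 1
}

# Action values: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
$action = [int]$actions[$index]
if ($action -eq 1) {
    Write-Output "ASR rule $RuleId is in Block mode"
    exit 0
}

Write-Output "ASR rule $RuleId is configured with action $action (expected 1 = Block)"
exit 1
```

The matching remediation script is the one-liner from this reply but with Add-MpPreference in place of Set-MpPreference: Set-MpPreference -AttackSurfaceReductionRules_Ids replaces the whole rule list and would silently drop every other ASR rule already on the device, while Add-MpPreference appends to it.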

Hello @braedachau 

 

Thanks for your reply.

So you're not using an admin template but rather a PS script? 

I am not sure I understand if it works in your case or not. Are you managing to see the recommendations go away?

 

Thanks

Paulo

@XPaulo 

 

Yes, both go away (since there are two associated with WMI).

I will ditch the PowerShell script when it's officially supported by Intune.

I just checked 3 machines that have a high "uptime" and it's not reported in any of them, so resolved.


Regards


@MMelkersen 

 

Okay having a look,

 

Recommendations 11, 12 and 13 via ASR in Endpoint Manager.

Recommendation 14 implemented via PowerShell script iaw our discussions; Windows devices must be managed by Intune, either registered or joined, and must be MDM, not MAM.

Recommendation 14 - interesting solution - shall investigate your solution as blogged.

Recommendations 15 and 16 don't appear in my list of "global" recommendations, so they're already managed.

Recommendations 17 and 18 exist but I'm not pushing this as I have MFA (I'll get to the golden ticket problem).

Recommendation 19 - nope, doesn't exist - so managed.

Recommendation 20 - I don't agree with, and that's domain, public and private - end users should know IMHO.


I have 53 recommendations in total over 7 Windows 10 test devices, one of which is a dud. I changed the name before a restart and ended up with a bullcrap entry that pulls my score down. 30 days from now it should clear itself (I actually hate this - in that you can't delete obsolete or renamed devices), and then I'll push it back up to 180 days.

 

I run Sentinel. This was the solution that Microsoft used to discover the SolarWinds debacle (biggest hack to date). I have also read the FireEye post report as well, including the CISA alert. I also have MCSA enabled and this also tells me a great deal.

 

At best I can get my security recommendations down to 16 on joined machines, 19 on registered and then I have my bogus entry and as of writing I am getting new reports on Chrome browser.

 

My gut feeling - I can never get this to zero as my hardware is too old, and Microsoft keep upping the ante, as they should, based on what they see across a billion devices.

 

If you read this post

 

Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments | CISA

 

and can implement it you are doing well, then there are these

 

CrowdStrike/CRT: Contact: CRT@crowdstrike.com (github.com)

 

T0pCyber/hawk: Powershell Based tool for gathering information related to O365 intrusions and potent...

 

GitHub - fireeye/Mandiant-Azure-AD-Investigator

 

GitHub - cisagov/Sparrow: Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect poss...

 

I am not exactly sure what you are trying to achieve. Perfection? Not going to happen; too many factors involved and way too many seriously smart and over-resourced organizations trying to find a way in.

 

I read a post somewhere that basically says - assume you are going to be breached.  Eventually you will be but then how long does it take you to realize it, and close the door.

 

I tell you one thing, this is the most engaging conversation I have had on this forum, so if you feel like continuing to share please keep replying. Remember though, I am an amateur; I don't have certifications yet that confirm my love of this content.

 

I am also on LinkedIn, my profile is here.  Feel free if you think I am worthy to add me to your list.

The fact is I believe we have the same goals and you might teach me a thing or two, and we cannot upset the Microsoft moderator by continuing to deviate from our posts.

 

Leon Scott | LinkedIn

 

Make sure you tell me it's you.

 

Sincerely

Leon Scott.