Event Logs Listener Validation

The Indicator of Attack installation script configures an event watcher and a Windows Management Instrumentation (WMI) Producer/Consumer in the machine's memory. WMI is a Windows component that provides you with information about the status of local or remote computer systems.

To check for correct WMI registration:

  • In PowerShell, run the following command:

    Copy 
    Get-WmiObject -Class '__FilterToConsumerBinding' -Namespace 'root\subscription' -Filter "Filter = ""__EventFilter.name='AlsidForAD-Launcher'"""

  • If at least one consumer exists, you obtain this type of output:

    Copy 
    > Get-WmiObject -Class '__FilterToConsumerBinding' -Namespace 'root\subscription' -Filter "Filter = ""__EventFilter.name='AlsidForAD-Launcher'"""


    __GENUS                 : 2
    __CLASS                 : __FilterToConsumerBinding
    __SUPERCLASS            : __IndicationRelated
    __DYNASTY               : __SystemClass
    __RELPATH               : __FilterToConsumerBinding.Consumer="ActiveScriptEventConsumer.Name=\"AlsidForAD-Launcher\"",F
                              ilter="__EventFilter.Name=\"AlsidForAD-Launcher\""
    __PROPERTY_COUNT        : 7
    __DERIVATION            : {__IndicationRelated, __SystemClass}
    __SERVER                : DC-999
    __NAMESPACE             : ROOT\subscription
    __PATH                  : \\DC-999\ROOT\subscription:__FilterToConsumerBinding.Consumer="ActiveScriptEventConsumer.Name
                              =\"AlsidForAD-Launcher\"",Filter="__EventFilter.Name=\"AlsidForAD-Launcher\""
    Consumer                : ActiveScriptEventConsumer.Name="AlsidForAD-Launcher"
    CreatorSID              : {1, 1, 0, 0...}
    DeliverSynchronously    : False
    DeliveryQoS             :
    Filter                  : __EventFilter.Name="AlsidForAD-Launcher"
    MaintainSecurityContext : False
    SlowDownProviders       : False
    PSComputerName          : DC-999

    • If there is no registered WMI consumer, the command returns nothing.

    • This is a prerequisite for the process to run on the DC for WMI.

  • In PowerShell, run the following command:

    Copy 
    gcim win32_process | Where-Object { $_.CommandLine -match "Register-TenableADEventsListener.exe"}

  • Valid result example:

    Copy 
    PS C:\IOAInstall> gcim win32_process | Where-Object { $_.CommandLine -match "Register-TenableADEventsListener.exe"}

    ProcessId Name                                 HandleCount WorkingSetSize VirtualSize

    5748      Register-TenableADEventsListener.exe 152         4096000        4384534528

  • In PowerShell, run the following command:

    Copy 
    gcim win32_process | Where-Object { $_.CommandLine -match "TenableADWMIListener"}

  • Valid result example:

Copy 
> gcim win32_process | Where-Object { $_.CommandLine -match "TenableADWMIListener"}

ProcessId Name           HandleCount WorkingSetSize VirtualSize
--------- ----           ----------- -------------- -----------
952       powershell.exe 502         26513408       2199678185472