There are two (2) options for enabling WMI Tracing on endpoints:
Via the command line: wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true
Via the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-WMI-Activity/Trace
DWORD = Enabled (0 or 1)
Once enabled, WMI trace events will be recorded within the Event Log file “%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Trace.etl”.
To ingest them in Splunk:
You will need to run a PowerShell script on the endpoint, since these logs are not in the standard Windows format but in a debug format. The PowerShell script will import the events into the Windows Application log. I've used the following links for guidance:
https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
https://www.fireeye.com/blog/threat-research/2015/08/windows_managementi.html
Also, the PowerShell script FireEye published doesn't seem to work so well; it only captures what appears to be the first line of the event. I forked the code and rewrote a little bit of the script to capture the entire message.
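An added example of the forwarding step the post describes (this is neither the poster's fork nor FireEye's script): read the Trace .etl with Get-WinEvent and write each event's complete rendered message to the Application log, where a standard Splunk Windows event log input can collect it. The source name, the event ID 5858 and the state-file path are my own choices, and the script assumes it is run elevated on the endpoint.

```powershell
# Added example: forward Microsoft-Windows-WMI-Activity/Trace events to the Application log.
# Assumptions: run elevated; "WMI-Trace-Forwarder", event ID 5858 and the state file are made up here.
param(
    [string]$TracePath = "$env:SystemRoot\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Trace.etl",
    [string]$Source    = 'WMI-Trace-Forwarder',
    [int]$EventId      = 5858
)

# Register the event source once so Write-EventLog can target the Application log.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Remember the last forwarded record so repeated runs do not duplicate events in Splunk.
$statePath  = Join-Path $env:ProgramData 'wmi-trace-forwarder.state'
$lastRecord = if (Test-Path $statePath) { [int64](Get-Content -Path $statePath) } else { -1 }

# -Oldest is mandatory when Get-WinEvent reads an .etl file.
$events = Get-WinEvent -Path $TracePath -Oldest -ErrorAction SilentlyContinue |
          Where-Object { $_.RecordId -gt $lastRecord }

foreach ($evt in $events) {
    # FormatDescription() returns the whole rendered message (every line of the
    # Operation / ClientProcessId / User text), not just its first line.
    $message = $evt.FormatDescription()
    if ([string]::IsNullOrWhiteSpace($message)) {
        # No manifest-rendered text available: keep the raw event XML so nothing is lost.
        $message = $evt.ToXml()
    }
    $body = @(
        "WMI trace record $($evt.RecordId) at $($evt.TimeCreated)",
        "Provider: $($evt.ProviderName)  OriginalEventId: $($evt.Id)",
        $message
    ) -join "`r`n"
    # .NET's EventLog.WriteEntry rejects messages longer than 31839 characters; cap to be safe.
    if ($body.Length -gt 31839) { $body = $body.Substring(0, 31839) }
    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
                   -EntryType Information -Message $body
    $lastRecord = $evt.RecordId
}

Set-Content -Path $statePath -Value $lastRecord
```

Schedule the script (for example with a Task Scheduler job) and point Splunk's Windows event log input at the Application log, filtering on the chosen source name.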