name: Suspicious WMI QoS Policy Instance Creation Targeting Security Processes Analytic
signatureid: EDR-SYM933-RUN
category: 'Defense Evasion'
threatname: 'Impair Defenses: Disable or Modify Tools'
functionality: 'Endpoint Management Systems'
description: |
Detects process-level WMI activity consistent with programmatic creation of
MSFT_NetQosPolicySettingData instances in ROOT\StandardCimv2, the mechanism the
EDRChoker compiled binary uses to apply QoS bandwidth-throttle policies to EDR
agent processes without invoking PowerShell. EDRChoker calls System.Management
(WMI) directly from C#: ManagementClass.CreateInstance() followed by
Put(PutType.CreateOnly) on MSFT_NetQosPolicySettingData, with ThrottleRateAction
set to 8 bits per second and AppPathNameMatchCondition set to the target EDR
process. Because no PowerShell runs, Script Block Logging (4104) never fires and
WEL-PSH130-RUN does not cover this path.
Coverage caveat: Sysmon Event ID 19/20/21 record only WMI permanent event
subscription objects (filters, consumers and bindings). A direct PutInstance of a
QoS policy creates none of these, so on Sysmon alone this rule fires only when a
subscription that references ROOT\StandardCimv2 or the QoS class is also
registered. Detecting the bare instance write requires operation-level WMI
telemetry (Microsoft-Windows-WMI-Activity/Trace, or an EDR that records WMI
client calls) correlated with the calling process context.
reference:
- https://www.zerosalarium.com/2026/06/edrchoker-choking-telemetry-stream-block-edr.html
- https://github.com/TwoSevenOneT/EDRChoker/blob/master/Program.cs
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
- https://attack.mitre.org/techniques/T1562/001/
- https://attack.mitre.org/techniques/T1047/
- https://github.com/fluffybunnies-h4x/FT-Sysmon-Config
labels:
- attack.defense_evasion
- attack.t1562.001
- attack.t1047
- attack.t1112
- EDRChoker
- QoS_Throttle
- pacer.sys
- WMI_Abuse
- EDR_Bypass
logsource:
product: windows
service: sysmon
detection:
selection_wmi_namespace:
EventID:
- 19 # WmiEventFilter activity detected
- 20 # WmiEventConsumer activity detected
- 21 # WmiEventConsumerToFilter activity detected
# Sysmon 19/20/21 describe WMI subscription objects only. Their 'Operation' field
# is Created/Deleted/Modified, so the namespace must be matched in EventNamespace
# (EID 19) or in the object paths carried by Destination (EID 20) and
# Filter/Consumer (EID 21). Matching the bare namespace name sidesteps the
# single- vs double-backslash spelling problem.
selection_namespace_fields:
- EventNamespace|contains: 'StandardCimv2'
- Destination|contains: 'StandardCimv2'
- Filter|contains: 'StandardCimv2'
- Consumer|contains: 'StandardCimv2'
selection_qos_class:
- Query|contains: 'MSFT_NetQosPolicySettingData'
- Destination|contains: 'MSFT_NetQosPolicySettingData'
- Filter|contains: 'MSFT_NetQosPolicySettingData'
- Consumer|contains: 'MSFT_NetQosPolicySettingData'
selection_suspicious_parent:
# Catch non-standard parents invoking WMI QoS writes.
# Legitimate QoS management is typically powershell.exe or Group Policy (svchost/gpsvc).
# ParentImage is not present on EID 19/20/21; join the event to its Sysmon EID 1
# record on ProcessGuid to populate it. Used for priority escalation, not in the
# base condition.
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\regsvr32.exe'
filter_legitimate_gpo:
# Group Policy QoS management via svchost/gpsvc is expected in managed environments.
# Image and CommandLine likewise come from the joined EID 1 record.
Image|endswith: '\svchost.exe'
CommandLine|contains: 'gpsvc'
condition: (selection_wmi_namespace and selection_namespace_fields and selection_qos_class) and not filter_legitimate_gpo
criticality: High
verbose_info:
violation_summary:
grouping_attribute: 'accountname'
level2_attribute: 'devicehostname'
level2_metadata_attributes:

TECHNICAL DETAILS
EDRChoker WMI interaction (from Program.cs; procName, guid and policyName are
assigned earlier in that file):
using System.Management;
// Connect to the namespace that hosts the NetQoS policy provider.
var scope = new ManagementScope(@"\\.\ROOT\StandardCimv2");
scope.Connect();
var managementPath = new ManagementPath("MSFT_NetQosPolicySettingData");
var policyClass = new ManagementClass(scope, managementPath, null);
// Build the policy object client-side; nothing reaches the provider until Put().
ManagementObject newPolicy = policyClass.CreateInstance();
newPolicy["AppPathNameMatchCondition"] = procName; // EDR process name (matched against the executable path)
newPolicy["ThrottleRateAction"] = 8UL;             // outbound throttle, 8 bits/sec
newPolicy["InstanceID"] = $"{guid}\\{policyName}\\ActiveStore";
// CreateOnly fails instead of overwriting if a policy with this InstanceID already exists.
newPolicy.Put(new PutOptions { Type = PutType.CreateOnly });
This path produces no PowerShell Script Block Log events (4104).
Sysmon WMI telemetry (EVID 19/20/21) records WMI subscription objects, not
instance writes, so the PutInstance above is invisible to it unless the tool also
registers a subscription. Detection therefore depends on operation-level WMI
telemetry: Microsoft-Windows-WMI-Activity/Trace (an analytic channel, disabled by
default; enable it with wevtutil sl Microsoft-Windows-WMI-Activity/Trace /e:true)
logs each client operation with its namespace and target, so an Operation string
containing IWbemServices::PutInstance together with ROOT\StandardCimv2 and
MSFT_NetQosPolicySettingData, attributed to a ClientProcessId that is neither
powershell.exe/pwsh.exe nor the gpsvc svchost, is the high-fidelity signal.
Alternative detection path (no Sysmon):
Microsoft-Windows-WMI-Activity/Operational Event ID 5861 records new permanent
event consumer bindings, not ordinary instance writes, so it will not surface the
QoS policy creation itself; it only helps if the tool pairs the throttle with a
WMI subscription. Event ID 5858 (failed operations) can catch a PutInstance that
is rejected, for example a CreateOnly write colliding with an existing InstanceID
or a call from a non-administrator. Ingest both channels where available.
Tuning note: alerting on WmiPrvSE.exe spawning unusual child processes covers
Win32_Process.Create abuse, not this technique, since writing a QoS policy spawns
nothing. In environments without WMI operation telemetry, adapt this rule to
registry writes (Sysmon EID 12/13) to:
HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\
from an Image other than the gpsvc svchost.exe, and hunt for existing policies
with Get-NetQosPolicy -PolicyStore ActiveStore, looking for
AppPathNameMatchCondition values naming security products and single-digit
ThrottleRateActionBitsPerSecond values.
False Positives:
- Group Policy-driven QoS provisioning via gpsvc (filtered above)
- Legitimate network management tools with WMI-based QoS configuration
- SCCM/Intune policy deployments that configure QoS via WMI
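The rule logic and its false-positive filter, exercised over constructed telemetry, as an added example; this is not code from the rule page or from the EDRChoker project. It evaluates both channels discussed above: Sysmon EID 19/20/21 subscription records and Microsoft-Windows-WMI-Activity/Trace operation records. The Trace records are assumed to already carry Image, ParentImage and CommandLine from a join against Sysmon EID 1 on the client PID, and the exact wording of the Operation string is illustrative; the sample events, the process name tool.exe and the subscription name QosWatch are constructed for the demo.

```python
"""EDR-SYM933-RUN logic over constructed WMI telemetry (added example, not the
rule's or EDRChoker's own code).

Assumptions: Trace-channel records have been enriched with Image / ParentImage /
CommandLine from Sysmon EID 1; the Operation string format is illustrative.
"""
import re

# Rule atoms (case-insensitive; '\\+' accepts both '\' and '\\' spellings of the path).
NAMESPACE_RE = re.compile(r"root\\+standardcimv2", re.IGNORECASE)
CLASS_RE = re.compile(r"msft_netqospolicysettingdata", re.IGNORECASE)
PUT_RE = re.compile(r"IWbemServices::PutInstance", re.IGNORECASE)

# Processes the rule treats as the normal writers of QoS policy.
EXPECTED_WRITERS = ("\\powershell.exe", "\\pwsh.exe")
# Script hosts / LOLBins the rule flags as suspicious parents of a QoS writer.
SUSPICIOUS_PARENTS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\wscript.exe",
                      "\\cscript.exe", "\\mshta.exe", "\\rundll32.exe", "\\regsvr32.exe")
# Fields on Sysmon EID 19/20/21 that can carry a namespace or class reference.
SYSMON_WMI_FIELDS = ("EventNamespace", "Query", "Destination", "Filter", "Consumer", "Name")


def _fields(ev, names):
    return " ".join(str(ev.get(n, "")) for n in names)


def is_gpo_writer(ev):
    """filter_legitimate_gpo: svchost.exe hosting the Group Policy client (gpsvc)."""
    image = ev.get("Image", "").lower()
    return image.endswith("\\svchost.exe") and "gpsvc" in ev.get("CommandLine", "").lower()


def classify(ev):
    """Evaluate one record. Returns (verdict, priority, reason) or None when out of scope."""
    channel = ev.get("Channel", "")
    if channel == "Microsoft-Windows-Sysmon/Operational" and ev.get("EventID") in (19, 20, 21):
        blob = _fields(ev, SYSMON_WMI_FIELDS)
        if NAMESPACE_RE.search(blob) and CLASS_RE.search(blob):
            return ("alert", "high", "WMI subscription object references the QoS policy class")
        return None  # any other subscription, or the PutInstance itself (never seen here)
    if channel == "Microsoft-Windows-WMI-Activity/Trace":
        op = ev.get("Operation", "")
        # Only instance writes matter; ExecQuery/GetObject on the class is routine enumeration.
        if not (PUT_RE.search(op) and NAMESPACE_RE.search(op) and CLASS_RE.search(op)):
            return None
        if is_gpo_writer(ev):
            return ("suppressed", "none", "Group Policy client (gpsvc) provisioning QoS")
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        if parent.endswith(SUSPICIOUS_PARENTS) or not image.endswith(EXPECTED_WRITERS):
            return ("alert", "high", f"QoS policy write from {image} (parent {parent})")
        return ("alert", "medium", f"QoS policy write from interactive {image}")
    return None


def run_rule(events):
    """Apply classify() to a sequence of records; returns (index, verdict, priority, reason)."""
    return [(i, *r) for i, ev in enumerate(events) if (r := classify(ev)) is not None]


# Constructed telemetry (not real captures).
PUT_OP = r"Start IWbemServices::PutInstance - ROOT\StandardCimv2 : MSFT_NetQosPolicySettingData"
QUERY_OP = r"Start IWbemServices::ExecQuery - ROOT\StandardCimv2 : SELECT * FROM MSFT_NetQosPolicySettingData"
SAMPLE_EVENTS = [
    # 0: compiled WMI client launched from cmd.exe -> high
    {"Channel": "Microsoft-Windows-WMI-Activity/Trace", "Operation": PUT_OP,
     "Image": r"C:\Users\Public\tool.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\Public\tool.exe"},
    # 1: Group Policy client applying a QoS policy -> suppressed
    {"Channel": "Microsoft-Windows-WMI-Activity/Trace", "Operation": PUT_OP,
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s gpsvc"},
    # 2: administrator running New-NetQosPolicy interactively -> medium
    {"Channel": "Microsoft-Windows-WMI-Activity/Trace", "Operation": PUT_OP,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    # 3: Get-NetQosPolicy enumeration (read only) -> out of scope
    {"Channel": "Microsoft-Windows-WMI-Activity/Trace", "Operation": QUERY_OP,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    # 4: Sysmon EID 19, a permanent subscription watching the QoS class -> high
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 19, "Operation": "Created",
     "EventNamespace": r"root\StandardCimv2", "Name": "QosWatch",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_NetQosPolicySettingData'"},
    # 5: Sysmon EID 1 for tool.exe; the PutInstance itself never appears in EID 19/20/21
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Users\Public\tool.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, verdict, prio, reason in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict:<10} {prio:<6} {reason}")
```

Event 3 and event 5 are the two cases worth keeping in mind when tuning: a read of the class is not a write and should never page anyone, and a Sysmon-only pipeline sees the process start but not the policy write.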
Policy building walkthrough can be found in this previous post:
