Suspicious WMI Event Subscription Created

Author: Elastic
Source: upstream

Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.

MITRE ATT&CK coverage

Tactic               | Techniques
Persistence          | T1546 Event Triggered Execution, T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
Privilege Escalation | T1546 Event Triggered Execution, T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Event coverage

Provider     | Event ID | Title
WMI-Activity | 21       | WMI Events were bound.

Stages and Predicates

Stage 1: eql:any

(
  (data_stream.dataset:"endpoint.events.api"
    and event.provider:"Microsoft-Windows-WMI-Activity"
    and process.Ext.api.name:"IWbemServices::PutInstance"
    and process.Ext.api.parameters.consumer_type:("ActiveScriptEventConsumer" or "CommandLineEventConsumer"))
  or
  (data_stream.dataset:"windows.sysmon_operational"
    and winlog.event_data.Consumer:"subscription:CommandLineEventConsumer"
    and winlog.event_data.Operation:"Created")
)
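
The following Python is an added example, not Elastic's code: it evaluates the Stage 1 predicate above over flattened (dotted-key) event dicts for both data sources, so the two branches of the query can be checked against sample telemetry offline. The field names are those of the query; the sample event values, the "id" field and the substring treatment of the Sysmon Consumer match are assumptions.

```python
# Added example (not Elastic's code): evaluates this rule's Stage 1 predicate over
# flattened, dotted-key event dicts. The sample events at the bottom are constructed.
from typing import Dict, List

ENDPOINT_DATASET = "endpoint.events.api"
SYSMON_DATASET = "windows.sysmon_operational"
WMI_PROVIDER = "Microsoft-Windows-WMI-Activity"
PUT_INSTANCE = "IWbemServices::PutInstance"
SUSPICIOUS_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies either branch of the Stage 1 query."""
    dataset = event.get("data_stream.dataset")
    if dataset == ENDPOINT_DATASET:
        # Endpoint API branch: a PutInstance call that writes a script or
        # command-line consumer object into the WMI repository.
        return (
            event.get("event.provider") == WMI_PROVIDER
            and event.get("process.Ext.api.name") == PUT_INSTANCE
            and event.get("process.Ext.api.parameters.consumer_type") in SUSPICIOUS_CONSUMERS
        )
    if dataset == SYSMON_DATASET:
        # Sysmon branch (event 21, WMI binding): the Consumer field carries the
        # consumer path, so the query's text match is applied as a substring test.
        consumer = event.get("winlog.event_data.Consumer", "")
        return (
            "subscription:CommandLineEventConsumer" in consumer
            and event.get("winlog.event_data.Operation") == "Created"
        )
    return False


def alert_ids(events: List[Dict[str, str]]) -> List[str]:
    """Ids (a constructed bookkeeping field) of the events that trigger the rule."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events: ep-1 and sysmon-1 should alert, the other two should not.
CLI_CONSUMER = r'\\.\root\subscription:CommandLineEventConsumer.Name="Example"'
SAMPLE_EVENTS = [
    {"id": "ep-1", "data_stream.dataset": ENDPOINT_DATASET, "event.provider": WMI_PROVIDER,
     "process.Ext.api.name": PUT_INSTANCE, "process.Ext.api.parameters.consumer_type": "ActiveScriptEventConsumer"},
    {"id": "ep-2", "data_stream.dataset": ENDPOINT_DATASET, "event.provider": WMI_PROVIDER,
     "process.Ext.api.name": PUT_INSTANCE, "process.Ext.api.parameters.consumer_type": "LogFileEventConsumer"},
    {"id": "sysmon-1", "data_stream.dataset": SYSMON_DATASET,
     "winlog.event_data.Operation": "Created", "winlog.event_data.Consumer": CLI_CONSUMER},
    {"id": "sysmon-2", "data_stream.dataset": SYSMON_DATASET,
     "winlog.event_data.Operation": "Deleted", "winlog.event_data.Consumer": CLI_CONSUMER},
]
```

Running `alert_ids(SAMPLE_EVENTS)` returns `['ep-1', 'sysmon-1']`: the LogFileEventConsumer write and the deletion of a binding are outside the rule's scope, which is where tuning would start if a source produced noise.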

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field (kind): values

data_stream.dataset (eq)
  • endpoint.events.api
  • windows.sysmon_operational
event.provider (eq)
  • Microsoft-Windows-WMI-Activity
process.Ext.api.name (eq)
  • IWbemServices::PutInstance
process.Ext.api.parameters.consumer_type (in)
  • ActiveScriptEventConsumer
  • CommandLineEventConsumer
winlog.event_data.Consumer (wildcard)
  • *subscription:ActiveScriptEventConsumer*
  • *subscription:CommandLineEventConsumer*
winlog.event_data.Operation (wildcard)
  • Created