WMI Event Subscription

Severity: medium
Author: Tom Ueltschi (@c_APT_ure)
Source: upstream

Detects creation of WMI event subscription persistence method

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1546.003` Event Triggered Execution: Windows Management Instrumentation Event Subscription
Privilege Escalation	`T1546.003` Event Triggered Execution: Windows Management Instrumentation Event Subscription

Event coverage

Provider	Event ID	Title
Sysmon	19	WmiEvent (WmiEventFilter activity detected)
Sysmon	20	WmiEvent (WmiEventConsumer activity detected)
Sysmon	21	WmiEvent (WmiEventConsumerToFilter activity detected)

Stages and Predicates

Stage 1: `selection`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Suspicious Encoded Scripts in a WMI Consumer [sigma] (adds 1 filter)
Suspicious Scripting in a WMI Consumer [sigma] (adds 1 filter)

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

No Suitable Encryption Key Found For Generating Kerberos Ticket [sigma]
Windows Update Error [sigma]