
Detect WMI Event Subscription Persistence

Author: Michael Haag, Splunk
Source: upstream

The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.

MITRE ATT&CK coverage

Tactic               | Technique
Persistence          | T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
Privilege Escalation | T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Event coverage

Provider | Event ID | Title
Sysmon   | 20       | WmiEvent (WmiEventConsumer activity detected)

Stages and Predicates

Stage 1: search

search EventID=20

Stage 2: stats

stats BY dest, dvc, object, object_category, object_path, signature, signature_id, src, status, user, user_id, vendor_product

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`
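The stages above filter on EventID 20 only, while the description names all three Sysmon WMI events (19, 20 and 21). The following is an added example, not code from the Splunk rule or the original page: it applies the same search-then-stats logic in Python to a handful of constructed Sysmon WmiEvent records, and then goes one step further than the page by correlating a binding (21) with the filter (19) and consumer (20) it references on the same host. The dict field names (Computer, User, Name, Query, Type, Destination, Filter, Consumer) follow Sysmon's WmiEvent schema, but the records, host names, user names and object names are all made up.

```python
"""Added example (not code from the Splunk rule or the original page): the
page's detection logic applied to Sysmon WmiEvent records in Python.

Assumptions (not from the page): events are dicts carrying Sysmon-style
field names; the sample records are constructed, and the hosts, users and
object names in them are invented.
"""
from collections import defaultdict

# Sysmon event IDs named in the rule description.
WMI_EVENT_IDS = {
    19: "WmiFilterEvent",    # __EventFilter created
    20: "WmiConsumerEvent",  # __EventConsumer created
    21: "WmiBindingEvent",   # __FilterToConsumerBinding created
}

# Constructed sample records: one unrelated process event, a complete
# filter -> consumer -> binding chain on ws01, and a lone consumer on ws02.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01.example.local", "User": "EXAMPLE\\alice"},
    {"EventID": 19, "EventType": "WmiFilterEvent", "Operation": "Created",
     "Computer": "ws01.example.local", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "ExampleFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_LocalTime'"},
    {"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created",
     "Computer": "ws01.example.local", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "ExampleConsumer", "Type": "Command Line",
     "Destination": "C:\\Program Files\\Example\\agent.exe"},
    {"EventID": 21, "EventType": "WmiBindingEvent", "Operation": "Created",
     "Computer": "ws01.example.local", "User": "NT AUTHORITY\\SYSTEM",
     "Filter": "ExampleFilter", "Consumer": "ExampleConsumer"},
    {"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created",
     "Computer": "ws02.example.local", "User": "EXAMPLE\\svc-backup",
     "Name": "BackupConsumer", "Type": "Command Line",
     "Destination": "C:\\Program Files\\Backup\\notify.exe"},
]


def stage1_search(events, event_ids=(20,)):
    """Stage 1 of the page's pipeline (`search EventID=20`). The SPL on the
    page keeps only EventID 20; pass (19, 20, 21) to cover every step of a
    subscription, as the rule description names them."""
    return [e for e in events if e.get("EventID") in event_ids]


def stage2_stats(hits):
    """Stage 2 (`stats BY ...`): collapse matches to one row per host, user,
    event type and object name with a count, as the page's stats stage does."""
    counts = defaultdict(int)
    for e in hits:
        name = e.get("Name") or e.get("Consumer", "")
        counts[(e["Computer"], e["User"], WMI_EVENT_IDS[e["EventID"]], name)] += 1
    return dict(counts)


def complete_subscriptions(events):
    """Correlate the three IDs per host: a binding (21) whose Filter and
    Consumer were both seen created (19, 20) is a subscription that is fully
    wired and will fire. Returns (host, filter, consumer, destination) tuples."""
    by_host = defaultdict(lambda: {"filters": set(), "consumers": {}, "bindings": []})
    for e in stage1_search(events, (19, 20, 21)):
        bucket = by_host[e["Computer"]]
        if e["EventID"] == 19:
            bucket["filters"].add(e["Name"])
        elif e["EventID"] == 20:
            bucket["consumers"][e["Name"]] = e.get("Destination", "")
        else:
            bucket["bindings"].append(e)
    found = []
    for host, bucket in by_host.items():
        for b in bucket["bindings"]:
            if b["Filter"] in bucket["filters"] and b["Consumer"] in bucket["consumers"]:
                found.append((host, b["Filter"], b["Consumer"],
                              bucket["consumers"][b["Consumer"]]))
    return found


if __name__ == "__main__":
    for key, n in sorted(stage2_stats(stage1_search(SAMPLE_EVENTS, (19, 20, 21))).items()):
        print(n, *key)
    for sub in complete_subscriptions(SAMPLE_EVENTS):
        print("complete subscription:", sub)
```

Run stand-alone, the script prints one stats row per WMI object on each host and then the single fully wired subscription on ws01; the lone consumer on ws02 surfaces in the stats output (the page's behaviour) but not in the correlation, which is the distinction an analyst would use to prioritise triage.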

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 shows that the indicator is specific to this rule.

Field   | Kind | Values
EventID | eq   | 20