Detection rules › Splunk
WMI Permanent Event Subscription - Sysmon
The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| Privilege Escalation | T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 21 | WmiEvent (WmiEventConsumerToFilter activity detected) |
Stages and Predicates
Stage 1: search
search EventCode=21
Stage 2: stats
stats BY dest, dvc, object, object_attrs, object_category, object_path, signature, signature_id, src, status, user, user_id, vendor_product, Consumer, ConsumerNoQuotes, Filter, FilterNoQuotes
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|