
Summary
This detection rule identifies the creation of WMI permanent event subscriptions using Sysmon data, specifically Event Codes 19, 20, and 21. It targets the establishment of WMI EventFilters, EventConsumers, and FilterToConsumerBindings, whose creation can signal an attacker's attempt to achieve persistence or escalate privileges within a Windows environment. Once such a subscription is in place, the consumer's payload runs with SYSTEM privileges whenever the filter's predetermined state change or event occurs. The rule provides a framework for detecting potentially malicious activity involving these WMI components and alerts security teams to possible exploitation attempts that could lead to unauthorized persistence and privilege escalation.
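The three Sysmon events described above only form a working subscription together, so a practical implementation correlates them rather than alerting on each in isolation. The following Python is an added example written for this page, not the detection rule's own search logic: it keeps the filters (Event Code 19) and consumers (Event Code 20) seen so far and raises an alert when a binding (Event Code 21) ties them together, attaching the filter query and consumer payload for the analyst. Field names follow the Sysmon WMI event schema (EventID, Operation, User, Name, Query, Type, Destination, Consumer, Filter); every record value below is constructed sample data, and the mapping of consumer class names to a severity level is this example's own assumption.

```python
"""Correlate Sysmon WMI subscription events (Event Codes 19, 20, 21).

Added example for illustration; the event records are constructed, not
real telemetry, and the severity mapping is an assumption of this example.
"""
from dataclasses import dataclass, field

# Consumer classes that execute a command or script when the filter fires.
# Treated as higher severity here (assumption of this example).
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Constructed Sysmon-style records: a filter, a consumer, then the binding.
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "User": "CORP\\svc-backup",
     "Name": "BackupTrigger",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\svc-backup",
     "Name": "BackupConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -NoProfile -File C:\\ProgramData\\sync.ps1"},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\svc-backup",
     "Consumer": 'CommandLineEventConsumer.Name="BackupConsumer"',
     "Filter": '__EventFilter.Name="BackupTrigger"'},
]


@dataclass
class SubscriptionState:
    """Filters and consumers observed so far, keyed by their WMI Name."""
    filters: dict = field(default_factory=dict)    # name -> WQL query
    consumers: dict = field(default_factory=dict)  # name -> (type, destination)


def name_from_ref(ref: str) -> str:
    """Extract X from a WMI object path such as '__EventFilter.Name="X"'."""
    return ref.split('"')[1] if '"' in ref else ref


def class_from_ref(ref: str) -> str:
    """Extract the class name, e.g. 'CommandLineEventConsumer', from an object path."""
    return ref.split(".", 1)[0]


def detect_wmi_persistence(events):
    """Return one alert per FilterToConsumerBinding creation (Event Code 21).

    Filters and consumers are remembered from earlier Event Codes 19 and 20 so
    the alert can carry the trigger condition and the payload. A binding whose
    filter or consumer was not seen (partial telemetry) still alerts, with the
    missing context left empty rather than dropping the event.
    """
    state = SubscriptionState()
    alerts = []
    for ev in events:
        if ev.get("Operation") != "Created":
            continue  # deletions and modifications are out of scope here
        eid = ev.get("EventID")
        if eid == 19:
            state.filters[ev["Name"]] = ev.get("Query", "")
        elif eid == 20:
            state.consumers[ev["Name"]] = (ev.get("Type", ""), ev.get("Destination", ""))
        elif eid == 21:
            filter_name = name_from_ref(ev["Filter"])
            consumer_name = name_from_ref(ev["Consumer"])
            consumer_class = class_from_ref(ev["Consumer"])
            consumer_type, destination = state.consumers.get(consumer_name, ("", ""))
            alerts.append({
                "rule": "WMI permanent event subscription created",
                "severity": "high" if consumer_class in EXECUTING_CONSUMERS else "medium",
                "user": ev.get("User", ""),
                "filter": filter_name,
                "filter_query": state.filters.get(filter_name, ""),
                "consumer": consumer_name,
                "consumer_class": consumer_class,
                "consumer_type": consumer_type,
                "destination": destination,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_wmi_persistence(SAMPLE_EVENTS):
        print(alert)
```

Alerting on the binding keeps the rule quiet for the many legitimate filters and consumers that management software registers without ever binding them, while the retained context lets an analyst triage directly from the alert: an unfamiliar WQL trigger paired with a command-line or script consumer under an unexpected user is the combination worth investigating first.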
Categories
- Windows
- Endpoint
Data Sources
- WMI
- Windows Registry
ATT&CK Techniques
- T1546.003
- T1546
Created: 2024-11-13