
Summary
This detection rule identifies the creation of WMI temporary event subscriptions by matching Windows Event Log entries with EventCode 5860. WMI (Windows Management Instrumentation) is often abused by attackers to execute commands, collect system information, or maintain persistence in a compromised environment. The analytic looks for the queries that register temporary event subscriptions and filters out common benign queries associated with system administration, such as process start event queries for wsmprovhost.exe and queries about antivirus or firewall products. Because a temporary event subscription can be created with malicious intent, alerting on the remaining subscriptions lets analysts investigate behavior that could lead to code execution or privilege escalation. The implementation requires ingestion of WMI activity logs and may need tuning to account for legitimate administrative tasks that would otherwise trigger false positives.
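The filtering logic the summary describes, as an added worked example that is not part of the original rule: constructed 5860 events (field names assumed to follow the WMI-Activity Operational log) are screened against an allow-list of the benign query shapes named above, and everything else is surfaced for review.

```python
import re

# Constructed sample events (not real telemetry). Field names are assumed to
# follow the Microsoft-Windows-WMI-Activity/Operational 5860 event layout.
SAMPLE_EVENTS = [
    {"EventCode": 5860, "User": "CONTOSO\\svc-mgmt", "Namespace": "root\\cimv2",
     "Query": "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'"},
    {"EventCode": 5860, "User": "NT AUTHORITY\\SYSTEM", "Namespace": "root\\SecurityCenter2",
     "Query": "SELECT * FROM AntiVirusProduct"},
    {"EventCode": 5860, "User": "NT AUTHORITY\\SYSTEM", "Namespace": "root\\SecurityCenter2",
     "Query": "select * from   FirewallProduct"},
    {"EventCode": 5858, "User": "CONTOSO\\jdoe", "Namespace": "root\\cimv2",
     "Query": "SELECT * FROM Win32_OperatingSystem"},  # a plain query, not a subscription
    {"EventCode": 5860, "User": "CONTOSO\\jdoe", "Namespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
]

# Allow-list of the benign query shapes named in the rule summary. Matching is
# case-insensitive and whitespace-normalised so trivial reformatting of a
# legitimate query does not produce a false positive.
BENIGN_QUERY_PATTERNS = [
    re.compile(r"FROM\s+Win32_ProcessStartTrace\b.*wsmprovhost\.exe", re.I),
    re.compile(r"FROM\s+(AntiVirusProduct|FirewallProduct)\b", re.I),
]


def normalize_query(query):
    """Collapse runs of whitespace so pattern matching is layout-independent."""
    return " ".join(query.split())


def is_benign_query(query):
    """True when the query matches one of the allow-listed administrative shapes."""
    q = normalize_query(query)
    return any(p.search(q) for p in BENIGN_QUERY_PATTERNS)


def find_suspicious_subscriptions(events):
    """Return 5860 (temporary subscription) events whose query is not allow-listed."""
    hits = []
    for ev in events:
        if str(ev.get("EventCode")) != "5860":
            continue  # only temporary event subscriptions are in scope
        if is_benign_query(ev.get("Query", "")):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_suspicious_subscriptions(SAMPLE_EVENTS):
        print(f"ALERT user={ev['User']} namespace={ev['Namespace']} query={ev['Query']}")
```

Keep the User and Namespace fields in the alert so that tuning can exclude a known management principal rather than loosening the query patterns themselves.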
Categories
- Windows
- Endpoint
Data Sources
- WMI
- Windows Registry
ATT&CK Techniques
- T1047
Created: 2024-11-13