LoFP / t1546.003

| Title | Tags |
|---|---|
| Although unlikely, administrators may use event subscriptions for legitimate purposes. | t1047, t1546, t1546.003, endpoint, splunk |
| Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button. | t1546, t1546.003, windows, sigma |
| Dell Power Manager (c:\program files\dell\powermanager\dpmpowerplansetup.exe) | t1546, t1546.003, windows, sigma |
| Exclude legitimate (vetted) use of WMI event subscription in your network. | t1546, t1546.003, windows, sigma |
| False positives may be present from automation-based applications (SCCM); filtering may be required. In addition, break the query out based on volume of usage. Filter process names or f | t1546.003, endpoint, splunk |
| It is possible some applications will create a consumer and may need to be filtered. For tuning, add any additional LOLBins for further depth of coverage. | t1546, t1546.003, endpoint, splunk |
| Legitimate event consumers | t1546, t1546.003, windows, sigma |
| Legitimate software creating script event consumers | t1546, t1546.003, windows, sigma |
| SCCM | t1546, t1546.003, windows, sigma |
| Unknown (data set is too small; further testing needed) | t1546, t1546.003, windows, sigma |
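The entries above all come down to the same tuning problem: alert on CommandLine and ActiveScript WMI event consumers, but suppress the vetted ones (the Dell Power Manager consumer, SCCM) and surface which consumer names are noisy. The following is an added example of that triage logic, not code from LoFP or from the Sigma/Splunk rules these notes belong to. It assumes Sysmon Event ID 20 (WmiEventConsumer activity) field names as the author understands them (EventType, Operation, User, Name, Type, Destination); the sample events, the SCCM allowlist pattern and the LOLBin list are constructed for the example, and the Dell path is the one named on this page.

```python
"""Triage WMI event-consumer creations against a vetted allowlist.

Added example for the LoFP t1546.003 page; not from any Sigma/Splunk rule.
Field names are modeled on Sysmon Event ID 20 (assumption). All sample data
below is constructed.
"""
import re

# Consumer types that execute attacker-controlled code. Log File, NT Event Log
# and SMTP consumers are not alerted on here.
CODE_CONSUMER_TYPES = {"Command Line", "Script"}

# Vetted consumers, matched case-insensitively against the Destination field
# (the command line or script body). The Dell entry is the one this page
# names; the SCCM pattern is a constructed placeholder showing the mechanism.
ALLOWLIST = {
    "dell power manager": r"dell\\powermanager\\dpmpowerplansetup\.exe",
    "sccm client (constructed)": r"\\ccm\\",
}

# LOLBins commonly seen in malicious CommandLineEventConsumers; extend as needed.
LOLBINS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta",
           "regsvr32", "rundll32", "certutil", "bitsadmin")


def classify(event, allowlist=ALLOWLIST):
    """Return (verdict, reason) with verdict in {'ignore', 'suppress', 'alert'}."""
    if event.get("EventType") != "WmiConsumerEvent" or event.get("Operation") != "Created":
        return "ignore", "not a consumer creation"
    ctype = event.get("Type", "")
    if ctype not in CODE_CONSUMER_TYPES:
        return "ignore", f"consumer type {ctype!r} carries no code"
    dest = event.get("Destination", "")
    for label, pattern in allowlist.items():
        if re.search(pattern, dest, re.IGNORECASE):
            return "suppress", f"vetted: {label}"
    hits = [b for b in LOLBINS if b in dest.lower()]
    if hits:
        return "alert", "lolbin in consumer: " + ", ".join(hits)
    return "alert", f"unvetted {ctype} consumer"


def triage(events, allowlist=ALLOWLIST):
    """Return (alerts, counts). counts is per consumer Name over code-consumer
    creations, so high-volume names can be broken out and tuned separately."""
    alerts, counts = [], {}
    for ev in events:
        verdict, reason = classify(ev, allowlist)
        if verdict == "ignore":
            continue
        name = ev.get("Name", "?")
        counts[name] = counts.get(name, 0) + 1
        if verdict == "alert":
            alerts.append({"Name": name, "User": ev.get("User"), "reason": reason})
    return alerts, counts


# Constructed sample records, modeled on Sysmon Event ID 20.
SAMPLE_EVENTS = [
    {"EventType": "WmiConsumerEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "DellPowerManagerConsumer", "Type": "Command Line",
     "Destination": "C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe"},
    {"EventType": "WmiConsumerEvent", "Operation": "Created", "User": "CORP\\jdoe",
     "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventType": "WmiConsumerEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCEP_Log", "Type": "NT Event Log", "Destination": "Application"},
    {"EventType": "WmiConsumerEvent", "Operation": "Created", "User": "CORP\\jdoe",
     "Name": "Maint", "Type": "Script",
     "Destination": 'CreateObject("Scripting.FileSystemObject").DeleteFile "C:\\Users\\Public\\x.tmp"'},
    {"EventType": "WmiConsumerEvent", "Operation": "Deleted", "User": "CORP\\jdoe",
     "Name": "Updater", "Type": "Command Line", "Destination": "powershell.exe -nop"},
]

if __name__ == "__main__":
    found, volume = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT  {a['Name']:<26} {a['User']:<22} {a['reason']}")
    print("volume by consumer name:", volume)
```

The allowlist keys on the consumer's Destination rather than its Name because an attacker can name a consumer anything; the Dell entry only suppresses when the command line really points at the vetted binary. Suppressed consumers still appear in the volume counts, which is what the "break the query out based on volume" note above is asking for.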