Techniques
Sample rules
Detect WMI Event Subscription Persistence
- source: splunk
- techniques:
  - T1546.003
  - T1546
Description
The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.
Detection logic
`sysmon` EventID=20
| stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_wmi_event_subscription_persistence_filter`
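The aggregation in the Splunk search above, and the three-event chain the description talks about (EventID 19 filter, 20 consumer, 21 binding), reproduced in plain Python as an added example; this is not code from the rule page or from Splunk. The events are constructed to resemble Sysmon WMI records with simplified field names (EventID, UtcTime, Computer, User, Name, Destination, Filter, Consumer); the `window_seconds` correlation and the `complete_subscriptions` function go beyond the single-event rule on the page and are assumptions of this example.

```python
"""Added example: Sysmon EventID 19/20/21 handling over constructed sample events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, shaped like Sysmon WMI events plus one unrelated
# process-create (EventID 1) that the rule must ignore.
SAMPLE_EVENTS = [
    {"EventID": 19, "UtcTime": "2024-01-10 08:00:00.000", "Computer": "ws01.corp.example",
     "User": "CORP\\alice", "Name": "UpdateFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60"},
    {"EventID": 20, "UtcTime": "2024-01-10 08:00:01.000", "Computer": "ws01.corp.example",
     "User": "CORP\\alice", "Name": "UpdateConsumer", "Type": "Command Line",
     "Destination": "CommandLineEventConsumer: C:\\Windows\\System32\\cmd.exe /c C:\\Users\\Public\\update.bat"},
    {"EventID": 21, "UtcTime": "2024-01-10 08:00:02.000", "Computer": "ws01.corp.example",
     "User": "CORP\\alice", "Filter": '__EventFilter.Name="UpdateFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="UpdateConsumer"'},
    # Same consumer re-created later on the same host: the stats row should count 2.
    {"EventID": 20, "UtcTime": "2024-01-10 09:30:00.000", "Computer": "ws01.corp.example",
     "User": "CORP\\alice", "Name": "UpdateConsumer", "Type": "Command Line",
     "Destination": "CommandLineEventConsumer: C:\\Windows\\System32\\cmd.exe /c C:\\Users\\Public\\update.bat"},
    # A benign-looking built-in consumer on another host, with no filter or binding.
    {"EventID": 20, "UtcTime": "2024-01-11 12:00:00.000", "Computer": "srv02.corp.example",
     "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer", "Type": "Other",
     "Destination": "NTEventLogEventConsumer: SCM Event Log Consumer"},
    {"EventID": 1, "UtcTime": "2024-01-11 12:00:05.000", "Computer": "srv02.corp.example",
     "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def parse_time(utc_time: str) -> datetime:
    """Sysmon UtcTime looks like '2024-01-10 08:00:00.000'."""
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f")


def consumer_creation_stats(events):
    """Python rendering of the SPL on the page:
    EventID=20 | stats count min(_time) max(_time) by Computer User Destination
    | rename Computer as dest."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 20:
            continue
        key = (ev["Computer"], ev["User"], ev.get("Destination", ""))
        groups[key].append(parse_time(ev["UtcTime"]))
    rows = []
    for (computer, user, destination), times in groups.items():
        rows.append({
            "dest": computer, "User": user, "Destination": destination,
            "count": len(times),
            "firstTime": min(times).strftime("%Y-%m-%d %H:%M:%S"),
            "lastTime": max(times).strftime("%Y-%m-%d %H:%M:%S"),
        })
    # Deterministic ordering so results are easy to compare.
    return sorted(rows, key=lambda r: (r["dest"], r["User"], r["Destination"]))


def complete_subscriptions(events, window_seconds=300):
    """Assumed extension beyond the page's rule: for each binding (EventID 21),
    report it only when a filter (19) and a consumer (20) were created on the
    same host within `window_seconds` before it, i.e. a fully wired subscription."""
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("EventID") in (19, 20, 21):
            by_host[ev["Computer"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_time(e["UtcTime"]))
        for binding in (e for e in evs if e["EventID"] == 21):
            t_bind = parse_time(binding["UtcTime"])
            recent = [e for e in evs if e["EventID"] in (19, 20)
                      and 0 <= (t_bind - parse_time(e["UtcTime"])).total_seconds() <= window_seconds]
            if {e["EventID"] for e in recent} != {19, 20}:
                continue
            consumer = next(e for e in reversed(recent) if e["EventID"] == 20)
            findings.append({
                "dest": host, "User": binding["User"], "time": binding["UtcTime"],
                "filter": binding["Filter"], "consumer": binding["Consumer"],
                "destination": consumer.get("Destination", ""),
            })
    return findings


if __name__ == "__main__":
    for row in consumer_creation_stats(SAMPLE_EVENTS):
        print(row)
    for finding in complete_subscriptions(SAMPLE_EVENTS):
        print("complete subscription:", finding)
```

On the constructed input, the stats function yields one row per (host, user, consumer destination) exactly as the SPL would, and the chain function flags only the host where all three events were seen within the window, which is how a triage step can separate a single consumer creation from a subscription that is actually armed.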