WMI Permanent Event Subscription - Sysmon

Description

This search looks for the creation of WMI permanent event subscriptions.

Content Mapping

This content is not mapped to any local saved search.

Use Case

Advanced Threat Detection

Category

Adversary Tactics

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Privilege Escalation
Persistence

MITRE ATT&CK Techniques

Event Triggered Execution

Windows Management Instrumentation Event Subscription

MITRE Threat Groups

APT29
APT33
Blue Mockingbird
Leviathan
Turla

Kill Chain Phases

Actions On Objectives

WMI Permanent Event Subscription - Sysmon Help

To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity. In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.
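The page does not reproduce the search itself, so the following is an added example, not Splunk's search or the Sysmon TA's parsing logic. It shows what the detection has to do once Sysmon WMI logging is in place: correlate the three Sysmon WMI event types (event 19, WmiEventFilter; event 20, WmiEventConsumer; event 21, WmiEventConsumerToFilter) so that a binding event can be reported together with the filter query and the consumer command it connects. The sample records are constructed and use a simplified JSON-lines layout whose keys follow the Sysmon event schema; the known-benign binding list and the consumer-type severity rule are assumptions to tune per environment.

```python
"""Correlate Sysmon WMI events 19/20/21 into permanent event subscription alerts."""
import json
import re

# Constructed sample events (not real telemetry). Keys follow the Sysmon
# event 19/20/21 schema; values are made up for this example.
SAMPLE_SYSMON_EVENTS = r'''
{"EventCode": 19, "UtcTime": "2024-01-01 09:58:00", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "EventNamespace": "root\\subscription", "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"}
{"EventCode": 20, "UtcTime": "2024-01-01 09:58:00", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer", "Type": "Other", "Destination": "NTEventLogEventConsumer"}
{"EventCode": 21, "UtcTime": "2024-01-01 09:58:01", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "Consumer": "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"", "Filter": "__EventFilter.Name=\"SCM Event Log Filter\""}
{"EventCode": 19, "UtcTime": "2024-01-01 10:00:00", "Operation": "Created", "User": "LAB\\admin", "EventNamespace": "root\\subscription", "Name": "LabFilter", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}
{"EventCode": 20, "UtcTime": "2024-01-01 10:00:01", "Operation": "Created", "User": "LAB\\admin", "Name": "LabConsumer", "Type": "Command Line", "Destination": "cmd.exe /c echo constructed-sample"}
{"EventCode": 21, "UtcTime": "2024-01-01 10:00:02", "Operation": "Created", "User": "LAB\\admin", "Consumer": "CommandLineEventConsumer.Name=\"LabConsumer\"", "Filter": "__EventFilter.Name=\"LabFilter\""}
{"EventCode": 20, "UtcTime": "2024-01-01 10:05:00", "Operation": "Deleted", "User": "LAB\\admin", "Name": "OldConsumer", "Type": "Active Script", "Destination": "WScript.Echo 1"}
'''

# Assumption: filter/consumer pairs treated as benign. The SCM Event Log
# binding ships with Windows; extend this set for your own environment.
KNOWN_BENIGN_BINDINGS = {("SCM Event Log Filter", "SCM Event Log Consumer")}

# Assumption: consumer types that run code on the host are rated higher.
EXECUTING_CONSUMER_TYPES = {"Command Line", "Active Script"}

_NAME_RE = re.compile(r'Name="([^"]*)"')


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def wmi_object_name(path):
    """Return the Name from a WMI object path such as __EventFilter.Name="X".

    Event 21 carries the filter and consumer as object paths, not bare names;
    if no Name= component is present the path is returned unchanged.
    """
    match = _NAME_RE.search(path or "")
    return match.group(1) if match else path


def correlate_subscriptions(events):
    """Join event 21 bindings to the event 19 filter and event 20 consumer they reference."""
    filters, consumers = {}, {}
    # Pass 1: track the current state of filters and consumers by name.
    for ev in events:
        code = ev.get("EventCode")
        if code not in (19, 20):
            continue
        table = filters if code == 19 else consumers
        if ev.get("Operation") == "Deleted":
            table.pop(ev.get("Name"), None)
        else:  # Created (or Modified): keep the latest definition
            table[ev.get("Name")] = ev

    # Pass 2: every non-deleted binding becomes one alert, enriched with the
    # filter query and consumer destination so an analyst sees the whole chain.
    alerts = []
    for ev in events:
        if ev.get("EventCode") != 21 or ev.get("Operation") == "Deleted":
            continue
        filter_name = wmi_object_name(ev.get("Filter"))
        consumer_name = wmi_object_name(ev.get("Consumer"))
        if (filter_name, consumer_name) in KNOWN_BENIGN_BINDINGS:
            continue
        flt = filters.get(filter_name, {})
        con = consumers.get(consumer_name, {})
        consumer_type = con.get("Type", "unknown")
        alerts.append({
            "time": ev.get("UtcTime"),
            "user": ev.get("User"),
            "filter": filter_name,
            "query": flt.get("Query", "<filter event not seen>"),
            "consumer": consumer_name,
            "consumer_type": consumer_type,
            "destination": con.get("Destination", "<consumer event not seen>"),
            "severity": "high" if consumer_type in EXECUTING_CONSUMER_TYPES else "medium",
        })
    return alerts


def detect(text=SAMPLE_SYSMON_EVENTS):
    """Run the correlation over JSON-lines Sysmon events and return the alerts."""
    return correlate_subscriptions(parse_events(text))


if __name__ == "__main__":
    for alert in detect():
        print(json.dumps(alert, indent=2))
```

On the sample data this yields a single high-severity alert for the LabFilter/LabConsumer binding; the built-in SCM binding is suppressed and the deleted consumer never produces one. A binding whose filter or consumer event was not collected still alerts, with placeholder text where the enrichment is missing, because an orphaned event 21 is itself worth a look.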
