SPL, Apache-2.0, from splunk/security_content
Detect WMI Event Subscription Persistence
The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.
Quality: 67 | FP risk: — | Forks: 0 | Views: 0
Rule source: detections/endpoint/detect_wmi_event_subscription_persistence.yml
`sysmon` EventID=20
| stats count min(_time) as firstTime max(_time) as lastTime
    BY dest dvc object object_category object_path signature signature_id src status user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_wmi_event_subscription_persistence_filter`
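The description above covers all three Sysmon WMI event IDs (19, 20, 21), while the SPL as published keys on EventID=20 alone. The following Python script is an added example, not part of the splunk/security_content rule, that shows what the fuller correlation looks like when run outside Splunk: it consumes constructed Sysmon-style records (the field names EventID, Computer, UtcTime, Operation, Name, Query, Type, Destination, Consumer and Filter follow Sysmon's WmiEvent schema; the values are invented), links each FilterToConsumerBinding (21) back to the EventFilter (19) and EventConsumer (20) it names, and reports per host the same firstTime/lastTime/count summary the stats clause produces plus whether a complete filter-to-consumer-to-binding chain exists. Out-of-order delivery is handled by indexing on object names rather than arrival order, and a consumer with no binding is reported separately as an orphan.

```python
"""Correlate Sysmon WMI events (IDs 19/20/21) into subscription chains per host.

Added example for illustration; SAMPLE_EVENTS are constructed records, not
real telemetry, and this is not the security_content project's own code.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample events. host-a shows a full chain delivered out of order
# (binding first); host-b shows a consumer that was never bound to a filter.
SAMPLE_EVENTS = [
    {"EventID": 21, "Computer": "host-a", "UtcTime": "2024-01-01 10:00:05.000",
     "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'CommandLineEventConsumer.Name="ExampleConsumer"',
     "Filter": '__EventFilter.Name="ExampleFilter"'},
    {"EventID": 19, "Computer": "host-a", "UtcTime": "2024-01-01 10:00:01.000",
     "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "EventNamespace": "root\\subscription", "Name": "ExampleFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_OperatingSystem'"},
    {"EventID": 20, "Computer": "host-a", "UtcTime": "2024-01-01 10:00:03.000",
     "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "ExampleConsumer", "Type": "Command Line",
     "Destination": "C:\\placeholder\\example.exe"},
    {"EventID": 20, "Computer": "host-b", "UtcTime": "2024-01-01 11:00:00.000",
     "Operation": "Created", "User": "CORP\\alice",
     "Name": "OrphanConsumer", "Type": "Command Line",
     "Destination": "C:\\placeholder\\other.exe"},
]

# Sysmon event 21 reports Filter/Consumer as WMI object paths such as
# __EventFilter.Name="X"; the name inside the quotes links to events 19/20.
NAME_RE = re.compile(r'Name="([^"]+)"')


def wmi_object_name(path: str) -> Optional[str]:
    """Extract the object name from a WMI path, or None if there is none."""
    match = NAME_RE.search(path)
    return match.group(1) if match else None


def parse_time(value: str) -> datetime:
    """Parse Sysmon's UtcTime format (YYYY-MM-DD HH:MM:SS.mmm)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def correlate(events: List[dict]) -> Dict[str, dict]:
    """Group Created WMI events by host and resolve binding -> filter/consumer.

    Returns, per host: count, firstTime, lastTime, sorted event IDs seen, the
    resolved chains (complete=True when both ends were also created on that
    host) and consumers that no binding references.
    """
    per_host = defaultdict(lambda: {"filters": {}, "consumers": {},
                                    "bindings": [], "times": [], "ids": set()})
    for ev in events:
        if ev.get("Operation") != "Created":
            continue  # deletions/modifications are out of scope here
        host = per_host[ev["Computer"]]
        host["times"].append(parse_time(ev["UtcTime"]))
        host["ids"].add(ev["EventID"])
        if ev["EventID"] == 19:
            host["filters"][ev["Name"]] = ev
        elif ev["EventID"] == 20:
            host["consumers"][ev["Name"]] = ev
        elif ev["EventID"] == 21:
            host["bindings"].append(ev)

    findings = {}
    for name, host in per_host.items():
        bound_consumers = set()
        chains = []
        for binding in sorted(host["bindings"], key=lambda b: parse_time(b["UtcTime"])):
            flt = wmi_object_name(binding["Filter"])
            con = wmi_object_name(binding["Consumer"])
            bound_consumers.add(con)
            chains.append({
                "filter": flt,
                "consumer": con,
                "complete": flt in host["filters"] and con in host["consumers"],
                "query": host["filters"].get(flt, {}).get("Query"),
                "destination": host["consumers"].get(con, {}).get("Destination"),
            })
        findings[name] = {
            "count": len(host["times"]),
            "firstTime": min(host["times"]).isoformat(sep=" "),
            "lastTime": max(host["times"]).isoformat(sep=" "),
            "event_ids": sorted(host["ids"]),
            "chains": chains,
            "orphan_consumers": sorted(c for c in host["consumers"] if c not in bound_consumers),
        }
    return findings


if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_EVENTS).items():
        print(host, summary)
```

A complete chain on a host (19, 20 and 21 all present and the binding resolving to both objects) is the high-confidence case; an orphan consumer or a binding whose filter or consumer was created on a different host or before log collection started still deserves a look, which is why the summary keeps them separate rather than suppressing them.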