Vendor-native detections for T1546.003
3 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Detect WMI Event Subscription Persistence
The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.
Query:
`sysmon` EventID=20
| stats count min(_time) as firstTime max(_time) as lastTime BY dest dvc object object_category object_path signature signature_id src status user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_wmi_event_subscription_persistence_filter`

WMI Permanent Event Subscription - Sysmon
The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.
Query:
`sysmon` EventCode=21
| stats count min(_time) as firstTime max(_time) as lastTime BY dest dvc object object_attrs object_category object_path signature signature_id src status user user_id vendor_product Consumer ConsumerNoQuotes Filter FilterNoQuotes
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `wmi_permanent_event_subscription___sysmon_filter`

Windows MOF Event Triggered Execution via WMI
The following analytic detects the execution of MOFComp.exe loading a MOF file, often triggered by cmd.exe or powershell.exe, or from unusual paths like User Profile directories. It leverages Endpoint Detection and Response (EDR) data, focusing on process names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker using WMI for persistence or lateral movement. If confirmed malicious, it could allow the attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment.
Query:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
    where (Processes.parent_process_name IN ("cmd.exe", "powershell.exe") Processes.process_name=mofcomp.exe)
       OR (Processes.process_name=mofcomp.exe Processes.process IN ("*\\AppData\\Local\\*","*\\Users\\Public\\*"))
    by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_mof_event_triggered_execution_via_wmi_filter`
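As an added example, not part of this page or of the vendor's detection content: a Python equivalent of the two Sysmon analytics above (Detect WMI Event Subscription Persistence and WMI Permanent Event Subscription - Sysmon), run over constructed EventID 19/20/21 records. It reproduces the per-object stats aggregation (count, firstTime, lastTime), derives the ConsumerNoQuotes/FilterNoQuotes names from the EventID 21 references, and goes beyond the page's queries by joining the three event types per host so that only fully bound subscriptions are reported. Host names, users, object names and the sample events are all constructed.

```python
import re

# Constructed sample Sysmon events (not real telemetry): a complete permanent
# subscription on WS01 (filter, consumer, binding) and a lone consumer on WS02.
EVENTS = [
    {"EventID": 19, "_time": 1700000000, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "UpdFilter", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "_time": 1700000005, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "UpdConsumer", "Type": "Command Line", "Destination": "C:\\ProgramData\\upd.exe"},
    {"EventID": 21, "_time": 1700000010, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'CommandLineEventConsumer.Name="UpdConsumer"', "Filter": '__EventFilter.Name="UpdFilter"'},
    {"EventID": 20, "_time": 1700000100, "Computer": "WS02", "User": "CORP\\admin",
     "Name": "LogConsumer", "Type": "Log File", "Destination": "C:\\logs\\wmi.log"},
]

_NAME_RE = re.compile(r'Name="([^"]*)"')

def strip_quotes(ref):
    """ConsumerNoQuotes/FilterNoQuotes equivalent: bare name from X.Name="name"."""
    m = _NAME_RE.search(ref)
    return m.group(1) if m else ref

def summarize(events, event_id):
    """Like `sysmon` EventID=<n> | stats count min(_time) max(_time) BY dest user object."""
    rows = {}
    for e in events:
        if e["EventID"] != event_id:
            continue
        key = (e["Computer"], e["User"], e.get("Name") or strip_quotes(e["Consumer"]))
        r = rows.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        r["count"] += 1
        r["firstTime"], r["lastTime"] = min(r["firstTime"], e["_time"]), max(r["lastTime"], e["_time"])
    return rows

def complete_subscriptions(events):
    """Join 19/20/21 per host: a binding whose filter and consumer both exist is armed."""
    filters = {(e["Computer"], e["Name"]): e for e in events if e["EventID"] == 19}
    consumers = {(e["Computer"], e["Name"]): e for e in events if e["EventID"] == 20}
    found = []
    for e in (x for x in events if x["EventID"] == 21):
        host, f_name, c_name = e["Computer"], strip_quotes(e["Filter"]), strip_quotes(e["Consumer"])
        f, c = filters.get((host, f_name)), consumers.get((host, c_name))
        if f and c:
            found.append({"dest": host, "user": e["User"], "filter": f_name, "query": f["Query"],
                          "consumer": c_name, "type": c["Type"], "destination": c["Destination"],
                          "bound_at": e["_time"]})
    return found
```

The lone consumer on WS02 still shows up in summarize(EVENTS, 20), matching the page's EventID=20 analytic, but is not reported by complete_subscriptions because no filter or binding was created for it.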