Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)
Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1546 | Event Triggered Execution |
Monitor for newly constructed WMI Objects that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
|
| .003 | Windows Management Instrumentation Event Subscription |
Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. [3] [4] Monitor for the creation of new WMI |
||
| Enterprise | T1027 | Obfuscated Files or Information |
Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads. |
|
| .011 | Fileless Storage |
Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads. |
||
| Enterprise | T1021 | Remote Services |
Monitor for newly constructed WMI objects that is often used to log into a service that accepts remote connects. |
|
| Enterprise | T1047 | Windows Management Instrumentation |
Monitor for newly constructed WMI objects that will execute malicious commands and payloads. |
|