Detectionmediumtest

WMI Persistence - Security

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.communityCreated Tue Aug 22Updated Tue Nov 29f033f3f3-fd24-4995-97d8-a3bb17550a88windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4662
        ObjectType: 'WMI Namespace'
        ObjectName|contains: 'subscription'
    condition: selection

False Positives

Unknown (data set is too small; further testing needed)

References

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1546.003 · Windows Management Instrumentation Event Subscription

Related Rules

DerivedDetectionmedium

WMI Persistence

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

f033f3f3-fd24-4995-97d8-a3bb17550a88

Status

test

Level

medium

Type

Detection

Created

Tue Aug 22

Modified

Tue Nov 29

Author

Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community

Path

rules/windows/builtin/security/win_security_wmi_persistence.yml

Raw Tags

attack.persistenceattack.privilege-escalationattack.t1546.003

View on GitHub