Rule Library
Sigma Rules
3 rules found
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection, medium, test
WMI Event Subscription
Detects creation of WMI event subscription persistence method
Windows, WMI Event
TA0004 · Privilege Escalation, TA0003 · Persistence, T1546.003 · Windows Management Instrumentation Event Subscription
Tom Ueltschi, Sat Jan 12, windows
Detection, high, test
Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
Windows, WMI Event
TA0004 · Privilege Escalation, TA0002 · Execution, T1047 · Windows Management Instrumentation, TA0003 · Persistence, +1
Florian Roth (Nextron Systems), Wed Sep 01, windows
Detection, high, test
Suspicious Scripting in a WMI Consumer
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
Windows, WMI Event
TA0002 · Execution, T1059.005 · Visual Basic
Florian Roth (Nextron Systems) +1, Mon Apr 15, windows