title: WMI Event Subscription
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: experimental
description: Detects creation of WMI event subscription persistence method
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
tags:
    - attack.t1084
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    category: wmi_event
detection:
    SELECTION_1:
        EventID: 19
    SELECTION_2:
        EventID: 20
    SELECTION_3:
        EventID: 21
    condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
falsepositives:
    - exclude legitimate (vetted) use of WMI event subscription in your network
level: high
ruletype: SIGMA
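The rule's condition is a plain `EventID in {19, 20, 21}` over the Sysmon WMI events (19 = WmiEventFilter, 20 = WmiEventConsumer, 21 = WmiEventConsumerToFilter binding), and the falsepositives entry leaves the allowlisting of vetted subscriptions to the operator. The following Python is an added example, not part of the rule or of the Sigma project: it applies that condition to constructed JSON-per-line records shaped like the Sysmon WMI events and suppresses a site-specific allowlist of vetted object names (`VETTED_NAMES` is an assumed, site-specific value; the SCM filter/consumer pair it contains is the default binding present on Windows hosts). The rule as written also fires on `Operation: Deleted`, so the operation is carried into the alert for the analyst.

```python
import json

# Sysmon event IDs the rule selects: 19 = WmiEventFilter, 20 = WmiEventConsumer,
# 21 = WmiEventConsumerToFilter (binding). The rule matches on EventID alone.
WMI_EVENT_IDS = {19, 20, 21}

# Assumption: site-specific allowlist of vetted subscription object names.
# The rule leaves this tuning to the operator; the SCM pair is the default
# binding that ships with Windows.
VETTED_NAMES = {"SCM Event Log Filter", "SCM Event Log Consumer"}

# Constructed sample records (JSON per line). Field names follow the Sysmon
# WMI events; every value here is made up for this example.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "EventNamespace": "root\\subscription", "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"}
{"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer", "Type": "Event Log"}
{"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "Consumer": "SCM Event Log Consumer", "Filter": "SCM Event Log Filter"}
{"EventID": 19, "Operation": "Created", "User": "CORP\\jdoe", "EventNamespace": "root\\subscription", "Name": "UpdaterFilter", "Query": "SELECT * FROM Win32_ProcessStartTrace"}
{"EventID": 20, "Operation": "Created", "User": "CORP\\jdoe", "Name": "UpdaterConsumer", "Type": "Command Line", "Destination": "C:\\ProgramData\\updater.exe"}
{"EventID": 21, "Operation": "Created", "User": "CORP\\jdoe", "Consumer": "UpdaterConsumer", "Filter": "UpdaterFilter"}
"""


def parse_log(text):
    """Parse JSON-per-line records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_rule(event):
    """The Sigma condition: SELECTION_1 or SELECTION_2 or SELECTION_3."""
    return event.get("EventID") in WMI_EVENT_IDS


def is_vetted(event):
    """True only if every WMI object the event names is on the allowlist.

    A binding (EventID 21) that pairs a vetted filter with an unvetted
    consumer therefore still alerts.
    """
    names = [event.get(k) for k in ("Name", "Filter", "Consumer") if event.get(k)]
    return bool(names) and all(n in VETTED_NAMES for n in names)


def run_detection(text):
    """Return (EventID, Operation, User, subject) for each unsuppressed hit."""
    alerts = []
    for ev in parse_log(text):
        if matches_rule(ev) and not is_vetted(ev):
            subject = ev.get("Name") or f"{ev.get('Filter')} -> {ev.get('Consumer')}"
            alerts.append((ev["EventID"], ev.get("Operation"), ev.get("User"), subject))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the three SCM records are suppressed and the three `jdoe` records (filter, command-line consumer, and the binding that ties them together) are reported; the Event ID 1 record never reaches the allowlist check. Allowlisting by exact object name is the simplest vetting key; in an environment with many legitimate subscriptions you would key the allowlist on the consumer's `Destination` or the filter's `Query` as well.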