Windows Management Instrumentation Event Subscription
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime. (Citation: Mandiant M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an ev...
BY SOURCE
PROCEDURES (11)
Auto-extracted: 2 detections for persist
Auto-extracted: 2 detections for persist
Auto-extracted: 2 detections for module load monitoring
Auto-extracted: 2 detections for process creation monitoring
Auto-extracted: 2 detections for suspicious
Auto-extracted: 2 detections for privilege
Auto-extracted: 1 detection for privilege
Auto-extracted: 1 detection for file monitoring
Auto-extracted: 1 detection for privilege
Auto-extracted: 1 detection for suspicious
Auto-extracted: 1 detection for privilege