From 604d88cf1ef2ab0a2f55555061e4e18f33c2c151 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 12 Jan 2019 12:02:26 +0100 Subject: [PATCH] Rule: WMI Event Subscription --- .../sysmon/sysmon_wmi_event_subscription.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_wmi_event_subscription.yml diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml new file mode 100644 index 000000000..95177ba63 --- /dev/null +++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml @@ -0,0 +1,22 @@ +title: WMI Event Subscription +status: experimental +description: Detects creation of WMI event subscription persistence method +references: + - https://attack.mitre.org/techniques/T1084/ +tags: + - attack.t1084 + - attack.persistence +author: Tom Ueltschi (@c_APT_ure) +logsource: + product: windows + service: sysmon +detection: + selector: + EventID: + - 19 + - 20 + - 21 + condition: selector +falsepositives: + - exclude legitimate (vetted) use of WMI event subscription in your network +level: high
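Review bot: The `selector` block in the `detection` section matches on `EventID` alone (Sysmon 19, 20 and 21: WmiEventFilter, WmiEventConsumer and WmiEventConsumerToFilter activity), so at `level: high` every WMI subscription created anywhere in the environment, including those from vetted management and monitoring software, will fire. Consider either lowering the level or adding a filter for the known-benign subscriptions, e.g. a `filter:` selection on the consumer/filter names that is negated in the condition (`condition: selector and not filter`), and state in `falsepositives` which legitimate sources produce these events rather than an instruction to exclude them. Two style points: Sigma rules conventionally name the selection `selection` rather than `selector`, and the rule carries no `date:` field, which other rules in this repository include.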