Which SIEM platforms have a T1546 detection rule?

df00tech provides T1546 (Event Triggered Execution) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1546 detection?

The T1546 detection is rated high severity with medium confidence.

What are common false positives for T1546?

Common false positives for T1546 include: Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks; Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes; Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools).

T1546: Event Triggered Execution — Detection (KQL, SPL, Sigma + 5 SIEMs)

Q: What data sources are required to detect Event Triggered Execution (T1546)?

Detecting Event Triggered Execution requires the following data sources: Registry: Windows Registry Key Modification, Process: Process Creation, File: File Creation, File: File Modification, WMI: WMI Creation, Microsoft Defender for Endpoint.

Microsoft Sentinel / Defender

kusto

// T1546 — Event Triggered Execution: broad detection covering WMI subscriptions, registry-based triggers, and file-based persistence hooks
let WmiSubscriptionRegistryPaths = dynamic([
  "\\SOFTWARE\\Microsoft\\WBEM",
  "\\SYSTEM\\CurrentControlSet\\Services\\WbemAdap"
]);
let RegistryTriggerPaths = dynamic([
  // AppInit DLLs (T1546.010)
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
  "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
  // Image File Execution Options (T1546.012)
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
  // Screensaver (T1546.002)
  "\\Control Panel\\Desktop\\SCRNSAVE.EXE",
  // AppCert DLLs (T1546.009)
  "\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls",
  // Netsh Helper DLL (T1546.007)
  "\\SOFTWARE\\Microsoft\\NetSh",
  // COM Hijacking (T1546.015)
  "\\SOFTWARE\\Classes\\CLSID"
]);
let AccessibilityBinaries = dynamic([
  "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
  "narrator.exe", "displayswitch.exe", "atbroker.exe", "wscript.exe"
]);
let SdbInstPaths = dynamic(["sdbinst.exe"]);
// Detection 1: Suspicious registry modifications to event-triggered persistence locations
let RegistryTriggers = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (RegistryTriggerPaths)
| where RegistryValueData != "" or ActionType == "RegistryKeyCreated"
// Exclude known-good IFEO entries (debugger set to legitimate tools)
| where not (RegistryKey contains "Image File Execution Options" and RegistryValueName == "Debugger" and
             (RegistryValueData has "vsjitdebugger.exe" or RegistryValueData has "windbg.exe" or RegistryValueData has "drwtsn32.exe"))
| extend DetectionType = case(
    RegistryKey contains "AppInit_DLLs", "AppInit_DLL_Persistence",
    RegistryKey contains "Image File Execution Options", "IFEO_Hijacking",
    RegistryKey contains "SCRNSAVE.EXE", "Screensaver_Persistence",
    RegistryKey contains "AppCertDlls", "AppCertDLL_Persistence",
    RegistryKey contains "NetSh", "Netsh_Helper_DLL",
    RegistryKey contains "CLSID", "COM_Hijacking",
    "Event_Triggered_Registry"
  )
| project Timestamp, DeviceName, AccountName, DetectionType, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
// Detection 2: WMI event subscription creation via process telemetry
let WmiSubscriptions = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("subscription", "ActiveScriptEventConsumer", "CommandLineEventConsumer", "EventFilter", "FilterToConsumerBinding"))
   or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Set-WmiInstance", "New-CimInstance", "__EventFilter", "__EventConsumer", "__FilterToConsumerBinding", "ActiveScriptEventConsumer", "CommandLineEventConsumer"))
| extend DetectionType = "WMI_Subscription_Creation"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine = ProcessCommandLine,
          InitiatingProcessAccountName = AccountName;
// Detection 3: Application Shimming via sdbinst.exe
let AppShimming = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sdbinst.exe"
| where ProcessCommandLine !has "/u" // /u is uninstall — less suspicious
| extend DetectionType = "App_Shimming_SDB_Install"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine = ProcessCommandLine,
          InitiatingProcessAccountName = AccountName;
// Detection 4: Accessibility feature binary replacement (T1546.008)
let AccessibilityHijack = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName has_any (AccessibilityBinaries)
| where FolderPath has_any ("\\Windows\\System32", "\\Windows\\SysWOW64")
// Exclude Windows Update and TrustedInstaller paths
| where InitiatingProcessFileName !in~ ("TiWorker.exe", "TrustedInstaller.exe", "wuauclt.exe", "svchost.exe")
| extend DetectionType = "Accessibility_Feature_Hijack"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = "", RegistryValueName = FileName, RegistryValueData = FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessAccountName = InitiatingProcessAccountName;
// Detection 5: PowerShell profile creation/modification (T1546.013)
let PsProfilePaths = dynamic([
  "\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1",
  "\\WindowsPowerShell\\profile.ps1",
  "\\PowerShell\\Microsoft.PowerShell_profile.ps1",
  "\\PowerShell\\profile.ps1"
]);
let PowerShellProfile = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (PsProfilePaths) or (FileName has "_profile.ps1" and FolderPath has "PowerShell")
| where InitiatingProcessFileName !in~ ("powershell.exe", "pwsh.exe", "code.exe", "notepad.exe", "devenv.exe")
| extend DetectionType = "PowerShell_Profile_Modification"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = FolderPath, RegistryValueName = FileName, RegistryValueData = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessAccountName = InitiatingProcessAccountName;
// Union all detections
union RegistryTriggers, WmiSubscriptions, AppShimming, AccessibilityHijack, PowerShellProfile
| sort by Timestamp desc

Detects multiple T1546 Event Triggered Execution sub-techniques across Windows platforms using Microsoft Defender for Endpoint telemetry. Covers: (1) Registry modifications to AppInit_DLLs, IFEO, screensaver, AppCertDlls, Netsh Helper, and COM hijacking keys; (2) WMI event subscription creation via wmic.exe or PowerShell; (3) Application shimming via sdbinst.exe; (4) Accessibility feature binary replacement (utilman.exe, sethc.exe, etc.) targeting System32/SysWOW64; (5) PowerShell profile creation/modification from unexpected parent processes. Each detection arm is labeled with DetectionType for downstream triage and routing.

high severity medium confidence

Data Sources

Registry: Windows Registry Key Modification Process: Process Creation File: File Creation File: File Modification WMI: WMI Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceProcessEvents DeviceFileEvents

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

Splunk

spl

| multisearch
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
      (TargetObject="*\\AppInit_DLLs" OR TargetObject="*\\Image File Execution Options*" OR
       TargetObject="*\\SCRNSAVE.EXE" OR TargetObject="*\\AppCertDlls*" OR
       TargetObject="*\\NetSh*" OR TargetObject="*SOFTWARE\\Classes\\CLSID*")
    | eval DetectionType=case(
        like(TargetObject, "%AppInit_DLLs%"), "AppInit_DLL_Persistence",
        like(TargetObject, "%Image File Execution Options%"), "IFEO_Hijacking",
        like(TargetObject, "%SCRNSAVE.EXE%"), "Screensaver_Persistence",
        like(TargetObject, "%AppCertDlls%"), "AppCertDLL_Persistence",
        like(TargetObject, "%NetSh%"), "Netsh_Helper_DLL",
        like(TargetObject, "%CLSID%"), "COM_Hijacking",
        1=1, "Event_Triggered_Registry"
      )
    | eval EventDescription="Registry value set to: ".Details
    | table _time, host, User, DetectionType, TargetObject, Details, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=12
      (TargetObject="*\\AppInit_DLLs" OR TargetObject="*\\Image File Execution Options*" OR
       TargetObject="*\\AppCertDlls*" OR TargetObject="*\\NetSh*")
    | eval DetectionType="Event_Triggered_Registry_Key_Created"
    | table _time, host, User, DetectionType, TargetObject, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=19 OR EventCode=20 OR EventCode=21
    | eval DetectionType=case(
        EventCode=19, "WMI_EventFilter_Created",
        EventCode=20, "WMI_EventConsumer_Created",
        EventCode=21, "WMI_FilterToConsumerBinding",
        1=1, "WMI_Subscription"
      )
    | eval EventDescription=coalesce(Query, Destination, Consumer)
    | table _time, host, User, DetectionType, EventDescription, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      (Image="*\\wmic.exe" (CommandLine="*subscription*" OR CommandLine="*ActiveScriptEventConsumer*" OR CommandLine="*CommandLineEventConsumer*" OR CommandLine="*EventFilter*" OR CommandLine="*FilterToConsumerBinding*"))
      OR (Image="*\\wmic.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
      (CommandLine="*Set-WmiInstance*" OR CommandLine="*New-CimInstance*" OR CommandLine="*__EventFilter*" OR CommandLine="*__EventConsumer*")
    | eval DetectionType="WMI_Subscription_Creation_Process"
    | table _time, host, User, DetectionType, Image, CommandLine, ParentImage, ParentCommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      Image="*\\sdbinst.exe" NOT CommandLine="*/u*"
    | eval DetectionType="App_Shimming_SDB_Install"
    | table _time, host, User, DetectionType, Image, CommandLine, ParentImage, ParentCommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*\\Windows\\System32\\sethc.exe" OR TargetFilename="*\\Windows\\System32\\utilman.exe" OR
       TargetFilename="*\\Windows\\System32\\osk.exe" OR TargetFilename="*\\Windows\\System32\\magnify.exe" OR
       TargetFilename="*\\Windows\\System32\\narrator.exe" OR TargetFilename="*\\Windows\\System32\\displayswitch.exe" OR
       TargetFilename="*\\Windows\\System32\\atbroker.exe")
      NOT (Image="*\\TiWorker.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\wuauclt.exe")
    | eval DetectionType="Accessibility_Feature_Hijack"
    | table _time, host, User, DetectionType, TargetFilename, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*\\WindowsPowerShell\\*_profile.ps1" OR TargetFilename="*\\PowerShell\\*_profile.ps1" OR TargetFilename="*\\WindowsPowerShell\\profile.ps1")
      NOT (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\Code.exe" OR Image="*\\notepad.exe" OR Image="*\\devenv.exe")
    | eval DetectionType="PowerShell_Profile_Modification"
    | table _time, host, User, DetectionType, TargetFilename, Image, CommandLine
  ]
| eval SuspicionScore=case(
    DetectionType="IFEO_Hijacking", 3,
    DetectionType="WMI_FilterToConsumerBinding", 4,
    DetectionType="WMI_EventConsumer_Created", 3,
    DetectionType="Accessibility_Feature_Hijack", 4,
    DetectionType="App_Shimming_SDB_Install", 2,
    DetectionType="WMI_Subscription_Creation_Process", 3,
    DetectionType="AppInit_DLL_Persistence", 3,
    DetectionType="Screensaver_Persistence", 2,
    DetectionType="PowerShell_Profile_Modification", 2,
    1=1, 1
  )
| table _time, host, User, DetectionType, SuspicionScore, Image, CommandLine, TargetObject, TargetFilename
| sort - SuspicionScore, - _time

Detects T1546 Event Triggered Execution sub-techniques across Windows using Sysmon operational logs. Covers: Sysmon Event ID 13 (registry value set) and Event ID 12 (registry key created) for AppInit_DLLs, IFEO, screensaver, AppCertDlls, Netsh Helper, and COM class hijacking; Sysmon Event IDs 19/20/21 (WMI event filter, consumer, and binding creation) for WMI subscriptions; Sysmon Event ID 1 (process creation) for wmic.exe and PowerShell WMI subscription commands and sdbinst.exe shimming; Sysmon Event ID 11 (file creation) for accessibility feature binary replacement and PowerShell profile modification. Each result includes a SuspicionScore to prioritize high-fidelity events.

high severity medium confidence

Data Sources

Registry: Windows Registry Key Modification Process: Process Creation File: File Creation WMI: WMI Creation Sysmon Event IDs 1, 11, 12, 13, 19, 20, 21

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Third-party security products (endpoint agents, DLP tools) legitimately registering themselves via AppInit_DLLs or COM objects during installation
IT teams applying vendor application compatibility shim databases via sdbinst.exe as part of OS migration or legacy application support programs
WMI subscriptions deployed by legitimate monitoring frameworks (SCCM, BMC TrueSight, SolarWinds) for infrastructure health checks
IFEO Debugger entries created by development tools (Visual Studio Just-In-Time debugger, process monitor) during legitimate debugging sessions
Group Policy-enforced screensaver settings pushed organization-wide for compliance with screen lock requirements

Elastic Security (EQL)

eql

any where
  (event.category == "registry" and
   (registry.path : ("*\\SOFTWARE\\Microsoft\\WBEM*",
                      "*\\SYSTEM\\CurrentControlSet\\Services\\WbemAdap*",
                      "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB*",
                      "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*") and
    registry.value : ("Debugger","GlobalFlag"))) or
  (event.category == "process" and event.type == "start" and
   process.name : ("wmic.exe","mofcomp.exe") and
   process.args : ("subscription","create","MOF","ConsumerToFilter","filter2consumer"))

Detects event-triggered execution persistence via WMI subscriptions, IFEO debugger keys, and AppCompat SDB shims.

high severity medium confidence

Data Sources

Windows Registry Events Windows Process Events

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.process-*

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "TargetObject" as RegistryKey, "Image" as ProcessImage,
  "CommandLine" as CommandLine,
  CASE WHEN "TargetObject" ILIKE '%Image File Execution Options%' AND "Details" ILIKE '%Debugger%' THEN 10
       WHEN "Image" ILIKE '%mofcomp.exe%' THEN 9
       WHEN "TargetObject" ILIKE '%WbemAdap%' THEN 8
       ELSE 5 END as RiskScore
FROM events
WHERE (
  (eventid IN (12,13) AND (
    "TargetObject" ILIKE '%Image File Execution Options%Debugger%' OR
    "TargetObject" ILIKE '%WbemAdap%' OR
    "TargetObject" ILIKE '%AppCompatFlags%InstalledSDB%'))
  OR (eventid = 1 AND (
    "Image" ILIKE '%mofcomp.exe%' OR
    ("Image" ILIKE '%wmic.exe%' AND ("CommandLine" ILIKE '%subscription%' OR "CommandLine" ILIKE '%filter2consumer%'))))
)
ORDER BY EventTime DESC

Detects event-triggered execution persistence via WMI subscriptions and IFEO debugger registry keys in QRadar.

high severity medium confidence

Data Sources

Windows Sysmon Windows Security Event Log

Required Tables

events

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| json auto
| where EventID in ("1","12","13","19","20","21")
| eval detection_type = case(
    EventID in ("12","13") AND matches(TargetObject, "(?i)Image File Execution Options.*Debugger"), "IFEO_Debugger",
    EventID in ("12","13") AND matches(TargetObject, "(?i)WbemAdap"), "WMI_Registry",
    EventID in ("12","13") AND matches(TargetObject, "(?i)AppCompatFlags.*InstalledSDB"), "SDB_Shim",
    EventID in ("19","20","21"), "WMI_Subscription",
    EventID == "1" AND (toLower(Image) matches ".*(mofcomp|wmic)\.exe$"), "WMI_MOF_Compile",
    true(), null())
| where !isNull(detection_type)
| table _time, Computer, User, EventID, detection_type, Image, CommandLine, TargetObject
| sort by _time desc

Detects event-triggered execution persistence mechanisms including WMI subscriptions and IFEO debugger keys in Sumo Logic.

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic

Required Tables

windows/sysmon

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

Google Chronicle / SecOps

yaral

rule event_triggered_execution_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects event-triggered execution persistence (T1546)"
    severity = "HIGH"
    tactic = "TA0003"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)Image File Execution Options`) nocase and
      $e.target.registry.registry_value_name = "Debugger"
    ) or
    re.regex($e.target.registry.registry_key, `(?i)(WbemAdap|AppCompatFlags.*InstalledSDB)`) nocase

  condition:
    $e
}

Chronicle YARA-L rule detecting event-triggered execution persistence via IFEO debugger and WMI registry keys.

high severity medium confidence

Data Sources

Windows Registry Events via Chronicle UDM

Required Tables

REGISTRY_MODIFICATION

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /(mofcomp|wmic)\.exe$/i
   AND (CommandLine = /(subscription|filter2consumer|ConsumerToFilter)/i OR CommandLine = /\.mof$/i))
  OR (ImageFileName = /reg\.exe$/i AND CommandLine = /Image File Execution Options.*Debugger/i)
| eval detection_type = case {
    ImageFileName = /mofcomp\.exe$/i : "WMI_MOF_Compile";
    ImageFileName = /wmic\.exe$/i AND CommandLine = /subscription/i : "WMI_Subscription";
    CommandLine = /IFEO.*Debugger/i : "IFEO_Debugger";
    * : "event_persistence"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type
| sort by timestamp desc

Detects WMI subscription persistence and IFEO debugger configuration via CrowdStrike Falcon.

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

Event Triggered Execution

What is T1546 Event Triggered Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1546

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (18)

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

What is T1546 Event Triggered Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1546

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (18)

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

Get new detections in your inbox