T1546 Event Triggered Execution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1546 — Event Triggered Execution: broad detection covering WMI subscriptions, registry-based triggers, and file-based persistence hooks
let WmiSubscriptionRegistryPaths = dynamic([
  "\\SOFTWARE\\Microsoft\\WBEM",
  "\\SYSTEM\\CurrentControlSet\\Services\\WbemAdap"
]);
let RegistryTriggerPaths = dynamic([
  // AppInit DLLs (T1546.010)
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
  "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
  // Image File Execution Options (T1546.012)
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
  // Screensaver (T1546.002)
  "\\Control Panel\\Desktop\\SCRNSAVE.EXE",
  // AppCert DLLs (T1546.009)
  "\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls",
  // Netsh Helper DLL (T1546.007)
  "\\SOFTWARE\\Microsoft\\NetSh",
  // COM Hijacking (T1546.015)
  "\\SOFTWARE\\Classes\\CLSID"
]);
let AccessibilityBinaries = dynamic([
  "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
  "narrator.exe", "displayswitch.exe", "atbroker.exe", "wscript.exe"
]);
let SdbInstPaths = dynamic(["sdbinst.exe"]);
// Detection 1: Suspicious registry modifications to event-triggered persistence locations
let RegistryTriggers = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (RegistryTriggerPaths)
| where RegistryValueData != "" or ActionType == "RegistryKeyCreated"
// Exclude known-good IFEO entries (debugger set to legitimate tools)
| where not (RegistryKey contains "Image File Execution Options" and RegistryValueName == "Debugger" and
             (RegistryValueData has "vsjitdebugger.exe" or RegistryValueData has "windbg.exe" or RegistryValueData has "drwtsn32.exe"))
| extend DetectionType = case(
    RegistryKey contains "AppInit_DLLs", "AppInit_DLL_Persistence",
    RegistryKey contains "Image File Execution Options", "IFEO_Hijacking",
    RegistryKey contains "SCRNSAVE.EXE", "Screensaver_Persistence",
    RegistryKey contains "AppCertDlls", "AppCertDLL_Persistence",
    RegistryKey contains "NetSh", "Netsh_Helper_DLL",
    RegistryKey contains "CLSID", "COM_Hijacking",
    "Event_Triggered_Registry"
  )
| project Timestamp, DeviceName, AccountName, DetectionType, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
// Detection 2: WMI event subscription creation via process telemetry
let WmiSubscriptions = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("subscription", "ActiveScriptEventConsumer", "CommandLineEventConsumer", "EventFilter", "FilterToConsumerBinding"))
   or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Set-WmiInstance", "New-CimInstance", "__EventFilter", "__EventConsumer", "__FilterToConsumerBinding", "ActiveScriptEventConsumer", "CommandLineEventConsumer"))
| extend DetectionType = "WMI_Subscription_Creation"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine = ProcessCommandLine,
          InitiatingProcessAccountName = AccountName;
// Detection 3: Application Shimming via sdbinst.exe
let AppShimming = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sdbinst.exe"
| where ProcessCommandLine !has "/u" // /u is uninstall — less suspicious
| extend DetectionType = "App_Shimming_SDB_Install"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine = ProcessCommandLine,
          InitiatingProcessAccountName = AccountName;
// Detection 4: Accessibility feature binary replacement (T1546.008)
let AccessibilityHijack = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName has_any (AccessibilityBinaries)
| where FolderPath has_any ("\\Windows\\System32", "\\Windows\\SysWOW64")
// Exclude Windows Update and TrustedInstaller paths
| where InitiatingProcessFileName !in~ ("TiWorker.exe", "TrustedInstaller.exe", "wuauclt.exe", "svchost.exe")
| extend DetectionType = "Accessibility_Feature_Hijack"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = "", RegistryValueName = FileName, RegistryValueData = FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessAccountName = InitiatingProcessAccountName;
// Detection 5: PowerShell profile creation/modification (T1546.013)
let PsProfilePaths = dynamic([
  "\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1",
  "\\WindowsPowerShell\\profile.ps1",
  "\\PowerShell\\Microsoft.PowerShell_profile.ps1",
  "\\PowerShell\\profile.ps1"
]);
let PowerShellProfile = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (PsProfilePaths) or (FileName has "_profile.ps1" and FolderPath has "PowerShell")
| where InitiatingProcessFileName !in~ ("powershell.exe", "pwsh.exe", "code.exe", "notepad.exe", "devenv.exe")
| extend DetectionType = "PowerShell_Profile_Modification"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = FolderPath, RegistryValueName = FileName, RegistryValueData = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessAccountName = InitiatingProcessAccountName;
// Union all detections
union RegistryTriggers, WmiSubscriptions, AppShimming, AccessibilityHijack, PowerShellProfile
| sort by Timestamp desc

high severity medium confidence

Data Sources

Registry: Windows Registry Key Modification Process: Process Creation File: File Creation File: File Modification WMI: WMI Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceProcessEvents DeviceFileEvents

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

Splunk

spl

| multisearch
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
      (TargetObject="*\\AppInit_DLLs" OR TargetObject="*\\Image File Execution Options*" OR
       TargetObject="*\\SCRNSAVE.EXE" OR TargetObject="*\\AppCertDlls*" OR
       TargetObject="*\\NetSh*" OR TargetObject="*SOFTWARE\\Classes\\CLSID*")
    | eval DetectionType=case(
        like(TargetObject, "%AppInit_DLLs%"), "AppInit_DLL_Persistence",
        like(TargetObject, "%Image File Execution Options%"), "IFEO_Hijacking",
        like(TargetObject, "%SCRNSAVE.EXE%"), "Screensaver_Persistence",
        like(TargetObject, "%AppCertDlls%"), "AppCertDLL_Persistence",
        like(TargetObject, "%NetSh%"), "Netsh_Helper_DLL",
        like(TargetObject, "%CLSID%"), "COM_Hijacking",
        1=1, "Event_Triggered_Registry"
      )
    | eval EventDescription="Registry value set to: ".Details
    | table _time, host, User, DetectionType, TargetObject, Details, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=12
      (TargetObject="*\\AppInit_DLLs" OR TargetObject="*\\Image File Execution Options*" OR
       TargetObject="*\\AppCertDlls*" OR TargetObject="*\\NetSh*")
    | eval DetectionType="Event_Triggered_Registry_Key_Created"
    | table _time, host, User, DetectionType, TargetObject, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=19 OR EventCode=20 OR EventCode=21
    | eval DetectionType=case(
        EventCode=19, "WMI_EventFilter_Created",
        EventCode=20, "WMI_EventConsumer_Created",
        EventCode=21, "WMI_FilterToConsumerBinding",
        1=1, "WMI_Subscription"
      )
    | eval EventDescription=coalesce(Query, Destination, Consumer)
    | table _time, host, User, DetectionType, EventDescription, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      (Image="*\\wmic.exe" (CommandLine="*subscription*" OR CommandLine="*ActiveScriptEventConsumer*" OR CommandLine="*CommandLineEventConsumer*" OR CommandLine="*EventFilter*" OR CommandLine="*FilterToConsumerBinding*"))
      OR (Image="*\\wmic.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
      (CommandLine="*Set-WmiInstance*" OR CommandLine="*New-CimInstance*" OR CommandLine="*__EventFilter*" OR CommandLine="*__EventConsumer*")
    | eval DetectionType="WMI_Subscription_Creation_Process"
    | table _time, host, User, DetectionType, Image, CommandLine, ParentImage, ParentCommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      Image="*\\sdbinst.exe" NOT CommandLine="*/u*"
    | eval DetectionType="App_Shimming_SDB_Install"
    | table _time, host, User, DetectionType, Image, CommandLine, ParentImage, ParentCommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*\\Windows\\System32\\sethc.exe" OR TargetFilename="*\\Windows\\System32\\utilman.exe" OR
       TargetFilename="*\\Windows\\System32\\osk.exe" OR TargetFilename="*\\Windows\\System32\\magnify.exe" OR
       TargetFilename="*\\Windows\\System32\\narrator.exe" OR TargetFilename="*\\Windows\\System32\\displayswitch.exe" OR
       TargetFilename="*\\Windows\\System32\\atbroker.exe")
      NOT (Image="*\\TiWorker.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\wuauclt.exe")
    | eval DetectionType="Accessibility_Feature_Hijack"
    | table _time, host, User, DetectionType, TargetFilename, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*\\WindowsPowerShell\\*_profile.ps1" OR TargetFilename="*\\PowerShell\\*_profile.ps1" OR TargetFilename="*\\WindowsPowerShell\\profile.ps1")
      NOT (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\Code.exe" OR Image="*\\notepad.exe" OR Image="*\\devenv.exe")
    | eval DetectionType="PowerShell_Profile_Modification"
    | table _time, host, User, DetectionType, TargetFilename, Image, CommandLine
  ]
| eval SuspicionScore=case(
    DetectionType="IFEO_Hijacking", 3,
    DetectionType="WMI_FilterToConsumerBinding", 4,
    DetectionType="WMI_EventConsumer_Created", 3,
    DetectionType="Accessibility_Feature_Hijack", 4,
    DetectionType="App_Shimming_SDB_Install", 2,
    DetectionType="WMI_Subscription_Creation_Process", 3,
    DetectionType="AppInit_DLL_Persistence", 3,
    DetectionType="Screensaver_Persistence", 2,
    DetectionType="PowerShell_Profile_Modification", 2,
    1=1, 1
  )
| table _time, host, User, DetectionType, SuspicionScore, Image, CommandLine, TargetObject, TargetFilename
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Registry: Windows Registry Key Modification Process: Process Creation File: File Creation WMI: WMI Creation Sysmon Event IDs 1, 11, 12, 13, 19, 20, 21

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Third-party security products (endpoint agents, DLP tools) legitimately registering themselves via AppInit_DLLs or COM objects during installation
IT teams applying vendor application compatibility shim databases via sdbinst.exe as part of OS migration or legacy application support programs
WMI subscriptions deployed by legitimate monitoring frameworks (SCCM, BMC TrueSight, SolarWinds) for infrastructure health checks
IFEO Debugger entries created by development tools (Visual Studio Just-In-Time debugger, process monitor) during legitimate debugging sessions
Group Policy-enforced screensaver settings pushed organization-wide for compliance with screen lock requirements

Elastic Security (EQL)

eql

any where
  (event.category == "registry" and
   (registry.path : ("*\\SOFTWARE\\Microsoft\\WBEM*",
                      "*\\SYSTEM\\CurrentControlSet\\Services\\WbemAdap*",
                      "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB*",
                      "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*") and
    registry.value : ("Debugger","GlobalFlag"))) or
  (event.category == "process" and event.type == "start" and
   process.name : ("wmic.exe","mofcomp.exe") and
   process.args : ("subscription","create","MOF","ConsumerToFilter","filter2consumer"))

high severity medium confidence

Data Sources

Windows Registry Events Windows Process Events

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.process-*

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "TargetObject" as RegistryKey, "Image" as ProcessImage,
  "CommandLine" as CommandLine,
  CASE WHEN "TargetObject" ILIKE '%Image File Execution Options%' AND "Details" ILIKE '%Debugger%' THEN 10
       WHEN "Image" ILIKE '%mofcomp.exe%' THEN 9
       WHEN "TargetObject" ILIKE '%WbemAdap%' THEN 8
       ELSE 5 END as RiskScore
FROM events
WHERE (
  (eventid IN (12,13) AND (
    "TargetObject" ILIKE '%Image File Execution Options%Debugger%' OR
    "TargetObject" ILIKE '%WbemAdap%' OR
    "TargetObject" ILIKE '%AppCompatFlags%InstalledSDB%'))
  OR (eventid = 1 AND (
    "Image" ILIKE '%mofcomp.exe%' OR
    ("Image" ILIKE '%wmic.exe%' AND ("CommandLine" ILIKE '%subscription%' OR "CommandLine" ILIKE '%filter2consumer%'))))
)
ORDER BY EventTime DESC

high severity medium confidence

Data Sources

Windows Sysmon Windows Security Event Log

Required Tables

events

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| json auto
| where EventID in ("1","12","13","19","20","21")
| eval detection_type = case(
    EventID in ("12","13") AND matches(TargetObject, "(?i)Image File Execution Options.*Debugger"), "IFEO_Debugger",
    EventID in ("12","13") AND matches(TargetObject, "(?i)WbemAdap"), "WMI_Registry",
    EventID in ("12","13") AND matches(TargetObject, "(?i)AppCompatFlags.*InstalledSDB"), "SDB_Shim",
    EventID in ("19","20","21"), "WMI_Subscription",
    EventID == "1" AND (toLower(Image) matches ".*(mofcomp|wmic)\.exe$"), "WMI_MOF_Compile",
    true(), null())
| where !isNull(detection_type)
| table _time, Computer, User, EventID, detection_type, Image, CommandLine, TargetObject
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic

Required Tables

windows/sysmon

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

Google Chronicle / SecOps

yaral

rule event_triggered_execution_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects event-triggered execution persistence (T1546)"
    severity = "HIGH"
    tactic = "TA0003"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)Image File Execution Options`) nocase and
      $e.target.registry.registry_value_name = "Debugger"
    ) or
    re.regex($e.target.registry.registry_key, `(?i)(WbemAdap|AppCompatFlags.*InstalledSDB)`) nocase

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Registry Events via Chronicle UDM

Required Tables

REGISTRY_MODIFICATION

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /(mofcomp|wmic)\.exe$/i
   AND (CommandLine = /(subscription|filter2consumer|ConsumerToFilter)/i OR CommandLine = /\.mof$/i))
  OR (ImageFileName = /reg\.exe$/i AND CommandLine = /Image File Execution Options.*Debugger/i)
| eval detection_type = case {
    ImageFileName = /mofcomp\.exe$/i : "WMI_MOF_Compile";
    ImageFileName = /wmic\.exe$/i AND CommandLine = /subscription/i : "WMI_Subscription";
    CommandLine = /IFEO.*Debugger/i : "IFEO_Debugger";
    * : "event_persistence"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE

Event Triggered Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (18)

Same Tactic: Privilege Escalation

Popular Detections