Detect Event Triggered Execution in IBM QRadar
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Adversaries abuse these mechanisms — including WMI event subscriptions, screensaver hijacking, PowerShell profile modification, AppInit DLLs, IFEO injection, COM hijacking, accessibility feature replacement, Unix shell configuration modification, and application shimming — to execute malicious code automatically when specific system events occur. Since the execution can be proxied by an account with higher permissions such as SYSTEM or service accounts, adversaries may escalate privileges through these triggered execution mechanisms.
MITRE ATT&CK
- Tactic
- Privilege Escalation, Persistence
- Technique
- T1546 Event Triggered Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1546/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
       logsourcename(logsourceid) as LogSource,
       username as User,
       "EventID" as SysmonEventID,
       "TargetObject" as RegistryKey,
       "Image" as ProcessImage,
       "CommandLine" as CommandLine,
       "Details" as RegistryValue,
       CASE WHEN "TargetObject" ILIKE '%Image File Execution Options%Debugger' THEN 10
            WHEN "Image" ILIKE '%mofcomp.exe%' THEN 9
            WHEN "EventID" = 21 THEN 9
            WHEN "TargetObject" ILIKE '%WbemAdap%' THEN 8
            ELSE 5 END as RiskScore
FROM events
WHERE (
    ("EventID" IN (12, 13) AND (
        "TargetObject" ILIKE '%Image File Execution Options%Debugger' OR
        "TargetObject" ILIKE '%WbemAdap%' OR
        "TargetObject" ILIKE '%AppCompatFlags%InstalledSDB%'))
    OR ("EventID" = 1 AND (
        "Image" ILIKE '%mofcomp.exe%' OR
        ("Image" ILIKE '%wmic.exe%' AND (
            "CommandLine" ILIKE '%subscription%' OR
            "CommandLine" ILIKE '%FilterToConsumerBinding%'))))
    OR "EventID" IN (19, 20, 21)
)
ORDER BY devicetime DESC
LAST 24 HOURS
Detects event-triggered execution persistence in QRadar: WMI subscriptions (Sysmon Event IDs 19/20/21 for filter, consumer and binding creation, plus mofcomp.exe and wmic.exe runs against the root\subscription namespace or the __FilterToConsumerBinding class), IFEO Debugger values, and shim-database (InstalledSDB) registration. The CASE ranks an IFEO Debugger value highest because the debugger path is run in place of the target binary whenever it starts. "EventID", "TargetObject", "Image", "CommandLine" and "Details" are the Sysmon fields as QRadar exposes them as custom event properties; adjust the names if your Sysmon parsing differs. The wmic.exe clause only catches interactive creation; PowerShell-based subscriptions (Set-WmiInstance, New-CimInstance) surface through the Sysmon 19/20/21 clause instead.
Data Sources
- Sysmon: Event ID 1 (process creation), Event IDs 12 and 13 (registry key and value operations), Event IDs 19, 20 and 21 (WMI filter, consumer and filter-to-consumer binding creation)
- Windows Security log: Event ID 4657 (registry value modified), only if object access auditing is enabled on the relevant keys
- Microsoft-Windows-WMI-Activity/Operational: Event ID 5861 (new permanent WMI subscription)
Required Tables
- events, with the Sysmon fields EventID, Image, CommandLine, TargetObject and Details parsed as custom event properties
False Positives & Tuning
- Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
- Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
- Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
- sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
- Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
- PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE
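The following Python is an added example written for this page, not the page's original query and not QRadar code. It mirrors the AQL query's WHERE and CASE logic over Sysmon-shaped event dicts and layers on the allow-list tuning described above (developer-tool debuggers under IFEO, a trusted management-agent parent for sdbinst.exe and wmic.exe). Field names follow Sysmon's schema as QRadar exposes them; the sample events, the vsjitdebugger.exe and windbg.exe allow-list entries, and the SCCM client path are constructed assumptions for illustration, not vendor facts.

```python
"""Stateless mirror of the AQL detection plus allow-list tuning.

Added example for this page; not QRadar code and not the original query.
All sample events and allow-list paths are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

IFEO_KEY = "image file execution options"

# Tuning knobs (assumed values): debugger binaries that developer tools
# legitimately register under IFEO, and parent processes allowed to run
# sdbinst.exe / wmic.exe (SCCM client path assumed, adjust to your estate).
DEFAULT_ALLOW = {
    "ifeo_debuggers": {"vsjitdebugger.exe", "windbg.exe"},
    "trusted_parents": {r"c:\windows\ccm\ccmexec.exe"},
}

@dataclass(frozen=True)
class Verdict:
    risk: int
    reason: str

def _has(value: Optional[str], needle: str) -> bool:
    """Case-insensitive substring test, the Python twin of AQL ILIKE '%x%'."""
    return bool(value) and needle.lower() in value.lower()

def debugger_basename(details: str) -> str:
    """Executable name from an IFEO Debugger value such as
    '"C:\\Windows\\System32\\vsjitdebugger.exe" -p %ld -e %ld' or 'cmd.exe'."""
    d = details.strip()
    exe = d[1:].split('"', 1)[0] if d.startswith('"') else d.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()

def score(ev: dict, allow: dict = DEFAULT_ALLOW) -> Optional[Verdict]:
    """Return a Verdict for events the query would surface, None otherwise."""
    eid = ev.get("EventID")
    target, image = ev.get("TargetObject", ""), ev.get("Image", "")
    parent = ev.get("ParentImage", "").lower()
    cmd, details = ev.get("CommandLine", ""), ev.get("Details", "")

    if eid in (12, 13):
        if _has(target, IFEO_KEY) and target.lower().endswith("\\debugger"):
            if debugger_basename(details) in allow["ifeo_debuggers"]:
                return None          # developer tooling, tuned out
            return Verdict(10, "IFEO Debugger value set")
        if _has(target, "WbemAdap"):
            return Verdict(8, "WMI-related registry key modified")
        if _has(target, "AppCompatFlags") and _has(target, "InstalledSDB"):
            if parent in allow["trusted_parents"]:
                return None          # IT-pushed shim database
            return Verdict(5, "shim database registered")
    elif eid == 1:
        if _has(image, "mofcomp.exe"):
            return Verdict(9, "mofcomp.exe compiled a MOF file")
        if _has(image, "wmic.exe") and (_has(cmd, "subscription")
                                        or _has(cmd, "FilterToConsumerBinding")):
            if parent in allow["trusted_parents"]:
                return None          # management tooling, tuned out
            return Verdict(5, "wmic.exe touched root\\subscription")
    return None

def triage(events: list, allow: dict = DEFAULT_ALLOW) -> list:
    """Score a batch; return (risk, reason, event) tuples, highest risk first."""
    hits = [(v.risk, v.reason, ev) for ev in events if (v := score(ev, allow))]
    return sorted(hits, key=lambda h: h[0], reverse=True)

# Constructed sample telemetry: three malicious, two benign, one irrelevant.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\Debugger",
     "Details": "cmd.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\app.exe\Debugger",
     "Details": r'"C:\Windows\System32\vsjitdebugger.exe" -p %ld -e %ld'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\mofcomp.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mofcomp.exe C:\Windows\Temp\persist.mof"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"f\"" Consumer="CommandLineEventConsumer.Name=\"c\""'},
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{1111-2222}\DatabasePath",
     "Details": r"C:\Windows\AppPatch\Custom\{1111-2222}.sdb"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for risk, reason, ev in triage(SAMPLE_EVENTS):
        print(f"[{risk:>2}] {reason}: {ev.get('TargetObject') or ev.get('CommandLine')}")
```

Running the block prints the three hits in risk order (10, 9, 5); the Visual Studio debugger registration and the SCCM-pushed shim database are suppressed by the allow-list, and the unrelated Explorer registry write never matches. Because the allow-list is keyed on the debugger basename and the parent image rather than on the user account, a renamed payload dropped next to a trusted agent would still score; tighten by matching full paths if your estate allows it.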
Testing Methodology
Validate this detection against the five Atomic Red Team tests for T1546 listed below. Each test names the behaviour to exercise and the telemetry you should expect to see.
- Test 1: WMI Event Subscription Persistence via PowerShell
Expected signal: Sysmon Event IDs 19 (WmiEventFilter created: df00tech-test-filter), 20 (WmiEventConsumer created: df00tech-test-consumer) and 21 (WmiEventConsumerToFilter binding). Microsoft-Windows-WMI-Activity/Operational Event ID 5861 (new permanent subscription). Sysmon Event ID 1 for the cmd.exe spawned when the subscription fires, with WmiPrvSE.exe as the parent. Note that this test does not run mofcomp.exe or wmic.exe, so only the Sysmon 19/20/21 clause of the query catches it. For Microsoft Defender for Endpoint the equivalent KQL is: DeviceProcessEvents | where InitiatingProcessFileName =~ 'WmiPrvSE.exe'.
- Test 2: Image File Execution Options Injection on calc.exe
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\Debugger, Details = cmd.exe, Image = reg.exe. Security Event ID 4657 if object access auditing is enabled on the key. When calc.exe is subsequently launched, Sysmon Event ID 1 shows cmd.exe starting in place of calc.exe with the original calc.exe path appended to its CommandLine; the ParentImage is whatever launched calc.exe (typically explorer.exe), not calc.exe itself.
- Test 3: AppInit DLL Persistence Registration
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, Details = C:\Users\Public\malicious.dll, Image = reg.exe. A second Event ID 13 for LoadAppInit_DLLs = 1 in the same key. Security Event ID 4657 if the audit policy covers this key. Caveat: on Windows 8 and later with Secure Boot enabled, AppInit DLL loading is disabled, so the registry writes are visible but no DLL load follows; on 64-bit systems the Wow6432Node copy of the key governs 32-bit processes and should be monitored too.
- Test 4: Screensaver Persistence via Registry
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKCU\Control Panel\Desktop\SCRNSAVE.EXE, Details = C:\Windows\System32\calc.exe, Image = reg.exe. Note: Sysmon records HKCU writes under HKU\<SID>\..., so match on the value name rather than the hive prefix. When the screensaver activates, Sysmon Event ID 1 shows calc.exe spawning from winlogon.exe.
- Test 5: Application Shimming via sdbinst.exe
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image = C:\Windows\System32\sdbinst.exe, CommandLine = sdbinst.exe C:\Windows\Temp\test.sdb, ParentImage = python.exe or cmd.exe. If the SDB installs successfully, Sysmon Event ID 13 for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\<GUID> and for the matching AppCompatFlags\Custom\<target executable> entry.
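Test 1 is the one case the stateless query only partially covers: the three Sysmon WMI events describe one subscription but arrive as separate records. The Python below is an added example for this page (not Sysmon, QRadar or Atomic Red Team code) that stitches Sysmon Event IDs 19, 20 and 21 back into subscriptions, reports whether the consumer type runs code, and keeps orphan bindings whose filter or consumer was created outside the collection window. Field names follow Sysmon's WMI event schema; the sample events are constructed, using the filter and consumer names quoted in Test 1 and a typical __InstanceModificationEvent query.

```python
"""Reconstruct WMI subscriptions from Sysmon Event IDs 19/20/21.

Added example for this page; not Sysmon, QRadar or Atomic Red Team code.
Sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sysmon 21 references both ends as 'ClassName.Name="value"'.
_NAME_RE = re.compile(r'Name="([^"]+)"')

# Consumer types that execute attacker-supplied content when the filter fires.
EXECUTING_CONSUMERS = {"Command Line", "Active Script"}

@dataclass
class Subscription:
    filter_name: str
    consumer_name: str
    user: str = ""
    query: Optional[str] = None          # None if the Event ID 19 was not seen
    consumer_type: Optional[str] = None  # None if the Event ID 20 was not seen
    destination: Optional[str] = None

    @property
    def complete(self) -> bool:
        return self.query is not None and self.consumer_type is not None

    @property
    def executes_code(self) -> bool:
        return self.consumer_type in EXECUTING_CONSUMERS

def _name_from_ref(ref: str) -> str:
    """'__EventFilter.Name="x"' -> 'x'; unparseable refs are returned as-is."""
    m = _NAME_RE.search(ref)
    return m.group(1) if m else ref

def reconstruct(events: list) -> list:
    """Join filters (19) and consumers (20) onto bindings (21).

    Every binding is returned, even when one side was created outside the
    collected window, because an orphan binding is still a live subscription."""
    filters = {e["Name"]: e for e in events
               if e["EventID"] == 19 and e.get("Operation") == "Created"}
    consumers = {e["Name"]: e for e in events
                 if e["EventID"] == 20 and e.get("Operation") == "Created"}
    subs = []
    for e in events:
        if e["EventID"] != 21 or e.get("Operation") != "Created":
            continue
        fname = _name_from_ref(e["Filter"])
        cname = _name_from_ref(e["Consumer"])
        f, c = filters.get(fname), consumers.get(cname)
        subs.append(Subscription(
            filter_name=fname, consumer_name=cname, user=e.get("User", ""),
            query=f["Query"] if f else None,
            consumer_type=c["Type"] if c else None,
            destination=c["Destination"] if c else None))
    return subs

# Constructed Sysmon-style events for Test 1, plus one orphan binding.
WMI_EVENTS = [
    {"EventID": 19, "Operation": "Created", "User": "LAB\\admin",
     "Name": "df00tech-test-filter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": "LAB\\admin",
     "Name": "df00tech-test-consumer", "Type": "Command Line",
     "Destination": "cmd.exe /c whoami"},
    {"EventID": 21, "Operation": "Created", "User": "LAB\\admin",
     "Consumer": 'CommandLineEventConsumer.Name="df00tech-test-consumer"',
     "Filter": '__EventFilter.Name="df00tech-test-filter"'},
    # Orphan: filter and consumer were created before collection started.
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'ActiveScriptEventConsumer.Name="old-consumer"',
     "Filter": '__EventFilter.Name="old-filter"'},
]

if __name__ == "__main__":
    for s in reconstruct(WMI_EVENTS):
        state = "complete" if s.complete else "orphan binding"
        print(f"{s.user}: {s.filter_name} -> {s.consumer_name} "
              f"[{s.consumer_type}] {state}: {s.destination}")
```

The first subscription comes back complete with a Command Line consumer, which is exactly what Test 1 should produce; the second is reported as an orphan binding with no query or consumer type, which is the case to escalate rather than drop, since the binding alone proves the subscription is active. In QRadar the same join is a three-event rule over the 19/20/21 records keyed on the Name values, with the Event ID 21 as the trigger.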
References (10)
- https://attack.mitre.org/techniques/T1546/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
- https://www.microsoft.com/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team
- https://github.com/mandiant/ShimCacheParser
- https://learn.microsoft.com/en-us/windows/win32/dlls/appinit-dlls-in-windows-7-and-windows-server-2008-r2
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/eventlogprov/win32-ntlogevent
- https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1546
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry
- https://www.blackhat.com/docs/us-15/materials/us-15-Pierce-Defending-Against-Malicious-Application-Shimming.pdf
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Related Detections
Sub-techniques (18)
- T1546.001Change Default File Association
- T1546.002Screensaver
- T1546.003Windows Management Instrumentation Event Subscription
- T1546.004Unix Shell Configuration Modification
- T1546.005Trap
- T1546.006LC_LOAD_DYLIB Addition
- T1546.007Netsh Helper DLL
- T1546.008Accessibility Features
- T1546.009AppCert DLLs
- T1546.010AppInit DLLs
- T1546.011Application Shimming
- T1546.012Image File Execution Options Injection
- T1546.013PowerShell Profile
- T1546.014Emond
- T1546.015Component Object Model Hijacking
- T1546.016Installer Packages
- T1546.017Udev Rules
- T1546.018Python Startup Hooks