T1546 Microsoft Sentinel · KQL

Detect Event Triggered Execution in Microsoft Sentinel

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Adversaries abuse these mechanisms — including WMI event subscriptions, screensaver hijacking, PowerShell profile modification, AppInit DLLs, IFEO injection, COM hijacking, accessibility feature replacement, Unix shell configuration modification, and application shimming — to execute malicious code automatically when specific system events occur. Since the execution can be proxied by an account with higher permissions such as SYSTEM or service accounts, adversaries may escalate privileges through these triggered execution mechanisms.

MITRE ATT&CK

Tactic
Privilege Escalation Persistence
Technique
T1546 Event Triggered Execution
Canonical reference
https://attack.mitre.org/techniques/T1546/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1546 — Event Triggered Execution: broad detection covering WMI subscriptions, registry-based triggers, and file-based persistence hooks
let WmiSubscriptionRegistryPaths = dynamic([
  "\\SOFTWARE\\Microsoft\\WBEM",
  "\\SYSTEM\\CurrentControlSet\\Services\\WbemAdap"
]);
let RegistryTriggerPaths = dynamic([
  // AppInit DLLs (T1546.010)
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
  "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
  // Image File Execution Options (T1546.012)
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
  // Screensaver (T1546.002)
  "\\Control Panel\\Desktop\\SCRNSAVE.EXE",
  // AppCert DLLs (T1546.009)
  "\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls",
  // Netsh Helper DLL (T1546.007)
  "\\SOFTWARE\\Microsoft\\NetSh",
  // COM Hijacking (T1546.015)
  "\\SOFTWARE\\Classes\\CLSID"
]);
let AccessibilityBinaries = dynamic([
  "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
  "narrator.exe", "displayswitch.exe", "atbroker.exe", "wscript.exe"
]);
let SdbInstPaths = dynamic(["sdbinst.exe"]);
// Detection 1: Suspicious registry modifications to event-triggered persistence locations
let RegistryTriggers = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (RegistryTriggerPaths)
| where RegistryValueData != "" or ActionType == "RegistryKeyCreated"
// Exclude known-good IFEO entries (debugger set to legitimate tools)
| where not (RegistryKey contains "Image File Execution Options" and RegistryValueName == "Debugger" and
             (RegistryValueData has "vsjitdebugger.exe" or RegistryValueData has "windbg.exe" or RegistryValueData has "drwtsn32.exe"))
| extend DetectionType = case(
    RegistryKey contains "AppInit_DLLs", "AppInit_DLL_Persistence",
    RegistryKey contains "Image File Execution Options", "IFEO_Hijacking",
    RegistryKey contains "SCRNSAVE.EXE", "Screensaver_Persistence",
    RegistryKey contains "AppCertDlls", "AppCertDLL_Persistence",
    RegistryKey contains "NetSh", "Netsh_Helper_DLL",
    RegistryKey contains "CLSID", "COM_Hijacking",
    "Event_Triggered_Registry"
  )
| project Timestamp, DeviceName, AccountName, DetectionType, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
// Detection 2: WMI event subscription creation via process telemetry
let WmiSubscriptions = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("subscription", "ActiveScriptEventConsumer", "CommandLineEventConsumer", "EventFilter", "FilterToConsumerBinding"))
   or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Set-WmiInstance", "New-CimInstance", "__EventFilter", "__EventConsumer", "__FilterToConsumerBinding", "ActiveScriptEventConsumer", "CommandLineEventConsumer"))
| extend DetectionType = "WMI_Subscription_Creation"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine = ProcessCommandLine,
          InitiatingProcessAccountName = AccountName;
// Detection 3: Application Shimming via sdbinst.exe
let AppShimming = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sdbinst.exe"
| where ProcessCommandLine !has "/u" // /u is uninstall — less suspicious
| extend DetectionType = "App_Shimming_SDB_Install"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine = ProcessCommandLine,
          InitiatingProcessAccountName = AccountName;
// Detection 4: Accessibility feature binary replacement (T1546.008)
let AccessibilityHijack = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName has_any (AccessibilityBinaries)
| where FolderPath has_any ("\\Windows\\System32", "\\Windows\\SysWOW64")
// Exclude Windows Update and TrustedInstaller paths
| where InitiatingProcessFileName !in~ ("TiWorker.exe", "TrustedInstaller.exe", "wuauclt.exe", "svchost.exe")
| extend DetectionType = "Accessibility_Feature_Hijack"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = "", RegistryValueName = FileName, RegistryValueData = FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessAccountName = InitiatingProcessAccountName;
// Detection 5: PowerShell profile creation/modification (T1546.013)
let PsProfilePaths = dynamic([
  "\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1",
  "\\WindowsPowerShell\\profile.ps1",
  "\\PowerShell\\Microsoft.PowerShell_profile.ps1",
  "\\PowerShell\\profile.ps1"
]);
let PowerShellProfile = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (PsProfilePaths) or (FileName has "_profile.ps1" and FolderPath has "PowerShell")
| where InitiatingProcessFileName !in~ ("powershell.exe", "pwsh.exe", "code.exe", "notepad.exe", "devenv.exe")
| extend DetectionType = "PowerShell_Profile_Modification"
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey = FolderPath, RegistryValueName = FileName, RegistryValueData = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessAccountName = InitiatingProcessAccountName;
// Union all detections
union RegistryTriggers, WmiSubscriptions, AppShimming, AccessibilityHijack, PowerShellProfile
| sort by Timestamp desc
high severity medium confidence

Detects multiple T1546 Event Triggered Execution sub-techniques across Windows platforms using Microsoft Defender for Endpoint telemetry. Covers: (1) Registry modifications to AppInit_DLLs, IFEO, screensaver, AppCertDlls, Netsh Helper, and COM hijacking keys; (2) WMI event subscription creation via wmic.exe or PowerShell; (3) Application shimming via sdbinst.exe; (4) Accessibility feature binary replacement (utilman.exe, sethc.exe, etc.) targeting System32/SysWOW64; (5) PowerShell profile creation/modification from unexpected parent processes. Each detection arm is labeled with DetectionType for downstream triage and routing.

Data Sources

Registry: Windows Registry Key ModificationProcess: Process CreationFile: File CreationFile: File ModificationWMI: WMI CreationMicrosoft Defender for Endpoint

Required Tables

DeviceRegistryEventsDeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • Software installation routines legitimately modifying AppInit_DLLs or registering COM objects — especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks
  • Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes
  • Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)
  • sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
  • Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
  • PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE
Download portable Sigma rule (.yml)

Other platforms for T1546

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMI Event Subscription Persistence via PowerShell

    Expected signal: Sysmon Event IDs 19 (WmiEventFilter created: df00tech-test-filter), 20 (WmiEventConsumer created: df00tech-test-consumer), 21 (WmiEventConsumerToFilter binding). WMI Activity Operational log Event ID 5861 (New subscription). Sysmon Event ID 1 for the spawned cmd.exe when the subscription fires (parent will be WmiPrvSE.exe). KQL: DeviceProcessEvents where InitiatingProcessFileName =~ 'WmiPrvSE.exe'.

  2. Test 2Image File Execution Options Injection on calc.exe

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\Debugger, Details = cmd.exe, Image = reg.exe. Security Event ID 4657 (if object access auditing enabled). When calc.exe is subsequently launched, Sysmon Event ID 1 will show cmd.exe spawning with ParentCommandLine referencing calc.exe.

  3. Test 3AppInit DLL Persistence Registration

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, Details = C:\Users\Public\malicious.dll, Image = reg.exe. Second event for LoadAppInit_DLLs = 1. Security Event ID 4657 if audit policy covers this key.

  4. Test 4Screensaver Persistence via Registry

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKCU\Control Panel\Desktop\SCRNSAVE.EXE, Details = C:\Windows\System32\calc.exe, Image = reg.exe. Note: HKCU modifications generate EventCode=13 with the current user's SID in the path. When screensaver activates, Sysmon Event ID 1 will show calc.exe spawning from winlogon.exe.

  5. Test 5Application Shimming via sdbinst.exe

    Expected signal: Sysmon Event ID 1 (Process Create): Image = C:\Windows\System32\sdbinst.exe, CommandLine = sdbinst.exe C:\Windows\Temp\test.sdb, ParentImage = python.exe or cmd.exe. Registry modification events (Sysmon Event ID 13) for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB if the SDB installs successfully.

Last updated: 2026-03-15 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1546 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (18)

Related Techniques

T1546.003Windows Management Instrumentation Event SubscriptionT1546.008Accessibility FeaturesT1546.010AppInit DLLsT1546.012Image File Execution Options InjectionT1546.015Component Object Model HijackingT1546.013PowerShell ProfileT1546.011Application ShimmingT1546.007Netsh Helper DLLT1059.001PowerShellT1543Create or Modify System ProcessT1053.005Scheduled TaskT1574Hijack Execution FlowT1055Process Injection

Same Tactic: Privilege Escalation

Popular Detections