T1546 Splunk · SPL

Detect Event Triggered Execution in Splunk

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Adversaries abuse these mechanisms — including WMI event subscriptions, screensaver hijacking, PowerShell profile modification, AppInit DLLs, IFEO injection, COM hijacking, accessibility feature replacement, Unix shell configuration modification, and application shimming — to execute malicious code automatically when specific system events occur. Since the execution can be proxied by an account with higher permissions such as SYSTEM or service accounts, adversaries may escalate privileges through these triggered execution mechanisms.

MITRE ATT&CK

Tactic
Privilege Escalation, Persistence
Technique
T1546 Event Triggered Execution
Canonical reference
https://attack.mitre.org/techniques/T1546/

SPL Detection Query

Splunk (SPL)
| multisearch
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
      (TargetObject="*\\AppInit_DLLs" OR TargetObject="*\\Image File Execution Options*" OR
       TargetObject="*\\SCRNSAVE.EXE" OR TargetObject="*\\AppCertDlls*" OR
       TargetObject="*\\NetSh*" OR TargetObject="*SOFTWARE\\Classes\\CLSID*")
    | eval DetectionType=case(
        like(TargetObject, "%AppInit_DLLs%"), "AppInit_DLL_Persistence",
        like(TargetObject, "%Image File Execution Options%"), "IFEO_Hijacking",
        like(TargetObject, "%SCRNSAVE.EXE%"), "Screensaver_Persistence",
        like(TargetObject, "%AppCertDlls%"), "AppCertDLL_Persistence",
        like(TargetObject, "%NetSh%"), "Netsh_Helper_DLL",
        like(TargetObject, "%CLSID%"), "COM_Hijacking",
        1=1, "Event_Triggered_Registry"
      )
    | eval EventDescription="Registry value set to: ".Details
    | table _time, host, User, DetectionType, TargetObject, Details, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=12
      (TargetObject="*\\AppInit_DLLs" OR TargetObject="*\\Image File Execution Options*" OR
       TargetObject="*\\AppCertDlls*" OR TargetObject="*\\NetSh*")
    | eval DetectionType="Event_Triggered_Registry_Key_Created"
    | table _time, host, User, DetectionType, TargetObject, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=19 OR EventCode=20 OR EventCode=21)
    | eval DetectionType=case(
        EventCode=19, "WMI_EventFilter_Created",
        EventCode=20, "WMI_EventConsumer_Created",
        EventCode=21, "WMI_FilterToConsumerBinding",
        1=1, "WMI_Subscription"
      )
    | eval EventDescription=coalesce(Query, Destination, Consumer)
    | table _time, host, User, DetectionType, EventDescription, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      (
        (Image="*\\wmic.exe" (CommandLine="*subscription*" OR CommandLine="*ActiveScriptEventConsumer*" OR CommandLine="*CommandLineEventConsumer*" OR CommandLine="*EventFilter*" OR CommandLine="*FilterToConsumerBinding*"))
        OR ((Image="*\\wmic.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
            (CommandLine="*Set-WmiInstance*" OR CommandLine="*New-CimInstance*" OR CommandLine="*__EventFilter*" OR CommandLine="*__EventConsumer*"))
      )
    | eval DetectionType="WMI_Subscription_Creation_Process"
    | table _time, host, User, DetectionType, Image, CommandLine, ParentImage, ParentCommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      Image="*\\sdbinst.exe" NOT CommandLine="*/u*"
    | eval DetectionType="App_Shimming_SDB_Install"
    | table _time, host, User, DetectionType, Image, CommandLine, ParentImage, ParentCommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*\\Windows\\System32\\sethc.exe" OR TargetFilename="*\\Windows\\System32\\utilman.exe" OR
       TargetFilename="*\\Windows\\System32\\osk.exe" OR TargetFilename="*\\Windows\\System32\\magnify.exe" OR
       TargetFilename="*\\Windows\\System32\\narrator.exe" OR TargetFilename="*\\Windows\\System32\\displayswitch.exe" OR
       TargetFilename="*\\Windows\\System32\\atbroker.exe")
      NOT (Image="*\\TiWorker.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\wuauclt.exe")
    | eval DetectionType="Accessibility_Feature_Hijack"
    | table _time, host, User, DetectionType, TargetFilename, Image, CommandLine
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*\\WindowsPowerShell\\*_profile.ps1" OR TargetFilename="*\\PowerShell\\*_profile.ps1" OR TargetFilename="*\\WindowsPowerShell\\profile.ps1")
      NOT (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\Code.exe" OR Image="*\\notepad.exe" OR Image="*\\devenv.exe")
    | eval DetectionType="PowerShell_Profile_Modification"
    | table _time, host, User, DetectionType, TargetFilename, Image, CommandLine
  ]
| eval SuspicionScore=case(
    DetectionType="IFEO_Hijacking", 3,
    DetectionType="WMI_FilterToConsumerBinding", 4,
    DetectionType="WMI_EventConsumer_Created", 3,
    DetectionType="Accessibility_Feature_Hijack", 4,
    DetectionType="App_Shimming_SDB_Install", 2,
    DetectionType="WMI_Subscription_Creation_Process", 3,
    DetectionType="AppInit_DLL_Persistence", 3,
    DetectionType="Screensaver_Persistence", 2,
    DetectionType="PowerShell_Profile_Modification", 2,
    1=1, 1
  )
| table _time, host, User, DetectionType, SuspicionScore, Image, CommandLine, TargetObject, TargetFilename
| sort - SuspicionScore, - _time
Severity: high · Confidence: medium

Detects T1546 Event Triggered Execution sub-techniques across Windows using Sysmon operational logs. Covers: Sysmon Event ID 13 (registry value set) and Event ID 12 (registry key created) for AppInit_DLLs, IFEO, screensaver, AppCertDlls, Netsh Helper, and COM class hijacking; Sysmon Event IDs 19/20/21 (WMI event filter, consumer, and binding creation) for WMI subscriptions; Sysmon Event ID 1 (process creation) for wmic.exe and PowerShell WMI subscription commands and sdbinst.exe shimming; Sysmon Event ID 11 (file creation) for accessibility feature binary replacement and PowerShell profile modification. Each result includes a SuspicionScore to prioritize high-fidelity events.

Data Sources

  • Registry: Windows Registry Key Modification
  • Process: Process Creation
  • File: File Creation
  • WMI: WMI Creation
  • Sysmon Event IDs 1, 11, 12, 13, 19, 20, 21

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Third-party security products (endpoint agents, DLP tools) legitimately registering themselves via AppInit_DLLs or COM objects during installation
  • IT teams applying vendor application compatibility shim databases via sdbinst.exe as part of OS migration or legacy application support programs
  • WMI subscriptions deployed by legitimate monitoring frameworks (SCCM, BMC TrueSight, SolarWinds) for infrastructure health checks
  • IFEO Debugger entries created by development tools (Visual Studio Just-In-Time debugger, process monitor) during legitimate debugging sessions
  • Group Policy-enforced screensaver settings pushed organization-wide for compliance with screen lock requirements

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: WMI Event Subscription Persistence via PowerShell

    Expected signal: Sysmon Event IDs 19 (WmiEventFilter created: df00tech-test-filter), 20 (WmiEventConsumer created: df00tech-test-consumer), 21 (WmiEventConsumerToFilter binding). WMI Activity Operational log Event ID 5861 (New subscription). Sysmon Event ID 1 for the spawned cmd.exe when the subscription fires (parent will be WmiPrvSE.exe). KQL: DeviceProcessEvents where InitiatingProcessFileName =~ 'WmiPrvSE.exe'.

  2. Test 2: Image File Execution Options Injection on calc.exe

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\Debugger, Details = cmd.exe, Image = reg.exe. Security Event ID 4657 (if object access auditing enabled). When calc.exe is subsequently launched, Sysmon Event ID 1 will show cmd.exe spawning with ParentCommandLine referencing calc.exe.

  3. Test 3: AppInit DLL Persistence Registration

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, Details = C:\Users\Public\malicious.dll, Image = reg.exe. Second event for LoadAppInit_DLLs = 1. Security Event ID 4657 if audit policy covers this key.

  4. Test 4: Screensaver Persistence via Registry

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKCU\Control Panel\Desktop\SCRNSAVE.EXE, Details = C:\Windows\System32\calc.exe, Image = reg.exe. Note: HKCU modifications generate EventCode=13 with the current user's SID in the path. When screensaver activates, Sysmon Event ID 1 will show calc.exe spawning from winlogon.exe.

  5. Test 5: Application Shimming via sdbinst.exe

    Expected signal: Sysmon Event ID 1 (Process Create): Image = C:\Windows\System32\sdbinst.exe, CommandLine = sdbinst.exe C:\Windows\Temp\test.sdb, ParentImage = python.exe or cmd.exe. Registry modification events (Sysmon Event ID 13) for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB if the SDB installs successfully.
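The SPL query above spreads the classification over seven sub-searches and the scoring over a final case(), which makes it awkward to regression-test when the tests above are run or the false-positive exclusions are tuned. As an added example, not code from the original page, the same DetectionType and SuspicionScore logic is re-implemented in Python below and run over constructed Sysmon-style events modelled on the expected signals of Tests 1 to 5, plus two benign events taken from the False Positives list (a servicing write to sethc.exe and an sdbinst.exe /u uninstall) that must not fire. Host names, timestamps, the user SID and the TiWorker.exe path are placeholders; the wmic.exe branch is written with the two conditions grouped independently, as the SPL intends.

```python
"""Added example (not the page's code): the DetectionType/SuspicionScore logic of the
T1546 SPL query re-implemented in Python, so it can be unit-tested offline against
sample Sysmon events (fields: EventCode, TargetObject, Image, CommandLine, TargetFilename)."""
from typing import Optional

# Event ID 13 (registry value set): substring -> DetectionType, same order as the SPL case().
# SPL like() is case-insensitive, so every comparison below is made on lowercased text.
REGISTRY_VALUE_TYPES = [
    ("appinit_dlls", "AppInit_DLL_Persistence"),
    ("image file execution options", "IFEO_Hijacking"),
    ("scrnsave.exe", "Screensaver_Persistence"),
    ("appcertdlls", "AppCertDLL_Persistence"),
    ("netsh", "Netsh_Helper_DLL"),
    ("software\\classes\\clsid", "COM_Hijacking"),
]
REGISTRY_KEY_NEEDLES = ("appinit_dlls", "image file execution options", "appcertdlls", "netsh")  # Event ID 12
WMI_TYPES = {19: "WMI_EventFilter_Created", 20: "WMI_EventConsumer_Created", 21: "WMI_FilterToConsumerBinding"}
WMIC_TOKENS = ("subscription", "activescripteventconsumer", "commandlineeventconsumer", "eventfilter",
               "filtertoconsumerbinding")
CMDLET_TOKENS = ("set-wmiinstance", "new-ciminstance", "__eventfilter", "__eventconsumer")
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe",
                          "displayswitch.exe", "atbroker.exe"}
SERVICING_IMAGES = {"tiworker.exe", "trustedinstaller.exe", "wuauclt.exe"}  # legitimate writers the SPL excludes
PROFILE_EDITORS = {"powershell.exe", "pwsh.exe", "code.exe", "notepad.exe", "devenv.exe"}
SCORES = {"IFEO_Hijacking": 3, "WMI_FilterToConsumerBinding": 4, "WMI_EventConsumer_Created": 3,
          "Accessibility_Feature_Hijack": 4, "App_Shimming_SDB_Install": 2, "WMI_Subscription_Creation_Process": 3,
          "AppInit_DLL_Persistence": 3, "Screensaver_Persistence": 2, "PowerShell_Profile_Modification": 2}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> Optional[str]:
    """Return the DetectionType the SPL would assign, or None when no sub-search matches."""
    code = ev.get("EventCode")
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    target = ev.get("TargetObject", "").lower()
    if code == 13:
        return next((t for needle, t in REGISTRY_VALUE_TYPES if needle in target), None)
    if code == 12:
        return "Event_Triggered_Registry_Key_Created" if any(n in target for n in REGISTRY_KEY_NEEDLES) else None
    if code in WMI_TYPES:
        return WMI_TYPES[code]
    if code == 1:
        # Two independent branches: wmic.exe with subscription-namespace terms, or
        # wmic/powershell/pwsh invoking the WMI/CIM instance cmdlets.
        wmic_hit = image == "wmic.exe" and any(t in cmd for t in WMIC_TOKENS)
        cmdlet_hit = image in {"wmic.exe", "powershell.exe", "pwsh.exe"} and any(t in cmd for t in CMDLET_TOKENS)
        if wmic_hit or cmdlet_hit:
            return "WMI_Subscription_Creation_Process"
        if image == "sdbinst.exe" and "/u" not in cmd:  # "/u" (uninstall) is excluded, as in the SPL
            return "App_Shimming_SDB_Install"
        return None
    if code == 11:
        path = ev.get("TargetFilename", "")
        low = path.lower()
        if "\\windows\\system32\\" in low and basename(path) in ACCESSIBILITY_BINARIES and image not in SERVICING_IMAGES:
            return "Accessibility_Feature_Hijack"
        is_profile = (low.endswith("_profile.ps1") and ("\\windowspowershell\\" in low or "\\powershell\\" in low)
                      or low.endswith("\\windowspowershell\\profile.ps1"))
        if is_profile and image not in PROFILE_EDITORS:
            return "PowerShell_Profile_Modification"
    return None


def triage(events: list) -> list:
    """Mirror the tail of the SPL: score each hit, then sort by SuspicionScore and _time, both descending."""
    hits = []
    for ev in events:
        dtype = classify(ev)
        if dtype:
            hits.append({"_time": ev["_time"], "host": ev["host"], "DetectionType": dtype,
                         "SuspicionScore": SCORES.get(dtype, 1)})
    return sorted(hits, key=lambda h: (-h["SuspicionScore"], -h["_time"]))


# Constructed samples modelled on the Testing Methodology's expected signals plus two benign cases from
# the False Positives list; hosts, timestamps, the SID and the TiWorker.exe path are placeholders.
REG = "C:\\Windows\\System32\\reg.exe"
SAMPLE_EVENTS = [
    {"_time": 1, "host": "ws01", "EventCode": 21},
    {"_time": 2, "host": "ws01", "EventCode": 13, "Image": REG, "Details": "cmd.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\calc.exe\\Debugger"},
    {"_time": 3, "host": "ws02", "EventCode": 13, "Image": REG, "Details": "C:\\Users\\Public\\malicious.dll",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"},
    # Per-user hive: Sysmon records the user's SID under HKU rather than "HKCU".
    {"_time": 4, "host": "ws02", "EventCode": 13, "Image": REG, "Details": "C:\\Windows\\System32\\calc.exe",
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Control Panel\\Desktop\\SCRNSAVE.EXE"},
    {"_time": 5, "host": "ws03", "EventCode": 1, "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "CommandLine": "sdbinst.exe C:\\Windows\\Temp\\test.sdb"},
    # Read-only enumeration of the subscription namespace still trips the wmic branch (tune if hunting uses it).
    {"_time": 6, "host": "ws03", "EventCode": 1, "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic.exe /namespace:\\\\root\\subscription path __EventFilter get Name"},
    # Benign: Windows servicing writing sethc.exe is excluded by the SPL's NOT clause.
    {"_time": 7, "host": "ws04", "EventCode": 11, "Image": "C:\\Windows\\WinSxS\\placeholder\\TiWorker.exe",
     "TargetFilename": "C:\\Windows\\System32\\sethc.exe"},
    # Benign: sdbinst.exe /u uninstalls a shim database.
    {"_time": 8, "host": "ws04", "EventCode": 1, "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "CommandLine": "sdbinst.exe /u C:\\Windows\\Temp\\test.sdb"},
]
```

Running triage(SAMPLE_EVENTS) yields six hits, the WMI binding first (score 4), then the three score-3 hits newest first, then the two score-2 hits; the two benign events classify as None. Keeping the needle lists and the SCORES table in one place like this also makes it obvious which DetectionTypes (the Event ID 19 filter, Netsh, AppCertDlls, COM hijacking, key creation) fall through to the default score of 1, which is worth revisiting when tuning.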
