Skip to content

Hide Navigation Hide TOC

WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4)

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)

Cluster A Galaxy A Cluster B Galaxy B Level
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 2