WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4)

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers.

Data Collection Measures:

Windows Security Event Logs:
- Event ID 5861 (WMI Permanent Event Subscription)
- Event ID 5860 (WMI Event Filter Activity)
- Event ID 5857 (WMI Event Consumer Activity)
Sysmon Logs:
- Sysmon Event ID 19 – WMI Event Filter Created
- Sysmon Event ID 20 – WMI Event Consumer Created
- Sysmon Event ID 21 – WMI Event Binding Created
Endpoint Detection & Response (EDR)
- Detects WMI-based persistence techniques.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4)	mitre-data-component	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4)	mitre-data-component	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4)	mitre-data-component	1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4)	mitre-data-component	1
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4)	mitre-data-component	1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4)	mitre-data-component	1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	2