Event ID 19

WMI event filter is registered
Source: Microsoft-Windows-Sysmon
Category: WmiEventFilter activity detected
WmiEventFilter activity detected:
    RuleName: %1!s!
    EventType: %2!s!
    UtcTime: %3!s!
    Operation: %4!s!
    User: %5!s!
    EventNamespace: %6!s!
    Name: %7!s!
    Query: %8!s!


When a WMI event filter is registered, which is a technique malware uses to execute, this event logs the WMI namespace, the filter name and the filter expression.
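The following Python code is an added example, not part of the Sysmon documentation: it splits a rendered Event ID 19 message into the template fields listed above and compares the namespace, filter name and filter expression against a baseline of approved filters. The baseline, the filter name, the sample values and the tolerance for quoted values are assumptions made for illustration.

```python
import re

# Field names in the order the Event ID 19 message template lists them.
FIELDS = ("RuleName", "EventType", "UtcTime", "Operation",
          "User", "EventNamespace", "Name", "Query")

# Hypothetical baseline of approved filters: (namespace, name) -> query.
BASELINE = {("root\\cimv2", "inventoryagentfilter"):
            "select * from __instancecreationevent within 300 "
            "where targetinstance isa 'win32_logicaldisk'"}

def norm(value):
    """Drop optional surrounding quotes, collapse whitespace, lowercase."""
    return " ".join(value.strip().strip('"').split()).lower()

def parse_event19(message):
    """Split a rendered Event ID 19 message into its template fields."""
    fields, current = {}, None
    for line in message.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*)$", line)
        # First occurrence wins, so text inside Query cannot overwrite a field.
        if m and m.group(1) in FIELDS and m.group(1) not in fields:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current and line.strip():
            fields[current] += " " + line.strip()  # wrapped Query text
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return fields

def triage(message, baseline=BASELINE):
    """Return (verdict, fields): baseline, query-changed or unknown-filter."""
    ev = parse_event19(message)
    expected = baseline.get((norm(ev["EventNamespace"]), norm(ev["Name"])))
    if expected is None:
        return "unknown-filter", ev
    if norm(ev["Query"]) != expected:
        return "query-changed", ev
    return "baseline", ev

# Constructed sample message; every value is invented for illustration.
SAMPLE = r'''WmiEventFilter activity detected:
    RuleName: -
    EventType: WmiFilterEvent
    UtcTime: 2024-01-01 00:00:00.000
    Operation: Created
    User: EXAMPLE\svc-inventory
    EventNamespace: "root\cimv2"
    Name: "InventoryAgentFilter"
    Query: "SELECT * FROM __InstanceCreationEvent WITHIN 300 WHERE TargetInstance ISA 'Win32_LogicalDisk'"'''
```

Comparing the query as well as the name catches a known filter name reused with a different expression. Where the event's XML EventData is available, read the fields from it rather than from the rendered text, since a filter name or query can itself contain line breaks.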


