
Sysmon Event ID 19, 20, 21: WMI Events

Caution: Collecting Sysmon events without a configuration tailored to your environment will produce a high data volume. These setup instructions would need significant tuning to be production-ready. For more specific configurations, we recommend exploring the following resources:

  • https://github.com/trustedsec/SysmonCommunityGuide
  • https://github.com/olafhartong/sysmon-modular
  • https://github.com/Neo23x0/sysmon-config

Some detection rules require the use of Sysmon WMI events (Event IDs 19, 20, and 21) to detect malicious activity, such as attackers using WMI for persistence or lateral movement.

To collect these logs, use the Windows Integration and select the Sysmon Operational channel on the integration setup page.

The following snippet demonstrates the minimal configuration required to enable Sysmon's WMI monitoring. This single configuration block enables Event ID 19 (WmiEventFilter), Event ID 20 (WmiEventConsumer), and Event ID 21 (WmiEventConsumerToFilter). While it turns on the event logging, it lacks the filtering a production environment needs and will generate significant noise. Treat it as a reference and integrate it into a more robust configuration, such as those provided in the resources above.

<Sysmon schemaversion="4.90">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <EventFiltering>
        <!-- Log all WMI events (Covers IDs 19, 20, and 21) -->
        <WmiEvent onmatch="exclude"></WmiEvent>
    </EventFiltering>
</Sysmon>
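To show what the three event types look like once collected, the following added example (not part of the detection-rules repository or its documentation) parses constructed Sysmon XML records for IDs 19, 20 and 21, joins the binding event to its filter and consumer by name, and reports bindings whose consumer type executes code. The field names follow Sysmon's EventData layout; the sample records, the placeholder destination and the list of consumer types to flag are assumptions to tune for your environment.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Consumer types that run code when their filter fires (hypothetical tuning list).
EXEC_CONSUMER_TYPES = {"Command Line", "Active Script"}

def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon XML record into {'EventID': int, <EventData name>: value}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event

def _ref_name(ref: str) -> str:
    """Sysmon writes binding references as  Class.Name="value"; return the value."""
    return ref.split('"')[1] if '"' in ref else ref

def triage(events: list[dict]) -> list[str]:
    """Join filter (19), consumer (20) and binding (21) records; report code-running consumers."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings = []
    for binding in (e for e in events if e["EventID"] == 21):
        cname, fname = _ref_name(binding["Consumer"]), _ref_name(binding["Filter"])
        consumer = consumers.get(cname, {})
        if consumer.get("Type") in EXEC_CONSUMER_TYPES:
            query = filters.get(fname, {}).get("Query", "<filter not seen>")
            findings.append(f"{cname} [{consumer['Type']}] bound to {fname}: {query}")
    return findings

# Constructed sample records (trimmed to the fields this example reads).
SAMPLE_RECORDS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>19</EventID></System>'
    '<EventData><Data Name="Operation">Created</Data><Data Name="Name">demo_filter</Data>'
    '<Data Name="Query">SELECT * FROM __InstanceModificationEvent WITHIN 60</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>20</EventID></System>'
    '<EventData><Data Name="Operation">Created</Data><Data Name="Name">demo_consumer</Data>'
    '<Data Name="Type">Command Line</Data><Data Name="Destination">placeholder.exe</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>21</EventID></System>'
    '<EventData><Data Name="Operation">Created</Data>'
    '<Data Name="Consumer">CommandLineEventConsumer.Name="demo_consumer"</Data>'
    '<Data Name="Filter">__EventFilter.Name="demo_filter"</Data></EventData></Event>',
]

def demo() -> list[str]:
    return triage([parse_sysmon_event(r) for r in SAMPLE_RECORDS])
```

Without the ID 21 record no finding is raised, which is why all three event types need to be collected: the binding is what turns a filter and a consumer into an active persistence mechanism.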

Use the following GitHub search to identify rules that use the events generated by this configuration:

Elastic Detection Rules Github Repo Search