GET /api/techniques/394/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 394,
"key": "wmi-event-subscriptions",
"unprotect_id": "U1353",
"name": "WMI Event Subscriptions",
"description": "Adversaries may leverage WMI event subscriptions to evade detection by triggering malicious actions only under specific conditions that are unlikely to occur in a sandboxed environment. For instance, a threat actor might configure an event subscription to monitor file system, network, or logon activity, ensuring that their second-stage payload is only downloaded and executed when a particular event suggests real user activity, thereby bypassing automated analysis",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1546\r\nhttps://github.com/1d8/offsec/tree/main/persistence/windows/wmi-event-subscription",
"creation_date": "2025-04-02T07:50:20.849022Z",
"tags": "",
"modification_date": "2025-04-02T07:50:20.849064Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
41
]
}
