This note documents detection patterns related to WMI Event Subscription within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 19 | WMI Event Filter created | Critical | Primary detection point. Captures creation of __EventFilter. Review filter name, namespace, query, creator process, and user context. |
| Sysmon | 20 | WMI Event Consumer created | Critical | Captures creation of CommandLineEventConsumer, ActiveScriptEventConsumer, etc. Review payload command, script body, destination paths. |
| Sysmon | 21 | WMI Filter-to-Consumer binding created | Critical | Confirms full persistence chain completed. Review filter + consumer linkage. |
| Security | 4688 | Process creation | High | Useful when an attacker uses wmic.exe, powershell.exe, mofcomp.exe, scrcons.exe, or custom tooling to register the subscription. |
| Sysmon | 1 | Process creation | Critical | Best host-level execution evidence. Hunt for suspicious WMI-related commands and unusual parent-child chains. |
| Microsoft-Windows-WMI-Activity/Operational | 5857 | WMI provider started | Medium | Helps identify provider load context. Often noisy but valuable when correlated. |
| Microsoft-Windows-WMI-Activity/Operational | 5858 | WMI operation failed | Medium | Sometimes reveals malformed attacker queries or namespace abuse. |
| Microsoft-Windows-WMI-Activity/Operational | 5860 / 5861 | WMI consumer activity | High | Useful for consumer execution tracking depending on OS version and logging state. |
| Security | 4624 | Successful logon | High | Correlate attacker logon before persistence creation. Review LogonType, source host, account. |
| Security | 4672 | Special privileges assigned | High | Elevated token often precedes subscription registration. |
| Sysmon | 11 | File create | Medium | Consumers may drop scripts, payloads, temp files, staging artifacts. |
| Sysmon | 7 | Image loaded | Medium | Useful when script engines or uncommon DLLs load during consumer execution. |
| PowerShell | 4104 | Script block logging | Critical | If PowerShell created the WMI subscription, this often captures the exact Set-WmiInstance, Register-WmiEvent, or CIM calls. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Persistent WMI repository changes | New objects under root\subscription | Critical | Core persistence footprint. Rare in normal endpoints outside management software. |
| Consumer executes unexpected command | Hidden PowerShell, cmd, rundll32, regsvr32 | Critical | Strong malicious signal. |
| Suspicious timer queries | WITHIN 5 WHERE TargetInstance ISA... | High | Attackers often use polling intervals for trigger conditions. |
| Event subscription on workstation | New subscription outside enterprise management baseline | High | Workstations usually have few legitimate custom subscriptions. |
| Encoded PowerShell in consumer | Base64 command strings | Critical | Strong malicious persistence indicator. |
| Unusual creator process | Office, browser, archive tool spawning WMI registration | High | Very abnormal chain. |
| Follow-on lateral movement | Remote WMI execution after subscription creation | High | WMI persistence often coexists with remote admin abuse. |
| Delayed beacon after trigger | Consumer fires minutes/hours later | High | Attackers use delayed execution to avoid immediate detection. |
| Namespace abuse outside root\subscription | Custom namespaces | Medium | Less common but important for stealth cases. |
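The two tables above describe the Sysmon 19/20/21 fields and the encoded-PowerShell consumer indicator; the following added script (not code from the original note) pulls those three events from the local Sysmon Operational log, flattens EventData into one row per event, and decodes any -EncodedCommand payload in a consumer destination so the analyst reviews plaintext. It assumes Sysmon is installed with WMI event logging enabled and that the script runs as an administrator.

```powershell
# Added example, not code from the original note: triage Sysmon 19/20/21 and decode
# Base64 -EncodedCommand payloads found in CommandLineEventConsumer destinations.
# Assumes Sysmon logs WMI events and the script runs elevated on the host being triaged.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 19, 20, 21
} -ErrorAction SilentlyContinue

function ConvertFrom-EncodedCommand([string]$cmdline) {
    # powershell -e / -enc / -EncodedCommand takes Base64 of UTF-16LE text.
    if ($cmdline -match '(?i)-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }   # not valid Base64: leave Decoded empty, keep the raw Destination
    }
    return $null
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }   # Name/value pairs
    $row = [ordered]@{ Time = $e.TimeCreated; Id = $e.Id; Op = $data['Operation']; User = $data['User'] }
    switch ($e.Id) {
        19 { $row.Name = $data['Name']; $row.Detail = "$($data['EventNamespace']) :: $($data['Query'])" }
        20 { $row.Name = $data['Name']; $row.Detail = "$($data['Type']) :: $($data['Destination'])"
             $row.Decoded = ConvertFrom-EncodedCommand $data['Destination'] }
        21 { $row.Name = $data['Consumer']; $row.Detail = "bound to $($data['Filter'])" }
    }
    [pscustomobject]$row
}
$rows | Sort-Object Time | Format-List
```

Rows with a non-empty Decoded field, or a Detail that names a hidden shell, map directly to the Critical indicators in the table.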
Common Tools
| Tool | Usage |
|---|---|
| PowerShell | Set-WmiInstance, Register-WmiEvent, CIM cmdlets for filter/consumer creation |
| WMIC | Legacy creation and interaction with WMI objects |
| mofcomp.exe | Compile MOF files into repository |
| PowerSploit | Offensive WMI persistence modules |
| Empire | Common WMI persistence module |
| Cobalt Strike | WMI persistence available through operator scripts |
| Impacket | WMI execution tooling adjacent to persistence |
| Custom COM / VBScript | Direct COM interaction with repository |
Relevant Artifacts
- Sysmon Event IDs 19, 20, 21 (highest-value evidence)
- WMI repository: C:\Windows\System32\wbem\Repository\
- WMI namespace: root\subscription
- PowerShell logs: 4103 / 4104
- Security logs: 4688, 4624, 4672
- WMI Operational log: Microsoft-Windows-WMI-Activity/Operational
- Prefetch: WMIC.EXE, POWERSHELL.EXE, MOFCOMP.EXE, SCRCONS.EXE
- Amcache / ShimCache for tool execution
- MFT / USN Journal for MOF or payload file creation
- Registry persistence cross-check: WMI often coexists with Run Keys / Tasks
- EDR process trees showing delayed consumer execution
MITRE ATT&CK References
- T1546.003 WMI Event Subscription
- T1047 Windows Management Instrumentation
- T1059 PowerShell
- T1546 Event Triggered Execution
Decision Tree
- Is a suspicious WMI subscription present?
  - Check Sysmon 19/20/21
  - Enumerate root\subscription
- What created it?
  - Pivot to 4688 / Sysmon 1
  - Identify parent process and command line
- Is the consumer malicious?
  - Inspect the payload:
    - PowerShell
    - cmd.exe
    - rundll32
    - script body
- When does it trigger?
  - Timer
  - Process creation
  - Logon event
  - System event
- Pivot:
  - User logon context
  - Network beacon
  - Additional persistence
- Scope:
  - Single host?
  - Lateral deployment?
  - Management software false positive?
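The first two branches of the decision tree (enumerate root\subscription, then judge the consumer) can be run as one pass. The script below is an added example, not code from the original note: it joins each __FilterToConsumerBinding to its filter and consumer and flags the patterns the indirect-indicator table lists (hidden shells, encoded commands, polling timers, script consumers). It assumes Windows PowerShell 5.1 or PowerShell 7 on the host being triaged, run as an administrator.

```powershell
# Added example, not code from the original note: enumerate root\subscription, join
# binding -> filter -> consumer, and flag the indicator patterns described above.
# Assumes the CIM cmdlets are available and the script runs elevated.
$ns = 'root/subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)
# Constructed patterns drawn from the indirect-indicator table (hidden shells, encoding, timers).
$payloadPattern = 'powershell|cmd\.exe|rundll32|regsvr32|-enc|FromBase64String|hidden'
$timerPattern   = 'WITHIN\s+\d+|__InstanceModificationEvent|Win32_PerfFormattedData'
function Get-RefName($ref) {
    # Reference properties arrive as CimInstance (CIM cmdlets) or as a path string such as
    # __EventFilter.Name="X" (WMI cmdlets); handle both so the join works either way.
    if ($ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $ref.Name }
    if ("$ref" -match 'Name="([^"]+)"') { return $Matches[1] }
    return "$ref"
}
function Get-ConsumerPayload($c) {
    # Each consumer class stores its action in a different property.
    switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandTemplate)".Trim() }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        default { ($c | Select-Object -Property * -ExcludeProperty Cim*, PS* | Out-String).Trim() }
    }
}
$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
    $payload = if ($c) { Get-ConsumerPayload $c } else { '<consumer missing>' }
    $flags = @()
    if ($payload -match $payloadPattern) { $flags += 'suspicious-payload' }
    if ($f.Query -match $timerPattern)   { $flags += 'timer-trigger' }
    if ($c -and $c.CimClass.CimClassName -eq 'ActiveScriptEventConsumer') { $flags += 'script-consumer' }
    if (-not $f) { $flags += 'dangling-binding' }   # binding survives a deleted filter
    [pscustomobject]@{
        Filter    = $fName
        Namespace = $f.EventNamespace
        Query     = $f.Query
        Consumer  = $cName
        Class     = if ($c) { $c.CimClass.CimClassName } else { $null }
        Payload   = $payload
        Flags     = ($flags -join ',')
    }
}
$report | Sort-Object Flags -Descending | Format-List
```

Compare the unflagged rows against the management-tool baseline from the Mitigation table; anything flagged and outside that baseline moves to the "What created it?" branch.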
Example Detection Templates
KQL
```kusto
Sysmon
| where EventID in (19,20,21)
| project TimeGenerated, Computer, EventID, User, EventData
| order by TimeGenerated desc
```

```kusto
Sysmon
| where EventID == 20
| where EventData has_any ("powershell", "cmd.exe", "rundll32", "regsvr32")
| project TimeGenerated, Computer, User, EventData
```

```kusto
SecurityEvent
| where EventID == 4688
| where CommandLine has_any ("wmic", "Set-WmiInstance", "Register-WmiEvent", "mofcomp")
| project TimeGenerated, Computer, Account, CommandLine, ParentProcessName
```
EQL
```eql
process where process.command_line like "*wmic*" or process.command_line like "*Set-WmiInstance*" or process.command_line like "*Register-WmiEvent*"
```

```eql
sequence by host.name with maxspan=5m
  [ process where process.command_line like "*wmic*" ]
  [ any where event.code in ("19","20","21") ]
```
Sigma
```yaml
title: Suspicious WMI Event Subscription Creation
id: 4b7d2c88-wmi-subscription
status: experimental
description: Detects WMI event subscription creation often associated with persistence
references:
  - https://attack.mitre.org/techniques/T1546/003/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID:
      - 19
      - 20
      - 21
  condition: selection
fields:
  - EventID
  - User
  - EventData
falsepositives:
  - SCCM
  - Enterprise monitoring tools
level: high
tags:
  - attack.persistence
  - attack.t1546.003
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Sysmon coverage | Enable 19/20/21 everywhere | Critical | Core visibility |
| Namespace auditing | Regularly enumerate root\subscription | High | Detect persistence drift |
| PowerShell logging | Enable 4104 | High | Captures script-based creation |
| WMI ACL hardening | Restrict who can write subscriptions | High | Reduces abuse surface |
| Baseline management tools | Know legitimate subscriptions | Critical | Avoid false positives |