WMI permanent event subscriptions execute a consumer when a WMI event query matches.
The persistence chain has three parts:
- An event filter that defines the trigger
- An event consumer that defines the action
- A binding that connects the filter to the consumer
Permanent WMI subscriptions are stored in the WMI repository and survive reboot. They commonly execute through the WMI service context, so creation usually requires local administrator rights unless namespace permissions are misconfigured.
When enumerating WMI persistence opportunities, try to identify:
- Existing objects in
root\subscription __EventFilterobjects with suspicious WQLCommandLineEventConsumerobjects executing shells or payloadsActiveScriptEventConsumerobjects with embedded script- Filter-to-consumer bindings
- Recent creation through PowerShell, WMIC, CIM or
mofcomp.exe
Enumeration
List event filters:
Get-WmiObject -Namespace root\subscription -Class __EventFilter
List command-line consumers:
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
List script consumers:
Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer
List bindings:
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
CIM alternatives:
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding
Legacy WMIC inspection:
wmic /namespace:\\root\subscription PATH __EventFilter get Name,Query
wmic /namespace:\\root\subscription PATH CommandLineEventConsumer get Name,CommandLineTemplate
Interesting findings include:
- Unknown event filters
- WQL queries using short polling intervals such as
WITHIN 5 - Consumers launching
cmd.exe,powershell.exe,rundll32.exe,regsvr32.exeor payloads from writable paths - Bindings that connect unknown filters to unknown consumers
- WMI subscriptions created near logon, service creation or payload staging
mofcomp.exe,wmic.exeor PowerShell used before persistence appears
Once WMI subscription creation is available, a trigger and command consumer can be registered.
Remediation
Patch the weakness:
- Remove unauthorized
__FilterToConsumerBindingobjects first. - Remove the related
CommandLineEventConsumerorActiveScriptEventConsumer. - Remove the related
__EventFilter. - Remove payload files referenced by consumers.
- Review WMI namespace permissions if non-admin users were able to create permanent subscriptions.
Remove the example subscription:
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
Where-Object { $_.Filter -like "*Windows Update Filter*" -or $_.Consumer -like "*Windows Update Consumer*" } |
Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='Windows Update Consumer'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='Windows Update Filter'" | Remove-WmiObject
Detect abuse:
- Review Sysmon Event IDs
19,20and21for WMI filter, consumer and binding creation. - Review PowerShell Event IDs
4103and4104forSet-WmiInstance,Register-WmiEventand CIM creation. - Review WMI-Activity Operational logs for suspicious WMI operations.
- Hunt for
wmic.exe,mofcomp.exeand PowerShell writing toroot\subscription. - Alert on consumers launching script interpreters, LOLBins or payloads from writable paths.