Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI consumer, filter, and binding creation events that execute malicious code triggered by system events.
cybersecurity
threat-hunting
threat-hunting
wmi-persistence
mitre-t1546-003
event-subscription
windows
endpoint-detection
1.0
mahipal
MIT
Hunting for Persistence via WMI Subscriptions
When to Use
When proactively searching for fileless persistence mechanisms in Windows environments
After threat intelligence reports indicate WMI-based persistence by APT groups (APT29, APT32, FIN8)
When investigating systems where malware persists across reboots despite cleanup attempts
During incident response when standard persistence locations (Run keys, scheduled tasks) are clean
When WmiPrvSe.exe is observed spawning unexpected child processes
Prerequisites
Sysmon Event ID 19, 20, 21 (WMI Event Filter/Consumer/Binding) enabled
Windows Event ID 5861 (WMI activity logging) from Microsoft-Windows-WMI-Activity
Enumerate Existing WMI Subscriptions: Query all permanent WMI event subscriptions on target systems. A clean system typically has very few or zero permanent subscriptions, making anomalies easy to spot.
Analyze Consumer Types: Focus on ActiveScriptEventConsumer (runs VBScript/JScript) and CommandLineEventConsumer (executes commands) -- these are the dangerous types used for persistence.
Check Event Filter Triggers: Examine what triggers the subscription. Common malicious triggers include system startup (Win32_ProcessStartTrace), user logon, or timer-based execution intervals.
Investigate WmiPrvSe.exe Child Processes: When a WMI subscription fires, the action is executed by WmiPrvSe.exe. Hunt for unusual child processes of WmiPrvSe.exe.
Correlate with MOF Compilation: Detect mofcomp.exe usage which compiles MOF files to create WMI subscriptions programmatically.
Validate and Respond: Confirm malicious subscriptions, remove them, and trace back to the initial infection vector.
Key Concepts
Concept
Description
T1546.003
Event Triggered Execution: WMI Event Subscription
__EventFilter
WMI class defining the trigger condition
__EventConsumer
WMI class defining the action to perform
__FilterToConsumerBinding
Links a filter to a consumer
ActiveScriptEventConsumer
Consumer that runs VBScript or JScript
CommandLineEventConsumer
Consumer that executes command lines
WmiPrvSe.exe
WMI Provider Host that executes subscription actions
MOF File
Managed Object Format used to define WMI objects
Detection Queries
Splunk -- WMI Subscription Creation via Sysmon
index=sysmon (EventCode=19 OR EventCode=20 OR EventCode=21)
| eval event_type=case(EventCode=19, "EventFilter", EventCode=20, "EventConsumer", EventCode=21, "FilterToConsumerBinding")
| table _time Computer User event_type EventNamespace Name Query Destination Operation
APT29 WMI Persistence: Creates an ActiveScriptEventConsumer that executes a VBScript backdoor on system startup, surviving reboots and credential resets.
Turla WMI Backdoor: Uses Win32_ProcessStartTrace filter combined with CommandLineEventConsumer for covert command execution.