
WMI Subscription Persistence

v20260317
hunting-for-persistence-via-wmi-subscriptions
Guide to hunting WMI-based persistence by monitoring Sysmon and Windows WMI subscription creation events, enumerating dangerous filters and consumers, analyzing triggers, and correlating WmiPrvSe.exe activity and MOF compilation to detect stealthy threats.
Overview

Hunting for Persistence via WMI Subscriptions

When to Use

  • When proactively searching for fileless persistence mechanisms in Windows environments
  • After threat intelligence reports indicate WMI-based persistence by APT groups (APT29, APT32, FIN8)
  • When investigating systems where malware persists across reboots despite cleanup attempts
  • During incident response when standard persistence locations (Run keys, scheduled tasks) are clean
  • When WmiPrvSe.exe is observed spawning unexpected child processes

Prerequisites

  • Sysmon Event IDs 19, 20 and 21 (WMI Event Filter/Consumer/Binding) enabled
  • Windows Event ID 5861 (WMI activity logging) from Microsoft-Windows-WMI-Activity
  • PowerShell logging enabled (Script Block Logging, Module Logging)
  • WMI repository access for enumeration
  • SIEM platform for event correlation

Workflow

  1. Enumerate Existing WMI Subscriptions: Query all permanent WMI event subscriptions on target systems. A clean system typically has very few or zero permanent subscriptions, making anomalies easy to spot.
  2. Monitor WMI Event Creation (Sysmon 19/20/21): Sysmon Event 19 captures WmiEventFilter activity, Event 20 captures WmiEventConsumer activity, and Event 21 captures WmiEventConsumerToFilter binding.
  3. Analyze Consumer Types: Focus on ActiveScriptEventConsumer (runs VBScript/JScript) and CommandLineEventConsumer (executes commands) -- these are the dangerous types used for persistence.
  4. Check Event Filter Triggers: Examine what triggers the subscription. Common malicious triggers include system startup (Win32_ProcessStartTrace), user logon, or timer-based execution intervals.
  5. Investigate WmiPrvSe.exe Child Processes: When a WMI subscription fires, the action is executed by WmiPrvSe.exe. Hunt for unusual child processes of WmiPrvSe.exe.
  6. Correlate with MOF Compilation: Detect mofcomp.exe usage, which compiles MOF files into the WMI repository and can create subscriptions programmatically.
  7. Validate and Respond: Confirm malicious subscriptions, remove them, and trace back to the initial infection vector.
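As an added example (not code from the skill page), the following PowerShell script carries out steps 1, 3 and 4 of the workflow on the local host: it resolves every binding in root\subscription to its filter and consumer, flags ActiveScript and CommandLine consumers, and emits one record per binding using the Output Format fields. It assumes local administrator rights and that Get-CimInstance returns the binding's Filter and Consumer reference properties as CimInstance objects carrying the key Name property.

```powershell
# Added example, not part of the skill page. Enumerate permanent WMI subscriptions,
# resolve each binding to its filter and consumer, and flag executing consumer types.
$ns = 'root/subscription'
$dangerous = @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')

# Index filters and consumers by name (consumers by class|name) so bindings can be
# resolved without building WQL strings from names an adversary controls.
$filters = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }
$consumers = @{}
Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object {
    $consumers["$($_.CimClass.CimClassName)|$($_.Name)"] = $_
}

# CreatorSID is stored as a byte array; translate it to an account name where possible.
function ConvertFrom-CreatorSid([byte[]]$Sid) {
    if (-not $Sid) { return $null }
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid, 0)
    try { $sidObj.Translate([System.Security.Principal.NTAccount]).Value } catch { $sidObj.Value }
}

Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
    $b = $_
    $f = $filters[$b.Filter.Name]
    $cClass = $b.Consumer.CimClass.CimClassName
    $c = $consumers["$cClass|$($b.Consumer.Name)"]
    # ActiveScript consumers carry the payload in ScriptText (or ScriptFileName);
    # CommandLine consumers carry it in CommandLineTemplate. Other consumer classes
    # (log file, NT event log, SMTP) do not execute code.
    $action = switch ($cClass) {
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        default                     { '<non-executing consumer>' }
    }
    $risk = if ($dangerous -contains $cClass) { 'High' } else { 'Low' }
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        FilterName     = $f.Name
        FilterQuery    = $f.Query
        ConsumerType   = $cClass
        ConsumerAction = $action
        Binding        = "$($b.Filter.Name) -> $($b.Consumer.Name)"
        UserContext    = ConvertFrom-CreatorSid $f.CreatorSID
        RiskLevel      = $risk
    }
} | Format-List
```

Any High record whose FilterQuery watches process starts, logons or a timer, and whose ConsumerAction launches a script host or an encoded PowerShell command, is a candidate for step 7.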

Key Concepts

Concept                     Description
T1546.003                   Event Triggered Execution: WMI Event Subscription
__EventFilter               WMI class defining the trigger condition
__EventConsumer             WMI class defining the action to perform
__FilterToConsumerBinding   Links a filter to a consumer
ActiveScriptEventConsumer   Consumer that runs VBScript or JScript
CommandLineEventConsumer    Consumer that executes command lines
WmiPrvSe.exe                WMI Provider Host that executes subscription actions
MOF File                    Managed Object Format used to define WMI objects

Detection Queries

Splunk -- WMI Subscription Creation via Sysmon

index=sysmon (EventCode=19 OR EventCode=20 OR EventCode=21)
| eval event_type=case(EventCode=19, "EventFilter", EventCode=20, "EventConsumer", EventCode=21, "FilterToConsumerBinding")
| table _time Computer User event_type EventNamespace Name Query Destination Operation

Splunk -- WMI Subscription via Windows Event 5861

index=wineventlog source="Microsoft-Windows-WMI-Activity/Operational" EventCode=5861
| table _time Computer NamespaceName Operation PossibleCause

PowerShell -- Enumerate WMI Subscriptions

Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class __EventConsumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding

KQL -- WmiPrvSe.exe Spawning Suspicious Children

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine

Sigma Rule

title: WMI Event Subscription Persistence
status: stable
logsource:
    product: windows
    category: wmi_event
detection:
    selection_consumer:
        EventID: 20
        Destination|contains:
            - 'ActiveScriptEventConsumer'
            - 'CommandLineEventConsumer'
    condition: selection_consumer
level: high
tags:
    - attack.persistence
    - attack.t1546.003

Common Scenarios

  1. APT29 WMI Persistence: Creates an ActiveScriptEventConsumer that executes a VBScript backdoor on system startup, surviving reboots and credential resets.
  2. Turla WMI Backdoor: Uses Win32_ProcessStartTrace filter combined with CommandLineEventConsumer for covert command execution.
  3. FIN8 WMI Timer: Interval-based __IntervalTimerEvent triggering encoded PowerShell downloads every 30 minutes.
  4. MOF-Based Installation: Adversary drops a .mof file and compiles it with mofcomp.exe to silently create persistent subscriptions.

Output Format

Hunt ID: TH-WMI-[DATE]-[SEQ]
Host: [Hostname]
Subscription Name: [Filter/Consumer name]
Filter Query: [WQL trigger condition]
Consumer Type: [ActiveScript/CommandLine]
Consumer Action: [Script content or command]
Binding: [Filter-to-Consumer link]
Created: [Timestamp]
User Context: [SYSTEM/User]
Risk Level: [Critical/High/Medium/Low]
Info
Category Development
Name hunting-for-persistence-via-wmi-subscriptions
Version v20260317
Size 15.28KB
Updated At 2026-03-18