T1546.003 Windows Management Instrumentation Event Subscription Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let WmiConsumerCreation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "ActiveScriptEventConsumer", "CommandLineEventConsumer",
    "__EventFilter", "__EventConsumer", "__FilterToConsumerBinding",
    "ROOT\\subscription", "root/subscription"
  )
| extend WmiComponent = case(
    ProcessCommandLine has "__EventFilter", "EventFilter",
    ProcessCommandLine has "__EventConsumer" or ProcessCommandLine has "CommandLineEventConsumer" or ProcessCommandLine has "ActiveScriptEventConsumer", "EventConsumer",
    ProcessCommandLine has "__FilterToConsumerBinding", "Binding",
    "Unknown"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, WmiComponent,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
let WmiPersistenceIndicators = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any ("wbem", "repository")
| where FileName has_any ("OBJECTS.DATA", "index.btr", "mapping");
union WmiConsumerCreation, (WmiPersistenceIndicators | extend WmiComponent="RepositoryChange")
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution WMI: WMI Creation File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Endpoint security products (Microsoft Defender for Endpoint, CrowdStrike, Carbon Black) that use WMI subscriptions for their own monitoring and persistence
SCCM/ConfigMgr client that uses WMI subscriptions for hardware inventory and software distribution tracking
Enterprise monitoring solutions (SolarWinds, SCOM, Nagios agents) that leverage WMI event subscriptions for system monitoring
Legitimate software that uses WMI subscriptions for update triggers or license management (some AV products, backup agents)

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-WMI-Activity/Operational")
| eval EventSource=sourcetype
| eval WmiActivity=case(
    EventCode=19, "WMI Filter Activity",
    EventCode=20, "WMI Consumer Activity",
    EventCode=21, "WMI Consumer Binding",
    EventCode=5857, "WMI Provider Load",
    EventCode=5858, "WMI Query Error",
    EventCode=5861, "WMI Permanent Subscription",
    1=1, null()
  )
| eval WmiCmdLine=case(
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1,
    if(match(CommandLine, "(ActiveScriptEventConsumer|CommandLineEventConsumer|__EventFilter|FilterToConsumerBinding|root.subscription|ROOT.subscription)"), "WMI_CMD", null()),
    1=1, null()
  )
| where isnotnull(WmiActivity) OR WmiCmdLine="WMI_CMD"
| eval DetectionType=coalesce(WmiActivity, WmiCmdLine)
| table _time, host, User, EventCode, DetectionType, CommandLine, Message
| sort - _time

high severity high confidence

Data Sources

WMI: WMI Creation Sysmon Event ID 19 (WmiEvent - WmiEventFilter Activity Detected) Sysmon Event ID 20 (WmiEvent - WmiEventConsumer Activity Detected) Sysmon Event ID 21 (WmiEvent - WmiEventConsumerToFilter Activity Detected) WinEventLog:Microsoft-Windows-WMI-Activity/Operational Event ID 5861

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Microsoft-Windows-WMI-Activity/Operational

False Positives

Endpoint security products using WMI subscriptions for monitoring
SCCM/ConfigMgr client WMI subscriptions
Enterprise monitoring solutions
Legitimate software using WMI for update triggers or license management

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    process.command_line : (
      "*ActiveScriptEventConsumer*", "*CommandLineEventConsumer*",
      "*__EventFilter*", "*__EventConsumer*", "*__FilterToConsumerBinding*",
      "*ROOT\\subscription*", "*root/subscription*"
    )
  ) or
  (
    event.category == "process" and
    event.code in ("19", "20", "21", "5857", "5861")
  ) or
  (
    event.category == "file" and event.type in ("creation", "change") and
    file.path : ("*\\wbem\\*", "*\\repository\\*") and
    file.name : ("OBJECTS.DATA", "index.btr", "mapping*")
  )

high severity high confidence

Data Sources

Microsoft Windows Sysmon Microsoft-Windows-WMI-Activity Windows Security Event Log Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

SCCM and Microsoft Endpoint Configuration Manager use WMI subscriptions legitimately for software inventory, compliance baselining, and deployment tasks — validate against known SCCM server IP ranges and service accounts
Security products including Carbon Black, CrowdStrike Falcon, and Microsoft Defender use WMI consumers for real-time event collection — cross-reference process parent chain against known EDR installation paths
Enterprise monitoring tools such as SolarWinds, PRTG, and custom PowerShell DSC configurations interact with root\subscription namespace for legitimate telemetry gathering

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "EventID" AS WindowsEventID,
  CASE
    WHEN "EventID" = '19' THEN 'WMI Filter Activity'
    WHEN "EventID" = '20' THEN 'WMI Consumer Activity'
    WHEN "EventID" = '21' THEN 'WMI Consumer Binding'
    WHEN "EventID" = '5857' THEN 'WMI Provider Load'
    WHEN "EventID" = '5861' THEN 'WMI Permanent Subscription'
    WHEN "CommandLine" ILIKE '%ActiveScriptEventConsumer%' THEN 'ActiveScript Consumer'
    WHEN "CommandLine" ILIKE '%CommandLineEventConsumer%' THEN 'CommandLine Consumer'
    WHEN "CommandLine" ILIKE '%__EventFilter%' THEN 'EventFilter Creation'
    WHEN "CommandLine" ILIKE '%__FilterToConsumerBinding%' THEN 'Filter-Consumer Binding'
    ELSE 'WMI Repository Change'
  END AS DetectionType,
  "CommandLine",
  "Message"
FROM events
WHERE
  (
    LOGSOURCETYPEID(logsourceid) IN (12, 13)
    AND (
      "EventID" IN ('19', '20', '21', '5857', '5858', '5861')
      OR (
        "EventID" = '1'
        AND (
          "CommandLine" ILIKE '%ActiveScriptEventConsumer%'
          OR "CommandLine" ILIKE '%CommandLineEventConsumer%'
          OR "CommandLine" ILIKE '%__EventFilter%'
          OR "CommandLine" ILIKE '%__EventConsumer%'
          OR "CommandLine" ILIKE '%__FilterToConsumerBinding%'
          OR "CommandLine" ILIKE '%ROOT\\subscription%'
          OR "CommandLine" ILIKE '%root/subscription%'
        )
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Microsoft Windows Sysmon via WinCollect Microsoft-Windows-WMI-Activity Operational Log Windows Security Event Log

Required Tables

events

False Positives

System Center Configuration Manager (SCCM) and Microsoft Intune use WMI permanent subscriptions for hardware inventory collection cycles — baseline legitimate SCCM service account activity and server IP ranges in QRadar reference sets
Antivirus and EDR products (Symantec, McAfee, Tanium) register WMI consumers during installation and product updates — correlate with software deployment change windows to reduce noise
PowerShell Desired State Configuration (DSC) and Group Policy processing can interact with WMI subscription namespaces during policy application — validate timing against scheduled GPO refresh intervals (typically every 90 minutes)

Sumo Logic CSE

sql

_sourceCategory=*windows*
| where sourcetype in ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Microsoft-Windows-WMI-Activity/Operational")
| eval WmiDirectEvent = if(
    EventCode in ("19", "20", "21", "5857", "5858", "5861"), "true", "false"
  )
| eval WmiCmdLine = if(
    EventCode == "1" and (
      CommandLine matches "(?i)ActiveScriptEventConsumer" or
      CommandLine matches "(?i)CommandLineEventConsumer" or
      CommandLine matches "(?i)__EventFilter" or
      CommandLine matches "(?i)__EventConsumer" or
      CommandLine matches "(?i)__FilterToConsumerBinding" or
      CommandLine matches "(?i)ROOT[\\\\|/]subscription" or
      CommandLine matches "(?i)root[\\\\|/]subscription"
    ), "true", "false"
  )
| where WmiDirectEvent == "true" or WmiCmdLine == "true"
| eval DetectionType = if(EventCode == "19", "WMI Filter Activity",
    if(EventCode == "20", "WMI Consumer Activity",
      if(EventCode == "21", "WMI Consumer Binding",
        if(EventCode == "5857", "WMI Provider Load",
          if(EventCode == "5861", "WMI Permanent Subscription",
            if(WmiCmdLine == "true", "WMI Command Line Indicator",
              "Unknown WMI Activity"))))))
| fields _messageTime, host, User, EventCode, DetectionType, CommandLine, Message, sourcetype
| sort by _messageTime desc

high severity high confidence

Data Sources

Microsoft Windows Sysmon Microsoft-Windows-WMI-Activity Operational Log

Required Tables

_sourceCategory=*windows*

False Positives

Windows Management Instrumentation is used heavily by enterprise monitoring suites (SolarWinds Orion, Nagios, Zabbix agents) that register permanent subscriptions to collect system health metrics — maintain an allowlist of monitoring server source IPs
Microsoft Visual Studio and developer tooling may reference WMI subscription namespaces during debugging sessions or SDK testing on developer workstations — scope this detection to server-class systems and exclude known developer machine hostnames
Third-party backup software (Veeam, Acronis, Commvault) uses WMI consumers to monitor VSS snapshot events and trigger backup jobs — correlate detections with backup job schedules and vendor process name allowlists

Google Chronicle / SecOps

yaral

rule wmi_event_subscription_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects WMI event subscription persistence (T1546.003) via subscription class creation, Sysmon WMI events, and WBEM repository file modifications"
    severity = "HIGH"
    mitre_attack_technique = "T1546.003"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    reference = "https://attack.mitre.org/techniques/T1546/003/"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        $e.target.process.command_line = /(?i)(ActiveScriptEventConsumer|CommandLineEventConsumer|__EventFilter|__EventConsumer|__FilterToConsumerBinding|ROOT[\\|/]subscription|root[\\|/]subscription)/ or
        $e.metadata.product_event_type = "19" or
        $e.metadata.product_event_type = "20" or
        $e.metadata.product_event_type = "21" or
        $e.metadata.product_event_type = "5857" or
        $e.metadata.product_event_type = "5861"
      )
    ) or
    (
      $e.metadata.event_type = "FILE_CREATION" and
      $e.target.file.full_path = /(?i)(\\wbem\\|\\repository\\)/ and
      (
        $e.target.file.full_path = /(?i)OBJECTS\.DATA/ or
        $e.target.file.full_path = /(?i)index\.btr/ or
        $e.target.file.full_path = /(?i)mapping/
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Microsoft Windows Sysmon via Chronicle forwarder Microsoft-Windows-WMI-Activity Operational Google Chronicle UDM ingestion

Required Tables

UDM Events

False Positives

Windows Defender Advanced Threat Protection and Microsoft Sentinel agent installation registers WMI consumers for real-time telemetry — these will generate EventID 20 and 21 on managed endpoints and should be filtered by the installer process chain (MsSense.exe, MMASetup.exe)
Enterprise software deployment platforms (Ivanti, Flexera, BigFix) use WMI event subscriptions to monitor software inventory changes and trigger compliance actions — correlate against known deployment server FQDNs in the principal.hostname field
Windows operating system updates and service pack installations can modify WBEM repository files (OBJECTS.DATA) during component registration — suppress alerts on file modification events occurring during known patch maintenance windows

CrowdStrike LogScale (CQL)

cql

// Branch 1: Process command lines referencing WMI subscription classes
(
  #event_simpleName=ProcessRollup2
  | regex field=CommandLine "(?i)(ActiveScriptEventConsumer|CommandLineEventConsumer|__EventFilter|__EventConsumer|__FilterToConsumerBinding|ROOT[\\\\|/]subscription|root[\\\\|/]subscription)"
  | eval DetectionBranch="WMI Subscription Command Line"
)

// Branch 2: Script execution consumers spawning child processes (SYSTEM-level WMI child)
union
(
  #event_simpleName=ProcessRollup2
  | where ParentBaseFileName in ("WmiPrvSE.exe", "scrcons.exe")
  | where FileName not in ("WmiPrvSE.exe", "mofcomp.exe", "wmiadap.exe")
  | eval DetectionBranch="Suspicious WMI Provider Child Process"
)

// Branch 3: MOF file compilation (used to register WMI subscriptions)
union
(
  #event_simpleName=ProcessRollup2
  | where FileName = "mofcomp.exe"
  | where CommandLine != null
  | regex field=CommandLine "(?!.*\\\\Windows\\\\system32)"
  | eval DetectionBranch="MOF Compilation Outside System32"
)

| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionBranch, ProcessId_decimal, ParentProcessId_decimal])
| sort(_time, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon ProcessRollup2 CrowdStrike Falcon Endpoint Activity

Required Tables

ProcessRollup2

False Positives

Legitimate WMI providers (winmgmt, wmiadap.exe, wmiprvse.exe) spawn child processes during WMI query processing for performance counters and hardware inventory — validate that WmiPrvSE.exe child processes belong to known data provider binaries and are not running from temp or user-writable paths
Software deployment agents that use MOF files for registration (third-party WMI providers, Microsoft MOM/SCOM management packs) will trigger the mofcomp.exe branch — maintain a CrowdStrike allowlist by SHA256 hash of known-good MOF compilation events from deployment tooling
SCCM hardware inventory and software metering clients register their WMI providers via MOF compilation — filter by ParentBaseFileName of ccmexec.exe or SMS Agent Host service account to reduce SCCM-related false positives

Windows Management Instrumentation Event Subscription

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections