Detect Windows Management Instrumentation Event Subscription in Google Chronicle
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Attackers use WMI subscriptions to achieve fileless persistence that survives reboots, runs as SYSTEM, and is not visible in the run keys or scheduled tasks that analysts typically check. Three components are required: an EventFilter (what triggers), an EventConsumer (what runs), and a FilterToConsumerBinding (links them together).
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1546 Event Triggered Execution
- Sub-technique: T1546.003 Windows Management Instrumentation Event Subscription
- Canonical reference: https://attack.mitre.org/techniques/T1546/003/
YARA-L Detection Query
rule wmi_event_subscription_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects WMI event subscription persistence (T1546.003) via subscription class creation, Sysmon WMI events, and WBEM repository file modifications"
    severity = "HIGH"
    mitre_attack_technique = "T1546.003"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    reference = "https://attack.mitre.org/techniques/T1546/003/"

  events:
    // Path 1 and 2: subscription class names on a command line, or the
    // Sysmon (19/20/21) and WMI-Activity (5857/5861) event IDs themselves.
    // (?i) already makes the match case-insensitive, so a single
    // root[\\\/]subscription alternative covers ROOT\subscription, root/subscription, etc.
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        $e.target.process.command_line = /(?i)(ActiveScriptEventConsumer|CommandLineEventConsumer|__EventFilter|__EventConsumer|__FilterToConsumerBinding|root[\\\/]subscription)/ or
        $e.metadata.product_event_type = "19" or
        $e.metadata.product_event_type = "20" or
        $e.metadata.product_event_type = "21" or
        $e.metadata.product_event_type = "5857" or
        $e.metadata.product_event_type = "5861"
      )
    ) or
    // Path 3: writes to the WBEM repository files that store subscription definitions.
    (
      $e.metadata.event_type = "FILE_CREATION" and
      $e.target.file.full_path = /(?i)(\\wbem\\|\\repository\\)/ and
      (
        $e.target.file.full_path = /(?i)OBJECTS\.DATA/ or
        $e.target.file.full_path = /(?i)index\.btr/ or
        $e.target.file.full_path = /(?i)mapping/
      )
    )

  condition:
    $e
}

This Chronicle YARA-L 2.0 rule detects WMI event subscription persistence (T1546.003) across three telemetry paths: process launch events whose command line contains WMI subscription class keywords (ActiveScriptEventConsumer, CommandLineEventConsumer, __EventFilter, __EventConsumer, __FilterToConsumerBinding, or a root\subscription namespace path); product event IDs from Sysmon (19 = subscription filter creation, 20 = consumer creation, 21 = filter-to-consumer binding) and from the WMI-Activity/Operational log (5857 = provider load, 5861 = permanent subscription registration); and file creation or modification events targeting the WBEM repository files (OBJECTS.DATA, index.btr, mapping) that persist subscription definitions across reboots.
False Positives & Tuning
- Windows Defender Advanced Threat Protection and Microsoft Sentinel agent installations register WMI consumers for real-time telemetry. These generate Event IDs 20 and 21 on managed endpoints and should be filtered on the installer process chain (MsSense.exe, MMASetup.exe).
- Enterprise software deployment platforms (Ivanti, Flexera, BigFix) use WMI event subscriptions to monitor software inventory changes and trigger compliance actions. Correlate against known deployment server FQDNs in the principal.hostname field.
- Windows operating system updates and service pack installations can modify WBEM repository files (OBJECTS.DATA) during component registration. Suppress alerts on file modification events that occur during known patch maintenance windows.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: WMI Subscription via PowerShell (CommandLineEventConsumer)
Expected signal: Sysmon Event ID 19: WmiEventFilter Activity (FilterName=ArgusTestFilter). Sysmon Event ID 20: WmiEventConsumer Activity (ConsumerName=ArgusTestConsumer, Type=CommandLineEventConsumer). Sysmon Event ID 21: WmiEventConsumerToFilter Binding. WMI-Activity/Operational Event ID 5861: Permanent subscription created.
- Test 2: WMI Subscription via WMIC (ActiveScriptEventConsumer)
Expected signal: Sysmon Event IDs 19, 20, 21 for each WMI subscription component. The ActiveScriptEventConsumer type in Event ID 20 is higher risk than CommandLineEventConsumer. Process creation for wmic.exe with /NAMESPACE:\\root\subscription arguments.
- Test 3: WMI Subscription via MOF File Compilation
Expected signal: Sysmon Event ID 1: Process creation for mofcomp.exe with the .mof file path as argument. Sysmon Event IDs 19, 20, 21 after mofcomp compiles the subscription. File creation event (Sysmon 11) for the .mof file in Temp. WMI repository modification events.
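The following Python is an added example, not part of the original page or the Chronicle rule: it replays the rule's three telemetry paths over constructed UDM-shaped events (hostnames, names and command lines are made up) and then correlates Sysmon 19/20/21 per host so that a complete filter + consumer + binding chain, as in Test 1 above, is reported as a single finding. The event-ID path is evaluated independently of the UDM event type, following the three-path description rather than the literal PROCESS_LAUNCH gating in the rule.

```python
import re
from collections import defaultdict

# Regexes mirror the YARA-L clauses of the rule above (case-insensitive).
CLASS_RE = re.compile(r"(ActiveScriptEventConsumer|CommandLineEventConsumer|__EventFilter|"
                      r"__EventConsumer|__FilterToConsumerBinding|root[\\/]subscription)", re.I)
REPO_RE = re.compile(r"(\\wbem\\|\\repository\\).*?(OBJECTS\.DATA|index\.btr|mapping)", re.I)
# Sysmon 19/20/21 = filter/consumer/binding; WMI-Activity 5857/5861 = provider load/permanent subscription.
EVENT_IDS = {"19": "filter", "20": "consumer", "21": "binding",
             "5857": "provider-load", "5861": "permanent-subscription"}

def match_event(ev):
    """Return which telemetry path fires for one UDM-shaped event dict, or None."""
    if ev.get("event_type") == "PROCESS_LAUNCH" and CLASS_RE.search(ev.get("command_line", "")):
        return "command_line"
    if ev.get("product_event_type") in EVENT_IDS:
        return "event_id:" + EVENT_IDS[ev["product_event_type"]]
    if ev.get("event_type") == "FILE_CREATION" and REPO_RE.search(ev.get("full_path", "")):
        return "wbem_repository"
    return None

def correlate(events):
    """Per host, collect which of the three subscription components Sysmon reported.
    A host with filter + consumer + binding has a complete, reboot-surviving subscription."""
    seen = defaultdict(dict)
    for ev in events:
        part = EVENT_IDS.get(ev.get("product_event_type"))
        if part in ("filter", "consumer", "binding"):
            seen[ev["hostname"]][part] = ev.get("name", "?")
    return {host: {"complete": set(parts) >= {"filter", "consumer", "binding"}, **parts}
            for host, parts in seen.items()}

# Constructed sample telemetry (not real logs): Test 1 replayed on WS01, benign noise on WS02.
SAMPLE = [
    {"hostname": "WS01", "event_type": "PROCESS_LAUNCH", "product_event_type": "1",
     "command_line": 'powershell -c "Set-WmiInstance -Namespace root\\subscription -Class __EventFilter ..."'},
    {"hostname": "WS01", "event_type": "GENERIC_EVENT", "product_event_type": "19", "name": "ArgusTestFilter"},
    {"hostname": "WS01", "event_type": "GENERIC_EVENT", "product_event_type": "20", "name": "ArgusTestConsumer"},
    {"hostname": "WS01", "event_type": "GENERIC_EVENT", "product_event_type": "21", "name": "ArgusTestFilter"},
    {"hostname": "WS01", "event_type": "FILE_CREATION",
     "full_path": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"},
    {"hostname": "WS02", "event_type": "PROCESS_LAUNCH", "product_event_type": "1", "command_line": "notepad.exe"},
    {"hostname": "WS02", "event_type": "GENERIC_EVENT", "product_event_type": "20", "name": "SCM Event Log Consumer"},
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev["hostname"], match_event(ev))
    print(correlate(SAMPLE))
```

The lone Event ID 20 on WS02 still fires the per-event rule, which is exactly the kind of hit the tuning notes above target; the correlated view shows only WS01 with a complete chain.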
References
- https://attack.mitre.org/techniques/T1546/003/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
- https://github.com/davidpany/WMI_Forensics
- https://github.com/mandiant/flare-wmi