T1546.003 Elastic Security · Elastic

Detect Windows Management Instrumentation Event Subscription in Elastic Security

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Attackers use WMI subscriptions to achieve fileless persistence that survives reboots, runs as SYSTEM, and is not visible in the run keys or scheduled tasks that analysts typically check. Three components are required: an EventFilter (what triggers), an EventConsumer (what runs), and a FilterToConsumerBinding (links them together).

MITRE ATT&CK

Tactic
Privilege Escalation Persistence
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.003 Windows Management Instrumentation Event Subscription
Canonical reference
https://attack.mitre.org/techniques/T1546/003/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.category == "process" and event.type == "start" and
    process.command_line : (
      "*ActiveScriptEventConsumer*", "*CommandLineEventConsumer*",
      "*__EventFilter*", "*__EventConsumer*", "*__FilterToConsumerBinding*",
      "*ROOT\\subscription*", "*root/subscription*"
    )
  ) or
  (
    event.category == "process" and
    event.code in ("19", "20", "21", "5857", "5861")
  ) or
  (
    event.category == "file" and event.type in ("creation", "change") and
    file.path : ("*\\wbem\\*", "*\\repository\\*") and
    file.name : ("OBJECTS.DATA", "index.btr", "mapping*")
  )
high severity high confidence

Detects WMI event subscription persistence (T1546.003) via three signals: (1) process command lines referencing WMI subscription classes such as ActiveScriptEventConsumer, CommandLineEventConsumer, __EventFilter, __EventConsumer, and __FilterToConsumerBinding; (2) Sysmon WMI activity events 19 (Filter), 20 (Consumer), 21 (Binding), 5857 (Provider Load), and 5861 (Permanent Subscription); and (3) file system writes to WBEM repository files (OBJECTS.DATA, index.btr, mapping) which store subscription definitions. WMI subscriptions provide fileless, SYSTEM-level persistence that survives reboots and evades typical run key and scheduled task auditing.

Data Sources

Microsoft Windows SysmonMicrosoft-Windows-WMI-ActivityWindows Security Event LogElastic Endpoint Security

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

  • SCCM and Microsoft Endpoint Configuration Manager use WMI subscriptions legitimately for software inventory, compliance baselining, and deployment tasks — validate against known SCCM server IP ranges and service accounts
  • Security products including Carbon Black, CrowdStrike Falcon, and Microsoft Defender use WMI consumers for real-time event collection — cross-reference process parent chain against known EDR installation paths
  • Enterprise monitoring tools such as SolarWinds, PRTG, and custom PowerShell DSC configurations interact with root\subscription namespace for legitimate telemetry gathering
Download portable Sigma rule (.yml)

Other platforms for T1546.003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMI Subscription via PowerShell (CommandLineEventConsumer)

    Expected signal: Sysmon Event ID 19: WmiEventFilter Activity (FilterName=ArgusTestFilter). Sysmon Event ID 20: WmiEventConsumer Activity (ConsumerName=ArgusTestConsumer, Type=CommandLineEventConsumer). Sysmon Event ID 21: WmiEventConsumerToFilter Binding. WMI-Activity/Operational Event ID 5861: Permanent subscription created.

  2. Test 2WMI Subscription via WMIC (ActiveScriptEventConsumer)

    Expected signal: Sysmon Event IDs 19, 20, 21 for each WMI subscription component. The ActiveScriptEventConsumer type in Event ID 20 is higher risk than CommandLineEventConsumer. Process creation for wmic.exe with /NAMESPACE:\\root\subscription arguments.

  3. Test 3WMI Subscription via MOF File Compilation

    Expected signal: Sysmon Event ID 1: Process creation for mofcomp.exe with the .mof file path as argument. Sysmon Event IDs 19, 20, 21 after mofcomp compiles the subscription. File creation event (Sysmon 11) for the .mof file in Temp. WMI repository modification events.

Last updated: 2026-04-21 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1546.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1546Event Triggered Execution

Related Sub-techniques

T1546.001Change Default File AssociationT1546.002ScreensaverT1546.004Unix Shell Configuration ModificationT1546.005TrapT1546.006LC_LOAD_DYLIB AdditionT1546.007Netsh Helper DLLT1546.008Accessibility FeaturesT1546.009AppCert DLLsT1546.010AppInit DLLsT1546.011Application ShimmingT1546.012Image File Execution Options InjectionT1546.013PowerShell ProfileT1546.014EmondT1546.015Component Object Model HijackingT1546.016Installer PackagesT1546.017Udev RulesT1546.018Python Startup Hooks

Related Techniques

T1546Event Triggered ExecutionT1047Windows Management InstrumentationT1059.001PowerShellT1059.005Visual BasicT1027Obfuscated Files or InformationT1562.001Disable or Modify ToolsT1078Valid Accounts

Same Tactic: Privilege Escalation

Popular Detections