T1546.003 CrowdStrike LogScale · LogScale

Detect Windows Management Instrumentation Event Subscription in CrowdStrike LogScale

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Attackers use WMI subscriptions to achieve fileless persistence that survives reboots, runs as SYSTEM, and is not visible in the run keys or scheduled tasks that analysts typically check. Three components are required: an EventFilter (what triggers), an EventConsumer (what runs), and a FilterToConsumerBinding (links them together).

MITRE ATT&CK

Tactic
Privilege Escalation Persistence
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.003 Windows Management Instrumentation Event Subscription
Canonical reference
https://attack.mitre.org/techniques/T1546/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

// Detect WMI event subscription persistence (T1546.003) across three behavioral branches.
// All branches read ProcessRollup2; case{} labels each matching event with DetectionBranch
// and drops events that match no branch.
#event_simpleName=ProcessRollup2
| case {
    // Branch 1: process command lines referencing WMI subscription classes or the root\subscription namespace
    CommandLine=/(ActiveScriptEventConsumer|CommandLineEventConsumer|__EventFilter|__EventConsumer|__FilterToConsumerBinding|root[\\\/]subscription)/i
    | DetectionBranch := "WMI Subscription Command Line";

    // Branch 2: the WMI provider host or the script consumer host (scrcons.exe) spawning a child
    // other than the WMI binaries expected under it (SYSTEM-level WMI child)
    in(ParentBaseFileName, values=["WmiPrvSE.exe", "scrcons.exe"], ignoreCase=true)
    | !in(FileName, values=["WmiPrvSE.exe", "mofcomp.exe", "wmiadap.exe"], ignoreCase=true)
    | DetectionBranch := "Suspicious WMI Provider Child Process";

    // Branch 3: mofcomp.exe compiling a MOF file that is not under System32.
    // The .mof argument is extracted and tested on its own: testing the whole command line would
    // exclude every invocation whose own executable path is ...\Windows\System32\wbem\mofcomp.exe.
    FileName=/^mofcomp\.exe$/i
    | CommandLine=/(?<MofPath>[^\s"]+\.mof)\b/i
    | MofPath!=/\\Windows\\System32\\/i
    | DetectionBranch := "MOF Compilation Outside System32";
}
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionBranch, ProcessId_decimal, ParentProcessId_decimal])
| sort(@timestamp, order=desc)
Severity: high. Confidence: medium.

Detects WMI event subscription persistence (T1546.003) in CrowdStrike LogScale across three behavioral branches: (1) ProcessRollup2 events whose command line contains WMI subscription class names or the subscription namespace path (ActiveScriptEventConsumer, CommandLineEventConsumer, __EventFilter, __FilterToConsumerBinding, root\subscription); (2) child processes spawned directly by WmiPrvSE.exe or scrcons.exe (the WMI script consumer host) that are not themselves WMI binaries, which indicates an event consumer has fired and launched its payload (CommandLineEventConsumer payloads are started by WmiPrvSE.exe, ActiveScriptEventConsumer scripts run inside scrcons.exe); and (3) mofcomp.exe invocations whose MOF file argument lies outside System32, a common way of registering WMI subscriptions programmatically. Together the three branches cover both the creation and the execution phase of a subscription.
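The same three-branch logic re-implemented in Python over constructed ProcessRollup2-style records, as an added example (not code from this page or from CrowdStrike) so the branch boundaries can be checked offline. It assumes the field names used above (CommandLine, FileName, ParentBaseFileName) and, in branch 3, tests the .mof argument rather than the whole command line, since mofcomp.exe's own path is under System32.

```python
import re

# Constructed ProcessRollup2-style records (sample data, not real telemetry). Field names
# follow the CrowdStrike ProcessRollup2 schema used by the LogScale query on this page.
SAMPLE_EVENTS = [
    {"FileName": "powershell.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": 'powershell -c "Set-WmiInstance -Namespace root/subscription -Class __EventFilter"'},
    {"FileName": "cmd.exe", "ParentBaseFileName": "WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\Public\\update.bat"},
    {"FileName": "wmiadap.exe", "ParentBaseFileName": "WmiPrvSE.exe",
     "CommandLine": "wmiadap.exe /F /T /R"},
    {"FileName": "mofcomp.exe", "ParentBaseFileName": "cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\wbem\\mofcomp.exe" C:\\Users\\Public\\persist.mof'},
    {"FileName": "mofcomp.exe", "ParentBaseFileName": "ccmexec.exe",
     "CommandLine": '"C:\\Windows\\System32\\wbem\\mofcomp.exe" C:\\Windows\\System32\\wbem\\cimwin32.mof'},
]

# Branch 1: WMI subscription class names or the root\subscription namespace on the command line
WMI_SUBSCRIPTION_RE = re.compile(
    r"ActiveScriptEventConsumer|CommandLineEventConsumer|__EventFilter|__EventConsumer|"
    r"__FilterToConsumerBinding|root[\\/]subscription", re.I)
# Branch 2: hosts whose children are suspicious, and the children expected under them
WMI_HOSTS = {"wmiprvse.exe", "scrcons.exe"}
EXPECTED_WMI_CHILDREN = {"wmiprvse.exe", "mofcomp.exe", "wmiadap.exe"}
# Branch 3: the .mof argument is tested on its own, because the command line of every
# mofcomp.exe invocation already contains the binary's own \Windows\System32\wbem\ path
MOF_ARG_RE = re.compile(r'([^\s"]+\.mof)\b', re.I)
SYSTEM32_RE = re.compile(r"\\Windows\\System32\\", re.I)


def classify(event):
    """Return the DetectionBranch label for one ProcessRollup2 record, or None if nothing matches."""
    cmd = event.get("CommandLine") or ""
    name = event.get("FileName", "").lower()
    parent = event.get("ParentBaseFileName", "").lower()
    if WMI_SUBSCRIPTION_RE.search(cmd):
        return "WMI Subscription Command Line"
    if parent in WMI_HOSTS and name not in EXPECTED_WMI_CHILDREN:
        return "Suspicious WMI Provider Child Process"
    if name == "mofcomp.exe":
        mof = MOF_ARG_RE.search(cmd)
        if mof and not SYSTEM32_RE.search(mof.group(1)):
            return "MOF Compilation Outside System32"
    return None


def run_detection(events):
    """Apply the three branches to a list of records; returns (FileName, DetectionBranch) hits."""
    hits = []
    for event in events:
        branch = classify(event)
        if branch:
            hits.append((event["FileName"], branch))
    return hits
```

The two records that return None (wmiadap.exe under WmiPrvSE.exe, and an SCCM MOF under System32) are the benign cases the tuning notes below describe.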

Data Sources

CrowdStrike Falcon ProcessRollup2
CrowdStrike Falcon Endpoint Activity

Required Tables

ProcessRollup2

False Positives & Tuning

  • Legitimate WMI providers (winmgmt, wmiadap.exe, wmiprvse.exe) spawn child processes during WMI query processing for performance counters and hardware inventory — validate that WmiPrvSE.exe child processes belong to known data provider binaries and are not running from temp or user-writable paths
  • Software deployment agents that use MOF files for registration (third-party WMI providers, Microsoft MOM/SCOM management packs) will trigger the mofcomp.exe branch — maintain a CrowdStrike allowlist by SHA256 hash of known-good MOF compilation events from deployment tooling
  • SCCM hardware inventory and software metering clients register their WMI providers via MOF compilation — filter by ParentBaseFileName of ccmexec.exe or SMS Agent Host service account to reduce SCCM-related false positives
Testing Methodology

Validate this detection against the three adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: WMI Subscription via PowerShell (CommandLineEventConsumer)

    Expected signal: Sysmon Event ID 19: WmiEventFilter Activity (FilterName=ArgusTestFilter). Sysmon Event ID 20: WmiEventConsumer Activity (ConsumerName=ArgusTestConsumer, Type=CommandLineEventConsumer). Sysmon Event ID 21: WmiEventConsumerToFilter Binding. WMI-Activity/Operational Event ID 5861: Permanent subscription created.

  2. Test 2: WMI Subscription via WMIC (ActiveScriptEventConsumer)

    Expected signal: Sysmon Event IDs 19, 20, 21 for each WMI subscription component. The ActiveScriptEventConsumer type in Event ID 20 is higher risk than CommandLineEventConsumer. Process creation for wmic.exe with /NAMESPACE:\\root\subscription arguments.

  3. Test 3: WMI Subscription via MOF File Compilation

    Expected signal: Sysmon Event ID 1: Process creation for mofcomp.exe with the .mof file path as argument. Sysmon Event IDs 19, 20, 21 after mofcomp compiles the subscription. File creation event (Sysmon 11) for the .mof file in Temp. WMI repository modification events.
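All three tests expect Sysmon Event IDs 19, 20 and 21 to appear together. As an added example (not part of this page's detection package), the following Python correlates those three events in constructed Sysmon records, reports each binding with its filter and consumer, and rates ActiveScriptEventConsumer bindings higher, as the test plan notes. It assumes the Event ID 21 Consumer and Filter fields carry the `<Class>.Name="..."` reference form.

```python
import re

# Constructed Sysmon WMI-event records (sample data, not real logs), flattened to dicts with the
# field names of Sysmon's WmiEvent schema for Event IDs 19, 20 and 21. ArgusTestFilter and
# ArgusTestConsumer are the names the test plan above expects; the other names are made up here.
SAMPLE_SYSMON = [
    {"EventID": 19, "Name": "ArgusTestFilter", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Name": "ArgusTestConsumer", "Type": "CommandLineEventConsumer",
     "Destination": "C:\\Windows\\System32\\cmd.exe /c echo test"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="ArgusTestConsumer"',
     "Filter": '__EventFilter.Name="ArgusTestFilter"'},
    {"EventID": 20, "Name": "ArgusScriptConsumer", "Type": "ActiveScriptEventConsumer",
     "Destination": 'WScript.Echo "test"'},
    {"EventID": 21, "Consumer": 'ActiveScriptEventConsumer.Name="ArgusScriptConsumer"',
     "Filter": '__EventFilter.Name="ArgusTestFilter"'},
    # Binding whose consumer was registered outside this log window (or whose EID 20 was missed)
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="UnseenConsumer"',
     "Filter": '__EventFilter.Name="ArgusTestFilter"'},
]

# Event ID 21 names its two halves as <Class>.Name="<name>"
BOUND_NAME_RE = re.compile(r'Name="([^"]+)"')


def correlate(events):
    """Pair each EID 21 binding with its EID 19 filter and EID 20 consumer; one finding per binding."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings = []
    for e in events:
        if e["EventID"] != 21:
            continue
        cons, filt = BOUND_NAME_RE.search(e["Consumer"]), BOUND_NAME_RE.search(e["Filter"])
        if not (cons and filt):
            continue
        consumer, wmi_filter = consumers.get(cons.group(1)), filters.get(filt.group(1))
        finding = {"filter": filt.group(1), "consumer": cons.group(1), "type": None, "risk": "review"}
        if consumer is not None and wmi_filter is not None:
            # Complete filter + consumer + binding trio: a live permanent subscription. The test
            # plan rates ActiveScriptEventConsumer above CommandLineEventConsumer.
            finding["type"] = consumer["Type"]
            finding["risk"] = "high" if consumer["Type"] == "ActiveScriptEventConsumer" else "medium"
            finding["payload"] = consumer["Destination"]
        findings.append(finding)
    return findings
```

A binding whose filter or consumer never appeared in the window is still reported, with risk "review", because the binding alone is enough to keep the subscription alive.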
