Detect Windows Management Instrumentation Event Subscription in IBM QRadar
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Attackers use WMI subscriptions to achieve fileless persistence that survives reboots, runs as SYSTEM, and is not visible in the run keys or scheduled tasks that analysts typically check. Three components are required: an EventFilter (what triggers), an EventConsumer (what runs), and a FilterToConsumerBinding (links them together).
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.003 Windows Management Instrumentation Event Subscription
- Canonical reference
- https://attack.mitre.org/techniques/T1546/003/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
sourceip AS SourceIP,
username AS Username,
QIDNAME(qid) AS EventName,
"EventID" AS WindowsEventID,
CASE
WHEN "EventID" = '19' THEN 'WMI Filter Activity'
WHEN "EventID" = '20' THEN 'WMI Consumer Activity'
WHEN "EventID" = '21' THEN 'WMI Consumer Binding'
WHEN "EventID" = '5857' THEN 'WMI Provider Load'
WHEN "EventID" = '5861' THEN 'WMI Permanent Subscription'
WHEN "CommandLine" ILIKE '%ActiveScriptEventConsumer%' THEN 'ActiveScript Consumer'
WHEN "CommandLine" ILIKE '%CommandLineEventConsumer%' THEN 'CommandLine Consumer'
WHEN "CommandLine" ILIKE '%__EventFilter%' THEN 'EventFilter Creation'
WHEN "CommandLine" ILIKE '%__FilterToConsumerBinding%' THEN 'Filter-Consumer Binding'
ELSE 'WMI Repository Change'
END AS DetectionType,
"CommandLine",
"Message"
FROM events
WHERE
(
LOGSOURCETYPEID(logsourceid) IN (12, 13)
AND (
"EventID" IN ('19', '20', '21', '5857', '5858', '5861')
OR (
"EventID" = '1'
AND (
"CommandLine" ILIKE '%ActiveScriptEventConsumer%'
OR "CommandLine" ILIKE '%CommandLineEventConsumer%'
OR "CommandLine" ILIKE '%__EventFilter%'
OR "CommandLine" ILIKE '%__EventConsumer%'
OR "CommandLine" ILIKE '%__FilterToConsumerBinding%'
OR "CommandLine" ILIKE '%ROOT\\subscription%'
OR "CommandLine" ILIKE '%root/subscription%'
)
)
)
)
ORDER BY starttime DESC
LAST 24 HOURSDetects WMI event subscription persistence (T1546.003) in QRadar by correlating Sysmon WMI-specific event IDs (19=Filter, 20=Consumer, 21=Binding, 5857=Provider Load, 5861=Permanent Subscription) with WMI-Activity log events and process command lines containing WMI subscription class references. The CASE statement classifies each detection into one of five WMI subscription component types to aid analyst triage. Results are ordered by most recent first to surface active subscription creation attempts.
Data Sources
Required Tables
False Positives & Tuning
- System Center Configuration Manager (SCCM) and Microsoft Intune use WMI permanent subscriptions for hardware inventory collection cycles — baseline legitimate SCCM service account activity and server IP ranges in QRadar reference sets
- Antivirus and EDR products (Symantec, McAfee, Tanium) register WMI consumers during installation and product updates — correlate with software deployment change windows to reduce noise
- PowerShell Desired State Configuration (DSC) and Group Policy processing can interact with WMI subscription namespaces during policy application — validate timing against scheduled GPO refresh intervals (typically every 90 minutes)
Other platforms for T1546.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1WMI Subscription via PowerShell (CommandLineEventConsumer)
Expected signal: Sysmon Event ID 19: WmiEventFilter Activity (FilterName=ArgusTestFilter). Sysmon Event ID 20: WmiEventConsumer Activity (ConsumerName=ArgusTestConsumer, Type=CommandLineEventConsumer). Sysmon Event ID 21: WmiEventConsumerToFilter Binding. WMI-Activity/Operational Event ID 5861: Permanent subscription created.
- Test 2WMI Subscription via WMIC (ActiveScriptEventConsumer)
Expected signal: Sysmon Event IDs 19, 20, 21 for each WMI subscription component. The ActiveScriptEventConsumer type in Event ID 20 is higher risk than CommandLineEventConsumer. Process creation for wmic.exe with /NAMESPACE:\\root\subscription arguments.
- Test 3WMI Subscription via MOF File Compilation
Expected signal: Sysmon Event ID 1: Process creation for mofcomp.exe with the .mof file path as argument. Sysmon Event IDs 19, 20, 21 after mofcomp compiles the subscription. File creation event (Sysmon 11) for the .mof file in Temp. WMI repository modification events.
References (6)
- https://attack.mitre.org/techniques/T1546/003/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
- https://github.com/davidpany/WMI_Forensics
- https://github.com/mandiant/flare-wmi
Unlock Pro Content
Get the full detection package for T1546.003 including response playbook, investigation guide, and atomic red team tests.