T1546.003 Microsoft Sentinel · KQL

Detect Windows Management Instrumentation Event Subscription in Microsoft Sentinel

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Attackers use WMI subscriptions to achieve fileless persistence that survives reboots, runs as SYSTEM, and is not visible in the run keys or scheduled tasks that analysts typically check. Three components are required: an EventFilter (what triggers), an EventConsumer (what runs), and a FilterToConsumerBinding (links them together).

MITRE ATT&CK

Tactic
Privilege Escalation Persistence
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.003 Windows Management Instrumentation Event Subscription
Canonical reference
https://attack.mitre.org/techniques/T1546/003/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let WmiConsumerCreation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "ActiveScriptEventConsumer", "CommandLineEventConsumer",
    "__EventFilter", "__EventConsumer", "__FilterToConsumerBinding",
    "ROOT\\subscription", "root/subscription"
  )
| extend WmiComponent = case(
    ProcessCommandLine has "__EventFilter", "EventFilter",
    ProcessCommandLine has "__EventConsumer" or ProcessCommandLine has "CommandLineEventConsumer" or ProcessCommandLine has "ActiveScriptEventConsumer", "EventConsumer",
    ProcessCommandLine has "__FilterToConsumerBinding", "Binding",
    "Unknown"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, WmiComponent,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
let WmiPersistenceIndicators = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any ("wbem", "repository")
| where FileName has_any ("OBJECTS.DATA", "index.btr", "mapping");
union WmiConsumerCreation, (WmiPersistenceIndicators | extend WmiComponent="RepositoryChange")
| sort by Timestamp desc
high severity high confidence

Detects WMI event subscription creation by monitoring process command lines for WMI subscription class names (ActiveScriptEventConsumer, CommandLineEventConsumer, __EventFilter, __FilterToConsumerBinding) and ROOT\subscription namespace references. Also monitors for modifications to the WMI repository files in the wbem directory. WMI subscriptions created via PowerShell, WMIC, or direct MOF compilation are all captured.

Data Sources

Process: Process CreationCommand: Command ExecutionWMI: WMI CreationFile: File ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • Endpoint security products (Microsoft Defender for Endpoint, CrowdStrike, Carbon Black) that use WMI subscriptions for their own monitoring and persistence
  • SCCM/ConfigMgr client that uses WMI subscriptions for hardware inventory and software distribution tracking
  • Enterprise monitoring solutions (SolarWinds, SCOM, Nagios agents) that leverage WMI event subscriptions for system monitoring
  • Legitimate software that uses WMI subscriptions for update triggers or license management (some AV products, backup agents)
Download portable Sigma rule (.yml)

Other platforms for T1546.003

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMI Subscription via PowerShell (CommandLineEventConsumer)

    Expected signal: Sysmon Event ID 19: WmiEventFilter Activity (FilterName=ArgusTestFilter). Sysmon Event ID 20: WmiEventConsumer Activity (ConsumerName=ArgusTestConsumer, Type=CommandLineEventConsumer). Sysmon Event ID 21: WmiEventConsumerToFilter Binding. WMI-Activity/Operational Event ID 5861: Permanent subscription created.

  2. Test 2WMI Subscription via WMIC (ActiveScriptEventConsumer)

    Expected signal: Sysmon Event IDs 19, 20, 21 for each WMI subscription component. The ActiveScriptEventConsumer type in Event ID 20 is higher risk than CommandLineEventConsumer. Process creation for wmic.exe with /NAMESPACE:\\root\subscription arguments.

  3. Test 3WMI Subscription via MOF File Compilation

    Expected signal: Sysmon Event ID 1: Process creation for mofcomp.exe with the .mof file path as argument. Sysmon Event IDs 19, 20, 21 after mofcomp compiles the subscription. File creation event (Sysmon 11) for the .mof file in Temp. WMI repository modification events.

Last updated: 2026-04-21 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1546.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1546Event Triggered Execution

Related Sub-techniques

T1546.001Change Default File AssociationT1546.002ScreensaverT1546.004Unix Shell Configuration ModificationT1546.005TrapT1546.006LC_LOAD_DYLIB AdditionT1546.007Netsh Helper DLLT1546.008Accessibility FeaturesT1546.009AppCert DLLsT1546.010AppInit DLLsT1546.011Application ShimmingT1546.012Image File Execution Options InjectionT1546.013PowerShell ProfileT1546.014EmondT1546.015Component Object Model HijackingT1546.016Installer PackagesT1546.017Udev RulesT1546.018Python Startup Hooks

Related Techniques

T1546Event Triggered ExecutionT1047Windows Management InstrumentationT1059.001PowerShellT1059.005Visual BasicT1027Obfuscated Files or InformationT1562.001Disable or Modify ToolsT1078Valid Accounts

Same Tactic: Privilege Escalation

Popular Detections