T1546.003 Splunk · SPL

Detect Windows Management Instrumentation Event Subscription in Splunk

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Attackers use WMI subscriptions to achieve fileless persistence that survives reboots, runs as SYSTEM, and is not visible in the run keys or scheduled tasks that analysts typically check. Three components are required: an EventFilter (what triggers), an EventConsumer (what runs), and a FilterToConsumerBinding (links them together).

MITRE ATT&CK

Tactic
Privilege Escalation Persistence
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.003 Windows Management Instrumentation Event Subscription
Canonical reference
https://attack.mitre.org/techniques/T1546/003/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-WMI-Activity/Operational")
| eval EventSource=sourcetype
| eval WmiActivity=case(
    EventCode=19, "WMI Filter Activity",
    EventCode=20, "WMI Consumer Activity",
    EventCode=21, "WMI Consumer Binding",
    EventCode=5857, "WMI Provider Load",
    EventCode=5858, "WMI Query Error",
    EventCode=5861, "WMI Permanent Subscription",
    1=1, null()
  )
| eval WmiCmdLine=case(
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1,
    if(match(CommandLine, "(ActiveScriptEventConsumer|CommandLineEventConsumer|__EventFilter|FilterToConsumerBinding|root.subscription|ROOT.subscription)"), "WMI_CMD", null()),
    1=1, null()
  )
| where isnotnull(WmiActivity) OR WmiCmdLine="WMI_CMD"
| eval DetectionType=coalesce(WmiActivity, WmiCmdLine)
| table _time, host, User, EventCode, DetectionType, CommandLine, Message
| sort - _time
high severity high confidence

Detects WMI persistent event subscriptions using two data sources: Sysmon WMI events (Event ID 19=FilterActivity, 20=ConsumerActivity, 21=ConsumerBinding) which directly record subscription creation, and WMI Activity Operational log (Event ID 5861 = permanent subscription registered). Also detects WMI subscription creation via process command line analysis. Event IDs 19-21 are the highest-fidelity signals as Sysmon logs them natively.

Data Sources

WMI: WMI CreationSysmon Event ID 19 (WmiEvent - WmiEventFilter Activity Detected)Sysmon Event ID 20 (WmiEvent - WmiEventConsumer Activity Detected)Sysmon Event ID 21 (WmiEvent - WmiEventConsumerToFilter Activity Detected)WinEventLog:Microsoft-Windows-WMI-Activity/Operational Event ID 5861

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Microsoft-Windows-WMI-Activity/Operational

False Positives & Tuning

  • Endpoint security products using WMI subscriptions for monitoring
  • SCCM/ConfigMgr client WMI subscriptions
  • Enterprise monitoring solutions
  • Legitimate software using WMI for update triggers or license management
Download portable Sigma rule (.yml)

Other platforms for T1546.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMI Subscription via PowerShell (CommandLineEventConsumer)

    Expected signal: Sysmon Event ID 19: WmiEventFilter Activity (FilterName=ArgusTestFilter). Sysmon Event ID 20: WmiEventConsumer Activity (ConsumerName=ArgusTestConsumer, Type=CommandLineEventConsumer). Sysmon Event ID 21: WmiEventConsumerToFilter Binding. WMI-Activity/Operational Event ID 5861: Permanent subscription created.

  2. Test 2WMI Subscription via WMIC (ActiveScriptEventConsumer)

    Expected signal: Sysmon Event IDs 19, 20, 21 for each WMI subscription component. The ActiveScriptEventConsumer type in Event ID 20 is higher risk than CommandLineEventConsumer. Process creation for wmic.exe with /NAMESPACE:\\root\subscription arguments.

  3. Test 3WMI Subscription via MOF File Compilation

    Expected signal: Sysmon Event ID 1: Process creation for mofcomp.exe with the .mof file path as argument. Sysmon Event IDs 19, 20, 21 after mofcomp compiles the subscription. File creation event (Sysmon 11) for the .mof file in Temp. WMI repository modification events.

Last updated: 2026-04-21 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1546.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1546Event Triggered Execution

Related Sub-techniques

T1546.001Change Default File AssociationT1546.002ScreensaverT1546.004Unix Shell Configuration ModificationT1546.005TrapT1546.006LC_LOAD_DYLIB AdditionT1546.007Netsh Helper DLLT1546.008Accessibility FeaturesT1546.009AppCert DLLsT1546.010AppInit DLLsT1546.011Application ShimmingT1546.012Image File Execution Options InjectionT1546.013PowerShell ProfileT1546.014EmondT1546.015Component Object Model HijackingT1546.016Installer PackagesT1546.017Udev RulesT1546.018Python Startup Hooks

Related Techniques

T1546Event Triggered ExecutionT1047Windows Management InstrumentationT1059.001PowerShellT1059.005Visual BasicT1027Obfuscated Files or InformationT1562.001Disable or Modify ToolsT1078Valid Accounts

Same Tactic: Privilege Escalation

Popular Detections