T1546.003 Sumo Logic CSE · Sumo

Detect Windows Management Instrumentation Event Subscription in Sumo Logic CSE

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Attackers use WMI subscriptions to achieve fileless persistence that survives reboots, runs as SYSTEM, and is not visible in the run keys or scheduled tasks that analysts typically check. Three components are required: an EventFilter (what triggers), an EventConsumer (what runs), and a FilterToConsumerBinding (links them together).

MITRE ATT&CK

Tactic: Privilege Escalation, Persistence
Technique: T1546 Event Triggered Execution
Sub-technique: T1546.003 Windows Management Instrumentation Event Subscription
Canonical reference: https://attack.mitre.org/techniques/T1546/003/

Sumo Detection Query

Sumo Logic CSE query:

_sourceCategory=*windows*
| where sourcetype in ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Microsoft-Windows-WMI-Activity/Operational")
// Path 1: WMI subscription lifecycle event IDs from Sysmon (19, 20, 21) and WMI-Activity (5857, 5858, 5861)
| if(EventCode = "19" or EventCode = "20" or EventCode = "21"
     or EventCode = "5857" or EventCode = "5858" or EventCode = "5861", "true", "false") as WmiDirectEvent
// Path 2: Sysmon process creation whose command line references WMI subscription classes or the subscription namespace
| if(EventCode = "1" and (
      CommandLine matches /(?i)ActiveScriptEventConsumer/ or
      CommandLine matches /(?i)CommandLineEventConsumer/ or
      CommandLine matches /(?i)__EventFilter/ or
      CommandLine matches /(?i)__EventConsumer/ or
      CommandLine matches /(?i)__FilterToConsumerBinding/ or
      CommandLine matches /(?i)root[\\\/]subscription/
    ), "true", "false") as WmiCmdLine
| where WmiDirectEvent = "true" or WmiCmdLine = "true"
// Label which part of the filter / consumer / binding model the event touches
| if(EventCode = "19", "WMI Filter Activity",
    if(EventCode = "20", "WMI Consumer Activity",
      if(EventCode = "21", "WMI Consumer Binding",
        if(EventCode = "5857", "WMI Provider Load",
          if(EventCode = "5861", "WMI Permanent Subscription",
            if(WmiCmdLine = "true", "WMI Command Line Indicator",
              "Unknown WMI Activity")))))) as DetectionType
| fields _messagetime, host, User, EventCode, DetectionType, CommandLine, Message, sourcetype
| sort by _messagetime desc

Severity: High. Confidence: High.

Detects WMI event subscription persistence (T1546.003) in Sumo Logic by evaluating two independent detection paths: direct WMI-Activity and Sysmon WMI event IDs (19, 20, 21, 5857, 5861) indicating subscription lifecycle events, and Sysmon process creation events (EventCode=1) whose command lines reference WMI subscription class names. A classification label is applied to each match to identify which component of the three-part subscription model (EventFilter, EventConsumer, FilterToConsumerBinding) is being configured. Results surface in reverse chronological order for SOC review.
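The same two detection paths and the DetectionType labelling, re-implemented in Python as an added example (not code from this page or from Sumo Logic) and run over constructed Sysmon and WMI-Activity records; field names follow the query, and the sample events are constructed, including a wmic command line of the kind the page's Test 2 describes.

```python
import re

# Added example (not from the page or Sumo Logic): the query's two detection
# paths and its DetectionType labels, re-implemented over constructed events.
WMI_DIRECT_EVENTS = {"19", "20", "21", "5857", "5858", "5861"}
# One case-insensitive pattern covers both "ROOT\subscription" and "root/subscription".
CMDLINE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"ActiveScriptEventConsumer", r"CommandLineEventConsumer", r"__EventFilter",
    r"__EventConsumer", r"__FilterToConsumerBinding", r"root[\\/]subscription")]
LABELS = {"19": "WMI Filter Activity", "20": "WMI Consumer Activity",
          "21": "WMI Consumer Binding", "5857": "WMI Provider Load",
          "5861": "WMI Permanent Subscription"}

def classify(event):
    """Return the DetectionType label for a matching event, else None."""
    code = str(event.get("EventCode", ""))
    cmd = event.get("CommandLine") or ""
    direct = code in WMI_DIRECT_EVENTS
    cmdline = code == "1" and any(p.search(cmd) for p in CMDLINE_PATTERNS)
    if not (direct or cmdline):
        return None                      # dropped by the query's where clause
    if code in LABELS:
        return LABELS[code]
    if cmdline:
        return "WMI Command Line Indicator"
    return "Unknown WMI Activity"        # e.g. 5858: matched but not labelled

def detect(events):
    """Keep matching events, newest first, as (time, host, EventCode, label)."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e["_messageTime"], e.get("host"), str(e["EventCode"]), label))
    return sorted(hits, key=lambda h: h[0], reverse=True)

# Constructed sample telemetry (not real logs); the wmic line mirrors the page's Test 2.
SAMPLE_EVENTS = [
    {"_messageTime": 1, "host": "ws01", "EventCode": "1",
     "CommandLine": "powershell.exe Get-Process"},
    {"_messageTime": 2, "host": "srv01", "EventCode": "1",
     "CommandLine": r"wmic.exe /NAMESPACE:\\root\subscription PATH __EventFilter GET Name"},
    {"_messageTime": 3, "host": "srv01", "EventCode": "19"},
    {"_messageTime": 4, "host": "srv01", "EventCode": "5858"},
    {"_messageTime": 5, "host": "srv01", "EventCode": "5861"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Note that EventCode 5858 (a WMI query error) passes the filter but receives the fallback label, exactly as in the query; decide during tuning whether it should be labelled or dropped.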

Data Sources

  • Microsoft Windows Sysmon
  • Microsoft-Windows-WMI-Activity Operational Log

Required Tables

_sourceCategory=*windows*

False Positives & Tuning

  • Windows Management Instrumentation is used heavily by enterprise monitoring suites (SolarWinds Orion, Nagios, Zabbix agents) that register permanent subscriptions to collect system health metrics — maintain an allowlist of monitoring server source IPs
  • Microsoft Visual Studio and developer tooling may reference WMI subscription namespaces during debugging sessions or SDK testing on developer workstations — scope this detection to server-class systems and exclude known developer machine hostnames
  • Third-party backup software (Veeam, Acronis, Commvault) uses WMI consumers to monitor VSS snapshot events and trigger backup jobs — correlate detections with backup job schedules and vendor process name allowlists

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: WMI Subscription via PowerShell (CommandLineEventConsumer)

    Expected signal: Sysmon Event ID 19: WmiEventFilter Activity (FilterName=ArgusTestFilter). Sysmon Event ID 20: WmiEventConsumer Activity (ConsumerName=ArgusTestConsumer, Type=CommandLineEventConsumer). Sysmon Event ID 21: WmiEventConsumerToFilter Binding. WMI-Activity/Operational Event ID 5861: Permanent subscription created.

  2. Test 2: WMI Subscription via WMIC (ActiveScriptEventConsumer)

    Expected signal: Sysmon Event IDs 19, 20, 21 for each WMI subscription component. The ActiveScriptEventConsumer type in Event ID 20 is higher risk than CommandLineEventConsumer. Process creation for wmic.exe with /NAMESPACE:\\root\subscription arguments.

  3. Test 3: WMI Subscription via MOF File Compilation

    Expected signal: Sysmon Event ID 1: Process creation for mofcomp.exe with the .mof file path as argument. Sysmon Event IDs 19, 20, 21 after mofcomp compiles the subscription. File creation event (Sysmon 11) for the .mof file in Temp. WMI repository modification events.
