title: Windows Management Instrumentation Event Subscription (T1546.003)
id: df00tech-t1546-003
status: experimental
description: "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Attackers use WMI subscriptions to achieve fileless persistence that survives reboots, runs as SYSTEM, and is not visible in the run keys or scheduled tasks that analysts typically check. Three components are required: an EventFilter (what triggers), an EventConsumer (what runs), and a FilterToConsumerBinding (links them together)."
references:
  - https://attack.mitre.org/techniques/T1546/003/
  - https://df00tech.com/detections/T1546.003
author: df00tech
date: 2026/04/21
tags:
  - attack.t1546.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Endpoint security products (Microsoft Defender for Endpoint, CrowdStrike, Carbon Black) that use WMI subscriptions for their own monitoring and persistence"
  - SCCM/ConfigMgr client that uses WMI subscriptions for hardware inventory and software distribution tracking
  - "Enterprise monitoring solutions (SolarWinds, SCOM, Nagios agents) that leverage WMI event subscriptions for system monitoring"
  - "Legitimate software that uses WMI subscriptions for update triggers or license management (some AV products, backup agents)"
level: high