MITRE ATT&CK

Windows Management Instrumentation (WMI) is a Windows feature for system management and automation via standardized interfaces. Administrators use WMI to query system info, execute commands, and automate tasks remotely. Attackers exploit WMI event subscriptions to achieve stealthy persistence without touching registry keys or startup folders.

How Attackers Use WMI for Persistence:

WMI event subscription allows payloads to execute automatically when specific triggers occur.

To establish persistence using WMI event subscription, an attacker performs the following three steps:

1. Create an Event Filter:
   • Defines a specific trigger condition (e.g., executes every one minute, at system startup, or when a particular process starts).
   • Example: An attacker may set a filter to trigger when explorer.exe launches.
2. Create an Event Consumer:
   • Specifies the script or command that executes when the filter condition is met.
   • Example: Running powershell.exe with a malicious payload.
3. Create a Binding:
   • Links the Event Filter and Event Consumer, enabling automatic execution whenever the defined condition occurs.
   • Once established, the attacker’s payload executes persistently without requiring additional user interaction.

This method is highly stealthy because it blends with normal system activity

Detection Methods:

Monitor for unusual WMI event subscriptions and activity

Key indicators include:

• New WMI event filters, consumers, or bindings being created.
• Execution of suspicious scripts or commands via WMI.
• Correlation of WMI activity with suspicious processes (e.g., cmd.exe, powershell.exe, mshta.exe).
• Use of non-standard WMI namespaces (e.g., ROOT\\Subscription).

Windows Event Logs & Sysmon Event IDs:

Windows Event Logs