Persistence · Term

What is a WMI event subscription?

WMI event subscriptions can run code when something happens, such as a user logging on or a particular time of day, with no file in an obvious autostart location. That stealth makes them a favored persistence technique. Here is how it works.

TL;DR

A WMI event subscription is a persistence technique that uses Windows Management Instrumentation to run a payload when a chosen event occurs: a logon, a process start, or a time trigger. It is built from three WMI objects: an event filter (the trigger, a WQL query), a consumer (the action, often a command line), and a binding that links them. The definition is stored in the WMI repository and executed by the WMI service as SYSTEM, so it leaves no file in a normal autostart location, which makes it stealthy. Registering one needs local admin. It maps to MITRE ATT&CK T1546.003.

By John Dill, Red Team Lead, SecureLayer7

What it is

WMI can react to system events. A permanent event subscription ties together:

  • an `__EventFilter` (when to fire, expressed as a WQL query, for example "85 seconds after boot" or "at logon"),
  • an event consumer such as a `CommandLineEventConsumer` (what to run),
  • a `__FilterToConsumerBinding` linking the two.

Once registered, the WMI service itself (running as SYSTEM) executes the consumer whenever the filter matches. The definition lives in the WMI repository, not in Run keys or the Startup folder.

The technique and payload

With admin, the attacker registers all three objects (via PowerShell or wmic):

  • An `__EventFilter` whose WQL query selects the trigger (a logon, an interval, a process start).
  • A `CommandLineEventConsumer` whose `CommandLineTemplate` runs the payload.
  • A `__FilterToConsumerBinding` joining the two.

WMI then runs the payload as SYSTEM on each trigger, with nothing in the usual autostart spots. Stealth plus SYSTEM execution is why it is a favored advanced persistence technique. It is documented here for defensive context.
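The three-object registration described above, as an added lab example that is not code from the original page or its author. It builds a complete permanent subscription with a harmless payload (a timestamp appended to a log file whenever notepad.exe starts) so the artifacts can be observed and used to test the detections in the next section. The object names, the notepad.exe trigger and the log path are this example's own choices; it needs an elevated PowerShell session with the CIM cmdlets (Windows PowerShell 3+ or PowerShell 7).

```powershell
#Requires -RunAsAdministrator
# Added lab example: register the three objects of a permanent WMI event
# subscription with a benign payload. Names and paths are illustrative
# assumptions, not taken from any real incident.
$ns           = 'root\subscription'
$filterName   = 'SL7_Demo_NotepadStart'
$consumerName = 'SL7_Demo_LogConsumer'
$logPath      = 'C:\Windows\Temp\wmi_demo.log'

# 1. __EventFilter: the trigger. An intrinsic event, polled every 10 seconds,
#    that fires when a Win32_Process named notepad.exe is created.
$filter = New-CimInstance -Namespace $ns -ClassName __EventFilter -Property @{
    Name           = $filterName
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'"
}

# 2. CommandLineEventConsumer: the action. The WMI service (running as SYSTEM)
#    launches this command line each time the filter matches, so the log file
#    ends up written by SYSTEM, not by the user who started notepad.
$consumer = New-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Property @{
    Name                = $consumerName
    CommandLineTemplate = "powershell.exe -NoProfile -Command `"Add-Content -Path '$logPath' -Value ((Get-Date -Format o) + ' notepad started')`""
}

# 3. __FilterToConsumerBinding: ties filter to consumer. Filter and Consumer are
#    reference properties, hence [Ref]. Until this exists, nothing runs.
$binding = New-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -Property @{
    Filter   = [Ref]$filter
    Consumer = [Ref]$consumer
}

# Verify that all three objects landed in the repository.
Get-CimInstance -Namespace $ns -ClassName __EventFilter            -Filter "Name='$filterName'"
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Filter "Name='$consumerName'"
$binding

# Cleanup when the test is done: binding first, then filter and consumer.
# $binding  | Remove-CimInstance
# $filter   | Remove-CimInstance
# $consumer | Remove-CimInstance
```

Start notepad.exe once the script has run, wait up to the 10-second polling interval, and a new line appears in the log file; this is also the moment Sysmon events 19, 20 and 21 (at registration) and the payload's process creation (at trigger time) should show up in your telemetry. Note the two distinct timestamps: the registration is a one-off event, the execution recurs with no file in any autostart location.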

How to defend

  • Enumerate permanent WMI subscriptions regularly (filters, consumers, bindings in the root\subscription namespace) and baseline the legitimate ones.
  • Enable WMI activity logging (the Microsoft-Windows-WMI-Activity/Operational log; event 5861 records a new permanent consumer binding) and alert on CommandLineEventConsumer or ActiveScriptEventConsumer creation.
  • Use Sysmon events 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter) to catch subscription creation.
  • Limit local admin, which is required to register subscriptions.
  • Hunt for consumers that run scripts or binaries from user-writable paths.
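The enumerate-and-hunt steps above, as an added example that is not code from the original page or its author. It joins filters, consumers and bindings through the binding references, flags the consumers a hunter would look at first, and removes a named subscription in the right order. The baseline and the "suspicious" heuristics are this example's own assumptions; the one entry it treats as benign, the `SCM Event Log Filter` bound to an `NTEventLogEventConsumer`, is present on default Windows installs, and you should extend the list with whatever is legitimate in your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: enumerate every permanent WMI subscription, join the three
# object types via the bindings, and flag the ones worth a closer look.
# Baseline names and the flag heuristics below are this example's assumptions.
$ns = 'root\subscription'
$baseline = @('SCM Event Log Filter')   # shipped with Windows; add your own legitimate filters

# Reference properties come back as CimInstance from the CIM cmdlets; also
# accept the WMI string form ('__EventFilter.Name="x"') for robustness.
function Get-RefName($ref) {
    if ($ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $ref.Name }
    if ("$ref" -match 'Name="([^"]+)"') { return $Matches[1] }
    return "$ref"
}

function Get-WmiSubscription {
    $filters = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }
    $consumers = @{}
    # __EventConsumer is the base class, so this returns every consumer type at once.
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters[$fName]
        $c = $consumers[$cName]

        $type  = if ($c) { $c.CimClass.CimClassName } else { '<missing consumer>' }
        $query = if ($f) { $f.Query } else { '<missing filter>' }
        # What the consumer actually executes, by consumer type.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { '' }
        }

        $flags = @()
        if (-not $f -or -not $c) { $flags += 'dangling-binding' }
        if ($fName -notin $baseline) {
            if ($type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { $flags += 'code-exec-consumer' }
            if ($payload -match '\\(Users|Temp|AppData|ProgramData|Public)\\')   { $flags += 'user-writable-path' }
            if ($payload -match 'powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32') { $flags += 'lolbin' }
            if ($payload -match '\s-e(nc(odedcommand)?)?\s')                       { $flags += 'encoded-powershell' }
            if ($query -match 'Win32_LogonSession|SystemUpTime|__InstanceCreationEvent') { $flags += 'logon/boot/proc-trigger' }
        }

        [pscustomobject]@{
            Filter   = $fName
            Query    = $query
            Consumer = $cName
            Type     = $type
            Payload  = $payload
            Flags    = ($flags -join ',')
        }
    }
}

# Removal order matters: the binding first, then the filter and the consumer,
# otherwise the consumer is left behind for the next binding an attacker adds.
function Remove-WmiSubscription {
    param([Parameter(Mandatory)][string]$FilterName, [Parameter(Mandatory)][string]$ConsumerName)
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName } | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object Name -eq $FilterName   | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object Name -eq $ConsumerName | Remove-CimInstance
}

# Report, flagged entries first.
Get-WmiSubscription | Sort-Object { $_.Flags -eq '' } |
    Format-Table Filter, Type, Consumer, Flags, Payload -AutoSize -Wrap

# Example removal of a known-bad pair (names are placeholders):
# Remove-WmiSubscription -FilterName 'SuspiciousFilter' -ConsumerName 'SuspiciousConsumer'
```

Run this on a clean reference build first and copy what it reports into `$baseline`; on a production host anything that is then left with a non-empty Flags column is either an undocumented admin tool or the persistence this page describes. Because the repository is per host, the enumeration has to run on every endpoint (or be fed from Sysmon 19/20/21 and WMI-Activity 5861 centrally) rather than from one management server.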

References

  1. MITRE ATT&CK: Event Triggered Execution (T1546). MITRE.
  2. WMI events. Microsoft.
  3. MITRE ATT&CK: Persistence (TA0003). MITRE.

Want your environment checked for attacker persistence?


Find the backdoors an attacker would leave behind.

Our red-team and internal penetration tests show where an intruder could hide to survive a reboot or a password reset: registry keys, scheduled tasks, services, WMI subscriptions, web shells, and rogue accounts. We then hand your team the evidence and the fix. Free re-test included.

30-min scoping call, fixed-price proposal in 48 hours.