action: global
title: WMI Persistence
id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
status: experimental
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017/08/22
modified: 2020/10/13
references:
    - https://twitter.com/mattifestation/status/899646620148539397
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1084           # an old one
    - attack.t1546.003
falsepositives:
    - Unknown (data set is too small; further testing needed)
level: medium
---
logsource:
    product: windows
    service: wmi #native windows detection
    definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher'
detection:
    wmi_filter_to_consumer_binding:
        EventID: 5861
        Message|contains:
            - 'ActiveScriptEventConsumer'
            - 'CommandLineEventConsumer'
            - 'CommandLineTemplate'
        # - 'Binding EventFilter'  # too many false positive with HP Health Driver
    wmi_filter_registration:
        EventID: 5859
    condition: (wmi_filter_to_consumer_binding) OR (wmi_filter_registration)
---
logsource:
    product: windows
    service: security
detection:
    wmi_subscription:
        EventID: 4662
        ObjectType: 'WMI Namespace'
        ObjectName|contains: 'subscription'
    condition: wmi_subscription