Skip to content
Threat Feed
medium advisory

Detection of WMI Temporary Event Subscription Creation

Detection of WMI temporary event subscriptions via Windows Event Logs can identify potential attacker command execution, information gathering, or persistence attempts.

This threat brief focuses on the detection of WMI temporary event subscriptions. Attackers frequently abuse Windows Management Instrumentation (WMI) to execute commands, gather information about the target system, and establish persistence. Defenders should monitor for Event ID 5860, indicating the creation of these subscriptions. While WMI is a legitimate administrative tool, its misuse can lead to arbitrary code execution, privilege escalation, and persistent access within the compromised environment. Identifying and analyzing these temporary event subscriptions is crucial to uncovering malicious activity. The provided detection methods aim to highlight suspicious WMI usage, allowing security teams to investigate and remediate potential threats before significant damage occurs. Be mindful of false positives generated by legitimate software utilizing WMI.

Attack Chain

  1. An attacker gains initial access to the target system, potentially through phishing, exploiting a vulnerability, or using stolen credentials.
  2. The attacker leverages their initial access to execute code, potentially using PowerShell or other scripting languages.
  3. The attacker creates a WMI temporary event subscription using the WMIC command-line utility or PowerShell cmdlets. This subscription is designed to trigger an action when a specific event occurs on the system.
  4. The attacker configures the WMI filter with a query to monitor a specific event, such as a new process creation or a file modification.
  5. When the defined event occurs, the WMI event subscription triggers the attacker's specified action, such as executing a malicious script or downloading a payload from a remote server.
  6. The attacker gains persistence or executes further malicious activities based on the output of the triggered WMI event.
  7. The attacker utilizes the WMI-triggered actions to move laterally across the network, compromising additional systems.
  8. The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.

Impact

Successful exploitation via WMI temporary event subscriptions can lead to a range of damaging outcomes. Attackers can execute arbitrary code, potentially compromising sensitive data or disrupting critical systems. Privilege escalation can grant attackers elevated access, enabling them to move laterally across the network and compromise additional systems. The use of WMI for persistence can allow attackers to maintain access to the compromised environment even after the initial intrusion vector has been addressed. Organizations across all sectors are potentially vulnerable to these attacks.

Recommendation

  • Enable Windows Event Logging for WMI activity and ensure the logs are being ingested into your SIEM to detect EventCode 5860.
  • Deploy the Sigma rule Detect Suspicious WMI Event Filter Creation to identify potential malicious WMI event filter creation activity.
  • Investigate any alerts generated by the Sigma rule to identify and validate potentially malicious WMI activity.
  • Review the WMI queries identified by this rule to assess their intent and identify any suspicious or unauthorized commands.
  • Tune the Sigma rule with appropriate filters based on your organization's environment to reduce false positives.
  • Implement endpoint detection and response (EDR) solutions to provide additional visibility into WMI activity and block malicious actions.

Detection coverage 2

Detect Suspicious WMI Event Filter Creation

high

Detects the creation of WMI event filters with potentially malicious queries. This can indicate an attacker attempting to gain persistence or execute code via WMI.

sigma tactics: execution, persistence techniques: T1047 sources: process_creation, windows

Detect WMI Event Consumer Creation

high

Detects the creation of WMI event consumers, often used in conjunction with event filters for malicious purposes.

sigma tactics: execution, persistence techniques: T1047 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →