WMI Event Subscription Persistence
What is WMI Event Subscription Persistence?
Persistence technique that registers a permanent WMI event filter and consumer so attacker code runs whenever a chosen system event occurs.
WMI event subscription persistence (MITRE ATT&CK T1546.003) abuses Windows Management Instrumentation by creating an __EventFilter (a WQL query that selects the trigger condition), an __EventConsumer (the action, often a CommandLineEventConsumer or ActiveScriptEventConsumer), and a __FilterToConsumerBinding that links them. Once written to the root\subscription namespace, the WMI service runs the consumer in the SYSTEM context whenever the filter fires: at logon, on a timer, when a process starts, when a USB device is inserted, and so on. The technique is fileless, survives reboots, and is widely used by advanced threat actors. Detection: enable the WMI-Activity Operational and Trace logs, monitor Sysmon event IDs 19, 20 and 21, baseline existing subscriptions, and remove unfamiliar bindings. Hardening: restrict WMI namespace permissions and apply attack surface reduction (ASR) rules.
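The baselining step above, as an added PowerShell example that is not part of the original entry: it enumerates the three classes in root\subscription, joins each binding to its filter query and consumer action, writes a baseline CSV, and flags bindings whose action invokes a shell or script host. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets in an elevated session; the function name Get-WmiPermanentSubscription and the CSV path are the example's own choices.

```powershell
# Added example, not from the original entry: enumerate permanent WMI event
# subscriptions so they can be baselined and unfamiliar bindings reviewed.
# Assumes Windows PowerShell 5.1+ (CIM cmdlets) in an elevated session.
function Get-WmiPermanentSubscription {
    $ns = 'root\subscription'

    # The three classes the technique relies on: trigger, action and the link between them.
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # A binding's Filter/Consumer properties are references: the CIM cmdlets return
    # them as instances with the key (Name) populated, WMI-style paths arrive as strings.
    function Get-RefName($ref) {
        if ($ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $ref.Name }
        return ($ref -replace '^.*Name="([^"]*)".*$', '$1')
    }

    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $filterName }
        $c = $consumers | Where-Object { $_.Name -eq $consumerName }

        # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer
        # carries ScriptText; other consumer types expose neither.
        $action = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                  elseif ($c.ScriptText)      { $c.ScriptText }
                  else                        { '<no inline action>' }

        [pscustomobject]@{
            FilterName   = $filterName
            Query        = $f.Query
            ConsumerName = $consumerName
            ConsumerType = $c.CimClass.CimClassName
            Action       = $action
        }
    }
}

# Baseline everything, then surface the bindings whose action invokes a shell or
# script host, which is how the two examples on this page would appear.
$all = Get-WmiPermanentSubscription
$all | Export-Csv -Path "$env:TEMP\wmi-subscriptions-baseline.csv" -NoTypeInformation
$all | Where-Object { $_.Action -match 'powershell|wscript|cscript|cmd\.exe|mshta' } |
    Format-List
```

Compare the CSV against a known-good baseline on each run; a binding that is present on the host but absent from the baseline is the one to investigate before removing it.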
● Examples
- 01
A CommandLineEventConsumer that launches PowerShell whenever the system uptime crosses 200 seconds after boot.
- 02
An ActiveScriptEventConsumer that runs malicious VBScript every five minutes.
● Frequently asked questions
What is WMI Event Subscription Persistence?
Persistence technique that registers a permanent WMI event filter and consumer so attacker code runs whenever a chosen system event occurs. It belongs to the Attacks & Threats category of cybersecurity.
What does WMI Event Subscription Persistence mean?
Persistence technique that registers a permanent WMI event filter and consumer so attacker code runs whenever a chosen system event occurs.
How does WMI Event Subscription Persistence work?
WMI event subscription persistence (MITRE ATT&CK T1546.003) abuses Windows Management Instrumentation by creating an __EventFilter (a WQL query that selects the trigger condition), an __EventConsumer (the action, often a CommandLineEventConsumer or ActiveScriptEventConsumer), and a __FilterToConsumerBinding that links them. Once written to the root\subscription namespace, the WMI service runs the consumer in the SYSTEM context whenever the filter fires: at logon, on a timer, when a process starts, when a USB device is inserted, and so on. The technique is fileless, survives reboots, and is widely used by advanced threat actors. Detection: enable the WMI-Activity Operational and Trace logs, monitor Sysmon event IDs 19, 20 and 21, baseline existing subscriptions, and remove unfamiliar bindings. Hardening: restrict WMI namespace permissions and apply attack surface reduction (ASR) rules.
How do you defend against WMI Event Subscription Persistence?
Defences for WMI Event Subscription Persistence typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for WMI Event Subscription Persistence?
Common alternative names include: WMI permanent subscription, Permanent event subscription.
● Related terms
- Scheduled Task Persistence: Persistence and execution technique in which an attacker creates or modifies a Windows scheduled task to run their payload on a trigger such as logon, boot, or a timer.
- Registry Run Key Persistence: Classic Windows persistence technique that adds an entry under a Run or RunOnce registry key so a binary or script executes every time a user logs on.
- COM Hijacking: A persistence technique that redirects a Windows Component Object Model CLSID lookup to attacker code, executing it whenever a host process instantiates that object.
- IFEO Injection: A persistence and privilege-escalation technique that abuses the Windows Image File Execution Options registry key to run attacker code whenever a target executable launches.
- AppInit_DLLs: Legacy Windows persistence technique that abuses a registry value so a specified DLL is loaded into every user-mode process that links user32.dll.
● See also
- Cron Persistence
- launchd Persistence