Name: Hunting For Persistence Via Wmi Subscriptions
Author: mukul975

When to Use

When proactively searching for fileless persistence mechanisms in Windows environments
After threat intelligence reports indicate WMI-based persistence by APT groups (APT29, APT32, FIN8)
When investigating systems where malware persists across reboots despite cleanup attempts
During incident response when standard persistence locations (Run keys, scheduled tasks) are clean
When WmiPrvSe.exe is observed spawning unexpected child processes

Prerequisites

Sysmon Event ID 19, 20, 21 (WMI Event Filter/Consumer/Binding) enabled
Windows Event ID 5861 (WMI activity logging) from Microsoft-Windows-WMI-Activity
PowerShell logging enabled (Script Block Logging, Module Logging)
WMI repository access for enumeration
SIEM platform for event correlation

Enumerate Existing WMI Subscriptions: Query all permanent WMI event subscriptions on target systems. A clean system typically has very few or zero permanent subscriptions, making anomalies easy to spot.

When proactively searching for fileless persistence mechanisms in Windows environments
After threat intelligence reports indicate WMI-based persistence by APT groups (APT29, APT32, FIN8)
When investigating systems where malware persists across reboots despite cleanup attempts
During incident response when standard persistence locations (Run keys, scheduled tasks) are clean
When WmiPrvSe.exe is observed spawning unexpected child processes

Sysmon Event ID 19, 20, 21 (WMI Event Filter/Consumer/Binding) enabled
Windows Event ID 5861 (WMI activity logging) from Microsoft-Windows-WMI-Activity
PowerShell logging enabled (Script Block Logging, Module Logging)
WMI repository access for enumeration
SIEM platform for event correlation

Enumerate Existing WMI Subscriptions: Query all permanent WMI event subscriptions on target systems. A clean system typically has very few or zero permanent subscriptions, making anomalies easy to spot.

Concept	Description
T1546.003	Event Triggered Execution: WMI Event Subscription
__EventFilter	WMI class defining the trigger condition
__EventConsumer	WMI class defining the action to perform
__FilterToConsumerBinding	Links a filter to a consumer
ActiveScriptEventConsumer	Consumer that runs VBScript or JScript
CommandLineEventConsumer	Consumer that executes command lines
WmiPrvSe.exe	WMI Provider Host that executes subscription actions
MOF File	Managed Object Format used to define WMI objects