T1546.003: Windows Management Instrumentation Event Subscription

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. A permanent subscription consists of three objects in the root\subscription namespace: an __EventFilter (a WQL query that defines the trigger), an __EventConsumer (what to run, typically a CommandLineEventConsumer or ActiveScriptEventConsumer), and a __FilterToConsumerBinding that ties the two together. Adversaries may also write these objects in a Managed Object Format (MOF) file (.mof extension) and compile it into the WMI repository with mofcomp.exe, which registers the malicious subscription in one step.

Permanent subscriptions are executed by the WMI Provider Host process (WmiPrvSE.exe), which runs as SYSTEM, so the consumer's payload runs with SYSTEM privileges regardless of which (administrative) user registered it.
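The three-object subscription described above, as an added lab example that is not part of the original page: it registers a benign permanent subscription (the consumer only appends a timestamp to a file) so that the detections listed further down can be exercised on a test host. The object names PT_LabFilter and PT_LabConsumer and the output path are assumptions. Run as Administrator in Windows PowerShell 5.1 on a lab VM only.

```powershell
# Added lab example (not from the original page). Registers a benign permanent
# WMI event subscription in root\subscription. Names and the output path are assumed.
$ns = 'root\subscription'

# 1. __EventFilter: the trigger. This WQL query fires every 60 seconds by polling
#    modifications of the Win32_PerfFormattedData_PerfOS_System instance (the
#    classic "uptime" trigger mentioned in the technique description).
$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = 'PT_LabFilter'
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}

# 2. CommandLineEventConsumer: what runs when the filter fires. WmiPrvSE.exe
#    launches this command line as SYSTEM, which is the escalation point of T1546.003.
$consumer = Set-WmiInstance -Namespace $ns -Class CommandLineEventConsumer -Arguments @{
    Name                = 'PT_LabConsumer'
    CommandLineTemplate = 'cmd.exe /c echo %DATE% %TIME% >> C:\Windows\Temp\pt_lab_wmi.txt'
}

# 3. __FilterToConsumerBinding: ties filter to consumer. This is the step that
#    produces WMI-Activity Event ID 5861 on Windows 10 and later.
Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
}

# Clean-up (remove the binding first, then the consumer and the filter):
# Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
#     Where-Object { $_.Filter -match 'PT_LabFilter' } | Remove-WmiObject
# Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -Filter "Name='PT_LabConsumer'" | Remove-WmiObject
# Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='PT_LabFilter'" | Remove-WmiObject
```

After about a minute the file C:\Windows\Temp\pt_lab_wmi.txt starts growing, Sysmon Event ID 1 shows cmd.exe with WmiPrvSE.exe as its parent, and the binding is visible in Autoruns under the WMI tab; the same three objects are what an adversary registers, only with a malicious CommandLineTemplate or ScriptText.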

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-1096: Deserialization_Payload_WMI_Subscription: Payload usage in the events of WMI subscription creation is detected.
mitre_attck_persistence: PT-CR-272: WMI_Subscriptions: An attempt to modify the content of WMI subscriptions has been detected. Attackers can gain persistence in the system and elevate privileges by executing malicious content initiated by Windows Management Instrumentation (WMI) event subscriptions.
mitre_attck_lateral_movement: PT-CR-1095: LiquidSnake_WMI_EventFilter: The remote use of the LiquidSnake utility to perform malicious actions with WMI subscriptions and execute code is detected.
hacking_tools: PT-CR-2450: WMEye_Execution: Possible use of the WMEye utility for remote execution of arbitrary code and lateral movement. The WMEye utility creates a WMI event filter to write a payload to a file and execute the payload using the MSBuild.exe process.
hacking_tools: PT-CR-2449: WMEye_Event_Filter_Creation: A WMI event filter is created, and the MSBuild.exe process is started to execute a payload written to a file by the created event filter. This may indicate the use of the WMEye utility, which allows lateral movement to other infrastructure hosts and remote execution of arbitrary code.

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor newly executed processes that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).

Note: Windows Security Event ID 4688 (A new process has been created) and Sysmon Event ID 1 (Process creation) can be used to alert on processes created by WMI event subscription triggers by filtering on a parent process name of WmiPrvSE.exe. For 4688 this requires process creation auditing (and command-line logging) to be enabled; expect some legitimate children of WmiPrvSE.exe from management agents, so baseline them per host.
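The filter described in the note above, as an added example that is not part of the original page: it reads Sysmon Event ID 1 and Security Event ID 4688 records from the local host and keeps only those whose parent is WmiPrvSE.exe. It assumes Sysmon is installed and, for 4688, that process creation auditing with command-line logging is on; the function name is an assumption. Run as Administrator.

```powershell
# Added example (not from the original page): list processes spawned by
# WmiPrvSE.exe from Sysmon (ID 1) and the Security log (ID 4688).
function Get-WmiSpawnedProcesses {
    param([int]$Hours = 24)
    $since   = (Get-Date).AddHours(-$Hours)
    $results = @()

    # Turn an event's <EventData><Data Name=...> elements into a hashtable.
    function Read-EventData($evt) {
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        return $d
    }

    # Sysmon Event ID 1: parent is the ParentImage field.
    $sysmon = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
    foreach ($e in $sysmon) {
        $d = Read-EventData $e
        if ($d.ParentImage -like '*\WmiPrvSE.exe') {
            $results += [pscustomobject]@{
                Time = $e.TimeCreated; Source = 'Sysmon'; Image = $d.Image
                CommandLine = $d.CommandLine; User = $d.User; Parent = $d.ParentImage }
        }
    }

    # Security Event ID 4688: parent is the ParentProcessName field (Windows 10+).
    $sec = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since }
    foreach ($e in $sec) {
        $d = Read-EventData $e
        if ($d.ParentProcessName -like '*\WmiPrvSE.exe') {
            $results += [pscustomobject]@{
                Time = $e.TimeCreated; Source = 'Security'; Image = $d.NewProcessName
                CommandLine = $d.CommandLine; User = $d.SubjectUserName; Parent = $d.ParentProcessName }
        }
    }
    $results | Sort-Object Time
}

Get-WmiSpawnedProcesses -Hours 24 | Format-Table -AutoSize
```

Children such as cmd.exe, powershell.exe, mshta.exe, wscript.exe, regsvr32.exe or MSBuild.exe under WmiPrvSE.exe are the high-signal cases; a CommandLineEventConsumer that runs as SYSTEM shows up here with a SYSTEM user, which is what the PT-CR-272 and PT-CR-2450 rules above are built around.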

Monitor for execution of mofcomp.exe as a child of a suspicious shell or scripting utility (\powershell.exe or \cmd.exe) or with a suspicious path in its command line, such as %temp%. Adversaries may compile modified MOF files with mofcomp.exe to create malicious WMI event subscriptions. Legitimate mofcomp.exe runs usually originate from installers and reference MOF files under %SystemRoot%\System32\wbem.

ID: DS0005
Data source and component: WMI: WMI Creation
Description:

Monitor WMI event subscription entries, comparing the current subscriptions in root\subscription to a known-good baseline for each host. Tools such as Sysinternals Autoruns (WMI tab) may also be used to detect WMI changes that could be attempts at persistence. Monitor for the creation of new __EventFilter, __EventConsumer (for example CommandLineEventConsumer or ActiveScriptEventConsumer) and __FilterToConsumerBinding instances. Event ID 5861 is logged in the Microsoft-Windows-WMI-Activity/Operational log on Windows 10 and later when a new __FilterToConsumerBinding is created, and it records the filter query and the consumer details.
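The baseline comparison described above, as an added example that is not part of the original page: it snapshots all filters, consumers and bindings in root\subscription, writes a JSON baseline on first run, and on later runs prints every entry that is not in the baseline. The baseline path and the function names are assumptions. Run as Administrator so that root\subscription is readable.

```powershell
# Added example (not from the original page): snapshot permanent WMI event
# subscriptions and diff them against a saved known-good baseline.
function Get-WmiSubscriptions {
    $ns = 'root\subscription'

    $filters = Get-WmiObject -Namespace $ns -Class __EventFilter | ForEach-Object {
        [pscustomobject]@{ Kind = 'Filter'; Name = $_.Name; Detail = $_.Query }
    }

    # Enumerating the base class returns the derived consumer instances, so the
    # payload property depends on the concrete class.
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object {
        $detail = switch ($_.__CLASS) {
            'CommandLineEventConsumer'  { $_.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $_.ScriptText }
            default                     { $_.__CLASS }
        }
        [pscustomobject]@{ Kind = 'Consumer'; Name = "$($_.__CLASS):$($_.Name)"; Detail = $detail }
    }

    # Filter and Consumer are object paths such as __EventFilter.Name="..."
    $bindings = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
        [pscustomobject]@{ Kind = 'Binding'; Name = $_.Filter; Detail = $_.Consumer }
    }

    @($filters) + @($consumers) + @($bindings)
}

function Compare-WmiSubscriptions {
    param([string]$BaselinePath = 'C:\ProgramData\wmi-subscriptions-baseline.json')  # assumed path

    $current = @(Get-WmiSubscriptions)
    if (-not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath with $($current.Count) entries"
        return
    }

    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    # Key on Kind, Name and Detail so that a rewritten consumer command line
    # (same name, new payload) is reported as well as a brand-new object.
    $key      = { "$($_.Kind)|$($_.Name)|$($_.Detail)" }
    $baseKeys = @($baseline | ForEach-Object $key)

    $current | Where-Object { $baseKeys -notcontains ($_ | ForEach-Object $key) }
}

Compare-WmiSubscriptions | Format-List
```

On a clean Windows install the baseline will contain the default SCM Event Log Filter / SCM Event Log Consumer pair; anything beyond the entries your management agents are known to create, in particular a CommandLineEventConsumer or ActiveScriptEventConsumer whose payload references %temp%, PowerShell with encoded commands, or a download, deserves an immediate look.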

ID: DS0022
Data source and component: File: File Creation
Description:

Monitor for MOF files created outside the %SystemRoot%\System32\wbem folder, as almost all legitimate MOF files are stored there (the compiled repository lives in its Repository subfolder). Adversaries may create modified MOF files to be compiled into WMI event subscriptions.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that can be used to register WMI persistence, such as the Register-WmiEvent PowerShell cmdlet, Set-WmiInstance or New-CimInstance calls against the root\subscription namespace, and mofcomp.exe. Note that Register-WmiEvent creates a temporary subscription that dies with the PowerShell process; permanent persistence requires writing __EventFilter, __EventConsumer and __FilterToConsumerBinding instances.

Mitigation

ID: M1040
Name: Behavior Prevention on Endpoint
Description:

On Windows 10 and later, enable the Attack Surface Reduction (ASR) rule "Block persistence through WMI event subscription" to prevent malware from abusing WMI to attain persistence. ASR rules require Microsoft Defender Antivirus to be the active antimalware engine; roll the rule out in audit mode first to catch legitimate subscriptions created by management agents.
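The rollout described above, as an added example that is not part of the original page: it enables the ASR rule in audit mode, shows how to promote it to block, and reads back the configured state. The rule GUID is Microsoft's published identifier for "Block persistence through WMI event subscription"; the variable names are assumptions. Requires Microsoft Defender Antivirus and an elevated prompt.

```powershell
# Added example (not from the original page): configure and verify the
# "Block persistence through WMI event subscription" ASR rule.
$wmiAsrRule = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

# Stage 1: audit mode. Add-MpPreference updates this rule without clobbering
# other ASR rules that are already configured. Audit hits are logged as Event
# ID 1122 in the Microsoft-Windows-Windows Defender/Operational log.
Add-MpPreference -AttackSurfaceReductionRules_Ids $wmiAsrRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Stage 2: once the audit events are clean, switch the same rule to block
# (blocked attempts are logged as Event ID 1121).
Add-MpPreference -AttackSurfaceReductionRules_Ids $wmiAsrRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify: Ids and Actions are parallel arrays; 0 = Disabled, 1 = Block, 2 = Audit.
function Get-WmiAsrRuleState {
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $wmiAsrRule) {
            return [pscustomobject]@{ RuleId = $ids[$i]; Action = $acts[$i] }
        }
    }
    return [pscustomobject]@{ RuleId = $wmiAsrRule; Action = 'not configured' }
}

Get-WmiAsrRuleState
```

In a managed estate the same rule is normally pushed through Intune or the Group Policy setting "Configure Attack Surface Reduction rules"; the cmdlets above are for pilots and for checking that the policy actually landed on a host.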

ID: M1018
Name: User Account Management
Description:

By default, only members of the local Administrators group are allowed to connect remotely using WMI; restrict which other users are allowed to connect (WMI namespace security and DCOM permissions), or disallow all users from connecting remotely to WMI where remote management is not needed.

ID: M1026
Name: Privileged Account Management
Description:

Prevent credential overlap of administrator and privileged accounts across systems, so that an account compromised on one host cannot be reused to register subscriptions remotely on others.