ATT&CK v18 has been released! Check out the blog post or changelog for more information.

WMI Creation

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers.

Data Collection Measures:

Windows Security Event Logs:
- Event ID 5861 (WMI Permanent Event Subscription)
- Event ID 5860 (WMI Event Filter Activity)
- Event ID 5857 (WMI Event Consumer Activity)
Sysmon Logs:
- Sysmon Event ID 19 – WMI Event Filter Created
- Sysmon Event ID 20 – WMI Event Consumer Created
- Sysmon Event ID 21 – WMI Event Binding Created
Endpoint Detection & Response (EDR)
- Detects WMI-based persistence techniques.

ID: DC0008

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 21 October 2025

Log Sources

Name	Channel
WinEventLog:Application	WMI Object Creation Events
WinEventLog:Microsoft-Windows-WMI-Activity/Operational	EventCode=5861
WinEventLog:Microsoft-Windows-WMI-Activity/Operational	EventCode=5857, 5860, 5861
WinEventLog:WMI	Creation or modification of __EventFilter, __FilterToConsumerBinding, or CommandLineEventConsumer
WinEventLog:WMI	EventCode=5857, 5858
WinEventLog:WMI	EventCode=5857, 5860, 5861

Detection Strategy

ID	Name	Technique Detected
DET0010	Behavioral Detection of Event Triggered Execution Across Platforms	T1546
DET0364	Behavioral Detection Strategy for WMI Execution Abuse on Windows	T1047
DET0086	Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation	T1546.003
DET0344	Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory	T1027.011
DET0474	Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy	T1480.001
DET0562	Multi-Platform Execution Guardrails Environmental Validation Detection Strategy	T1480
DET0418	Windows DACL Manipulation Behavioral Chain Detection Strategy	T1222.001