ATT&CK v18 has been released! Check out the blog post or changelog for more information.

WMI Creation

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers.

ID: DC0008

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 12 November 2025

Log Sources

Name	Channel
WinEventLog:Application	WMI Object Creation Events
WinEventLog:WMI	Creation or modification of __EventFilter, __FilterToConsumerBinding, or CommandLineEventConsumer
WinEventLog:WMI	EventCode=5857, 5858, 5860, 5861

ID	Name	Technique Detected
DET0010	Behavioral Detection of Event Triggered Execution Across Platforms	T1546
DET0364	Behavioral Detection Strategy for WMI Execution Abuse on Windows	T1047
DET0086	Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation	T1546.003
DET0344	Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory	T1027.011
DET0474	Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy	T1480.001
DET0562	Multi-Platform Execution Guardrails Environmental Validation Detection Strategy	T1480
DET0418	Windows DACL Manipulation Behavioral Chain Detection Strategy	T1222.001