WMI

The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers[1][2]

ID: DS0005
Platform: Windows
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

WMI: WMI Creation

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)

Domain ID Name Detects
Enterprise T1546 Event Triggered Execution

Monitor for newly constructed WMI Objects that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

.003 Windows Management Instrumentation Event Subscription

Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. [3] [4] Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.[5]
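Added example for the baseline comparison described above (this script is not part of the ATT&CK page or of any MITRE tooling): it enumerates the permanent event subscription objects in root/subscription with the CIM cmdlets, normalizes each __EventFilter, __EventConsumer and __FilterToConsumerBinding to one line, and reports what has been added to or removed from a previously saved known-good snapshot of the same host. The baseline file location, the -SaveBaseline switch and the one-line key format are assumptions of this example; it must be run from an elevated prompt because standard users cannot read root/subscription.

```powershell
# Added example: diff this host's WMI permanent event subscriptions against a
# known-good baseline. Not from the ATT&CK page; path and switch are assumptions.
#   First run on a known-good host:  .\Compare-WmiSubscriptions.ps1 -SaveBaseline
#   Later runs:                      .\Compare-WmiSubscriptions.ps1
# Needs an elevated prompt: root/subscription is not readable by standard users.
param(
    [string]$BaselinePath = "$env:ProgramData\wmi-subscription-baseline.json",  # assumed location
    [switch]$SaveBaseline
)

$ns = 'root/subscription'   # namespace that holds permanent event subscriptions

# Collapse whitespace so multi-line script text compares as a single line.
function Normalize([string]$s) { return ($s -replace '\s+', ' ').Trim() }

# Event filters: the WQL query decides which event fires the consumer.
$filters = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object {
    'Filter|{0}|{1}' -f $_.Name, (Normalize $_.Query)
})

# Consumers: __EventConsumer is the abstract parent, so this returns every
# concrete consumer class. CommandLine and ActiveScript consumers carry the
# command or script inline, which is where a persistence payload lives, so record it.
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object {
    $c = $_   # capture: inside 'switch', $_ is rebound to the value being tested
    $class = $c.CimSystemProperties.ClassName
    $detail = switch ($class) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }
    '{0}|{1}|{2}' -f $class, $c.Name, (Normalize $detail)
})

# Bindings: Filter and Consumer are object references; the referenced key (Name)
# plus the consumer class is enough to identify the pair.
$bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
    'Binding|{0}|{1}:{2}' -f $_.Filter.Name, $_.Consumer.CimSystemProperties.ClassName, $_.Consumer.Name
})

$current = $filters + $consumers + $bindings

if ($SaveBaseline) {
    ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline saved: $($current.Count) objects -> $BaselinePath"
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "No baseline at $BaselinePath. Run with -SaveBaseline on a known-good host first."
}
$baseline = @((Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json) | Where-Object { $_ })

$baseSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$baseline)
$curSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]$current)
$added   = @($current  | Where-Object { -not $baseSet.Contains($_) })
$removed = @($baseline | Where-Object { -not $curSet.Contains($_) })

if (-not $added -and -not $removed) {
    Write-Output 'WMI subscriptions match the baseline.'
    return
}
# New filters, consumers or bindings are the interesting case for persistence;
# removed ones can mean cleanup of a legitimate subscription, or removal of evidence.
$added   | ForEach-Object { Write-Output "NEW      $_" }
$removed | ForEach-Object { Write-Output "REMOVED  $_" }
```

Any line reported as NEW is a candidate for the Sysmon EID 19-21 or Event ID 5861 records mentioned above and should be reconciled against change records for that host; legitimate software (for example SCCM and some backup agents) does register its own subscriptions, which is why the baseline is taken per host rather than shared.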

Enterprise T1027 Obfuscated Files or Information

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.

.011 Fileless Storage

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.

Enterprise T1021 Remote Services

Monitor for newly constructed WMI objects that are often used to log into a service that accepts remote connections.

Enterprise T1047 Windows Management Instrumentation

Monitor for newly constructed WMI objects that will execute malicious commands and payloads.

Analytic 1 - WMI object creation events

index=security sourcetype="WinEventLog:Microsoft-Windows-WMI-Activity/Operational" (EventCode=5861 OR EventCode=5857 OR EventCode=5858)
| eval CommandLine = coalesce(CommandLine, ParentCommandLine)
| where (EventCode=5861 AND (CommandLine LIKE "%create%" OR CommandLine LIKE "%process%")) OR (EventCode=5857 AND (CommandLine LIKE "%exec%" OR CommandLine LIKE "%invoke%")) OR (EventCode=5858 AND (CommandLine LIKE "%payload%" OR CommandLine LIKE "%wmic%"))
