Monitor for creation of WMI EventFilter, EventConsumer, and FilterToConsumerBinding objects in the root\subscription namespace, whether they are created through WMI/CIM calls or by compiling a MOF file. Detect command-line execution of mofcomp.exe, PowerShell use of Register-WmiEvent (which creates a temporary, session-scoped subscription) and of Set-WmiInstance or New-CimInstance against root\subscription (which create the permanent subscriptions used for persistence), and anomalous child processes of WmiPrvSE.exe (the host for CommandLineEventConsumer) or scrcons.exe (the host for ActiveScriptEventConsumer) that indicate triggered execution. Correlate unusual process lineage with the WMI-Activity/Operational channel: Event ID 5861 is written when a permanent filter-to-consumer binding is registered, and where Sysmon is deployed its Event IDs 19, 20 and 21 record filter, consumer and binding registration respectively.
| Data Component | Log Source | Event ID |
|---|---|---|
| WMI Creation (DC0008) | WinEventLog:Microsoft-Windows-WMI-Activity/Operational | EventCode=5861 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| TimeWindow | Maximum time between a WMI subscription creation event (5861) and a process spawned by WmiPrvSE.exe for the two to be correlated as one triggered-execution chain |
| UserContext | Restricts the analytic to specific accounts (e.g., SYSTEM, or accounts suspected to be attacker-controlled) |
| ProcessNameAllowlist | Excludes known benign consumers legitimately launched via WMI subscriptions (e.g., backup agents, management software) |
| ParentProcessAnomalyThreshold | Defines what constitutes anomalous spawning from WmiPrvSE.exe, e.g. a child image never seen under that parent on the host before |
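The correlation described above, as an added illustration of how the tunables fit together; this is not code from the original page or from ATT&CK. The event records are constructed, the field names follow the usual Splunk extraction of Windows and Sysmon XML events (EventCode, Image, ParentImage, CommandLine, User), and the three function and parameter names are hypothetical. The block reports subscription creation (5861), execution of creation tooling (mofcomp.exe or a command line that registers a filter/consumer/binding), and non-allowlisted children of WmiPrvSE.exe or scrcons.exe, raising the last to high severity when a 5861 event fell inside TimeWindow.

```python
"""Correlate WMI permanent-subscription creation with WMI-triggered processes.

Illustrative detection logic, not the page's own analytic. Event dicts below are
constructed samples using Splunk-style field names (an assumption); adjust the
field names to match your own extraction."""
from datetime import datetime

WMI_CHANNEL = "Microsoft-Windows-WMI-Activity/Operational"
SYSMON = "Sysmon"
CONSUMER_HOSTS = {"wmiprvse.exe", "scrcons.exe"}   # CommandLine / ActiveScript consumer hosts
CREATION_TOOLS = {"mofcomp.exe"}
CREATION_CMD_MARKERS = ("register-wmievent", "set-wmiinstance", "new-ciminstance",
                        "__eventfilter", "eventconsumer", "filtertoconsumerbinding")

# Constructed sample events (not real telemetry); timestamps are UTC, in event order.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "source": WMI_CHANNEL, "EventCode": 5861, "User": "CORP\\alice",
     "Message": "Namespace = //./root/subscription; Consumer = CommandLineEventConsumer.Name=\"Updater\"; "
                "CommandLineTemplate = powershell.exe -nop -w hidden -enc AAAA"},
    {"ts": "2024-05-01T10:00:05", "source": SYSMON, "EventCode": 1, "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wbem\\mofcomp.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "mofcomp.exe C:\\Users\\alice\\AppData\\Local\\Temp\\persist.mof"},
    {"ts": "2024-05-01T10:01:10", "source": SYSMON, "EventCode": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    {"ts": "2024-05-01T12:30:00", "source": SYSMON, "EventCode": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Program Files\\BackupVendor\\backupagent.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "backupagent.exe --scheduled"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def subscription_creations(events, user_context=None):
    """5861 events: a permanent filter-to-consumer binding was registered (UserContext tunable)."""
    return [e for e in events
            if e["source"] == WMI_CHANNEL and e["EventCode"] == 5861
            and (user_context is None or e["User"] in user_context)]


def creation_tool_executions(events):
    """Sysmon 1 events running mofcomp.exe or a command line that registers WMI subscription objects."""
    hits = []
    for e in events:
        if e["source"] != SYSMON or e["EventCode"] != 1:
            continue
        cmd = e["CommandLine"].lower()
        if _base(e["Image"]) in CREATION_TOOLS or any(m in cmd for m in CREATION_CMD_MARKERS):
            hits.append(e)
    return hits


def consumer_children(events, allowlist):
    """Sysmon 1 events whose parent is a WMI consumer host, minus the ProcessNameAllowlist."""
    allow = {a.lower() for a in allowlist}
    return [e for e in events
            if e["source"] == SYSMON and e["EventCode"] == 1
            and _base(e["ParentImage"]) in CONSUMER_HOSTS
            and _base(e["Image"]) not in allow]


def correlate(events, time_window_s=300, allowlist=frozenset(), user_context=None):
    """Return alert dicts; a consumer child within TimeWindow of a 5861 event is rated high."""
    alerts = []
    creations = subscription_creations(events, user_context)
    for e in creations:
        alerts.append({"rule": "wmi_subscription_created", "severity": "medium",
                       "ts": e["ts"], "user": e["User"]})
    for e in creation_tool_executions(events):
        alerts.append({"rule": "wmi_creation_tool", "severity": "medium",
                       "ts": e["ts"], "user": e["User"], "cmd": e["CommandLine"]})
    for e in consumer_children(events, allowlist):
        t = _ts(e)
        linked = [c for c in creations if 0 <= (t - _ts(c)).total_seconds() <= time_window_s]
        alerts.append({"rule": "wmi_triggered_process",
                       "severity": "high" if linked else "medium",
                       "ts": e["ts"], "image": _base(e["Image"]), "cmd": e["CommandLine"],
                       "subscription_ts": linked[0]["ts"] if linked else None})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, time_window_s=300, allowlist={"backupagent.exe"}):
        print(alert)
```

With the backup agent allowlisted, the run yields three alerts: the 5861 creation, the mofcomp.exe execution, and the PowerShell child of WmiPrvSE.exe at high severity because it followed the creation by 70 seconds. Shrinking TimeWindow below that gap, or dropping the allowlist so the unrelated backup agent launch is also reported, shows why both parameters need tuning per estate rather than being left at defaults.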