seikaikyo/hunting-for-persistence-via-wmi-subscriptions

Hunting for Persistence via WMI Subscriptions

When to Use

• When proactively searching for fileless persistence mechanisms in Windows environments
• After threat intelligence reports indicate WMI-based persistence by APT groups (APT29, APT32, FIN8)
• When investigating systems where malware persists across reboots despite cleanup attempts
• During incident response when standard persistence locations (Run keys, scheduled tasks) are clean
• When WmiPrvSe.exe is observed spawning unexpected child processes

Prerequisites

• Sysmon Event ID 19, 20, 21 (WMI Event Filter/Consumer/Binding) enabled
• Windows Event ID 5861 (WMI activity logging) from Microsoft-Windows-WMI-Activity
• PowerShell logging enabled (Script Block Logging, Module Logging)
• WMI repository access for enumeration
• SIEM platform for event correlation

Workflow

1. Enumerate Existing WMI Subscriptions: Query all permanent WMI event subscriptions on target systems. A clean system typically has very few or zero permanent subscriptions, making anomalies easy to spot.
2. Monitor WMI Event Creation (Sysmon 19/20/21): Sysmon Event 19 captures WmiEventFilter activity, Event 20 captures WmiEventConsumer activity, and Event 21 captures WmiEventConsumerToFilter binding.
3. Analyze Consumer Types: Focus on ActiveScriptEventConsumer (runs VBScript/JScript) and CommandLineEventConsumer (executes commands) -- these are the dangerous types used for persistence.
4. Check Event Filter Triggers: Examine what triggers the subscription. Common malicious triggers include system startup (Win32_ProcessStartTrace), user logon, or timer-based execution intervals.
5. Investigate WmiPrvSe.exe Child Processes: When a WMI subscription fires, the action is executed by WmiPrvSe.exe. Hunt for unusual child processes of WmiPrvSe.exe.
6. Correlate with MOF Compilation: Detect mofcomp.exe usage which compiles MOF files to create WMI subscriptions programmatically.
7. Validate and Respond: Confirm malicious subscriptions, remove them, and trace back to the initial infection vector.

Key Concepts

| Concept | Description | |---------|-------------| | T1546.003 | Event Triggered Execution: WMI Event Subscription | | __EventFilter | WMI class defining the trigger condition | | __EventConsumer | WMI class defining the action to perform | | __FilterToConsumerBinding | Links a filter to a consumer | | ActiveScriptEventConsumer | Consumer that runs VBScript or JScript | | CommandLineEventConsumer | Consumer that executes command lines | | WmiPrvSe.exe | WMI Provider Host that executes subscription actions | | MOF File | Managed Object Format used to define WMI objects |

Detection Queries

Splunk -- WMI Subscription Creation via Sysmon

index=sysmon (EventCode=19 OR EventCode=20 OR EventCode=21)
| eval event_type=case(EventCode=19, "EventFilter", EventCode=20, "EventConsumer", EventCode=21, "FilterToConsumerBinding")
| table _time Computer User event_type EventNamespace Name Query Destination Operation

Splunk -- WMI Subscription via Windows Event 5861

index=wineventlog source="Microsoft-Windows-WMI-Activity/Operational" EventCode=5861
| table _time Computer NamespaceName Operation PossibleCause

PowerShell -- Enumerate WMI Subscriptions

Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class __EventConsumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding

KQL -- WmiPrvSe.exe Spawning Suspicious Children

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine

Sigma Rule

title: WMI Event Subscription Persistence
status: stable
logsource:
    product: windows
    category: wmi_event
detection:
    selection_consumer:
        EventID: 20
        Destination|contains:
            - 'ActiveScriptEventConsumer'
            - 'CommandLineEventConsumer'
    condition: selection_consumer
level: high
tags:
    - attack.persistence
    - attack.t1546.003

Common Scenarios

1. APT29 WMI Persistence: Creates an ActiveScriptEventConsumer that executes a VBScript backdoor on system startup, surviving reboots and credential resets.
2. Turla WMI Backdoor: Uses Win32_ProcessStartTrace filter combined with CommandLineEventConsumer for covert command execution.
3. FIN8 WMI Timer: Interval-based __IntervalTimerEvent triggering encoded PowerShell downloads every 30 minutes.
4. MOF-Based Installation: Adversary drops a .mof file and compiles it with mofcomp.exe to silently create persistent subscriptions.

Output Format

Hunt ID: TH-WMI-[DATE]-[SEQ]
Host: [Hostname]
Subscription Name: [Filter/Consumer name]
Filter Query: [WQL trigger condition]
Consumer Type: [ActiveScript/CommandLine]
Consumer Action: [Script content or command]
Binding: [Filter-to-Consumer link]
Created: [Timestamp]
User Context: [SYSTEM/User]
Risk Level: [Critical/High/Medium/Low]