# T1546.003 Windows Management Instrumentation Event Subscription

-----------------------------------------------------------------------

## Technique Description

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Managed Object Format (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.

## Technique Detection

Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence.(Citation: TechNet Autoruns)(Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI <code>EventFilter</code>, <code>EventConsumer</code>, and <code>FilterToConsumerBinding</code> events. Event ID 5861 is logged on Windows 10 systems when new <code>EventFilterToConsumerBinding</code> events are created.(Citation: Elastic - Hunting for Persistence Part 1)
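The comparison against known-good subscriptions described above, as an added example that is not part of the ATT&CK page or any MITRE tooling. It enumerates the filter, consumer and binding classes in `root\subscription`, records a baseline on first run, and on later runs warns about bindings that were not in the baseline; the baseline file path is an assumption, and the script expects an elevated prompt.

```powershell
# Added example: enumerate permanent WMI event subscriptions and diff them against a baseline.
param(
    [string]$BaselinePath = "$env:ProgramData\wmi-subscription-baseline.json"   # assumed location
)

$ns = 'root\subscription'
$filters  = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
# Consumer classes that execute supplied content; the other standard consumers only log or mail.
$cmdConsumers    = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
$scriptConsumers = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer

$findings = foreach ($b in $bindings) {
    # Filter and Consumer are CIM references; their key property Name identifies the instance.
    $filterName   = $b.Filter.Name
    $consumerName = $b.Consumer.Name
    $filter = $filters         | Where-Object Name -eq $filterName
    $cmd    = $cmdConsumers    | Where-Object Name -eq $consumerName
    $script = $scriptConsumers | Where-Object Name -eq $consumerName
    [pscustomobject]@{
        Filter       = $filterName
        Query        = $filter.Query            # the WQL trigger, e.g. a timer or logon event
        Consumer     = $consumerName
        ConsumerType = if ($cmd) { 'CommandLine' } elseif ($script) { 'ActiveScript' } else { 'Other' }
        Payload      = if ($cmd) { $cmd.CommandLineTemplate } elseif ($script) { $script.ScriptText } else { $null }
    }
}

if (-not (Test-Path $BaselinePath)) {
    # First run on this host: record what is present today as the known-good set.
    $findings | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($(@($findings).Count) bindings)."
} else {
    $baseline = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)
    $known    = @($baseline | ForEach-Object { "$($_.Filter)|$($_.Consumer)" })
    foreach ($f in $findings) {
        $key = "$($f.Filter)|$($f.Consumer)"
        if ($known -notcontains $key) {
            Write-Warning "NEW binding: filter '$($f.Filter)' -> $($f.ConsumerType) consumer '$($f.Consumer)'"
            Write-Warning "  Query:   $($f.Query)"
            Write-Warning "  Payload: $($f.Payload)"
        }
    }
}
```

A CommandLine or ActiveScript consumer that is absent from the baseline is the case worth triaging first; review the Query and Payload fields before removing anything, since legitimate software (for example SCCM) also registers subscriptions.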

Monitor processes and command-line arguments that can be used to register WMI persistence, such as the <code>Register-WmiEvent</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).(Citation: Microsoft Register-WmiEvent)
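The process and command-line monitoring described above, as an added example that is not from the ATT&CK page or MITRE: it reads Security event 4688 (process creation) and surfaces children of WmiPrvSE.exe as well as command lines invoking Register-WmiEvent or mofcomp.exe. It assumes "Audit Process Creation" is enabled with command-line inclusion; without that policy the CommandLine field is empty.

```powershell
# Added example: find process creations tied to WMI subscription registration or execution.
param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # 4688 carries its fields in EventData/Data elements keyed by the Name attribute.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $parent  = $data['ParentProcessName']
    $cmdline = $data['CommandLine']

    # Two signals from the detection text: children of the WMI Provider Host, and the tools
    # used to register subscriptions (Register-WmiEvent cmdlet, mofcomp.exe compiling a .mof).
    $spawnedByWmiHost = $parent -match '\\WmiPrvSE\.exe$'
    $registersWmi     = $cmdline -match 'Register-WmiEvent|mofcomp(\.exe)?\s'
    if (-not ($spawnedByWmiHost -or $registersWmi)) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Reason      = if ($spawnedByWmiHost) { 'Child of WmiPrvSE.exe' } else { 'WMI registration tool' }
        Parent      = $parent
        Child       = $data['NewProcessName']
        CommandLine = $cmdline
        Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}
```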

-----------------------------------------------------------------------

### Tactics:

  * Privilege-Escalation

  * Persistence

### Platforms:

  * Windows

### Adversary Required Permissions:

  * Administrator

  * SYSTEM

### Data Sources:

  * **Process:** Process Creation

  * **Command:** Command Execution

  * **WMI:** WMI Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group | Adversarial Usage |
|----|----|
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129)'s custom ORat tool uses a WMI event consumer to maintain persistence.(Citation: Secureworks BRONZE PRESIDENT December 2019) |
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used WMI event subscriptions for persistence.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021) |
| Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.(Citation: RedCanary Mockingbird May 2020) |
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used WMI for persistence.(Citation: FireEye Periscope March 2018) |
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has attempted to use WMI event subscriptions to establish persistence on compromised hosts.(Citation: Microsoft Holmium June 2020) |
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used WMI event subscriptions for persistence.(Citation: Bitdefender FIN8 July 2021) |
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used WMI event subscriptions for persistence.(Citation: Mandiant No Easy Breach)(Citation: ESET Dukes October 2019)(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021) |
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used WMI event filters and consumers to establish persistence.(Citation: ESET Turla PowerShell May 2019) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1546/003)

  * [Fireeye Wmi 2015](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf), Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.

  * [Dell Wmi Persistence](https://www.secureworks.com/blog/wmi-persistence), Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016, March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016.

  * [Fireeye Wmi Sans 2015](https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf), Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020.

  * [Medium Detecting Wmi Persistence](https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96), French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019.

  * [Elastic - Hunting For Persistence Part 1](https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1), French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020.

  * [Mandiant M-Trends 2015](https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf), Mandiant. (2015, February 24). M-Trends 2015: A View from the Front Lines. Retrieved May 18, 2016.

  * [Microsoft Register-Wmievent](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1), Microsoft. (n.d.). Retrieved January 24, 2020.

  * [Technet Autoruns](https://technet.microsoft.com/en-us/sysinternals/bb963902), Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.

  * [Microsoft Mof May 2018](https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-), Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved January 24, 2020.


*Last pulled from Mitre on: 23 June 2022*

-----------------------------------------------------------------------

### This technique is a duplicate. Follow the link below to the "Primary Version".

<a href="../Persistence/T1546.003 Windows Management Instrumentation Event Subscription.ipynb" target="_blank">Primary Version</a>