WMI Persistence — Event Subscription Backdoors
Windows Management Instrumentation (WMI) event subscriptions allow code to execute automatically in response to system events, and attackers abuse this to create persistence that most checklists never look at. A permanent subscription can trigger on system startup (via an uptime check), user logon, process creation, a timer, or any other WMI event, and its payload runs as SYSTEM without creating the scheduled tasks, services or Run keys that standard persistence checks enumerate.
Severity
High
ATT&CK Tactic
Privilege Escalation / Persistence
Common attacker usage
APT groups (NOBELIUM/APT29, Lazarus Group) · Cobalt Strike and PowerShell Empire post-exploitation · Advanced malware loaders · Red teams requiring stealth persistence
Investigate immediately if
- !scrcons.exe (WMI Standard Event Consumer) spawns an unexpected child process
- !A WMI permanent subscription is created outside a documented automation deployment
- !wmiprvse.exe spawns cmd.exe, powershell.exe, or an unknown binary
- !Event ID 5858 (WMI operation/query errors) spikes on a system; repeated failures may indicate a subscription that is firing and failing, or tooling probing the repository
MITRE ATT&CK
T1546.003 · Windows Management Instrumentation Event Subscription
Privilege Escalation / Persistence
Security Relevance
WMI subscriptions live in the WMI repository (OBJECTS.DATA under %SystemRoot%\System32\wbem\Repository), not in the Run keys, startup folders, services or scheduled tasks that most persistence checklists cover. They survive reboots, and CommandLineEventConsumer and ActiveScriptEventConsumer payloads run as SYSTEM. Sysinternals Autoruns does list them on its WMI tab, but homegrown and older tooling usually never queries the root\subscription namespace at all. APT29 (Cozy Bear), the group behind the SolarWinds compromise, has used WMI subscriptions for persistence. Detecting WMI persistence therefore requires the right logging (WMI-Activity/Operational, process creation with command line, or Sysmon) and a baseline of what legitimate subscriptions look like in your environment.
Indicators of Malicious Use
- ⚑Event ID 5857: WMI provider loaded — look for unusual provider DLL paths, especially in non-standard directories.
- ⚑Event ID 5858: WMI operation error (typically a query that returned a failure ResultCode) — failed queries issued by a subscription, or by the tooling that installed it, can reveal what the payload is targeting.
- ⚑Event ID 4688: scrcons.exe (the ActiveScriptEventConsumer host, %SystemRoot%\System32\wbem\scrcons.exe) or wmiprvse.exe (which runs CommandLineEventConsumer payloads) spawning child processes — the subscription is executing.
- ⚑Event ID 4688: wmic.exe or PowerShell creating subscription objects, e.g. wmic /namespace:\\root\subscription PATH __EventFilter CREATE ..., or Set-WmiInstance / New-CimInstance with -Namespace root\subscription.
- ⚑scrcons.exe spawning powershell.exe, cmd.exe, or any process not consistent with legitimate WMI automation.
- ⚑wmiprvse.exe making outbound network connections — may indicate a CommandLineEventConsumer payload performing a C2 download or reverse shell (remote WMI management produces inbound connections, so outbound traffic from this process deserves a look).
- ⚑Permanent event subscriptions visible via PowerShell query: Get-WMIObject -Namespace root\subscription -Class __EventFilter (and the matching __EventConsumer and __FilterToConsumerBinding classes) — any unrecognized subscription is suspicious.
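To see the indicators above on a test host (Sysmon 19/20/21 on creation, then a 4688 for wmiprvse.exe spawning cmd.exe after the next reboot), the following creates a deliberately benign permanent subscription. This is an added lab example, not code from the original guide; the subscription name, the marker file path and the consumer command are assumptions. It uses the Windows PowerShell 5.1 WMI cmdlets and must be run elevated on a disposable VM, then removed.

```powershell
# Added lab example (not from the original guide): create a benign permanent
# WMI subscription so detections can be validated. Run elevated on a test VM.
# $Name, $Marker and the echo command are assumptions for this lab only.

$Name   = 'LabTest-WmiPersist'
$Marker = 'C:\ProgramData\wmi-lab-fired.txt'

# 1. Filter: the uptime-bounded startup trigger seen in public tooling. WMI polls
#    every 60 s and the filter matches only while SystemUpTime is 240-325 s, so it
#    fires once a few minutes after boot. Drop the SystemUpTime clauses to make it
#    fire on every 60 s poll instead (useful when you do not want to reboot).
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
    Name           = $Name
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = 'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_PerfFormattedData_PerfOS_System" AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325'
}

# 2. Consumer: CommandLineEventConsumer runs as SYSTEM from wmiprvse.exe, so the
#    resulting Security 4688 shows wmiprvse.exe as the creator of cmd.exe.
$consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{
    Name                = $Name
    CommandLineTemplate = "cmd.exe /c echo lab subscription fired >> `"$Marker`""
}

# 3. Binding: links filter to consumer. Nothing executes until this object exists,
#    which is why a hunt must check all three classes.
$binding = Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
}

# Show what was written to the repository; the same objects are what
# Sysmon 19 (filter), 20 (consumer) and 21 (binding) report.
$filter   | Format-List Name, Query
$consumer | Format-List Name, CommandLineTemplate
$binding  | Format-List Filter, Consumer
```

After the trigger fires, the marker file exists and the 4688 chain wmiprvse.exe → cmd.exe is in the Security log; remove all three objects (binding first) when the test is done.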
Example Log Entry
Log Name: Microsoft-Windows-WMI-Activity/Operational
Event ID: 5857
ProviderName: SCM Event Provider
Code: 0x80041032
HostProcess: wmiprvse.exe

[Followed by Event ID 4688:]
Log Name: Security
Event ID: 4688
New Process Name: C:\Windows\System32\wbem\scrcons.exe
Creator Process: C:\Windows\System32\wbem\wmiprvse.exe

[Followed by Event ID 4688:]
New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Creator Process: C:\Windows\System32\wbem\scrcons.exe
Process Command Line: powershell.exe -enc [BASE64_PAYLOAD]

Note that the legitimate scrcons.exe lives in %SystemRoot%\System32\wbem; a copy running from any other path is its own indicator.
Investigation Steps
- 1.Query the WMI repository directly for permanent subscriptions — run on any suspected system: Get-WMIObject -Namespace root\subscription -Class __EventFilter | Select Name,Query, Get-WMIObject -Namespace root\subscription -Class __EventConsumer, and Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding.
- 2.Check for the three components of a WMI subscription: EventFilter (the WQL trigger query), EventConsumer (the action; CommandLineEventConsumer and ActiveScriptEventConsumer are the classes that run arbitrary code), and FilterToConsumerBinding (the link between them, referencing each by name). All three must be present for persistence to work, so a binding with a missing filter or consumer is a sign of incomplete cleanup.
- 3.Review Event ID 4688 for scrcons.exe and wmiprvse.exe spawning child processes — any child process is the subscription's payload executing.
- 4.Check Event ID 4688 for wmic.exe with namespace:\\root\subscription in the command line — this is how subscriptions are created from the command line.
- 5.Correlate WMI activity timestamps with other incident indicators — WMI persistence is usually deployed after the attacker achieves elevated access.
- 6.Look for the subscription trigger — 'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System' is a common startup-trigger query used by attackers.
- 7.Collect memory and WMI repository artifacts before remediation — the repository is at C:\Windows\System32\wbem\Repository and should be preserved for forensic analysis.
Check your own logs for this technique — upload an EVTX file for instant detection, no account required.
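The steps above can be run as one hunting script. This is an added example, not the guide's own tooling: it enumerates all three classes, joins each binding to its filter and consumer, pulls out the payload, and flags entries that are not in a baseline allowlist or that match the trigger and payload patterns described above. Everything in the allowlist beyond the default Windows entry is an assumption to be replaced with a verified baseline from a clean host.

```powershell
# Added hunting example (not from the original guide). Read-only; run elevated.
# $Allowlist beyond the default Windows entry is an assumption: populate it from
# a known-good host of the same build/agent set before trusting the results.

$ns = 'root\subscription'

# A clean Windows install ships one binding here: filter 'SCM Event Log Filter'
# bound to the NTEventLogEventConsumer 'SCM Event Log Consumer'.
$Allowlist = @('SCM Event Log Filter', 'SCM Event Log Consumer')

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)   # returns every consumer subclass
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Binding.Filter / Binding.Consumer are object references. CIM cmdlets return them
# as objects with a Name key; WMI cmdlets return a path like __EventFilter.Name="x".
function Get-RefName($Ref) {
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

$report = foreach ($b in $bindings) {
    $fName  = Get-RefName $b.Filter
    $cName  = Get-RefName $b.Consumer
    $f      = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $c      = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
    $cClass = if ($c) { $c.CimClass.CimClassName } else { '(consumer missing)' }

    # The payload lives in a class-specific property; only these two classes run code.
    $payload = switch ($cClass) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename } }
        default                     { '' }
    }

    $reasons = @()
    if ($fName -notin $Allowlist -or $cName -notin $Allowlist) { $reasons += 'not in baseline' }
    if ($cClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { $reasons += 'executes code' }
    if ($payload -match 'powershell|cmd\.exe|-enc|FromBase64String|DownloadString|mshta|rundll32|regsvr32|wscript|cscript') { $reasons += 'suspicious payload' }
    if ($f -and $f.Query -match 'SystemUpTime|PerfOS_System') { $reasons += 'uptime/startup trigger' }
    if (-not $f -or -not $c) { $reasons += 'dangling binding (incomplete cleanup?)' }

    [pscustomobject]@{
        Filter        = $fName
        Consumer      = $cName
        ConsumerClass = $cClass
        Query         = if ($f) { $f.Query } else { '(filter missing)' }
        Payload       = $payload
        Suspicious    = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join '; ')
    }
}

# Unbound filters/consumers are inert but still worth reviewing.
$boundF = $bindings | ForEach-Object { Get-RefName $_.Filter }
$boundC = $bindings | ForEach-Object { Get-RefName $_.Consumer }
$orphans = @($filters   | Where-Object Name -notin $boundF | Select-Object @{n='Type';e={'Filter'}}, Name) +
           @($consumers | Where-Object Name -notin $boundC | Select-Object @{n='Type';e={'Consumer'}}, Name)

$report  | Sort-Object Suspicious -Descending | Format-List
if ($orphans.Count) { 'Unbound objects:'; $orphans | Format-Table -AutoSize }
```

Run it with Invoke-Command across a fleet and diff the output against the baseline host; the Reasons column is what to alert on, and any row whose Filter or Consumer is not in the allowlist is a finding even when the payload regex is silent.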
Common False Positives
- ◎Microsoft System Center / SCCM — uses WMI subscriptions extensively for inventory and software deployment. Known SCCM subscriptions will be present on managed systems.
- ◎Antivirus and EDR products — many security products use WMI for real-time monitoring. Subscriptions created by known security vendors are expected.
- ◎Enterprise monitoring tools (SolarWinds Orion, PRTG, Nagios) — may use WMI subscriptions for system health monitoring.
- ◎Windows itself — a clean install carries the built-in 'SCM Event Log Filter' bound to the NTEventLogEventConsumer 'SCM Event Log Consumer' in root\subscription. Build a baseline of expected subscriptions on a clean system before hunting, and treat anything beyond that baseline as a finding until verified.
Remediation
- ✓Remove malicious subscriptions immediately, and remove all three components: the __FilterToConsumerBinding first (without it nothing fires), then the consumer, then the filter, e.g. Get-WMIObject -Namespace root\subscription -Class __EventFilter | Where-Object {$_.Name -eq 'MALICIOUS_NAME'} | Remove-WMIObject for each class. Export the objects before deleting them so the query and payload are preserved as evidence.
- ✓Enable WMI Activity logging via Event Viewer: Applications and Services Logs → Microsoft → Windows → WMI-Activity → Operational — right-click and Enable Log.
- ✓Enable Process Creation auditing and command-line logging (Event ID 4688) — this captures scrcons.exe and wmiprvse.exe child processes.
- ✓Deploy a baseline audit of WMI subscriptions across your environment using tools like Autoruns (Sysinternals, WMI tab) or PowerShell scripts that query root\subscription — alert on any deviation from baseline.
- ✓Restrict WMI access via firewall rules — block remote WMI (DCOM port 135 and dynamic ports) from workstations to servers if not required.
- ✓Use Sysmon with appropriate configuration to log WMI subscription creation (Sysmon Event ID 19 WmiEventFilter, 20 WmiEventConsumer, 21 WmiEventConsumerToFilter) — this records the query and consumer command at creation time, which native logging does not.
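A removal script that follows the order above, as an added example rather than the guide's own procedure: it exports the objects as evidence, deletes the binding first, then the consumer and filter, and verifies nothing referencing those names is left. The two names are placeholders to be taken from your hunt output, and the evidence path is an assumption. Run elevated.

```powershell
# Added remediation example (not from the original guide). Run elevated.
# $FilterName / $ConsumerName are placeholders; $EvidencePath is an assumption.

$ns           = 'root\subscription'
$FilterName   = 'MALICIOUS_FILTER_NAME'
$ConsumerName = 'MALICIOUS_CONSUMER_NAME'
$EvidencePath = "$env:ProgramData\wmi-subscription-evidence.xml"

# Binding references come back as objects (CIM) or paths (WMI); get the Name either way.
function Get-RefName($Ref) {
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-Components {
    @{
        Filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter   -Filter "Name='$FilterName'"
        Consumer = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -Filter "Name='$ConsumerName'"
        Bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                     Where-Object { (Get-RefName $_.Filter) -eq $FilterName -or (Get-RefName $_.Consumer) -eq $ConsumerName })
    }
}

$found = Get-Components
if (-not ($found.Filter -or $found.Consumer -or $found.Bindings.Count)) {
    throw "No subscription components found for filter '$FilterName' / consumer '$ConsumerName'"
}

# Preserve query and payload before they leave the repository.
@($found.Bindings) + @($found.Consumer) + @($found.Filter) |
    Where-Object { $_ } | Export-Clixml -Path $EvidencePath

# Delete in dependency order: bindings (nothing fires without them), then consumer, then filter.
foreach ($obj in @($found.Bindings) + @($found.Consumer) + @($found.Filter)) {
    if ($obj) { $obj | Remove-CimInstance -Verbose }
}

# Verify.
$left = Get-Components
$remaining = @($left.Bindings) + @($left.Consumer) + @($left.Filter) | Where-Object { $_ }
if (@($remaining).Count -eq 0) {
    "Removed all components for '$FilterName' / '$ConsumerName'; evidence saved to $EvidencePath"
} else {
    Write-Warning "$(@($remaining).Count) component(s) still present; re-check the repository and re-run"
}
```

If the filter and consumer share one name (common in attacker tooling), set both variables to it; if the hunt shows several bindings pointing at the same consumer, run the script once per filter name so each binding is captured in the evidence file.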