How to Investigate Malware WMI Event Consumers 2025

  • February 6, 2025

This blog post will teach you how to detect malware WMI Event Consumers.

  • First, we review the WMI and the many ways attackers use it.
  • Second, we review WMI Event Consumers and how it’s used for persistence.
  • Last, we explore investigation techniques, especially the latest (and most effective) methods.

Let’s get to it.

Jump to…
What Is Windows Management Instrumentation (WMI)?
How Do Threat Actors Abuse WMI?
What Are WMI Event Consumers?
What Are Malware WMI Event Consumers?
Traditional Investigation Methods
Modern Investigation Methods
Keep Learning Investigation Strategies

What Is Windows Management Instrumentation (WMI)?

WMI is a Windows feature that allows admins and apps to search, manage, and monitor system configs and events.

It’s often used for:

  • Admin task automation
  • Real-time event monitoring
  • Remote system management

WMI is part of the Windows OS, accessible via PowerShell, Command Prompt, and various programming interfaces.To get a more detailed understanding of what WMI is and all of its components, check out the WMI Forensics Whitepaper by FireEye or this multi-part series of offensive WMI.

How Do Threat Actors Abuse WMI?

WMI is versatile, so attackers can use it at every step in the attack lifecycle. Below are a few examples of the tactics WMI can be used for.

Some examples:

#1 Execution

WMI local process example.
Example PowerShell to create a “notepad.exe” process locally.
WMI remote process example.
Example PowerShell to create a “notepad.exe” process on a remote system.

WMI can be used to create new processes both locally and remotely using the Win32_process create method. WMIExec.py is an example of a common script that is often abused by threat actors to launch processes remotely via WMI.

#2 Lateral Movement

WMI lateral example.
Example PowerShell to list content of directory on remote system.

WMI can be used to access remote systems through DCOM (used by older systems) or WinRM (newer systems). Any action that can be done via WMI locally can be done remotely as well given the proper firewall rules are in place. We previously saw that you can create processes remotely and the same would apply to persistence such as services.

#3 Discovery

WMI patch level example.
Example PowerShell to show applied patches.
WMI AV product example.
Example PowerShell to show AV products installed.
WMI process enumeration example.
Example PowerShell to show all running processes.
WMI service enumeration example.
Example PowerShell to show services.

WMI can be used to gather a large array of data from systems such as: AV products (using the AntiVirusProduct class), Patch levels (using the Win32_QuickFixEngineering class), and running processes/services (using the Win32_Process and Win32_Service classes).

#4 Defense Evasion

WMI clear event log example.
Example PowerShell to clear application event log.
WMI virtual example.
Example PowerShell to check if the system may be a virtual machine.

WMI can be used directly to disable event logs, clear event logs (using the NTEventLogFile class), and check for virtualization/sandboxing (using Win32_computersystem class).

#5 Impact

Example PowerShell to list and then delete volume shadow copies.
Example PowerShell to list and then delete volume shadow copies.
WMI shutdown system
Example PowerShell to restart a system.

WMI can be used to impact systems by inhibiting system recovery by deleting volume shadow copies (using Win32_ShadowCopy class) and forcing system restarts/shutdown (using Win32_OperatingSystem class methods).

#6 Persistence

WMI persist service example.
Example PowerShell to create a new service locally.
WMI persist autorun example.
Example PowerShell to create an autorun run key.

WMI can be used for persistence by creating services (using Win32_service create method), modifying registry autorun keys (using StdRegProv methods), and using WMI permanent event consumers. WMIPersist.py is a script that automates the process of creating persistence via event consumers.

This post does not cover all malicious uses of WMI.

We focus on:

  • How attackers use WMI as a persistence mechanism via event consumers.
  • How investigators can detect it.

What Are WMI Event Consumers?

WMI consumers are a way to listen to WMI events and take action on them.

There are two types:

Temporary Consumers Permanent Consumers
Temporary consumers live only as long as the app that set them up. They are stored in memory. Permanent consumers live on even after the process that created them has gone away. They are stored inside the WMI database.

We will focus on permanent consumers as an attacker persistence method because:

  1. They are more common.
  2. They are more interesting.

A permanent consumer needs 3 things to exist:

#1 Event Filter

This is an event filter written in WQL that determines what condition will trigger the consumer actions.

Key Info Example
CreatorSID: User SID that created the filter.

Name: Name of the filter.

Query: The WQL query that is used to trigger the “action.”
WMI filter creation example.
Example PowerShell used to create an event filter that triggers whenever notepad.exe is created.

WMI filter enumeration example.
Example PowerShell querying root\subscription namespace for all event filters.

#2 Event Consumer

The consumer is an action that occurs when the filter finds events to trigger on. There are five standard events defined. Of these, CommandLineEventConsumer and ActiveScriptEventConsumer are the most important because they allow a program or script to be executed.

Key Info CommandLineEventConsumer Example
CreatorSID: User SID that created the consumer.

Name: Name of the consumer.

ExecutablePath: Represent the executable to be run. It can be empty, in which case CommandLineTemplate will contain the path and args.

CommandLineTemplate: Contains the args and optionally the path. Can be empty, in which case ExecutablePath is required.
WMI Cmd consumer creation example.
Example PowerShell used to create a CommandLineEventConsumer that launches PowerShell.

WMI Cmd consumer enumeration example.
Example PowerShell used to enumerate CommandLineEventConsumers.
Key Info ActiveScriptEventConsumer Example
CreatorSID: User SID that created the consumer.

Name: Name of the consumer.

ScriptFileName: Path to script file to be executed. This must be null if ScriptText is not.

ScriptText: Script content to run without writing a file to disk.
WMI script consumer creation example.
Example PowerShell used to create a ActiveScriptEventConsumer that downloads Impacket.

Example PowerShell used to enumerate ActiveScriptEventConsumers.

#3 Event Binding

The binding is what ties a filter to a consumer. Without this binding nothing will happen. An event consumer and filter can both exist, but no action will be taken until they are mapped together with the binding definition.

Key Info Example
CreatorSID: User SID that created the binding. This can differ from the user that created the filter

Consumer: Provides the name and type of consumer. Used to get details on what action will occur.

Filter: Contains the name of the filter. This is used to find the filter details. Example: What triggers the action?\.
WMI binding creation example.
Example PowerShell used to create an event binding between the notepad filter and Impacket download consumer.

WMI binding enum example.
Example PowerShell used to enumerate all event bindings in a given namespace. This example shows 2 bindings.
Note:
Consumers/filters/bindings are scoped to the namespace they were created in. The above examples created everything in the root\subscription namespace. However, they can also be defined in other namespace like root\default. It’s important to check all namespaces for potential persistence.

WMI query consumer different namespace example.
Example illustrating that consumers are scoped to a namespace. The subscription namespace has encoded_PowerShell consumer, while Default has “ping_google” and subscription/ms_409 has no consumers

What Are Malware WMI Event Consumers?

As you’ve gathered by now, WMI Event Consumers are really useful to attackers. As DFIR expert Chris Ray observes: “Malware that use WMI event consumers for persistence can be tricky to catch if you are not looking at WMI, however, once you know what to look for it’s usually easy to spot.”

Advantages for persistence:

Event-Driven Execution Fileless Persistence Stealth and Evasion
Malware remains dormant until a triggered event like a user login, system startup, or process creation. This method doesn’t put a file on disk. The malicious script is saved within the WMI database, making it difficult to detect using file-based scanning. WMI is complex, and it can be difficult to understand all of its components. As a result it’s easy to miss WMI persistence that deviates beyond the standard cases that everyone talks about.

Example of Stealth and Evasion:

If you only look in root\subscription you can miss persistent if it’s defined elsewhere like root\default or even sub-namespaces like root\subscription\ms_409

If you only focus on looking for consumers of type ActiveScriptEventConsumer or CommandLineEventConsumer you could miss easy persistence that made custom named consumers that are inherited from the above consumers.

An attacker creates a WMI event subscription using the three components we reviewed above:

#1 Create Event Filter #2 Create Event Consumer #3 Create Event Binding
The attacker picks the event that triggers execution. The attacker decides the action that executes when the event occurs. The attacker links the filter to the consumer, ensuring the execution actually happens when the event occurs.
Example Example Example
Monitor process creation (__InstanceCreationEvent) to trigger when cmd.exe runs. CommandLineEventConsumer to run a PowerShell script. CommandLineEventConsumer is mapped to event filter so that it can trigger on the desired action.

Common persistence scenarios:

Tools That Use WMI Persistence Threat Actors/Malware that has used WMI Persistence
Impacket (WMIPersist.py) APT 29
CrackMapExec SolarWinds Compromise
MetaSploit wmi_persistence module Turla
SilentTrinity
More examples of scripts that automate the WMI persistence via event consumers can be found here You can find more examples of threat groups and malware-abusing WMI consumers here and here.

Traditional Investigation Methods

A classic method of detecting malware WMI Event Consumers is:

  1. Looking where the evidence is found.
  2. Looking for suspicious signs in the data.

The evidence is found in 4 places:

  1. EDRs
  2. WMI database
  3. Sysmon event log
  4. WMI-activity event log

Here is how to access the data:

EDRs
How to Access the Data:

Most EDR tools like Microsoft Defender for Endpoint, CrowdStrike Falcon, or SentinelOne provide visibility into WMI abuse. To check if your EDR supports WMI logging check out the EDR Telemetry project for a quick comparison.

Use built-in hunting queries in Kusto Query Language (KQL) or SIEM solutions like Splunk:

DeviceEvents | where ActionType == 'WmiBindEventFilterToConsumer'

Example KQL query in Defender to get WMI binding events:

WMI Defender example.
Example MDE WMI binding event.
WMI Database
How to Access the Data:

The WMI database is located:

c:\windows\system32\wbem\repository
Windows\system32\wbem\repository\fs (xp)

The folder is comprised of the following files:

Objects.data The WMI database that stores all of the data.
Index.btr Index file to help locate data in objects.data.
Mapping[1-3].map Mapping files to map entries in index.btr to data in objects.data.

Depending on what you have available, there are 3 main options for getting data out of the WMI database:

Live Systems Disk Images and Logical Files Sets
PowerShell or similar tools to query for data directly through WMI. Parse the WMI database structure to get the most amount of detail. This is the approach we take using the python-cim library.

Scan the WMI database for signatures that indicate what data you are looking for. The main advantage this approach has is speed but can result in false hits. This is the approach tools like wmi-parser take.
Sysmon Event Log
How to Access the Data:

Requires Sysmon with an appropriate configuration (sysmon.xml). A commonly used sysmon configuration that includes the below events for monitoring can be found here by SwiftOnSecurity.

View logs in Event Viewer under:

Applications and Services Logs\Microsoft\Windows\Sysmon\Operational

Query logs using PowerShell:

Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational
WMI-Activity Event Log
How to Access the Data:

Located at:

Applications and Services Logs\Microsoft\Windows\WMI-Activity\Operational

View using Event Viewer (eventvwr.msc) or PowerShell:

Get-WinEvent -LogName Microsoft-Windows-WMI-Activity/Operational

Here’s what to look for:

  • Review any logs that indicate newly created bindings. They should be created infrequently
  • Review existing bindings. There are legit uses of WMI persistence, but once you have identified the common uses in your org it should be easier to flag changes in the future. A common use that we see often is for SCM Event logging
  • Any WMI bindings that are executing encoded PowerShell or use the ActiveScriptEventConsumer should be reviewed
  • Processes that have a parent of scrcons.exe should be reviewed. This can indicate scripts launched via ActiveScriptEventConsumers.
  • Using existing WMI sigma rules can be another great starting point for event log analysis.

Modern Investigation Methods

While we provided a traditional method, it’s not the method we recommend. That’s because this approach focuses on:

  1. Learning the ins and outs of each particular artifact type.
  2. Investigating each one by one according to their idiosyncrasies.

This is a waste of time — and risks losing the forest for the trees.

During an investigation, your real question isn’t “Are these WMI Consumer Events suspicious?” Your real question is higher level. You want to know if “Trigger Tasks” (WMI Consumer Events being one type) were used by an attacker. “Triggered Tasks” are higher-level information artifacts representing persistence on a system. Some action will occur based on a trigger.

For WMI persistence:

  • “Consumer” is the action.
  • “Filter” is the trigger.

This approach is big picture.

Modern Investigation Method Traditional Investigation Method
  • Think about the big types of evidence.
  • Create an investigation strategy.
  • Work “top down.”
  • Think about all the little artifact types
  • Think about how to investigate each
  • Work “bottom up.”

Cyber Triage is built around the modern investigation method. Cyber Triage represents WMI persistence of “Triggered Task.”

WMI Task Type.
Example showing the types of information artifacts that we group under Triggered Tasks
CT WMI Task example.
Example showing WMI persistence as “Triggered Tasks.”

Cyber Triage directly parses the WMI database using a custom script we wrote that leverages the python-cim library. We enumerate all namespaces and look for any instances of __FilterToConsumerBinding:

WMI enumration script example.

From there, we get the associated filter and consumers. Cyber Triage focuses on the consumers that can execute code/programs vs the other less interesting consumers like logging.

Cyber Triage has scoring to flag any persistence using non-standard consumers or non-standard namespaces as bad — one way a threat actor could try to hide their activity.

Example showing Cyber Triage scoring WMI persistence that is located in a non-standard namespace:

WMI bad heuristic example.

If you’d like to see how Cyber Triage works for yourself, you can.

Just use our 7-day free trial

Keep Learning Investigation Strategies

We hope this blog post helped you better understand how to investigate malware WMI event consumers. If you’d like to keep learning our approach to investigations, here are some resources you’ll love:

Intro to DFIR Series DIFR Next Steps Series

 

Share

FacebookTwitterLinkedInReddit

Cyber RespondIR Newsletter

Like to learn about DFIR?

Sign up for our newsletter to get updates when we push out new technical posts and videos.

Related

Blog