WMI Event Subscription Persistence
MITRE ATT&CK™ Event Triggered Execution: Windows Management Instrumentation Event Subscription - Technique T1546.003
Using WMI on a remote endpoint, persistence can be established by subscribing to WMI events. Note that this technique can also be used for lateral movement. For more information
Typically, a WMI event subscription requires creating instances of three classes: one that stores the payload or arbitrary command, one that specifies the event that triggers the payload, and one that relates the two (__EventConsumer and __EventFilter) so that trigger and execution are bound together.
__EventFilter // Trigger (new process, failed logon etc.)
__EventConsumer // Perform action (execute payload etc.)
__FilterToConsumerBinding // Binds the filter and consumer instances
Implementing this technique doesn't require any toolkit, since Windows ships a utility that can interact with WMI (wmic), and PowerShell can be used as well.
Executing the following commands in PowerShell creates the three instances in the "root\subscription" namespace. The arbitrary payload can be set to execute within 5 seconds of every new logon session being created, or within 60 seconds every time Windows starts.
We can clean up using the following commands
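From the defender's side, the same three classes are what an audit has to pair up. The script below is an added example, not the commands from the original note: it lists every binding in root\subscription together with the filter query that triggers it and the command its consumer runs, and offers a cleanup function that removes a subscription by filter name. It assumes an elevated PowerShell session; all class and property names are standard WMI.

```powershell
# Added example (not from the original note): audit permanent WMI event
# subscriptions and remove one by filter name. Run elevated.
$ns = 'root/subscription'

function Get-RefName {
    # Binding Filter/Consumer properties are object references; CIM cmdlets
    # return them as CimInstance, legacy WMI cmdlets as a path string.
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    return ([string]$Ref -split '"')[1]      # __EventFilter.Name="foo" -> foo
}

function Get-WmiSubscriptionAudit {
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $f = $filters   | Where-Object Name -eq (Get-RefName $b.Filter)
        $c = $consumers | Where-Object Name -eq (Get-RefName $b.Consumer)
        $class = $c.CimClass.CimClassName
        # The payload lives in a class-specific property of the concrete consumer.
        $payload = switch ($class) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { "<$class>" }
        }
        [pscustomobject]@{
            Filter        = $f.Name
            Query         = $f.Query          # e.g. logon session / uptime triggers
            ConsumerClass = $class
            Payload       = $payload
            # Consumers that run commands or scripts deserve a second look.
            Review        = $class -in 'CommandLineEventConsumer','ActiveScriptEventConsumer'
        }
    }
}

function Remove-WmiSubscription {
    # Cleanup: remove the binding first, then the filter and consumer(s) it referenced.
    param([Parameter(Mandatory)][string]$FilterName)
    $bound = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
             Where-Object { (Get-RefName $_.Filter) -eq $FilterName }
    $consumerNames = $bound | ForEach-Object { Get-RefName $_.Consumer }
    $bound | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$FilterName'" | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
        Where-Object Name -in $consumerNames | Remove-CimInstance
}

Get-WmiSubscriptionAudit | Format-Table -AutoSize
```

A healthy host usually shows only a handful of vendor-installed bindings, so any entry with Review set to True and an unfamiliar Payload is where the investigation starts.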