GitHub Repo

Detection: WMI Permanent Event Subscription - Sysmon

Updated Date: 2026-05-13 ID: ad05aae6-3b2a-4f73-af97-57bd26cee3b9 Author: Rico Valdez, Michael Haag, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.

 1`sysmon` EventCode=21
 2  
 3| stats count min(_time) as firstTime max(_time) as lastTime
 4    BY dest dvc object
 5       object_attrs object_category object_path
 6       signature signature_id src
 7       status user user_id
 8       vendor_product Consumer ConsumerNoQuotes
 9       Filter FilterNoQuotes
10  
11| `security_content_ctime(firstTime)`
12  
13| `security_content_ctime(lastTime)`
14  
15| `wmi_permanent_event_subscription___sysmon_filter`

Data Source

Name Platform Sourcetype Source
Sysmon EventID 21 Windows icon Windows 'XmlWinEventLog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Name Value
sysmon (source=WinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational)
wmi_permanent_event_subscription___sysmon_filter search *
wmi_permanent_event_subscription___sysmon_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1546.003 Windows Management Instrumentation Event Subscription Persistence
Exploitation
Installation
DE.CM
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Intermediate Finding (Risk Event) Yes
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.

Implementation

To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.

Known False Positives

Although unlikely, administrators may use event subscriptions for legitimate purposes.

Associated Analytic Story

Finding

Title Entity Field Entity Type Risk Score
WMI Permanent Event Subscription detected on $dest$ by $user$ user user 50

Intermediate Findings

Message Entity Field Entity Type Risk Score
WMI Permanent Event Subscription detected on $dest$ by $user$ dest system 50

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 12