WMI Event Subscription
Malware registers a permanent WMI event subscription — a filter bound to a consumer — so the WMI service runs its payload: fileless SYSTEM persistence.
Windows Management Instrumentation supports permanent event subscriptions: a standing rule that tells the WMI service to take an action whenever a defined event occurs. The subscription lives inside the WMI repository (OBJECTS.DATA) rather than as a file or registry autorun, and its consumer executes in the WMI service's context as SYSTEM (ActiveScript consumers inside scrcons.exe, command-line consumers as processes spawned by WmiPrvSE.exe). The result is stealthy, privileged, and effectively fileless persistence that survives reboots without any autorun entry. It is a hallmark of advanced and APT-grade tooling.
A subscription is built from three objects in the root\subscription namespace: an __EventFilter (what to watch for), an __EventConsumer (what to do), and a __FilterToConsumerBinding (which ties them together). When the filtered event fires, WMI runs the consumer's action.
How it works
The filter is a WQL query against an intrinsic or extrinsic event. A common trigger is "system uptime is between 200 and 300 seconds," which fires the payload shortly after every restart. Note the WITHIN 60 clause: WMI polls the performance class once every 60 seconds, so the uptime window must be wider than the polling interval or the event can be missed entirely:
__EventFilter:
    Name           = "BootFilter"
    EventNamespace = "root\cimv2"   (namespace of the class being watched)
    QueryLanguage  = "WQL"
    Query          = SELECT * FROM __InstanceModificationEvent WITHIN 60
                     WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
                     AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 300

CommandLineEventConsumer:
    Name                = "BootConsumer"
    CommandLineTemplate = powershell -enc <base64 payload>

__FilterToConsumerBinding:
    Filter   = __EventFilter.Name="BootFilter"
    Consumer = CommandLineEventConsumer.Name="BootConsumer"

The two most-abused consumer classes are CommandLineEventConsumer (runs a process) and ActiveScriptEventConsumer (runs VBScript/JScript in-process inside scrcons.exe). All three objects are written into the WMI repository, so the payload command often appears nowhere else on disk.
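The listing above as runnable PowerShell, added here as a lab example (this is not code from the original page or from any specific malware sample). It uses the Set-WmiInstance pattern that droppers also use; the object names, the harmless marker-file command line and the cleanup section are assumptions for illustration. Run it in an isolated VM from an elevated prompt.

```powershell
# Added example, not the page's own code: registers the boot-time permanent
# subscription described above in a lab VM. Requires an elevated PowerShell
# prompt (writing to root\subscription needs administrator rights). The object
# names and the benign marker-file command line are assumptions.
$ns = 'root\subscription'

# 1. Filter: poll the perf-counter class every 60 s and match while uptime is
#    between 200 and 300 s. The 100 s window is wider than the WITHIN interval,
#    so at least one poll is guaranteed to land inside it.
$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = 'BootFilter'
    EventNamespace = 'root\cimv2'   # namespace where the watched class lives
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
                     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " +
                     "AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 300"
}

# 2. Consumer: what runs when the filter fires. Real malware puts an encoded
#    PowerShell command here; the lab version only appends a timestamp to a
#    file (as SYSTEM, which is why C:\Windows\Temp is writable).
$consumer = Set-WmiInstance -Namespace $ns -Class CommandLineEventConsumer -Arguments @{
    Name                = 'BootConsumer'
    CommandLineTemplate = 'cmd.exe /c echo fired %DATE% %TIME% >> C:\Windows\Temp\wmi-lab.txt'
}

# 3. Binding: ties the filter to the consumer. This is the write Sysmon reports
#    as Event ID 21 (the two writes above produce Event IDs 19 and 20).
Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
}

# Verify that the three objects landed in the repository.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like '*BootFilter*' } | Select-Object Filter, Consumer

# Cleanup when the lab is done: remove the binding first, then consumer and filter.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like '*BootFilter*' } | Remove-WmiObject
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -Filter "Name='BootConsumer'" | Remove-WmiObject
Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='BootFilter'" | Remove-WmiObject
```

After a reboot of the VM, C:\Windows\Temp\wmi-lab.txt gains a line roughly four minutes after startup, and the process creating it shows up in Sysmon Event ID 1 with WmiPrvSE.exe as its parent.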
Detection & analysis
Static analysis:
- Enumerate existing subscriptions with PowerShell: Get-WmiObject -Namespace root\subscription -Class __EventFilter, and likewise for CommandLineEventConsumer, ActiveScriptEventConsumer and __FilterToConsumerBinding (querying the base class __EventConsumer returns instances of every consumer subclass at once). Autoruns also has a dedicated "WMI" tab that lists the same bindings.
- For dead-box forensics, parse the repository file C:\Windows\System32\wbem\Repository\OBJECTS.DATA with PyWMIPersistenceFinder or python-cim; consumer command lines and script bodies are recoverable as strings, so a quick string search for CommandLineTemplate or ScriptText is often enough for triage.
- In a sample, look for IWbemServices::PutInstance, the namespace string root\\subscription, and the class names __EventFilter, CommandLineEventConsumer and ActiveScriptEventConsumer. PowerShell-based droppers reference Set-WmiInstance -Namespace root/subscription (or New-CimInstance with the same namespace).
Dynamic analysis:
- Sysmon provides purpose-built coverage: Event ID 19 (WmiEventFilter registered), Event ID 20 (WmiEventConsumer registered), and Event ID 21 (WmiEventConsumerToFilter binding). All three firing in sequence is the definitive signal. Without Sysmon, the Microsoft-Windows-WMI-Activity/Operational log records new permanent consumer registrations as Event ID 5861, including the query and consumer details.
- When the trigger fires, watch for scrcons.exe (the ActiveScript consumer host, itself a child of the winmgmt svchost.exe) or a child of WmiPrvSE.exe spawning the payload, captured by Sysmon Event ID 1. The parent relationship is the tell: interpreters normally have explorer.exe or a user's shell as parent, not a WMI host process.
Detection rule hint:
Alert on Sysmon Event IDs 19/20/21 (or WMI-Activity 5861); legitimate software rarely registers permanent WMI subscriptions, so baseline the handful that do exist on a build (Windows ships a default "SCM Event Log Filter" bound to an NTEventLogEventConsumer named "SCM Event Log Consumer", and some management agents add their own) and alert on any new binding. Treat any CommandLineEventConsumer or ActiveScriptEventConsumer whose action invokes PowerShell, mshta, wscript/cscript, encoded commands, or a binary in a user-writable path as malicious, and flag scrcons.exe or WmiPrvSE.exe spawning interpreters as a likely consumer execution.
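The enumeration step from the static-analysis list and the triage rules in the detection hint, combined into one live-host script. This is an added example, not code from the original page or from Sysmon/Autoruns. The suspicious-action heuristics, the "SCM Event Log Filter" allow-list entry and the ConvertTo-RelativeRef helper are assumptions made for this example; tune them to the baseline of the environment.

```powershell
# Added example, not the page's own code: list every permanent WMI subscription
# on this host, resolve each binding to its filter query and consumer action,
# and flag the ones that look like persistence. Windows PowerShell 5.1,
# elevated prompt recommended so every instance in root\subscription is visible.
$ns = 'root\subscription'

# A binding references its filter and consumer by path string. Most are stored
# relative (__EventFilter.Name="X"), some tools write the full form
# (\\.\root\subscription:__EventFilter.Name="X"); keep only the relative part.
function ConvertTo-RelativeRef([string]$ref) { $ref -replace '^.*?:(?=\w+\.Name=)', '' }

# Index filters and consumers by the relative reference a binding would use.
$filters   = @{}
$consumers = @{}
Get-WmiObject -Namespace $ns -Class __EventFilter |
    ForEach-Object { $filters["__EventFilter.Name=`"$($_.Name)`""] = $_ }
# Querying the abstract base class returns instances of every consumer subclass.
Get-WmiObject -Namespace $ns -Class __EventConsumer |
    ForEach-Object { $consumers["$($_.__CLASS).Name=`"$($_.Name)`""] = $_ }

# What the consumer actually does when its filter fires.
function Get-ConsumerAction($c) {
    switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { "script file $($c.ScriptFileName)" } }
        default                     { "$($c.__CLASS) '$($c.Name)'" }
    }
}

# Indicators from the detection rule hint (assumption: tune per environment):
# interpreters, LOLBins, encoded commands, user-writable paths, remote URLs.
$suspiciousPattern = 'powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|' +
                     '(^|\s)-e(nc|c)?(\s|$)|encodedcommand|frombase64|' +
                     '\\users\\|\\temp\\|\\appdata\\|\\programdata\\|https?:'

$report = foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
    $fRef = ConvertTo-RelativeRef $b.Filter
    $cRef = ConvertTo-RelativeRef $b.Consumer
    $f = $filters[$fRef]
    $c = $consumers[$cRef]
    $action = if ($c) { Get-ConsumerAction $c } else { "<unresolved: $cRef>" }

    $reasons = @()
    if ($f -and $f.Name -eq 'SCM Event Log Filter') {
        # Ships with Windows; allow-listed here by name (assumption for this example).
    } else {
        if (-not $f -or -not $c)                                 { $reasons += 'dangling reference' }
        if ($c -and $c.__CLASS -eq 'ActiveScriptEventConsumer')  { $reasons += 'in-process script consumer' }
        if ($action -match $suspiciousPattern)                   { $reasons += 'suspicious action' }
    }

    [pscustomobject]@{
        Filter        = $fRef
        Query         = if ($f) { $f.Query } else { $null }
        ConsumerClass = if ($c) { $c.__CLASS } else { $null }
        Action        = $action
        Suspicious    = $reasons.Count -gt 0
        Reason        = $reasons -join '; '
    }
}

$report | Sort-Object Suspicious -Descending | Format-List
```

Run against the lab subscription registered in the earlier section, the BootFilter binding is reported with Suspicious = True and Reason = "suspicious action" because the command line lives under \Temp\; an encoded PowerShell payload trips the interpreter and encoded-command patterns as well. Anything with a dangling reference is worth a look too: attackers sometimes delete the consumer after use and leave the binding behind.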