{
	"id": "58594136-8bab-4b36-91ce-e80e2b9b8f85",
	"created_at": "2026-04-06T00:21:57.999948Z",
	"updated_at": "2026-04-10T03:20:05.169185Z",
	"deleted_at": null,
	"sha1_hash": "cc6d84aaaf6992824fa92eb6de9a2eb67970ad88",
	"title": "Detecting \u0026 Removing an Attacker’s WMI Persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1468619,
	"plain_text": "Detecting \u0026 Removing an Attacker’s WMI Persistence\r\nBy David French\r\nPublished: 2018-10-09 · Archived: 2026-04-05 17:27:51 UTC\r\nWindows Management Instrumentation (WMI) Event Subscription is a popular technique to establish persistence on an endpoint. I decided to spend some time playing with Empire’s WMI modules and analyzing the artifacts for detection opportunities. I also reviewed the PowerShell commands that can be used to view and remove WMI event subscriptions.\r\n“Windows Management Instrumentation Event Subscription” is MITRE ATT\u0026CK Technique T1084. Attackers may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.\r\nWhat is WMI?\r\n“WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components.”\r\nAn event filter is a WMI class that describes which events WMI delivers to an event consumer. An event filter also describes the conditions under which WMI delivers the events.\r\nConfiguring Sysmon Logging\r\nSysmon can be configured to log WmiEventFilter, WmiEventConsumer, and WmiEventConsumerToFilter activity and enable the detection of WMI abuse.\r\nSysmon Event IDs for WMI activity\r\nRoberto Rodriguez’s (@Cyb3rWard0g) Sysmon configuration file will capture the above Event IDs.\r\nExecute the following command to install Sysmon and apply a configuration file.\r\nsysmon.exe -i -c .\\config_file.xml\r\nEstablish Persistence\r\nLet’s use Empire’s Invoke-WMI module to create a permanent WMI subscription and persist a stager on the victim endpoint.\r\nReviewing Empire’s WMI-related modules\r\nReviewing the options for Empire’s Invoke-WMI module\r\nRunning the module\r\nDetection\r\nReviewing the Sysmon logs we can see that the Empire module:\r\n1. Registered a WMI event filter\r\n2. Registered a WMI event consumer\r\n3. Bound the event consumer to the event filter\r\nSysmon events logged after Empire Invoke-WMI module execution\r\nThe WMI event filter sets the conditions under which the stager executes; its query includes references to the system’s uptime.\r\nSysmon Event ID 19: WmiEvent (WmiEventFilter activity detected)\r\nThe WMI event consumer contains the Empire stager in Base64-encoded form and is registered with the innocuous name Updater when the module’s default settings are used.\r\nSysmon Event ID 20: WmiEvent (WmiEventConsumer activity detected)\r\nThe WMI event consumer CommandLineEventConsumer.Name=\"Updater\" is bound to the event filter __EventFilter.Name=\"Updater\".\r\nSysmon Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)\r\nNow that the event consumer is bound to the event filter, IF the event filter conditions are true THEN the event consumer (the stager) is triggered.\r\nEradication\r\nThe simplest method to remove the entry from the WMI database is to use Autoruns. Launch Autoruns as an administrator and select the WMI tab to review WMI-related persistence.\r\nUsing Autoruns to review WMI database entries\r\nUsing Autoruns to review content of the WMI database\r\nRight-click the malicious WMI database entry and select Delete.\r\nAlternatively, you can remove the WMI event subscriptions from the command line. Use Get-WMIObject in PowerShell to review the WMI event filter, the event consumer, and the filter-to-consumer binding. Thanks to Boe Prox (@proxb) for explaining these commands in detail on his blog.\r\n# Reviewing WMI Subscriptions using Get-WMIObject\r\n# Event Filter\r\nGet-WMIObject -Namespace root\\Subscription -Class __EventFilter -Filter \"Name='Updater'\"\r\n# Event Consumer\r\nGet-WMIObject -Namespace root\\Subscription -Class CommandLineEventConsumer -Filter \"Name='Updater'\"\r\n# Binding\r\nGet-WMIObject -Namespace root\\Subscription -Class __FilterToConsumerBinding -Filter \"__Path LIKE '%Updater%'\"\r\nUse Remove-WMIObject to remove all components of the WMI persistence.\r\n# Removing WMI Subscriptions using Remove-WMIObject\r\n# Event Filter\r\nGet-WMIObject -Namespace root\\Subscription -Class __EventFilter -Filter \"Name='Updater'\" | Remove-WmiObject\r\n# Event Consumer\r\nGet-WMIObject -Namespace root\\Subscription -Class CommandLineEventConsumer -Filter \"Name='Updater'\" | Remove-WmiObject\r\n# Binding\r\nGet-WMIObject -Namespace root\\Subscription -Class __FilterToConsumerBinding -Filter \"__Path LIKE '%Updater%'\" | Remove-WmiObject\r\nRemoving WMI event subscriptions\r\nRun Autoruns again to verify that the persistence was removed.\r\nSource: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96"
	],
	"report_names": [
		"detecting-removing-wmi-persistence-60ccbb7dff96"
	],
	"threat_actors": [],
	"ts_created_at": 1775434917,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc6d84aaaf6992824fa92eb6de9a2eb67970ad88.pdf",
		"text": "https://archive.orkl.eu/cc6d84aaaf6992824fa92eb6de9a2eb67970ad88.txt",
		"img": "https://archive.orkl.eu/cc6d84aaaf6992824fa92eb6de9a2eb67970ad88.jpg"
	}
}