MDE WMI Event Subscription

# WMI Event Subscriptions

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | https://attack.mitre.org/techniques/T1546/003/ |

### Description

Use the queries below to find activity related to WMI event subscriptions, a persistence mechanism in which an attacker binds a WMI event filter to an event consumer so that code runs whenever the filter's condition fires.

#### References

- [Pen Test Lab - Persistence – WMI Event Subscription](https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/)
- [Lateral Movement via WMI Event Subscription](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-wmi-events)
- [Block persistence through WMI event subscription](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-persistence-through-wmi-event-subscription)

### Microsoft 365 Defender

ASR audit and block events

```kql
DeviceEvents 
| where ActionType contains "AsrPersistenceThroughWmi"
```

Defender Alert

```kql
DeviceAlertEvents
| where Title contains "A WMI event filter was bound to a suspicious event consumer"
```

Using the New-CimInstance cmdlet

```kql
let wmipersistencecommands = "New-CimInstance -Namespace root/subscription";
DeviceProcessEvents
| where ProcessCommandLine has (wmipersistencecommands)
```

```kql
let pscommands = dynamic(["New-CimInstance"]);
DeviceEvents
| where ActionType contains "PowerShellCommand"
| where AdditionalFields has_any (pscommands)
```

Using wmic

```kql
DeviceProcessEvents
| where FileName contains "wmic"
| where ProcessCommandLine contains "root\\subscription" and ProcessCommandLine contains "CREATE"
```

Using mofcomp.exe

```kql
DeviceProcessEvents
| where FileName contains "mofcomp.exe"
```

Explanation

These queries find activity related to WMI event subscriptions. They cover several ways a subscription can be created: the New-CimInstance cmdlet (seen both as a process command line and as a recorded PowerShell command), wmic, and mofcomp.exe, plus the audit and block events raised by the ASR rule and the Defender alert for a filter bound to a suspicious consumer. Run them in Microsoft 365 Defender advanced hunting to surface those events and the devices they occurred on.
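The following consolidated query is an added example, not part of the original page: it unions the page's separate process-based and DeviceEvents-based detections, tags each hit with the method that triggered it, and summarises per device for triage. The 7-day lookback window and the Method labels are assumptions of this example.

```kql
// Added example: one triage view over the page's WMI-subscription detections.
let lookback = 7d;  // assumed window; adjust to your retention and needs
let procs = DeviceProcessEvents
| where Timestamp > ago(lookback)
| extend Method = case(
    // PowerShell creating filter/consumer/binding objects in root/subscription
    ProcessCommandLine has "New-CimInstance" and ProcessCommandLine has "root/subscription", "New-CimInstance",
    // wmic creating instances in the subscription namespace
    FileName =~ "wmic.exe" and ProcessCommandLine has "root\\subscription" and ProcessCommandLine has "CREATE", "wmic",
    // MOF compilation, which can register subscriptions from a file
    FileName =~ "mofcomp.exe", "mofcomp",
    "")
| where isnotempty(Method);
let events = DeviceEvents
| where Timestamp > ago(lookback)
| extend Method = case(
    // ASR rule "Block persistence through WMI event subscription" (audit or block)
    ActionType startswith "AsrPersistenceThroughWmi", strcat("ASR:", ActionType),
    // script-block telemetry that recorded the cmdlet itself
    ActionType == "PowerShellCommand" and AdditionalFields has "New-CimInstance", "PowerShellCommand",
    "")
| where isnotempty(Method);
union procs, events
| project Timestamp, DeviceName, AccountName, Method, FileName, ProcessCommandLine, InitiatingProcessFileName, ReportId
| summarize Hits = count(),
            Methods = make_set(Method),
            SampleCommandLine = take_any(ProcessCommandLine),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
            by DeviceName
| order by Hits desc
```

A device that shows more than one Method (for example an ASR audit event together with a matching wmic or New-CimInstance command line) is a stronger candidate for investigation than a single mofcomp.exe execution, which also occurs during legitimate software installs.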

Details

Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents, DeviceAlertEvents, DeviceProcessEvents

Keywords

Devices,Intune,User

Operators

contains, where, has, let, dynamic, has_any