Navigation :

WMI Temporary Event Subscription

Description

This search looks for the creation of WMI temporary event subscriptions.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Adversary Tactics,

Alert Volume

This search looks for the creation of WMI temporary event subscriptions.

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

Windows Management Instrumentation

Windows Management Instrumentation

MITRE Threat Groups

APT29
APT32
APT41
Blue Mockingbird
Chimera
Deep Panda
FIN6
FIN8
Frankenstein
Lazarus Group
Leviathan
MuddyWater
OilRig
Soft Cell
Stealth Falcon
Threat Group-3390
Wizard Spider
menuPass

Kill Chain Phases

Actions On Objectives

Data Sources

Windows Security

   Help

WMI Temporary Event Subscription Help

To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].

   Search

`wmi` EventCode=5860 Temporary | rex field=Message "NotificationQuery =\s+(?<query>[^;|^$]+)" | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`
Open in Search