
Event ID 20 — WmiEvent (WmiEventConsumer activity detected)

Provider
Microsoft-Windows-Sysmon
Channel
Operational
Level
Informational
Collection Priority
Recommended (Olaf Hartong, others)
Task
WmiEventConsumer activity detected (rule: WmiEvent)
Opcode
Info

Description

This event logs the registration (Operation: Created) or removal (Operation: Deleted) of a WMI event consumer, recording the account that performed it (User), the consumer Name, the consumer Type (for example Command Line for a CommandLineEventConsumer) and the Destination, i.e. the command line or other target the consumer executes when its subscription fires. A consumer on its own does nothing: it only runs once an event filter (Sysmon Event 19) is tied to it by a filter-to-consumer binding (Sysmon Event 21), so Events 19, 20 and 21 are normally examined together when investigating WMI persistence.

Message #

WmiEventConsumer activity detected:
RuleName: %1
EventType: %2
UtcTime: %3
Operation: %4
User: %5
Name: %6
Type: %7
Destination: %8

Fields #

Name | Type | Description
RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID
EventType | UnicodeString → string | WMI event type; for Event 20 this is WmiConsumerEvent
UtcTime | UnicodeString → string | Time in UTC when the event was created
Operation | UnicodeString → string | WMI consumer operation
Known values
Created
Deleted
User | UnicodeString → string | User that created (or deleted) the WMI consumer
Name | UnicodeString → string | Name of the consumer created or deleted
Type | UnicodeString → string | Type of WMI consumer, e.g. Command Line for a CommandLineEventConsumer
Destination | UnicodeString → string | Destination or command executed by the WMI consumer; for a Command Line consumer this is the command line it runs. Sysmon logs Name and Destination with a leading space, wrapped in double quotes and with backslashes doubled (see the example event below), so normalise these values before matching on them.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 20,
    "version": 3,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:54:58.819106Z",
    "event_record_id": 4056,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 1776
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiConsumerEvent",
    "UtcTime": "2019-07-19 14:54:58.807",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Type": "Command Line",
    "Destination": " \"C:\\\\Windows\\\\System32\\\\notepad.exe\""
  }
}

Detection Patterns #

WMI Consumer (3 rules)

Sigma: Florian Roth (Nextron Systems), Jonhnathan Ribeiro; Tom Ueltschi (@c_APT_ure)

Detection Rules #


Splunk #

  • Detect WMI Event Subscription Persistence: The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.
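The Fields section above describes how Event 20 values are quoted, and the Splunk analytic describes correlating Events 19, 20 and 21. The following is an added example (not code from Sysmon, Splunk, or this page) that does both over constructed sample events: it normalises the quoted Name and Destination values, joins filter, consumer and binding records into subscriptions, and ranks them. The Event 19 field names (EventNamespace, Query), the Event 21 field names (Consumer, Filter) and the object-path format in the binding event are assumed from Sysmon's WmiEvent schema; the second "Updater" consumer and its command line are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample events (not captured telemetry), shaped like the page's
# example event_data. Field names for Event 19 (EventNamespace, Query) and
# Event 21 (Consumer, Filter) are assumed from Sysmon's WmiEvent schema; the
# leading space, wrapping quotes and doubled backslashes mirror the example.
SAMPLE_EVENTS = [
    {"event_id": 19, "event_data": {
        "Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
        "EventNamespace": ' "root\\\\CimV2"',
        "Name": ' "AtomicRedTeam-WMIPersistence-Example"',
        "Query": ' "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE '
                 "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'\""}},
    {"event_id": 20, "event_data": {
        "Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
        "Name": ' "AtomicRedTeam-WMIPersistence-Example"', "Type": "Command Line",
        "Destination": ' "C:\\\\Windows\\\\System32\\\\notepad.exe"'}},
    {"event_id": 21, "event_data": {
        "Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
        "Consumer": ' "CommandLineEventConsumer.Name=\\"AtomicRedTeam-WMIPersistence-Example\\""',
        "Filter": ' "__EventFilter.Name=\\"AtomicRedTeam-WMIPersistence-Example\\""'}},
    # Hypothetical consumer with no filter or binding seen (yet).
    {"event_id": 20, "event_data": {
        "Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
        "Name": ' "Updater"', "Type": "Command Line",
        "Destination": ' "powershell.exe -NoP -W Hidden -enc SQBFAFgA"'}},
]

# Destination patterns that deserve a look when they appear in a consumer.
SUSPICIOUS = [
    (re.compile(r"\b(powershell|pwsh)\b.*\s-(e|ec|en|enc|encodedcommand)\b", re.I),
     "encoded PowerShell"),
    (re.compile(r"\b(mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin)\b", re.I),
     "LOLBin"),
    (re.compile(r"https?://|\\(temp|appdata|programdata|users\\public)\\", re.I),
     "remote URL or user-writable path"),
]

# Object path as logged in Event 21, e.g. CommandLineEventConsumer.Name="X"
_REF = re.compile(r'^(?P<cls>\w+)\.Name=\\?"(?P<name>.*?)\\?"$')


def clean(value):
    """Strip the leading space and wrapping quotes Sysmon leaves on WMI object
    properties and undo the doubled backslashes in paths, so that matching on
    Destination works against the real command line."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] == '"':
        v = v[1:-1]
    return v.replace("\\\\", "\\")


def parse_ref(value):
    """Split an Event 21 object path into (WMI class, instance name)."""
    m = _REF.match(clean(value))
    if not m:
        raise ValueError(f"unrecognised WMI object path: {value!r}")
    return m.group("cls"), m.group("name")


def correlate(events):
    """Group Event 19/20/21 records into subscriptions keyed by consumer name.
    The binding is keyed by its consumer, so a filter registered under a
    different name is still attached to the consumer it drives."""
    subs = defaultdict(lambda: {"filter": None, "consumer": None, "binding": None})
    for ev in events:
        d, op = ev["event_data"], ev["event_data"]["Operation"]
        if ev["event_id"] == 19:
            subs[clean(d["Name"])]["filter"] = {
                "op": op, "namespace": clean(d["EventNamespace"]), "query": clean(d["Query"])}
        elif ev["event_id"] == 20:
            subs[clean(d["Name"])]["consumer"] = {
                "op": op, "type": d["Type"], "destination": clean(d["Destination"]), "user": d["User"]}
        elif ev["event_id"] == 21:
            ccls, cname = parse_ref(d["Consumer"])
            _, fname = parse_ref(d["Filter"])
            subs[cname]["binding"] = {
                "op": op, "consumer_class": ccls, "filter_name": fname, "user": d["User"]}
    return dict(subs)


def assess(subs):
    """Return (name, severity, reasons). high: the consumer's Destination matches
    a suspicious pattern; medium: filter, consumer and binding were all Created,
    i.e. the subscription is live even though the command looks benign."""
    findings = []
    for name, s in subs.items():
        c = s["consumer"]
        reasons = [f"{c['type']} consumer runs {label}: {c['destination']}"
                   for rx, label in SUSPICIOUS
                   if c and c["op"] == "Created" and rx.search(c["destination"])]
        severity = "high" if reasons else "medium"
        if all(s[k] and s[k]["op"] == "Created" for k in ("filter", "consumer", "binding")):
            reasons.append(f"live subscription: filter {s['binding']['filter_name']!r} bound "
                           f"to {s['binding']['consumer_class']} by {s['binding']['user']}")
        if reasons:
            findings.append((name, severity, reasons))
    return sorted(findings, key=lambda f: (f[1] != "high", f[0]))


if __name__ == "__main__":
    for name, severity, reasons in assess(correlate(SAMPLE_EVENTS)):
        print(f"[{severity}] {name}")
        for reason in reasons:
            print("    -", reason)
```

Run as-is, the Atomic Red Team consumer is reported as medium (a complete, live subscription that merely runs notepad.exe) and the hypothetical Updater consumer as high (encoded PowerShell, even though no binding has been seen for it). Keying the binding by consumer rather than filter name matters in practice because nothing forces the two to share a name.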

References #