
Event ID 21 — WmiEvent (WmiEventConsumerToFilter activity detected)

Provider
Microsoft-Windows-Sysmon
Channel
Operational
Level
Informational
Collection Priority
Recommended (Olaf Hartong, others)
Task
WmiEventConsumerToFilter activity detected (rule: WmiEvent)
Opcode
Info

Description

When a consumer binds to a filter, this event logs the consumer name and filter path.

Message

WmiEventConsumerToFilter activity detected:
RuleName: %1
EventType: %2
UtcTime: %3
Operation: %4
User: %5
Consumer: %6
Filter: %7

Fields

Name      | Type                   | Description
RuleName  | UnicodeString → string | Custom tag mapped to the event by the Sysmon config rule that matched, e.g. an ATT&CK technique ID
EventType | UnicodeString → string | WMI event type; WmiBindingEvent for this event ID
UtcTime   | UnicodeString → string | Time in UTC when the event was created
Operation | UnicodeString → string | Operation performed on the __FilterToConsumerBinding instance
          |                        | Known values: Created (binding registered, as in the example below), Deleted (binding removed)
User      | UnicodeString → string | User that created the WMI consumer-to-filter binding
Consumer  | UnicodeString → string | WMI object path of the __EventConsumer instance that was bound, including its class (e.g. CommandLineEventConsumer) and Name key
Filter    | UnicodeString → string | WMI object path of the __EventFilter instance that was bound, including its Name key

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 21,
    "version": 3,
    "level": 4,
    "task": 21,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:57:02.378480Z",
    "event_record_id": 4057,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 4356
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiBindingEvent",
    "UtcTime": "2019-07-19 14:57:02.369",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "Consumer": " \"\\\\\\\\.\\\\ROOT\\\\subscription:CommandLineEventConsumer.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\"",
    "Filter": " \"\\\\\\\\.\\\\ROOT\\\\subscription:__EventFilter.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\""
  }
}
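The Consumer and Filter values above are WMI object paths that Sysmon renders as a quoted literal: a leading space, surrounding double quotes, every backslash doubled and embedded quotes escaped, which is why they look so heavily escaped once serialised to JSON. The following parser undoes that encoding, splits the path into namespace, class and Name key, and flags a Created binding to a code-executing consumer class. It is an added example for this page, not Sysmon code and not part of any Sigma or Splunk rule; SAMPLE_CREATED is the page's example event trimmed to the fields used, and SAMPLE_DELETED is a constructed record (Operation Deleted, a binding to the default NTEventLogEventConsumer) added to exercise the non-alerting branch.

```python
"""Parse and triage Sysmon Event ID 21 (WMI consumer-to-filter binding) records.

Added example for this reference page; not Sysmon code and not part of any
vendor rule set. SAMPLE_CREATED is the page's example event trimmed to the
fields used here; SAMPLE_DELETED is constructed and is not from the page.
"""
import json
import re

# Standard consumer classes that run attacker-supplied code when the bound
# filter fires. LogFile/NTEventLog/SMTP consumers only write or send data.
CODE_EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# WMI object path after unescaping: \\.\ROOT\subscription:Class.Key="Value"
PATH_RE = re.compile(
    r'^\\\\(?P<host>[^\\]+)\\(?P<ns>[^:]+):(?P<cls>\w+)\.(?P<key>\w+)="(?P<val>.*)"$'
)

SAMPLE_CREATED = r'''{
  "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 21, "computer": "MSEDGEWIN10"},
  "event_data": {
    "RuleName": "", "EventType": "WmiBindingEvent", "UtcTime": "2019-07-19 14:57:02.369",
    "Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
    "Consumer": " \"\\\\\\\\.\\\\ROOT\\\\subscription:CommandLineEventConsumer.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\"",
    "Filter": " \"\\\\\\\\.\\\\ROOT\\\\subscription:__EventFilter.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\""
  }
}'''

# Constructed record (not from the page): removal of a binding to a benign
# logging consumer, to show the branch that must not alert.
SAMPLE_DELETED = r'''{
  "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 21, "computer": "MSEDGEWIN10"},
  "event_data": {
    "RuleName": "", "EventType": "WmiBindingEvent", "UtcTime": "2019-07-19 15:02:11.004",
    "Operation": "Deleted", "User": "MSEDGEWIN10\\IEUser",
    "Consumer": " \"\\\\\\\\.\\\\ROOT\\\\subscription:NTEventLogEventConsumer.Name=\\\"SCM Event Log Consumer\\\"\"",
    "Filter": " \"\\\\\\\\.\\\\ROOT\\\\subscription:__EventFilter.Name=\\\"SCM Event Log Filter\\\"\""
  }
}'''


def unescape_sysmon_path(field: str) -> str:
    """Undo Sysmon's rendering of a WMI object path as a quoted literal.

    Sysmon emits a leading space, wraps the path in double quotes, doubles
    every backslash and escapes embedded quotes with a backslash.
    """
    s = field.strip()
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    # One pass over both escapes so an escaped backslash is never re-read
    # as the start of an escaped quote.
    return re.sub(r'\\([\\"])', r'\1', s)


def parse_wmi_path(field: str) -> dict:
    """Split a Consumer/Filter field into namespace, class and key value."""
    path = unescape_sysmon_path(field)
    m = PATH_RE.match(path)
    if m is None:
        # Unexpected layout: keep the raw path so the analyst still sees it.
        return {"path": path, "namespace": None, "class": None, "name": None}
    return {"path": path, "namespace": m["ns"], "class": m["cls"], "name": m["val"]}


def triage_event21(record: dict) -> dict:
    """Return the fields an analyst pivots on plus an alert verdict."""
    data = record["event_data"]
    consumer = parse_wmi_path(data["Consumer"])
    filt = parse_wmi_path(data["Filter"])
    return {
        "operation": data["Operation"],
        "user": data["User"],
        "consumer_class": consumer["class"],
        "consumer_name": consumer["name"],
        "consumer_path": consumer["path"],
        "filter_name": filt["name"],
        # Registration of a binding to a code-executing consumer is the
        # persistence event; a Deleted operation is clean-up, useful for the
        # timeline but not the alert condition.
        "alert": data["Operation"] == "Created"
        and consumer["class"] in CODE_EXEC_CONSUMERS,
    }


def triage_json(text: str) -> dict:
    """Convenience wrapper for a single JSON-serialised event record."""
    return triage_event21(json.loads(text))


if __name__ == "__main__":
    for sample in (SAMPLE_CREATED, SAMPLE_DELETED):
        print(triage_json(sample))
```

The parser keeps the unescaped path when the regex does not match, rather than dropping the record, so a consumer registered in a namespace other than ROOT\subscription or with an unexpected key still reaches the analyst. Correlating the consumer_name and filter_name back to the matching Event ID 20 and 19 records gives the consumer's CommandLineTemplate or ScriptText and the filter's WQL query, which this block does not have on the page to parse.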

Detection Patterns

WMI Consumer (Sigma, 3 rules)
Authors: Florian Roth (Nextron Systems), Jonhnathan Ribeiro; Tom Ueltschi (@c_APT_ure)

Community Notes

May surface registration of WMI event-based auto-runs that survive reboots.

Detection Rules


Splunk

  • WMI Permanent Event Subscription - Sysmon source: The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.

References