Microsoft-Windows-WMI-Activity
25 events across 3 channels
Event ID 1 — GroupOperationId = %1; OperationId = %2; Operation = %3; ClientMachine = %4; User = %5; ClientProcessId = %6; NamespaceName = %7.
Fields
| Name | Description |
|---|---|
| GroupOperationId | — |
| OperationId | — |
| Operation | — |
| ClientMachine | — |
| User | — |
| ClientProcessId | — |
| NamespaceName | — |
Event ID 2 — ProviderInfo for GroupOperationId = %1; Operation = %2; ProviderName = %3; ProviderGuid = %4; Path = %5.
Fields
| Name | Description |
|---|---|
| GroupOperationId | — |
| Operation | — |
| ProviderName | — |
| ProviderGuid | — |
| Path | — |
Event ID 3 — Stop OperationId = %1.
Fields
| Name | Description |
|---|---|
| OperationId | — |
Event ID 11 — CorrelationId = %1; GroupOperationId = %2; OperationId = %3; Operation = %4; ClientMachine = %5; User = %7; ClientProcessId = %8; NamespaceName = %9.
Fields
| Name | Description |
|---|---|
| CorrelationId | — |
| GroupOperationId | — |
| OperationId | — |
| Operation | — |
| ClientMachine | — |
| ClientMachineFQDN | — |
| User | — |
| ClientProcessId | — |
| ClientProcessCreationTime | — |
| NamespaceName | — |
| IsLocal | — |
Event ID 12 — ProviderInfo for GroupOperationId = %1; Operation = %2; HostID = %3; ProviderName = %4; ProviderGuid = %5; Path = %6.
Fields
| Name | Description |
|---|---|
| GroupOperationId | — |
| Operation | — |
| HostId | — |
| ProviderName | — |
| ProviderGuid | — |
| Path | — |
Event ID 13 — Stop OperationId = %1; ResultCode = %2.
Fields
| Name | Description |
|---|---|
| OperationId | — |
| ResultCode | — |
Event ID 14 — OperationId = %1; Operation = %2; Channel = %3; Message = %4.
Fields
| Name | Description |
|---|---|
| OperationId | — |
| Operation | — |
| Channel | — |
| Message | — |
Event ID 15 — OperationId = %1; Operation = %2; ErrorID = %3; ErrorCategory = %4; Message = %5; TargetName = %6.
Fields
| Name | Description |
|---|---|
| OperationId | — |
| Operation | — |
| ErrorId | — |
| ErrorCategory | — |
| Message | — |
| TargetName | — |
Event ID 16 — OperationId = %1; Operation = %2; ErrorID = %3; Message = %4.
Fields
| Name | Description |
|---|---|
| OperationId | — |
| Operation | — |
| ErrorId | — |
| Message | — |
Event ID 17 — CorrelationId = %1; ProcessId = %2; Protocol = %3; Operation = %4; User = %5; Namespace = %6.
Fields
| Name | Description |
|---|---|
| CorrelationId | — |
| ProcessId | — |
| Protocol | — |
| Operation | — |
| User | — |
| Namespace | — |
Event ID 18 — WMI Events were dropped.
Fields
| Name | Description |
|---|---|
| ConsumerType | — |
| PossibleCause | — |
Event ID 19 — Performing delete operation on the WMI repository.
Fields
| Name | Description |
|---|---|
| OperationID | — |
| Operation | — |
| ClientProcessId | — |
| ClientMachineFQDN | — |
| ClientProcessCreationTime | — |
| IsLocal | — |
Event ID 20 — Performing Update operation on the WMI repository.
Fields
| Name | Description |
|---|---|
| OperationID | — |
| Operation | — |
| Flags | — |
| ClientProcessId | — |
| ClientMachineFQDN | — |
| ClientProcessCreationTime | — |
| IsLocal | — |
Event ID 21 — WMI Events were bound.
Fields
| Name | Description |
|---|---|
| ConsumerType | — |
| PossibleCause | — |
Event ID 22 — CorrelationId = %1; GroupOperationId = %2; OperationId = %3; ClassName= %4; MethodName = %5; ImplementationClass = %6; ClientMachine = %7; User = %...
Fields
| Name | Description |
|---|---|
| CorrelationId | — |
| GroupOperationId | — |
| OperationId | — |
| ClassName | — |
| MethodName | — |
| ImplementationClass | — |
| ClientMachine | — |
| ClientMachineFQDN | — |
| User | — |
| ClientProcessId | — |
| ClientProcessCreationTime | — |
| NamespaceName | — |
| IsLocal | — |
Event ID 23 — CorrelationId = %1; GroupOperationId = %2; OperationId = %3; Commandline= %4; CreatedProcessId = %5; ClientMachine = %6; User = %8; ClientProcessId...
Fields
| Name | Description |
|---|---|
| CorrelationId | — |
| GroupOperationId | — |
| OperationId | — |
| Commandline | — |
| CreatedProcessId | — |
| CreatedProcessCreationTime | — |
| ClientMachine | — |
| ClientMachineFQDN | — |
| User | — |
| ClientProcessId | — |
| ClientProcessCreationTime | — |
| IsLocal | — |
Event ID 24 — GroupOperationId = %1; Executing polling query %2 in namespace %3.
Fields
| Name | Description |
|---|---|
| GroupOperationId | — |
| Query | — |
| NamespaceName | — |
Event ID 50 — Activity Transfer
Event ID 100 — ComponentName = %1; MessageDetail = %2; FileName = %3.
Fields
| Name | Description |
|---|---|
| ComponentName | — |
| MessageDetail | — |
| FileName | — |
Event ID 101 — ComponentName = %1; ErrorId = %2; ErrorDetail = %3; FileName = %4.
Fields
| Name | Description |
|---|---|
| ComponentName | — |
| ErrorId | — |
| ErrorDetail | — |
| FileName | — |
Event ID 5857 — %1 provider started with result code %2.
Fields
| Name | Description |
|---|---|
| Operation_StartedOperational.ProviderName | — |
| Operation_StartedOperational.Code | — |
| Operation_StartedOperational.HostProcess | — |
| Operation_StartedOperational.ProcessID | — |
| Operation_StartedOperational.ProviderPath | — |
Example Event
system:
  provider: Microsoft-Windows-WMI-Activity
  guid: 1418EF04-B0B4-4623-BF7E-D74AB47BBDAA
  event_source_name: ''
  event_id: 5857
  version: 0
  level: 0
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T01:54:48.665106+00:00'
  event_record_id: 2401
  correlation:
    ActivityID: E4DB489E-1037-0003-A64E-DBE43710DA01
  execution:
    process_id: 4404
    thread_id: 14236
  channel: Microsoft-Windows-WMI-Activity/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-20
user_data:
  Operation_StartedOperational:
    ProviderName: netnat
    Code: '0x0'
    HostProcess: wmiprvse.exe
    ProcessID: 4404
    ProviderPath: '%systemroot%\system32\wbem\NetNat.dll'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5858 — Id = %1; ClientMachine = %2; User = %3; ClientProcessId = %4; Component = %5; Operation = %6; ResultCode = %7; PossibleCause = %8.
Fields
| Name | Description |
|---|---|
| Operation_ClientFailure.Id | — |
| Operation_ClientFailure.ClientMachine | — |
| Operation_ClientFailure.User | — |
| Operation_ClientFailure.ClientProcessId | — |
| Operation_ClientFailure.Component | — |
| Operation_ClientFailure.Operation | — |
| Operation_ClientFailure.ResultCode | — |
| Operation_ClientFailure.PossibleCause | — |
Example Event
system:
  provider: Microsoft-Windows-WMI-Activity
  guid: 1418EF04-B0B4-4623-BF7E-D74AB47BBDAA
  event_source_name: ''
  event_id: 5858
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T01:47:52.150550+00:00'
  event_record_id: 2399
  correlation: {}
  execution:
    process_id: 3340
    thread_id: 10792
  channel: Microsoft-Windows-WMI-Activity/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  Operation_ClientFailure:
    Id: '{00000000-0000-0000-0000-000000000000}'
    ClientMachine: WINDEV2310EVAL
    User: WINDEV2310EVAL\User
    ClientProcessId: 12004
    Component: Unknown
    Operation: 'Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor'
    ResultCode: '0x80041032'
    PossibleCause: Unknown
message: ''
Event ID 5859 — Namespace = %1; NotificationQuery = %2; OwnerName = %3; HostProcessID = %4; Provider= %5, queryID = %6; PossibleCause = %7.
Fields
| Name | Description |
|---|---|
| Operation_EssStarted.NamespaceName | — |
| Operation_EssStarted.Query | — |
| Operation_EssStarted.User | — |
| Operation_EssStarted.Processid | — |
| Operation_EssStarted.Provider | — |
| Operation_EssStarted.queryid | — |
| Operation_EssStarted.PossibleCause | — |
Example Event
system:
  provider: Microsoft-Windows-WMI-Activity
  guid: 1418EF04-B0B4-4623-BF7E-D74AB47BBDAA
  event_source_name: ''
  event_id: 5859
  version: 0
  level: 0
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-04-07T16:53:42.548405+00:00'
  event_record_id: 562
  correlation:
    ActivityID: E0AAB88C-4A9F-0001-86B9-AAE09F4AD801
  execution:
    process_id: 2456
    thread_id: 3588
  channel: Microsoft-Windows-WMI-Activity/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
user_data:
  Operation_EssStarted:
    NamespaceName: //./root/CIMV2
    Query: select * from MSFT_SCMEventLogEvent
    User: S-1-5-32-544
    Processid: 2456
    Provider: SCM Event Provider
    queryid: 0
    PossibleCause: Permanent
message: ''
Community Notes
Can be used for remote execution.
Sigma Rules
- WMI Persistence: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5860 — Namespace = %1; NotificationQuery = %2; UserName = %3; ClientProcessID = %4, ClientMachine = %5; PossibleCause = %6.
Fields
| Name | Description |
|---|---|
| Operation_TemporaryEssStarted.NamespaceName | — |
| Operation_TemporaryEssStarted.Query | — |
| Operation_TemporaryEssStarted.User | — |
| Operation_TemporaryEssStarted.Processid | — |
| Operation_TemporaryEssStarted.ClientMachine | — |
| Operation_TemporaryEssStarted.PossibleCause | — |
Example Event
system:
  provider: Microsoft-Windows-WMI-Activity
  guid: 1418EF04-B0B4-4623-BF7E-D74AB47BBDAA
  event_source_name: ''
  event_id: 5860
  version: 0
  level: 0
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:52:28.183845+00:00'
  event_record_id: 1567
  correlation: {}
  execution:
    process_id: 3340
    thread_id: 8416
  channel: Microsoft-Windows-WMI-Activity/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  Operation_TemporaryEssStarted:
    NamespaceName: ROOT\Subscription
    Query: SELECT * FROM __InstanceOperationEvent WITHIN 5WHERE TargetInstance ISA
      '__EventConsumer' OR TargetInstance ISA '__EventFilter' OR TargetInstance ISA
      '__FilterToConsumerBinding'
    User: NT AUTHORITY\SYSTEM
    Processid: 7064
    ClientMachine: WINDEV2310EVAL
    PossibleCause: Temporary
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5861 — Namespace = %1; Eventfilter = %2 (refer to its activate eventid:5859); Consumer = %3; PossibleCause = %4.
Fields
| Name | Description |
|---|---|
| Operation_ESStoConsumerBinding.Namespace | — |
| Operation_ESStoConsumerBinding.ESS | — |
| Operation_ESStoConsumerBinding.CONSUMER | — |
| Operation_ESStoConsumerBinding.PossibleCause | — |
Example Event
system:
  provider: Microsoft-Windows-WMI-Activity
  guid: 1418EF04-B0B4-4623-BF7E-D74AB47BBDAA
  event_source_name: ''
  event_id: 5861
  version: 0
  level: 0
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-04-07T16:53:38.894721+00:00'
  event_record_id: 560
  correlation: {}
  execution:
    process_id: 2456
    thread_id: 3584
  channel: Microsoft-Windows-WMI-Activity/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
user_data:
  Operation_ESStoConsumerBinding:
    Namespace: //./root/subscription
    ESS: SCM Event Log Filter
    CONSUMER: NTEventLogEventConsumer="SCM Event Log Consumer"
    PossibleCause: "Binding EventFilter: \ninstance of __EventFilter\n{\n\tCreatorSID
      = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventNamespace = \"root\\\\cimv2\";\n\tName
      = \"SCM Event Log Filter\";\n\tQuery = \"select * from MSFT_SCMEventLogEvent\";\n\tQueryLanguage
      = \"WQL\";\n};\nPerm. Consumer: \ninstance of NTEventLogEventConsumer\n{\n\tCategory
      = 0;\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventType
      = 1;\n\tName = \"SCM Event Log Consumer\";\n\tNameOfUserSIDProperty = \"sid\";\n\tSourceName
      = \"Service Control Manager\";\n};\n"
message: ''
Community Notes
These consumers survive reboots. WMI abuse is a classic technique for file-less persistence.
Sigma Rules
- WMI Persistence: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
- Example event sourced from https://github.com/NextronSystems/evtx-baseline