Microsoft-Windows-WMI-Activity
25 events across 3 channels
Event ID 1 — GroupOperationId = GroupOperationId; OperationId = OperationId; Operation = Operation; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = NamespaceName.
Description
GroupOperationId = GroupOperationId; OperationId = OperationId; Operation = Operation; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = NamespaceName.
Message #
Fields #
| Name | Description |
|---|---|
GroupOperationId UInt32 | — |
OperationId UInt32 | — |
Operation UnicodeString | — Known values
|
ClientMachine UnicodeString | — |
User UnicodeString | — |
ClientProcessId UInt32 | — |
NamespaceName UnicodeString | — |
Event ID 2 — ProviderInfo for GroupOperationId = GroupOperationId; Operation = Operation; ProviderName = ProviderName; ProviderGuid = ProviderGuid; Path = Path.
Description
ProviderInfo for GroupOperationId = GroupOperationId; Operation = Operation; ProviderName = ProviderName; ProviderGuid = ProviderGuid; Path = Path.
Message #
Fields #
| Name | Description |
|---|---|
GroupOperationId UInt32 | — |
Operation UnicodeString | — Known values
|
ProviderName UnicodeString | — |
ProviderGuid UnicodeString | — |
Path UnicodeString | — |
Event ID 3 — Stop OperationId = OperationId.
Event ID 11 — CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; Operation = Operation; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; ...
Description
CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; Operation = Operation; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = ClientProcessCreationTime.
Message #
Fields #
| Name | Description |
|---|---|
Operation_New.CorrelationId | — |
Operation_New.GroupOperationId | — |
Operation_New.OperationId | — |
Operation_New.Operation | — |
Operation_New.ClientMachine | — |
Operation_New.ClientMachineFQDN | — |
Operation_New.User | — |
Operation_New.ClientProcessId | — |
Operation_New.ClientProcessCreationTime | — |
Operation_New.NamespaceName | — |
Operation_New.IsLocal | — |
CorrelationId UnicodeString | — |
GroupOperationId UInt32 | — |
OperationId UInt32 | — |
Operation UnicodeString | — Known values
|
ClientMachine UnicodeString | — |
ClientMachineFQDN UnicodeString | — |
User UnicodeString | — |
ClientProcessId UInt32 | — |
ClientProcessCreationTime UInt64 | — |
NamespaceName UnicodeString | — |
IsLocal Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 11,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.5390626+00:00",
"event_record_id": 3702,
"correlation": {
"ActivityID": "a5a72efc-0725-4af3-8928-2c7be294af3b",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 14888
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_New": {
"CorrelationId": "{EB2F7CD8-77D6-447B-8B41-85BBC0F0CD29}",
"GroupOperationId": "33824",
"OperationId": "33915",
"Operation": "Start IWbemServices::DeleteInstance - Root\\Rsop\\Computer : RSOP_ExtensionStatus.extensionGuid=\"{FB2CA36D-0B40-4307-821B-A13B252DE56C}\"",
"ClientMachine": "DESKTOP-K7Q9MS2",
"ClientMachineFQDN": "DESKTOP-K7Q9MS2",
"User": "NT AUTHORITY\\SYSTEM",
"ClientProcessId": "5592",
"ClientProcessCreationTime": "134223150821160298",
"NamespaceName": "\\\\.\\Root\\Rsop\\Computer",
"IsLocal": "true"
}
},
"message": "CorrelationId = {EB2F7CD8-77D6-447B-8B41-85BBC0F0CD29}; GroupOperationId = 33824; OperationId = 33915; Operation = Start IWbemServices::DeleteInstance - Root\\Rsop\\Computer : RSOP_ExtensionStatus.extensionGuid=\"{FB2CA36D-0B40-4307-821B-A13B252DE56C}\"; ClientMachine = DESKTOP-K7Q9MS2; User = NT AUTHORITY\\SYSTEM; ClientProcessId = 5592; NamespaceName = 134223150821160298"
}
Event ID 12 — ProviderInfo for GroupOperationId = GroupOperationId; Operation = Operation; HostID = HostId; ProviderName = ProviderName; ProviderGuid = ProviderGuid; Path = Path.
Description
ProviderInfo for GroupOperationId = GroupOperationId; Operation = Operation; HostID = HostId; ProviderName = ProviderName; ProviderGuid = ProviderGuid; Path = Path.
Message #
Fields #
| Name | Description |
|---|---|
Operation_Provider_Info_New.GroupOperationId | — |
Operation_Provider_Info_New.Operation | — |
Operation_Provider_Info_New.HostId | — |
Operation_Provider_Info_New.ProviderName | — |
Operation_Provider_Info_New.ProviderGuid | — |
Operation_Provider_Info_New.Path | — |
GroupOperationId UInt32 | — |
Operation UnicodeString | — Known values
|
HostId UInt32 | — |
ProviderName UnicodeString | — |
ProviderGuid UnicodeString | — |
Path UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 12,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:08.7213624+00:00",
"event_record_id": 2932,
"correlation": {
"ActivityID": "c4d83776-df9b-4f73-8eb3-abf6fdb18958",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 15356
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_Provider_Info_New": {
"GroupOperationId": "33752",
"Operation": "Provider::ExecQuery - CIMWin32 : select __RELPATH, __RELPATH from Win32_Process",
"HostId": "14556",
"ProviderName": "CIMWin32",
"ProviderGuid": "{d63a5850-8f16-11cf-9f47-00aa00bf345c}",
"Path": "%systemroot%\\system32\\wbem\\cimwin32.dll"
}
},
"message": "ProviderInfo for GroupOperationId = 33752; Operation = Provider::ExecQuery - CIMWin32 : select __RELPATH, __RELPATH from Win32_Process; HostID = 14556; ProviderName = CIMWin32; ProviderGuid = {d63a5850-8f16-11cf-9f47-00aa00bf345c}; Path = %systemroot%\\system32\\wbem\\cimwin32.dll"
}
Event ID 13 — Stop OperationId = OperationId; ResultCode = ResultCode.
Description
Stop OperationId = OperationId; ResultCode = ResultCode.
Message #
Fields #
| Name | Description |
|---|---|
Operation_Stop_New.OperationId | — |
Operation_Stop_New.ResultCode | — |
OperationId UInt32 | — |
ResultCode HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 13,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.5397755+00:00",
"event_record_id": 3704,
"correlation": {
"ActivityID": "eda08d7d-6e98-43be-adba-1f74e64b4281",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 14888
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_Stop_New": {
"OperationId": "33915",
"ResultCode": "0x80041002"
}
},
"message": "Stop OperationId = 33915; ResultCode = 0x80041002"
}
Event ID 14 — OperationId = OperationId; Operation = Operation; Channel = Channel; Message = Message.
Description
OperationId = OperationId; Operation = Operation; Channel = Channel; Message = Message.
Message #
Fields #
| Name | Description |
|---|---|
OperationId UInt32 | — |
Operation UnicodeString | — Known values
|
Channel UInt32 | — |
Message UnicodeString | — |
Event ID 15 — OperationId = OperationId; Operation = Operation; ErrorID = ErrorId; ErrorCategory = ErrorCategory; Message = Message; TargetName = TargetName.
Description
OperationId = OperationId; Operation = Operation; ErrorID = ErrorId; ErrorCategory = ErrorCategory; Message = Message; TargetName = TargetName.
Message #
Fields #
| Name | Description |
|---|---|
OperationId UInt32 | — |
Operation UnicodeString | — Known values
|
ErrorId UnicodeString | — |
ErrorCategory UInt32 | — |
Message UnicodeString | — |
TargetName UnicodeString | — |
Event ID 16 — OperationId = OperationId; Operation = Operation; ErrorID = ErrorId; Message = Message.
Description
OperationId = OperationId; Operation = Operation; ErrorID = ErrorId; Message = Message.
Message #
Fields #
| Name | Description |
|---|---|
Operation_Provider_Result.OperationId | — |
Operation_Provider_Result.Operation | — |
Operation_Provider_Result.ErrorId | — |
Operation_Provider_Result.Message | — |
OperationId UInt32 | — |
Operation UnicodeString | — Known values
|
ErrorId HexInt32 | — |
Message UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 16,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T20:59:47.4850086+00:00",
"event_record_id": 1271,
"correlation": {
"ActivityID": "64478093-d4f9-0001-b4d0-5164f9d4dc01",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3536,
"thread_id": 11712
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_Provider_Result": {
"OperationId": "32845",
"Operation": "Method Execution",
"ErrorId": "0x0",
"Message": ""
}
},
"message": "OperationId = 32845; Operation = Method Execution; ErrorID = 0x0; Message = "
}
Event ID 17 — CorrelationId = CorrelationId; ProcessId = ProcessId; Protocol = Protocol; Operation = Operation; User = User; Namespace = Namespace.
Description
CorrelationId = CorrelationId; ProcessId = ProcessId; Protocol = Protocol; Operation = Operation; User = User; Namespace = Namespace.
Message #
Fields #
| Name | Description |
|---|---|
Operation_Client.CorrelationId | — |
Operation_Client.ProcessId | — |
Operation_Client.Protocol | — |
Operation_Client.Operation | — |
Operation_Client.User | — |
Operation_Client.Namespace | — |
CorrelationId UnicodeString | — |
ProcessId UInt32 | — |
Protocol UnicodeString | — Known values
|
Operation UnicodeString | — Known values
|
User UnicodeString | — |
Namespace UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 17,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:08.7157677+00:00",
"event_record_id": 2926,
"correlation": {
"ActivityID": "64478093-d4f9-0007-03d4-5464f9d4dc01",
"RelatedActivityID": ""
},
"execution": {
"process_id": 12952,
"thread_id": 11016
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_Client": {
"CorrelationId": "{64478093-D4F9-0007-03D4-5464F9D4DC01}",
"ProcessId": "12952",
"Protocol": "DCOM",
"Operation": "MI_Session::EnumerateInstance",
"User": "NULL",
"Namespace": "root\\cimv2"
}
},
"message": "CorrelationId = {64478093-D4F9-0007-03D4-5464F9D4DC01}; ProcessId = 12952; Protocol = DCOM; Operation = MI_Session::EnumerateInstance; User = NULL; Namespace = root\\cimv2"
}
Event ID 18 — WMI Events were dropped.
Event ID 19 — Performing delete operation on the WMI repository.
Description
Performing delete operation on the WMI repository. OperationID = OperationID; Operation = Operation.
Message #
Fields #
| Name | Description |
|---|---|
Operation_RepDelete.OperationID | — |
Operation_RepDelete.Operation | — |
OperationID UInt32 | — |
Operation UnicodeString | — Known values
|
ClientProcessId UInt32 | — |
ClientMachineFQDN UnicodeString | — |
ClientProcessCreationTime UInt64 | — |
IsLocal Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 19,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.4784408+00:00",
"event_record_id": 3467,
"correlation": {
"ActivityID": "b1d8c3f2-a930-480b-bcb8-cb95471878d4",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 12224
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_RepDelete": {
"OperationID": "33824",
"Operation": "\\\\DESKTOP-K7Q9MS2\\ROOT\\Rsop\\Computer:RSOP_RegistryPolicySetting.id=\"{852A0000-5369-4B5D-A940-3515E805B186}\",precedence=1"
}
},
"message": "Performing delete operation on the WMI repository. OperationID = 33824; Operation = \\\\DESKTOP-K7Q9MS2\\ROOT\\Rsop\\Computer:RSOP_RegistryPolicySetting.id=\"{852A0000-5369-4B5D-A940-3515E805B186}\",precedence=1"
}
Event ID 20 — Performing Update operation on the WMI repository.
Description
Performing Update operation on the WMI repository. OperationID = OperationID; Operation = Operation; Flags = Flags.
Message #
Fields #
| Name | Description |
|---|---|
Operation_RepUpdate.OperationID | — |
Operation_RepUpdate.Operation | — |
Operation_RepUpdate.Flags | — |
OperationID UInt32 | — |
Operation UnicodeString | — Known values
|
Flags UInt32 | — |
ClientProcessId UInt32 | — |
ClientMachineFQDN UnicodeString | — |
ClientProcessCreationTime UInt64 | — |
IsLocal Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 20,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.4902463+00:00",
"event_record_id": 3508,
"correlation": {
"ActivityID": "258aa0ca-4464-4d48-85ef-f9a43cd8ccbf",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 14888
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_RepUpdate": {
"OperationID": "33824",
"Operation": "RSOP_ExtensionStatus.extensionGuid=\"{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\"",
"Flags": "1"
}
},
"message": "Performing Update operation on the WMI repository. OperationID = 33824; Operation = RSOP_ExtensionStatus.extensionGuid=\"{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\"; Flags = 1"
}
Event ID 21 — WMI Events were bound.
Description
WMI Events were bound. ConsumerType = ConsumerType; Possiblecause = PossibleCause.
Message #
Fields #
| Name | Description |
|---|---|
ConsumerType UnicodeString | — |
PossibleCause UnicodeString | — |
Detection Rules #
View all rules referencing this event →
Elastic # view in reference
- Suspicious WMI Event Subscription Created source medium: Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.
Event ID 22 — CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; ClassName= ClassName; MethodName = MethodName; ImplementationClass = ImplementationClass; ClientMachin...
Description
CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; ClassName= ClassName; MethodName = MethodName; ImplementationClass = ImplementationClass; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = NamespaceName.
Message #
Fields #
| Name | Description |
|---|---|
MethodExec.CorrelationId | — |
MethodExec.GroupOperationId | — |
MethodExec.OperationId | — |
MethodExec.ClassName | — |
MethodExec.MethodName | — |
MethodExec.ImplementationClass | — |
MethodExec.ClientMachine | — |
MethodExec.ClientMachineFQDN | — |
MethodExec.User | — |
MethodExec.ClientProcessId | — |
MethodExec.ClientProcessCreationTime | — |
MethodExec.NamespaceName | — |
MethodExec.IsLocal | — |
CorrelationId UnicodeString | — |
GroupOperationId UInt32 | — |
OperationId UInt32 | — |
ClassName UnicodeString | — |
MethodName UnicodeString | — |
ImplementationClass UnicodeString | — |
ClientMachine UnicodeString | — |
ClientMachineFQDN UnicodeString | — |
User UnicodeString | — |
ClientProcessId UInt32 | — |
ClientProcessCreationTime UInt64 | — |
NamespaceName UnicodeString | — |
IsLocal Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 22,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T20:57:44.1010074+00:00",
"event_record_id": 227,
"correlation": {
"ActivityID": "09b2d503-9f8b-44d1-b13f-a24eb51f7612",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 15116
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"MethodExec": {
"CorrelationId": "{8D9DCB76-6D12-4141-8AD2-CAE6C7B89797}",
"GroupOperationId": "32845",
"OperationId": "32842",
"ClassName": "MSFT_MpScan",
"MethodName": "Start",
"ImplementationClass": "MSFT_MpScan",
"ClientMachine": "DESKTOP-K7Q9MS2",
"ClientMachineFQDN": "DESKTOP-K7Q9MS2",
"User": "DESKTOP-K7Q9MS2\\localuser",
"ClientProcessId": "14256",
"ClientProcessCreationTime": "134223154630497608",
"NamespaceName": "\\\\.\\ROOT\\Microsoft\\Windows\\Defender",
"IsLocal": "true"
}
},
"message": "CorrelationId = {8D9DCB76-6D12-4141-8AD2-CAE6C7B89797}; GroupOperationId = 32845; OperationId = 32842; ClassName= MSFT_MpScan; MethodName = Start; ImplementationClass = MSFT_MpScan; ClientMachine = DESKTOP-K7Q9MS2; User = DESKTOP-K7Q9MS2\\localuser; ClientProcessId = 14256; NamespaceName = \\\\.\\ROOT\\Microsoft\\Windows\\Defender"
}
Event ID 23 — CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; Commandline= Commandline; CreatedProcessId = CreatedProcessId; ClientMachine = CreatedProcessCreationT...
Description
CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; Commandline= Commandline; CreatedProcessId = CreatedProcessId; ClientMachine = CreatedProcessCreationTime; User = ClientMachineFQDN; ClientProcessId = User.
Message #
Fields #
| Name | Description |
|---|---|
CorrelationId UnicodeString | — |
GroupOperationId UInt32 | — |
OperationId UInt32 | — |
Commandline UnicodeString | — |
CreatedProcessId UInt32 | — |
CreatedProcessCreationTime UInt64 | — |
ClientMachine UnicodeString | — |
ClientMachineFQDN UnicodeString | — |
User UnicodeString | — |
ClientProcessId UInt32 | — |
ClientProcessCreationTime UInt64 | — |
IsLocal Boolean | — |
Event ID 24 — GroupOperationId = GroupOperationId; Executing polling query Query in namespace NamespaceName.
Event ID 50 — Activity Transfer
Description
Activity Transfer.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 50,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.5402448+00:00",
"event_record_id": 3705,
"correlation": {
"ActivityID": "bf89d6b0-0749-4787-9648-37993808a186",
"RelatedActivityID": "eb2f7cd8-77d6-447b-8b41-85bbc0f0cd29"
},
"execution": {
"process_id": 3776,
"thread_id": 14888
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "Activity Transfer"
}
Event ID 100 — ComponentName = ComponentName; MessageDetail = MessageDetail; FileName = FileName.
Event ID 101 — ComponentName = ComponentName; ErrorId = ErrorId; ErrorDetail = ErrorDetail; FileName = FileName.
Event ID 5857 — Operation_StartedOperational.ProviderName provider started with result code Operation_StartedOperational.Code.
#Description
Operation_StartedOperational.ProviderName provider started with result code Operation_StartedOperational.Code. HostProcess = Operation_StartedOperational.HostProcess; ProcessID = Operation_StartedOperational.ProcessID; ProviderPath = Operation_StartedOperational.ProviderPath.
Message #
Fields #
| Name | Description |
|---|---|
Operation_StartedOperational.ProviderName | — |
Operation_StartedOperational.Code | — |
Operation_StartedOperational.HostProcess | — |
Operation_StartedOperational.ProcessID | — |
Operation_StartedOperational.ProviderPath | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418EF04-B0B4-4623-BF7E-D74AB47BBDAA",
"event_source_name": "",
"event_id": 5857,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:54:48.665106+00:00",
"event_record_id": 2401,
"correlation": {
"ActivityID": "E4DB489E-1037-0003-A64E-DBE43710DA01"
},
"execution": {
"process_id": 4404,
"thread_id": 14236
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"Operation_StartedOperational": {
"ProviderName": "netnat",
"Code": "0x0",
"HostProcess": "wmiprvse.exe",
"ProcessID": 4404,
"ProviderPath": "%systemroot%\\system32\\wbem\\NetNat.dll"
}
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5858 — Id = Operation_ClientFailure.Id; ClientMachine = Operation_ClientFailure.ClientMachine; User = Operation_ClientFailure.User; ClientProcessId = Operation_ClientFailure.ClientProcessId; Component = O...
#Description
Id = ; ClientMachine = ; User = ; ClientProcessId = ; Component = ; Operation = ; ResultCode = ; PossibleCause =.
Message #
Fields #
| Name | Description |
|---|---|
Operation_ClientFailure.Id | — |
Operation_ClientFailure.ClientMachine | — |
Operation_ClientFailure.User | — |
Operation_ClientFailure.ClientProcessId | — |
Operation_ClientFailure.Component | — |
Operation_ClientFailure.Operation | — |
Operation_ClientFailure.ResultCode | — |
Operation_ClientFailure.PossibleCause | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418EF04-B0B4-4623-BF7E-D74AB47BBDAA",
"event_source_name": "",
"event_id": 5858,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:47:52.150550+00:00",
"event_record_id": 2399,
"correlation": {},
"execution": {
"process_id": 3340,
"thread_id": 10792
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"Operation_ClientFailure": {
"Id": "{00000000-0000-0000-0000-000000000000}",
"ClientMachine": "WINDEV2310EVAL",
"User": "WINDEV2310EVAL\\User",
"ClientProcessId": 12004,
"Component": "Unknown",
"Operation": "Start IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
"ResultCode": "0x80041032",
"PossibleCause": "Unknown"
}
},
"message": ""
}
References #
Event ID 5859 — Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Oper...
#Description
Namespace = ; NotificationQuery = ; OwnerName = ; HostProcessID = ; Provider= , queryID = ; PossibleCause =.
Message #
Fields #
| Name | Description |
|---|---|
Operation_EssStarted.NamespaceName | — |
Operation_EssStarted.Query | — |
Operation_EssStarted.User | — |
Operation_EssStarted.Processid | — |
Operation_EssStarted.Provider | — |
Operation_EssStarted.queryid | — |
Operation_EssStarted.PossibleCause | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418EF04-B0B4-4623-BF7E-D74AB47BBDAA",
"event_source_name": "",
"event_id": 5859,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T16:53:42.548405+00:00",
"event_record_id": 562,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0001-86B9-AAE09F4AD801"
},
"execution": {
"process_id": 2456,
"thread_id": 3588
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"Operation_EssStarted": {
"NamespaceName": "//./root/CIMV2",
"Query": "select * from MSFT_SCMEventLogEvent",
"User": "S-1-5-32-544",
"Processid": 2456,
"Provider": "SCM Event Provider",
"queryid": 0,
"PossibleCause": "Permanent"
}
},
"message": ""
}
Detection Patterns #
Privilege Escalation: Windows Management Instrumentation Event Subscription
WMI-Activity Event ID 5859: Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Operation_EssStarted.Provider, queryID = Operation_EssStarted.queryid; PossibleCause = Operation_EssStarted.PossibleCause.OREvent ID 5861: Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.
1 rule
Sigma
Community Notes #
Can be used for remote execution.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5860 — Namespace = Operation_TemporaryEssStarted.NamespaceName; NotificationQuery = Operation_TemporaryEssStarted.Query; UserName = Operation_TemporaryEssStarted.User; ClientProcessID = Operation_Temporar...
#Description
Namespace = ; NotificationQuery = ; UserName = ; ClientProcessID = , ClientMachine = ; PossibleCause =.
Message #
Fields #
| Name | Description |
|---|---|
Operation_TemporaryEssStarted.NamespaceName | — |
Operation_TemporaryEssStarted.Query | — |
Operation_TemporaryEssStarted.User | — |
Operation_TemporaryEssStarted.Processid | — |
Operation_TemporaryEssStarted.ClientMachine | — |
Operation_TemporaryEssStarted.PossibleCause | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418EF04-B0B4-4623-BF7E-D74AB47BBDAA",
"event_source_name": "",
"event_id": 5860,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:52:28.183845+00:00",
"event_record_id": 1567,
"correlation": {},
"execution": {
"process_id": 3340,
"thread_id": 8416
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"Operation_TemporaryEssStarted": {
"NamespaceName": "ROOT\\Subscription",
"Query": "SELECT * FROM __InstanceOperationEvent WITHIN 5WHERE TargetInstance ISA '__EventConsumer' OR TargetInstance ISA '__EventFilter' OR TargetInstance ISA '__FilterToConsumerBinding'",
"User": "NT AUTHORITY\\SYSTEM",
"Processid": 7064,
"ClientMachine": "WINDEV2310EVAL",
"PossibleCause": "Temporary"
}
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5861 — Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; Poss...
#Description
Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.
Message #
Fields #
| Name | Description |
|---|---|
Operation_ESStoConsumerBinding.Namespace | — |
Operation_ESStoConsumerBinding.ESS | — |
Operation_ESStoConsumerBinding.CONSUMER | — |
Operation_ESStoConsumerBinding.PossibleCause | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418EF04-B0B4-4623-BF7E-D74AB47BBDAA",
"event_source_name": "",
"event_id": 5861,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T16:53:38.894721+00:00",
"event_record_id": 560,
"correlation": {},
"execution": {
"process_id": 2456,
"thread_id": 3584
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"Operation_ESStoConsumerBinding": {
"Namespace": "//./root/subscription",
"ESS": "SCM Event Log Filter",
"CONSUMER": "NTEventLogEventConsumer=\"SCM Event Log Consumer\"",
"PossibleCause": "Binding EventFilter: \ninstance of __EventFilter\n{\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventNamespace = \"root\\\\cimv2\";\n\tName = \"SCM Event Log Filter\";\n\tQuery = \"select * from MSFT_SCMEventLogEvent\";\n\tQueryLanguage = \"WQL\";\n};\nPerm. Consumer: \ninstance of NTEventLogEventConsumer\n{\n\tCategory = 0;\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventType = 1;\n\tName = \"SCM Event Log Consumer\";\n\tNameOfUserSIDProperty = \"sid\";\n\tSourceName = \"Service Control Manager\";\n};\n"
}
},
"message": ""
}
Detection Patterns #
Privilege Escalation: Windows Management Instrumentation Event Subscription
WMI-Activity Event ID 5859: Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Operation_EssStarted.Provider, queryID = Operation_EssStarted.queryid; PossibleCause = Operation_EssStarted.PossibleCause.OREvent ID 5861: Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.
1 rule
Sigma
Community Notes #
These consumers survive reboots. WMI abuse is a classic technique for file-less persistence.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/persistence/evtx-5861-event-consumer-created.md