Event ID 5859 — Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Oper...

Provider: Microsoft-Windows-WMI-Activity
Channel: Operational
Collection Priority: Recommended (Palantir, others)

Description

Namespace = ; NotificationQuery = ; OwnerName = ; HostProcessID = ; Provider= , queryID = ; PossibleCause =.

Message #

Namespace = %1; NotificationQuery = %2; OwnerName = %3; HostProcessID = %4;  Provider= %5, queryID = %6; PossibleCause = %7

Fields #

Name	Description
`Operation_EssStarted.NamespaceName`	—
`Operation_EssStarted.Query`	—
`Operation_EssStarted.User`	—
`Operation_EssStarted.Processid`	—
`Operation_EssStarted.Provider`	—
`Operation_EssStarted.queryid`	—
`Operation_EssStarted.PossibleCause`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WMI-Activity",
    "guid": "1418EF04-B0B4-4623-BF7E-D74AB47BBDAA",
    "event_source_name": "",
    "event_id": 5859,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T16:53:42.548405+00:00",
    "event_record_id": 562,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0001-86B9-AAE09F4AD801"
    },
    "execution": {
      "process_id": 2456,
      "thread_id": 3588
    },
    "channel": "Microsoft-Windows-WMI-Activity/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "Operation_EssStarted": {
      "NamespaceName": "//./root/CIMV2",
      "Query": "select * from MSFT_SCMEventLogEvent",
      "User": "S-1-5-32-544",
      "Processid": 2456,
      "Provider": "SCM Event Provider",
      "queryid": 0,
      "PossibleCause": "Permanent"
    }
  },
  "message": ""
}

Detection Patterns #

Privilege Escalation: Windows Management Instrumentation Event Subscription

WMI-Activity Event ID 5859: Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Operation_EssStarted.Provider, queryID = Operation_EssStarted.queryid; PossibleCause = Operation_EssStarted.PossibleCause.OREvent ID 5861: Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.

1 rule

Sigma

WMI Persistence (source)

Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community

Community Notes #

Can be used for remote execution.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
Example event sourced from https://github.com/NextronSystems/evtx-baseline