Microsoft-Windows-WMI-Activity › Event 5861

Event ID 5861 — Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; Poss...

Provider: Microsoft-Windows-WMI-Activity
Channel: Operational
Collection Priority: Recommended (Palantir, others)

Description

Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.

Message #

Namespace = %1; Eventfilter = %2 (refer to its activate eventid:5859); Consumer = %3; PossibleCause = %4

Fields #

Name                                            Description
Operation_ESStoConsumerBinding.Namespace
Operation_ESStoConsumerBinding.ESS
Operation_ESStoConsumerBinding.CONSUMER
Operation_ESStoConsumerBinding.PossibleCause

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WMI-Activity",
    "guid": "1418EF04-B0B4-4623-BF7E-D74AB47BBDAA",
    "event_source_name": "",
    "event_id": 5861,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T16:53:38.894721+00:00",
    "event_record_id": 560,
    "correlation": {},
    "execution": {
      "process_id": 2456,
      "thread_id": 3584
    },
    "channel": "Microsoft-Windows-WMI-Activity/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "Operation_ESStoConsumerBinding": {
      "Namespace": "//./root/subscription",
      "ESS": "SCM Event Log Filter",
      "CONSUMER": "NTEventLogEventConsumer=\"SCM Event Log Consumer\"",
      "PossibleCause": "Binding EventFilter: \ninstance of __EventFilter\n{\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventNamespace = \"root\\\\cimv2\";\n\tName = \"SCM Event Log Filter\";\n\tQuery = \"select * from MSFT_SCMEventLogEvent\";\n\tQueryLanguage = \"WQL\";\n};\nPerm. Consumer: \ninstance of NTEventLogEventConsumer\n{\n\tCategory = 0;\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventType = 1;\n\tName = \"SCM Event Log Consumer\";\n\tNameOfUserSIDProperty = \"sid\";\n\tSourceName = \"Service Control Manager\";\n};\n"
    }
  },
  "message": ""
}

Detection Patterns #
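
The following triage routine is an added example and is not part of this event catalog or of any vendor tooling. It parses the `PossibleCause` text of a 5861 record (the MOF-style dump of the `__EventFilter` and the permanent consumer shown in the example event above), separates the default SCM Event Log binding from bindings that attach a command line or script to a trigger, and returns the fields an analyst would pivot on. The consumer class names `CommandLineEventConsumer` and `ActiveScriptEventConsumer` are the standard WMI consumer classes that carry an executable payload; treating the SCM Event Log filter/consumer pair as a Windows default, and the second sample event, are assumptions made for this example.

```python
import re

# Added example for Event ID 5861 triage (not the catalog's own code).
# Assumptions: the SCM Event Log binding is a Windows default, and a
# binding to CommandLineEventConsumer / ActiveScriptEventConsumer is the
# shape a fileless persistence implant takes.

INSTANCE_RE = re.compile(r"instance of (\w+)")
# One MOF-style property per line, e.g. '\tName = "value";' or '\tEventType = 1;'
PROP_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?);\s*$", re.MULTILINE)

# Consumer classes whose properties hold something that gets executed.
PAYLOAD_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# (namespace, filter name, consumer class, consumer name) tuples treated as
# expected. Assumption: the SCM Event Log binding shipped with Windows.
BASELINE_BINDINGS = {
    ("//./root/subscription", "SCM Event Log Filter",
     "NTEventLogEventConsumer", "SCM Event Log Consumer"),
}


def parse_instance(block):
    """Turn one 'instance of X { prop = value; ... };' dump into a dict."""
    match = INSTANCE_RE.search(block)
    props = {k: v.strip().strip('"') for k, v in PROP_RE.findall(block)}
    return {"class": match.group(1) if match else None, "props": props}


def parse_possible_cause(text):
    """Split PossibleCause into its __EventFilter and consumer instances."""
    filter_part, _, consumer_part = text.partition("Perm. Consumer:")
    return parse_instance(filter_part), parse_instance(consumer_part)


def triage(event):
    """Classify a 5861 record and return the fields an analyst pivots on."""
    data = event["user_data"]["Operation_ESStoConsumerBinding"]
    flt, con = parse_possible_cause(data["PossibleCause"])
    consumer_name = con["props"].get("Name")
    key = (data["Namespace"], data["ESS"], con["class"], consumer_name)
    if key in BASELINE_BINDINGS:
        verdict = "baseline"
    elif con["class"] in PAYLOAD_CONSUMERS:
        verdict = "high"      # a command line or script is bound to a trigger
    else:
        verdict = "review"    # unknown binding, e.g. a new monitoring agent
    return {
        "verdict": verdict,
        "computer": event["system"]["computer"],
        "user_id": event["system"]["security"]["user_id"],
        "namespace": data["Namespace"],
        "filter_name": flt["props"].get("Name"),
        "query": flt["props"].get("Query"),
        "consumer_class": con["class"],
        "consumer_name": consumer_name,
        "payload": con["props"].get("CommandLineTemplate")
        or con["props"].get("ScriptText"),
    }


def make_event(computer, user_id, ess, consumer, cause):
    """Build a minimal 5861 record in the shape shown on this page."""
    return {
        "system": {"event_id": 5861, "computer": computer,
                   "security": {"user_id": user_id}},
        "user_data": {"Operation_ESStoConsumerBinding": {
            "Namespace": "//./root/subscription", "ESS": ess,
            "CONSUMER": consumer, "PossibleCause": cause}},
    }


# Sample 1: the PossibleCause text of the event shown on this page.
SCM_CAUSE = (
    "Binding EventFilter: \ninstance of __EventFilter\n{\n"
    "\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n"
    "\tEventNamespace = \"root\\\\cimv2\";\n"
    "\tName = \"SCM Event Log Filter\";\n"
    "\tQuery = \"select * from MSFT_SCMEventLogEvent\";\n"
    "\tQueryLanguage = \"WQL\";\n};\n"
    "Perm. Consumer: \ninstance of NTEventLogEventConsumer\n{\n"
    "\tCategory = 0;\n"
    "\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n"
    "\tEventType = 1;\n"
    "\tName = \"SCM Event Log Consumer\";\n"
    "\tNameOfUserSIDProperty = \"sid\";\n"
    "\tSourceName = \"Service Control Manager\";\n};\n"
)

# Sample 2 (constructed, not from the page): a timer-style filter bound to a
# CommandLineEventConsumer with a placeholder path.
SUSPECT_CAUSE = (
    "Binding EventFilter: \ninstance of __EventFilter\n{\n"
    "\tEventNamespace = \"root\\\\cimv2\";\n"
    "\tName = \"Constructed Filter\";\n"
    "\tQuery = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 "
    "WHERE TargetInstance ISA 'Win32_LocalTime'\";\n"
    "\tQueryLanguage = \"WQL\";\n};\n"
    "Perm. Consumer: \ninstance of CommandLineEventConsumer\n{\n"
    "\tCommandLineTemplate = \"C:\\\\ProgramData\\\\placeholder.exe\";\n"
    "\tName = \"Constructed Consumer\";\n};\n"
)

SAMPLE_EVENTS = [
    make_event("WIN-FPV0DSIC9O6.lab.local", "S-1-5-18", "SCM Event Log Filter",
               'NTEventLogEventConsumer="SCM Event Log Consumer"', SCM_CAUSE),
    make_event("HOST-CONSTRUCTED.lab.local", "S-1-5-21-0-0-0-1001", "Constructed Filter",
               'CommandLineEventConsumer="Constructed Consumer"', SUSPECT_CAUSE),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

Matching on the full (namespace, filter, consumer class, consumer name) tuple rather than on the consumer name alone keeps a renamed payload consumer from borrowing the baseline's name, and surfacing `query` and `payload` together gives the responder the trigger and the action in one line without opening the raw `PossibleCause` text.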

Community Notes #

Permanent WMI event subscriptions (filter-to-consumer bindings such as the one logged here) survive reboots, which is why WMI abuse is a classic technique for fileless persistence.

References #