T1546.003 Windows Management Instrumentation Event Subscription Mappings

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1546.003 Windows Management Instrumentation Event Subscription
AC-3 Access Enforcement Protects T1546.003 Windows Management Instrumentation Event Subscription
AC-5 Separation of Duties Protects T1546.003 Windows Management Instrumentation Event Subscription
AC-6 Least Privilege Protects T1546.003 Windows Management Instrumentation Event Subscription
CM-5 Access Restrictions for Change Protects T1546.003 Windows Management Instrumentation Event Subscription
CM-6 Configuration Settings Protects T1546.003 Windows Management Instrumentation Event Subscription
IA-2 Identification and Authentication (organizational Users) Protects T1546.003 Windows Management Instrumentation Event Subscription