Monitor Windows Management Instrumentation (WMI) Events (CM0039)

In Playbook

Details

  • ID: CM0039
  • Version: 1.0
  • Created: 14 March 2025
  • Modified: 14 March 2025
  • Type: Examine
  • Status: Active

Intended Outcome

Monitoring Windows Management Instrumentation (WMI) events detects adversary execution of malicious commands and payloads.

Introduction

WMI is the infrastructure for management data and operations on Windows-based operating systems.

Preparation

No Preparation content identified.

Risks

No Risks content identified.

Guidance

  • Collect Information about WMI using PowerShell. Execute the following commands in PowerShell to collect WMI event filters, consumers, and bindings on a system.
  • Collect Information about WMI using free, open source, modular PowerShell-based incident response framework such as Arthur and/or KANSA.
  • Collect Information about WMI using Vendor Tools.
    • In addition to the methods described above, various vendor tools may be used to collect WMI events (or indeed are configured to collect them by default). For example, Splunk supports WMI data collection.
  • Configure Sysmon to capture WMI Event Filter, Consumer, and Binding Activity. Sysmon can be configured to monitor WMIEventFilter activity (event 19), WMIEventConsumer activity (event 20), and WMIEventConsumerToFilter activity (event 21). Roberto Rodriguez' (@Cyb3rWard0g) Sysmon configuration file can be installed to capture Event IDs 19, 20, and 21. Sysmon can be installed with this configuration file using the following command.
    • sysmon.exe -i -c .\config_file.xml

References

  • ID: CM0039
  • Version: 1.0
  • Created: 13 March 2025
  • Modified: 13 March 2025
  • Type: Examine