DC0008 WMI Creation

| Item | Value |
| --- | --- |
| ID | DC0008 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
| --- | --- |
| WinEventLog:Application | WMI Object Creation Events |
| WinEventLog:WMI | Creation or modification of __EventFilter, __FilterToConsumerBinding, or CommandLineEventConsumer |
| WinEventLog:WMI | EventCode=5857, 5858, 5860, 5861 |

Detection Strategy

| ID | Name | Technique Detected |
| --- | --- | --- |
| DET0010 | Behavioral Detection of Event Triggered Execution Across Platforms | T1546 |
| DET0364 | Behavioral Detection Strategy for WMI Execution Abuse on Windows | T1047 |
| DET0086 | Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation | T1546.003 |
| DET0344 | Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory | T1027.011 |
| DET0474 | Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy | T1480.001 |
| DET0562 | Multi-Platform Execution Guardrails Environmental Validation Detection Strategy | T1480 |
| DET0418 | Windows DACL Manipulation Behavioral Chain Detection Strategy | T1222.001 |