Skip to content

DS0005 WMI

The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers12

Item Value
ID DS0005
Platforms Windows
Collection Layers Host
Version 1.0
Created 20 October 2021
Last Modified 10 November 2021

Data Components

WMI Creation

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)

Domain ID Name
enterprise T1546 Event Triggered Execution
enterprise T1546.003 Windows Management Instrumentation Event Subscription
enterprise T1027 Obfuscated Files or Information
enterprise T1027.011 Fileless Storage

References

  1. Microsoft. (2018, May 31). WMI System Classes. Retrieved September 29, 2021. 

  2. Microsoft. (2018, May 31). WMI Architecture. Retrieved September 29, 2021. 

  3. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. 

  4. French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019. 

  5. French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020.