
DET0086 Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation

Item            Value
ID              DET0086
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1546.003 (Windows Management Instrumentation Event Subscription)

Analytics

Windows

AN0236

Monitor for the creation of WMI EventFilter, EventConsumer, and FilterToConsumerBinding objects, whether created directly through WMI or by compiling a MOF file. Detect command-line execution of mofcomp.exe, use of Register-WmiEvent from PowerShell, and anomalous child processes of WmiPrvSE.exe, which indicate that a subscription has fired. Correlate anomalies in process lineage with the WMI logging channels.

Log Sources

Data Component   Name               Channel
DC0008           WMI Creation       WinEventLog:WMI EventCode=5857, 5858, 5860, 5861
DC0032           Process Creation   WinEventLog:Sysmon EventCode=1
DC0016           Module Load        WinEventLog:Sysmon EventCode=7

Mutable Elements

Field                           Description
TimeWindow                      Defines the temporal correlation range between WMI object creation and child process execution
UserContext                     Tune for specific accounts (e.g., SYSTEM or attacker-controlled users)
ProcessNameAllowlist            Used to exclude known benign consumers triggered via WMI (e.g., backup tools)
ParentProcessAnomalyThreshold   Defines what constitutes anomalous spawning from WmiPrvSE.exe
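The analytic AN0236 and its mutable elements, worked through as an added Python illustration; this is not code from the DET0086 page or from MITRE. The records are constructed dicts that approximate Sysmon EventCode=1 (process creation) and WMI-Activity EventCode=5861 (filter-to-consumer binding) entries; the field names, file paths, account names and the constant values for TimeWindow, ProcessNameAllowlist and ParentProcessAnomalyThreshold are all assumptions chosen for the example.

```python
"""Toy detection logic for DET0086 / T1546.003 over constructed log records.

Added illustration, not MITRE's analytic code. Field names approximate Sysmon
EventCode=1 and WMI-Activity EventCode=5861 records but are assumptions.
"""
from datetime import datetime

# Mutable elements from the detection strategy, as tunable constants (assumed values).
TIME_WINDOW_MINUTES = 10                       # TimeWindow
PROCESS_NAME_ALLOWLIST = {"backupagent.exe"}   # ProcessNameAllowlist (constructed benign consumer)
PARENT_PROCESS_ANOMALY_THRESHOLD = 1           # ParentProcessAnomalyThreshold: non-allowlisted children needed to alert

WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample records: a benign WMI-triggered backup job, then a suspicious
# mofcomp -> binding -> WmiPrvSE child chain, then a Register-WmiEvent call.
SAMPLE_EVENTS = [
    {"ts": "2025-10-21T09:01:00", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Program Files\Backup\backupagent.exe", "parent_image": WMIPRVSE,
     "command_line": "backupagent.exe /nightly", "user": "NT AUTHORITY\\SYSTEM"},
    {"ts": "2025-10-21T10:00:00", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\wbem\mofcomp.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"mofcomp.exe C:\Users\Public\persist.mof", "user": "CORP\\jdoe"},
    {"ts": "2025-10-21T10:00:30", "source": "WMI", "event_id": 5861,
     "user": "CORP\\jdoe", "consumer": "CommandLineEventConsumer",
     "binding": "__FilterToConsumerBinding filter=Updater consumer=CommandLineEventConsumer"},
    {"ts": "2025-10-21T10:04:00", "source": "Sysmon", "event_id": 1,
     "image": POWERSHELL, "parent_image": WMIPRVSE,
     "command_line": r"powershell.exe -w hidden -File C:\Users\Public\stage.ps1", "user": "NT AUTHORITY\\SYSTEM"},
    {"ts": "2025-10-21T11:00:00", "source": "Sysmon", "event_id": 1,
     "image": POWERSHELL, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Register-WmiEvent -Query \"SELECT * FROM __InstanceModificationEvent\"",
     "user": "CORP\\jdoe"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _process_creations(events):
    return [ev for ev in events if ev["source"] == "Sysmon" and ev["event_id"] == 1]


def detect_mofcomp(events):
    """MOF compilation: mofcomp.exe observed in Process Creation (Sysmon EventCode=1)."""
    return [ev for ev in _process_creations(events) if _basename(ev["image"]) == "mofcomp.exe"]


def detect_register_wmievent(events):
    """Register-WmiEvent invoked from a PowerShell host."""
    return [ev for ev in _process_creations(events)
            if _basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and "register-wmievent" in ev["command_line"].lower()]


def _wmiprvse_children(events, allowlist):
    return [ev for ev in _process_creations(events)
            if _basename(ev["parent_image"]) == "wmiprvse.exe"
            and _basename(ev["image"]) not in allowlist]


def detect_wmiprvse_children(events, allowlist=PROCESS_NAME_ALLOWLIST,
                             threshold=PARENT_PROCESS_ANOMALY_THRESHOLD):
    """Non-allowlisted children of WmiPrvSE.exe; alert once the count reaches the threshold."""
    hits = _wmiprvse_children(events, allowlist)
    return hits if len(hits) >= threshold else []


def correlate_binding_to_execution(events, window_minutes=TIME_WINDOW_MINUTES,
                                   allowlist=PROCESS_NAME_ALLOWLIST):
    """Pair each 5861 binding event with WmiPrvSE children that start within TimeWindow after it."""
    bindings = [ev for ev in events if ev["source"] == "WMI" and ev["event_id"] == 5861]
    pairs = []
    for b in bindings:
        for c in _wmiprvse_children(events, allowlist):
            delta_minutes = (_ts(c) - _ts(b)).total_seconds() / 60
            if 0 <= delta_minutes <= window_minutes:
                pairs.append((b, c))
    return pairs


def run_detections(events):
    """Run every rule and return (rule, timestamp, detail) tuples ordered by time."""
    alerts = [("mofcomp_execution", ev["ts"], ev["command_line"]) for ev in detect_mofcomp(events)]
    alerts += [("register_wmievent", ev["ts"], ev["command_line"]) for ev in detect_register_wmievent(events)]
    alerts += [("wmiprvse_anomalous_child", ev["ts"], ev["command_line"]) for ev in detect_wmiprvse_children(events)]
    alerts += [("binding_then_execution", c["ts"], f"{b['consumer']} -> {c['command_line']}")
               for b, c in correlate_binding_to_execution(events)]
    return sorted(alerts, key=lambda a: a[1])


if __name__ == "__main__":
    for rule, ts, detail in run_detections(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {detail}")
```

The allowlisted backup consumer at 09:01 produces no alert even though WmiPrvSE.exe spawned it, and the correlation rule only fires when a binding event precedes a WmiPrvSE child inside the window; shrinking TimeWindow to two minutes drops the 10:04 PowerShell child, which is the trade-off the TimeWindow element is meant to tune.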