Technique: Windows Management Instrumentation Event Subscription

ID: T1084

Export to Word

Description

Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)

Threat-Mapped Scoring

Threat Score: 1.8
Industry:
Threat Priority: P4 - Informational (Low)

ATT&CK Kill Chain Metadata

← Back to Home ← Back to TTP Search