DETECTION OVERVIEW
Risk Factors
Creating a Windows Management Instrumentation (WMI) event subscription on a remote device requires local administrator privileges, which can be difficult for an attacker to acquire. However, a successful attacker can leverage automated tools to gain persistent system-level access and move laterally across the network.
Category
Decryptions

WMI is a built-in Windows framework for local and remote system management through standardized classes. By interacting with these classes, applications automate administrative tasks across the network. Administrators can create a WMI event subscription to automate commands.
An attacker can run automated tools to establish a legitimate event subscription that can run a malicious command. Creating an event subscription requires creating classes and then linking them together to run the malicious command. The tool sends Microsoft remote procedure call (MS-RPC) requests to the target device to create an Event Filter class and an Event Consumer class. The attacker sends a subsequent MS-RPC request with a payload that links the two classes, ensuring a malicious command runs automatically whenever the subscribed event occurs.
Allow only administrators to remotely connect to WMI
Prevent non-administrative users from connecting remotely to WMI
Prevent credential overlap of administrator and privileged accounts across systems
Enable Attack Surface Reduction (ASR) rules on Windows Systems to prevent malware from abusing WMI
Network analysis and visibility solutions remain underrepresented in enterprises. Find out why in this preview of a new Wave report.
ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response
Visit this resource for more information.
Learn how ExtraHop decryption works.
This analysis exposes the critical link between an organization's lack of internal visibility and the escalating cost of compromise, demanding an urgent re-evaluation of how core business assets are protected.
Learn why you need to be wary of the claims certain network detection and response providers make about their coverage against the MITRE ATT&CK framework.
Learn how NDR from RevealX helps security teams detect and investigate more adversary TTPs in the MITRE ATT&CK framework than rule-based tools.
