ExtraHop named a leader in the Gartner® Magic Quadrant™ for Network Detection and Response

Search
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right

DETECTION OVERVIEW

Remote WMI Event Subscription Activity

Risk Factors

Creating a Windows Management Instrumentation (WMI) event subscription on a remote device requires local administrator privileges, which can be difficult for an attacker to acquire. However, a successful attacker can leverage automated tools to gain persistent system-level access and move laterally across the network.

Category

Lateral Movement

Decryptions

Active Directory Decryption
Detection diagram
Next in Lateral Movement: SIP Brute Force

Background

WMI is a built-in Windows framework for local and remote system management through standardized classes. By interacting with these classes, applications automate administrative tasks across the network. Administrators can create a WMI event subscription to automate commands.

An attacker can run automated tools to establish a legitimate event subscription that can run a malicious command. Creating an event subscription requires creating classes and then linking them together to run the malicious command. The tool sends Microsoft remote procedure call (MS-RPC) requests to the target device to create an Event Filter class and an Event Consumer class. The attacker sends a subsequent MS-RPC request with a payload that links the two classes, ensuring a malicious command runs automatically whenever the subscribed event occurs.


Mitigation Options

Allow only administrators to remotely connect to WMI

Prevent non-administrative users from connecting remotely to WMI

Prevent credential overlap of administrator and privileged accounts across systems

Enable Attack Surface Reduction (ASR) rules on Windows Systems to prevent malware from abusing WMI


MITRE ATT&CK ID

Associated content

Announcing The Forrester Wave™: Network Analysis And Visibility Solutions, Q4 2025

Network analysis and visibility solutions remain underrepresented in enterprises. Find out why in this preview of a new Wave report.

Blog Post

ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response — ExtraHop

ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response

News

Detections

Visit this resource for more information.

Documentation

Decryption

Learn how ExtraHop decryption works.

Documentation

The 2025 ExtraHop Global Threat Landscape Report: The Alarming Reality of Threat Actor Dwell Time and Deeper Network Access — ExtraHop

This analysis exposes the critical link between an organization's lack of internal visibility and the escalating cost of compromise, demanding an urgent re-evaluation of how core business assets are protected.

Blog Post

ExtraHop RevealX MITRE ATT&CK Coverage 2024 — ExtraHop

Learn why you need to be wary of the claims certain network detection and response providers make about their coverage against the MITRE ATT&CK framework.

Blog Post

MITRE ATT&CK - Network Detection & Response with RevealX — ExtraHop

Learn how NDR from RevealX helps security teams detect and investigate more adversary TTPs in the MITRE ATT&CK framework than rule-based tools.

Report
Periodic Table of Use Cases

What else can RevealX do for you?