Skip to content

<<< Hide Navigation Hide TOC >>>

WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4)

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers.

Data Collection Measures:

  • Windows Security Event Logs:
    • Event ID 5861 (WMI Permanent Event Subscription)
    • Event ID 5860 (WMI Event Filter Activity)
    • Event ID 5857 (WMI Event Consumer Activity)
  • Sysmon Logs:
    • Sysmon Event ID 19 – WMI Event Filter Created
    • Sysmon Event ID 20 – WMI Event Consumer Created
    • Sysmon Event ID 21 – WMI Event Binding Created
  • Endpoint Detection & Response (EDR)
    • Detects WMI-based persistence techniques.
Galaxy ColorsAttack Pat...mitre-data...
Rows: 8
Loading extensions...
Collapse filters
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.2

https://www.tablefilter.com/
©2015-2025 Max Guglielmi
?
Cluster A Galaxy A Cluster B Galaxy B Level
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern WMI Creation (05645013-2fed-4066-8bdc-626b2e201dd4) mitre-data-component 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 2