[Osquery_manager] WMI artifacts saved query

[tomsonpl]

WMI Persistence Event Subscriptions

Windows Management Instrumentation (WMI) event subscriptions provide a powerful persistence mechanism that allows attackers to execute arbitrary commands or scripts when specific system events occur. This query provides comprehensive visibility into WMI-based persistence by detecting both active subscriptions and orphaned components that may indicate residual or partially removed malware.

Core Forensic Artifacts Coverage

#	Artifact	✓	OS	Query	File	Description
23-24	WMI Persistence	✅	Windows	wmi_persistence_event_subscriptions	40033716	WMI event subscriptions, filters, and consumers for persistence detection

Queries by Platform

---

🪟 Windows - WMI Persistence Detection (T1546.003)

Description

Detects WMI event subscriptions used for persistence (MITRE ATT&CK T1546.003). Includes bound subscriptions (active persistence) AND orphaned components (filters/consumers without bindings) which may indicate residual or partially removed malware. WMI eventing allows attackers to execute arbitrary commands or scripts when specific system events occur. Enriched with file hashes and code signatures for referenced executables and scripts.

Detection Focus:

• Bound Subscriptions: Active filter-consumer chains representing live persistence mechanisms
• Orphaned Consumers: CommandLine or ActiveScript consumers without associated filters (residual malware)
• Orphaned Filters: Event filters without consumers (incomplete cleanup or partial removal)
• CommandLineEventConsumer: Executes arbitrary commands/executables on trigger
• ActiveScriptEventConsumer: Executes VBScript/JScript code on trigger
• Hash & Signature Enrichment: MD5/SHA256 hashes and Authenticode validation for executables

Result

Query results show WMI event subscription components with their relationships:

Status	Detection Meaning
bound	Active persistence - filter triggers consumer execution
orphaned_consumer	Consumer exists without filter - possible residual malware
orphaned_filter	Filter exists without consumer - incomplete cleanup

Trusted system components (e.g., SCM Event Log Filter) appear alongside potentially malicious entries for complete visibility.

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

wmi_persistence_event_subscriptions_windows_elastic

ECS Field Mappings

• event.category → ["configuration"] (static)
• event.type → ["info"] (static)
• process.command_line → command_line_template
• process.executable → executable_path
• process.hash.md5 → md5
• process.hash.sha256 → sha256
• process.code_signature.subject_name → subject_name
• process.code_signature.status → signature_status
• file.path → script_file_name
• threat.indicator.description → filter_query
• tags → ["persistence", "wmi", "event_subscription", "mitre_t1546_003"] (static)

SQL Query

-- WMI Persistence Event Subscriptions - Complete Coverage (T1546.003)
-- Detects bound subscriptions and orphaned components for full forensic visibility
-- Fixed: Uses relative_path for proper JOIN matching per osquery schema

WITH wmi_subscriptions AS (
    -- Part 1: Bound subscriptions (complete filter-consumer chains)
    SELECT
        'bound' AS status,
        filter.name AS filter_name,
        filter.query AS filter_query,
        filter.query_language,
        filter.class AS filter_class,
        COALESCE(cli.name, script.name) AS consumer_name,
        CASE
            WHEN cli.name IS NOT NULL THEN 'CommandLineEventConsumer'
            WHEN script.name IS NOT NULL THEN 'ActiveScriptEventConsumer'
            ELSE 'Unknown'
        END AS consumer_type,
        COALESCE(cli.class, script.class) AS consumer_class,
        COALESCE(cli.relative_path, script.relative_path) AS consumer_relative_path,
        cli.command_line_template,
        cli.executable_path,
        script.scripting_engine,
        script.script_file_name,
        script.script_text,
        COALESCE(
            NULLIF(cli.executable_path, ''),
            NULLIF(cli.command_line_template, ''),
            NULLIF(script.script_file_name, '')
        ) AS hashable_path
    FROM wmi_filter_consumer_binding binding
    LEFT JOIN wmi_event_filters filter ON binding.filter = filter.relative_path
    LEFT JOIN wmi_cli_event_consumers cli ON binding.consumer = cli.relative_path
    LEFT JOIN wmi_script_event_consumers script ON binding.consumer = script.relative_path

    UNION ALL

    -- Part 2: Orphaned CLI consumers (possible residual malware)
    SELECT
        'orphaned_consumer' AS status,
        '' AS filter_name,
        '' AS filter_query,
        '' AS query_language,
        '' AS filter_class,
        cli.name AS consumer_name,
        'CommandLineEventConsumer' AS consumer_type,
        cli.class AS consumer_class,
        cli.relative_path AS consumer_relative_path,
        cli.command_line_template,
        cli.executable_path,
        '' AS scripting_engine,
        '' AS script_file_name,
        '' AS script_text,
        COALESCE(NULLIF(cli.executable_path, ''), NULLIF(cli.command_line_template, '')) AS hashable_path
    FROM wmi_cli_event_consumers cli
    WHERE NOT EXISTS (
        SELECT 1 FROM wmi_filter_consumer_binding binding
        WHERE binding.consumer = cli.relative_path
    )

    UNION ALL

    -- Part 3: Orphaned Script consumers (possible residual malware)
    SELECT
        'orphaned_consumer' AS status,
        '' AS filter_name,
        '' AS filter_query,
        '' AS query_language,
        '' AS filter_class,
        script.name AS consumer_name,
        'ActiveScriptEventConsumer' AS consumer_type,
        script.class AS consumer_class,
        script.relative_path AS consumer_relative_path,
        '' AS command_line_template,
        '' AS executable_path,
        script.scripting_engine,
        script.script_file_name,
        script.script_text,
        NULLIF(script.script_file_name, '') AS hashable_path
    FROM wmi_script_event_consumers script
    WHERE NOT EXISTS (
        SELECT 1 FROM wmi_filter_consumer_binding binding
        WHERE binding.consumer = script.relative_path
    )

    UNION ALL

    -- Part 4: Orphaned filters (possible residual malware)
    SELECT
        'orphaned_filter' AS status,
        filter.name AS filter_name,
        filter.query AS filter_query,
        filter.query_language,
        filter.class AS filter_class,
        '' AS consumer_name,
        '' AS consumer_type,
        '' AS consumer_class,
        '' AS consumer_relative_path,
        '' AS command_line_template,
        '' AS executable_path,
        '' AS scripting_engine,
        '' AS script_file_name,
        '' AS script_text,
        '' AS hashable_path
    FROM wmi_event_filters filter
    WHERE NOT EXISTS (
        SELECT 1 FROM wmi_filter_consumer_binding binding
        WHERE binding.filter = filter.relative_path
    )
)

SELECT
    ws.status,
    ws.filter_name,
    ws.filter_query,
    ws.query_language,
    ws.filter_class,
    ws.consumer_name,
    ws.consumer_type,
    ws.consumer_class,
    ws.consumer_relative_path,
    ws.command_line_template,
    ws.executable_path,
    ws.scripting_engine,
    ws.script_file_name,
    ws.script_text,
    h.md5,
    h.sha256,
    a.subject_name,
    a.result AS signature_status
FROM wmi_subscriptions ws
LEFT JOIN hash h ON h.path = ws.hashable_path AND ws.hashable_path != ''
LEFT JOIN authenticode a ON a.path = ws.hashable_path AND ws.hashable_path != ''

---

This PR was AI assisted with Claude Code

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: d8f08b1