This event, logged to the WMI-Activity/Operational channel, is logged when a new WMI event consumer is registered on the system.
- Behavioral - Persistence (TA0003)
- Account - Security Identifier (SID)
- Windows 11
- Windows 10
- Windows 8
- Windows 7
- Windows Vista
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx
Because new WMI event consumers on Windows enpoints are rather rare, this artifact provides a high-fidelity indicator of persistence activity. The information that you find in this event may vary depending on specific attacker techniques. In general, suspicious WMI event consumers will be of the following types, which are indicated in the event data for event ID 5861:
CommandLineEventConsumerActiveScriptEventConsumer
Depending on the method an attacker has used to install a WMI event consumer, they will either have run mofcomp.exe or powershell. Consider cross-referencing this finding with artifacts that provide evidence of execution and searching for such activity.
Evidence of WMI event consumers may also be queried on a live system through Powershell's Get-WMI module as follows:
Get-WMIObject -Namespace root/Subscription -Class CommandLineEventConsumer
