EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

WMI Temporary Event Subscription

The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.

MITRE ATT&CK

T1047

Detection Query

`wmi` EventCode=5860 Temporary
  | rex field=Message "NotificationQuery =\s+(?<query>[^;
  | ^$]+)"
  | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'"
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY ComputerName, query
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `wmi_temporary_event_subscription_filter`

Author

Rico Valdez, Splunk

Created

2026-03-10

Tags

Suspicious WMI Use
Raw Content
name: WMI Temporary Event Subscription
id: 38cbd42c-1098-41bb-99cf-9d6d2b296d83
version: 8
date: '2026-03-10'
author: Rico Valdez, Splunk
status: experimental
type: TTP
description: The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.
data_source: []
search: |-
    `wmi` EventCode=5860 Temporary
      | rex field=Message "NotificationQuery =\s+(?<query>[^;
      | ^$]+)"
      | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'"
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY ComputerName, query
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `wmi_temporary_event_subscription_filter`
how_to_implement: To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].
known_false_positives: Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.
references: []
rba:
    message: WMI Temporary event subscription detected on $dest$
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Suspicious WMI Use
    asset_type: Endpoint
    mitre_attack_id:
        - T1047
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint