MITRE ATT&CK Technique: T1546.003 Windows Management Instrumentation Event Subscription
Description
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also write the filter, consumer, and binding as a Managed Object Format (MOF) file (.mof extension) and compile it into the WMI repository with `mofcomp.exe` to create the malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe), which hosts permanent event consumers under the SYSTEM account. Creating a permanent subscription requires administrative rights, but the command or script the consumer launches then runs as SYSTEM, independent of any interactive logon.
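The three artifacts the description refers to (an __EventFilter holding a WQL query, an __EventConsumer subclass holding the payload, and a __FilterToConsumerBinding tying them together) all live in the root\subscription namespace, which is also where a defender goes to find them. The following PowerShell is an added example written for this page; it is not code from MITRE or from any of the cited reports. It enumerates every binding, resolves the filter and consumer it points at, and flags the two consumer classes that execute arbitrary code, CommandLineEventConsumer and ActiveScriptEventConsumer. The function and variable names are this example's own. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session with the CimCmdlets module available.

```powershell
# Added example (not from the ATT&CK page or its references): enumerate and,
# after review, remove permanent WMI event subscriptions from root\subscription.
# Assumes an elevated session; reading this namespace as a standard user
# typically returns nothing or access denied.

$Namespace = 'root\subscription'

# Consumer classes whose payload is a command or script. LogFile, NTEventLog and
# SMTP consumers cannot run code on their own and are reported but not flagged.
$CodeExecutingConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

function Get-RefName {
    # A binding's Filter/Consumer property is a reference. Get-CimInstance
    # materialises it as a CimInstance; older tooling returns an object-path
    # string such as __EventFilter.Name="x". Handle both shapes.
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $Ref }
    }
    return $Ref.Name
}

function Get-ConsumerPayload {
    # Extract the part of the consumer that actually runs when the filter fires.
    param($Consumer)
    switch ($Consumer.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { "$($Consumer.ExecutablePath) $($Consumer.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' {
            if ($Consumer.ScriptFileName) { "$($Consumer.ScriptingEngine): $($Consumer.ScriptFileName)" }
            else                          { "$($Consumer.ScriptingEngine): $($Consumer.ScriptText)" }
        }
        default                     { $Consumer.Name }
    }
}

function Get-WmiEventSubscription {
    # Joins filter -> binding -> consumer and returns one row per binding.
    # A wall-clock trigger, as mentioned in the description, shows up as a
    # filter Query such as:
    #   SELECT * FROM __InstanceModificationEvent WITHIN 60
    #   WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 12
    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $consumerClass = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }

        [pscustomobject]@{
            Filter        = $fName
            Query         = if ($f) { $f.Query } else { '<missing>' }
            Consumer      = $cName
            ConsumerClass = $consumerClass
            Payload       = if ($c) { Get-ConsumerPayload $c } else { '<missing>' }
            # Flag code-executing consumers, and bindings whose filter or consumer
            # is gone (a half-removed subscription still deserves a look).
            Suspicious    = ($consumerClass -in $CodeExecutingConsumers) -or (-not $f) -or (-not $c)
        }
    }
}

function Remove-WmiEventSubscription {
    # Removes one subscription. The binding goes first: once it is gone the
    # filter can no longer trigger the consumer even if a later step fails.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName
    )
    $binding  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
                Where-Object { (Get-RefName $_.Filter) -eq $FilterName -and (Get-RefName $_.Consumer) -eq $ConsumerName }
    $filter   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter   | Where-Object { $_.Name -eq $FilterName }
    $consumer = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer | Where-Object { $_.Name -eq $ConsumerName }

    foreach ($obj in @($binding, $filter, $consumer) | Where-Object { $_ }) {
        if ($PSCmdlet.ShouldProcess("$($obj.CimClass.CimClassName) ($FilterName / $ConsumerName)", 'Remove-CimInstance')) {
            $obj | Remove-CimInstance
        }
    }
}

# Usage: list everything, review the flagged rows, then remove with -WhatIf first.
$subs = Get-WmiEventSubscription
$subs | Format-Table Filter, ConsumerClass, Payload, Suspicious -AutoSize
$subs | Where-Object Suspicious | ForEach-Object {
    Remove-WmiEventSubscription -FilterName $_.Filter -ConsumerName $_.Consumer -WhatIf
}
```

Windows ships with a benign NTEventLogEventConsumer binding in this namespace (the SCM Event Log Filter/Consumer pair), which the flag logic deliberately leaves alone; any other binding, and in particular any CommandLineEventConsumer or ActiveScriptEventConsumer, should be explained before it is trusted. The same three artifacts can also be watched as they are created: Sysmon records filter, consumer and binding creation as WmiEvent events (IDs 19, 20 and 21), and the Microsoft-Windows-WMI-Activity/Operational log records permanent consumer registration as event 5861 on current Windows releases.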
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-24T14:07:56.276Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may establish persistence and elevate privileges '
'by executing malicious content triggered by a Windows '
'Management Instrumentation (WMI) event subscription. WMI can '
'be used to install event filters, providers, consumers, and '
'bindings that execute code when a defined event occurs. '
'Examples of events that may be subscribed to are the wall '
"clock time, user login, or the computer's uptime.(Citation: "
'Mandiant M-Trends 2015)\n'
'\n'
'Adversaries may use the capabilities of WMI to subscribe to '
'an event and execute arbitrary code when that event occurs, '
'providing persistence on a system.(Citation: FireEye WMI SANS '
'2015)(Citation: FireEye WMI 2015) Adversaries may also '
'compile WMI scripts – using `mofcomp.exe` –into Windows '
'Management Object (MOF) files (.mof extension) that can be '
'used to create a malicious subscription.(Citation: Dell WMI '
'Persistence)(Citation: Microsoft MOF May 2018)\n'
'\n'
'WMI subscription execution is proxied by the WMI Provider '
'Host process (WmiPrvSe.exe) and thus may result in elevated '
'SYSTEM privileges.',
'external_references': [{'external_id': 'T1546.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1546/003'},
{'description': 'Ballenthin, W., et al. (2015). '
'Windows Management Instrumentation '
'(WMI) Offense, Defense, and '
'Forensics. Retrieved March 30, 2016.',
'source_name': 'FireEye WMI 2015',
'url': 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf'},
{'description': 'Dell SecureWorks Counter Threat '
'Unit™ (CTU) Research Team. (2016, '
'March 28). A Novel WMI Persistence '
'Implementation. Retrieved March 30, '
'2016.',
'source_name': 'Dell WMI Persistence',
'url': 'https://www.secureworks.com/blog/wmi-persistence'},
{'description': "Devon Kerr. (2015). There's "
'Something About WMI. Retrieved '
'November 17, 2024.',
'source_name': 'FireEye WMI SANS 2015',
'url': 'https://web.archive.org/web/20221203203722/https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf'},
{'description': 'French, D. (2018, October 9). '
'Detecting & Removing an Attacker’s '
'WMI Persistence. Retrieved October '
'11, 2019.',
'source_name': 'Medium Detecting WMI Persistence',
'url': 'https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96'},
{'description': 'French, D., Murphy, B. (2020, March '
'24). Adversary tradecraft 101: '
'Hunting for persistence using '
'Elastic Security (Part 1). Retrieved '
'December 21, 2020.',
'source_name': 'Elastic - Hunting for Persistence '
'Part 1',
'url': 'https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1'},
{'description': 'Mandiant. (2015, February 24). '
'M-Trends 2015: A View from the Front '
'Lines. Retrieved November 17, 2024.',
'source_name': 'Mandiant M-Trends 2015',
'url': 'https://web.archive.org/web/20160629094859/https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf'},
{'description': 'Microsoft. (n.d.). Retrieved January '
'24, 2020.',
'source_name': 'Microsoft Register-WmiEvent',
'url': 'https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1'},
{'description': 'Russinovich, M. (2016, January 4). '
'Autoruns for Windows v13.51. '
'Retrieved June 6, 2016.',
'source_name': 'TechNet Autoruns',
'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'},
{'description': 'Satran, M. (2018, May 30). Managed '
'Object Format (MOF). Retrieved '
'January 24, 2020.',
'source_name': 'Microsoft MOF May 2018',
'url': 'https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-'}],
'id': 'attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:49:06.119Z',
'name': 'Windows Management Instrumentation Event Subscription',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Brent Murphy, Elastic',
'David French, Elastic',
'Viren Chaudhari, Qualys'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.5'}