MITRE ATT&CK Technique
Persistence T1084
Description

Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:31:05.140Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Windows Management Instrumentation (WMI) can be used to '
                'install event filters, providers, consumers, and bindings '
                'that execute code when a defined event occurs. Adversaries '
                'may use the capabilities of WMI to subscribe to an event and '
                'execute arbitrary code when that event occurs, providing '
                'persistence on a system. Adversaries may attempt to evade '
                'detection of this technique by compiling WMI scripts into '
                'Windows Management Object (MOF) files (.mof extension). '
                '(Citation: Dell WMI Persistence) Examples of events that may '
                "be subscribed to are the wall clock time or the computer's "
                'uptime. (Citation: Kazanciyan 2014) Several threat groups '
                'have reportedly used this technique to maintain persistence. '
                '(Citation: Mandiant M-Trends 2015)',
 'external_references': [{'external_id': 'T1084',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1084'},
                         {'description': 'Dell SecureWorks Counter Threat '
                                         'Unit™ (CTU) Research Team. (2016, '
                                         'March 28). A Novel WMI Persistence '
                                         'Implementation. Retrieved March 30, '
                                         '2016.',
                          'source_name': 'Dell WMI Persistence',
                          'url': 'https://www.secureworks.com/blog/wmi-persistence'},
                         {'description': 'Kazanciyan, R. & Hastings, M. '
                                         '(2014). Defcon 22 Presentation. '
                                         'Investigating PowerShell Attacks '
                                         '[slides]. Retrieved November '
                                         '3, 2014.',
                          'source_name': 'Kazanciyan 2014',
                          'url': 'https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf'},
                         {'description': 'Mandiant. (2015, February 24). '
                                         'M-Trends 2015: A View from the Front '
                                         'Lines. Retrieved May 18, 2016.',
                          'source_name': 'Mandiant M-Trends 2015',
                          'url': 'https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf'},
                         {'description': 'Russinovich, M. (2016, January 4). '
                                         'Autoruns for Windows v13.51. '
                                         'Retrieved June 6, 2016.',
                          'source_name': 'TechNet Autoruns',
                          'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'},
                         {'description': 'French, D. (2018, October 9). '
                                         'Detecting & Removing an Attacker’s '
                                         'WMI Persistence. Retrieved October '
                                         '11, 2019.',
                          'source_name': 'Medium Detecting WMI Persistence',
                          'url': 'https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96'}],
 'id': 'attack-pattern--e906ae4d-1d3a-4675-be23-22f7311c0da4',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:49:33.155Z',
 'name': 'Windows Management Instrumentation Event Subscription',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.2'}