MITRE ATT&CK® Analytic

AN0236: Analytic 0236

Monitor for creation of WMI EventFilter, EventConsumer, and FilterToConsumerBinding objects through WMI or MOF file execution. Detect command-line execution of `mofcomp.exe`, usage of `Register-WmiEvent` via PowerShell, and anomalous child processes of `WmiPrvSE.exe` that indicate triggered execution. Look for lateral anomalies in process lineage and WMI logging channels.

Enterprise · AN0236 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because persistent or event-triggered WMI activity on Windows can turn routine administration infrastructure into a hard-to-see execution path. For leaders, the decision value is whether SOC and IR teams can prove they collect the right Windows process and WMI evidence to distinguish legitimate management activity from suspicious WMI event filter, consumer, and binding creation.

Executive priority

Prioritize this as a Windows monitoring and incident-readiness validation item. Ask whether the organization can show audit evidence for WMI object creation, mofcomp.exe execution, PowerShell Register-WmiEvent usage, and unusual child processes from WmiPrvSE.exe. The business risk is not defined by attribution in the supplied object, but by a potential visibility gap in a common Windows management subsystem that may affect containment speed and investigation quality.

Technical view

For Windows SOC and detection teams, validate telemetry around creation of WMI EventFilter, EventConsumer, and FilterToConsumerBinding objects through WMI or MOF file execution. Monitor command-line execution of mofcomp.exe, PowerShell use of Register-WmiEvent, anomalous child processes spawned by WmiPrvSE.exe, lateral anomalies in process lineage, and relevant WMI logging channels. No ATT&CK tactic or relationship context was supplied, so tuning should be based on local administrative baselines and known management tooling.

Likely telemetry

  • Windows process creation events with command line and parent-child lineage
  • PowerShell execution logs or script/block-level evidence where available
  • WMI logging channels covering event filter, consumer, and binding activity
  • Command execution evidence for mofcomp.exe
  • Process lineage showing child processes of WmiPrvSE.exe

Detection direction

  • Baseline legitimate WMI administration, MOF compilation, and PowerShell event registration activity before treating all matches as suspicious.
  • Alert or hunt for creation of WMI EventFilter, EventConsumer, and FilterToConsumerBinding objects, especially when paired with unusual accounts, hosts, or timing.
  • Review WmiPrvSE.exe child processes for anomalous execution chains, while accounting for legitimate management and monitoring tools.
  • Correlate WMI object creation with process command lines and PowerShell telemetry to reduce false positives.
  • Confirm WMI logging channels are enabled and retained long enough to support incident response.
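As an added illustration that is not part of the MITRE analytic or Glexia's analysis, the detection directions above are expressed below as a small rule set run over constructed Sysmon-style records. The field names (EventID, Image, ParentImage, CommandLine, Computer, User), the use of Sysmon EventID 1 for process creation and 19/20/21 for WMI filter, consumer and binding creation, and the WmiPrvSE.exe child allowlist are assumptions to be replaced with your own telemetry schema and local baseline.

```python
"""Added example: AN0236 detection directions as rules over constructed events.
Sysmon logs WMI EventFilter/EventConsumer/FilterToConsumerBinding creation as 19/20/21."""
from typing import Dict, List

WMI_OBJECT_EVENTS = {19: "WMI EventFilter", 20: "WMI EventConsumer",
                     21: "WMI FilterToConsumerBinding"}
# Assumed local baseline of children WmiPrvSE.exe may legitimately spawn; fill
# it from your own inventory of management and monitoring tooling.
WMIPRVSE_CHILD_ALLOWLIST = {"werfault.exe"}

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyze_event(ev: Dict) -> List[str]:
    """Return one finding per AN0236 condition the record matches."""
    findings: List[str] = []
    eid, host = ev.get("EventID"), ev.get("Computer", "?")
    if eid in WMI_OBJECT_EVENTS:  # a permanent subscription object was created
        findings.append(f"{WMI_OBJECT_EVENTS[eid]} created on {host} by {ev.get('User', '?')}")
    elif eid == 1:  # process creation: check image, command line and parent lineage
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image == "mofcomp.exe":
            findings.append(f"mofcomp.exe run on {host}: {cmd}")
        if "register-wmievent" in cmd.lower():
            findings.append(f"Register-WmiEvent via PowerShell on {host}: {cmd}")
        if parent == "wmiprvse.exe" and image not in WMIPRVSE_CHILD_ALLOWLIST:
            findings.append(f"Anomalous WmiPrvSE.exe child on {host}: {image}")
    return findings

def analyze_events(events: List[Dict]) -> List[str]:
    return [f for ev in events for f in analyze_event(ev)]

# Constructed sample telemetry: the first record is benign (allowlisted), the rest should fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": WMIPRVSE, "CommandLine": "WerFault.exe -u -p 4120"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\wbem\mofcomp.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"mofcomp.exe C:\Users\Public\sub.mof"},
    {"EventID": 1, "Computer": "WS02", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Register-WmiEvent -Query ..."},
    {"EventID": 19, "Computer": "WS02", "User": r"CORP\jdoe"},
    {"EventID": 21, "Computer": "WS02", "User": r"CORP\jdoe"},
    {"EventID": 1, "Computer": "WS02", "Image": PS, "ParentImage": WMIPRVSE,
     "CommandLine": r"powershell.exe -File C:\Users\Public\run.ps1"},
]
```

Correlating the findings by host and time window (WS02 shows object creation followed by a WmiPrvSE.exe child) is what reduces false positives in practice; the rules above are deliberately independent so each can be baselined on its own.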

Mitigation priorities

  • Inventory legitimate WMI-based administration and monitoring use cases to support accurate allowlisting and exception handling.
  • Ensure Windows endpoint logging captures process creation, command line, parent process, PowerShell activity, and WMI event activity.
  • Restrict administrative privileges and WMI management rights to approved users and systems where operationally feasible.
  • Review retention and accessibility of WMI and process telemetry for SOC triage and incident response evidence.
  • Use detection validation exercises to confirm mofcomp.exe, Register-WmiEvent, and WmiPrvSE.exe child-process scenarios are visible in current tooling.

Analyst notes and limits

This is a detection analytic object, not a full technique entry. The supplied official description is specific to Windows WMI monitoring and mentions WMI EventFilter, EventConsumer, FilterToConsumerBinding, mofcomp.exe, Register-WmiEvent, WmiPrvSE.exe child processes, process lineage, and WMI logging channels. No tactic, relationship, alias, label, or official detection block was provided.

The source object does not include ATT&CK tactics, related techniques, data component mappings, mitigation references, or a formal detection query. Local Windows configuration, logging policy, administrative baselines, and EDR/SIEM coverage are required to determine actual detection quality.

Official MITRE ATT&CK definition

Analytic 0236

Monitor for creation of WMI EventFilter, EventConsumer, and FilterToConsumerBinding objects through WMI or MOF file execution. Detect command-line execution of `mofcomp.exe`, usage of `Register-WmiEvent` via PowerShell, and anomalous child processes of `WmiPrvSE.exe` that indicate triggered execution. Look for lateral anomalies in process lineage and WMI logging channels.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1eabe7984505aff6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 1eabe7984505…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0236 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.