DET0086: Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation
Analyst context for executives and security teams
This detection strategy matters because WMI event subscriptions can let malicious code re-run automatically when normal Windows events occur, supporting persistence and possible privilege escalation. Even though the ATT&CK detection object has no official detection text, its relationship to T1546.003 makes the defensive question clear: can the organization see and investigate WMI subscription creation, WmiPrvSE-related execution, and MOF compilation activity before it becomes a hidden persistence mechanism?
Executive priority
Treat this as a Windows persistence-readiness validation item. Security leaders should ask whether endpoint logging, managed detection, and incident response playbooks can prove visibility into WMI filters, consumers, providers, bindings, and related process activity. This is useful for resilience planning, audit evidence around endpoint monitoring, and prioritizing controls that reduce attacker dwell time after initial access.
Technical view
The supplied relationship links DET0086 to ATT&CK technique T1546.003, Windows Management Instrumentation Event Subscription, under persistence and privilege escalation. A permanent subscription is three objects in the root\subscription namespace: an __EventFilter (the WQL trigger), an __EventConsumer (what runs) and a __FilterToConsumerBinding that joins them. SOC and IR teams should validate that they can identify creation or modification of those components and correlate them with the process behavior referenced in the strategy name: CommandLineEventConsumer payloads are launched as child processes of WmiPrvSE.exe, ActiveScriptEventConsumer scripts run inside scrcons.exe, and mofcomp.exe is the compiler that registers filters, consumers and bindings from a .mof file in one step. Because no official detection logic is provided, detection engineering should build local baselines for legitimate administrative WMI usage and investigate unusual subscriptions that execute content on triggers such as logon, clock time, or system uptime.
Likely telemetry
- WMI event filter, consumer, provider, and binding inventory or change records
- Endpoint process telemetry involving WmiPrvSE.exe and scrcons.exe, including the child processes they spawn
- Process telemetry for mofcomp.exe and the .mof files it compiles, which is how subscriptions are registered from a file
- Host-based audit or EDR records for WMI namespace/object changes
- Incident response collection of WMI subscription artifacts from Windows systems
Detection direction
- Validate that WMI subscription creation and modification are logged or otherwise collectible on relevant Windows endpoints.
- Correlate WMI subscription artifacts with WmiPrvSE activity and MOF compilation rather than relying on a single event source.
- Tune against known administrative or management tooling that legitimately uses WMI to reduce false positives.
- Review persistence-focused detections for blind spots where WMI repository changes are not captured by standard process monitoring.
- Use the related T1546.003 context to prioritize alerts where the subscription can execute code on recurring system or user events.
Mitigation priorities
- First, confirm endpoint visibility for WMI subscription components and related process activity.
- Next, restrict and review administrative permissions that allow WMI subscription creation or modification.
- Establish periodic review or response collection procedures for WMI filters, consumers, providers, and bindings on high-value Windows systems.
- Document detection and response evidence for compliance or audit needs where persistence monitoring is required.
- Ensure IR playbooks include validation and removal review for WMI-based persistence, with care to distinguish legitimate management use.
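The following is an added example, not part of the ATT&CK object or this page's source, showing one way to carry out the inventory and review described in the technical view and in the third mitigation priority above. It enumerates permanent WMI subscriptions in root\subscription with Get-CimInstance, joins each __FilterToConsumerBinding to its __EventFilter and __EventConsumer, flags code-executing consumer classes, recurring trigger queries and interpreter-style payloads, and pulls recent Microsoft-Windows-WMI-Activity/Operational event 5861 records (permanent consumer registration) as a visibility check. The pattern lists, the exclusion for the default SCM Event Log binding and the expectation that 5861 is being written are assumptions to confirm against your own baseline.

```powershell
# Added example (not from the ATT&CK object or the page's source): inventory permanent WMI
# event subscriptions on the local host, join filters to consumers through their bindings,
# and flag the shapes T1546.003 relies on. Read-only; run elevated so root\subscription is
# fully readable. Pattern lists are starting points (assumption) and need local tuning.

$Namespace = 'root\subscription'

# Consumer classes that run attacker-controlled content when the filter fires.
$CodeExecutingConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

# Query fragments typical of logon-, timer- and uptime-driven triggers (assumption: extend locally).
$TriggerPatterns = 'Win32_LocalTime', 'Win32_UTCTime', 'Win32_PerfFormattedData_PerfOS_System',
                   'SystemUpTime', 'Win32_LogonSession', 'Win32_LoggedOnUser', 'Win32_ProcessStartTrace'

# Payload fragments worth a closer look (assumption: extend locally).
$PayloadPatterns = 'powershell', '-enc', 'EncodedCommand', 'cmd.exe', 'wscript', 'cscript', 'rundll32',
                   'regsvr32', 'mshta', 'bitsadmin', 'certutil', 'FromBase64String', 'Invoke-Expression', 'IEX'

# Default Windows binding (filter|consumer); keep local baselining authoritative (assumption).
$KnownBenignBindings = @('SCM Event Log Filter|SCM Event Log Consumer')

function Resolve-RefName($Ref) {
    # Get-CimInstance returns reference properties as CimInstance objects whose key (Name) is
    # populated; Get-WmiObject output carries a string path such as __EventFilter.Name="x".
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-WmiSubscriptionInventory {
    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $fName = Resolve-RefName $b.Filter
        $cName = Resolve-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $cClass = if ($c) { $c.CimClass.CimClassName } else { 'unresolved' }

        # What actually executes: command line for CommandLineEventConsumer,
        # inline script or script file for ActiveScriptEventConsumer.
        $payload = switch ($cClass) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '' }
        }
        $query = if ($f) { $f.Query } else { '' }

        $reasons = @()
        if ($cClass -in $CodeExecutingConsumers) { $reasons += "consumer class $cClass executes content" }
        if ($TriggerPatterns | Where-Object { $query -match [regex]::Escape($_) }) { $reasons += 'logon/timer/uptime trigger in filter query' }
        if ($PayloadPatterns | Where-Object { $payload -match [regex]::Escape($_) }) { $reasons += 'interpreter or decode/download helper in payload' }
        if (-not $f -or -not $c) { $reasons += 'binding references a missing filter or consumer' }
        $isKnown = "$fName|$cName" -in $KnownBenignBindings

        [pscustomobject]@{
            Filter        = $fName
            Consumer      = $cName
            ConsumerClass = $cClass
            Query         = $query
            Payload       = $payload
            Suspicious    = (-not $isKnown) -and ($reasons.Count -gt 0)
            Reasons       = ($reasons -join '; ')
        }
    }
}

# Change records: Microsoft-Windows-WMI-Activity/Operational event 5861 is written when a
# permanent event consumer is registered. Empty output on a host that has subscriptions is
# itself a finding about logging coverage.
function Get-RecentPermanentConsumerRegistrations([int]$MaxEvents = 25) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

$inventory = Get-WmiSubscriptionInventory
$inventory | Sort-Object Suspicious -Descending |
    Format-Table Filter, Consumer, ConsumerClass, Suspicious, Reasons -AutoSize
$inventory | Where-Object Suspicious | Format-List Filter, Query, Payload
Get-RecentPermanentConsumerRegistrations | Format-List
```

Rows marked Suspicious are candidates for IR collection, not verdicts: management agents that legitimately use WMI subscriptions will match the trigger patterns and belong in the known-benign list once confirmed. Correlating a flagged row with the 5861 record for its registration, and with process telemetry for WmiPrvSE.exe, scrcons.exe or mofcomp.exe around that time, is what turns the inventory into the multi-source evidence the detection direction above asks for.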
Analyst notes and limits
The object itself is a detection strategy, not a technique, and its official description and detection fields are not provided. The practical guidance above is derived from the strategy name and its explicit detects relationship to T1546.003.
No ATT&CK-provided detection logic, data sources, platforms, or tactics are present on DET0086 itself. Windows, persistence, and privilege-escalation context comes from the related technique. Local logging configuration and legitimate WMI administration patterns are required to determine actual coverage and alert quality.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription (sub-technique) | This object detects Windows Management Instrumentation Event Subscription. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 092292902175… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0086
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.