WMI Temporary Event Subscription

Status: experimental
Severity: medium
Group by: computer_name, query
Author: Rico Valdez, Splunk
Source: github.com/splunk/security_content

The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1047` Windows Management Instrumentation

Rule body splunk

name: WMI Temporary Event Subscription
id: 38cbd42c-1098-41bb-99cf-9d6d2b296d83
version: 10
creation_date: '2020-04-29'
modification_date: '2026-05-13'
author: Rico Valdez, Splunk
status: experimental
type: TTP
description: The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.
data_source: []
search: |-
    `wmi`
    EventCode=5860
    Temporary
    | rex field=Message "NotificationQuery =\s+(?<query>[^;|^$]+)"
    | search
        query!="FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'"
        AND
        query!="FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'"
    | stats count min(_time) as firstTime
                  max(_time) as lastTime
      by ComputerName, query
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `wmi_temporary_event_subscription_filter`
how_to_implement: To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].
known_false_positives: Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.
references: []
finding:
    title: WMI Temporary event subscription detected on $dest$
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - Suspicious WMI Use
asset_type: Endpoint
mitre_attack_id:
    - T1047
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint

Stages and Predicates

Stage 1: `search`

`wmi`
EventCode=5860
Temporary

Stage 2: `rex`

| rex field=Message "NotificationQuery =\s+(?<query>[^;|^$]+)"

Stage 3: `search`

| search
    query!="FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'"
    AND
    query!="FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'"

Stage 4: `stats`

| stats count min(_time) as firstTime
              max(_time) as lastTime
  by ComputerName, query

Stage 5: `search`

| `security_content_ctime(firstTime)`

Stage 6: `search`

| `security_content_ctime(lastTime)`

Stage 7: `search`

| `wmi_temporary_event_subscription_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`5860`
`query`	ne	`"FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'"` `"FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'"`

Search terms

Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.

Stage	Term
1	`Temporary`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

WMI Temporary Event Subscription

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `search`

Stage 2: `rex`

Stage 3: `search`

Stage 4: `stats`

Stage 5: `search`

Stage 6: `search`

Stage 7: `search`

Indicators

Search terms

Keyboard shortcuts

Search operators

WMI Temporary Event Subscription

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: search

Stage 2: rex

Stage 3: search

Stage 4: stats

Stage 5: search

Stage 6: search

Stage 7: search

Indicators

Search terms

Stage 1: `search`

Stage 2: `rex`

Stage 3: `search`

Stage 4: `stats`

Stage 5: `search`

Stage 6: `search`

Stage 7: `search`