[Osquery_manager] WMI artifacts saved query #16227
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Comprehensive osquery query detecting WMI-based persistence: - Bound subscriptions (active filter-consumer chains) - Orphaned consumers (residual malware indicators) - Orphaned filters (incomplete cleanup detection) - Hash and authenticode enrichment for executables - Supports CommandLineEventConsumer and ActiveScriptEventConsumer Uses relative_path JOINs per osquery schema for accurate binding correlation. ECS mappings included for Elastic Security integration.
tomsonpl
changed the title
tomsonpl
requested review from
ashokaditya and
parkiino
and removed request for
a team
andrewkroh
added
documentation
…RE ATT&CK coverage - Add event.kind, event.module, event.dataset, host.os.type ECS fields - Add MITRE ATT&CK T1546.003 (Event Triggered Execution: WMI Event Subscription) threat context - Fix ECS mapping: subject_name→signature_signer for process.code_signature.subject_name - Remove incorrect threat.indicator.description mapping - Enhance tags with osquery and windows identifiers - Fix query column alias: a.subject_name AS signature_signer for proper ECS mapping
- Add ECS mappings for file.created, file.mtime, file.accessed, file.ctime, file.size - Join with file table to retrieve timestamp metadata for referenced executables/scripts - Convert timestamps to UTC ISO 8601 format using datetime() for ECS standardization - Update description to mention file timestamp enrichment
calladoum-elastic
approved these changes
Dec 11, 2025
calladoum-elastic
left a comment
calladoum-elastic
left a comment
There was a problem hiding this comment.
minor comment, otherwise lgtm
| "id": "wmi_persistence_event_subscriptions_windows_elastic", | ||
| "interval": "3600", | ||
| "platform": "windows", | ||
| "query": "-- WMI Persistence Event Subscriptions - Complete Coverage (T1546.003)\n-- Detects bound subscriptions and orphaned components for full forensic visibility\n-- Timestamps converted to UTC ISO 8601 format per ECS standardization\n\nWITH wmi_subscriptions AS (\n -- Part 1: Bound subscriptions (complete filter-consumer chains)\n SELECT\n 'bound' AS status,\n filter.name AS filter_name,\n filter.query AS filter_query,\n filter.query_language,\n filter.class AS filter_class,\n COALESCE(cli.name, script.name) AS consumer_name,\n CASE\n WHEN cli.name IS NOT NULL THEN 'CommandLineEventConsumer'\n WHEN script.name IS NOT NULL THEN 'ActiveScriptEventConsumer'\n ELSE 'Unknown'\n END AS consumer_type,\n COALESCE(cli.class, script.class) AS consumer_class,\n COALESCE(cli.relative_path, script.relative_path) AS consumer_relative_path,\n cli.command_line_template,\n cli.executable_path,\n script.scripting_engine,\n script.script_file_name,\n script.script_text,\n COALESCE(\n NULLIF(cli.executable_path, ''),\n NULLIF(cli.command_line_template, ''),\n NULLIF(script.script_file_name, '')\n ) AS hashable_path\n FROM wmi_filter_consumer_binding binding\n LEFT JOIN wmi_event_filters filter ON binding.filter = filter.relative_path\n LEFT JOIN wmi_cli_event_consumers cli ON binding.consumer = cli.relative_path\n LEFT JOIN wmi_script_event_consumers script ON binding.consumer = script.relative_path\n\n UNION ALL\n\n -- Part 2: Orphaned CLI consumers (possible residual malware)\n SELECT\n 'orphaned_consumer' AS status,\n '' AS filter_name,\n '' AS filter_query,\n '' AS query_language,\n '' AS filter_class,\n cli.name AS consumer_name,\n 'CommandLineEventConsumer' AS consumer_type,\n cli.class AS consumer_class,\n cli.relative_path AS consumer_relative_path,\n cli.command_line_template,\n cli.executable_path,\n '' AS scripting_engine,\n '' AS script_file_name,\n '' AS script_text,\n COALESCE(NULLIF(cli.executable_path, ''), NULLIF(cli.command_line_template, '')) AS hashable_path\n FROM wmi_cli_event_consumers cli\n WHERE NOT EXISTS (\n SELECT 1 FROM wmi_filter_consumer_binding binding\n WHERE binding.consumer = cli.relative_path\n )\n\n UNION ALL\n\n -- Part 3: Orphaned Script consumers (possible residual malware)\n SELECT\n 'orphaned_consumer' AS status,\n '' AS filter_name,\n '' AS filter_query,\n '' AS query_language,\n '' AS filter_class,\n script.name AS consumer_name,\n 'ActiveScriptEventConsumer' AS consumer_type,\n script.class AS consumer_class,\n script.relative_path AS consumer_relative_path,\n '' AS command_line_template,\n '' AS executable_path,\n script.scripting_engine,\n script.script_file_name,\n script.script_text,\n NULLIF(script.script_file_name, '') AS hashable_path\n FROM wmi_script_event_consumers script\n WHERE NOT EXISTS (\n SELECT 1 FROM wmi_filter_consumer_binding binding\n WHERE binding.consumer = script.relative_path\n )\n\n UNION ALL\n\n -- Part 4: Orphaned filters (possible residual malware)\n SELECT\n 'orphaned_filter' AS status,\n filter.name AS filter_name,\n filter.query AS filter_query,\n filter.query_language,\n filter.class AS filter_class,\n '' AS consumer_name,\n '' AS consumer_type,\n '' AS consumer_class,\n '' AS consumer_relative_path,\n '' AS command_line_template,\n '' AS executable_path,\n '' AS scripting_engine,\n '' AS script_file_name,\n '' AS script_text,\n '' AS hashable_path\n FROM wmi_event_filters filter\n WHERE NOT EXISTS (\n SELECT 1 FROM wmi_filter_consumer_binding binding\n WHERE binding.filter = filter.relative_path\n )\n)\n\nSELECT\n ws.status,\n ws.filter_name,\n ws.filter_query,\n ws.query_language,\n ws.filter_class,\n ws.consumer_name,\n ws.consumer_type,\n ws.consumer_class,\n ws.consumer_relative_path,\n ws.command_line_template,\n ws.executable_path,\n ws.scripting_engine,\n ws.script_file_name,\n ws.script_text,\n h.md5,\n h.sha256,\n a.subject_name AS signature_signer,\n a.result AS signature_status,\n -- File timestamps converted to UTC ISO 8601 with readable aliases (ECS standard)\n datetime(f.btime, 'unixepoch') AS created_time,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n f.size AS file_size\nFROM wmi_subscriptions ws\nLEFT JOIN hash h ON h.path = ws.hashable_path AND ws.hashable_path != ''\nLEFT JOIN authenticode a ON a.path = ws.hashable_path AND ws.hashable_path != ''\nLEFT JOIN file f ON f.path = ws.hashable_path AND ws.hashable_path != ''", |
There was a problem hiding this comment.
h.sha1 is missing. Is that on purpose?
#16059 exposed the 3 (i.e. md5/sha1/sha256)
ferullo
reviewed
Dec 15, 2025
| { | ||
| "key": "file.path", | ||
| "value": { | ||
| "field": "script_file_name" |
Contributor
There was a problem hiding this comment.
I don't think this is the same file that all the other file.* fields correspond to. I think they all correspond to process.* info, right? It feels like this needs to be addressed somehow. Do we need the script_file_name mapped to ECS? If not could the process.* and file.* fielsets be merged?
Contributor
Author
There was a problem hiding this comment.
Good idea, let me keep these fields unmapped for forensics purposes, so in the end we're end up with having just one namespace - file.
Would this work for you?
- Replace event.kind/module/dataset with event.action mapping - Move code signature fields from process.* to file.* namespace - Remove redundant MITRE ATT&CK threat.* static mappings (covered in description) - Add VirusTotal link generation for hash lookups - Simplify tags array - Update timestamps to 2025-12-31
- Add h.sha1 hash column and file.hash.sha1 mapping - Consolidate hash mappings to file.* namespace - Remove path field mappings to prevent inconsistent field population
💚 Build Succeeded
History
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
WMI Persistence Event Subscriptions
Summary
This PR adds an osquery saved query to detect WMI Event Subscription persistence (MITRE ATT&CK T1546.003) on Windows systems. WMI eventing is a powerful persistence mechanism that allows attackers to execute arbitrary commands or scripts when specific system events occur, making it difficult to detect without specialized tooling.
The query provides complete forensic visibility by detecting:
Results are enriched with file hashes and code signatures for referenced executables and scripts.
Core Forensic Artifacts Coverage
MITRE ATT&CK Coverage
Queries by Platform
🪟 Windows - WMI Event Subscription Persistence Detection
Description
Detects WMI event subscriptions used for persistence (MITRE ATT&CK T1546.003). Includes bound subscriptions (active persistence) AND orphaned components (filters/consumers without bindings) which may indicate residual or partially removed malware. WMI eventing allows attackers to execute arbitrary commands or scripts when specific system events occur. Enriched with file hashes and code signatures for referenced executables and scripts.
Detection Focus:
Result
Query returns WMI subscription components with their relationships and enrichment data:
boundorphaned_consumerorphaned_filterPlatform
windowsInterval
3600seconds (1 hour)Query ID
wmi_persistence_event_subscriptions_windows_elasticECS Field Mappings
Event Context:
event.category→["configuration"]event.type→["info"]event.kind→"state"event.module→"osquery"event.dataset→"osquery.wmi_persistence"host.os.type→"windows"Process/Executable Fields:
process.command_line→command_line_templateprocess.executable→executable_pathprocess.hash.md5→md5process.hash.sha256→sha256process.code_signature.subject_name→signature_signerprocess.code_signature.status→signature_statusFile Fields:
file.path→script_file_nameThreat Context:
threat.framework→"MITRE ATT&CK"threat.tactic.id→["TA0003"]threat.tactic.name→["Persistence"]threat.technique.id→["T1546.003"]threat.technique.name→["Event Triggered Execution: Windows Management Instrumentation Event Subscription"]Tags:
osquery,persistence,wmi,event_subscription,mitre_t1546_003,windowsSQL Query