Overview

The WMIEventConsumer command enumerates WMI Event Consumers configured on the system. WMI Event Consumers are actions that execute when specific WMI events occur. They are commonly abused for persistence, as they can execute commands or scripts based on system events without requiring traditional startup locations.

Syntax

Seatbelt.exe WMIEventConsumer
This command does not support remote execution.

Output

Returns WMI Event Consumer information:
  • Consumer name
  • Consumer type (CommandLineEventConsumer, ActiveScriptEventConsumer, etc.)
  • Command or script to execute
  • Consumer creation timestamp
  • Associated filter (if bound)

Use Cases

Red Team / Blue Team:
  • Identify existing WMI persistence mechanisms
  • Find opportunities for WMI-based persistence
  • Discover legitimate consumers to blend with
  • Understand WMI event infrastructure

Example Output

====== WMIEventConsumer ======

[*] Listing WMI Event Consumers...

Consumer Name      : BVTConsumer
Consumer Type      : CommandLineEventConsumer
Command            : C:\Windows\System32\cmd.exe /c C:\Tools\cleanup.bat
Creator SID        : S-1-5-21-...
Creation Time      : 1/15/2023 10:00:00 AM

Consumer Name      : SystemMonitor
Consumer Type      : ActiveScriptEventConsumer
Script Language    : VBScript
Script Text        : Set objShell = CreateObject("WScript.Shell")
                     objShell.Run "powershell.exe -enc <base64>", 0, False
Creator SID        : S-1-5-21-...
Creation Time      : 10/1/2024 3:45:22 PM
[!] Suspicious PowerShell execution detected

Remote Execution

This command does NOT support remote execution.

Detection Considerations

WMI Event Consumers are a common persistence technique.
  • WMI Namespace: Queries root\subscription namespace
  • Sysmon Events: Event ID 20 logs WMI consumer creation/modification
  • Event Logs: WMI-Activity logs may capture consumer activity
  • Persistence: Consumers survive reboots

Consumer Types

CommandLineEventConsumer:
  • Executes command-line programs
  • Most common for malicious use
  • Runs with SYSTEM privileges
ActiveScriptEventConsumer:
  • Executes VBScript or JScript
  • Can run encoded/obfuscated scripts
  • High abuse potential
LogFileEventConsumer:
  • Writes to log files
  • Lower risk, monitoring/audit use
SMTPEventConsumer:
  • Sends email notifications
  • Can exfiltrate data
NTEventLogEventConsumer:
  • Writes to Windows Event Log
  • Legitimate administrative use
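The same root\subscription enumeration Seatbelt performs, done with the built-in CIM cmdlets so an investigator can review filters, consumers and bindings together. This is an added example, not Seatbelt's code; the review-pattern list is a constructed starting point, and the script assumes an elevated Windows PowerShell session.

```powershell
# Added example (not Seatbelt's own code): list every filter-to-consumer
# binding in root\subscription, show what each consumer type would execute,
# and flag payloads a defender normally wants to review by hand.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Constructed review list; tune it to the environment's baseline of legitimate consumers.
$reviewPatterns = 'powershell', '-enc', '-encodedcommand', 'cmd.exe', 'mshta',
                  'rundll32', 'regsvr32', 'wscript', 'cscript'

function Get-ConsumerPayload {
    # Return the part of the consumer that acts when its filter fires (per consumer class).
    param([Microsoft.Management.Infrastructure.CimInstance]$Consumer)
    switch ($Consumer.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $Consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($Consumer.ScriptText) { $Consumer.ScriptText }
                                      else { "script file: $($Consumer.ScriptFileName)" } }
        'LogFileEventConsumer'      { "log file: $($Consumer.Filename)" }
        'SMTPEventConsumer'         { "mail to $($Consumer.ToLine) via $($Consumer.SMTPServer)" }
        'NTEventLogEventConsumer'   { "event log source: $($Consumer.SourceName)" }
        default                     { '' }
    }
}

$report = foreach ($b in $bindings) {
    # The Filter/Consumer reference properties carry the referenced object's key (Name).
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
    $payload = if ($c) { Get-ConsumerPayload $c } else { '<consumer object missing>' }
    $hits = @($reviewPatterns | Where-Object { $payload -match [regex]::Escape($_) })
    [pscustomobject]@{
        Filter       = $b.Filter.Name
        FilterQuery  = if ($f) { $f.Query } else { '<filter object missing>' }
        ConsumerType = if ($c) { $c.CimClass.CimClassName } else { 'unknown' }
        Consumer     = $b.Consumer.Name
        Payload      = $payload
        ReviewFlag   = if ($hits.Count) { 'REVIEW: ' + ($hits -join ', ') } else { '' }
    }
}

# Consumers without a binding do nothing today, but a binding can be added later, so list them too.
$boundNames = @($bindings | ForEach-Object { $_.Consumer.Name })
$unbound    = @($consumers | Where-Object { $_.Name -notin $boundNames })

$report | Sort-Object ReviewFlag -Descending | Format-List
if ($unbound.Count) { 'Unbound consumers: ' + (($unbound | ForEach-Object { $_.Name }) -join ', ') }
```

Compare the FilterQuery and Payload columns against Sysmon Event ID 19-21 records to establish when each subscription was created and by whom.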

Defensive Recommendations

Detection:
  • Enable Sysmon Event ID 19-21 (WMI events)
  • Monitor root\subscription namespace
  • Alert on new consumer creation
  • Baseline legitimate consumers
Investigation:
  • Check consumer creation timestamps
  • Validate consumer legitimacy
  • Review associated filters and bindings
  • Correlate with other persistence indicators
Prevention:
  • Restrict WMI namespace permissions
  • Monitor GPO for WMI filters
  • Implement application whitelisting
  • Use attack surface reduction rules