Overview
The WMIEventFilter command enumerates the WMI Event Filters configured on the system. A WMI Event Filter is a WQL query against an event namespace that defines the condition under which a WMI event fires. When a filter is combined with an Event Consumer through a Filter-to-Consumer binding, the three together form a complete WMI-based persistence or automation mechanism.
Syntax
This command does not support remote execution.
Output
Returns the following information for each WMI Event Filter:
- Filter name
- Event namespace
- Query language (WQL)
- Query/Condition
- Creation timestamp
- Creator SID
Use Cases
- Red Team
- Blue Team
- Identify existing WMI event triggers
- Understand WMI event infrastructure
- Find appropriate events for persistence
- Discover timing-based triggers
Example Output
Remote Execution
Detection Considerations
- WMI Namespace: Queries the root\subscription namespace
- Sysmon Events: Event ID 19 logs filter creation/modification
- Event Logs: WMI-Activity logs may capture filter activity
- Persistence: Filters survive reboots
Common Filter Patterns
Legitimate vs Malicious Filters
Legitimate Uses:
- System monitoring and alerting
- Automated maintenance tasks
- Performance monitoring
- Software deployment triggers
Commonly Abused Patterns:
- Boot/startup time triggers
- User logon triggers
- Process creation monitoring (specific targets)
- Timer-based execution
- File creation in specific directories
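The following PowerShell is an added example for the Detection Considerations and the filter patterns above; it is not the WMIEventFilter command's own code. It enumerates __EventFilter instances from root\subscription, resolves the creator SID, shows whether each filter is bound to a consumer, tags queries that match the commonly abused patterns, and lists recent Sysmon Event ID 19 records. The regex patterns are this example's own heuristics, not an exhaustive list.

```powershell
# Added example, not the command's own code. Read-only; run as an administrator.
$ns = 'root\subscription'

# Heuristic query patterns (assumption of this example) mapped to the pattern list above.
$patterns = [ordered]@{
    'timer'            = '__IntervalTimerInstruction|__AbsoluteTimerInstruction|Win32_LocalTime|Win32_UtcTime'
    'boot/uptime'      = 'Win32_PerfFormattedData_PerfOS_System|SystemUpTime'
    'logon'            = 'Win32_LogonSession|Win32_LoggedOnUser'
    'process-creation' = 'Win32_ProcessStartTrace|Win32_Process'
    'file-creation'    = 'CIM_DataFile|CIM_DirectoryContainsFile'
}

# CreatorSID is stored as a byte array; convert it to SID text and, where possible, an account name.
function Convert-CreatorSid([byte[]]$bytes) {
    if (-not $bytes) { return $null }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try { "$sid ($($sid.Translate([System.Security.Principal.NTAccount])))" } catch { "$sid" }
}

# Map filter name -> consumer reference so complete (bound) subscriptions stand out.
$bound = @{}
Get-CimInstance -Namespace $ns -ClassName '__FilterToConsumerBinding' -ErrorAction SilentlyContinue |
    ForEach-Object { $bound[$_.Filter.Name] = $_.Consumer.ToString() }

Get-CimInstance -Namespace $ns -ClassName '__EventFilter' | ForEach-Object {
    $f = $_
    $hits = foreach ($p in $patterns.GetEnumerator()) {
        if ($f.Query -match $p.Value) { $p.Key }
    }
    [pscustomobject]@{
        Name           = $f.Name
        EventNamespace = $f.EventNamespace
        QueryLanguage  = $f.QueryLanguage
        Query          = $f.Query
        CreatorSID     = Convert-CreatorSid $f.CreatorSID
        BoundConsumer  = if ($bound.ContainsKey($f.Name)) { $bound[$f.Name] } else { '(unbound)' }
        Flags          = ($hits -join ', ')
    }
} | Format-List

# Recent Sysmon Event ID 19 (WmiEventFilter activity) records, if Sysmon is installed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 19 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A filter that is bound to a consumer, carries one or more flags, and was created by an unexpected account is the combination worth triaging first; an unbound filter is incomplete as a persistence mechanism but still worth noting.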
WMI Event Classes
Common WMI Event Types
Intrinsic Events:
- __InstanceCreationEvent - Object created
- __InstanceModificationEvent - Object modified
- __InstanceDeletionEvent - Object deleted
- __InstanceOperationEvent - Any instance operation
Timer Instructions:
- __IntervalTimerInstruction - Periodic timer
- __AbsoluteTimerInstruction - Specific time
Extrinsic Events:
- Custom event types
- Application-defined events
Related Commands
- WMIEventConsumer - WMI event consumers
- WMIFilterBinding - Filter-consumer bindings
- WMI - Custom WMI queries
- AutoRuns - Auto-start programs
- Sysmon - Sysmon configuration