WMIFilterBinding

Overview

The WMIFilterBinding command enumerates WMI Filter-to-Consumer bindings. These bindings connect WMI Event Filters (triggers) to Event Consumers (actions), creating complete event-driven automation or persistence mechanisms. A binding is necessary for a WMI event to actually execute an action - the filter and consumer alone are not sufficient.

Syntax

Seatbelt.exe WMIFilterBinding

This command does not support remote execution.

Output

Returns WMI Filter Binding information:

Filter name (trigger condition)
Consumer name (action to execute)
Binding creation timestamp
Creator SID

Use Cases

Red Team
Blue Team

Identify active WMI persistence mechanisms
Understand complete event-action chains
Find orphaned filters or consumers
Discover WMI-based automation

Example Output

====== WMIFilterBinding ======

[*] Listing WMI Filter-to-Consumer Bindings...

Filter             : BVTFilter
Consumer           : BVTConsumer
Binding Path       : \\.\root\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name='BVTConsumer'",Filter="__EventFilter.Name='BVTFilter'"
Creator SID        : S-1-5-21-...
Creation Time      : 1/15/2023 10:00:00 AM

[*] Active WMI Persistence Mechanism:
    Filter: SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'
    Consumer: C:\Windows\System32\cmd.exe /c C:\Tools\cleanup.bat

Filter             : SystemBootTrigger
Consumer           : MaliciousConsumer
Binding Path       : \\.\root\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name='MaliciousConsumer'",Filter="__EventFilter.Name='SystemBootTrigger'"
Creator SID        : S-1-5-21-...
Creation Time      : 10/1/2024 3:45:22 PM
[!] Suspicious boot-time persistence detected!

[*] Active WMI Persistence Mechanism:
    Filter: Boot time trigger (4-5 minutes after system start)
    Consumer: powershell.exe -WindowStyle Hidden -enc <base64>

Remote Execution

This command does NOT support remote execution.

Detection Considerations

Active WMI bindings represent complete persistence mechanisms and should be carefully reviewed.

WMI Namespace: Queries root\subscription namespace for __FilterToConsumerBinding instances
Sysmon Events: Event ID 21 logs binding creation/modification
Event Logs: WMI-Activity logs may capture binding activity
Persistence: Bindings survive reboots and execute with SYSTEM privileges

Understanding the Binding Relationship

WMI Persistence Components

Three Required Components:

Event Filter (Trigger)
- Defines WHEN something happens
- WQL query monitoring system events
- Example: Process creation, system boot, time interval
Event Consumer (Action)
- Defines WHAT to execute
- Command, script, or other action
- Example: Run executable, execute script
Filter-to-Consumer Binding (Connection)
- Links filter to consumer
- Activates the persistence mechanism
- Without binding, filter and consumer are inactive

Complete Chain:

Event Occurs → Filter Matches → Binding Triggers → Consumer Executes

Detection Strategy

Hunting for WMI Persistence

Step 1: Enumerate All Components

# Find all filters
Seatbelt.exe WMIEventFilter

# Find all consumers
Seatbelt.exe WMIEventConsumer

# Find all bindings
Seatbelt.exe WMIFilterBinding

Step 2: Correlate Components

Match binding filter/consumer names
Verify all three components exist
Check creation timestamps
Validate creator SIDs

Step 3: Analyze Legitimacy

Review filter WQL queries
Examine consumer commands
Check for obfuscation (Base64, encoding)
Validate business justification

Step 4: Investigate Suspicious Indicators

Recently created bindings
Boot/logon triggers
PowerShell execution
Encoded commands
Non-standard paths
SYSTEM privilege consumers

Removal Procedure

Removing WMI Persistence

PowerShell Method:

# List all bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

# Remove specific binding
$binding = Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BindingName%'"
$binding | Remove-WmiObject

# Remove filter
$filter = Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='FilterName'"
$filter | Remove-WmiObject

# Remove consumer
$consumer = Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='ConsumerName'"
$consumer | Remove-WmiObject

Note: Remove all three components (binding, filter, consumer) for complete cleanup.

WMIEventFilter - WMI event filters (triggers)
WMIEventConsumer - WMI event consumers (actions)
WMI - Custom WMI queries
AutoRuns - Auto-start programs
Services - Windows services
Sysmon - Sysmon event monitoring

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

Overview

Syntax

Output

Use Cases

Example Output

Remote Execution

Detection Considerations

Understanding the Binding Relationship

Detection Strategy

Removal Procedure

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

​Overview

​Syntax

​Output

​Use Cases

​Example Output

​Remote Execution

​Detection Considerations

​Understanding the Binding Relationship

​Detection Strategy

​Removal Procedure

​Related Commands

Overview

Syntax

Output

Use Cases

Example Output

Remote Execution

Detection Considerations

Understanding the Binding Relationship

Detection Strategy

Removal Procedure

Related Commands