Automatically generated based on tag:

Title / Type / Summary / Location

ETW - WMI events (Page)

Summary: For WMI activity.

Tracking process execution is the only way to natively detect lateral movement that leverages WMI. Without "Audit process tracking" enabled to log process creation events (event ID 4688), or a dedicated product that tracks process creation such as Sysmon or an EDR, lateral movement over WMI cannot be reliably investigated.

Main events:

Channel: Security.
Event ID 4688: "A new process has been created", to track WMI process execution (wmic.exe and WmiPrvSE.exe notably).

Channel: Microsoft-Windows-WMI-Activity/Operational.
Event ID 5860 for temporary WMI Event subscription creation.
Event ID 5861 for permanent WMI Event subscription creation.
Location:

Channel: Security.
Event: 4688.

Channel: Microsoft-Windows-WMI-Activity/Operational.
Events: 5857, 5858, 5859, 5860, 5861.
WMI - Event Subscription (Page)

Summary: WMI Event Subscriptions can be used to maintain persistence on a Windows system, with permanent event subscriptions persisting across system reboots.

Permanent event subscriptions are composed of: an "event filter" (event that will trigger the consumer), an "event consumer" (that will perform an action, such as executing a command), and a "filter to consumer binding".

Event subscriptions are written to disk in the "OBJECTS.DATA" file that notably contains the event filters and event consumers.

Location: WMI repository files under <SYSTEMROOT>\System32\wbem\Repository\:
- OBJECTS.DATA
- INDEX.BTR
- MAPPING<1-3>.MAP
WMI - Processes (Page)

Summary: The following processes are related to WMI activity:

- wmic.exe: client command line utility to interact with WMI (locally or on a remote computer). The PowerShell Invoke-WmiMethod cmdlet can be used as an alternative to wmic.

- WmiPrvSE.exe: WMI Provider Host program that is executed to run WMI commands. If a program is executed through WMI, it will be spawned as a child of a wmiprvse.exe process.
