GIM Category: wmi
The WMI category represents events related to the creation, modification, and execution of Windows Management Instrumentation (WMI) components, including filters, consumers, and bindings. WMI is a core subsystem in Windows used for management and automation, but it is also frequently abused by attackers for persistence and lateral movement. This category captures WMI-related activity to support detection, investigation, and baselining of normal versus suspicious system behavior.
filter
Events that describe the creation, modification, or removal of WMI filters. WMI filters define query-based conditions that determine when specific management actions or consumers should be executed. Changes to filters can indicate normal administrative activity or the setup of persistence mechanisms.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 240000 | | wmi | wmi.filter | wmi filter created | A WMI filter was created on the system. WMI filters define query-based conditions that trigger actions through WMI consumers. Creation events may indicate legitimate administrative configuration or the setup of persistence by attackers. |
| 240001 | | wmi | wmi.filter | wmi filter removed | A WMI filter was deleted or removed from the system. Filter removal may indicate cleanup after administrative configuration changes or attempts to conceal persistence mechanisms. |
consumer
Events that describe the creation, modification, or removal of WMI consumers. WMI consumers define actions executed when a filter condition is met, such as running a command or launching a script. Monitoring consumer activity is critical for detecting persistence or malicious code execution via WMI.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 240500 | | wmi | wmi.consumer | wmi consumer created | A WMI consumer was created on the system. Consumers define what actions occur when WMI filter conditions are met, such as executing commands, launching scripts, or writing data. These events are high-value indicators for persistence creation. |
| 240501 | | wmi | wmi.consumer | wmi consumer removed | A WMI consumer was deleted or removed. Removal can indicate decommissioning of management automation or cleanup of a persistence mechanism. |
binding
Events that describe the creation or modification of WMI bindings. A binding associates a WMI filter with a consumer, forming a complete trigger-action pair. These events are essential for detecting persistence mechanisms that rely on WMI automation.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 241000 | | wmi | wmi.binding | wmi binding created | A WMI binding was created or modified. A binding associates a filter with a consumer, enabling automated execution when the filter condition is met. Creation or modification of bindings is rare and often associated with persistent automation or malicious configuration. |
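The filter, consumer and binding sections above describe the three pieces of a WMI event subscription, and the binding is what turns a filter and a consumer into a working trigger-action pair. The following added example (not part of the GIM schema or any Graylog code) shows how a detection pipeline can normalize raw WMI activity records onto the event type codes listed on this page and then correlate, per host, a binding creation with a filter and consumer that are both still present, which is the condition under which a persistence chain is complete. The input record layout (`host`, `kind`, `action`, `name`, `filter_name`, `consumer_name`) and the sample records are constructed for illustration and are not a real log format.

```python
"""Normalize WMI subscription activity onto the GIM wmi category codes and flag
complete filter -> consumer -> binding chains per host.

Added example for this page; the record fields and sample data below are
constructed, not a Graylog or Windows event format.
"""
from typing import Dict, List, Tuple

# Event type codes exactly as listed in the tables on this page:
# (kind, action) -> (gim_event_type_code, gim_event_subcategory, gim_event_type)
GIM_CODES: Dict[Tuple[str, str], Tuple[int, str, str]] = {
    ("filter", "created"):   (240000, "wmi.filter",   "wmi filter created"),
    ("filter", "removed"):   (240001, "wmi.filter",   "wmi filter removed"),
    ("consumer", "created"): (240500, "wmi.consumer", "wmi consumer created"),
    ("consumer", "removed"): (240501, "wmi.consumer", "wmi consumer removed"),
    ("binding", "created"):  (241000, "wmi.binding",  "wmi binding created"),
}
# Anything that is WMI-related but not a subscription component falls into wmi.default.
DEFAULT_CODE = (249999, "wmi.default", "wmi event")

# Constructed sample records (assumed layout, not a real log format).
# ws-01 builds a complete subscription; ws-02 removes its filter before binding,
# so no complete chain exists there; the last record is a plain WMI query.
SAMPLE_RECORDS: List[dict] = [
    {"host": "ws-01", "kind": "filter", "action": "created", "name": "UpdFilter"},
    {"host": "ws-01", "kind": "consumer", "action": "created", "name": "UpdConsumer"},
    {"host": "ws-01", "kind": "binding", "action": "created",
     "filter_name": "UpdFilter", "consumer_name": "UpdConsumer"},
    {"host": "ws-02", "kind": "filter", "action": "created", "name": "TmpFilter"},
    {"host": "ws-02", "kind": "filter", "action": "removed", "name": "TmpFilter"},
    {"host": "ws-02", "kind": "binding", "action": "created",
     "filter_name": "TmpFilter", "consumer_name": "Missing"},
    {"host": "ws-02", "kind": "query", "action": "executed",
     "name": "SELECT * FROM Win32_Process"},
]


def normalize(record: dict) -> dict:
    """Attach the GIM wmi fields for one raw record; unknown kinds map to wmi.default."""
    key = (record.get("kind"), record.get("action"))
    code, subcategory, event_type = GIM_CODES.get(key, DEFAULT_CODE)
    return {
        "gim_event_type_code": code,
        "gim_event_category": "wmi",
        "gim_event_subcategory": subcategory,
        "gim_event_type": event_type,
        "host": record.get("host"),
        "raw": record,
    }


def find_persistence_chains(records: List[dict]) -> List[dict]:
    """Walk records in order, tracking which filters and consumers currently exist
    on each host, and report each binding whose filter and consumer are both live."""
    live_filters: Dict[str, set] = {}
    live_consumers: Dict[str, set] = {}
    chains: List[dict] = []
    for ev in map(normalize, records):
        host, raw, code = ev["host"], ev["raw"], ev["gim_event_type_code"]
        if code == 240000:
            live_filters.setdefault(host, set()).add(raw["name"])
        elif code == 240001:
            live_filters.get(host, set()).discard(raw["name"])
        elif code == 240500:
            live_consumers.setdefault(host, set()).add(raw["name"])
        elif code == 240501:
            live_consumers.get(host, set()).discard(raw["name"])
        elif code == 241000:
            filter_live = raw.get("filter_name") in live_filters.get(host, set())
            consumer_live = raw.get("consumer_name") in live_consumers.get(host, set())
            if filter_live and consumer_live:
                chains.append({"host": host, "filter": raw["filter_name"],
                               "consumer": raw["consumer_name"]})
    return chains


if __name__ == "__main__":
    for ev in map(normalize, SAMPLE_RECORDS):
        print(ev["gim_event_type_code"], ev["gim_event_subcategory"], ev["gim_event_type"])
    print("complete chains:", find_persistence_chains(SAMPLE_RECORDS))
```

The correlation keys on the host and on the filter and consumer names carried by the binding record, and it treats a removal as taking that component out of play, so a binding that references a filter already deleted does not count as a complete chain. Real telemetry may deliver the binding before the filter or consumer it references; a production job would keep a short time window of bindings and re-check them as later component events arrive rather than relying on strict order.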
default
Events related to general WMI activity that do not fit a more specific subcategory. This may include instrumentation queries, provider registrations, or generic system management operations.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 249999 | | wmi | wmi.default | wmi event | A general WMI-related event that does not fit into a specific subcategory. This may represent WMI provider activity, query execution, or other instrumentation events used for system management or monitoring. |
