Command Line Event Consumers

Overview

Evidence: WMI Command Line
Description: Dump WMI Command Line Event Consumers
Category: System
Platform: windows
Short Name: wmicec
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

WMI CommandLineEventConsumers execute command-line programs when specific WMI events occur. This persistence mechanism allows attackers to launch executables or scripts with SYSTEM privileges in response to system events.

CommandLine consumers can execute any command-line program, including PowerShell, cmd.exe, or malicious executables.

Data Collected

This collector gathers structured data about WMI command line event consumers.

WMI Command Line Data

Field              Description                   Example
Name               Consumer name                 BadConsumer
PayloadCommand     Command template to execute   cmd.exe /c powershell.exe -enc ...
PayloadExecutable  Executable path               C:\Windows\System32\cmd.exe

Collection Method

This collector queries WMI for CommandLineEventConsumer instances in multiple namespaces:

  • ROOT\Subscription

  • ROOT\DEFAULT

  • ROOT\CIMV2
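As an added example (not the collector's or the product's own code), the following PowerShell reproduces the collection described above: it enumerates CommandLineEventConsumer instances in the three namespaces and resolves each one, through __FilterToConsumerBinding, to the __EventFilter query that triggers it. It assumes an elevated Windows PowerShell session and uses the WMI class property names CommandLineTemplate and ExecutablePath, which the collector reports as PayloadCommand and PayloadExecutable.

```powershell
# Added example: dump CommandLineEventConsumer instances from the namespaces the
# collector queries and show which event filter (if any) fires each consumer.
$namespaces = 'ROOT\Subscription', 'ROOT\DEFAULT', 'ROOT\CIMV2'

# Heuristic used only to flag rows for review, not a verdict (assumed pattern list).
$reviewPattern = '(?i)powershell|-enc|encodedcommand|downloadstring|iex\b|mshta|rundll32|regsvr32'

$results = foreach ($ns in $namespaces) {
    # Bindings and filters normally live in the same namespace as the consumer.
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    $filters  = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue

    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object {
            $consumer = $_
            # Reference properties (Consumer, Filter) come back as CimInstances carrying the key Name.
            $bound = @($bindings | Where-Object { $_.Consumer.Name -eq $consumer.Name })
            $triggers = foreach ($b in $bound) {
                $f = $filters | Where-Object { $_.Name -eq $b.Filter.Name }
                if ($f) { $f.Query } else { "<unresolved filter: $($b.Filter.Name)>" }
            }
            $command = [string]$consumer.CommandLineTemplate
            [pscustomobject]@{
                Namespace         = $ns
                Name              = $consumer.Name
                PayloadCommand    = $command
                PayloadExecutable = $consumer.ExecutablePath
                Bound             = ($bound.Count -gt 0)      # unbound consumers never fire
                TriggerQuery      = ($triggers -join ' | ')
                Review            = ($command -match $reviewPattern)
            }
        }
}

# Flagged and bound entries first, since those can execute on the next matching event.
$results | Sort-Object -Property @{Expression='Review';Descending=$true}, @{Expression='Bound';Descending=$true} |
    Format-Table -AutoSize -Wrap
```

A consumer with Bound set to False is inert until a binding is created, so a bound consumer whose TriggerQuery matches a frequent event (for example a timer or process-start query) is the one to examine first.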

Forensic Value

CommandLine consumers enable command execution persistence. Investigators use this data to detect WMI command-based persistence, identify malicious command payloads, track PowerShell execution via WMI, and detect living-off-the-land persistence.
