Command Line Event Consumers
Overview
Evidence: Command Line Event Consumers
Description: Dump WMI Command Line Event Consumers
Category: Persistence
Platform: Windows
Short Name: wmicec
Is Parsed: Yes - WMI consumers parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No
Background
WMI CommandLineEventConsumers execute a command line when a WMI event they are subscribed to occurs. Because the consumer is run by the WMI service, the command executes as LocalSystem, which makes this a durable persistence mechanism: an attacker can launch an executable or script with SYSTEM privileges in response to a system event such as a timer firing, a process starting, or a user logging on.
A consumer on its own does nothing. It only fires when a __FilterToConsumerBinding ties it to an __EventFilter whose WQL query defines the triggering event, so the consumer, the filter and the binding should be reviewed together.
CommandLine consumers can execute any command-line program, including PowerShell, cmd.exe, or a malicious executable, and the command template can reference properties of the triggering event.
Data Collected
Field | Description | Example
Name | Consumer name (the Name key of the CommandLineEventConsumer instance) | BadConsumer
PayloadCommand | Command template to execute (the CommandLineTemplate property) | cmd.exe /c powershell.exe -enc ...
PayloadExecutable | Executable path (the ExecutablePath property) | C:\Windows\System32\cmd.exe
Collection Method
This collector queries WMI for CommandLineEventConsumer instances in multiple namespaces:
ROOT\Subscription
ROOT\DEFAULT
ROOT\CIMV2
Usage
CommandLine consumers enable command execution persistence. Investigators use this data to detect WMI command-based persistence, identify malicious command payloads, track PowerShell execution launched via WMI, and spot living-off-the-land persistence that relies on built-in binaries rather than dropped files.
Known Limitations
Only shows consumers present at collection time; consumers that were deleted before collection are not recovered
Consumers registered in namespaces other than the three queried are not collected
Legitimate administrative and vendor consumers may exist, so a match is not proof of compromise
Requires the WMI service (Winmgmt) to be running and reachable
Notes
CommandLineEventConsumers that launch PowerShell, especially with encoded commands (-enc / -EncodedCommand), or that invoke other living-off-the-land binaries such as mshta, regsvr32 or rundll32, are highly suspicious and commonly used by attackers. This technique is catalogued as MITRE ATT&CK T1546.003 (Event Triggered Execution: Windows Management Instrumentation Event Subscription). Always pair a suspicious consumer with its __EventFilter and __FilterToConsumerBinding to establish when the payload runs.
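The following PowerShell is an added example, not the collector's own code or part of the original documentation. It performs the query described under Collection Method (CommandLineEventConsumer instances in ROOT\Subscription, ROOT\DEFAULT and ROOT\CIMV2, optionally every namespace) and the triage suggested in the Notes above: each consumer is joined to its __FilterToConsumerBinding and __EventFilter, an encoded PowerShell payload is decoded, and living-off-the-land indicators are flagged. The indicator list and the function names (Get-WmiCommandLineConsumer, Get-WmiNamespaceTree, Get-RefParts, Get-EncodedPayload) are this example's own assumptions; run it elevated on a Windows host with the WMI service available.

```powershell
# Added example (not the collector's code): enumerate WMI CommandLineEventConsumers,
# resolve their triggers, decode encoded PowerShell, and flag suspicious payloads.

# Namespaces listed under Collection Method.
$DefaultNamespaces = 'ROOT\Subscription', 'ROOT\DEFAULT', 'ROOT\CIMV2'

# Assumed indicator list (not from the page); extend to suit your environment.
$SuspiciousTokens = 'powershell', 'pwsh', '-enc', '-encodedcommand', 'frombase64string',
    'iex', 'invoke-expression', 'downloadstring', 'mshta', 'regsvr32', 'rundll32',
    'wscript', 'cscript', 'certutil', 'bitsadmin', '%temp%', '\appdata\'

function Get-WmiNamespaceTree {
    # Walk __NAMESPACE recursively so consumers registered in non-standard namespaces are not missed.
    param([string]$Root = 'ROOT')
    $Root
    foreach ($child in (Get-CimInstance -Namespace $Root -ClassName __NAMESPACE -ErrorAction SilentlyContinue)) {
        Get-WmiNamespaceTree -Root "$Root\$($child.Name)"
    }
}

function Get-RefParts {
    # Return the class and Name key of a WMI reference. Get-CimInstance hands references back as
    # CimInstance objects; Get-WmiObject hands back path strings like __EventFilter.Name="BadFilter".
    param($Ref)
    if ($Ref -is [string]) {
        $m = [regex]::Match($Ref, '(\w+)\.Name="([^"]*)"')
        return @{ Class = $m.Groups[1].Value; Name = $m.Groups[2].Value }
    }
    return @{ Class = $Ref.CimClass.CimClassName; Name = $Ref.Name }
}

function Get-EncodedPayload {
    # Decode -e/-ec/-enc/-EncodedCommand <base64>; powershell.exe expects UTF-16LE text.
    param([string]$CommandLine)
    $m = [regex]::Match($CommandLine, '(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try   { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { '<base64 did not decode>' }
}

function Get-WmiCommandLineConsumer {
    param([switch]$AllNamespaces)
    $namespaces = if ($AllNamespaces) { Get-WmiNamespaceTree } else { $DefaultNamespaces }

    foreach ($ns in $namespaces) {
        # The class is only registered in some namespaces; skip the others quietly.
        $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
        if (-not $consumers) { continue }
        $bindings   = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
        $allFilters = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue

        foreach ($c in $consumers) {
            # A consumer only fires through a binding; collect the WQL of every filter bound to it.
            $boundFilters = foreach ($b in $bindings) {
                $con = Get-RefParts $b.Consumer
                if ($con.Class -ne 'CommandLineEventConsumer' -or $con.Name -ne $c.Name) { continue }
                $fName = (Get-RefParts $b.Filter).Name
                $f = $allFilters | Where-Object Name -eq $fName
                if ($f) { "$fName : $($f.Query)" } else { "$fName : <filter missing>" }
            }

            $cmd  = "$($c.ExecutablePath) $($c.CommandLineTemplate)"
            $hits = $SuspiciousTokens | Where-Object { $cmd -like "*$_*" }

            [pscustomobject]@{
                Namespace         = $ns
                Name              = $c.Name
                PayloadExecutable = $c.ExecutablePath
                PayloadCommand    = $c.CommandLineTemplate
                RunInteractively  = $c.RunInteractively
                BoundFilters      = @($boundFilters)
                DecodedPayload    = Get-EncodedPayload $c.CommandLineTemplate
                Indicators        = @($hits)
                Suspicious        = [bool]$hits
            }
        }
    }
}

# Usage: suspicious consumers first; add -AllNamespaces to cover non-standard namespaces.
Get-WmiCommandLineConsumer | Sort-Object Suspicious -Descending | Format-List
```

A consumer with no entry in BoundFilters is dormant (it cannot fire until something binds it), while a consumer whose BoundFilters shows a __TimerEvent or __InstanceCreationEvent query paired with an encoded PowerShell payload is the classic T1546.003 pattern. An empty result from the default namespaces is not conclusive; rerun with -AllNamespaces before concluding that no consumers exist.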