
detect-impacket-wmipersist

kql MEDIUM Azure-Sentinel
T1546.003
DeviceEvents
Tags: hunting, microsoft, official, persistence, wmi
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-23T23:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries may use Impacket’s wmiPersist method to establish persistent access to a Windows system via WMI, allowing long-term command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential persistence mechanisms used by advanced threats.

KQL Query

let LookupTime = 30d;
DeviceEvents
| where Timestamp > ago(LookupTime)
// Defender for Endpoint records a WMI filter-to-consumer binding under this ActionType
| where ActionType == "WmiBindEventFilterToConsumer"
// Keep only script-based consumers, the type Impacket's wmipersist registers
| where AdditionalFields contains "ActiveScriptEventConsumer"
| extend
    Consumer = extractjson("$.Consumer", AdditionalFields, typeof(string)),
    ESS = extractjson("$.ESS", AdditionalFields, typeof(string)),
    Namespace = extractjson("$.Namespace", AdditionalFields, typeof(string)),
    PossibleCause = extractjson("$.PossibleCause", AdditionalFields, typeof(string))
// Pull the script body and engine out of the consumer definition;
// each greedy capture runs to the last ';' on the matched line
| extend
    ScriptText = extract(@'\ScriptText = (.*;)', 1, PossibleCause),
    ScriptingEngine = extract(@'\ScriptingEngine = (.*;)', 1, PossibleCause)
| project-reorder Timestamp, DeviceName, Consumer, Namespace, ScriptingEngine, ScriptText
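
To see what the query's filtering and extraction steps actually do, here is an added Python re-implementation that runs the same where/extend/project logic over constructed DeviceEvents rows. It is example code written for this page, not part of the Azure-Sentinel rule or of Impacket; the column names come from the query, while the sample event values, the MOF-like layout of PossibleCause and the ESS placeholder are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Mirror the query's two extract() calls: capture from the key up to the last ';'
# on the same line (neither KQL's RE2 nor Python's '.' crosses a newline).
SCRIPT_TEXT_RE = re.compile(r"ScriptText = (.*;)")
SCRIPT_ENGINE_RE = re.compile(r"ScriptingEngine = (.*;)")


def hunt_wmi_script_consumers(events, now=None, lookback_days=30):
    """Apply the hunting query's where/extend/project steps to DeviceEvents rows
    (dicts keyed by the column names the query uses) and return the projected hits."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for ev in events:
        # | where Timestamp > ago(LookupTime)
        if datetime.fromisoformat(ev["Timestamp"]) <= cutoff:
            continue
        # | where ActionType == "WmiBindEventFilterToConsumer"
        if ev.get("ActionType") != "WmiBindEventFilterToConsumer":
            continue
        # | where AdditionalFields contains "ActiveScriptEventConsumer"
        raw = ev.get("AdditionalFields", "")
        if "ActiveScriptEventConsumer" not in raw:
            continue
        # | extend Consumer / Namespace / PossibleCause = extractjson(...)
        fields = json.loads(raw)
        cause = fields.get("PossibleCause", "")
        script = SCRIPT_TEXT_RE.search(cause)
        engine = SCRIPT_ENGINE_RE.search(cause)
        # | project-reorder Timestamp, DeviceName, Consumer, Namespace, ...
        hits.append({
            "Timestamp": ev["Timestamp"],
            "DeviceName": ev["DeviceName"],
            "Consumer": fields.get("Consumer"),
            "Namespace": fields.get("Namespace"),
            "ScriptingEngine": engine.group(1) if engine else None,
            "ScriptText": script.group(1) if script else None,
        })
    return hits


def make_event(timestamp, device, consumer, cause):
    """Build one constructed DeviceEvents row; AdditionalFields is a JSON string,
    as in the real table. The ESS value is a placeholder, not a real field value."""
    return {
        "Timestamp": timestamp,
        "DeviceName": device,
        "ActionType": "WmiBindEventFilterToConsumer",
        "AdditionalFields": json.dumps({
            "Consumer": consumer,
            "ESS": "placeholder-ess",
            "Namespace": "root\\subscription",
            "PossibleCause": cause,
        }),
    }


# Constructed consumer definitions in the MOF-like layout the regexes expect.
SCRIPT_CAUSE = (
    "instance of ActiveScriptEventConsumer\n{\n"
    '  Name = "wmi-consumer";\n'
    '  ScriptingEngine = "VBScript";\n'
    '  ScriptText = "WScript.Sleep 1000";\n'
    "};"
)
CMDLINE_CAUSE = (
    "instance of CommandLineEventConsumer\n{\n"
    '  Name = "backup-task";\n'
    '  CommandLineTemplate = "backup.exe /nightly";\n'
    "};"
)

# Constructed sample rows: one recent script consumer (should match), one
# command-line consumer (wrong consumer type) and one script consumer older
# than the 30-day lookback.
NOW = datetime(2026, 5, 23, 23, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    make_event("2026-05-20T10:00:00+00:00", "ws01",
               'ActiveScriptEventConsumer.Name="wmi-consumer"', SCRIPT_CAUSE),
    make_event("2026-05-21T11:00:00+00:00", "ws02",
               'CommandLineEventConsumer.Name="backup-task"', CMDLINE_CAUSE),
    make_event("2026-03-01T09:00:00+00:00", "ws03",
               'ActiveScriptEventConsumer.Name="wmi-consumer"', SCRIPT_CAUSE),
]


def run_sample():
    """Run the hunt over the constructed rows with a fixed 'now' for repeatability."""
    return hunt_wmi_script_consumers(SAMPLE_EVENTS, now=NOW)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Two details of the original patterns are worth knowing when tuning this rule. The KQL patterns start with `\S` inside a verbatim string, which the regex engine reads as "any non-whitespace character" followed by `criptText` or `criptingEngine`; the Python version matches the key literally and gives the same result on these inputs. Both captures are greedy up to the last `;` on the matched line, so if a consumer definition is logged on a single line the ScriptingEngine capture will run on through the ScriptText that follows it.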

Analytic Rule Definition

id: 34167b0d-f295-4b30-8555-d8fa6990cde5
name: detect-impacket-wmipersist
description: |
  This query looks for signs of Impacket wmipersist usage and should also work for other WMI-based persistence methods. Results require analysis.
  Author: Jouni Mikkola
  More info: https://threathunt.blog/impacket-part-2/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
tactics:
- Persistence
relevantTechniques:
  - T1546.003
query: |
  let LookupTime = 30d;
  DeviceEvents
  | where Timestamp > ago(LookupTime)
  // Defender for Endpoint records a WMI filter-to-consumer binding under this ActionType
  | where ActionType == "WmiBindEventFilterToConsumer"
  // Keep only script-based consumers, the type Impacket's wmipersist registers
  | where AdditionalFields contains "ActiveScriptEventConsumer"
  | extend
      Consumer = extractjson("$.Consumer", AdditionalFields, typeof(string)),
      ESS = extractjson("$.ESS", AdditionalFields, typeof(string)),
      Namespace = extractjson("$.Namespace", AdditionalFields, typeof(string)),
      PossibleCause = extractjson("$.PossibleCause", AdditionalFields, typeof(string))
  // Pull the script body and engine out of the consumer definition;
  // each greedy capture runs to the last ';' on the matched line
  | extend
      ScriptText = extract(@'\ScriptText = (.*;)', 1, PossibleCause),
      ScriptingEngine = extract(@'\ScriptingEngine = (.*;)', 1, PossibleCause)
  | project-reorder Timestamp, DeviceName, Consumer, Namespace, ScriptingEngine, ScriptText

Required Data Sources

Sentinel Table    Notes
DeviceEvents      Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Persistence. Technique: T1546.003, Event Triggered Execution: Windows Management Instrumentation Event Subscription.

References

https://threathunt.blog/impacket-part-2/ (the author's write-up cited in the rule description)

False Positive Guidance

The query matches every WMI filter-to-consumer binding that uses an ActiveScriptEventConsumer, not only the one Impacket creates, and the rule description states that results require analysis. Review the Consumer, Namespace and ScriptText columns to separate sanctioned management or monitoring tooling from unexpected script consumers before escalating.

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Persistence/detect-impacket-wmipersist.yaml