WMI-Activity Operational Log

Windows, Persistence Mechanisms, Disk Image, SIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Description

WMI Activity operational log capturing Event 5861 (new permanent WMI event subscription created) and Events 5857 through 5860 (provider loading and query execution errors).

Forensic Value

Event 5861 is the timestamped companion to OBJECTS.DATA persistence analysis: it records exactly when a new WMI event subscription was created, together with the subscription details including the consumer command. This supplies the installation timestamp for WMI persistence that OBJECTS.DATA alone does not contain. Provider load events (5857) can reveal malicious WMI providers loaded from unusual paths.

Tools Required

  • KAPE
  • EvtxECmd (Eric Zimmerman)
  • Event Log Explorer
  • Chainsaw

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target EventLogs

EvtxECmd

EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx" --csv C:\output --csvf WMI_Activity.csv

PowerShell

Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-WMI-Activity/Operational"; Id=5857,5858,5859,5860,5861} | Export-Csv C:\output\wmi_activity.csv
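The PowerShell command above exports the raw events; the script below, an added example that is not part of this artifact card or any of the listed tools, parses the 5861 message text into the fields an analyst triages (creation time, consumer class, filter query, consumer command). The field labels (Namespace, Query, CommandLineTemplate, ScriptText) and the layout of the constructed sample message are assumptions about the MOF-style text embedded in the event.

```powershell
# Added example (not from the original page). Parses an Event 5861 message into triage fields.
# Assumed labels: Namespace, Query, CommandLineTemplate, ScriptText inside the message text.
function Parse-Wmi5861Message {
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = [datetime]::MinValue
    )
    # Helper: first capture group of a regex, or $null when the label is absent from the message.
    $grab = { param($Pattern) if ($Message -match $Pattern) { $Matches[1] } else { $null } }
    # Quoted MOF string; tolerates backslash-escaped characters (\" and \\) inside the value.
    $q = '"((?:\\.|[^"\\])*)"'
    $consumerClass = & $grab 'instance of (\w+EventConsumer)'
    [pscustomobject]@{
        TimeCreated     = $TimeCreated
        Namespace       = & $grab 'Namespace\s*=\s*([^;]+);'
        ConsumerClass   = $consumerClass
        FilterQuery     = & $grab "\bQuery\s*=\s*$q"
        ConsumerCommand = & $grab "(?:CommandLineTemplate|ScriptText)\s*=\s*$q"
        # Only these two consumer classes run arbitrary commands or script; others log, mail or write events.
        ExecutesCode    = $consumerClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
    }
}

# Live or offline collection: pass -Path for an exported .evtx, otherwise query the local log.
function Get-WmiSubscriptionCreations {
    param([string]$Path)
    $filter = @{ Id = 5861 }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Microsoft-Windows-WMI-Activity/Operational' }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object { Parse-Wmi5861Message -Message $_.Message -TimeCreated $_.TimeCreated }
}

# Constructed sample 5861 message (not a real capture) so the parser can be exercised offline.
$sample = @'
Namespace = //./root/subscription; Eventfilter = DemoFilter (refer to its activate eventid:5859); Consumer = CommandLineEventConsumer="DemoConsumer"; PossibleCause = Binding EventFilter:
instance of __EventFilter
{
  Name = "DemoFilter";
  Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";
  QueryLanguage = "WQL";
};
Perm. Consumer:
instance of CommandLineEventConsumer
{
  CommandLineTemplate = "C:\\Windows\\System32\\cmd.exe /c C:\\ProgramData\\demo.bat";
  Name = "DemoConsumer";
};
'@
Parse-Wmi5861Message -Message $sample -TimeCreated (Get-Date '2024-01-01') | Format-List
```

On a live host, `Get-WmiSubscriptionCreations | Export-Csv C:\output\wmi_5861.csv -NoTypeInformation` yields one row per subscription creation, with ExecutesCode marking the consumer types worth immediate review.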

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

MITRE ATT&CK Techniques

  • T1546.003
  • T1047