WMI Event Subscriptions (OBJECTS.DATA)

Windows | Persistence Mechanisms | Disk Image

Location

C:\Windows\System32\wbem\Repository\OBJECTS.DATA

Description

WMI repository containing permanent event subscriptions (EventFilter, EventConsumer, FilterToConsumerBinding) that execute arbitrary commands or scripts in response to system events.

Forensic Value

WMI event subscriptions are a stealthy persistence mechanism favored by advanced adversaries because they do not appear in traditional autorun locations. Parsing OBJECTS.DATA reveals the trigger condition (e.g., system startup, user logon, interval timer) and the exact command or script payload. The persistence survives reboots and, when an ActiveScriptEventConsumer holds the script inline, requires no file on disk.

Tools Required

  • KAPE
  • PyWMIPersistenceFinder
  • Autoruns (Sysinternals)
  • wmi-parser

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target WMI

PyWMIPersistenceFinder

python3 PyWMIPersistenceFinder.py "C:\Windows\System32\wbem\Repository\OBJECTS.DATA"

PowerShell

Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
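The three queries above return filters, consumers, and bindings as separate lists; an analyst still has to join them by hand. The following added example (not part of the original page) correlates each __FilterToConsumerBinding with its filter query and consumer payload so trigger and payload appear in one row. The allow-list of known-good consumer names and the Get-WmiPersistenceReport function name are assumptions made for this example.

```powershell
# Added example: join bindings to their filter and consumer so each row shows
# the trigger (WQL query) next to the payload (command line or script).
# Get-WmiObject is used because its Filter/Consumer reference properties come
# back as path strings such as __EventFilter.Name="SomeName".
function Get-WmiPersistenceReport {
    param(
        [string]$Namespace = 'root\subscription',
        # Assumed allow-list: consumer names you have verified as legitimate on
        # the host. 'SCM Event Log Consumer' is the binding Windows ships with.
        [string[]]$KnownGoodConsumers = @('SCM Event Log Consumer')
    )
    $filters   = @{}
    $consumers = @{}
    Get-WmiObject -Namespace $Namespace -Class __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }
    # __EventConsumer is abstract; querying it returns every concrete subclass
    # instance (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
    Get-WmiObject -Namespace $Namespace -Class __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    # Extract the Name key from a reference path like __EventFilter.Name="Foo".
    function Get-RefName([string]$ref) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] } else { return $ref }
    }

    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding | ForEach-Object {
        $fName = Get-RefName $_.Filter
        $cName = Get-RefName $_.Consumer
        $f = $filters[$fName]
        $c = $consumers[$cName]
        # The payload lives in different properties depending on consumer class.
        # ActiveScriptEventConsumer.ScriptText is the fileless case: the script
        # exists only inside the WMI repository.
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }
        [pscustomobject]@{
            FilterName     = $fName
            Query          = $f.Query
            ConsumerClass  = $c.__CLASS
            ConsumerName   = $cName
            Payload        = $payload
            # Anything not on the allow-list is surfaced for analyst review.
            ReviewRequired = ($KnownGoodConsumers -notcontains $cName)
        }
    }
}

Get-WmiPersistenceReport | Format-Table -AutoSize -Wrap
```

A binding whose filter or consumer cannot be resolved shows empty Query/Payload fields, which is itself worth noting, since orphaned or partially deleted subscriptions can indicate clean-up after the fact.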

Autoruns

autorunsc.exe -a w -ct -h -s > C:\output\autoruns_wmi.csv

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1546.003 (Event Triggered Execution: Windows Management Instrumentation Event Subscription)
  • T1047 (Windows Management Instrumentation)