WMI Event Subscriptions

Adversaries may leverage WMI event subscriptions to evade detection by triggering malicious actions only under specific conditions that are unlikely to occur in a sandboxed environment. For instance, a threat actor might configure an event subscription to monitor file system, network, or logon activity, ensuring that their second-stage payload is only downloaded and executed when a particular event suggests real user activity, thereby bypassing automated analysis

Technique Identifier

U1353

Evasion Categories

Sandbox Evasion

Code Snippets

# This requires file auditing from GPO to be applied to work
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND (TargetInstance.EventCode = '4663')"
Register-WmiEvent -Query $query -Action {
	Write-Host '[+] File deletion or network share access detected. Likely not a sandbox...'
	New-Item -Path "C:\Users\Administrator\Desktop\SandboxStop.txt" -ItemType File
}

About Author Open Snippet

Author: Issac Briones (1d8) / Target Platform: Windows

Contributor

Issac Briones (1d8)

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Created

April 2, 2025

Last Revised

March 24, 2026