Event Triggered Execution: Windows Management Instrumentation Event Subscription

Other sub-techniques of Event Triggered Execution (18)

ID	Name
ATAGS-T1069.001	Accessibility Features
ATAGS-T1069.002	AppCert DLLs
ATAGS-T1069.003	AppInit DLLs
ATAGS-T1069.004	Application Shimming
ATAGS-T1069.005	Change Default File Association
ATAGS-T1069.006	Component Object Model Hijacking
ATAGS-T1069.007	Emond
ATAGS-T1069.008	Image File Execution Options Injection
ATAGS-T1069.009	Installer Packages
ATAGS-T1069.010	LC_LOAD_DYLIB Addition
ATAGS-T1069.011	Netsh Helper DLL
ATAGS-T1069.012	PowerShell Profile
ATAGS-T1069.013	Python Startup Hooks
ATAGS-T1069.014	Screensaver
ATAGS-T1069.015	Trap
ATAGS-T1069.016	Udev Rules
ATAGS-T1069.017	Unix Shell Configuration Modification
ATAGS-T1069.018	Windows Management Instrumentation Event Subscription

Threat Actors may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.

ID: ATAGS-T1069.018

Sub-technique of: ATAGS-T1069

ⓘ

Tactic: Persistence

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.