Rapid7

module

WMI Event Subscription Event Log Persistence

Try Surface Command
Back to search
Disclosed
Jun 6, 2017
Created
Jan 14, 2026

Description

This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter
that will query the event log for an EVENT_ID_TRIGGER
(default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing
must be enabled on the target for this method to work, this can be enabled using "auditpol.exe /set /subcategory:Logon
/failure:Enable"). When these criteria are met a command line event consumer will trigger an encoded powershell payload.

Additionally a custom command can be specified to run once the trigger is
activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a
high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.

Authors

Nick Tyrer @NickTyrer
h00die

Platform

Windows

Architectures

x64, x86, aarch64

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/windows/persistence/wmi/wmi_event_subscription_event_log
    msf exploit(wmi_event_subscription_event_log) > show targets
        ...targets...
    msf exploit(wmi_event_subscription_event_log) > set TARGET < target-id >
    msf exploit(wmi_event_subscription_event_log) > show options
        ...show and set options...
    msf exploit(wmi_event_subscription_event_log) > exploit
Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report