Sysmon Event ID 21


21: WmiEventConsumerToFilter activity detected

This is an event from Sysmon.


Attackers have developed a particularly sophisticated way to persist malware, and perhaps elevate privileges, using WMI event filters and consumers.

WMI allows you to link these two objects in order to execute a custom action whenever specified things happen in Windows. WMI events are related to, but more general than, the events we all know and love in the event log. WMI events include system startup, time intervals, program execution and many, many other things.

You can define a __EventFilter, which is basically a WQL query that specifies what events you want to catch in WMI. This is a permanent object saved in the WMI repository. It's passive until you create a consumer and link them with a binding. The WMI event consumer defines what the system should do with any events caught by the filter. There are different kinds of event consumers for actions like running a script, executing a command line, sending an email or writing to a log file.

Finally, you link the filter and consumer with a __FilterToConsumerBinding. After saving the binding, everything is active: whenever events matching the filter occur, they are fed to the consumer.

This event tells you when a WMI event filter (Event ID 19) is connected to a consumer (Event ID 20). In an attack this is the final of the three steps.

To learn more about this kind of attack, see my blog.


Description Fields in 21

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • EventType
  • UtcTime
  • Operation
  • User
  • Consumer
  • Filter


Examples of 21

Log Name:       Microsoft-Windows-Sysmon/Operational
Source:         Microsoft-Windows-Sysmon
Date:           4/11/2018 9:27:02 AM
Event ID:       21
Task Category: WmiEventConsumerToFilter activity detected (rule: WmiEvent)
Level:          Information
User:           SYSTEM
Computer:       rfsh.lab.local
WmiEventConsumerToFilter activity detected:
EventType: WmiBindingEvent
UtcTime: 2018-04-11 16:27:02.565
Operation: Created
User: LAB\rsmith
Consumer:   "CommandLineEventConsumer.Name=\"BotConsumer23\""
Filter:   "__EventFilter.Name=\"BotFilter82\""
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>21</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2018-04-11T16:27:02.565587100Z" />
    <Correlation />
    <Execution ProcessID="7620" ThreadID="21880" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>rfsh.lab.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="EventType">WmiBindingEvent</Data>
    <Data Name="UtcTime">2018-04-11 16:27:02.565</Data>
    <Data Name="Operation">Created</Data>
    <Data Name="User">LAB\rsmith</Data>
    <Data Name="Consumer"> "CommandLineEventConsumer.Name=\"BotConsumer23\""</Data>
    <Data Name="Filter"> "__EventFilter.Name=\"BotFilter82\""</Data>
  </EventData>
</Event>
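The following Python is an added example, not code from this page or from Sysmon: it parses an Event ID 21 record like the one above, splits the Consumer and Filter object paths into WMI class and instance name, and rates a newly created binding by whether its consumer class can run code. The sample record is constructed from the page's example, and the set of code-executing consumer classes is this example's own choice.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Consumer classes that run attacker-supplied code; bindings to these are the
# ones to triage first (a choice made for this example, not a Sysmon field).
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Constructed sample record, shaped like the Event ID 21 example on this page.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>21</EventID>
    <Computer>rfsh.lab.local</Computer></System>
  <EventData>
    <Data Name="EventType">WmiBindingEvent</Data>
    <Data Name="UtcTime">2018-04-11 16:27:02.565</Data>
    <Data Name="Operation">Created</Data>
    <Data Name="User">LAB\\rsmith</Data>
    <Data Name="Consumer"> "CommandLineEventConsumer.Name=\\"BotConsumer23\\""</Data>
    <Data Name="Filter"> "__EventFilter.Name=\\"BotFilter82\\""</Data>
  </EventData>
</Event>"""

# Sysmon writes Consumer/Filter as WMI object paths such as
# CommandLineEventConsumer.Name="BotConsumer23" (inner quotes backslash-escaped).
PATH_RE = re.compile(r'(\w+)\.Name=\\?"([^"\\]+)')

def parse_wmi_path(value):
    """Return (wmi_class, instance_name) from a Sysmon WMI object path string."""
    m = PATH_RE.search(value)
    return (m.group(1), m.group(2)) if m else (None, None)

def parse_event(xml_text):
    """Return (event_id, {data_name: value}) from a Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def triage_binding(xml_text):
    """Turn a 'Created' Event ID 21 record into a finding; anything else returns None."""
    event_id, data = parse_event(xml_text)
    if event_id != 21 or data.get("Operation") != "Created":
        return None
    consumer_class, consumer_name = parse_wmi_path(data.get("Consumer", ""))
    _, filter_name = parse_wmi_path(data.get("Filter", ""))
    return {"user": data.get("User"), "consumer_class": consumer_class,
            "consumer": consumer_name, "filter": filter_name,
            "severity": "high" if consumer_class in EXEC_CONSUMERS else "medium"}
```

The filter and consumer names in the finding are the keys for joining this record back to the earlier Event ID 19 and 20 records that created them.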
