{
  "id": "20",
  "source": "sysmon",
  "category": "WMI",
  "name": "WmiEvent - WmiEventConsumer activity detected",
  "priority": "P2",
  "applicable_version": "Sysmon with this event enabled",
  "last_reviewed": "2026-07-13",
  "definition": "Sysmon Event ID 20 records WMI event consumer registration activity.",
  "trigger_scenarios": "Sysmon emits this event when a WMI event consumer is registered. Microsoft documents that the event records the consumer name, log, and destination.",
  "key_fields": [
    {
      "field": "Name",
      "explanation": "The WMI consumer name recorded by Sysmon. Correlate it with the Event 21 consumer path to prove a complete subscription."
    },
    {
      "field": "Destination",
      "explanation": "The destination recorded for the consumer. Command execution destinations that reference powershell.exe, cmd.exe, or C:\\\\Users\\\\ paths are high-risk because the consumer can execute attacker content."
    },
    {
      "field": "Log",
      "explanation": "The log field recorded by Sysmon for the consumer and useful for identifying scripted, command-line, or log-backed consumers."
    }
  ],
  "false_positives": [
    "Approved administration, management agents, and deployment tools can generate this telemetry.",
    "Baseline expected hosts, signed binaries, and change windows before suppression."
  ],
  "related_event_ids": [
    "1"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1546.003",
      "technique_name": "Event Triggered Execution: Windows Management Instrumentation Event Subscription"
    }
  ],
  "detection_notes": "Alert when Destination references powershell.exe, cmd.exe, wscript.exe, mshta.exe, or a payload under C:\\\\Users\\\\, C:\\\\ProgramData\\\\, or C:\\\\Windows\\\\Temp. Microsoft documents Event 20 as recording consumer name, log, and destination, and MITRE T1546.003 covers WMI consumers used to execute code from event subscriptions. Correlate the consumer Name with Event 19 filter registration and Event 21 binding to determine whether the executable destination is armed for persistence.",
  "kql_snippet": "Sysmon\n| where EventID == 20\n| project TimeGenerated, Computer, Image, ProcessGuid",
  "spl_snippet": "index=sysmon EventCode=20 | table _time, host, Image, ProcessGuid",
  "sample_log": "UtcTime: 2026-07-13 01:00:00.000\nName: UpdaterConsumer\nLog: CommandLineEventConsumer\nDestination: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\\\ProgramData\\\\updater.ps1",
  "source_url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
  "route": "/sysmon-events/20/",
  "canonical_url": "https://soceventlookup.com/sysmon-events/20/",
  "json_url": "/api/events/sysmon/20.json"
}
