SOC Event Lookup
Event ID 20WMIP2

Sysmon Event ID 20: WmiEvent - WmiEventConsumer activity detected

Sysmon Event ID 20 records WMI event consumer registration activity.

Applicable version
Sysmon with this event enabled
Last reviewed
2026-07-13

Trigger Scenarios

Sysmon emits this event when a WMI event consumer is registered. Microsoft documents that the event records the consumer name, log, and destination.

Key Fields

Name

The WMI consumer name recorded by Sysmon. Correlate it with the Event 21 consumer path to prove a complete subscription.

Destination

The destination recorded for the consumer. Command execution destinations that reference powershell.exe, cmd.exe, or C:\\Users\\ paths are high-risk because the consumer can execute attacker content.

Log

The log field recorded by Sysmon for the consumer and useful for identifying scripted, command-line, or log-backed consumers.

Common False Positives

  • Approved administration, management agents, and deployment tools can generate this telemetry.
  • Baseline expected hosts, signed binaries, and change windows before suppression.

Related Events

MITRE ATT&CK Mapping

  • T1546.003Event Triggered Execution: Windows Management Instrumentation Event Subscription

Detection Notes

Alert when Destination references powershell.exe, cmd.exe, wscript.exe, mshta.exe, or a payload under C:\\Users\\, C:\\ProgramData\\, or C:\\Windows\\Temp. Microsoft documents Event 20 as recording consumer name, log, and destination, and MITRE T1546.003 covers WMI consumers used to execute code from event subscriptions. Correlate the consumer Name with Event 19 filter registration and Event 21 binding to determine whether the executable destination is armed for persistence.

Microsoft Sentinel KQL
Sysmon
| where EventID == 20
| project TimeGenerated, Computer, Image, ProcessGuid
Splunk SPL
index=sysmon EventCode=20 | table _time, host, Image, ProcessGuid
Sample Log
UtcTime: 2026-07-13 01:00:00.000
Name: UpdaterConsumer
Log: CommandLineEventConsumer
Destination: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\ProgramData\\updater.ps1

Source