<< All versions
Skill v1.0.1
currentAutomated scan96/100mukul975/anthropic-cybersecurity-skills/detecting-wmi-persistence
+3 new
──Details
PublishedJune 8, 2026 at 03:29 PM
Content Hashsha256:5d08db7a305683ec...
Git SHA04450304b126
Bump Typepatch
──Files
Files (1 file, 3.3 KB)
SKILL.md3.3 KBactive
SKILL.md · 100 lines · 3.3 KB
name: detecting-wmi-persistence description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation. domain: cybersecurity subdomain: threat-hunting tags:
- threat-hunting
- wmi
- persistence
- sysmon
- t1546.003
- mitre-attack
- windows
- dfir
version: '1.0' author: mahipal license: Apache-2.0 d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Platform Monitoring
nist_csf:
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05
mitre_attack:
- T1546.003
- T1047
- T1059.001
Detecting WMI Persistence
When to Use
- When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
- After detecting suspicious WMI activity in endpoint telemetry
- During incident response to identify attacker persistence mechanisms
- When Sysmon alerts trigger on Event IDs 19, 20, or 21
- During purple team exercises testing WMI-based persistence
Prerequisites
- Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21)
- Windows Security Event Log forwarding configured
- SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
- PowerShell access for WMI enumeration on endpoints
- Sysinternals Autoruns for manual WMI subscription review
Workflow
- Collect Telemetry: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter).
- Identify Suspicious Consumers: Flag CommandLineEventConsumer and ActiveScriptEventConsumer types executing code.
- Analyze Event Filters: Examine WQL queries in EventFilters for process start triggers or timer-based execution.
- Correlate Bindings: Match FilterToConsumerBindings linking suspicious filters to consumers.
- Check Persistence Locations: Query WMI namespaces root\subscription and root\default for active subscriptions.
- Validate Findings: Cross-reference with known-good WMI subscriptions (SCCM, AV products).
- Document and Remediate: Remove malicious subscriptions and update detection rules.
Key Concepts
| Concept | Description | |
|---|---|---|
| Sysmon Event 19 | WmiEventFilter creation detected | |
| Sysmon Event 20 | WmiEventConsumer creation detected | |
| Sysmon Event 21 | WmiEventConsumerToFilter binding detected | |
| T1546.003 | Event Triggered Execution: WMI Event Subscription | |
| CommandLineEventConsumer | Executes system commands when filter triggers | |
| ActiveScriptEventConsumer | Runs VBScript/JScript when filter triggers |
Tools & Systems
| Tool | Purpose | |
|---|---|---|
| Sysmon | Windows event monitoring for WMI activity | |
| WMI Explorer | GUI tool for browsing WMI namespaces | |
| Autoruns | Sysinternals tool listing persistence mechanisms | |
| PowerShell Get-WMIObject | Enumerate WMI event subscriptions | |
| Splunk | SIEM analysis of Sysmon WMI events | |
| Velociraptor | Endpoint WMI artifact collection |
Output Format
Hunt ID: TH-WMI-[DATE]-[SEQ]Technique: T1546.003Host: [Hostname]Event Type: [EventFilter|EventConsumer|Binding]Consumer Type: [CommandLine|ActiveScript]WQL Query: [Filter query text]Command: [Executed command or script]Risk Level: [Critical/High/Medium/Low]Recommended Action: [Remove subscription, investigate lateral movement]