Anthropic-Cybersecurity-Skills detecting-wmi-persistence
Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter,
install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/detecting-wmi-persistence" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-detecting-wmi-persistence && rm -rf "$T"
manifest:
skills/detecting-wmi-persistence/SKILL.mdsource content
Detecting WMI Persistence
When to Use
- When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
- After detecting suspicious WMI activity in endpoint telemetry
- During incident response to identify attacker persistence mechanisms
- When Sysmon alerts trigger on Event IDs 19, 20, or 21
- During purple team exercises testing WMI-based persistence
Prerequisites
- Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21)
- Windows Security Event Log forwarding configured
- SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
- PowerShell access for WMI enumeration on endpoints
- Sysinternals Autoruns for manual WMI subscription review
Workflow
- Collect Telemetry: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter).
- Identify Suspicious Consumers: Flag CommandLineEventConsumer and ActiveScriptEventConsumer types executing code.
- Analyze Event Filters: Examine WQL queries in EventFilters for process start triggers or timer-based execution.
- Correlate Bindings: Match FilterToConsumerBindings linking suspicious filters to consumers.
- Check Persistence Locations: Query WMI namespaces root\subscription and root\default for active subscriptions.
- Validate Findings: Cross-reference with known-good WMI subscriptions (SCCM, AV products).
- Document and Remediate: Remove malicious subscriptions and update detection rules.
Key Concepts
| Concept | Description |
|---|---|
| Sysmon Event 19 | WmiEventFilter creation detected |
| Sysmon Event 20 | WmiEventConsumer creation detected |
| Sysmon Event 21 | WmiEventConsumerToFilter binding detected |
| T1546.003 | Event Triggered Execution: WMI Event Subscription |
| CommandLineEventConsumer | Executes system commands when filter triggers |
| ActiveScriptEventConsumer | Runs VBScript/JScript when filter triggers |
Tools & Systems
| Tool | Purpose |
|---|---|
| Sysmon | Windows event monitoring for WMI activity |
| WMI Explorer | GUI tool for browsing WMI namespaces |
| Autoruns | Sysinternals tool listing persistence mechanisms |
| PowerShell Get-WMIObject | Enumerate WMI event subscriptions |
| Splunk | SIEM analysis of Sysmon WMI events |
| Velociraptor | Endpoint WMI artifact collection |
Output Format
Hunt ID: TH-WMI-[DATE]-[SEQ] Technique: T1546.003 Host: [Hostname] Event Type: [EventFilter|EventConsumer|Binding] Consumer Type: [CommandLine|ActiveScript] WQL Query: [Filter query text] Command: [Executed command or script] Risk Level: [Critical/High/Medium/Low] Recommended Action: [Remove subscription, investigate lateral movement]