detecting-wmi-persistence
$ npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-wmi-persistence

Scan Sysmon logs for WMI persistence mechanisms.
- Identify malicious EventFilter and EventConsumer subscriptions.
- Requires Sysmon v6.10+ (the release that added WMI Event IDs 19, 20 and 21) with WmiEvent logging enabled in the Sysmon configuration.
- Flags suspicious consumers executing code or malicious queries.
- Outputs flagged events for SIEM correlation and investigation.
SKILL.md
.github/skills/detecting-wmi-persistence
---
name: detecting-wmi-persistence
description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, wmi, persistence, sysmon, t1546.003, mitre-attack, windows, dfir]
version: "1.0"
author: mahipal
license: Apache-2.0
---

# Detecting WMI Persistence

## When to Use

- When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
- After detecting suspicious WMI activity in endpoint telemetry
- During incident response to identify attacker persistence mechanisms
- When Sysmon alerts trigger on Event IDs 19, 20, or 21
- During purple team exercises testing WMI-based persistence

## Prerequisites

- Sysmon v6.10+ (the release that added WMI events) deployed with a configuration that does not exclude WmiEvent (Event IDs 19, 20, 21)
- Windows Event Forwarding configured for the Microsoft-Windows-Sysmon/Operational channel (Sysmon does not write to the Security log)
- SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
- PowerShell access for WMI enumeration on endpoints
- Sysinternals Autoruns for manual WMI subscription review (WMI tab)

## Workflow

1. **Collect Telemetry**: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter). Sysmon records these only when the objects are created; subscriptions that predate the Sysmon deployment will not appear and must be found in step 5.
2. **Identify Suspicious Consumers**: Flag CommandLineEventConsumer and ActiveScriptEventConsumer instances, the two consumer classes that execute attacker-supplied commands or scripts when their filter fires.
3. **Analyze Event Filters**: Examine the WQL query of each EventFilter for its trigger: process start (`Win32_ProcessStartTrace`, or `__InstanceCreationEvent` on `Win32_Process`), timers (`__InstanceModificationEvent` on `Win32_LocalTime`), or an uptime window (`Win32_PerfFormattedData_PerfOS_System.SystemUpTime`, commonly used to fire shortly after boot).
4. **Correlate Bindings**: Match each __FilterToConsumerBinding to its filter and consumer by name; a filter and consumer do nothing until a binding links them, so the binding is the unit to score.
5. **Check Persistence Locations**: Query the WMI namespaces root\subscription and root\default for __EventFilter, __EventConsumer and __FilterToConsumerBinding instances to catch subscriptions Sysmon never saw created.
6. **Validate Findings**: Cross-reference with known-good subscriptions (the stock "SCM Event Log Filter"/"SCM Event Log Consumer" pair present on every Windows host, SCCM, AV products).
7. **Document and Remediate**: Remove malicious subscriptions (the binding together with its filter and consumer) and update detection rules.
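The correlation in steps 1 to 4 and 6, carried out offline in Python over exported Sysmon events, as an added example that is not code from this skill or its author. The six sample events are constructed for the example: their EventData field names (Name/Query for 19, Name/Type/Destination for 20, Consumer/Filter for 21) follow Sysmon's WmiEvent layout, while the consumer Type strings, the command-line patterns that raise a finding to Critical, and the trigger classification are this example's own assumptions. The third sample subscription deliberately has no Event 19, the case where the filter was created before Sysmon was deployed.

```python
"""Correlate Sysmon WmiEvent records (IDs 19, 20, 21) into T1546.003 findings.
Added example, not the skill's own code. Sample events are constructed: the field
names follow Sysmon's layout; Type strings and risk heuristics are assumptions."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KNOWN_GOOD = {"SCM Event Log Filter", "SCM Event Log Consumer"}  # stock Windows pair (step 6)
CODE_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}  # step 2
CODE_TYPES = {"command line", "script"}  # assumed Sysmon Type strings for those classes
CRITICAL_CMD = re.compile(  # tradecraft that raises a code-executing consumer to Critical
    r"(powershell|pwsh).*(-enc|-e\s|-nop|hidden|iex|downloadstring|frombase64)"
    r"|\b(mshta|regsvr32|rundll32|certutil|wscript|cscript)\b", re.I)
TRIGGERS = {  # WQL classes and the kind of trigger each implements (step 3)
    "timer": r"Win32_LocalTime|Win32_UTCTime|__TimerEvent",
    "process start": r"Win32_ProcessStartTrace|ISA 'Win32_Process'",
    "boot/uptime": r"PerfOS_System|SystemUpTime"}
REF_RE = re.compile(r'(\w+)\.Name=\\?"([^"\\]*)')  # __EventFilter.Name="Updater" -> class, name


def _evt(eid, host, **fields):
    """Build one constructed Sysmon event in the Windows event XML schema."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f"<Computer>{host}</Computer></System><EventData>{data}</EventData></Event>")


SAMPLE_EVENTS = [
    # Uptime-window filter, encoded PowerShell consumer and binding: a classic implant.
    _evt(19, "WS-FIN-07", User="CORP\\jdoe", Name='"Updater"',
         Query='"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA '
               "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240\""),
    _evt(20, "WS-FIN-07", User="CORP\\jdoe", Name='"Updater"', Type='"Command Line"',
         Destination='"powershell.exe -NoP -W Hidden -Enc JABjAG0AZAA="'),
    _evt(21, "WS-FIN-07", User="CORP\\jdoe", Consumer='"CommandLineEventConsumer.Name=\\"Updater\\""',
         Filter='"__EventFilter.Name=\\"Updater\\""'),
    # Stock SCM subscription present on every host: dropped by the allowlist.
    _evt(21, "WS-FIN-07", User="NT AUTHORITY\\SYSTEM", Filter='"__EventFilter.Name=\\"SCM Event Log Filter\\""',
         Consumer='"NTEventLogEventConsumer.Name=\\"SCM Event Log Consumer\\""'),
    # Script consumer whose filter predates Sysmon: only events 20 and 21 were logged.
    _evt(20, "SRV-APP-02", User="CORP\\svc_backup", Name='"LogCleaner"', Type='"Script"',
         Destination='"Set fso=CreateObject(\\"Scripting.FileSystemObject\\")"'),
    _evt(21, "SRV-APP-02", User="CORP\\svc_backup", Consumer='"ActiveScriptEventConsumer.Name=\\"LogCleaner\\""',
         Filter='"__EventFilter.Name=\\"LogCleanerFilter\\""'),
]


def parse_event(xml_text):
    """Return EventID, Computer and the EventData fields; Sysmon quotes WMI strings, so strip them."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip().strip('"')
            for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return data


def classify_query(query):
    """Name the trigger(s) a WQL filter query implements, or 'unknown'."""
    return ", ".join(t for t, rx in TRIGGERS.items() if re.search(rx, query, re.I)) or "unknown"


def hunt(xml_events, hunt_date):
    """Steps 1-4 and 6: index filters and consumers per host, then score every binding."""
    filters, consumers, bindings, findings = {}, {}, [], []
    for ev in map(parse_event, xml_events):
        if ev["EventID"] == 19:
            filters[(ev["Computer"], ev["Name"])] = ev
        elif ev["EventID"] == 20:
            consumers[(ev["Computer"], ev["Name"])] = ev
        elif ev["EventID"] == 21:
            bindings.append(ev)  # the binding is what makes a filter/consumer pair active
    for b in bindings:
        cls, cname = REF_RE.search(b["Consumer"]).groups()
        fname = REF_RE.search(b["Filter"]).group(2)
        if {cname, fname} <= KNOWN_GOOD:
            continue
        cons = consumers.get((b["Computer"], cname), {})
        filt = filters.get((b["Computer"], fname), {})
        command, query = cons.get("Destination", ""), filt.get("Query", "")
        runs_code = cls in CODE_CONSUMERS or cons.get("Type", "").lower() in CODE_TYPES
        trigger = classify_query(query)
        risk = ("Critical" if runs_code and CRITICAL_CMD.search(command) else "High" if runs_code
                else "Medium" if trigger != "unknown" else "Low")
        action = "Remove subscription, investigate lateral movement" if runs_code else "Review against baseline"
        if not filt:  # Sysmon only logs creation; an older filter must be enumerated on the host (step 5)
            action += "; filter not in Sysmon log, enumerate root\\subscription on host"
        findings.append({"hunt_id": f"TH-WMI-{hunt_date}-{len(findings) + 1:03d}", "host": b["Computer"],
                         "consumer_type": cons.get("Type") or cls, "query": query, "trigger": trigger,
                         "command": command, "risk": risk, "action": action})
    return findings


def render(f):  # one finding in the skill's Output Format
    return (f"Hunt ID: {f['hunt_id']}\nTechnique: T1546.003\nHost: {f['host']}\nEvent Type: Binding\n"
            f"Consumer Type: {f['consumer_type']}\nWQL Query: {f['query'] or '[not observed]'}\n"
            f"Command: {f['command']}\nRisk Level: {f['risk']}\nRecommended Action: {f['action']}")
```

Against real data, feed `hunt()` the XML of Event IDs 19, 20 and 21 exported from the Sysmon channel or the SIEM, one event per string. The two findings it produces from the samples show the two cases a hunter needs to tell apart: a fully observed subscription scored Critical from its encoded PowerShell command and uptime trigger, and a binding whose filter Sysmon never saw, which is still scored High because an ActiveScriptEventConsumer runs code, but whose query can only be recovered by enumerating root\subscription on the host (step 5).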
## Key Concepts

| Concept | Description |
|---------|-------------|
| Sysmon Event 19 | WmiEventFilter creation detected |
| Sysmon Event 20 | WmiEventConsumer creation detected |
| Sysmon Event 21 | WmiEventConsumerToFilter binding detected |
| T1546.003 | Event Triggered Execution: WMI Event Subscription |
| CommandLineEventConsumer | Executes system commands when filter triggers |
| ActiveScriptEventConsumer | Runs VBScript/JScript when filter triggers |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| Sysmon | Windows event monitoring for WMI activity |
| WMI Explorer | GUI tool for browsing WMI namespaces |
| Autoruns | Sysinternals tool listing persistence mechanisms, including WMI subscriptions |
| PowerShell Get-WmiObject / Get-CimInstance | Enumerate WMI event subscriptions in root\subscription |
| Splunk | SIEM analysis of Sysmon WMI events |
| Velociraptor | Endpoint WMI artifact collection |

## Output Format

```
Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [Hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [Filter query text]
Command: [Executed command or script]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Remove subscription, investigate lateral movement]
```