detecting-wmi-persistence
Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.
Best use case
detecting-wmi-persistence is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using detecting-wmi-persistence should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/detecting-wmi-persistence/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
How detecting-wmi-persistence Compares
| Feature / Agent | detecting-wmi-persistence | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Detecting WMI Persistence

## When to Use

- When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
- After detecting suspicious WMI activity in endpoint telemetry
- During incident response to identify attacker persistence mechanisms
- When Sysmon alerts trigger on Event IDs 19, 20, or 21
- During purple team exercises testing WMI-based persistence

## Prerequisites

- Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21)
- Windows Security Event Log forwarding configured
- SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
- PowerShell access for WMI enumeration on endpoints
- Sysinternals Autoruns for manual WMI subscription review

## Workflow

1. **Collect Telemetry**: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter).
2. **Identify Suspicious Consumers**: Flag CommandLineEventConsumer and ActiveScriptEventConsumer types executing code.
3. **Analyze Event Filters**: Examine WQL queries in EventFilters for process start triggers or timer-based execution.
4. **Correlate Bindings**: Match FilterToConsumerBindings linking suspicious filters to consumers.
5. **Check Persistence Locations**: Query WMI namespaces root\subscription and root\default for active subscriptions.
6. **Validate Findings**: Cross-reference with known-good WMI subscriptions (SCCM, AV products).
7. **Document and Remediate**: Remove malicious subscriptions and update detection rules.

## Key Concepts

| Concept | Description |
|---------|-------------|
| Sysmon Event 19 | WmiEventFilter creation detected |
| Sysmon Event 20 | WmiEventConsumer creation detected |
| Sysmon Event 21 | WmiEventConsumerToFilter binding detected |
| T1546.003 | Event Triggered Execution: WMI Event Subscription |
| CommandLineEventConsumer | Executes system commands when filter triggers |
| ActiveScriptEventConsumer | Runs VBScript/JScript when filter triggers |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| Sysmon | Windows event monitoring for WMI activity |
| WMI Explorer | GUI tool for browsing WMI namespaces |
| Autoruns | Sysinternals tool listing persistence mechanisms |
| PowerShell Get-WmiObject | Enumerate WMI event subscriptions |
| Splunk | SIEM analysis of Sysmon WMI events |
| Velociraptor | Endpoint WMI artifact collection |

## Output Format

```
Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [Hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [Filter query text]
Command: [Executed command or script]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Remove subscription, investigate lateral movement]
```
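The following is an added example, not code from the skill or from Sysmon, showing workflow steps 1 to 4 and 6 as SIEM-side logic: it parses Sysmon WMI event XML for IDs 19, 20 and 21, joins bindings back to their filter and consumer by name, flags code-executing consumer types and process-start or timer-style WQL triggers, suppresses an allowlisted known-good subscription, and renders each finding in the output format above. The sample events are constructed inline (not real telemetry); the consumer `Type` strings, the object-path form of the binding `Filter`/`Consumer` fields, the allowlist and the host name are assumptions to tune against real Sysmon output.

```python
"""Correlate Sysmon WMI events (IDs 19, 20, 21) into hunt findings.
Illustrative example only; not the skill's own code."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# WQL patterns indicating process-start or timer/uptime style triggers (assumed heuristics).
TRIGGER_PATTERNS = {
    "process start": re.compile(r"Win32_ProcessStartTrace|__InstanceCreationEvent.*Win32_Process", re.I | re.S),
    "timer/uptime": re.compile(r"__TimerEvent|SystemUpTime|Win32_LocalTime", re.I),
}
# Assumed allowlist of known-good filter names; extend with SCCM/AV entries per environment.
KNOWN_GOOD_FILTERS = {"SCM Event Log Filter"}


def _ev(event_id, **fields):
    """Build a constructed Sysmon-shaped event record (sample data, not real telemetry)."""
    data = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


SAMPLE_EVENTS = [
    _ev(19, EventType="WmiFilterEvent", Operation="Created", User="LAB\\admin",
        EventNamespace="root\\cimv2", Name="Updater",
        Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"),
    _ev(20, EventType="WmiConsumerEvent", Operation="Created", User="LAB\\admin",
        Name="Updater", Type="Command Line",
        Destination="C:\\Windows\\System32\\cmd.exe /c C:\\Users\\Public\\update.bat"),
    _ev(21, EventType="WmiBindingEvent", Operation="Created", User="LAB\\admin",
        Consumer='CommandLineEventConsumer.Name="Updater"', Filter='__EventFilter.Name="Updater"'),
    _ev(19, EventType="WmiFilterEvent", Operation="Created", User="NT AUTHORITY\\SYSTEM",
        EventNamespace="root\\cimv2", Name="SCM Event Log Filter",
        Query="select * from MSFT_SCMEventLogEvent"),
    _ev(20, EventType="WmiConsumerEvent", Operation="Created", User="NT AUTHORITY\\SYSTEM",
        Name="SCM Event Log Consumer", Type="Event Log", Destination=""),
    _ev(21, EventType="WmiBindingEvent", Operation="Created", User="NT AUTHORITY\\SYSTEM",
        Consumer='NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
        Filter='__EventFilter.Name="SCM Event Log Filter"'),
]


def parse_sysmon_event(xml_text):
    """Return (event_id, {DataName: value}) for one Sysmon event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def _ref_name(ref):
    """Binding targets are logged as object paths such as __EventFilter.Name="X"; pull out X."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def correlate(xml_records, host="HOST01"):
    """Join each created binding (21) to its filter (19) and consumer (20) and score it."""
    events = [parse_sysmon_event(x) for x in xml_records]
    filters = {d["Name"]: d for i, d in events if i == 19 and d.get("Operation") == "Created"}
    consumers = {d["Name"]: d for i, d in events if i == 20 and d.get("Operation") == "Created"}
    findings = []
    for i, d in events:
        if i != 21 or d.get("Operation") != "Created":
            continue
        flt = filters.get(_ref_name(d["Filter"]), {})
        con = consumers.get(_ref_name(d["Consumer"]), {})
        ctype = con.get("Type", "").lower()
        consumer_type = "CommandLine" if "command line" in ctype else "ActiveScript" if "script" in ctype else con.get("Type", "?")
        exec_code = consumer_type in ("CommandLine", "ActiveScript")
        triggers = [lbl for lbl, p in TRIGGER_PATTERNS.items() if p.search(flt.get("Query", ""))]
        if flt.get("Name") in KNOWN_GOOD_FILTERS:
            risk, action = "Low", "Known-good subscription; no action"
        elif exec_code and triggers:
            risk, action = "Critical", "Remove subscription, investigate lateral movement"
        elif exec_code:
            risk, action = "High", "Review command, remove subscription if unauthorized"
        else:
            risk, action = "Medium", "Validate against vendor baseline"
        findings.append({"host": host, "user": d.get("User", ""), "consumer_type": consumer_type,
                         "query": flt.get("Query", ""), "command": con.get("Destination", ""),
                         "triggers": triggers, "risk": risk, "action": action})
    return findings


def format_finding(f, seq=1, date="YYYYMMDD"):
    """Render one finding in the skill's Output Format."""
    return "\n".join([f"Hunt ID: TH-WMI-{date}-{seq:03d}", "Technique: T1546.003", f"Host: {f['host']}",
                      "Event Type: Binding", f"Consumer Type: {f['consumer_type']}",
                      f"WQL Query: {f['query']}", f"Command: {f['command']}",
                      f"Risk Level: {f['risk']}", f"Recommended Action: {f['action']}"])


if __name__ == "__main__":
    for n, finding in enumerate(correlate(SAMPLE_EVENTS), 1):
        print(format_finding(finding, seq=n), end="\n\n")
```

Bindings are scored rather than filters or consumers alone because a filter or consumer without a binding never fires; tracking only `Created` operations keeps deletions from masking the original creation. Endpoint-side confirmation (step 5) is still done with PowerShell against root\subscription, as the Tools table notes.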
Related Skills
performing-malware-persistence-investigation
Systematically investigate all persistence mechanisms on Windows and Linux systems to identify how malware survives reboots and maintains access.
hunting-for-startup-folder-persistence
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring.
hunting-for-registry-run-key-persistence
Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry queries to identify malicious auto-start entries.
hunting-for-registry-persistence-mechanisms
Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and COM hijacking in Windows environments.
hunting-for-persistence-via-wmi-subscriptions
Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI consumer, filter, and binding creation events that execute malicious code triggered by system events.
hunting-for-persistence-mechanisms-in-windows
Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.
hunting-for-dns-based-persistence
Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse, and unauthorized zone modifications using passive DNS databases, SecurityTrails API, and DNS audit log analysis.
detecting-typosquatting-packages-in-npm-pypi
Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using Levenshtein distance and other string metrics, examining publish date heuristics to identify recently created packages mimicking established ones, and flagging download count anomalies where suspicious packages have disproportionately low usage compared to their legitimate targets. The analyst queries the PyPI JSON API and npm registry API to gather package metadata for automated comparison. Activates for requests involving package typosquatting detection, dependency confusion analysis, malicious package identification, or software supply chain threat hunting in package registries.
detecting-t1548-abuse-elevation-control-mechanism
Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
detecting-t1055-process-injection-with-sysmon
Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
detecting-suspicious-powershell-execution
Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.