Files
Anthropic-Cybersecurity-Skills/skills/detecting-wmi-persistence/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

3.3 KiB

name, description, domain, subdomain, tags, version, author, license, d3fend_techniques, nist_csf, mitre_attack
name description domain subdomain tags version author license d3fend_techniques nist_csf mitre_attack
detecting-wmi-persistence Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation. cybersecurity threat-hunting
threat-hunting
wmi
persistence
sysmon
t1546.003
mitre-attack
windows
dfir
1.0 mahipal Apache-2.0
Application Protocol Command Analysis
Network Isolation
Network Traffic Analysis
Client-server Payload Profiling
Platform Monitoring
DE.CM-01
DE.AE-02
DE.AE-07
ID.RA-05
T1546.003
T1047
T1059.001

Detecting WMI Persistence

When to Use

  • When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
  • After detecting suspicious WMI activity in endpoint telemetry
  • During incident response to identify attacker persistence mechanisms
  • When Sysmon alerts trigger on Event IDs 19, 20, or 21
  • During purple team exercises testing WMI-based persistence

Prerequisites

  • Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21)
  • Windows Security Event Log forwarding configured
  • SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
  • PowerShell access for WMI enumeration on endpoints
  • Sysinternals Autoruns for manual WMI subscription review

Workflow

  1. Collect Telemetry: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter).
  2. Identify Suspicious Consumers: Flag CommandLineEventConsumer and ActiveScriptEventConsumer types executing code.
  3. Analyze Event Filters: Examine WQL queries in EventFilters for process start triggers or timer-based execution.
  4. Correlate Bindings: Match FilterToConsumerBindings linking suspicious filters to consumers.
  5. Check Persistence Locations: Query WMI namespaces root\subscription and root\default for active subscriptions.
  6. Validate Findings: Cross-reference with known-good WMI subscriptions (SCCM, AV products).
  7. Document and Remediate: Remove malicious subscriptions and update detection rules.

Key Concepts

Concept Description
Sysmon Event 19 WmiEventFilter creation detected
Sysmon Event 20 WmiEventConsumer creation detected
Sysmon Event 21 WmiEventConsumerToFilter binding detected
T1546.003 Event Triggered Execution: WMI Event Subscription
CommandLineEventConsumer Executes system commands when filter triggers
ActiveScriptEventConsumer Runs VBScript/JScript when filter triggers

Tools & Systems

Tool Purpose
Sysmon Windows event monitoring for WMI activity
WMI Explorer GUI tool for browsing WMI namespaces
Autoruns Sysinternals tool listing persistence mechanisms
PowerShell Get-WMIObject Enumerate WMI event subscriptions
Splunk SIEM analysis of Sysmon WMI events
Velociraptor Endpoint WMI artifact collection

Output Format

Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [Hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [Filter query text]
Command: [Executed command or script]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Remove subscription, investigate lateral movement]