mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
3.1 KiB
3.1 KiB
Detailed Hunting Workflow - WMI Subscription Persistence
Phase 1: Enumerate Existing Subscriptions
Step 1.1 - PowerShell Enumeration
# List all event filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter | Select-Object Name, Query, QueryLanguage
# List all event consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer | Select-Object Name, __CLASS
# List all bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding | Select-Object Filter, Consumer
# Detailed ActiveScriptEventConsumer inspection
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer | Select-Object Name, ScriptingEngine, ScriptText
# Detailed CommandLineEventConsumer inspection
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer | Select-Object Name, ExecutablePath, CommandLineTemplate
Step 1.2 - WMIC Enumeration
wmic /namespace:\\root\subscription path __EventFilter get Name, Query
wmic /namespace:\\root\subscription path __EventConsumer get Name, __CLASS
wmic /namespace:\\root\subscription path __FilterToConsumerBinding get Filter, Consumer
Phase 2: Monitor Creation Events
Step 2.1 - Sysmon WMI Event Detection
index=sysmon (EventCode=19 OR EventCode=20 OR EventCode=21)
| eval event_type=case(
EventCode=19, "EventFilter Created",
EventCode=20, "EventConsumer Created",
EventCode=21, "Binding Created"
)
| table _time Computer User event_type Name Query Consumer Destination
Step 2.2 - Windows WMI Activity Log
index=wineventlog source="Microsoft-Windows-WMI-Activity/Operational"
| where EventCode IN (5857, 5858, 5859, 5860, 5861)
| table _time Computer EventCode NamespaceName Query Operation PossibleCause
Phase 3: Hunt for WmiPrvSe.exe Suspicious Children
Step 3.1 - Process Tree Analysis
index=sysmon EventCode=1
| where match(ParentImage, "(?i)WmiPrvSe\.exe$")
| where match(Image, "(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe$")
| table _time Computer Image CommandLine User ParentImage
Step 3.2 - MOF Compilation Detection
index=sysmon EventCode=1 Image="*\\mofcomp.exe"
| table _time Computer User CommandLine ParentImage
Phase 4: Removal and Cleanup
Step 4.1 - Remove Malicious Subscription
# Remove specific subscription components
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='MaliciousFilter'" | Remove-WmiObject
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='MaliciousConsumer'" | Remove-WmiObject
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "Filter=""__EventFilter.Name='MaliciousFilter'""" | Remove-WmiObject
Phase 5: Response
- Document all found subscriptions with full details
- Remove malicious subscriptions from all affected hosts
- Block WMI subscription creation via Group Policy where possible
- Deploy ongoing monitoring via Sysmon Events 19/20/21
- Investigate initial infection vector that created the subscription