Detects WMI event subscription persistence (MITRE T1546.003) by analyzing Sysmon events ID 19, 20, 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creations. For threat hunting and incident response.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.

- When hunting WMI event subscription persistence (MITRE ATT&CK T1546.003)
Hunts WMI event subscription persistence (MITRE T1546.003) in Windows via Sysmon events 19/20/21, PowerShell enumeration of filters/consumers/bindings, Splunk queries, and KQL for WmiPrvSe.exe spawns.
| Concept | Description |
|---|---|
| Sysmon Event 19 | WmiEventFilter creation detected |
| Sysmon Event 20 | WmiEventConsumer creation detected |
| Sysmon Event 21 | WmiEventConsumerToFilter binding detected |
| T1546.003 | Event Triggered Execution: WMI Event Subscription |
| CommandLineEventConsumer | Executes a system command when the filter fires |
| ActiveScriptEventConsumer | Runs VBScript/JScript when the filter fires |

| Tool | Purpose |
|---|---|
| Sysmon | Windows event monitoring for WMI activity |
| WMI Explorer | GUI tool for browsing WMI namespaces |
| Autoruns | Sysinternals tool that lists persistence mechanisms |
| PowerShell Get-WMIObject | Enumerates WMI event subscriptions |
| Splunk | SIEM analysis of Sysmon WMI events |
| Velociraptor | Endpoint WMI artifact collection |
Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [filter query text]
Command: [command or script executed]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [remove the subscription, investigate lateral movement]
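The concept table above maps Sysmon Event IDs 19, 20 and 21 to the three WMI subscription objects, and the report template expects each finding joined back into one record. The following Python is an added example (not part of the skill or the Sysmon project) that parses Sysmon-style event XML, correlates each binding (21) with its filter (19) and consumer (20), rates the consumer type, and renders the template. The EventData field names (Name, Query, Type, Destination, Consumer, Filter, UtcTime) follow the Sysmon schema for these events as assumed here; the consumer-type labels ("Command Line", "Script", "Event Log"), the host name, user names and the sample records are all constructed.

```python
"""Correlate Sysmon Event IDs 19/20/21 into WMI subscription hunt findings.

Added example, not part of the original skill. EventData field names follow the
Sysmon schema for WmiEvent records as assumed here; all sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event 20 "Type" labels meaning the consumer executes something when the filter fires
# (CommandLineEventConsumer / ActiveScriptEventConsumer). Assumed label strings.
EXECUTING_CONSUMER_TYPES = {"Command Line", "Script"}
_NAME_RE = re.compile(r'Name="([^"]*)"')  # extracts the name from '__EventFilter.Name="x"'


def make_event(event_id, fields, computer="WS01.corp.example"):
    """Build a constructed Sysmon-style XML record (sample data, not real telemetry)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>{computer}</Computer></System><EventData>{data}</EventData></Event>")


# Constructed sample: one command-line subscription and one event-log consumer binding.
SAMPLE_EVENTS = [
    make_event(19, {"UtcTime": "2024-01-15 10:00:01.000", "Operation": "Created",
                    "User": "CORP\\svc-admin", "EventNamespace": "root\\cimv2",
                    "Name": "UpdFilter",
                    "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
                             "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
                             "AND TargetInstance.SystemUpTime >= 240"}),
    make_event(20, {"UtcTime": "2024-01-15 10:00:02.000", "Operation": "Created",
                    "User": "CORP\\svc-admin", "Name": "UpdConsumer", "Type": "Command Line",
                    "Destination": "powershell.exe -NoProfile -File C:\\ProgramData\\upd.ps1"}),
    make_event(21, {"UtcTime": "2024-01-15 10:00:03.000", "Operation": "Created",
                    "User": "CORP\\svc-admin",
                    "Consumer": 'CommandLineEventConsumer.Name="UpdConsumer"',
                    "Filter": '__EventFilter.Name="UpdFilter"'}),
    make_event(20, {"UtcTime": "2024-01-15 11:30:00.000", "Operation": "Created",
                    "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer",
                    "Type": "Event Log", "Destination": ""}),
    make_event(21, {"UtcTime": "2024-01-15 11:30:01.000", "Operation": "Created",
                    "User": "NT AUTHORITY\\SYSTEM",
                    "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
                    "Filter": '__EventFilter.Name="SCM Event Log Filter"'}),
]


def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) for one Sysmon record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def correlate(records):
    """Join filters (19) and consumers (20) to each binding (21) and rate the risk."""
    # Sort by UtcTime so a binding is always seen after the objects it references.
    parsed = sorted((parse_event(x) for x in records), key=lambda p: p[2].get("UtcTime", ""))
    filters, consumers, findings = {}, {}, []
    for event_id, computer, d in parsed:
        if event_id == 19:
            filters[d["Name"]] = d
        elif event_id == 20:
            consumers[d["Name"]] = d
        elif event_id == 21:
            filter_name = _NAME_RE.search(d["Filter"]).group(1)
            consumer_name = _NAME_RE.search(d["Consumer"]).group(1)
            flt, con = filters.get(filter_name, {}), consumers.get(consumer_name, {})
            ctype = con.get("Type", "unknown")
            if ctype in EXECUTING_CONSUMER_TYPES:
                risk = "Critical"  # filter-triggered command or script execution
            elif not con:
                risk = "Medium"    # binding without a seen consumer event: enumerate on host
            else:
                risk = "Low"
            date = d["UtcTime"][:10].replace("-", "")
            findings.append({
                "hunt_id": f"TH-WMI-{date}-{len(findings) + 1:03d}",
                "host": computer, "user": d.get("User", ""),
                "filter": filter_name, "consumer": consumer_name, "consumer_type": ctype,
                "query": flt.get("Query", ""), "command": con.get("Destination", ""),
                "risk": risk,
            })
    return findings


def format_finding(f):
    """Render one finding in the skill's hunt-report layout."""
    action = ("Remove the subscription; investigate lateral movement"
              if f["risk"] == "Critical" else "Verify the subscription is expected")
    return "\n".join([
        f"Hunt ID: {f['hunt_id']}", "Technique: T1546.003", f"Host: {f['host']}",
        "Event Type: Binding", f"Consumer Type: {f['consumer_type']}",
        f"WQL Query: {f['query']}", f"Command: {f['command']}",
        f"Risk Level: {f['risk']}", f"Recommended Action: {action}",
    ])


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(format_finding(finding), end="\n\n")
```

In practice the records come from `Get-WinEvent` on the Sysmon operational log or from the SIEM; the correlation key is the binding, because a filter or consumer created without a binding does nothing, while a binding to a "Command Line" or "Script" consumer is the case the template rates Critical.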