Skill

detecting-wmi-persistence

From asi

Detects WMI event subscription persistence (MITRE T1546.003) by analyzing Sysmon Event IDs 19, 20, 21 for malicious EventFilters, Consumers, and Bindings. For threat hunting and incident response on Windows.

Powershell

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)

SKILL.md

Similar Skills

detecting-wmi-persistence

5.9k

Detects WMI event subscription persistence (T1546.003) by analyzing Sysmon Event IDs 19, 20, 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding in threat hunts.

3 files

cybersecurity-skills

detecting-wmi-persistence

Detects WMI event subscription persistence (MITRE T1546.003) by analyzing Sysmon events ID 19, 20, 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creations. For threat hunting and incident response.

3 files

cybersecurity-skills-zh

hunting-for-persistence-via-wmi-subscriptions

Hunts for adversary persistence via WMI event subscriptions in Windows by monitoring Sysmon events 19/20/21, consumer types, and bindings. Ideal for threat hunting and incident response on endpoints.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Detecting WMI Persistence

When to Use

When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
After detecting suspicious WMI activity in endpoint telemetry
During incident response to identify attacker persistence mechanisms
When Sysmon alerts trigger on Event IDs 19, 20, or 21
During purple team exercises testing WMI-based persistence

Prerequisites

Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21)
Windows Security Event Log forwarding configured
SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
PowerShell access for WMI enumeration on endpoints
Sysinternals Autoruns for manual WMI subscription review

Workflow

Collect Telemetry: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter).
Identify Suspicious Consumers: Flag CommandLineEventConsumer and ActiveScriptEventConsumer types executing code.
Analyze Event Filters: Examine WQL queries in EventFilters for process start triggers or timer-based execution.
Correlate Bindings: Match FilterToConsumerBindings linking suspicious filters to consumers.
Check Persistence Locations: Query WMI namespaces root\subscription and root\default for active subscriptions.
Validate Findings: Cross-reference with known-good WMI subscriptions (SCCM, AV products).
Document and Remediate: Remove malicious subscriptions and update detection rules.

Key Concepts

Concept	Description
Sysmon Event 19	WmiEventFilter creation detected
Sysmon Event 20	WmiEventConsumer creation detected
Sysmon Event 21	WmiEventConsumerToFilter binding detected
T1546.003	Event Triggered Execution: WMI Event Subscription
CommandLineEventConsumer	Executes system commands when filter triggers
ActiveScriptEventConsumer	Runs VBScript/JScript when filter triggers

Tools & Systems

Tool	Purpose
Sysmon	Windows event monitoring for WMI activity
WMI Explorer	GUI tool for browsing WMI namespaces
Autoruns	Sysinternals tool listing persistence mechanisms
PowerShell Get-WMIObject	Enumerate WMI event subscriptions
Splunk	SIEM analysis of Sysmon WMI events
Velociraptor	Endpoint WMI artifact collection

Output Format

Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [Hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [Filter query text]
Command: [Executed command or script]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Remove subscription, investigate lateral movement]