Skill

hunting-for-lateral-movement-via-wmi

From asi

Detects WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 logs for WmiPrvSE.exe child processes, remote execution, and event subscription persistence.

Python

Powershell

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Windows Management Instrumentation (WMI) is commonly abused for lateral movement via `wmic process call create` or Win32_Process.Create() to execute commands on remote hosts. Detection focuses on identifying WmiPrvSE.exe spawning child processes (cmd.exe, powershell.exe) in Windows Security Event ID 4688 and Sysmon Event ID 1 logs, along with WMI-Activity/Operational events (5857, 5860, 5861) f...

SKILL.md

Similar Skills

hunting-for-lateral-movement-via-wmi

5.9k

Hunts WMI-based lateral movement by parsing Windows Event 4688, Sysmon Event 1, and WMI logs for WmiPrvSE.exe children, remote execution, and persistence. For SOC threat hunting.

3 files

cybersecurity-skills

hunting-for-lateral-movement-via-wmi

Detects WMI-based lateral movement by analyzing Windows event ID 4688 process creations, Sysmon ID 1 WmiPrvSE.exe child processes, remote executions, and event subscription persistence in logs.

3 files

cybersecurity-skills-zh

detecting-wmi-persistence

Detects WMI event subscription persistence (MITRE T1546.003) by analyzing Sysmon Event IDs 19, 20, 21 for malicious EventFilters, Consumers, and Bindings. For threat hunting and incident response on Windows.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Hunting for Lateral Movement via WMI

Overview

Windows Management Instrumentation (WMI) is commonly abused for lateral movement via wmic process call create or Win32_Process.Create() to execute commands on remote hosts. Detection focuses on identifying WmiPrvSE.exe spawning child processes (cmd.exe, powershell.exe) in Windows Security Event ID 4688 and Sysmon Event ID 1 logs, along with WMI-Activity/Operational events (5857, 5860, 5861) for event subscription persistence.

When to Use

When investigating security incidents that require hunting for lateral movement via wmi

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Windows Security Event Logs with Process Creation auditing enabled (Event 4688 with command line)

Sysmon installed with Event ID 1 (Process Creation) configured

Python 3.9+ with python-evtx, lxml libraries

Understanding of WMI architecture and WmiPrvSE.exe behavior

Steps

Step 1: Parse Process Creation Events

Extract Event ID 4688 and Sysmon Event 1 entries from EVTX files.

Step 2: Detect WmiPrvSE Child Processes

Flag processes where ParentImage/ParentProcessName is WmiPrvSE.exe, indicating remote WMI execution.

Step 3: Analyze Command Line Patterns

Identify suspicious command lines matching WMI lateral movement patterns (cmd.exe /q /c, output redirection to admin$ share).

Step 4: Check WMI Event Subscriptions

Parse WMI-Activity/Operational log for event consumer creation indicating persistence.

Expected Output

JSON report with WMI-spawned processes, suspicious command lines, WMI event subscription alerts, and timeline of lateral movement activity.