SKILL

Detecting Wmi Persistence

Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.

Published by @mukul975·0 agent reads / 30d·0 saves·

Detecting WMI Persistence

When to Use

  • When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
  • After detecting suspicious WMI activity in endpoint telemetry
  • During incident response to identify attacker persistence mechanisms
  • When Sysmon alerts trigger on Event IDs 19, 20, or 21
  • During purple team exercises testing WMI-based persistence

Prerequisites

  • Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21)
  • Windows Security Event Log forwarding configured
  • SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
  • PowerShell access for WMI enumeration on endpoints
  • Sysinternals Autoruns for manual WMI subscription review

Workflow

  1. Collect Telemetry: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter).
  2. Identify Suspicious Consumers: Flag CommandLineEventConsumer and ActiveScriptEventConsumer types executing code.
  3. Analyze Event Filters: Examine WQL queries in EventFilters for process start triggers or timer-based execution.
  4. Correlate Bindings: Match FilterToConsumerBindings linking suspicious filters to consumers.
  5. Check Persistence Locations: Query WMI namespaces root\subscription and root\default for active subscriptions.
  6. Validate Findings: Cross-reference with known-good WMI subscriptions (SCCM, AV products).
  7. Document and Remediate: Remove malicious subscriptions and update detection rules.

Key Concepts

ConceptDescription
Sysmon Event 19WmiEventFilter creation detected
Sysmon Event 20WmiEventConsumer creation detected
Sysmon Event 21WmiEventConsumerToFilter binding detected
T1546.003Event Triggered Execution: WMI Event Subscription
CommandLineEventConsumerExecutes system commands when filter triggers
ActiveScriptEventConsumerRuns VBScript/JScript when filter triggers

Tools & Systems

ToolPurpose
SysmonWindows event monitoring for WMI activity
WMI ExplorerGUI tool for browsing WMI namespaces
AutorunsSysinternals tool listing persistence mechanisms
PowerShell Get-WMIObjectEnumerate WMI event subscriptions
SplunkSIEM analysis of Sysmon WMI events
VelociraptorEndpoint WMI artifact collection

Output Format

Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [Hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [Filter query text]
Command: [Executed command or script]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Remove subscription, investigate lateral movement]

Bundled with this artifact

5 files

Reference files that ship alongside this artifact. Agents pull these in only when the task needs them.

More on the bench

SKILL0

Devsecops Ssdlc Appsec Cursor Rule

Cursor rules for secure coding, secret handling, dependency hygiene, authentication, authorization, security testing, and compliance documentation.

cybersecurity-soc+1
0
SKILL0

Audit Skills

Expert security auditor for AI Skills and Bundles. Performs non-intrusive static analysis to identify malicious patterns, data leaks, system stability risks, and obfuscated payloads across Windows, macOS, Linux/Unix, and Mobile (Android/iOS).

sickn33 and contributors
cybersecurity-soc+2
0
SKILL0

VibeSec Skill

This skill helps Claude write secure web applications. Use this when working on any web application or when a user requests a scan or audit to ensure security best practices are followed.

BehiSecc
cybersecurity-soc+2
0