hunting-for-lateral-movement-via-wmi

Solid

Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
92
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Hunting for Lateral Movement via WMI ## Overview Windows Management Instrumentation (WMI) is commonly abused for lateral movement via `wmic process call create` or Win32_Process.Create() to execute commands on remote hosts. Detection focuses on identifying WmiPrvSE.exe spawning child processes (cmd.exe, powershell.exe) in Windows Security Event ID 4688 and Sysmon Event ID 1 logs, along with WMI-Activity/Operational events (5857, 5860, 5861) for event subscription persistence. ## When to Use - When investigating security incidents that require hunting for lateral movement via wmi - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Windows Security Event Logs with Process Creation auditing enabled (Event 4688 with command line) - Sysmon installed with Event ID 1 (Process Creation) configured - Python 3.9+ with `python-evtx`, `lxml` libraries - Understanding of WMI architecture and WmiPrvSE.exe behavior ## Steps ### Step 1: Parse Process Creation Events Extract Event ID 4688 and Sysmon Event 1 entries from EVTX files. ### Step 2: Detect WmiPrvSE Child Processes Flag processes where ParentImage/ParentProcessName is WmiPrvSE.exe, indicating remote WMI execution. ### Step 3: Analyze Command Line Patterns Identify suspicious command lines matching WMI lateral movement patterns (cmd.exe...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

hunting-for-dcom-lateral-movement

Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships.

12,642 Updated today
mukul975
AI & Automation Featured

performing-lateral-movement-with-wmiexec

Perform lateral movement across Windows networks using WMI-based remote execution techniques including Impacket wmiexec.py, CrackMapExec, and native WMI commands for stealthy post-exploitation during red team engagements.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-lateral-movement-with-splunk

Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-persistence-via-wmi-subscriptions

Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI consumer, filter, and binding creation events that execute malicious code triggered by system events.

12,642 Updated today
mukul975
AI & Automation Featured

performing-lateral-movement-detection

Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques.

12,642 Updated today
mukul975