hunting-for-persistence-via-wmi-subscriptions

Featured

Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI consumer, filter, and binding creation events that execute malicious code triggered by system events.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Hunting for Persistence via WMI Subscriptions ## When to Use - When proactively searching for fileless persistence mechanisms in Windows environments - After threat intelligence reports indicate WMI-based persistence by APT groups (APT29, APT32, FIN8) - When investigating systems where malware persists across reboots despite cleanup attempts - During incident response when standard persistence locations (Run keys, scheduled tasks) are clean - When WmiPrvSe.exe is observed spawning unexpected child processes ## Prerequisites - Sysmon Event ID 19, 20, 21 (WMI Event Filter/Consumer/Binding) enabled - Windows Event ID 5861 (WMI activity logging) from Microsoft-Windows-WMI-Activity - PowerShell logging enabled (Script Block Logging, Module Logging) - WMI repository access for enumeration - SIEM platform for event correlation ## Workflow 1. **Enumerate Existing WMI Subscriptions**: Query all permanent WMI event subscriptions on target systems. A clean system typically has very few or zero permanent subscriptions, making anomalies easy to spot. 2. **Monitor WMI Event Creation (Sysmon 19/20/21)**: Sysmon Event 19 captures WmiEventFilter activity, Event 20 captures WmiEventConsumer activity, and Event 21 captures WmiEventConsumerToFilter binding. 3. **Analyze Consumer Types**: Focus on ActiveScriptEventConsumer (runs VBScript/JScript) and CommandLineEventConsumer (executes commands) -- these are the dangerous types used for persistence. 4. **Check Event Filter Triggers**: Exam...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-wmi-persistence

Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-persistence-mechanisms-in-windows

Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.

12,642 Updated today
mukul975
AI & Automation Solid

hunting-for-lateral-movement-via-wmi

Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-scheduled-task-persistence

Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task actions, and unusual scheduling patterns.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-registry-persistence-mechanisms

Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and COM hijacking in Windows environments.

12,642 Updated today
mukul975