Detects WMI event subscription persistence (MITRE T1546.003) by analyzing Sysmon Event IDs 19, 20 and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creations. For threat hunting and incident response.
Slash command: /cybersecurity-skills-zh:detecting-wmi-persistence
- When hunting WMI event subscription persistence (MITRE ATT&CK T1546.003)
| Concept | Description |
|---|---|
| Sysmon Event 19 | WmiEventFilter creation detected |
| Sysmon Event 20 | WmiEventConsumer creation detected |
| Sysmon Event 21 | WmiEventConsumerToFilter binding detected |
| T1546.003 | Event Triggered Execution: WMI Event Subscription |
| CommandLineEventConsumer | Executes a system command when the filter fires |
| ActiveScriptEventConsumer | Runs VBScript/JScript when the filter fires |
| Tool | Purpose |
|---|---|
| Sysmon | Windows event monitoring of WMI activity |
| WMI Explorer | GUI tool for browsing WMI namespaces |
| Autoruns | Sysinternals tool that lists persistence mechanisms |
| PowerShell Get-WMIObject | Enumerate WMI event subscriptions |
| Splunk | SIEM analysis of Sysmon WMI events |
| Velociraptor | Endpoint collection of WMI artifacts |
Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [filter query text]
Command: [command or script executed]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Remove subscription, investigate lateral movement]
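The concept and tool tables above describe the three Sysmon events that, taken together, reveal a WMI subscription, and the hunt-note template shows what an analyst wants to record for each one. The following is an added example (not part of the skill or its repository) that joins the three event types into one record per binding, so the WQL trigger and the consumer's command land in the same hunt note. It is written in Python so it can be run offline against exported events; the XML field names (`Name`, `Query`, `Type`, `Destination`, `Consumer`, `Filter`) and the quoted-name format follow Sysmon's WmiEvent schema as the editor understands it, the `SUSPICIOUS` substring list is a constructed heuristic rather than a vetted signature set, and the sample events are constructed, not real telemetry.

```python
"""Correlate Sysmon WMI events (IDs 19/20/21) into T1546.003 hunt records.

Added example, not the skill's own code. Field names are assumed to follow
Sysmon's WmiEvent schema; SAMPLE_EVENTS are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed heuristic: substrings in a consumer's command/script that raise
# the rating to Critical. Not a vetted signature set.
SUSPICIOUS = ("powershell", "-enc", "cmd.exe", "wscript", "cscript",
              "mshta", "rundll32", "regsvr32", "downloadstring", "iex")

# Map Sysmon's consumer Type text (assumed) onto the template's vocabulary.
CONSUMER_TYPE = {"Command Line": "CommandLine", "Script": "ActiveScript"}

# Constructed sample events: one filter, one consumer, one binding joining
# them, and one binding whose consumer creation was never observed.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>19</EventID><Computer>WS01.corp.example</Computer></System>
    <EventData><Data Name="EventType">WmiFilterEvent</Data>
    <Data Name="Operation">Created</Data><Data Name="User">CORP\\jdoe</Data>
    <Data Name="EventNamespace">root\\cimv2</Data><Data Name="Name">"Updater"</Data>
    <Data Name="Query">SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240</Data>
    </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>20</EventID><Computer>WS01.corp.example</Computer></System>
    <EventData><Data Name="EventType">WmiConsumerEvent</Data>
    <Data Name="Operation">Created</Data><Data Name="User">CORP\\jdoe</Data>
    <Data Name="Name">"Updater"</Data><Data Name="Type">Command Line</Data>
    <Data Name="Destination">powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Data>
    </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>21</EventID><Computer>WS01.corp.example</Computer></System>
    <EventData><Data Name="EventType">WmiBindingEvent</Data>
    <Data Name="Operation">Created</Data><Data Name="User">CORP\\jdoe</Data>
    <Data Name="Consumer">CommandLineEventConsumer.Name="Updater"</Data>
    <Data Name="Filter">__EventFilter.Name="Updater"</Data>
    </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>21</EventID><Computer>WS01.corp.example</Computer></System>
    <EventData><Data Name="EventType">WmiBindingEvent</Data>
    <Data Name="Operation">Created</Data><Data Name="User">CORP\\jdoe</Data>
    <Data Name="Consumer">CommandLineEventConsumer.Name="Orphan"</Data>
    <Data Name="Filter">__EventFilter.Name="Updater"</Data>
    </EventData></Event>""",
]


def parse_event(xml_text):
    """Return {'event_id', 'host', <each Data Name= field>} for one Sysmon event."""
    root = ET.fromstring(xml_text)
    rec = {"event_id": int(root.find("e:System/e:EventID", NS).text),
           "host": root.find("e:System/e:Computer", NS).text}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = (d.text or "").strip()
    return rec


def _bare_name(value):
    """Sysmon quotes names ('"Updater"', 'CommandLineEventConsumer.Name="Updater"');
    return the bare name so filters, consumers and bindings join on the same key."""
    m = re.search(r'"([^"]*)"', value)
    return m.group(1) if m else value


def risk_level(consumer):
    """Critical: CLI/script consumer invoking suspicious tooling; High: any
    CLI/script consumer; Medium: other consumer types or consumer not observed."""
    if consumer is None:
        return "Medium"
    if consumer.get("Type") in CONSUMER_TYPE:
        payload = consumer.get("Destination", "").lower()
        return "Critical" if any(s in payload for s in SUSPICIOUS) else "High"
    return "Medium"


def correlate(events):
    """Join filter (19) and consumer (20) events onto each binding (21)."""
    filters = {_bare_name(e["Name"]): e for e in events if e["event_id"] == 19}
    consumers = {_bare_name(e["Name"]): e for e in events if e["event_id"] == 20}
    records = []
    for ev in (e for e in events if e["event_id"] == 21):
        cons = consumers.get(_bare_name(ev["Consumer"]))
        filt = filters.get(_bare_name(ev["Filter"]))
        records.append({
            "host": ev["host"], "user": ev.get("User", ""),
            "consumer_type": CONSUMER_TYPE.get(cons["Type"], cons["Type"]) if cons else "Unknown",
            "wql": filt["Query"] if filt else "<filter creation not observed>",
            "command": cons["Destination"] if cons else "<consumer creation not observed>",
            "risk": risk_level(cons),
        })
    return records


def format_hunt_record(rec, date, seq):
    """Render one correlated record in the hunt-note layout used above."""
    action = ("Remove subscription, investigate lateral movement"
              if rec["risk"] in ("Critical", "High") else "Review and document")
    return "\n".join([f"Hunt ID: TH-WMI-{date}-{seq:03d}", "Technique: T1546.003",
                      f"Host: {rec['host']}", "Event Type: Binding",
                      f"Consumer Type: {rec['consumer_type']}", f"WQL Query: {rec['wql']}",
                      f"Command: {rec['command']}", f"Risk Level: {rec['risk']}",
                      f"Recommended Action: {action}"])


if __name__ == "__main__":
    for i, r in enumerate(correlate([parse_event(x) for x in SAMPLE_EVENTS]), 1):
        print(format_hunt_record(r, "20240101", i), "\n")
```

Keying the records on the binding matters: a filter or consumer created on its own does nothing, and it is the binding (Event 21) that completes the persistence, so an orphan binding whose consumer creation was never logged still deserves a record (here rated Medium with the gap noted) rather than being dropped by an inner join.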
npx claudepluginhub killvxk/cybersecurity-skills-zh