Hunts WMI event subscription persistence (MITRE T1546.003) in Windows via Sysmon events 19/20/21, PowerShell enumeration of filters/consumers/bindings, Splunk queries, and KQL for WmiPrvSe.exe spawns.
Slash command: /cybersecurity-skills-zh:hunting-for-persistence-via-wmi-subscriptions
- When proactively hunting for fileless persistence mechanisms in a Windows environment
- Use of mofcomp.exe, which compiles MOF files to create WMI subscriptions programmatically

| Concept | Description |
|---|---|
| T1546.003 | Event Triggered Execution: WMI Event Subscription |
| __EventFilter | WMI class that defines the trigger condition (a WQL query in a given namespace) |
| __EventConsumer | Abstract WMI class from which every consumer type (the action to run) derives |
| __FilterToConsumerBinding | Links a filter to a consumer; only a bound pair is a live subscription |
| ActiveScriptEventConsumer | Consumer that runs VBScript or JScript |
| CommandLineEventConsumer | Consumer that executes a command line |
| WmiPrvSe.exe | WMI provider host; the parent process of whatever a subscription executes |
| MOF file | Managed Object Format file used to define WMI objects, compiled with mofcomp.exe |
Sysmon events 19 (filter), 20 (consumer) and 21 (binding). Event 19 carries EventNamespace, Name and Query; event 20 carries Name, Type (the consumer kind, e.g. "Command Line" or "Script") and Destination (the command line or script text); event 21 carries Consumer and Filter as object paths:

```spl
index=sysmon (EventCode=19 OR EventCode=20 OR EventCode=21)
| eval event_type=case(EventCode=19, "EventFilter", EventCode=20, "EventConsumer", EventCode=21, "FilterToConsumerBinding")
| table _time Computer User event_type Operation EventNamespace Name Query Type Destination Consumer Filter
```
WMI-Activity/Operational event 5861 is logged when a permanent event consumer binding is registered, independently of Sysmon. Its message embeds the namespace, the filter query and the consumer definition, so keep `_raw` in the output in case your add-on does not extract those fields:

```spl
index=wineventlog source="Microsoft-Windows-WMI-Activity/Operational" EventCode=5861
| table _time Computer NamespaceName Operation PossibleCause _raw
```
Live enumeration on a host (Windows PowerShell 5.1; on PowerShell 7 use `Get-CimInstance -Namespace root/subscription -ClassName ...` with the same class names). Querying the abstract __EventConsumer class returns instances of every derived consumer class:

```powershell
# Filters: the trigger condition
Get-WmiObject -Namespace root\subscription -Class __EventFilter | Select-Object Name, EventNamespace, Query
# Consumers: the action; __CLASS shows the concrete consumer type, payload properties are class-specific
Get-WmiObject -Namespace root\subscription -Class __EventConsumer | Select-Object Name, __CLASS, CommandLineTemplate, ScriptText
# Bindings: which filter drives which consumer (only bound pairs are live subscriptions)
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | Select-Object Filter, Consumer
```
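The three queries above list filters, consumers and bindings separately, so the hunter still has to join them by hand. The following script is an added example (not code from the skill or its author): it walks every __FilterToConsumerBinding, resolves the filter and consumer it references, extracts the class-specific payload, and attaches triage flags. The suspicious-substring list, the flag names and the treatment of the default Windows "SCM Event Log Filter" binding as expected are assumptions to tune per environment.

```powershell
# Added example, not code from the original skill. Resolves each __FilterToConsumerBinding in
# root\subscription to its __EventFilter and consumer object so every subscription is reviewed as one
# chain (trigger -> action). Needs local admin on most hosts; runs on Windows PowerShell 5.1 and PowerShell 7.

# Substrings worth a second look in consumer payloads (assumed starting list, extend for your estate).
$SuspiciousPayloadPatterns = @(
    'powershell', '-enc', '-e ', 'FromBase64String', 'DownloadString', 'DownloadFile',
    'IEX', 'Invoke-Expression', 'mshta', 'rundll32', 'regsvr32', 'wscript', 'cscript',
    'certutil', 'bitsadmin', 'http://', 'https://', '\Temp\', '\AppData\', '\Public\'
)

function Get-WmiSubscriptionChain {
    [CmdletBinding()]
    param(
        # Remote host via CIM/WinRM; omit for the local machine.
        [string]$ComputerName
    )

    $cimArgs = @{ Namespace = 'root\subscription'; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

    $filters   = @(Get-CimInstance @cimArgs -ClassName __EventFilter)
    $consumers = @(Get-CimInstance @cimArgs -ClassName __EventConsumer)   # abstract base: returns every consumer subclass
    $bindings  = @(Get-CimInstance @cimArgs -ClassName __FilterToConsumerBinding)

    foreach ($binding in $bindings) {
        # Filter/Consumer are reference properties; CIM returns the referenced object's key property (Name).
        # Fall back to parsing the textual object path (e.g. __EventFilter.Name="X") if only a string is available.
        $filterName   = $binding.Filter.Name
        $consumerName = $binding.Consumer.Name
        if (-not $filterName   -and "$($binding.Filter)"   -match 'Name\s*=\s*"([^"]+)"') { $filterName   = $Matches[1] }
        if (-not $consumerName -and "$($binding.Consumer)" -match 'Name\s*=\s*"([^"]+)"') { $consumerName = $Matches[1] }

        $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1
        $consumerClass = if ($consumer) { $consumer.CimClass.CimClassName } else { 'MISSING' }

        # The action text lives in a class-specific property.
        $payload = switch ($consumerClass) {
            'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { "file: $($consumer.ScriptFileName)" } }
            default                     { '' }
        }

        $flags = [System.Collections.Generic.List[string]]::new()
        if ($consumerClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { $flags.Add('executes-code') }
        if ($SuspiciousPayloadPatterns | Where-Object { $payload -like "*$_*" }) { $flags.Add('suspicious-payload') }
        if (-not $filter -or -not $consumer) { $flags.Add('dangling-binding') }
        # Windows ships one binding by default: SCM Event Log Filter -> SCM Event Log Consumer (NTEventLogEventConsumer).
        if ($filterName -eq 'SCM Event Log Filter' -and $consumerClass -eq 'NTEventLogEventConsumer') { $flags.Add('windows-default') }

        [pscustomobject]@{
            Computer       = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
            Filter         = $filterName
            EventNamespace = $filter.EventNamespace
            Query          = $filter.Query
            Consumer       = $consumerName
            ConsumerClass  = $consumerClass
            Payload        = $payload
            Flags          = ($flags -join ',')
        }
    }
}

# Usage: every chain first, then only those that need a human look.
$chains = Get-WmiSubscriptionChain
$chains | Format-List
$chains | Where-Object { $_.Flags -match 'executes-code|suspicious-payload|dangling-binding' -and $_.Flags -notmatch 'windows-default' } |
    Format-Table Computer, Filter, ConsumerClass, Payload, Flags -AutoSize
```

A binding whose filter or consumer no longer exists ("dangling-binding") is itself worth noting: it usually means an operator or a cleanup script removed part of a subscription and left the rest behind. Treat any chain that executes code and is not the Windows default as a finding until the owning application is identified.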
Microsoft Defender for Endpoint (KQL): interpreters and LOLBins spawned by the WMI provider host, which is how a CommandLineEventConsumer or ActiveScriptEventConsumer payload actually runs:

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
```
Sigma rule. In Sysmon event 20 the consumer kind is in the `Type` field ("Command Line" for CommandLineEventConsumer, "Script" for ActiveScriptEventConsumer) and `Destination` holds the command line or script text, so the match must be on `Type`, not on the consumer class name in `Destination`:

```yaml
title: WMI Event Subscription Persistence
status: stable
logsource:
    product: windows
    category: wmi_event
detection:
    selection_consumer:
        EventID: 20
        # Sysmon EID 20: Type = consumer kind, Destination = command/script payload
        Type|contains:
            - 'Command'
            - 'Script'
    condition: selection_consumer
level: high
tags:
    - attack.persistence
    - attack.t1546.003
```
compiled with mofcomp.exe, silently creating a persistent subscription.

Hunt ID: TH-WMI-[date]-[sequence]
Host: [hostname]
Subscription name: [filter/consumer name]
Filter query: [WQL trigger condition]
Consumer type: [ActiveScript/CommandLine]
Consumer action: [script content or command]
Binding: [filter-to-consumer link]
Creation time: [timestamp]
User context: [SYSTEM/user]
Risk level: [Critical/High/Medium/Low]
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh