From cybersecurity-skills
Hunts for adversary persistence via WMI event subscriptions by analyzing Sysmon events 19/20/21, WMI activity logs, and WmiPrvSe.exe child processes to detect malicious event consumer and filter creation.
Slash command: /cybersecurity-skills:hunting-for-persistence-via-wmi-subscriptions
- When proactively searching for fileless persistence mechanisms in Windows environments
mofcomp.exe usage, which compiles MOF files to create WMI subscriptions programmatically.

| Concept | Description |
|---|---|
| T1546.003 | Event Triggered Execution: WMI Event Subscription |
| __EventFilter | WMI class defining the trigger condition |
| __EventConsumer | WMI class defining the action to perform |
| __FilterToConsumerBinding | Links a filter to a consumer |
| ActiveScriptEventConsumer | Consumer that runs VBScript or JScript |
| CommandLineEventConsumer | Consumer that executes command lines |
| WmiPrvSe.exe | WMI Provider Host that executes subscription actions |
| MOF File | Managed Object Format used to define WMI objects |
Splunk search for Sysmon WMI events 19/20/21 (filter, consumer and binding creation):

```spl
index=sysmon (EventCode=19 OR EventCode=20 OR EventCode=21)
| eval event_type=case(EventCode=19, "EventFilter", EventCode=20, "EventConsumer", EventCode=21, "FilterToConsumerBinding")
| table _time Computer User event_type EventNamespace Name Query Destination Operation
```
Splunk search for WMI-Activity operational log event 5861 (registration of a new permanent event consumer):

```spl
index=wineventlog source="Microsoft-Windows-WMI-Activity/Operational" EventCode=5861
| table _time Computer NamespaceName Operation PossibleCause
```
Enumerate the subscription namespace directly on a host (PowerShell):

```powershell
Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class __EventConsumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
```
Microsoft Defender advanced hunting query for WmiPrvSe.exe spawning command and script interpreters:

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine
```
Sigma rule:

```yaml
title: WMI Event Subscription Persistence
status: stable
logsource:
    product: windows
    category: wmi_event
detection:
    selection_consumer:
        EventID: 20
        Destination|contains:
            - 'ActiveScriptEventConsumer'
            - 'CommandLineEventConsumer'
    condition: selection_consumer
level: high
tags:
    - attack.persistence
    - attack.t1546.003
```
mofcomp.exe to silently create persistent subscriptions.

Hunt record template:

```text
Hunt ID: TH-WMI-[DATE]-[SEQ]
Host: [Hostname]
Subscription Name: [Filter/Consumer name]
Filter Query: [WQL trigger condition]
Consumer Type: [ActiveScript/CommandLine]
Consumer Action: [Script content or command]
Binding: [Filter-to-Consumer link]
Created: [Timestamp]
User Context: [SYSTEM/User]
Risk Level: [Critical/High/Medium/Low]
```
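To show how the Sysmon 19/20/21 events from the Splunk search above are tied together into the hunt record template, here is an added Python example; it is not code from the cybersecurity-skills project. The event records it processes are constructed to follow Sysmon's WmiEvent field names (Name, Query, Destination, Consumer, Filter); the hosts, subscription names, commands and the risk-scoring heuristics are assumptions of the example.

```python
"""Correlate Sysmon WMI events 19/20/21 into hunt records.

Added example for this page, not code from the cybersecurity-skills project.
SAMPLE_EVENTS is constructed: field names follow Sysmon's WmiEvent schema
(EventID 19 filter, 20 consumer, 21 binding); hosts, names and commands are made up.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Consumer classes that execute attacker-controlled code (the two the page hunts).
EXECUTING_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
# Triage heuristics (assumed for this example): action content that raises the risk level.
SUSPICIOUS_PATTERNS = [r"powershell(\.exe)?\s", r"-enc(odedcommand)?\b", r"\bcmd(\.exe)?\s+/c",
                       r"\b(mshta|rundll32|regsvr32|wscript|cscript)\b",
                       r"DownloadString|WebClient|Invoke-Expression|\biex\b"]

SAMPLE_EVENTS = [  # constructed records, shaped like the rows the Sysmon SPL search returns
    {"EventID": 19, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM", "Name": "Updater",
     "EventNamespace": "root\\cimv2", "Operation": "Created", "UtcTime": "2024-01-01 10:00:00.000",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM", "Name": "Updater",
     "Type": "Command Line", "Operation": "Created", "UtcTime": "2024-01-01 10:00:01.000",
     "Destination": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"EventID": 21, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM", "Operation": "Created",
     "UtcTime": "2024-01-01 10:00:02.000",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"', "Filter": '__EventFilter.Name="Updater"'},
    # Windows' own SCM event-log subscription: present by default, consumer does not run code.
    {"EventID": 19, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Filter",
     "EventNamespace": "root\\cimv2", "Operation": "Created", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer",
     "Type": "NTEventLog", "Operation": "Created", "Destination": ""},
    {"EventID": 21, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM", "Operation": "Created",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    # Binding whose filter/consumer events never reached the SIEM (log gap): still reported.
    {"EventID": 21, "Computer": "WS03", "User": "CORP\\svc_backup", "Operation": "Created",
     "Consumer": 'ActiveScriptEventConsumer.Name="Cleanup"', "Filter": '__EventFilter.Name="Cleanup"'},
]

@dataclass
class Finding:
    host: str
    user: str
    created: str
    filter_name: str
    filter_query: str
    consumer_class: str
    consumer_action: str
    binding: str
    risk: str

def parse_object_path(path: str) -> tuple[str, str]:
    """'CommandLineEventConsumer.Name="Updater"' (the EventID 21 form) -> (class, name)."""
    m = re.match(r'^(\w+)\.Name="([^"]*)"$', path.strip())
    return (m.group(1), m.group(2)) if m else ("", path.strip())

def risk_level(consumer_class: str, action: str | None) -> str:
    """Rating for the template's 'Risk Level' field; action=None means the consumer event was not seen."""
    if consumer_class not in EXECUTING_CONSUMERS:
        return "Low"        # log-file / event-log consumers do not execute code
    if action is None:
        return "High"       # executing consumer whose payload could not be retrieved: needs host triage
    hits = sum(1 for p in SUSPICIOUS_PATTERNS if re.search(p, action, re.IGNORECASE))
    return "Critical" if hits >= 2 else "High" if hits == 1 else "Medium"

def correlate(events: list[dict]) -> list[Finding]:
    """Join each binding (21) to its filter (19) and consumer (20) on the same host.
    The binding is what makes a subscription live, so it drives the loop; a binding whose
    filter or consumer event is missing is still reported, with the gap marked."""
    filters = {(e["Computer"], e["Name"]): e for e in events if e["EventID"] == 19}
    consumers = {(e["Computer"], e["Name"]): e for e in events if e["EventID"] == 20}
    findings = []
    for b in (e for e in events if e["EventID"] == 21):
        consumer_class, consumer_name = parse_object_path(b["Consumer"])
        _, filter_name = parse_object_path(b["Filter"])
        flt = filters.get((b["Computer"], filter_name))
        con = consumers.get((b["Computer"], consumer_name))
        action = con["Destination"] if con else None
        findings.append(Finding(
            host=b["Computer"], user=b.get("User", "<unknown>"), created=b.get("UtcTime", "<unknown>"),
            filter_name=filter_name, filter_query=flt["Query"] if flt else "<filter event not seen>",
            consumer_class=consumer_class or "<unknown>",
            consumer_action=action if action is not None else "<consumer event not seen>",
            binding=f'{b["Filter"]} -> {b["Consumer"]}', risk=risk_level(consumer_class, action)))
    return findings

def render_hunt_record(f: Finding, hunt_id: str) -> str:
    """Fill the page's hunt record template from one finding."""
    return "\n".join([f"Hunt ID: {hunt_id}", f"Host: {f.host}",
                      f"Subscription Name: {f.filter_name} / {f.consumer_class}",
                      f"Filter Query: {f.filter_query}", f"Consumer Type: {f.consumer_class}",
                      f"Consumer Action: {f.consumer_action}", f"Binding: {f.binding}",
                      f"Created: {f.created}", f"User Context: {f.user}", f"Risk Level: {f.risk}"])

if __name__ == "__main__":
    for i, f in enumerate(correlate(SAMPLE_EVENTS), 1):
        print(render_hunt_record(f, f"TH-WMI-EXAMPLE-{i:03d}"), end="\n\n")
```

The loop is driven by the binding events because a filter or consumer on its own does nothing; only the __FilterToConsumerBinding makes the subscription fire. Keying the join on (host, name) rather than name alone avoids merging unrelated subscriptions that reuse a common name across machines, and the WS03 record shows the case where only the binding reached the SIEM, which is still worth a hunt record rather than being silently dropped.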
Install:

```shell
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills
```

Hunts for adversary persistence via WMI event subscriptions by monitoring Sysmon events 19/20/21 and analyzing ActiveScriptEventConsumer/CommandLineEventConsumer for malicious code execution.
Hunts for adversary persistence via WMI event subscriptions in Windows by monitoring Sysmon events 19/20/21, consumer types, and bindings. Ideal for threat hunting and incident response on endpoints.
Hunts persistence via WMI event subscriptions in Windows using Sysmon EIDs 19/20/21, WMI consumers/filters/bindings, and WmiPrvSe.exe processes. For threat hunting when reboots persist malware.