Agent-Skills.md

Agent Skills: Detecting WMI Persistence

Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.

UncategorizedID: plurigrid/asi/detecting-wmi-persistence

Repository

plurigrid/asi
plurigridLicense: MIT
165

Install this agent skill to your local

pnpm dlx add-skill https://github.com/plurigrid/asi/tree/HEAD/plugins/asi/skills/detecting-wmi-persistence

Skill Files

Browse the full folder contents for detecting-wmi-persistence.

Download Skill

Loading file tree…

plugins/asi/skills/detecting-wmi-persistence/SKILL.md

Skill Metadata

Name
detecting-wmi-persistence
Description
Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.

Detecting WMI Persistence

When to Use

  • When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
  • After detecting suspicious WMI activity in endpoint telemetry
  • During incident response to identify attacker persistence mechanisms
  • When Sysmon alerts trigger on Event IDs 19, 20, or 21
  • During purple team exercises testing WMI-based persistence

Prerequisites

  • Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21)
  • Windows Security Event Log forwarding configured
  • SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
  • PowerShell access for WMI enumeration on endpoints
  • Sysinternals Autoruns for manual WMI subscription review

Workflow

  1. Collect Telemetry: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter).
  2. Identify Suspicious Consumers: Flag CommandLineEventConsumer and ActiveScriptEventConsumer types executing code.
  3. Analyze Event Filters: Examine WQL queries in EventFilters for process start triggers or timer-based execution.
  4. Correlate Bindings: Match FilterToConsumerBindings linking suspicious filters to consumers.
  5. Check Persistence Locations: Query WMI namespaces root\subscription and root\default for active subscriptions.
  6. Validate Findings: Cross-reference with known-good WMI subscriptions (SCCM, AV products).
  7. Document and Remediate: Remove malicious subscriptions and update detection rules.

Key Concepts

| Concept | Description | |---------|-------------| | Sysmon Event 19 | WmiEventFilter creation detected | | Sysmon Event 20 | WmiEventConsumer creation detected | | Sysmon Event 21 | WmiEventConsumerToFilter binding detected | | T1546.003 | Event Triggered Execution: WMI Event Subscription | | CommandLineEventConsumer | Executes system commands when filter triggers | | ActiveScriptEventConsumer | Runs VBScript/JScript when filter triggers |

Tools & Systems

| Tool | Purpose | |------|---------| | Sysmon | Windows event monitoring for WMI activity | | WMI Explorer | GUI tool for browsing WMI namespaces | | Autoruns | Sysinternals tool listing persistence mechanisms | | PowerShell Get-WMIObject | Enumerate WMI event subscriptions | | Splunk | SIEM analysis of Sysmon WMI events | | Velociraptor | Endpoint WMI artifact collection |

Output Format

Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [Hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [Filter query text]
Command: [Executed command or script]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Remove subscription, investigate lateral movement]