Detecting WMI Persistence

When to Use

When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
After detecting suspicious WMI activity in endpoint telemetry
During incident response to identify attacker persistence mechanisms
When Sysmon alerts trigger on Event IDs 19, 20, or 21
During purple team exercises testing WMI-based persistence

Prerequisites

Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21)
Windows Security Event Log forwarding configured
SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
PowerShell access for WMI enumeration on endpoints
Sysinternals Autoruns for manual WMI subscription review

Workflow

Collect Telemetry: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter).
Identify Suspicious Consumers: Flag CommandLineEventConsumer and ActiveScriptEventConsumer types executing code.
Analyze Event Filters: Examine WQL queries in EventFilters for process start triggers or timer-based execution.
Correlate Bindings: Match FilterToConsumerBindings linking suspicious filters to consumers.
Check Persistence Locations: Query WMI namespaces root\subscription and root\default for active subscriptions.
Validate Findings: Cross-reference with known-good WMI subscriptions (SCCM, AV products).
Document and Remediate: Remove malicious subscriptions and update detection rules.

Key Concepts

Concept	Description
Sysmon Event 19	WmiEventFilter creation detected
Sysmon Event 20	WmiEventConsumer creation detected
Sysmon Event 21	WmiEventConsumerToFilter binding detected
T1546.003	Event Triggered Execution: WMI Event Subscription
CommandLineEventConsumer	Executes system commands when filter triggers
ActiveScriptEventConsumer	Runs VBScript/JScript when filter triggers

Tools & Systems

Tool	Purpose
Sysmon	Windows event monitoring for WMI activity
WMI Explorer	GUI tool for browsing WMI namespaces
Autoruns	Sysinternals tool listing persistence mechanisms
PowerShell Get-WMIObject	Enumerate WMI event subscriptions
Splunk	SIEM analysis of Sysmon WMI events
Velociraptor	Endpoint WMI artifact collection

Output Format

Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [Hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [Filter query text]
Command: [Executed command or script]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Remove subscription, investigate lateral movement]

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
NIST 800-53: SI-4 (System Monitoring), IR-4 (Incident Handling), RA-5 (Vulnerability Scanning)
NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring), DE.DP (Detection Processes)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-wmi-persistence

# Or load dynamically via MCP
grc.load_skill("detecting-wmi-persistence")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Detecting WMI Persistence

When to Use

When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003)
After detecting suspicious WMI activity in endpoint telemetry
During incident response to identify attacker persistence mechanisms
When Sysmon alerts trigger on Event IDs 19, 20, or 21
During purple team exercises testing WMI-based persistence

Prerequisites

Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21)
Windows Security Event Log forwarding configured
SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel)
PowerShell access for WMI enumeration on endpoints
Sysinternals Autoruns for manual WMI subscription review

Workflow

Collect Telemetry: Parse Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), 21 (WmiEventConsumerToFilter).
Identify Suspicious Consumers: Flag CommandLineEventConsumer and ActiveScriptEventConsumer types executing code.
Analyze Event Filters: Examine WQL queries in EventFilters for process start triggers or timer-based execution.
Correlate Bindings: Match FilterToConsumerBindings linking suspicious filters to consumers.
Check Persistence Locations: Query WMI namespaces root\subscription and root\default for active subscriptions.
Validate Findings: Cross-reference with known-good WMI subscriptions (SCCM, AV products).
Document and Remediate: Remove malicious subscriptions and update detection rules.

Key Concepts

Concept	Description
Sysmon Event 19	WmiEventFilter creation detected
Sysmon Event 20	WmiEventConsumer creation detected
Sysmon Event 21	WmiEventConsumerToFilter binding detected
T1546.003	Event Triggered Execution: WMI Event Subscription
CommandLineEventConsumer	Executes system commands when filter triggers
ActiveScriptEventConsumer	Runs VBScript/JScript when filter triggers

Tools & Systems

Tool	Purpose
Sysmon	Windows event monitoring for WMI activity
WMI Explorer	GUI tool for browsing WMI namespaces
Autoruns	Sysinternals tool listing persistence mechanisms
PowerShell Get-WMIObject	Enumerate WMI event subscriptions
Splunk	SIEM analysis of Sysmon WMI events
Velociraptor	Endpoint WMI artifact collection

Output Format

Hunt ID: TH-WMI-[DATE]-[SEQ]
Technique: T1546.003
Host: [Hostname]
Event Type: [EventFilter|EventConsumer|Binding]
Consumer Type: [CommandLine|ActiveScript]
WQL Query: [Filter query text]
Command: [Executed command or script]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Remove subscription, investigate lateral movement]

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
NIST 800-53: SI-4 (System Monitoring), IR-4 (Incident Handling), RA-5 (Vulnerability Scanning)
NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring), DE.DP (Detection Processes)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-wmi-persistence

# Or load dynamically via MCP
grc.load_skill("detecting-wmi-persistence")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

MITRE ATT&CK Coverage

Detecting WMI Persistence

When to Use

Prerequisites

Workflow

Key Concepts

Tools & Systems

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Hunting for Lateral Movement Via Wmi

Hunting for Persistence Mechanisms in Windows

Hunting for Registry Persistence Mechanisms

Hunting for Registry Run Key Persistence

Detecting Email Forwarding Rules Attack

Detecting Malicious Scheduled Tasks with Sysmon

Prerequisites

MITRE ATT&CK Coverage

Detecting WMI Persistence

When to Use

Prerequisites

Workflow

Key Concepts

Tools & Systems

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Hunting for Lateral Movement Via Wmi

Hunting for Persistence Mechanisms in Windows

Hunting for Registry Persistence Mechanisms

Hunting for Registry Run Key Persistence

Detecting Email Forwarding Rules Attack

Detecting Malicious Scheduled Tasks with Sysmon