detecting-wmi-persistence
by mukul975
The detecting-wmi-persistence skill helps threat hunters and DFIR analysts detect WMI event subscription persistence in Windows telemetry using Sysmon Event IDs 19, 20, and 21. Use it to identify malicious EventFilter, EventConsumer, and FilterToConsumerBinding activity, validate findings, and separate attacker persistence from benign admin automation.
This skill scores 78/100 and is worth listing: it gives directory users a concrete WMI-persistence hunting workflow, enough context to trigger it correctly, and a supporting script/reference set. It is solid for install decisions, though users should note that it is oriented to Windows/Sysmon environments and focuses on detection rather than end-to-end automated response.
- Clear, specific trigger: hunting WMI event subscription persistence via Sysmon Event IDs 19, 20, and 21.
- Operational workflow is spelled out with prerequisites, suspicious consumer types, and PowerShell/WMI enumeration examples.
- Support files add leverage: a Python agent script and an API reference for Sysmon/WMI fields and commands.
- Requires a fairly specific environment: Sysmon WMI logging, SIEM ingestion, and PowerShell/WMI access on Windows endpoints.
- Installability is somewhat limited by the missing install command and by only moderate workflow signal density beyond the core detection path.
Overview of detecting-wmi-persistence skill
The detecting-wmi-persistence skill helps you hunt for WMI event subscription persistence in Windows telemetry, especially Sysmon Event IDs 19, 20, and 21. It is best for threat hunters, DFIR analysts, and blue teams who need to confirm whether suspicious WMI activity is benign admin automation or attacker persistence.
What detecting-wmi-persistence is for
This detecting-wmi-persistence skill is designed for a specific job: identify malicious EventFilter, EventConsumer, and FilterToConsumerBinding activity tied to MITRE ATT&CK T1546.003. It is most useful when you already have telemetry or an alert and need a fast path from signal to evidence.
Why it is different from a generic prompt
Unlike a broad “check for persistence” prompt, detecting-wmi-persistence gives you a concrete data model: Sysmon logs, WMI namespace queries, suspicious consumer types, and cleanup steps. That makes it more reliable for repeatable investigations and easier to apply in a SIEM or endpoint workflow.
Best-fit users and environments
Use detecting-wmi-persistence if you have Sysmon deployed, Windows event forwarding or SIEM ingestion, and enough access to query root\subscription. It fits hunt engineering, incident response, and purple team validation better than lightweight desktop-only investigations.
How to Use detecting-wmi-persistence skill
Install the detecting-wmi-persistence skill
Install with:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-wmi-persistence
Then open skills/detecting-wmi-persistence/SKILL.md first, followed by references/api-reference.md and scripts/agent.py to understand the event mapping and detection logic.
Start with the right input
detecting-wmi-persistence works best when you provide one of these: a Sysmon event excerpt, a suspicious host name, a time window, or a specific WMI consumer/filter name. A weak request like “check WMI persistence” is slower to act on than “investigate Sysmon Event IDs 19-21 from host X between 02:00 and 06:00 UTC.”
Suggested workflow for threat hunting
For threat hunting with detecting-wmi-persistence, begin with Sysmon Event IDs 19 (EventFilter), 20 (EventConsumer), and 21 (FilterToConsumerBinding), then check whether the consumer is a CommandLineEventConsumer or ActiveScriptEventConsumer, then verify the binding in root\subscription on the host. If you have a candidate filter or consumer name, use it to narrow the hunt before you enumerate everything. Keep in mind that Sysmon only records subscription changes made while it was running, so a binding with no matching 19/20 events still needs direct enumeration rather than being dismissed.
What to read first in the repo
Read references/api-reference.md for event IDs, PowerShell enumeration, and suspicious consumer classes. Read scripts/agent.py if you want to understand how the skill automates collection, what it considers suspicious, and what assumptions it makes about Windows access and telemetry availability.
detecting-wmi-persistence skill FAQ
Is detecting-wmi-persistence only for Sysmon users?
Mostly yes. The skill is built around Sysmon Event IDs 19, 20, and 21, so if you do not have Sysmon WMI logging enabled, the detecting-wmi-persistence skill will be much less effective. You can still use the WMI query ideas, but you will lose the strongest detection path.
Do I need to be a WMI expert to use it?
No. The detecting-wmi-persistence guide is useful for beginners who can provide logs or host context, because it turns a niche persistence check into a structured hunt. You do need enough Windows access to validate subscriptions or work with someone who has it.
When should I not use this skill?
Do not use detecting-wmi-persistence as a general malware triage skill or as a replacement for full endpoint forensic analysis. If the problem is broader than WMI persistence, you may want a more general hunting or IR skill first.
How does it compare to a normal prompt?
A normal prompt usually asks the model to infer the workflow from memory. The detecting-wmi-persistence skill gives you a tighter path: event IDs, likely artifact classes, and repo-backed validation steps, which usually means fewer false starts and better investigation structure.
How to Improve detecting-wmi-persistence skill
Give higher-quality telemetry up front
The biggest improvement for detecting-wmi-persistence is better input. Provide raw Sysmon XML, forwarded event snippets, the host role, and the time range. For example, “Host WS-17, Sysmon 19-21 events, suspicious CommandLineEventConsumer, user context unknown” is far stronger than “I think WMI is weird.”
Separate benign automation from suspicious persistence
A common failure mode is overcalling legitimate admin WMI usage. Improve detecting-wmi-persistence results by telling the skill what normal looks like in your environment: known deployment tools, scheduled management agents, or approved scripts. That context helps the hunt focus on unusual filters, consumers, and bindings.
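The following is an added example, not code from the skill or from the mukul975 repository. It implements the hunting workflow described above (join Sysmon 19/20/21 records, flag CommandLineEventConsumer/ActiveScriptEventConsumer, confirm the binding) and the known-good separation from this section: the caller passes an allowlist of consumer names the environment creates on purpose. The event records are constructed samples shaped after Sysmon's 19/20/21 fields (Operation, Name, Query, Type, Destination, Consumer, Filter); the consumer name InvConsumer and the user names are hypothetical.

```python
"""Correlate Sysmon Event IDs 19/20/21 into per-binding verdicts (added example)."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Windows event XML namespace; the event records further down are constructed samples.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon reports Type "Command Line" for CommandLineEventConsumer and "Script" for
# ActiveScriptEventConsumer; both execute whatever the subscription's creator chose.
SUSPICIOUS_TYPES = {"Command Line", "Script"}
SUSPICIOUS_CLASSES = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Event ID 21 references look like:  CommandLineEventConsumer.Name="Updater"
_REF = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_ref(ref):
    """Split 'Class.Name="X"' into (class, name); unknown shapes keep the raw text."""
    m = _REF.match(ref.strip())
    return (m["cls"], m["name"]) if m else (None, ref.strip())


def triage(events, known_good=frozenset()):
    """Join Created filters (19) and consumers (20) onto bindings (21).

    known_good: caller-supplied allowlist of consumer names your environment
    creates on purpose (deployment tools, inventory agents, approved scripts).
    """
    filters, consumers, bindings = {}, {}, []
    for xml_text in events:
        eid, d = parse_event(xml_text)
        if d.get("Operation") != "Created":  # deletions are a separate hunt
            continue
        if eid == 19:
            filters[d["Name"]] = d
        elif eid == 20:
            consumers[d["Name"]] = d
        elif eid == 21:
            bindings.append(d)

    verdicts = []
    for b in bindings:
        cls, cname = parse_ref(b["Consumer"])
        _, fname = parse_ref(b["Filter"])
        consumer, flt = consumers.get(cname), filters.get(fname)
        reasons, suspicious = [], False
        if cls in SUSPICIOUS_CLASSES:
            reasons.append(f"consumer class {cls}")
            suspicious = True
        if consumer and consumer.get("Type") in SUSPICIOUS_TYPES:
            reasons.append(f"consumer type '{consumer['Type']}'")
            suspicious = True
        # Telemetry gap: the binding was logged but its parts were not (e.g. created
        # before Sysmon ran), so confirm directly in root\subscription on the host.
        if consumer is None:
            reasons.append("no EventID 20 for consumer; enumerate root\\subscription on host")
        if flt is None:
            reasons.append("no EventID 19 for filter; enumerate root\\subscription on host")
        if cname in known_good:
            verdict = "benign-known"
        else:
            verdict = "suspicious" if suspicious else "review"
        verdicts.append({
            "user": b.get("User", ""), "filter": fname,
            "query": (flt or {}).get("Query", ""), "consumer": cname,
            "destination": (consumer or {}).get("Destination", ""),
            "verdict": verdict, "reasons": reasons,
        })
    return verdicts


def _ev(event_id, **fields):
    """Build a Sysmon-shaped event record (constructed sample data, not real telemetry)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


SAMPLE_EVENTS = [  # constructed: one attacker chain, one sanctioned chain, one orphan binding
    _ev(19, Operation="Created", User="CORP\\wsadmin", EventNamespace="root\\cimv2", Name="UpdaterFilter",
        Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"),
    _ev(20, Operation="Created", User="CORP\\wsadmin", Name="Updater", Type="Command Line",
        Destination="powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    _ev(21, Operation="Created", User="CORP\\wsadmin",
        Consumer='CommandLineEventConsumer.Name="Updater"', Filter='__EventFilter.Name="UpdaterFilter"'),
    _ev(19, Operation="Created", User="NT AUTHORITY\\SYSTEM", EventNamespace="root\\cimv2", Name="InvFilter",
        Query="SELECT * FROM __InstanceCreationEvent WITHIN 300 WHERE TargetInstance ISA 'Win32_LogonSession'"),
    _ev(20, Operation="Created", User="NT AUTHORITY\\SYSTEM", Name="InvConsumer", Type="Command Line",
        Destination="C:\\Program Files\\Inventory\\inv.exe --report"),
    _ev(21, Operation="Created", User="NT AUTHORITY\\SYSTEM",
        Consumer='CommandLineEventConsumer.Name="InvConsumer"', Filter='__EventFilter.Name="InvFilter"'),
    _ev(21, Operation="Created", User="CORP\\wsadmin",
        Consumer='ActiveScriptEventConsumer.Name="Orphan"', Filter='__EventFilter.Name="OrphanFilter"'),
    _ev(21, Operation="Deleted", User="CORP\\wsadmin",
        Consumer='CommandLineEventConsumer.Name="OldTask"', Filter='__EventFilter.Name="OldFilter"'),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS, known_good={"InvConsumer"}):
        print(f"{v['verdict']:13} {v['consumer']} <- {v['filter']} ({v['user']}) {v['reasons']}")
```

Run as a script it prints three verdicts: Updater is suspicious (CommandLineEventConsumer launching an encoded PowerShell command on a SystemUpTime trigger), InvConsumer is benign-known only because the allowlist says so, and Orphan is suspicious with a telemetry-gap reason because its filter and consumer were never logged. To use it on real data, replace SAMPLE_EVENTS with records exported from the Microsoft-Windows-Sysmon/Operational channel. Any "no EventID" reason or "review" verdict is a prompt to confirm on the host with Get-CimInstance -Namespace root\subscription against __EventFilter, __EventConsumer and __FilterToConsumerBinding, since Sysmon only logs subscription changes made while it was running.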
Iterate with targeted follow-up questions
After the first pass, ask the detecting-wmi-persistence skill to narrow on one artifact type at a time: filter, consumer, or binding. You can also ask for a validation checklist, a cleanup-oriented query plan, or a SIEM query translation. Iterating this way usually produces more actionable output than asking for a single broad verdict.
