Detecting WMI Persistence When to Use - When hunting for WMI event subscription persistence (MITRE ATT&CK T1546.003) - After detecting suspicious WMI activity in endpoint telemetry - During incident response to identify attacker persistence mechanisms - When Sysmon alerts trigger on Event IDs 19, 20, or 21 - During purple team exercises testing WMI-based persistence Prerequisites - Sysmon v6.1+ deployed with WMI event logging enabled (Event IDs 19, 20, 21) - Windows Security Event Log forwarding configured - SIEM with Sysmon data ingested (Splunk, Elastic, Sentinel) - PowerShell access for WM…