hunting-for-persistence-via-wmi-subscriptions

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/agent.py utilizes subprocess.run to execute local system commands including wmic and powershell. These commands are used to query the root\subscription WMI namespace to identify event filters and consumers, which is a standard procedure for security auditing and threat hunting.
  • [EXTERNAL_DOWNLOADS]: The skill identifies a dependency on the python-evtx library for parsing Windows Event Log (.evtx) files. This is a well-recognized open-source library used in digital forensics and incident response (DFIR).
  • [DATA_EXPOSURE & EXFILTRATION]: The scripts access sensitive system metadata and event logs for analysis. The analysis results are either printed to the standard output or saved to a local JSON file. No network operations or external data transmissions were detected.
  • [REMOTE_CODE_EXECUTION]: While the skill executes shell commands via subprocess, the commands are defined as static lists or hardcoded strings without direct interpolation of unvalidated user input, reducing the risk of command injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 13, 2026, 12:40 PM