Persistence and logging¶

WMI Subscription Monitoring¶

Detects malicious WMI event subscriptions (e.g., __EventFilter).

Finds APT29 implants that use WMI for persistence.

Script:

Get-WmiObject -Namespace root\Subscription -Class __EventFilter

Windows Event Forwarding (WEF)¶

Centralises logs (Security, Sysmon, PowerShell Operational).

Essential for threat hunting (e.g., detecting Invoke-Mimikatz).

Deploy:

wecutil qc /q