Persistence and logging

WMI Subscription Monitoring

Detects malicious permanent WMI event subscriptions (e.g., __EventFilter instances in root\Subscription).

Finds APT29 implants that use WMI for persistence.

Script:

Get-WmiObject -Namespace root\Subscription -Class __EventFilter
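The one-liner above lists only the filters; a working persistence subscription also needs a consumer and a binding, and the consumer is where the payload lives. The following script is an added example, not part of the original notes: it enumerates all three classes, joins them, and flags consumers that can execute code. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the CIM cmdlets, run from an elevated session.

```powershell
# Added example (not from the original page): enumerate permanent WMI event subscriptions
# and flag consumers that execute commands or scripts. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows; run elevated so every subscription is visible.
$ns = 'root\Subscription'

# A permanent subscription needs all three pieces: a filter (trigger query), a consumer
# (action) and a binding tying them together. Pulling only __EventFilter misses the payload.
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Consumer classes that can run arbitrary code; these deserve the closest review.
$codeConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

# Reference properties come back as CimInstance objects from Get-CimInstance but as
# object-path strings ('__EventFilter.Name="x"') from the older Get-WmiObject; accept both.
function Get-RefName([object]$ref) {
    if ($ref -is [string]) { if ($ref -match 'Name="([^"]*)"') { return $Matches[1] } }
    else { return $ref.Name }
}

$report = foreach ($b in $bindings) {
    $filterName   = Get-RefName $b.Filter
    $consumerName = Get-RefName $b.Consumer
    $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
    $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1
    $consumerClass = if ($consumer) { $consumer.CimClass.CimClassName } else { '<missing>' }

    # What would actually run when the filter fires: a command line or a script body/file.
    $payload = switch ($consumerClass) {
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName } }
        default                     { '' }
    }

    [pscustomobject]@{
        Filter        = $filterName
        Query         = if ($filter) { $filter.Query } else { '<missing>' }
        ConsumerClass = $consumerClass
        Consumer      = $consumerName
        Payload       = $payload
        Review        = $codeConsumers -contains $consumerClass
    }
}

# Bindings whose consumer can execute code are listed first; an empty table means no
# permanent subscriptions are bound on this host.
$report | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Baseline the output on a known-clean build first: legitimate software (e.g., the SCM event log consumer) registers subscriptions too, so review the Query and Payload columns rather than treating every row as malicious.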

Windows Event Forwarding (WEF)

Centralises logs (Security, Sysmon, PowerShell Operational).

Essential for threat hunting (e.g., detecting Invoke-Mimikatz).

Deploy:

wecutil qc /q

Last update: 2025-06-07 06:04