Persistence and logging
WMI Subscription Monitoring
Detects malicious permanent WMI event subscriptions. A subscription consists of three objects in the root\subscription namespace: an __EventFilter (the WQL trigger), an __EventConsumer (the action, e.g. a CommandLineEventConsumer or ActiveScriptEventConsumer) and a __FilterToConsumerBinding that ties the two together; listing only the filters shows the trigger but not the payload that runs.
Finds APT29 implants that use WMI for persistence.
Script:
Get-WmiObject -Namespace root\Subscription -Class __EventFilter
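The one-liner above lists filters only. The following is an added example (not part of the original page) that walks the bindings and joins each filter to its consumer, flagging the consumer types that execute commands or scripts; it assumes local administrator rights and Windows PowerShell 5.1, where Get-WmiObject is still available.

```powershell
# Added example: enumerate complete WMI subscriptions (filter -> consumer) on the local host.
# Assumes Windows PowerShell 5.1 (Get-WmiObject) and an elevated session.
function Get-WmiSubscription {
    $ns = 'root\subscription'

    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    # __EventConsumer is abstract; querying it returns every concrete consumer subclass.
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    # Consumer classes that run arbitrary commands or script are the ones used for persistence;
    # LogFile, NTEventLog and SMTP consumers are normally management tooling.
    $executingConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

    foreach ($b in $bindings) {
        # Binding references look like: __EventFilter.Name="SCM Event Log Filter"
        # The instance name is the text between the double quotes.
        $filterName   = ($b.Filter   -split '"')[1]
        $consumerName = ($b.Consumer -split '"')[1]

        $f = $filters   | Where-Object { $_.Name -eq $filterName }
        $c = $consumers | Where-Object { $_.Name -eq $consumerName }

        # Pick whichever payload property the concrete consumer class exposes.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { $null }

        [pscustomobject]@{
            Filter       = $filterName
            Query        = $f.Query
            ConsumerName = $consumerName
            ConsumerType = $c.__CLASS
            Payload      = $payload
            Suspicious   = ($c.__CLASS -in $executingConsumers)
        }
    }
}

# Show only subscriptions whose consumer executes a command line or script.
Get-WmiSubscription | Where-Object Suspicious | Format-List
```

Review the full output rather than only the flagged rows on hosts you do not know well; a benign baseline (such as the default "SCM Event Log" filter and consumer) makes new entries stand out.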
Windows Event Forwarding (WEF)
Centralises logs (Security, Sysmon, PowerShell Operational) from many hosts on a collector server, so they remain available for hunting even if the local logs are cleared.
Essential for threat hunting (e.g., detecting Invoke-Mimikatz).
Deploy (run on the collector; this enables and configures the Windows Event Collector service. Subscriptions are then created with "wecutil cs <subscription.xml>", and source hosts are pointed at the collector via the Group Policy setting "Configure target Subscription Manager" under Event Forwarding):
wecutil qc /q
Last update:
2025-06-07 06:04