GCIH · Question #729
Which persistence mechanism will evade detection by Sysinternals AutoRuns?
The correct answer is D. WMI event subscription. WMI event subscriptions store persistence logic inside the WMI repository rather than in locations AutoRuns prominently monitors, making them harder to detect than registry or service-based persistence.
Question
Which persistence mechanism will evade detection by Sysinternals AutoRuns?
Options
- AConfiguring scheduled tasks
- BAdding user accounts
- CNew service creation
- DWMI event subscription
How the community answered
(52 responses)- A6% (3)
- B10% (5)
- C2% (1)
- D83% (43)
Why each option
WMI event subscriptions store persistence logic inside the WMI repository rather than in locations AutoRuns prominently monitors, making them harder to detect than registry or service-based persistence.
Scheduled tasks are displayed in the 'Scheduled Tasks' tab of AutoRuns and are easily detected.
Adding user accounts is not a startup-based persistence mechanism and is trivially detected via user account auditing and security event logs, not AutoRuns.
New service creation is listed under the 'Services' tab in AutoRuns and is straightforward to identify.
WMI event subscriptions persist within the WMI repository and execute code in response to system events, bypassing the registry run keys, scheduled task XML files, and the service control manager that AutoRuns prominently surfaces. While modern AutoRuns versions include a WMI tab, this mechanism is frequently overlooked and was historically absent from default AutoRuns views, making it a preferred evasion technique. It is also fileless, leaving minimal artifacts on disk.
Concept tested: WMI event subscription fileless persistence evasion technique
Source: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
Topics
Community Discussion
No community discussion yet for this question.