nerdexam
GIAC

GCIH · Question #729

Which persistence mechanism will evade detection by Sysinternals AutoRuns?

The correct answer is D. WMI event subscription. WMI event subscriptions store persistence logic inside the WMI repository rather than in locations AutoRuns prominently monitors, making them harder to detect than registry or service-based persistence.

Malware Analysis & Advanced Persistent Threats

Question

Which persistence mechanism will evade detection by Sysinternals AutoRuns?

Options

  • AConfiguring scheduled tasks
  • BAdding user accounts
  • CNew service creation
  • DWMI event subscription

How the community answered

(52 responses)
  • A
    6% (3)
  • B
    10% (5)
  • C
    2% (1)
  • D
    83% (43)

Why each option

WMI event subscriptions store persistence logic inside the WMI repository rather than in locations AutoRuns prominently monitors, making them harder to detect than registry or service-based persistence.

AConfiguring scheduled tasks

Scheduled tasks are displayed in the 'Scheduled Tasks' tab of AutoRuns and are easily detected.

BAdding user accounts

Adding user accounts is not a startup-based persistence mechanism and is trivially detected via user account auditing and security event logs, not AutoRuns.

CNew service creation

New service creation is listed under the 'Services' tab in AutoRuns and is straightforward to identify.

DWMI event subscriptionCorrect

WMI event subscriptions persist within the WMI repository and execute code in response to system events, bypassing the registry run keys, scheduled task XML files, and the service control manager that AutoRuns prominently surfaces. While modern AutoRuns versions include a WMI tab, this mechanism is frequently overlooked and was historically absent from default AutoRuns views, making it a preferred evasion technique. It is also fileless, leaving minimal artifacts on disk.

Concept tested: WMI event subscription fileless persistence evasion technique

Source: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

Topics

#WMI persistence#AutoRuns evasion#ASEP#advanced persistence

Community Discussion

No community discussion yet for this question.

Full GCIH Practice