GCIH Question #729: Real Exam Question with Answer & Explanation

The correct answer is D: WMI event subscription.

Question

Which persistence mechanism will evade detection by Sysinternals AutoRuns?

Options

  • A. Configuring scheduled tasks
  • B. Adding user accounts
  • C. New service creation
  • D. WMI event subscription

Explanation

WMI event subscriptions store persistence logic inside the WMI repository rather than in locations AutoRuns prominently monitors, making them harder to detect than registry or service-based persistence.

Common mistakes.

  • A. Scheduled tasks are displayed in the 'Scheduled Tasks' tab of AutoRuns and are easily detected.
  • B. Adding user accounts is not a startup-based persistence mechanism and is trivially detected via user account auditing and security event logs, not AutoRuns.
  • C. New service creation is listed under the 'Services' tab in AutoRuns and is straightforward to identify.

Concept tested. WMI event subscription as a fileless persistence technique that evades AutoRuns-based detection.

Reference. https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns