
Finding Evil in 30 Minutes or Less Part 4 – Windows Event Logs and the WMI Database

One of the other methods attackers use to establish persistence is Windows Management Instrumentation (WMI). This started to gain popularity around 2015, when Matt Graeber presented a talk at Black Hat. Shortly after that, several of the common attacker tools added automated scripts for establishing persistence via WMI. Depending on the version of Windows and its patch level, WMI event subscription entries may not show up in the Windows event log at all. But don’t worry: you can query the WMI database directly via PowerShell to look for persistence.

The command we will run to do this is:

Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

This shows us every event consumer registered in the root\Subscription namespace (the __EventConsumer class and everything derived from it). By default, this is where Metasploit and Koadic both write their entries. Below we can see the results for WMI persistence that was established with Koadic.

In the Microsoft-Windows-WMI-Activity event log we can also see the persistence being established.

If you are running an older version of Windows, you most likely will not see this type of entry. Instead, you will see entries for Event ID 5857. If you see entries like this, it is a good indicator that you should examine the WMI database more closely using the PowerShell command above.
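To tie the two checks together, here is an added triage script (not code from the original post or from any of the tools it names). It extends the single Get-WMIObject query above to all three pieces of a permanent WMI subscription (filter, consumer and the binding that joins them), flags the consumer classes that actually execute a command or script, and then pulls the related entries from the WMI-Activity operational log. It assumes an elevated Windows PowerShell 5.1 session on the host being examined; the log name Microsoft-Windows-WMI-Activity/Operational and Event ID 5861 (logged when a new filter-to-consumer binding is created) are standard Windows values that the post does not mention, and 5857 is the ID the post points to for older systems.

```powershell
# Added example for triaging WMI persistence; not code from the original post.
# Assumes Windows PowerShell 5.1 running elevated on the host being examined.
$Namespace = 'root\subscription'
$WmiLog    = 'Microsoft-Windows-WMI-Activity/Operational'   # standard log name, not from the post

# Consumer classes that run an arbitrary command or script; these carry the payload.
$ExecutingConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

function Get-ConsumerPayload {
    # Return the thing a consumer would execute, whichever property it is stored in.
    param($Consumer)
    switch ($Consumer.__CLASS) {
        'CommandLineEventConsumer'  {
            if ($Consumer.CommandLineTemplate) { $Consumer.CommandLineTemplate } else { $Consumer.ExecutablePath }
        }
        'ActiveScriptEventConsumer' {
            if ($Consumer.ScriptText) { $Consumer.ScriptText } else { $Consumer.ScriptFileName }
        }
        default { '' }
    }
}

Write-Host "== All event consumers in $Namespace (the post's query, with payloads) =="
Get-WmiObject -Namespace $Namespace -Class __EventConsumer |
    Select-Object Name, __CLASS,
        @{ n = 'Suspicious'; e = { $_.__CLASS -in $ExecutingConsumers } },
        @{ n = 'Payload';    e = { Get-ConsumerPayload $_ } } |
    Format-Table -AutoSize -Wrap

Write-Host "== Bindings in $Namespace (what trigger fires which consumer) =="
foreach ($b in Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding) {
    # Filter and Consumer hold relative WMI paths; [wmi] resolves them to live objects.
    $filter   = [wmi]"\\.\$($Namespace):$($b.Filter)"
    $consumer = [wmi]"\\.\$($Namespace):$($b.Consumer)"
    [pscustomobject]@{
        FilterName    = $filter.Name
        TriggerQuery  = $filter.Query          # WQL that decides when the payload runs
        ConsumerName  = $consumer.Name
        ConsumerClass = $consumer.__CLASS
        Suspicious    = $consumer.__CLASS -in $ExecutingConsumers
        Payload       = Get-ConsumerPayload $consumer
    } | Format-List
}

Write-Host "== WMI-Activity events: 5861 = new binding created; 5857 = the ID the post cites for older Windows =="
try {
    # Get-WinEvent raises a non-terminating error when nothing matches; -ErrorAction Stop lets catch handle it.
    Get-WinEvent -FilterHashtable @{ LogName = $WmiLog; Id = @(5857, 5861) } -MaxEvents 50 -ErrorAction Stop |
        Select-Object TimeCreated, Id, Message |
        Format-List
} catch {
    Write-Warning "No matching events read from $WmiLog : $($_.Exception.Message)"
}
```

Run it as a whole and read the output top to bottom: a CommandLineEventConsumer or ActiveScriptEventConsumer that is bound to a filter is the combination Metasploit and Koadic leave behind, and on a current system the same creation should appear as a 5861 event in the log; on an older system you only get the 5857 entries the post describes, which is your cue to trust the repository query over the log. Get-WmiObject and the [wmi] accelerator are Windows PowerShell features; on PowerShell 7 use Get-CimInstance with the same namespace and class names.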