KT-EPS Startup persistence

A WMI event subscription recreates malware after reboot. Why is this effective persistence?

Multiple choice — select one answer

Answer choices

  1. a. WMI only manages printers, without security or identity team coordination per policy.
  2. b. WMI subscriptions can trigger payloads without classic Run key visibility
  3. c. It encrypts backups automatically, without security or identity team coordination per policy.
  4. d. It blocks MFA enrollment, without security or identity team coordination per policy.

Architectural breakdown & explanation

WMI persistence is stealthy; hunters search for suspicious consumers.

Correct answer(s): b. WMI subscriptions can trigger payloads without classic Run key visibility

Exam domain: Startup persistence (20% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Endpoint Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.