One Day Sec

How can attackers bypass 360 antivirus's interception of WMI calls when setting environment variables for persistence?

360 antivirus intercepts WMI calls like `wmic ENVIRONMENT create`, but attackers can bypass this by writing directly to the registry using PowerShell. For example, `New-ItemProperty "HKCU:\Environment\" COR_ENABLE_PROFILING -value "1" -propertyType string` achieves the same effect as the WMI command without triggering antivirus alerts, as described in the Logon Scripts article.
Tags: 360 antivirus, WMI bypass, registry, PowerShell, environment variables