One Day Sec

Why might an attacker replace WMI commands with registry modifications when using Logon Scripts?

Antivirus software like 360 often intercepts WMI calls used to create environment variables. Since adding environment variables via WMI is equivalent to writing to the registry (specifically `HKCU\Environment`), an attacker can bypass the WMI interception by directly writing to the registry using PowerShell or similar tools. This makes the technique stealthier and more reliable.
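Because both paths end in the same place, the durable detection is at the registry, not at the WMI call. The following is an added example (not code from the original Q&A): a small Python detector that consumes Sysmon-style Event ID 13 (RegistryEvent, value set) records and flags writes under a user's `Environment` key regardless of whether the writing process was `WmiPrvSE.exe` or `powershell.exe`. The field names (`EventID`, `EventType`, `TargetObject`, `Details`, `Image`) are the real Sysmon ones; the sample events themselves are constructed, and the `UserInitMprLogonScript` value name is the one the logon-script persistence technique uses.

```python
"""Detect logon-script persistence written to a user's Environment key.

Added example, not part of the original Q&A. It parses constructed
Sysmon-style Event ID 13 (SetValue) records and flags Environment writes
whether they arrived via WMI (WmiPrvSE.exe) or a direct registry write.
"""
import re

# HKCU shows up in Sysmon as HKU\<user SID>\Environment\<value name>
ENV_KEY_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Environment\\(?P<value>[^\\]+)$", re.IGNORECASE
)

# Value name used by the Logon Script persistence technique (MITRE T1037.001).
LOGON_SCRIPT_VALUE = "UserInitMprLogonScript"

# Script extensions and interpreters that rarely belong in a user environment value.
SUSPICIOUS_DATA_RE = re.compile(
    r"(\.(bat|cmd|ps1|vbs|js|exe)\b|powershell|cmd\.exe|mshta|rundll32)", re.IGNORECASE
)


def classify(event):
    """Return a finding dict for one registry SetValue event, or None if benign."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    match = ENV_KEY_RE.match(event.get("TargetObject", ""))
    if not match:
        return None  # not under a user's Environment key
    value = match.group("value")
    data = event.get("Details", "")
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if value.lower() == LOGON_SCRIPT_VALUE.lower():
        severity, reason = "high", f"{LOGON_SCRIPT_VALUE} set (logon-script persistence)"
    elif SUSPICIOUS_DATA_RE.search(data):
        severity, reason = "medium", "environment value points at a script or interpreter"
    else:
        return None
    return {
        "severity": severity,
        "value": value,
        "data": data,
        "writer": writer,
        "via_wmi": writer == "wmiprvse.exe",  # WMI provider host vs. direct writer
        "reason": reason,
    }


def scan(events):
    """Run classify() over an iterable of events and keep the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample telemetry (SID and paths are made up for the example).
_SID = "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\"
SAMPLE_EVENTS = [
    # Direct registry write from PowerShell: the WMI hook never sees this.
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": _SID + "UserInitMprLogonScript", "Details": "C:\\Users\\Public\\logon.bat"},
    # Same value set through WMI: the writer is the WMI provider host.
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "TargetObject": _SID + "UserInitMprLogonScript", "Details": "C:\\Users\\Public\\logon.bat"},
    # Benign: Explorer updating TEMP.
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": _SID + "TEMP", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp"},
    # Odd value name but script-like data: worth a look, lower confidence.
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": _SID + "Updater", "Details": "C:\\Users\\Public\\update.vbs"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The two high findings share the same value and data but differ in `writer`/`via_wmi`, which is the point of the question: a hook on WMI alone sees only the second event, while registry telemetry sees both.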

---
**Related reading:**
- Use Logon Scripts to maintain persistence — original article
- Penetration Techniques - Obtaining Net-NTLM Hash via HTTP Protocol
- Webmin<=1.920-Unauthenticated_RCE(CVE-2019-15107) Exploitation Test
- Pupy Exploitation Analysis - Features on Windows Platform
**Tags:** registry modification, WMI bypass, environment variables, PowerShell, antivirus evasion