Why would an attacker replace WMI commands with direct registry edits?
WMI operations such as wmic ENVIRONMENT create are a well-known persistence primitive, so security software (the page names 360) hooks, alerts on, or blocks them. But the Win32_Environment provider does nothing exotic: it ends up writing an ordinary string value under HKCU\Environment. An attacker who writes that same value directly, with reg add or PowerShell's registry provider, produces the identical on-disk artefact without ever calling WMI, so WMI-specific alerts never fire. The caveat for defenders is that this only sidesteps WMI monitoring: the registry write itself is still visible to registry auditing or Sysmon (Event ID 13, registry value set) on HKCU\Environment, so detection should key on the value that appears there, not on the tool that wrote it.
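The same HKCU\Environment write done with and without WMI, as an added PowerShell example (not code from the original article). It assumes the value name UserInitMprLogonScript, the standard logon-script environment variable the linked article concerns, and uses a placeholder script path; the defender-side functions show that every route leaves the same artefact to hunt for.

```powershell
# Added example, not from the original page.
# Assumptions (labelled): UserInitMprLogonScript is the logon-script variable
# the linked article sets; C:\ProgramData\logon.bat is a placeholder path.

$RegPath    = 'HKCU:\Environment'
$ValueName  = 'UserInitMprLogonScript'
$ScriptPath = 'C:\ProgramData\logon.bat'   # placeholder, assumption

# Route 1: WMI. This is the call that products such as 360 hook, so it is left
# as a comment. The Win32_Environment provider persists the instance as a REG_SZ
# under HKCU\Environment for the current user:
#   wmic ENVIRONMENT create name="UserInitMprLogonScript",username="%username%",VariableValue="C:\ProgramData\logon.bat"

# Route 2: reg.exe, no WMI involved, same registry value:
#   reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "C:\ProgramData\logon.bat" /f

# Route 3: PowerShell's registry provider, no WMI involved, same registry value.
function Set-LogonScriptValue {
    param([Parameter(Mandatory)][string]$Path)
    # Set-ItemProperty creates the value if missing and overwrites it if present,
    # so it covers both cases where New-ItemProperty would fail on an existing value.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Path -Type String
    # Read it back so the caller sees exactly what landed in the hive.
    return (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
}

# Defender side: the artefact is the same whichever route wrote it.
function Get-LogonScriptValue {
    $p = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$ValueName
}

# Cross-check through WMI: because the registry is the backing store, an entry
# written by reg.exe or Set-ItemProperty shows up in Win32_Environment too.
function Get-LogonScriptViaWmi {
    Get-CimInstance -ClassName Win32_Environment -Filter "Name='$ValueName'" |
        Select-Object UserName, VariableValue
}

function Remove-LogonScriptValue {
    Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
}

# Usage: write the value without touching WMI, then audit it both ways.
Set-LogonScriptValue -Path $ScriptPath
"Registry view : $(Get-LogonScriptValue)"
"WMI view      : $((Get-LogonScriptViaWmi).VariableValue)"
# A legitimately managed host almost never has this value set at all, so any
# non-null result from Get-LogonScriptValue is worth an alert regardless of
# which tool created it.
Remove-LogonScriptValue
```

Run it in a test VM as the user whose hive you want to inspect; HKCU: resolves to that user's hive, which is the same key wmic writes for username="%username%". The last two functions are the useful part for detection engineering: a Sysmon rule on TargetObject ending in \Environment\UserInitMprLogonScript catches all three routes, whereas a rule on the wmic process line catches only the first.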
---
**Related reading:**
- Use Logon Scripts to maintain persistence — original article
- Penetration Basics - Obfuscating Strings Using Unicode Encoding
- Sophos UTM Analysis - Clearing Last WebAdmin Sessions Records
- Penetration Basics - Methods to Continuously Obtain Exchange User Inbox Emails