Deploying Defender ASR – Block persistence through WMI event subscription

Last week Microsoft released the DRAFT Security baseline for Windows 10 and Windows Server, version 20H2. Although available since Windows 10 1903, the attack surface reduction rule ‘Block persistence through WMI event subscription’ is now included in the recommended security control configurations. The technique is listed in the MITRE ATT&CK framework as T1546.003, Event Triggered Execution: Windows Management Instrumentation Event Subscription. When we head over to the Microsoft docs, Block persistence through WMI event subscription …