Many security professionals and Blue Team members appreciate a good and detailed written APT report by any renowned security company. This is especially true, if they document and explain some new and stealthy technique that was used and not well known yet by defenders.

One such technique is “WMI event subscription” for persistence, which has been used by APT29.
Another one is the “Logon Script” technique (“UserInitMprLogonScript” reg key) used by APT28.
A third technique that is discussed very often is (ab-)using Powershell and “living off the land” (LOL).
To even top this one, attackers are using “unmanaged Powershell” (e.g. using PowerPick) to evade command line based detection. But thanks to the Powershell logging features available since version 5, even this can be detected.

I will discuss and show how to detect all of these techniques by using Sysmon data and Powershell logging (with Splunk as a SIEM).