WMI event consumers will continue to be abused in the wild as long as organizations fail to discover and remediate them. While live collection and analysis are preferable for scaling efforts across a network, this post covered the disk-based artifacts and tools available for use during deeper forensic investigations. A KAPE target exists to collect the required files for offline analysis, making this an easy check to perform during incident response forensic investigations.