In short, the WMI event subscription method will create an "event" with certain criteria that will result in persistent and fileless execution of our payload. There are different methods for this particular attack, but today we're using the logon method. This will create a WMI event filter that will execute the payload after an uptime of four minutes. After entering the module mode with use powershell/persistence/elevated/wmi, set the agent that will receive the persistence task. Make sure you select the elevated one! It's the agent with a star next to the username:
Note that we're configuring both set Agent and set Listener.