Bonjour123/getPermanentWMISubscriptionsForAllClasses.ps1

## getPermanentWMISubscriptionsForAllClasses.ps1
##########################Author: Bonjour123#############################
# Althought really convenient, WMI permanent subscriptions can also     #
# be used by malwares. They usually are set to get events and trigger   #
# some actions (like downloading some scripts), thus allowing some      #
# persistance mechanisms.                                               #
# This script returns a list of all the permanent WMI subscriptions for #
# all the different classes, allowing an overall view.			#
# More info: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
#########################################################################
$classes =  get-wmiobject -namespace root\Subscription  -list|select Name|Foreach-object {$_ -split "`r`n"}
ForEach ($item In $classes) {
	$tmp = $item.Substring(7)
	$tmp2 = $tmp.Substring(0, $tmp.length-1)
	Get-WMIObject -Namespace root\Subscription -Class $tmp2
}
	##########################Author: Bonjour123#############################
	# Althought really convenient, WMI permanent subscriptions can also #
	# be used by malwares. They usually are set to get events and trigger #
	# some actions (like downloading some scripts), thus allowing some #
	# persistance mechanisms. #
	# This script returns a list of all the permanent WMI subscriptions for #
	# all the different classes, allowing an overall view. #
	# More info: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
	#########################################################################
	$classes = get-wmiobject -namespace root\Subscription -list\|select Name\|Foreach-object {$_ -split "`r`n"}
	ForEach ($item In $classes) {
	$tmp = $item.Substring(7)
	$tmp2 = $tmp.Substring(0, $tmp.length-1)
	Get-WMIObject -Namespace root\Subscription -Class $tmp2
	}