An example of how to use permanent WMI event subscriptions to log a malicious action to the event log
# Define the signature - i.e. the __EventFilter. The WQL query fires on the
# provider-side "_Pre" event raised before any Win32_Process.Create call is
# executed, which is the method WMI-based lateral movement uses to start a process.
$EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name           = 'LateralMovementEvent'
    Query          = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"'
    QueryLanguage  = 'WQL'
}
$InstanceArgs = @{
    Namespace = 'root/subscription'
    Class     = '__EventFilter'
    Arguments = $EventFilterArgs
}
$Filter = Set-WmiInstance @InstanceArgs

# Define the event log template and parameters. Each %...% token is replaced
# with the corresponding property of the event instance that matched the filter.
$Template = @(
    'Lateral movement detected!',
    'Namespace: %Namespace%',
    'Object: %ObjectPath%',
    'Method Executed: %MethodName%',
    'Command Executed: %InputParameters.CommandLine%'
)
$NtEventLogArgs = @{
    Name                     = 'LogLateralMovementEvent'
    Category                 = [UInt16] 0
    EventType                = [UInt32] 2 # Warning
    EventID                  = [UInt32] 8
    SourceName               = 'WSH'
    NumberOfInsertionStrings = [UInt32] $Template.Length
    InsertionStringTemplates = $Template
}
$InstanceArgs = @{
    Namespace = 'root/subscription'
    Class     = 'NTEventLogEventConsumer'
    Arguments = $NtEventLogArgs
}
$Consumer = Set-WmiInstance @InstanceArgs

# Bind the filter to the consumer; nothing is logged until this binding exists.
$FilterConsumerBindingArgs = @{
    Filter   = $Filter
    Consumer = $Consumer
}
$InstanceArgs = @{
    Namespace = 'root/subscription'
    Class     = '__FilterToConsumerBinding'
    Arguments = $FilterConsumerBindingArgs
}

# Run the following code from an elevated PowerShell console.
# Register the alert
$Binding = Set-WmiInstance @InstanceArgs

# Now, this will automatically generate an event log entry in the Application event log.
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe

# Delete the permanent WMI event subscriptions you just made
<#
Get-WmiObject -Namespace 'root/subscription' -Class '__EventFilter' -Filter 'Name="LateralMovementEvent"' | Remove-WmiObject
Get-WmiObject -Namespace 'root/subscription' -Class 'NTEventLogEventConsumer' -Filter 'Name="LogLateralMovementEvent"' | Remove-WmiObject
Get-WmiObject -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Filter 'Filter="__EventFilter.Name=\"LateralMovementEvent\""' | Remove-WmiObject
#>
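Once the subscription above is in place, the detections land in the Application log as plain insertion strings. The following function is an added example (not part of the gist) that reads those entries back and splits the strings into fields so they can be filtered or summarised. It relies on the values the gist chose (Application log, source name 'WSH', event ID 8) and on the order of the `$Template` array; the function name and the optional `IgnorePattern` allowlist are assumptions made for illustration.

```powershell
function Get-LateralMovementAlert {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 100,
        # Assumed tuning knob: command lines matching this regex are dropped from the output.
        [string]$IgnorePattern = $null
    )

    # These three values must match what the NTEventLogEventConsumer in the gist was created with.
    $filter = @{ LogName = 'Application'; ProviderName = 'WSH'; Id = 8 }

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The consumer's InsertionStringTemplates arrive as EventData properties in
        # template order: 0 banner, 1 namespace, 2 object path, 3 method, 4 command line.
        $p = @($e.Properties | ForEach-Object { $_.Value })
        if ($p.Count -lt 5) { continue }   # not an entry written by the gist's template

        $cmd = $p[4] -replace '^Command Executed: ', ''
        if ($IgnorePattern -and $cmd -match $IgnorePattern) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            Namespace   = $p[1] -replace '^Namespace: ', ''
            ObjectPath  = $p[2] -replace '^Object: ', ''
            Method      = $p[3] -replace '^Method Executed: ', ''
            CommandLine = $cmd
        }
    }
}

# Usage: newest alerts first, then a count of what was launched.
# Get-LateralMovementAlert | Format-Table -AutoSize
# Get-LateralMovementAlert | Group-Object CommandLine | Sort-Object Count -Descending
```

Because the consumer borrows the 'WSH' source, any genuine Windows Script Host event with ID 8 would also match the filter hashtable; the property-count check is what keeps those out of the result.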
rugabunda commented Jul 24, 2020

@mattifestation here is a little batch file to go along with your wmi logs:

WMI Payload

@ECHO off
rundll32 user32.dll,MessageBeep
color 09
echo Failed to load, run: 'sc continue winmgmt', to unpause, or 'net start Winmgmt /y' to start
::set-date-file-name-properties
FOR /f %%a IN ('WMIC OS GET LocalDateTime ^| FIND "."') DO SET DTS=%%a
SET DateTime=%DTS:~0,4%-%DTS:~4,2%-%DTS:~6,2%_%DTS:~8,2%.%DTS:~10,2%.%DTS:~12,2%

::save WMI payload data to-date-folder-txt
mkdir %userprofile%\Documents\#WMI\
wmic /NAMESPACE:"\\root\subscription" PATH __EventConsumer get /FORMAT:list > %userprofile%\Documents\#WMI\%DateTime:/=%_EventConsumer_payload.txt
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter get /FORMAT:list > %userprofile%\Documents\#WMI\%DateTime:/=%_EventFilter_payload.txt
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding get /FORMAT:list > %userprofile%\Documents\#WMI\%DateTime:/=%_FilterToConsumerBinding_payload.txt
wmic /NAMESPACE:"\\root\subscription" PATH __TimerInstruction get /FORMAT:list > %userprofile%\Documents\#WMI\%DateTime:/=%_TimerInstruction_payload.txt
cls
color 09
ECHO ===================-----------
ECHO WARNING: WMI Execution/Payload detected
ECHO ===================-----------
ECHO.
ECHO Verifying WMI repository consistency, take note of following line!
ECHO.
winmgmt /verifyrepository
:Begin
ECHO.
ECHO PAUSING WMI SERVICE # Check Event Viewer / Autoruns
sc pause winmgmt
ECHO.
ECHO WMI SERVICE is paused, you are protected against WMI attacks for now; Test with T, Te, TT
ECHO.
ECHO (V)iew    (View WMI payload)
ECHO (B)ackup  (Backup WMI repository)
ECHO (S)alvage (WMI Repository Inconsistency detected? Run winmgmt /salvagerepository)
ECHO (R)eset   (Salvage failed? Backup and reset Repository [warning, know what you are doing])
ECHO (D)isable (Disable WMI, net stop Winmgmt /y), (E)nable, net start Winmgmt /y)
ECHO (C)reate  (Create Scheduled Task, trigger WMI.bat on Event WSH)
ECHO (Q)uit    (Unpause WMI, clean exit)

ECHO.

:: clear the previous answer first; "set /p" keeps the old value when the user just presses Enter
set choice=
set /p choice=Type:
::rem if not '%choice%'=='' set choice=%choice:~0;1% ( don`t use this command, because it takes only first digit in the case you type more digits. After that for example choice 23455666 is 
if '%choice%'=='' GOTO Invalid
:: /I makes the comparison case-insensitive, so one line per option is enough
if /I '%choice%'=='r'  GOTO Repair
if /I '%choice%'=='s'  GOTO Salvage
if /I '%choice%'=='b'  GOTO Backup
if /I '%choice%'=='d'  GOTO Disable
if /I '%choice%'=='v'  GOTO View
if /I '%choice%'=='e'  GOTO Enable
if /I '%choice%'=='c'  GOTO Create
if /I '%choice%'=='t'  GOTO Test
if /I '%choice%'=='tt' GOTO Test2
if /I '%choice%'=='te' GOTO Test3
if /I '%choice%'=='q'  GOTO Exit

:Invalid
:: anything else returns to the menu instead of falling through to :Exit and unpausing WMI
ECHO "%choice%" is not valid please try again
GOTO Begin

:Exit
ECHO.
net continue winmgmt
GOTO End2

:View 
GOTO End

:Disable
ECHO Disabling Winmgmt (WMI), re-start with "net start Winmgmt /y" or use main menu
net stop Winmgmt /y
GOTO Begin

:Test
Echo wmic process call create "notepad.exe"
wmic process call create "notepad.exe"
Echo Test Complete
GOTO Begin

:Test2
Echo DISABLE PROTECTION, UNPAUSE WINMGMT
Echo net continue winmgmt
net continue winmgmt
Echo wmic process call create "notepad.exe"
wmic process call create "notepad.exe"
Echo UNPROTECTED Test Complete
GOTO Begin

:Test3
ECHO powershell.exe Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe
powershell Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe
Echo Test Complete
GOTO Begin

:Create 
mkdir "%userprofile%\Documents\#WMI\"
ECHO copy wmi.bat "%userprofile%\Documents\#WMI\"  (Make sure batch name = wmi.bat, launch from within CMD)
ECHO SCHTASKS /Create /TN "WMI.bat" /TR "%userprofile%\Documents\#WMI\wmi.bat" /SC ONEVENT /RL Highest /EC Application /MO "*[System[Provider[@Name='WSH']]]"
copy wmi.bat "%userprofile%\Documents\#WMI\"
:: the /MO value is the XPath event query; quote it so cmd passes it through unchanged
SCHTASKS /Create /TN "WMI.bat" /TR "%userprofile%\Documents\#WMI\wmi.bat" /SC ONEVENT /RL Highest /EC Application /MO "*[System[Provider[@Name='WSH']]]"
ECHO Scheduled Task Created
Pause
GOTO Begin

:Salvage
ECHO Salvaging WMI Repository, if consistent, skip repair
net continue winmgmt
winmgmt /salvagerepository
net pause winmgmt
PAUSE
GOTO Begin

:Backup
ECHO press any key to backup wmi repo "%userprofile%\Documents\#WMI\MyW10WMI.(backup).data
pause
ECHO.
ECHO.
net stop Winmgmt /y
winmgmt /backup "%userprofile%\Documents\#WMI\MyW10WMI.(backup).data"
ECHO net start Winmgmt /y ^& dependencies
net start Winmgmt /y
net start vmms
ECHO.
net pause winmgmt
ECHO backup completed!
GOTO Begin

:Repair
ECHO Backing up AND Resetting WMI Repository to Windows Fresh Install State
ECHO.
ECHO Close window now to stop, or press any key to continue
PAUSE
net continue winmgmt
ECHO.
net stop Winmgmt /y
ECHO Saving to %userprofile%\Documents\#WMI\MyW10WMI.(restore.backup).data
winmgmt /backup "%userprofile%\Documents\#WMI\MyW10WMI.(restore.backup).data"
ECHO net start Winmgmt /y ^& dependencies
net start Winmgmt /y
net start vmms /y
ECHO winmgmt /resetrepository
winmgmt /resetrepository

ECHO.
ECHO complete, return to menu
pause
GOTO Begin

:Enable 
echo Enabling WMI, net start Winmgmt /y ^& dependencies
net start Winmgmt /y
net start vmms /y
GOTO Begin

:End
explorer %userprofile%\Documents\#WMI
GOTO Begin

:End2

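The batch file above dumps the four subscription classes with wmic and leaves the analyst to read the text files. The function below is an added example, written by the editor rather than taken from the comment or the gist, that performs the same inventory of root/subscription with the CIM cmdlets and resolves each __FilterToConsumerBinding to the filter query and consumer it joins, so the gist's own NTEventLogEventConsumer binding is easy to tell apart from one that runs a command line or script. The output folder, the function name and the list of consumer classes treated as worth a second look are assumptions for illustration, not rules from the page.

```powershell
function Get-WmiSubscriptionInventory {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumed location, chosen to match the batch file's folder.
        [string]$OutputDirectory = (Join-Path $env:USERPROFILE 'Documents\#WMI'),
        # Assumed heuristic: consumer classes that execute arbitrary commands or script.
        [string[]]$FlagConsumerClasses = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')
    )

    $ns = 'root/subscription'
    $session = New-CimSession -ComputerName $ComputerName
    try {
        $filters   = @(Get-CimInstance -CimSession $session -Namespace $ns -ClassName __EventFilter)
        $consumers = @(Get-CimInstance -CimSession $session -Namespace $ns -ClassName __EventConsumer)
        $bindings  = @(Get-CimInstance -CimSession $session -Namespace $ns -ClassName __FilterToConsumerBinding)
        $timers    = @(Get-CimInstance -CimSession $session -Namespace $ns -ClassName __TimerInstruction)
    }
    finally {
        Remove-CimSession $session
    }

    # Same snapshot the batch file takes, saved as CLIXML so it can be re-loaded with Import-Clixml.
    $null = New-Item -ItemType Directory -Path $OutputDirectory -Force
    $stamp = Get-Date -Format 'yyyy-MM-dd_HH.mm.ss'
    $sets = @{ EventFilter = $filters; EventConsumer = $consumers
               FilterToConsumerBinding = $bindings; TimerInstruction = $timers }
    foreach ($set in $sets.GetEnumerator()) {
        if ($set.Value.Count -gt 0) {
            $set.Value | Export-Clixml -Path (Join-Path $OutputDirectory "${stamp}_$($set.Key).xml")
        }
    }

    # Resolve each binding: which query triggers it and what the consumer does when it fires.
    foreach ($b in $bindings) {
        $filter   = $filters   | Where-Object Name -eq $b.Filter.Name   | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $b.Consumer.Name | Select-Object -First 1
        $consumerClass = if ($consumer) { $consumer.CimClass.CimClassName } else { '<missing>' }
        $action = switch ($consumerClass) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            'NTEventLogEventConsumer'   { $consumer.InsertionStringTemplates -join ' | ' }
            default                     { $null }
        }
        [pscustomobject]@{
            Computer      = $ComputerName
            FilterName    = $b.Filter.Name
            Query         = if ($filter) { $filter.Query } else { '<missing>' }
            ConsumerName  = $b.Consumer.Name
            ConsumerClass = $consumerClass
            Action        = $action
            Flagged       = $consumerClass -in $FlagConsumerClasses
        }
    }
}

# Usage: show every binding, with the ones that execute commands or script first.
# Get-WmiSubscriptionInventory | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Running this against a host where the gist's subscription is registered returns one row with ConsumerClass 'NTEventLogEventConsumer', the Win32_Process/Create query, and Flagged set to false; a binding whose filter or consumer cannot be resolved shows '<missing>', which is itself worth noting since a dangling binding is not something a tidy install leaves behind.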
mattifestation (Author) commented

Wow, you are indeed a master of batch. Thank you for sharing!