Created
August 4, 2016 04:35
-
-
Save vector-sec/873eb96251f3bd4bbbd509de9c5fd926 to your computer and use it in GitHub Desktop.
An example of how to use permanent WMI event subscriptions to log that a keyboard/mouse was connected to the windows event log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based off @mattifestation's example: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'HumanInterfaceDevice' | |
| Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "Win32_PointingDevice" OR TargetInstance ISA "Win32_KeyBoard"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ | |
| Namespace = 'root/subscription' | |
| Class = '__EventFilter' | |
| Arguments = $EventFilterArgs | |
| } | |
| $Filter = Set-WmiInstance @InstanceArgs | |
| # Define the event log template and parameters | |
| # Because this is an intrinsic event, you must reference TargetInstance when accessing columns from the WQL results | |
| $Template = @( | |
| 'HID Device Connected', | |
| 'Name: %TargetInstance.Name%', | |
| 'Description: %TargetInstance.Description%', | |
| 'Type: %TargetInstance.CreationClassName%', | |
| 'PNPDeviceID: %TargetInstance.PNPDeviceID%' | |
| ) | |
| $NtEventLogArgs = @{ | |
| Name = 'HIDConnectionEvent' | |
| Category = [UInt16] 0 | |
| EventType = [UInt32] 2 # Warning | |
| EventID = [UInt32] 8 | |
| SourceName = 'WSH' | |
| NumberOfInsertionStrings = [UInt32] $Template.Length | |
| InsertionStringTemplates = $Template | |
| } | |
| $InstanceArgs = @{ | |
| Namespace = 'root/subscription' | |
| Class = 'NTEventLogEventConsumer' | |
| Arguments = $NtEventLogArgs | |
| } | |
| $Consumer = Set-WmiInstance @InstanceArgs | |
| $FilterConsumerBingingArgs = @{ | |
| Filter = $Filter | |
| Consumer = $Consumer | |
| } | |
| $InstanceArgs = @{ | |
| Namespace = 'root/subscription' | |
| Class = '__FilterToConsumerBinding' | |
| Arguments = $FilterConsumerBingingArgs | |
| } | |
| # Run the following code from an elevated PowerShell console. | |
| # Register the alert | |
| $Binding = Set-WmiInstance @InstanceArgs | |
| # Delete the permanent WMI event subscriptions you just made | |
| <# | |
| Get-WmiObject -Namespace 'root/subscription' -Class '__EventFilter' -Filter 'Name="HumanInterfaceDevice"' | Remove-WmiObject | |
| Get-WmiObject -Namespace 'root/subscription' -Class 'NTEventLogEventConsumer' -Filter 'Name="HIDConnectionEvent"' | Remove-WmiObject | |
| Get-WmiObject -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Filter 'Filter="__EventFilter.Name=\"HumanInterfaceDevice\""' | Remove-WmiObject | |
| #> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment