WMI permanent event filter and command-line consumer that fire on a Windows Defender / Microsoft Security Client malware detection and display the detection details.
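# Registers a permanent WMI event subscription that pops a message box in every
# session whenever the Microsoft Security Client WMI provider reports a new
# 'Malware' instance.
#
# Requirements and caveats:
#   * Run elevated: writing to root/subscription needs administrator rights.
#   * The subscription is persistent -- it survives logoff and reboot until the
#     three instances created below are removed (cleanup snippet at the bottom).
#   * The filter watches root\Microsoft\SecurityClient (Microsoft Security Client /
#     SCEP-era provider). Newer Windows Defender builds appear to expose detections
#     under a different namespace/class -- TODO confirm that the namespace and the
#     'Malware' class exist on the target build before relying on this.
#   * A CommandLineEventConsumer bound in root/subscription is exactly the mechanism
#     used for WMI persistence (MITRE ATT&CK T1546.003). Expect Sysmon (event IDs
#     19/20/21) and the WMI-Activity operational log to flag its creation; record it
#     as an approved change so responders do not treat it as an implant.
#   * The consumer template interpolates %TargetInstance.ThreatName%,
#     %TargetInstance.User% and %TargetInstance.Path% straight into a command line.
#     The path and name come from the detected file, i.e. from whoever dropped it,
#     so treat them as attacker-influenced text. CommandLineEventConsumer launches the
#     process directly rather than through cmd.exe, but quote characters in a path
#     can still change how msg.exe parses its arguments.

# 1. Event filter: poll (WITHIN 5 s) for new 'Malware' instances in the Security
#    Client namespace. -ErrorAction Stop so a failed PutInstance aborts the script
#    instead of leaving $filt as $null for the binding step.
$filterArgs = @{
    Name           = 'MonitorMalwareFilt'
    QueryLanguage  = 'WQL'
    Query          = "select * from __instancecreationevent within 5 where targetinstance isa 'Malware'"
    EventNamespace = 'root\Microsoft\SecurityClient'
}
$filt = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $filterArgs -ErrorAction Stop
if (-not $filt) { throw 'Failed to create __EventFilter MonitorMalwareFilt' }

# 2. Consumer: runs msg.exe (all sessions) with the detection details substituted
#    from the event's TargetInstance.
$consumerArgs = @{
    Name                = 'MonitorMalwareCons'
    CommandLineTemplate = 'msg * Malware: %TargetInstance.ThreatName% from %TargetInstance.User% at %TargetInstance.Path% (Severity: %TargetInstance.SeverityID%)'
}
$cons = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $consumerArgs -ErrorAction Stop
if (-not $cons) { throw 'Failed to create CommandLineEventConsumer MonitorMalwareCons' }

# 3. Binding: wires the filter to the consumer. Nothing fires until this exists.
$bindingArgs = @{ Filter = $filt; Consumer = $cons }
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $bindingArgs -ErrorAction Stop

# Cleanup (run elevated) -- remove the binding first, then the filter and consumer:
#   Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding |
#       Where-Object { $_.Filter -match 'MonitorMalwareFilt' } | Remove-WmiObject
#   Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name='MonitorMalwareFilt'" | Remove-WmiObject
#   Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name='MonitorMalwareCons'" | Remove-WmiObject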