  1. @mattifestation mattifestation created this gist Jan 14, 2016.
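--- a/Example_WMI_Detection_EventLogAlert.ps1
+++ b/Example_WMI_Detection_EventLogAlert.ps1
@@ -0,0 +1,68 @@
+# Define the signature - i.e. __EventFilter
+$EventFilterArgs = @{
+EventNamespace = 'root/cimv2'
+Name = 'LateralMovementEvent'
+Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"'
+QueryLanguage = 'WQL'
+}
+
+$InstanceArgs = @{
+Namespace = 'root/subscription'
+Class = '__EventFilter'
+Arguments = $EventFilterArgs
+}
+
+$Filter = Set-WmiInstance @InstanceArgs
+
+# Define the event log template and parameters
+$Template = @(
+'Lateral movement detected!',
+'Namespace: %Namespace%',
+'Object: %ObjectPath%',
+'Method Executed: %MethodName%',
+'Command Executed: %InputParameters.CommandLine%'
+)
+
+$NtEventLogArgs = @{
+Name = 'LogLateralMovementEvent'
+Category = [UInt16] 0
+EventType = [UInt32] 2 # Warning
+EventID = [UInt32] 8
+SourceName = 'WSH'
+NumberOfInsertionStrings = [UInt32] $Template.Length
+InsertionStringTemplates = $Template
+}
+
+$InstanceArgs = @{
+Namespace = 'root/subscription'
+Class = 'NTEventLogEventConsumer'
+Arguments = $NtEventLogArgs
+}
+
+$Consumer = Set-WmiInstance @InstanceArgs
+
+$FilterConsumerBingingArgs = @{
+Filter = $Filter
+Consumer = $Consumer
+}
+
+$InstanceArgs = @{
+Namespace = 'root/subscription'
+Class = '__FilterToConsumerBinding'
+Arguments = $FilterConsumerBingingArgs
+}
+
+# Run the following code from an elevated PowerShell console.
+
+# Register the alert
+$Binding = Set-WmiInstance @InstanceArgs
+
+# Now, this will automatically generate an event log entry in the Application event log.
+Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe
+
+# Delete the permanent WMI event subscriptions you just made
+<#
+Get-WmiObject -Namespace 'root/subscription' -Class '__EventFilter' -Filter 'Name="LateralMovementEvent"' | Remove-WmiObject
+Get-WmiObject -Namespace 'root/subscription' -Class 'NTEventLogEventConsumer' -Filter 'Name="LogLateralMovementEvent"' | Remove-WmiObject
+Get-WmiObject -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Filter 'Filter="__EventFilter.Name=\"LateralMovementEvent\""' | Remove-WmiObject
+#>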
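Review bot: The elevation note ("Run the following code from an elevated PowerShell console.") is placed after the first two `Set-WmiInstance` calls, which already write into `root/subscription` and will presumably fail without an elevated console just like the third one; it belongs at the top of the file, e.g. `# Requires an elevated PowerShell console: every Set-WmiInstance call below writes to root/subscription.` None of the three `Set-WmiInstance` results is checked, so if the `__EventFilter` or `NTEventLogEventConsumer` creation fails the `__FilterToConsumerBinding` is still attempted with a `$null` `Filter` or `Consumer`; adding `-ErrorAction Stop` to each call, e.g. `$Filter = Set-WmiInstance @InstanceArgs -ErrorAction Stop`, halts at the first failure instead. The first template string, `'Lateral movement detected!'`, is also written for the purely local test `Invoke-WmiMethod ... Create` near the end of the file, because the WQL filter matches every Win32_Process.Create issued through WMI regardless of where the call originated; a comment on the filter saying the alert really means "process created via WMI", or a narrower query if a caller-identity property of the event class is usable, would prevent misreading the event. `$FilterConsumerBingingArgs` (used consistently in both places) reads like a misspelling of `Binding`.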