Forked from mattifestation/autodump_powershell_process.ps1
Created
June 8, 2016 15:49
Revisions
mattifestation revised this gist
Jun 7, 2016 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,7 +1,7 @@ $EventFilterArgs = @{ EventNamespace = 'root/cimv2' Name = 'PowerShellProcessStarted' Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"' QueryLanguage = 'WQL' } -
mattifestation created this gist
Jun 7, 2016 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,28 @@ $EventFilterArgs = @{ EventNamespace = 'root/cimv2' Name = 'PowerShellProcessStarted' Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation[.][n][i].dll"' QueryLanguage = 'WQL' } $Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $EventFilterArgs $CommandLineConsumerArgs = @{ Name = 'PowershellMemoryCapture' CommandLineTemplate = 'procdump.exe -accepteula -g -e -t -ma %ProcessID% C:\dumps' } $Consumer = New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $CommandLineConsumerArgs $FilterToConsumerArgs = @{ Filter = [Ref] $Filter Consumer = [Ref] $Consumer } $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs <# Cleanup Get-CimInstance -Namespace root/subscription -ClassName __EventFilter | Remove-CimInstance Get-CimInstance -Namespace root/subscription -ClassName __EventConsumer | Remove-CimInstance Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding | Remove-CimInstance #>
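Review bot: The CommandLineTemplate on the PowershellMemoryCapture consumer invokes an unqualified `procdump.exe`, which is resolved against the search path of the WMI consumer host process (LocalSystem on a default install), so a writable directory on that path would let a planted binary run as SYSTEM every time the filter fires; use an absolute path such as `CommandLineTemplate = 'C:\Tools\procdump.exe -accepteula -g -e -t -ma %ProcessID% C:\dumps'`. The same line writes full (`-ma`) dumps of every process that loads System.Management.Automation into `C:\dumps`, and those dumps will contain whatever the script had in memory (tokens, passwords, decrypted SecureStrings), so the directory should exist ahead of time with an ACL limited to administrators — procdump is presumably not creating or hardening it. The commented Cleanup block is also over-broad: `Get-CimInstance -Namespace root/subscription -ClassName __EventFilter | Remove-CimInstance` (and the two lines after it) removes every filter, consumer and binding in root/subscription, not just the ones this script created, which on many hosts includes subscriptions installed by the OS or by other tooling. Constrain each removal to the names defined here, e.g. `Get-CimInstance -Namespace root/subscription -ClassName __EventFilter -Filter "Name='PowerShellProcessStarted'" | Remove-CimInstance` and the analogous `-Filter "Name='PowershellMemoryCapture'"` for the consumer, and remove the binding by its Filter/Consumer reference rather than wholesale.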