Last active: June 9, 2019 14:56
Getting all permanent WMI subscriptions for all classes
##########################Author: Bonjour123#############################
# Although really convenient, WMI permanent subscriptions can also be  #
# used by malware. They are usually set up to receive events and        #
# trigger some action (like downloading scripts), which gives the       #
# malware a persistence mechanism.                                      #
# This script returns a list of all the permanent WMI subscriptions     #
# for all the different classes, allowing an overall view.              #
# More info: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
#########################################################################
# Enumerate every class defined in root\Subscription by name. -ExpandProperty
# yields the bare class-name strings, so no string slicing of "@{Name=...}" is needed.
$classes = Get-WmiObject -Namespace root\Subscription -List | Select-Object -ExpandProperty Name
ForEach ($class In $classes) {
    # Dump every instance of each class. Abstract and system classes simply
    # return nothing; classes that cannot be queried are skipped silently.
    Get-WmiObject -Namespace root\Subscription -Class $class -ErrorAction SilentlyContinue
}
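The gist dumps the raw instances of every class in root\Subscription, which leaves the reader to match each __FilterToConsumerBinding to its __EventFilter and __EventConsumer by hand. The following is an added example, not part of the original gist, that performs that correlation: for each binding it shows the filter's WQL query and the payload the consumer would run (CommandLineEventConsumer and ActiveScriptEventConsumer being the classes that execute something). The helper functions Get-RefName and Get-ConsumerPayload are my own names; the namespace, class names and properties are standard WMI. It assumes Windows PowerShell with read access to root\subscription (a full view needs an elevated session).

```powershell
# Added example (not part of the original gist): correlate the three pieces of a
# permanent WMI subscription so each binding is shown with its filter query and
# the consumer payload it triggers.
$ns = 'root\subscription'

# Index filters and consumers by name so bindings can be resolved without
# issuing one WMI query per binding.
$filters = @{}
Get-WmiObject -Namespace $ns -Class __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }
$consumers = @{}
Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

# A binding's Filter/Consumer properties are reference strings such as
#   __EventFilter.Name="MyFilter"
# so pull the Name value out of that reference. (Helper name is mine.)
function Get-RefName([string]$Ref) {
    if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] }
    return $Ref
}

# What each consumer class actually runs when its filter fires. (Helper name is mine.)
function Get-ConsumerPayload($Consumer) {
    if ($null -eq $Consumer) { return '(consumer missing: dangling binding)' }
    switch ($Consumer.__CLASS) {
        'CommandLineEventConsumer' {
            return "$($Consumer.ExecutablePath) $($Consumer.CommandLineTemplate)".Trim()
        }
        'ActiveScriptEventConsumer' {
            if ($Consumer.ScriptFileName) { return "file: $($Consumer.ScriptFileName)" }
            return "inline $($Consumer.ScriptingEngine): $($Consumer.ScriptText)"
        }
        default { return '(no executable payload for this consumer class)' }
    }
}

# One record per binding: this is the unit a reviewer triages, because a filter
# or consumer on its own does nothing until a binding ties them together.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
    $f = $filters[(Get-RefName $_.Filter)]
    $c = $consumers[(Get-RefName $_.Consumer)]
    [pscustomobject]@{
        Filter        = if ($f) { $f.Name } else { "(missing) $($_.Filter)" }
        Query         = $f.Query
        ConsumerClass = $c.__CLASS
        Consumer      = if ($c) { $c.Name } else { "(missing) $($_.Consumer)" }
        Payload       = Get-ConsumerPayload $c
    }
} | Format-List
```

On a clean workstation this usually prints nothing or only well-known entries (for example the SCM event log consumer shipped with Windows); a binding whose filter watches for system start-up or a recurring timer and whose payload launches a script host or a download command is the pattern the FireEye post linked above describes and is worth inspecting first. A binding whose filter or consumer cannot be resolved is flagged as missing rather than silently dropped, since a dangling binding can be a leftover from an incomplete cleanup.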