last-byte / PersistenceSniper

Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte

Added WMI Event Subscriptions (T1546.003) #2

Closed cecio closed 1 year ago

cecio commented 1 year ago

Hey,

great project, thanks for sharing it!

I added a new persistence method if you accept pull requests: WMI events.

I have only one doubt about the implementation: in the Value field I'd like to insert more than one field coming from the WMI object. So far I did it in this way:

ScriptingEngine: <engine> / ScriptFileName: <name> / ScriptText: <text>

but I'm not sure it is the best way... anyway, I can re-work it if you want to handle it in a different way.

Thanks,
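As an added illustration of the approach discussed in this PR (this is not PersistenceSniper's code nor the pull request itself), the script below enumerates permanent WMI event subscriptions in `root\subscription` and joins the interesting consumer properties into a single `Value` string in the `ScriptingEngine: <engine> / ScriptFileName: <name> / ScriptText: <text>` style. The function names, the `MitreId` field, and the choice of `ExecutablePath`/`CommandLineTemplate` for `CommandLineEventConsumer` are my own assumptions; the WMI class and property names are the real ones.

```powershell
# Added example, not PersistenceSniper's own code: hunt permanent WMI event
# subscriptions (T1546.003) and build a joined "Field: value / Field: value"
# Value string. Assumes a PowerShell 3+ session (Get-CimInstance), ideally
# elevated so that every binding in root\subscription is visible.

function Get-ReferenceName {
    # Reference properties arrive as CimInstance objects from Get-CimInstance,
    # or as strings like __EventFilter.Name="X" from Get-WmiObject; handle both.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -split 'Name=', 2)[-1].Trim('"') }
    return [string]$Ref.Name
}

function Get-ReferenceClass {
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -split '\.', 2)[0] }
    return [string]$Ref.CimSystemProperties.ClassName
}

function Format-ConsumerValue {
    # Join the consumer fields that matter for triage into one Value string,
    # e.g. "ScriptingEngine: VBScript / ScriptFileName:  / ScriptText: ...".
    param($Consumer)
    switch ($Consumer.CimSystemProperties.ClassName) {
        'ActiveScriptEventConsumer' { $fields = 'ScriptingEngine', 'ScriptFileName', 'ScriptText' }
        'CommandLineEventConsumer'  { $fields = 'ExecutablePath', 'CommandLineTemplate' }   # assumed field choice
        default                     { $fields = @('Name') }  # LogFile/NTEventLog/SMTP consumers: still surface them
    }
    return ($fields | ForEach-Object { '{0}: {1}' -f $_, $Consumer.$_ }) -join ' / '
}

function Get-WmiEventSubscriptionPersistence {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    # Index filters by name so each binding can be resolved to its WQL query.
    $filters = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue |
        ForEach-Object { $filters[$_.Name] = $_ }

    # Enumerating the abstract __EventConsumer class returns every derived
    # consumer. Key by class|name so same-named consumers of different
    # classes do not collide.
    $consumers = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { $consumers["$($_.CimSystemProperties.ClassName)|$($_.Name)"] = $_ }

    # A filter or consumer on its own does nothing; only a binding executes
    # code, so bindings are the unit of persistence worth reporting.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object {
            $filterName  = Get-ReferenceName $_.Filter
            $consumerKey = '{0}|{1}' -f (Get-ReferenceClass $_.Consumer), (Get-ReferenceName $_.Consumer)
            $filter      = $filters[$filterName]
            $consumer    = $consumers[$consumerKey]

            $query = if ($filter)   { $filter.Query }                  else { '<filter not found>' }
            $value = if ($consumer) { Format-ConsumerValue $consumer } else { '<consumer not found>' }

            [PSCustomObject]@{
                Technique   = 'WMI Event Subscription'
                MitreId     = 'T1546.003'   # assumed field name for this example
                Consumer    = $consumerKey
                Filter      = $filterName
                FilterQuery = $query
                Value       = $value
            }
        }
}

# Usage: list every binding with its trigger query and joined consumer payload.
Get-WmiEventSubscriptionPersistence | Format-List
```

A dangling reference (a binding whose filter or consumer no longer exists) is reported rather than skipped, since a half-removed implant is itself a useful artifact during incident response.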

last-byte commented 1 year ago

Hey, thanks for the kind words AND the pull request. Of course I accept them, yours specifically looks perfectly integrated with the rest of the code to say the least. About the Value field, I think the way you implemented it is just fine, so I'll merge it!