https://github.com/realparisi/WMI_Monitor

Log newly created WMI consumers and processes to the Windows Application event log
https://github.com/realparisi/WMI_Monitor

Last synced: 2 months ago
JSON representation

Log newly created WMI consumers and processes to the Windows Application event log

• Host: GitHub
• URL: https://github.com/realparisi/WMI_Monitor
• Owner: realparisi
• Created: 2016-08-05T17:44:36.000Z (almost 8 years ago)
• Default Branch: master
• Last Pushed: 2018-02-28T22:25:46.000Z (over 6 years ago)
• Last Synced: 2024-01-24T22:38:52.184Z (5 months ago)
• Language: PowerShell
• Homepage:
• Size: 12.7 KB
• Stars: 120
• Watchers: 8
• Forks: 23
• Open Issues: 2
• Metadata Files:
  • Readme: README.md

Lists

• awesome-cybersecurity-blueteam - WMI Monitor - Log newly created WMI consumers and processes to the Windows Application event log. (Windows-based defenses / Overlay and Virtual Private Networks (VPNs))
• awesome-cybersecurity-blueteam - WMI Monitor - Log newly created WMI consumers and processes to the Windows Application event log. (Windows-based defenses / Overlay and Virtual Private Networks (VPNs))
• awesome-blueteam - WMI Monitor - Log newly created WMI consumers and processes to the Windows Application event log. (Windows-based defenses / Threat signature packages and collections)
• awesome-cybersecurity-blueteam-cn - WMI Monitor - 该工具可将新创建的WMI使用者和进程记录到Windows应用程序事件日志中 (基于Windows的防护 / 威胁狩猎)

README

        
# WMI_Monitor

Log newly created WMI consumers and processes

https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html

Note: You must run PowerShell as administrator before using the script. 

The script requires PowerShell version 3 or above and will run in its current state as two separate PowerShell functions.

1. Open an Administrator PS window and type:

    ```

    Import-Module .\

    

    New-EventSubscriberMonitor 

    ```    

    You should see a message "The new event subscriber has been successfully created!"

    

    In a new PowerShell window, test a process call create function 

    ```    

    wmic process call create "notepad.exe" 

    ```    

2. Check the Application Event log for EID 8. When new WMI process call creates or consumers are created, these events will be recorded in the Details section of the log event

3. To disable logging, open an Administrator PS shell and type:

    ```

    Remove-SubscriberMonitor

    ```

  You should see a message "The event subscriber and all associated WMI objects have been successfully removed."