Developed by @jaredcatkinson, @mattifestation, @harmj0y, @sixdub


Uproot is a Host Based Intrusion Detection System (HIDS) that leverages permanent Windows Management Instrumentation (WMI) Event Subscriptions to detect malicious activity on a network. For more details on WMI Event Subscriptions please see the WMIEventing Module.

For best results, it is recommended to use Uproot's AS_GenericHTTP consumer and an Uproot Listening Post to forward events via syslog to a log aggregator such as Splunk.

Note: Uproot was designed for a controller running PowerShell v3 or later. The module can be used with PowerShell v2, but a great deal of functionality will be missing. Microsoft has, however, consistently included WMI in Microsoft Windows since Windows NT 4.0 and Windows 95, so Uproot can be used with Windows OS endpoints from Windows NT 4.0 forward.


Signature Sets - Prebuilt sets of filters, consumers, and subscriptions

Install-UprootSignature - Adds prebuilt signatures (sets of filters and consumers) to any specified computer.

Uproot Listening Post

The Uproot project includes a service executable that can be used as a Listening Post (LP), a point in the network that aggregates and forwards events. The Listening Post receives HTTP POST requests, converts the received data to Syslog, and forwards the data to any specified location (e.g. Splunk).

You can have multiple Listening Posts throughout your network to allow for load distribution, or to work with firewall restrictions.

Below is a list of Cmdlets to install/configure an Uproot Listening Post:

Get-UprootLP - Lists Uproot Listening Posts on a local or remote computer.
New-UprootLP - Creates a new Uproot Listening Post on a local or remote computer.
Remove-UprootLP - Removes the Uproot Listening Post from a local or remote computer.
Restart-UprootLP - Restarts the Uproot Listening Post on a local or remote computer with new configs.
Start-UprootLP - Starts the Uproot Listening Post on a local or remote computer.
Stop-UprootLP - Stops the Uproot Listening Post on a local or remote computer.

NOTE: To avoid creating a privilege escalation vulnerability (a service binary left in a user-writable directory can be replaced by a lower-privileged user), we recommend that you move uprootd.exe to C:\Windows\system32\ before using New-UprootLP.


(Write something about Intrinsic vs. Extrinsic) BOTTOM LINE: Whenever possible, use Extrinsic events instead of Intrinsic events. Intrinsic events require polling, which is more resource intensive than Extrinsic events (although I haven't come across any major issues yet).


DriverCreation - Intrinsic Event monitoring for the creation/registration of System Drivers
LoggedOnUserCreation - 
NetworkConnectionCreation - 
ProcessCreation - Intrinsic Event monitoring for process creation
ProcessStartTrace - Extrinsic Event monitoring for process creation 
ScheduledJobCreation - Intrinsic Event monitoring for the creation/registration of "AT" jobs
ServerConnectionCreation - 
ServiceCreation - 
ShadowCopyCreation - Intrinsic Event monitoring for the creation of a Volume Shadow Copy
ShareCreation - Intrinsic Event monitoring for the creation of a File Share
StartupCommandCreation - 
UserCreation - Intrinsic Event monitoring for the creation of a local user
UserProfileCreation - 


AS_GenericHTTP - Generic ActiveScriptEventConsumer for All Events (this is the recommended consumer)
AS_ExtrinsicHTTP - Generic ActiveScriptEventConsumer for Extrinsic Events (Win32_ProcessStartTrace)
AS_IntrinsicHTTP - Generic ActiveScriptEventConsumer for Intrinsic Events (Win32_ProcessCreation)
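The difference between the Intrinsic ProcessCreation filter and the Extrinsic ProcessStartTrace filter, as an added example that is not part of the Uproot module: both queries are registered as temporary subscriptions with Register-WmiEvent, so nothing is written to root\subscription. The 5 second WITHIN interval is this example's choice, not Uproot's, and Win32_ProcessStartTrace requires an elevated session.

```powershell
# Added example (not Uproot code): intrinsic vs. extrinsic WMI event queries.

# Intrinsic: WMI itself polls Win32_Process every WITHIN interval (5 s here) and
# synthesises an __InstanceCreationEvent for each new instance it notices.
$intrinsicQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
                  "WHERE TargetInstance ISA 'Win32_Process'"

# Extrinsic: the provider raises the event itself at process start; there is no
# WITHIN clause and no polling, so processes that exit quickly are not missed.
$extrinsicQuery = "SELECT * FROM Win32_ProcessStartTrace"

Register-WmiEvent -Query $intrinsicQuery -SourceIdentifier 'Demo.Intrinsic' -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance   # a Win32_Process snapshot
    Write-Host ("[intrinsic] {0} pid={1} ppid={2} cmd={3}" -f `
        $p.Name, $p.ProcessId, $p.ParentProcessId, $p.CommandLine)
} | Out-Null

Register-WmiEvent -Query $extrinsicQuery -SourceIdentifier 'Demo.Extrinsic' -Action {
    $e = $Event.SourceEventArgs.NewEvent                   # a Win32_ProcessStartTrace event
    Write-Host ("[extrinsic] {0} pid={1} ppid={2} session={3}" -f `
        $e.ProcessName, $e.ProcessID, $e.ParentProcessID, $e.SessionID)
} | Out-Null

# A process that exits immediately: the extrinsic handler reports it, the intrinsic
# one usually does not, because it is gone before the next poll.
Start-Process -FilePath cmd.exe -ArgumentList '/c exit' -WindowStyle Hidden
Start-Sleep -Seconds 1

# A process that lingers longer than the WITHIN interval is seen by both handlers.
$np = Start-Process -FilePath notepad.exe -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 7
Stop-Process -Id $np.Id -Force

# Tear down the temporary subscriptions and their event jobs.
'Demo.Intrinsic', 'Demo.Extrinsic' | ForEach-Object { Unregister-Event -SourceIdentifier $_ }
Get-Job -Name 'Demo.*' | Remove-Job -Force
```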



Prebuilt Sigs

Basic - An example signature file

Module Installation

Jakub Jareš wrote an excellent introduction to module installation, so I decided to adapt his example for Uproot.

To begin, open an internet browser and navigate to the main Uproot GitHub page. Once on this page you will need to download and extract the module into your modules directory.

If you used Internet Explorer to download the archive, you need to unblock the archive before extraction, otherwise PowerShell will complain when you import the module. If you are using PowerShell 3.0 or newer you can use the Unblock-File cmdlet to do that:

Unblock-File -Path "$env:UserProfile\Downloads\"

If you are using an older version of PowerShell you will have to unblock the file manually. Go to your Downloads folder, right-click the downloaded archive and select "Properties". On the General tab click Unblock and then click OK to close the dialog.

Open your Modules directory and create a new folder called Uproot. You can use this script to open the correct folder effortlessly:

function Get-UserModulePath {
    # The per-user entry in PSModulePath is the one containing the user name
    $Path = $env:PSModulePath -split ";" -match $env:USERNAME
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -ItemType Container | Out-Null
    }
    $Path
}
Invoke-Item (Get-UserModulePath)

Extract the archive to the Uproot folder. When you are done you should have all these files in your Uproot directory:

Start a new PowerShell session and import the Uproot module using the commands below:

Get-Module -ListAvailable -Name Uproot
Import-Module Uproot
Get-Command -Module Uproot

You are now ready to use the Uproot PowerShell module!


Install Signature File

Install-UprootSignature -ComputerName (Get-Content .\hostlist.txt) -SigFile Basic
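A way to verify what Install-UprootSignature left behind, and to spot subscriptions that nothing installed on purpose, as an added example that is not part of Uproot: it enumerates the permanent subscriptions in root\subscription on each host and joins every binding to its filter query and consumer class. The hostlist.txt file and the AS_* consumer name prefix are taken from this page; treating any other consumer as suspicious is a heuristic, not a rule.

```powershell
# Added example (not Uproot code): audit permanent WMI event subscriptions.
function Get-PermanentWmiSubscription {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Binding properties hold object paths such as __EventFilter.Name="ProcessStartTrace";
        # pull the quoted Name out of each path to find the referenced instances.
        $filterName   = if ($b.Filter   -match 'Name="([^"]+)"') { $Matches[1] } else { $null }
        $consumerName = if ($b.Consumer -match 'Name="([^"]+)"') { $Matches[1] } else { $null }
        $f = $filters   | Where-Object { $_.Name -eq $filterName }
        $c = $consumers | Where-Object { $_.Name -eq $consumerName }

        # Script consumers carry the code that runs on every event; surface it for review.
        $script = $null
        if ($c -and $c.__CLASS -eq 'ActiveScriptEventConsumer') { $script = $c.ScriptText }

        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            Filter       = $filterName
            Query        = $f.Query
            Consumer     = $consumerName
            ConsumerType = $c.__CLASS
            ScriptText   = $script
        }
    }
}

# Confirm the signature set on every host that received it.
foreach ($computer in Get-Content .\hostlist.txt) {
    Get-PermanentWmiSubscription -ComputerName $computer |
        Format-Table ComputerName, Filter, ConsumerType, Consumer -AutoSize
}

# Bindings that do not point at one of Uproot's AS_* consumers deserve a second look.
Get-PermanentWmiSubscription | Where-Object { $_.Consumer -notlike 'AS_*' } |
    Format-List Filter, Query, ConsumerType, Consumer, ScriptText
```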

Install Local Listening Post

Copy-Item $PSModulePath\Uproot\bin\uprootd.exe C:\windows\System32\uprootd.exe
New-UprootLP -BinaryPathName C:\windows\System32\uprootd.exe
Start-UprootLP -Server

Install Remote Listening Post

Copy-Item $PSModulePath\Uproot\bin\uprootd.exe \\LPHost\C$\windows\System32\uprootd.exe
New-UprootLP -ComputerName LPHost -BinaryPathName C:\windows\System32\uprootd.exe
Start-UprootLP -ComputerName LPHost -Server

Remove Local Listening Post


Remove Remote Listening Post

Get-UprootLP -ComputerName LPHost
Stop-UprootLP -ComputerName LPHost
Remove-UprootLP -ComputerName LPHost


Currently not updated for WMIEvent module...