Skip to content
/ WMI_Monitor Public

Log newly created WMI consumers and processes to the Windows Application event log

122 stars 24 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

realparisi/WMI_Monitor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
WMIMonitor.ps1
WMIMonitor.ps1
 
 

Repository files navigation

WMI_Monitor

Log newly created WMI consumers and processes

https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html

Note: You must run PowerShell as administrator before using the script. The script requires PowerShell version 3 or above and will run in its current state as two separate PowerShell functions.

  1. Open an Administrator PS window and type:

    Import-Module .\<path to WMIMonitor.ps1>

New-EventSubscriberMonitor

    You should see a message "The new event subscriber has been successfully created!"

    In a new PowerShell window, test a process call create function

    wmic process call create "notepad.exe"

  2. Check the Application Event log for EID 8. When new WMI process call creates or consumers are created, these events will be recorded in the Details section of the log event

  3. To disable logging, open an Administrator PS shell and type:

    Remove-SubscriberMonitor

You should see a message "The event subscriber and all associated WMI objects have been successfully removed."

About

Log newly created WMI consumers and processes to the Windows Application event log

Resources

Readme
Activity

Stars

122 stars

Watchers

8 watching

Forks

24 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages