
WMIEventing

Developed by @jaredcatkinson, @harmj0y, @sixdub

Overview

A WMI Event Subscription has three parts. An Event Filter (__EventFilter) is a WMI Query Language (WQL) query that specifies the type of object to look for (for more details on WQL, see Ravikanth Chaganti's free ebook). Event Consumers (__EventConsumer) are the action component of the Event Subscription: they tell the subscription what to do with an object that makes it past the filter. There are five default event consumers in Windows: ActiveScriptEventConsumer (runs arbitrary VBScript or JScript code), CommandLineEventConsumer (executes an arbitrary command), LogFileEventConsumer (writes to a specified flat log file), NtEventLogEventConsumer (creates a new event log), and SMTPEventConsumer (sends an email). Lastly, the Binding (__FilterToConsumerBinding) pairs a Filter with a Consumer.
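The three objects described above can be audited on any host with the built-in CIM cmdlets, without the module installed. The following is an added example (not code from the WMIEventing module): it walks every binding in root/subscription, resolves the filter query and the consumer's payload, and flags the two consumer classes that execute code. It assumes an elevated session so that every subscription is visible.

```powershell
# Added example (not the WMIEventing module's own code): list every permanent subscription on
# the local host with the built-in CIM cmdlets, resolving each binding to its filter query and
# consumer payload, and flag the consumer types that execute code.
$ns = 'root/subscription'

# WQL string literals use a backslash to escape a single quote
function ConvertTo-WqlLiteral([string]$s) { $s -replace "'", "\'" }

function Get-WmiSubscriptionAudit {
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $filterName   = $b.Filter.Name
        $consumerType = $b.Consumer.CimSystemProperties.ClassName
        $consumerName = $b.Consumer.Name

        # Look both ends of the binding up by key so every property is populated
        $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter `
                        -Filter "Name='$(ConvertTo-WqlLiteral $filterName)'"
        $consumer = Get-CimInstance -Namespace $ns -ClassName $consumerType `
                        -Filter "Name='$(ConvertTo-WqlLiteral $consumerName)'"

        # What the consumer does when an event makes it past the filter
        $payload = switch ($consumerType) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' {
                $body = if ($consumer.ScriptText) { $consumer.ScriptText } else { "file: $($consumer.ScriptFileName)" }
                "$($consumer.ScriptingEngine): $body"
            }
            'LogFileEventConsumer'      { $consumer.Filename }
            'NTEventLogEventConsumer'   { $consumer.SourceName }
            'SMTPEventConsumer'         { $consumer.ToLine }
            default                     { '(unknown consumer class)' }
        }

        [PSCustomObject]@{
            Filter         = $filterName
            EventNamespace = $filter.EventNamespace
            Query          = $filter.Query
            ConsumerType   = $consumerType
            Consumer       = $consumerName
            Payload        = $payload
            # CommandLine and ActiveScript consumers run arbitrary commands or script, so they
            # are the two classes that merit a closer look in a persistence review
            ExecutesCode   = $consumerType -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

Get-WmiSubscriptionAudit | Sort-Object ExecutesCode -Descending | Format-List
```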

Cmdlets

Event Filter (__EventFilter):

Add-WmiEventFilter - Adds a WMI Event Filter to the local or a remote computer.
Get-WmiEventFilter - Gets the WMI Event Filters that are "installed" on the local or a remote computer.
Remove-WmiEventFilter - Removes a WMI Event Filter from the local or a remote computer.

Event Consumers (__EventConsumer):

Add-WmiEventConsumer - Adds a WMI Event Consumer to the local or a remote computer.
Get-WmiEventConsumer - Gets the WMI Event Consumers that are "installed" on the local or a remote computer.
Remove-WmiEventConsumer - Removes a WMI Event Consumer from the local or a remote computer.

Event Subscription (__FilterToConsumerBinding):

Add-WmiEventSubscription - Adds a WMI Event Subscription to the local or a remote computer.
Get-WmiEventSubscription - Gets the WMI Event Subscriptions that are "installed" on the local or a remote computer.
Remove-WmiEventSubscription - Removes a WMI Event Subscription from the local or a remote computer.

Jakub Jareš wrote an excellent introduction to module installation, so I decided to adapt his example for WMIEventing.

To begin, open a web browser and navigate to the main WMIEventing GitHub page. From there, download the archive and extract the module into your modules directory.

If you used Internet Explorer to download the archive, you need to unblock the archive before extraction, otherwise PowerShell will complain when you import the module. If you are using PowerShell 3.0 or newer you can use the Unblock-File cmdlet to do that:

Unblock-File -Path "$env:UserProfile\Downloads\WMIEventing-master.zip"

If you are using an older version of PowerShell you will have to unblock the file manually. Go to your Downloads folder and right-click WMIEventing-master.zip and select "Properties". On the general tab click Unblock and then click OK to close the dialog.

Open your Modules directory and create a new folder called WMIEventing. You can use this script to open the correct folder effortlessly:

function Get-UserModulePath {
 
    $Path = $env:PSModulePath -split ";" -match $env:USERNAME
 
    if (-not (Test-Path -Path $Path))
    {
        New-Item -Path $Path -ItemType Container | Out-Null
    }
    
    $Path
}
 
Invoke-Item (Get-UserModulePath)

Extract the archive to the WMIEventing folder. When you are done you should have all these files in your WMIEventing directory:

Start a new PowerShell session and import the WMIEventing module using the commands below:

Get-Module -ListAvailable -Name WMIEventing
Import-Module WMIEventing
Get-Command -Module WMIEventing

You are now ready to use the WMIEventing PowerShell module!

Examples

Add-WmiEventFilter

Add an Event Filter named "ProcessStartTrace" that monitors for instances of the Win32_ProcessStartTrace WMI Class:

Add-WmiEventFilter -Name ProcessStartTrace -Query "SELECT * FROM Win32_ProcessStartTrace"

Add-WmiEventConsumer (ActiveScriptEventConsumer Script Text)

Add an ActiveScriptEventConsumer called "AS_GenericHTTP" with an embedded ScriptText:

$ListeningPostIP = "<listening-post-ip>"   # placeholder: the collector that receives the JSON POST (not defined on the original page)

$script = @"
Set objSysInfo = CreateObject("WinNTSystemInfo")
Set objHTTP = CreateObject("Microsoft.XMLHTTP")

objHTTP.open "POST", "http://$($ListeningPostIP)/", False
objHTTP.setRequestHeader "User-Agent", "UprootIDS"

' Record the first address of the last IP-enabled adapter so the collector can attribute the event
Dim ipString

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\localhost\root\cimv2")
Set IPConfigSet = objWMIService.ExecQuery("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE")

For Each IPConfig in IPConfigSet
    If Not IsNull(IPConfig.IPAddress) Then
        ipString = IPConfig.IPAddress(0)
    End If
Next

' Build the JSON body by hand; TargetEvent is the event object WMI hands to an ActiveScriptEventConsumer
Dim outputString

outputString = outputString & "{""TargetEvent"":{"
outputString = outputString & """TimeCreated"":""" & TargetEvent.Time_Created & ""","
outputString = outputString & """SourceIP"":""" & ipString & ""","
outputString = outputString & """Server"":""" & objSysInfo.ComputerName & ""","

' Intrinsic events carry the changed object in TargetInstance; anything else is an extrinsic event
If ((TargetEvent.Path_.Class = "__NamespaceOperationEvent") Or _
    (TargetEvent.Path_.Class = "__NamespaceModificationEvent") Or _
    (TargetEvent.Path_.Class = "__NamespaceDeletionEvent") Or _
    (TargetEvent.Path_.Class = "__NamespaceCreationEvent") Or _
    (TargetEvent.Path_.Class = "__ClassOperationEvent") Or _
    (TargetEvent.Path_.Class = "__ClassModificationEvent") Or _
    (TargetEvent.Path_.Class = "__ClassCreationEvent") Or _
    (TargetEvent.Path_.Class = "__InstanceOperationEvent") Or _
    (TargetEvent.Path_.Class = "__InstanceCreationEvent") Or _
    (TargetEvent.Path_.Class = "__MethodInvocationEvent") Or _
    (TargetEvent.Path_.Class = "__InstanceModificationEvent") Or _
    (TargetEvent.Path_.Class = "__InstanceDeletionEvent") Or _
    (TargetEvent.Path_.Class = "__TimerEvent")) Then
    outputString = outputString & """EventType"":""" & TargetEvent.Path_.Class & ""","
    outputString = outputString & """InstanceType"":""" & TargetEvent.TargetInstance.Path_.Class & ""","
    outputString = outputString & """TargetInstance"":{"

    For Each oProp in TargetEvent.TargetInstance.Properties_
        outputString = outputString & """" & oProp.Name & """:""" & oProp & ""","
    Next
Else
    outputString = outputString & """EventType"":""ExtrinsicEvent"","
    outputString = outputString & """InstanceType"":""" & TargetEvent.Path_.Class & ""","
    outputString = outputString & """TargetInstance"":{"

    For Each oProp in TargetEvent.Properties_
        If oProp.Name <> "Sid" Then
            outputString = outputString & """" & oProp.Name & """:""" & oProp & ""","
        End If
    Next
End If

' Drop the trailing comma, then close TargetInstance, TargetEvent and the outer object
outputString = Left(outputString, Len(outputString) - 1)
outputString = outputString & "}"
outputString = outputString & "}}"

objHTTP.send outputString

Set objHTTP = Nothing
"@

Add-WmiEventConsumer -Name AS_GenericHTTP -ScriptingEngine VBScript -ScriptText $script

Add-WmiEventSubscription

Add a Subscription that pairs the "ProcessStartTrace" Filter with the "AS_GenericHTTP" ActiveScriptEventConsumer:

Add-WmiEventSubscription -FilterName ProcessStartTrace -ConsumerName AS_GenericHTTP -ConsumerType ActiveScriptEventConsumer

Get-WmiEventFilter

Get all Event Filters on the local system:

Get-WmiEventFilter

Get the Event Filter named "ProcessStartTrace" on the local system:

Get-WmiEventFilter -Name ProcessStartTrace

Get-WmiEventConsumer

Get all Event Consumers on the local system:

Get-WmiEventConsumer

Get the Event Consumer named "AS_GenericHTTP" on the local system:

Get-WmiEventConsumer -Name AS_GenericHTTP

Get-WmiEventSubscription

Get all Event Subscriptions on the local system:

Get-WmiEventSubscription

Remove-WmiEventFilter

Remove all Event Filters from the local system:

Remove-WmiEventFilter

Remove the Event Filter named "ProcessStartTrace" from the local system:

Remove-WmiEventFilter -Name ProcessStartTrace

Get all Event Filters and pass them through the pipeline for removal:

Get-WmiEventFilter | Remove-WmiEventFilter

Remove-WmiEventConsumer

Remove all Event Consumers from the local system:

Remove-WmiEventConsumer

Remove the Event Consumer named "AS_GenericHTTP" from the local system:

Remove-WmiEventConsumer -Name AS_GenericHTTP

Get all Event Consumers and pass them through the pipeline for removal:

Get-WmiEventConsumer | Remove-WmiEventConsumer

Remove-WmiEventSubscription

Remove all Event Subscriptions from the local system:

Remove-WmiEventSubscription

Get all Event Subscriptions and pass them through the pipeline for removal:

Get-WmiEventSubscription | Remove-WmiEventSubscription
