4 comments on “Cleaning up MOF persistence using powershell

  1. Pingback: Meterpreter Post Module – Persistence via MOF/powershell | khr@sh#: echo $GREETING

  2. Hi, which $EventFilter query would you use to fire an event as soon as WMI service is started at boot time ?
    I've tried:
    Select * From __InstanceCreationEvent within 1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'services.exe'
    with LogFileEventConsumer to create a csv file, but it did not create the file. I guess WMI was not yet started.
    How would you do that ?
    Thanks.

    • Where were you trying to write the csv to? Could it be an issue with write permissions? Also, remember, anything started by your MOF will run as SYSTEM. I’ll take a look at when exactly WMI starts and see if it catches anything at startup. Do you have a link to the MOF you were using?
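The exchange above is about a permanent WMI event subscription: an __EventFilter (the WQL query), a LogFileEventConsumer, and the __FilterToConsumerBinding that joins them. The following PowerShell is an added example, not code from the post or from the commenters, that builds such a subscription, enumerates it, and removes it the way a cleanup script would. The subscription name 'DemoBootLogger' and the path C:\Windows\Temp\demo-boot.log are assumptions for the demo. It uses a boot-time filter keyed on system uptime rather than on process creation, because intrinsic polling events on Win32_Process only see processes created after the WMI service has begun polling, and services.exe is already running by the time winmgmt starts. Run it from an elevated Windows PowerShell 5.1 session (the Get-/Set-WmiInstance cmdlets are not in PowerShell 7).

```powershell
# Added example (not from the original post): build, list, and remove a permanent
# WMI event subscription with PowerShell. Requires an elevated Windows PowerShell
# 5.1 session. The subscription name and log path below are assumptions for this demo.

$Name    = 'DemoBootLogger'
$LogPath = 'C:\Windows\Temp\demo-boot.log'
$Ns      = 'root\subscription'

# Win32_Process creation events are polled (WITHIN n) and only observe processes
# created after the WMI service starts polling; services.exe already exists by then.
# An uptime window on the PerfOS_System counter class fires once per boot instead.
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
         "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " +
         "AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"

function New-DemoSubscription {
    # 1. The filter: which events we care about.
    $filter = Set-WmiInstance -Namespace $Ns -Class __EventFilter -Arguments @{
        Name           = $Name
        EventNamespace = 'root\cimv2'
        QueryLanguage  = 'WQL'
        Query          = $Query
    }
    # 2. The consumer: LogFileEventConsumer appends Text to Filename each time
    #    the filter fires. %TargetInstance.SystemUpTime% is expanded from the event.
    $consumer = Set-WmiInstance -Namespace $Ns -Class LogFileEventConsumer -Arguments @{
        Name      = $Name
        Filename  = $LogPath
        Text      = 'Boot detected, uptime %TargetInstance.SystemUpTime% s'
        IsUnicode = $false
    }
    # 3. The binding: filter and consumer do nothing until they are bound.
    Set-WmiInstance -Namespace $Ns -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    } | Out-Null
}

function Get-DemoSubscription {
    # The same three queries, without the name restriction, are how you hunt for
    # MOF/WMI persistence in general. __EventConsumer is the abstract base class,
    # so querying it returns every consumer type (LogFile, CommandLine, ActiveScript...).
    Get-WmiObject -Namespace $Ns -Class __EventFilter -Filter "Name='$Name'"
    Get-WmiObject -Namespace $Ns -Class __EventConsumer | Where-Object Name -eq $Name
    # Binding.Filter is a path string such as
    # \\.\root\subscription:__EventFilter.Name="DemoBootLogger", so match on it.
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match "Name=`"$Name`"" }
}

function Remove-DemoSubscription {
    # Remove the binding first so the consumer cannot fire while the rest is deleted.
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match "Name=`"$Name`"" } | Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class __EventConsumer |
        Where-Object Name -eq $Name | Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class __EventFilter -Filter "Name='$Name'" |
        Remove-WmiObject
}

New-DemoSubscription
Get-DemoSubscription | Format-List Name, Query, Filename, Filter, Consumer
# Reboot, wait a few minutes, check $LogPath, then clean up with:
# Remove-DemoSubscription
```

Everything the consumer does runs as SYSTEM under the WMI service, so the log path must be writable by SYSTEM and the consumer cannot rely on a user profile. Get-DemoSubscription should return nothing after Remove-DemoSubscription; if a binding survives, the subscription is still live even though its filter or consumer may be gone.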
