Found 20 repositories (showing 20)
mdsecactivebreach
WMI Event Subscription Persistence in C#
MHaggis
Interactive PowerShell framework for testing WMI, COM, LOLBAS, and persistence techniques
darkquasar
A repo to hold some scripts pertaining to WMI (Windows implementation of WBEM) forensics
n0pe-sled
No description available
woanware
Parses the WMI object database, looking for persistence
rikvanduijn
No description available
subesp0x10
No description available
bspence7337
A powershell script to create WMI Event subscription persistence
AxelPotato
WMI persistence code snippets
kelvinguo1988
The script realizes intranet lateral movement and permission persistence through WMI event subscription.
Erez-Goldberg
PowerShell reverse shell with AMSI bypass, PsExec download and persistence via WMI event subscription
quangtrm
Slides from ‘Next-gen Fileless Malware - Beyond WMI’ at Tradahacking 2018, analyzing advanced fileless malware techniques, WMI-based persistence, stealthy C&C communication, and detection challenges.
Potato-9257
TEST--WMI_Fileless_Persistence
AzadaBiola
No description available
cyberpanonius
All public tools (as far as I know) can't properly parse offline WBEM (offline WMI) objects on newer editions of Windows. This tool is designed to parse the newer formats (objects.data and index.btr). It is based on the dissect.cim library (https://github.com/fox-it/dissect.cim)
coopmarshall
Use WMI and PowerShell commands to establish persistence
ayinedjimi
C++ WMI event consumer hunter for persistence mechanism detection
NathanKazen
This is Ultimate C2 using Discord bot and running on WMI persistence
wantingchen0852
Hands-on Windows persistence lab using PowerShell (Registry, Startup folder, PowerShell profile, WMI) on a BO-BOBO VM.
MarshallSecOps
End-to-end investigation of the APT29 emulation dataset using Splunk, including detection development, evidence-backed timelines, and MITRE ATT&CK mapping. The project covers decoded obfuscated PowerShell payloads, LSASS credential dumping, WinRM/WMI lateral movement, and covert credential staging and persistence, culminating in a full DFIR report.