Otter's Notes

Enumerate WMI events


Last updated 8 months ago

This snippet enumerates both intrinsic and extrinsic WMI event classes: Get-WmiNamespace walks the repository, and the two filters sort each namespace's event classes by whether they derive from __ExtrinsicEvent (raised by a provider) or only from __Event (intrinsic, generated by WMI itself on instance, class or namespace changes).

function Get-WmiNamespace {
<#
.SYNOPSIS

Returns a list of WMI namespaces present within the specified namespace.

.PARAMETER Namespace

Specifies the WMI repository namespace in which to list sub-namespaces. Get-WmiNamespace defaults to the ROOT namespace.

.PARAMETER Recurse

Specifies that namespaces should be recursed upon starting from the specified root namespace.

.EXAMPLE

Get-WmiNamespace

.EXAMPLE

Get-WmiNamespace -Recurse

.EXAMPLE

Get-WmiNamespace -Namespace ROOT\CIMV2

.EXAMPLE

Get-WmiNamespace -Namespace ROOT\CIMV2 -Recurse

.OUTPUTS

System.String

Get-WmiNamespace returns fully-qualified namespace names.
#>

    [OutputType([String])]
    Param (
        [String]
        [ValidateNotNullOrEmpty()]
        $Namespace = 'ROOT',

        [Switch]
        $Recurse
    )

    # $PSBoundParameters is modified in place here (not copied) so that the
    # recursive call below re-splats every bound switch except -Namespace
    $BoundParamsCopy = $PSBoundParameters
    $null = $BoundParamsCopy.Remove('Namespace')

    # exclude locale specific namespaces
    Get-WmiObject -Class __NAMESPACE -Namespace $Namespace -Filter 'NOT Name LIKE "ms_4%"' | ForEach-Object {
        $FullyQualifiedNamespace = '{0}\{1}' -f $_.__NAMESPACE, $_.Name
        $FullyQualifiedNamespace

        if ($Recurse) {
            Get-WmiNamespace -Namespace $FullyQualifiedNamespace @BoundParamsCopy
        }
    }
}

filter Get-WmiExtrinsicEvent {
<#
.SYNOPSIS

Returns all WMI extrinsic event types for the specified namespace.

.PARAMETER Namespace

Specifies the WMI repository namespace in which to list extrinsic event types.

.EXAMPLE

Get-WmiExtrinsicEvent

.EXAMPLE

Get-WmiNamespace -Recurse | Get-WmiExtrinsicEvent

.INPUTS

System.String

Get-WmiExtrinsicEvent accepts fully-qualified namespace names returned from Get-WmiNamespace.

.OUTPUTS

System.Management.ManagementClass

Get-WmiExtrinsicEvent returns extrinsic WMI class objects.
#>

    [OutputType([Management.ManagementClass])]
    Param (
        [Parameter(ValueFromPipeline = $True)]
        [String]
        $Namespace = 'ROOT\CIMV2'
    )

    # exclude generic, system generated extrinsic events
    $ExclusionList = @(
        '__SystemEvent',
        '__EventDroppedEvent',
        '__EventQueueOverflowEvent',
        '__QOSFailureEvent',
        '__ConsumerFailureEvent')

    Get-WmiObject -Class Meta_Class -Namespace $Namespace |
        Where-Object { $_.Name -eq '__TimerEvent' -or ($_.Derivation.Contains('__ExtrinsicEvent') -and (-not ($ExclusionList -contains $_.Name))) }
}

filter Get-WmiIntrinsicEvent {
<#
.SYNOPSIS

Returns all WMI intrinsic event types for the specified namespace.

.PARAMETER Namespace

Specifies the WMI repository namespace in which to list intrinsic event types.

.EXAMPLE

Get-WmiIntrinsicEvent

.EXAMPLE

Get-WmiNamespace -Recurse | Get-WmiIntrinsicEvent

.INPUTS

System.String

Get-WmiIntrinsicEvent accepts fully-qualified namespace names returned from Get-WmiNamespace.

.OUTPUTS

System.Management.ManagementClass

Get-WmiIntrinsicEvent returns intrinsic WMI class objects.
#>

    [OutputType([Management.ManagementClass])]
    Param (
        [Parameter(ValueFromPipeline = $True)]
        [String]
        $Namespace = 'ROOT\CIMV2'
    )

    $ExclusionList = @(
        '__ExtrinsicEvent',
        '__TimerEvent'
    )

    Get-WmiObject -Class Meta_Class -Namespace $Namespace |
        Where-Object { $_.Derivation.Contains('__Event') -and (-not $_.Derivation.Contains('__ExtrinsicEvent') -and (-not ($ExclusionList -contains $_.Name))) }
}
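As an added example (not part of the original snippet), the same __Event / __ExtrinsicEvent derivation test can be applied to the permanent event subscriptions already registered on a host, which is what a defender reviewing WMI event-driven persistence would want to see alongside the class listing. It assumes only the built-in ROOT\subscription namespace and Windows PowerShell's Get-WmiObject; the function name Get-WmiSubscriptionReport is mine.

```powershell
# Added example: list every permanent WMI event subscription and classify
# the event class its filter listens on as intrinsic or extrinsic, using
# the same derivation test as the snippets above.
function Get-WmiSubscriptionReport {
    # Permanent subscriptions are always stored in ROOT\subscription
    $subNs = 'ROOT\subscription'

    # Each binding ties one __EventFilter (a WQL query) to one consumer
    # (the action WMI runs when the event fires).
    Get-WmiObject -Namespace $subNs -Class __FilterToConsumerBinding | ForEach-Object {
        $filter   = [wmi]$_.Filter      # resolve the __EventFilter reference path
        $consumer = [wmi]$_.Consumer    # resolve the consumer reference path

        # Pull the event class name out of "SELECT ... FROM <EventClass> ..."
        $eventClass = if ($filter.Query -match '(?i)\bFROM\s+(\w+)') { $Matches[1] } else { $null }

        # EventNamespace is where the filter's query is evaluated; a filter
        # that does not set it is evaluated in ROOT\CIMV2
        $eventNs = if ($filter.EventNamespace) { $filter.EventNamespace } else { 'ROOT\CIMV2' }

        $kind = 'Unknown'
        if ($eventClass) {
            try {
                $cls = [wmiclass]"$eventNs`:$eventClass"
                # Mirror the snippets: __TimerEvent counts as extrinsic, anything
                # else under __ExtrinsicEvent is extrinsic, the rest of __Event is intrinsic
                if ($cls.Derivation -contains '__ExtrinsicEvent' -or $cls.__CLASS -eq '__TimerEvent') {
                    $kind = 'Extrinsic'
                } elseif ($cls.Derivation -contains '__Event') {
                    $kind = 'Intrinsic'
                }
            } catch { $kind = 'Unresolved' }   # class not present in that namespace
        }

        [PSCustomObject]@{
            FilterName     = $filter.Name
            EventNamespace = $eventNs
            EventClass     = $eventClass
            EventKind      = $kind
            ConsumerClass  = $consumer.__CLASS
            Query          = $filter.Query
        }
    }
}

Get-WmiSubscriptionReport | Format-Table -AutoSize
```

A row whose EventKind is Intrinsic with a polling clause (WITHIN) is WMI itself watching for changes; an Extrinsic row is a provider-raised event, so the ConsumerClass column is the first thing to check for each.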