module
WMI Event Subscription Logon Timer Persistence
| Disclosed | Created |
|---|---|
| Jun 6, 2017 | Jan 14, 2026 |
Disclosed
Jun 6, 2017
Created
Jan 14, 2026
Description
This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that
will trigger the payload after the system has a certain uptime. Payloads will trigger every minute until the set end time.
Additionally a custom command can be specified to run once the trigger is
activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a
high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
will trigger the payload after the system has a certain uptime. Payloads will trigger every minute until the set end time.
Additionally a custom command can be specified to run once the trigger is
activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a
high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
Authors
Nick Tyrer @NickTyrer
h00die
h00die
Platform
Windows
Architectures
x64, x86, aarch64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.