Initial Access Chain: VBA-DLL-WMI-EXECUTION

Sensors ingested an interesting initial access chain that leverages a DLL load via VBS. After, the chain executes leveraging WMI to become a subprocess of svchost.exe (not from WINWORD.EXE in this case), providing a much more opsec friendly, parent-child relationship. I am looking at expanding my research by developing a macro that will covertly inject a process and establish a C2 implant connection. This was an interesting repo to help with the brainstorming for that macro.  
 
Repo:
VBA-DLL-WMI-EXECUTION/shell.cpp at master · mobdk/VBA-DLL-WMI-EXECUTION (github.com)
 
Video Demo:
​https://www.youtube.com/watch?v=0dEMQ_Iht98
 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam