Hiding Persistence in the WMI Repository & “C:\Windows\System32\spool\drivers\color Folder

In this scenario, we are working with a customer’s EDR independent of any Microsoft native or Microsoft cloud delivered security technologies. We are assuming initial access has taken place, accompanied with a download event to “C:\Windows\System32\spool\drivers\color” folder, which only requires regular user access to write to. First to fire is MS-printcolor.exe (UAC bypass) which hands execution to colorconf.cmd (batch file) that executes with high integrity. The batch file fires mofcomf.exe which registers a persistent WMI event subscription (colorwheel.mof), finally executing a SYSTEM level C2 channel anytime the WinStore.App.exe process is executed. Any day with WMI is a fun day!



#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam