UAC Bypass -Fiber Injection -WMI Persistence

​“Recorded Future expects further adoption of open source tools that have recently gained popularity, specifically Covenant, Octopus C2, Sliver, and Mythic." We have strung together some trending, open source tradecraft, utilizing a UAC bypass that has had significant human momentum behind it, showing the potential for serious compromise, with very little modification to the open source tool systems.
 
1. Modify UAC bypass to execute WMIPers.cmd with High integrity
 
2. WMIPers.cmd runs command “PowerShell Set-ExecutionPolicy Unrestricted” to change the execution policy
 
3. WMIPers.cmd executes EventSubWMI.ps1 (High Integrity required) to create a WMI permanent event subscription (SYSTEM). The subscription executes a script when the Windows Store app is opened, firing binary Fibre.exe (a shellcode injector utilizing process fibers to execute)
 
4. WMIPers.cmd also executes Fibre.exe to establish an initial C2 channel in High Integrity
 
5.The Windows Store app is opened, creating a second channel back to the C2 in SYSTEM context
 
*Better OpSec needed (cleanup, windows, etc) for real engagement*
 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam