UAC Bypass -> WMI Event -> Inject nslookup.exe -> SYSTEM

​A dirty UAC bypass is just enough time to register a WMI permanent event subscription (which needs to be registered with Admin privs), executing a binary that injects into nslookup.exe, every time the Microsoft Store app process is started. The injection results in a persistent, SYSTEM level implant phoning home to a Covenant C2 listener, provided the artifacts on disk aren’t discovered. There are other vectors available a little more OpSec friendly 😊. MS for Endpoint flags the UAC bypass as malicious (doesn’t stop it) but doesn’t see the WMI event subscription, therefore does not indicate a persistent SYSTEM level shell is present. The device timeline does register the script that is fired by the WMI event subscription and the binary that hollows the process nslookup.exe – but neither are flagged. Checking for WMI event subscriptions is a good way to find nastiness with the following commands:
 
EventFilters: Get-WMIObject -Namespace root\Subscription -Class __EventFilter
 
EventConsumers: Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
 
Bindings: Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding