CYBER MONGOL
1/5/2021

UAC Bypass -> WMI Event -> Inject nslookup.exe -> SYSTEM

A dirty UAC bypass buys just enough time to register a WMI permanent event subscription (registration requires admin privileges) that executes a binary which injects into nslookup.exe every time the Microsoft Store app process is started. The injection results in a persistent, SYSTEM level implant phoning home to a Covenant C2 listener, provided the artifacts on disk aren’t discovered. There are other vectors available that are a little more OpSec friendly 😊. MS for Endpoint flags the UAC bypass as malicious (it doesn’t stop it) but doesn’t see the WMI event subscription, and therefore never indicates that a persistent SYSTEM level shell is present. The device timeline does record the script fired by the WMI event subscription and the binary that hollows nslookup.exe – but neither is flagged. Checking for WMI event subscriptions is a good way to find this kind of nastiness, using the following commands:
EventFilters:   Get-WMIObject -Namespace root\Subscription -Class __EventFilter
EventConsumers: Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Bindings:       Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
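Running the three commands separately leaves you to match filter names to consumer names by hand. The script below is an added example (not from the original post) that joins filters to consumers through their bindings and flags the combination this chain relies on: a code-running consumer (CommandLineEventConsumer or ActiveScriptEventConsumer) bound to a process-creation filter. It is read-only and assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example: enumerate WMI permanent event subscriptions and join
# filters to consumers via __FilterToConsumerBinding. Read-only; run elevated.
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # base class returns every consumer type
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Consumer classes that execute arbitrary commands or script when their filter fires
$codeRunners = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

$bindings | ForEach-Object {
    $b = $_
    # Binding properties are WMI object paths, e.g.  __EventFilter.Name="SomeFilter"
    $filterName   = ([regex]::Match($b.Filter,   'Name="([^"]*)"')).Groups[1].Value
    $consumerName = ([regex]::Match($b.Consumer, 'Name="([^"]*)"')).Groups[1].Value

    $f = $filters   | Where-Object { $_.Name -eq $filterName }
    $c = $consumers | Where-Object { $_.Name -eq $consumerName }

    # What actually runs when the filter fires, if the consumer type runs code at all
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    # Process-creation triggers (Win32_ProcessStartTrace, or __InstanceCreationEvent
    # over Win32_Process) are what "every time the Store app starts" looks like in WQL
    $watchesProcesses = [bool]($f.Query -match 'Win32_ProcessStartTrace|Win32_Process\b')

    [pscustomobject]@{
        Filter        = $filterName
        Query         = $f.Query
        Consumer      = $consumerName
        ConsumerClass = $c.__CLASS
        Payload       = $payload
        Suspicious    = ($codeRunners -contains $c.__CLASS) -and $watchesProcesses
    }
} | Format-List
```

Expect one legitimate built-in pair on many Windows installs (SCM Event Log Filter bound to an NTEventLogEventConsumer); it is not a code runner and will not be flagged. Anything flagged deserves a look at the Payload path on disk, which is exactly the artifact the post notes the timeline records but does not alert on.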
