POC WMI_Backdoor  - is a crude WMI backdoor (Disclosure).

POC WMI_Backdoor – is a crude WMI backdoor (Disclosure).

WMI_Backdoor : A tool that’s useful to a sysadmin is useful to an attacker.
WMI Basics – Introduction:
•Windows Management Instrumentation
•Powerful local & remote system management infrastructure
•Present since Win98 and NT4. Seriously.
•Can be used to:
–Obtain system information
•File system
–Execute commands
–Subscribe to events

WMI Basics – Architecture:
•Persistent WMI objects are stored in the WMI repository
–Valuable for forensics yet no parsers exist until now!
•WMI Settings
–Win32_WmiSetting class
–E.g. AutoRecover MOFs are listed here

WMI Attacks:
•From an attackers perspective, WMI can be used but is not limited to the following:
–VM/Sandbox Detection
–Code execution and lateral movement
–Data storage
–C2 communication

WMI Attacks – Data Storage (Screen-Capture)

WMI Attacks – Data Storage (Screen-Capture)

WMI – Benefits to an Attacker
•Service enabled and remotely available on all Windows systems by default
•Runs as SYSTEM
•Relatively esoteric persistence mechanism
•Other than insertion into the WMI repository, nothing touches disk!
•Defenders are generally unaware of WMI as an attack vector
•Uses an existing, non-suspicious protocol
•Nearly everything on the operating

PoC WMI Backdoor Background:
•A pure WMI backdoor
•PowerShell installer
•PowerShell not required on victim
•Intuitive syntax
•Relies exclusively upon permanent WMI event subscriptions

WMIBackdoor.ps1 Script:

Source : https://github.com/mattifestation