Build a Flask API that will serve which actions the RAT needs to perform and how often the RAT will check the API (1).
Serve the attacker by executing general and specific WMI queries.
- Clients
- WMIActions
- Client_WMIActions (association table)
A client can have many WMIActions and a WMIAction can have many clients: a many-to-many relationship (2):

- https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-xxiii-application-programming-interfaces-apis
- https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-viii-followers
Query – a WQL query (we'll use it from the C2).

- WMI Class - Win32_OperatingSystem
- Class attributes - *
- “build” query function
Object to communicate with the C&C server. Contains the client's information:

static HttpClient client = new HttpClient();
private string id;
private string ipAddress;
private string username;
private string os;
private string uri;
private Status clientStatus;

Handles WMI execution at runtime. Contains the following attributes:

this.scope = scope;
this.wmiClass = wmi_class;
this.wmiAttributes = wmiAttributes;
this.query = new Query(this.scope, this.wmiAttributes, this.wmiClass);
this.wmiActionId = wmiActionId;

- WMI Interaction
- Capture screenshot
- Keylogger
- Browse files
- https://docs.microsoft.com/en-us/dotnet/api/system.management.propertydata?view=dotnet-plat-ext-6.0 – refers to each property returned by the WQL execution.
