Detecting WMI Exploitation
Offered By: YouTube
Course Description
Overview
Explore techniques for detecting WMI exploitation in this 51-minute conference talk from Derbycon 2018. Delve into the importance of WMI, its location within Windows systems, and essential tools like Windows Sysinternals AutoRuns and Sysmon. Learn about process execution, command line analysis, WMI activity monitoring, and authentication methods. Discover strategies for identifying lateral movement, remote WMI execution, and PowerShell usage. Gain insights into WMI tools, hunting techniques, and receive recommendations for effective WMI monitoring. Conclude with additional reading suggestions and a Q&A session to enhance your understanding of WMI exploitation detection.
Syllabus
Whoami
Why care about WMI?
What is WMI
Where does WMI live?
Windows Sysinternals AutoRuns
Windows Sysinternals Sysmon
Do you have a tool that...
WMI PWNAGE TOOLS
Process Execution
Process Command Line tells all
WMI Activity
Authentication
Parent-Child Processes
Lateral Movement - Push Payloads
Remote WMI Execution
WMI Service Starting
Details - Sysmon is an option
Details - Windows Logging Service WLS
PowerShell
How do I Hunt for PS?
WMI Tools
WMIC Use
Hunting for WMI Pwnage
Recommendations
Monitor WMI
Conclusion
Additional Reading
Questions
Related Courses
Learn Windows PowerShell in a Month of LunchesYouTube PowerShell for IT Professionals
YouTube Investigating PowerShell Attacks
BruCON Security Conference via YouTube Catching WMI Lateral Movement in an Enterprise Network
BruCON Security Conference via YouTube Blinding Endpoint Security Solutions - WMI Attack Vectors
Ekoparty Security Conference via YouTube