Detecting WMI Exploitation

Offered By: YouTube

Course Description

Overview

Explore techniques for detecting WMI exploitation in this 51-minute conference talk from Derbycon 2018. Delve into the importance of WMI, its location within Windows systems, and essential tools like Windows Sysinternals AutoRuns and Sysmon. Learn about process execution, command line analysis, WMI activity monitoring, and authentication methods. Discover strategies for identifying lateral movement, remote WMI execution, and PowerShell usage. Gain insights into WMI tools, hunting techniques, and receive recommendations for effective WMI monitoring. Conclude with additional reading suggestions and a Q&A session to enhance your understanding of WMI exploitation detection.

Syllabus

Whoami
Why care about WMI?
What is WMI
Where does WMI live?
Windows Sysinternals AutoRuns
Windows Sysinternals Sysmon
Do you have a tool that...
WMI PWNAGE TOOLS
Process Execution
Process Command Line tells all
WMI Activity
Authentication
Parent-Child Processes
Lateral Movement - Push Payloads
Remote WMI Execution
WMI Service Starting
Details - Sysmon is an option
Details - Windows Logging Service WLS
PowerShell
How do I Hunt for PS?
WMI Tools
WMIC Use
Hunting for WMI Pwnage
Recommendations
Monitor WMI
Conclusion
Additional Reading
Questions