Explore the offensive capabilities of Windows Management Instrumentation (WMI) in this 50-minute Black Hat conference talk by Matthew Graeber. Delve into a powerful technology built into every Windows operating system since Windows 95 that runs as System, executes arbitrary code, persists across reboots, and operates without dropping files to disk. Learn how advanced red teams and attackers leverage WMI to blend into high-security environments without introducing binaries. Discover WMI's unique ability to conditionally execute code asynchronously in response to operating system events, setting it apart from other persistence techniques. Gain insights into WMI's structure, its current usage by attackers in the wild, and techniques for constructing a full-featured backdoor. Conclude with essential knowledge on detecting and preventing WMI-based attacks, equipping yourself with valuable cybersecurity skills for both offensive and defensive operations.
Syllabus
Abusing Windows Management Instrumentation (WMI)
Taught by
Black Hat