Overview
Explore techniques for detecting WMI exploitation in this 51-minute conference talk from Derbycon 2018. Delve into the importance of WMI, its location within Windows systems, and essential tools like Windows Sysinternals AutoRuns and Sysmon. Learn about process execution, command line analysis, WMI activity monitoring, and authentication methods. Discover strategies for identifying lateral movement, remote WMI execution, and PowerShell usage. Gain insights into WMI tools, hunting techniques, and receive recommendations for effective WMI monitoring. Conclude with additional reading suggestions and a Q&A session to enhance your understanding of WMI exploitation detection.
Syllabus
Whoami
Why care about WMI?
What is WMI
Where does WMI live?
Windows Sysinternals AutoRuns
Windows Sysinternals Sysmon
Do you have a tool that...
WMI PWNAGE TOOLS
Process Execution
Process Command Line tells all
WMI Activity
Authentication
Parent-Child Processes
Lateral Movement - Push Payloads
Remote WMI Execution
WMI Service Starting
Details - Sysmon is an option
Details - Windows Logging Service WLS
PowerShell
How do I Hunt for PS?
WMI Tools
WMIC Use
Hunting for WMI Pwnage
Recommendations
Monitor WMI
Conclusion
Additional Reading
Questions