Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Detecting WMI Exploitation

via YouTube

Overview

Explore techniques for detecting WMI exploitation in this 51-minute conference talk from Derbycon 2018. Delve into the importance of WMI, its location within Windows systems, and essential tools like Windows Sysinternals AutoRuns and Sysmon. Learn about process execution, command line analysis, WMI activity monitoring, and authentication methods. Discover strategies for identifying lateral movement, remote WMI execution, and PowerShell usage. Gain insights into WMI tools, hunting techniques, and receive recommendations for effective WMI monitoring. Conclude with additional reading suggestions and a Q&A session to enhance your understanding of WMI exploitation detection.

Syllabus

Whoami
Why care about WMI?
What is WMI
Where does WMI live?
Windows Sysinternals AutoRuns
Windows Sysinternals Sysmon
Do you have a tool that...
WMI PWNAGE TOOLS
Process Execution
Process Command Line tells all
WMI Activity
Authentication
Parent-Child Processes
Lateral Movement - Push Payloads
Remote WMI Execution
WMI Service Starting
Details - Sysmon is an option
Details - Windows Logging Service WLS
PowerShell
How do I Hunt for PS?
WMI Tools
WMIC Use
Hunting for WMI Pwnage
Recommendations
Monitor WMI
Conclusion
Additional Reading
Questions

Reviews

Start your review of Detecting WMI Exploitation

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.