Detecting WMI exploitation

Michael Gough

Derbycon 2018

Windows Management Instrumentation (WMI) is loved by the Red Team, Pentesters, and the criminals. There are a few exploitation tools available, such as WMImplant, WMILM, and Metasploit. Utilizing WMI in attacks is popular since it does not log much, is very good for remote attacks, and includes a database to hide persistence and payloads. WMI has also been used in what is referred to as fileless malware, and can even include PowerShell. WMI attacks CAN be detected, and everyone should understand how to search for and detect them, along with all the Fu that goes with WMI attacks. The reason? By default, Windows does not log much that helps detect WMI exploitation, so there is some work to do that you need to know about. This talk will show a few examples of WMI exploitation, what can be detected and why, what you need to configure to catch attacks, and what additional things you will need in order to hunt for WMI pwnage across your environment. Also discussed will be some examples of log management queries and tools you might use to capture malicious WMI activity.
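As an added example (not part of the talk or the speaker's material), the following PowerShell script illustrates the two defensive steps the abstract refers to: enabling the WMI activity log that Windows leaves off by default, and enumerating the permanent event subscriptions stored in the WMI repository, which is where repository-resident persistence lives. It assumes an elevated PowerShell 5.1 or later session on the host being inspected; the event ID list and the `root\subscription` namespace are standard Windows values, everything else is written for this example.

```powershell
# Added example, not from the talk: enable WMI activity logging and enumerate
# permanent WMI event subscriptions (filter -> consumer bindings) for review.
# Assumes an elevated PowerShell 5.1+ session on the host being inspected.

# 1. Turn on the Microsoft-Windows-WMI-Activity/Operational log. Without it the
#    creation of subscriptions and most remote WMI use leaves little trace.
wevtutil sl Microsoft-Windows-WMI-Activity/Operational /e:true

# 2. Pull the three classes that together form a permanent subscription.
$ns        = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# 3. Join binding -> filter -> consumer so each row shows what triggers and what runs.
$subscriptions = foreach ($b in $bindings) {
    $filterName   = $b.Filter.Name
    $consumerName = $b.Consumer.Name
    $f = $filters   | Where-Object { $_.Name -eq $filterName }
    $c = $consumers | Where-Object { $_.Name -eq $consumerName }

    # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer
    # carries ScriptText; other consumer types have neither, so fall back to the class name.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { '<no inline payload>' }

    [pscustomobject]@{
        Filter       = $filterName
        TriggerQuery = $f.Query
        ConsumerType = $c.CimClass.CimClassName
        Consumer     = $consumerName
        Payload      = $payload
    }
}

# Every permanent subscription on the host. On a stock workstation the list is
# usually empty or limited to known management software; anything launching
# cmd.exe, powershell.exe or a script engine deserves a closer look.
$subscriptions | Format-List

# 4. Recent WMI-Activity events that record subscription and consumer activity.
#    5859/5860/5861 cover permanent consumer, temporary consumer and new
#    filter-to-consumer binding registration; 5858 records failed operations.
$logName = 'Microsoft-Windows-WMI-Activity/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 5858, 5859, 5860, 5861 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run the script once across a baseline set of machines and keep the resulting subscription list; later runs can then be diffed against it, which turns the repository from a hiding place into something that is cheap to audit.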

Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael also blogs on HackerHurricane.com on various InfoSec topics. Michael is also co-host of the “Brakeing Down Incident Response” BDIR Podcast, which educates on daily Incident Response tasks. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons.

@HackerHurricane
