I've recently taken an interest in WMI because of its prevalence in my network. I got a general understanding of it through the popular Manning book on learning PowerShell and of some of the common attack vectors through the Black Hat article on abusing it for persistence. With that understanding, I'm not really seeing anything obviously malicious in the WMI-Activity event logs, but my knowledge is pretty limited in how to really look at it from a defensive perspective. I'll often see svchost receiving commands telling them to create WmiPrvSe processes with "-embedded" command lines, and the processes that are created will kick off various WMI queries, but I'm not positive where to go from here or how to figure out what the embedded command was.
I thought the Blackhat article was great, and I'll link it below, but does anyone have suggestions on where I should go next with researching the subject or tips based on how you personally monitor WMI?
Edited by SwingJitsu, 13 October 2018 - 01:05 PM.
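As an added starting point for the monitoring question above (editor's example, not code from the original poster or from the Black Hat paper), the script below does two things a defender usually wants first on a single host: it enumerates the permanent WMI event subscriptions in root\subscription, joining each binding to its filter query and consumer payload, and it pulls the recent WMI-Activity operational events that record new consumers (5861), failed operations with the query and client PID (5858), and provider loads (5857). It assumes an elevated PowerShell session, that the Microsoft-Windows-WMI-Activity/Operational log is enabled, and that the host is Windows 10 / Server 2016 or later, where those event IDs are emitted; the seven-day window is an arbitrary choice.

```powershell
# Added example (not from the original post): a defender's first pass over WMI
# persistence and activity on one host. Assumes: elevated session, the
# Microsoft-Windows-WMI-Activity/Operational log enabled, Windows 10/2016+.

# 1. Enumerate permanent WMI event subscriptions. Legitimate ones are rare on
#    workstations, so every binding is worth reading.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # With Get-CimInstance, Filter and Consumer are reference objects whose Name
    # key identifies the full filter/consumer instance.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    [pscustomobject]@{
        Filter       = $f.Name
        Query        = $f.Query                   # the WQL trigger condition
        ConsumerType = $c.CimClass.CimClassName   # e.g. CommandLineEventConsumer
        # CommandLineEventConsumer carries a command; ActiveScriptEventConsumer carries script text.
        Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    }
}

# 2. Recent WMI-Activity events. The message text carries the namespace, query,
#    client PID and (for 5861) the filter/consumer binding details.
$since = (Get-Date).AddDays(-7)   # arbitrary look-back window
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
    Id        = 5857, 5858, 5861
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

The subscription listing answers "is anything persisting via WMI right now", and the 5861 events answer "when was it registered and by whom"; the 5858 entries are where you see the actual WQL text that the WmiPrvSE processes in the question are servicing, since the -Embedding argument itself only means the host was started as a COM server and says nothing about the work it went on to do.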