References and tips for looking into WMI/CIM


No replies to this topic

#1 SwingJitsu

Posted 13 October 2018 - 06:16 AM

Hey all,

I've recently taken an interest in WMI because of its prevalence in my network. I got a general understanding of it through the popular Manning book on learning PowerShell and of some of the common attack vectors through the Blackhat article on abusing it for persistence. With that understanding, I'm not really seeing anything obviously malicious in the WMI-Activity event logs, but my knowledge is pretty limited in how to really look at it from a defensive perspective. I'll often see svchost receiving commands telling it to create WmiPrvSe processes with "-embedded" command lines, and the processes that are created will kick off various WMI queries, but I'm not positive where to go from here or how to figure out what the embedded command was.

I thought the Blackhat article was great, and I'll link it below, but does anyone have suggestions on where I should go next with researching the subject or tips based on how you personally monitor WMI?

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

Thanks,

SJ


Edited by SwingJitsu, 13 October 2018 - 01:05 PM.
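The post asks how to look at WMI from a defensive perspective, and the Blackhat paper it links describes persistence built on permanent WMI event subscriptions. A practical first step is to enumerate what is actually registered in the root/subscription namespace (filters, consumers and the bindings between them) and to read the WMI-Activity operational log alongside it. The script below is an added example written for this reply, not code from the poster or from the linked paper. It assumes an elevated PowerShell 5.1 or later session on the host being checked; the event IDs 5857 (provider load), 5858 (failed/slow operation), 5860 (temporary consumer) and 5861 (permanent consumer registration) are the ones the WMI-Activity log emits on Windows 10 / Server 2016 and later, so on older builds 5861 will simply not appear.

```powershell
# Added example: inventory permanent WMI event subscriptions and recent
# WMI-Activity events on the local host. Read-only; nothing is modified.
# Assumes an elevated PowerShell 5.1+ session.

$ns = 'root/subscription'   # where permanent filter/consumer/binding objects live

# 1. Event filters: the WQL condition that triggers a subscription.
$filters = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
    Select-Object Name, Query

# 2. Consumers: what runs when a filter fires. CommandLineEventConsumer and
#    ActiveScriptEventConsumer execute code, so their payload is what matters.
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name,
        @{ n = 'Class';   e = { $_.CimClass.CimClassName } },
        @{ n = 'Payload'; e = {
            if     ($_.CommandLineTemplate) { $_.CommandLineTemplate }  # command-line consumer
            elseif ($_.ScriptText)          { $_.ScriptText }           # VBScript/JScript consumer
            else                            { '' } } }

# 3. Bindings: which filter is wired to which consumer. A filter or consumer
#    with no binding is inert; a binding is what makes the subscription live.
$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Select-Object @{ n = 'Filter';   e = { $_.Filter.Name } },
                  @{ n = 'Consumer'; e = { $_.Consumer.Name } }

# 4. Recent WMI-Activity operational events (last 7 days). The log name and
#    IDs are the Windows defaults; -ErrorAction handles the "no events" case.
$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
        Id        = 5857, 5858, 5860, 5861
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(200, $_.Message.Length)) } }

"== Permanent event filters ($($filters.Count)) =="
$filters   | Format-Table -AutoSize -Wrap

"== Event consumers ($($consumers.Count)) =="
$consumers | Format-Table -AutoSize -Wrap

"== Filter-to-consumer bindings ($($bindings.Count)) =="
$bindings  | Format-Table -AutoSize

"== WMI-Activity events, last 7 days ($($events.Count)) =="
$events    | Format-Table -AutoSize -Wrap
```

On a typical workstation the filter, consumer and binding lists are short or empty, so anything with a CommandLineTemplate or ScriptText payload stands out immediately and can be compared against known software (some backup and management agents register subscriptions legitimately). Running the same script across hosts and diffing the output over time gives a simple baseline; the 5861 events provide the timestamp and registering process for any subscription that appeared after the baseline was taken.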

