![]() We were recently onsite for a Red Teaming for Security Operations engagement, where our Red Team utilized WMI as a remote execution utility (similar to PsExec) and as a malware persistence mechanism (similar to a system service). In this blog post we will discuss how attackers can use WMI as a remote execution utility and as a persistence mechanism to execute malware, as well as what you can do to detect this activity at enterprise scale. Though WMI does not provide a default detailed tracing log of execution or persistence activity. From an investigative perspective, WMI has only recently been used by a select few groups of attackers and it is an artifact that may be overlooked during investigations. ![]() WMI was developed as Microsoft’s interpretation of web-based enterprise management (WBEM) for system management and auditing however, adversaries can use it for all stages of the Attack Lifecycle (shown in Figure 1), from creating the initial foothold on a system to stealing data from the environment and everything in-between. WMI more closely resembles that bottle of ‘61 Bordeaux wine that continues to impress us as it ages and matures. WMI has been a core component of Windows since Windows 98, but it is not exactly old wine in a new bottle. ![]() ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |