Windows Powershell for WMI - Use and Forensics

Presented at CactusCon 11 (2023), Jan. 27, 2023, 10 p.m. (60 minutes).

WMIC is being depreciated, and Powershell for WMI is the way of the future. I'm aiming this talk to those looking to start porting WMIC to Powershell, or just needing a refresher on forensicating WMI.

Presenters:

• Kyle Nordby - DFIR Enthusiast
  Kyle Nordby is an information security professional that has years of experience. With multiple GIAC certifications, he is currently working on his Master's with an IR focus. His work ranges in threat hunting, IR, SOC operations, and endpoint triage. He is survived by his two cats, Lina and Jupiter.

Links:

• https://cactuscon-11.sessionize.com/session/395017

Similar Presentations:

• ShellCon 2021 Virtual / WMI for Defenders
• Black Hat USA 2022 / Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs
• DerbyCon 8.0 Evolution (2018) / Detecting WMI exploitation