WMI for Defenders

Presented at ShellCon 2021 Virtual, Oct. 8, 2021, 3 p.m. (55 minutes)

This talk will dive into WMI/MI and what it can do for both administrators and adversaries. We will cover the history of WMI/MI, how it works, how it is normally used, how it can be used maliciously, and finally how to spot misuse. Real-world scenarios will be discussed along with more theoretical capabilities of WMI/MI misuse. We will discuss modern (last 6 months) techniques utilizing WMI that are being seen in the wild, and the challenges defenders face in identifying them. Since many tools do not fully detect these WMI events, it can be difficult for administrators and incident responders to clearly and easily contain WMI worms or malicious activity.


Presenters:

  • Wasabi
    Wasabi is a security researcher who dabbles in the arts of system administration. He participated in CCDC, CPTC, and many CTFs as a competitor before starting to help organize cyber defense competitions himself. He is now the Black Team lead for .
