Topic: [FireEye] Windows Management Instrumentation (WMI) Offense, Defense, and Forensics


Posted by igor51 (Admin)
Windows Management Instrumentation (WMI) Offense, Defense, and Forensics

Windows Management Instrumentation (WMI) is a remote management
  framework that enables the collection of host information, execution
  of code, and provides an eventing system that can respond to operating
  system events in real time. FireEye has recently seen a surge in
  attacker use of WMI to carry out objectives such as system
  reconnaissance, remote code execution, persistence, lateral movement,
  covert data storage, and VM detection. Defenders and forensic analysts
  have largely remained unaware of the value of WMI due to its relative
  obscurity and completely undocumented file format. After extensive
  reverse engineering, the FireEye FLARE team has documented the WMI
  repository file format in detail, developed libraries to parse it, and
  formed a methodology for finding evil in the repository.


The FLARE team is now publishing a whitepaper that takes a deep dive
  into the architecture of WMI, reveals case studies in attacker use of
  WMI in the wild, describes WMI attack mitigation strategies, and shows
  how to mine its repository for forensic artifacts. The document also
  demonstrates how to detect attacker activity in real-time by tapping
  into the WMI eventing system. WMI is a valuable asset not just for
  system administrators and attackers, but equally so for defenders and
  forensic analysts. Download a copy of the whitepaper today:
  /content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

Source: Windows Management Instrumentation (WMI) Offense, Defense, and Forensics
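The two defensive uses the announcement mentions, mining the repository for persistence artifacts and tapping the WMI eventing system to catch attacker activity as it happens, can be shown in a few lines of PowerShell. The following is an added example written for this page; it is not code from the FireEye post or from the FLARE whitepaper. It assumes a Windows host with PowerShell 3.0 or later (CIM cmdlets) and an elevated session. The class names (__EventFilter, __EventConsumer, __FilterToConsumerBinding) are the documented WMI system classes in the root\subscription namespace; the function names and the 'WmiPersistenceWatch' source identifier are this example's own choices.

```powershell
# Added example, not code from the FireEye post or the FLARE whitepaper.
# Assumes: Windows, PowerShell 3.0+ (CIM cmdlets), run as Administrator.
# Permanent WMI subscriptions live in root\subscription and consist of a
# filter (a WQL event query), a consumer (the action) and a binding that
# links the two. Attackers install all three to persist; defenders can
# enumerate them and watch for new ones.

$Namespace = 'root\subscription'

function Get-WmiPersistence {
    # Enumerate every binding and resolve the filter and consumer it joins.
    $filters = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }

    # __EventConsumer is abstract; querying it returns every concrete consumer
    # (CommandLineEventConsumer, ActiveScriptEventConsumer, NTEventLogEventConsumer, ...).
    $consumers = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        ForEach-Object {
            $f = $filters[$_.Filter.Name]
            $c = $consumers[$_.Consumer.Name]
            # The payload sits in a class-specific property: CommandLineTemplate
            # runs a command line, ScriptText embeds VBScript/JScript,
            # ScriptFileName points at a script on disk.
            $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                       elseif ($c.ScriptText)      { $c.ScriptText }
                       elseif ($c.ScriptFileName)  { $c.ScriptFileName }
                       else                        { $null }
            [pscustomobject]@{
                Filter        = $f.Name
                Query         = $f.Query
                ConsumerClass = $c.CimClass.CimClassName
                Consumer      = $c.Name
                Payload       = $payload
                # Only these two consumer classes execute arbitrary code. The stock
                # 'SCM Event Log Filter' -> 'SCM Event Log Consumer' binding uses
                # NTEventLogEventConsumer and is expected on a default install.
                RunsCode      = ($c.CimClass.CimClassName -in
                                 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
            }
        }
}

function Watch-WmiPersistence {
    # Turn the eventing system on the attacker: subscribe, for this session only,
    # to the creation of new bindings, which is the final step of installing
    # WMI persistence. WITHIN 5 is the polling interval in seconds for this
    # intrinsic event, so a new binding is reported within about five seconds.
    param([int]$Seconds = 300)

    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
             "WHERE TargetInstance ISA '__FilterToConsumerBinding'"
    Register-CimIndicationEvent -Namespace $Namespace -Query $query `
        -SourceIdentifier 'WmiPersistenceWatch'
    try {
        $deadline = (Get-Date).AddSeconds($Seconds)
        while ((Get-Date) -lt $deadline) {
            # Wait-Event returns $null on timeout, so the loop can re-check the deadline.
            $e = Wait-Event -SourceIdentifier 'WmiPersistenceWatch' -Timeout 5
            if ($e) {
                $binding = $e.SourceEventArgs.NewEvent.TargetInstance
                $text = $binding | Format-List Filter, Consumer | Out-String
                Write-Warning ("New WMI permanent subscription binding at {0}:`n{1}" -f
                               (Get-Date -Format o), $text)
                Remove-Event -EventIdentifier $e.EventIdentifier
            }
        }
    }
    finally {
        Unregister-Event -SourceIdentifier 'WmiPersistenceWatch'
    }
}

# Usage:
#   Get-WmiPersistence | Where-Object RunsCode | Format-List
#   Watch-WmiPersistence -Seconds 600
```

Two practical caveats. The watcher is bound to the PowerShell session and dies with it; a durable version would register the same __InstanceCreationEvent query as a permanent subscription of its own, with a consumer that logs rather than executes. And legitimate management software also creates subscriptions in root\subscription, so baseline the output of Get-WmiPersistence on a known-good build before treating every code-running consumer as hostile.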