Welcome to our

Cyber Security News Aggregator

.

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Windows Management Instrumentation (WMI) Offense, Defense, and Forensics

published on 2015-08-08 18:45:00 UTC by William Ballenthin
Content:

Windows Management Instrumentation (WMI) is a remote management framework that enables the collection of host information, execution of code, and provides an eventing system that can respond to operating system events in real time. FireEye has recently seen a surge in attacker use of WMI to carry out objectives such as system reconnaissance, remote code execution, persistence, lateral movement, covert data storage, and VM detection. Defenders and forensic analysts have largely remained unaware of the value of WMI due to its relative obscurity and completely undocumented file format. After extensive reverse engineering, the FireEye FLARE team has documented the WMI repository file format in detail, developed libraries to parse it, and formed a methodology for finding evil in the repository.

The FLARE team is now publishing a whitepaper that takes a deep dive into the architecture of WMI, reveals case studies in attacker use of WMI in the wild, describes WMI attack mitigation strategies, and shows how to mine its repository for forensic artifacts. The document also demonstrates how to detect attacker activity in real-time by tapping into the WMI eventing system. WMI is a valuable asset not just for system administrators and attackers, but equally so for defenders and forensic analysts. Download a copy of the whitepaper today!

Article: Windows Management Instrumentation (WMI) Offense, Defense, and Forensics - published over 9 years ago.

http://www.fireeye.com/blog/threat-research/2015/08/windows_managementi.html   
Published: 2015 08 08 18:45:00
Received: 2021 11 03 23:00:23
Feed: FireEye Blog
Source: FireEye Blog
Category: Cyber Security
Topic: Cyber Security
Views: 2

Custom HTML Block

Click to Open Code Editor