![]() Both standards aim to provide an industry-agnostic means of collecting and transmitting information related to any managed component in an enterprise. WMI Architecture 1 4cfb1-ef67-471d c2b1014a31e&displaylang=en 2 4C5BA-337B-4E92-8C18-A EA5&displaylang=en 3ΔΆ WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM) 4 and Common Information Model (CIM) 5 standards published by the Distributed Management Task Force (DMTF) 6. This whitepaper will introduce the reader to WMI, actual and proof-of-concept attacks using WMI, how WMI can be used as a rudimentary intrusion detection system (IDS), and how to perform forensics on the WMI repository file format. As attackers increasingly utilize WMI, it is important for defenders, incident responders, and forensic analysts to have knowledge of WMI and to know how they can wield it to their advantage. Since then, WMI has been gaining popularity amongst attackers for its ability to perform system reconnaissance, AV and VM detection, code execution, lateral movement, persistence, and data theft. While it has been well known and utilized heavily by system administrators since its inception, WMI was likely introduced to the mainstream security community when it was discovered that it was used maliciously as one component in the suite of exploits and implants used by Stuxnet 3. Present on all Windows operating systems, WMI is comprised of a powerful set of tools used to manage Windows systems both locally and remotely. 1 Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor Matt Graeber Black Hat 2015 Introduction As technology is introduced and subsequently deprecated over time in the Windows operating system, one powerful technology that has remained consistent since Windows NT and Windows 95 2 is Windows Management Instrumentation (WMI).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |