Windows Management Instrumentation [T1047] is an execution technique that adversaries use for lateral movement and discovery, and it’s been a very popular topic around our halls for a number of years now. In fact, one of Red Canary’s most popular blog posts ever is about lateral movement using WMI, written nearly five years ago.
WMI was clearly past due for a deep dive, so we gathered top experts from Red Canary, MITRE, and Microsoft for a two-part webinar and hands-on challenge aimed at thoroughly exploring the execution technique. The full recording is now available to view on demand, but read on for some highlights.
SPEAKERS
Greg Bailey
Director, Incident Handling, Red Canary
Christopher Glyer
Principal Software Engineer, Cloud Security R&D, Microsoft
Jamie Williams
Lead Cyber Adversarial Engineer, MITRE
Joe Savini
Principal Solutions Specialist, Red Canary
Julie Brown
Detection Engineer, Red Canary
Matt Graeber
Director of Threat Research, Red Canary
Q: Why do I need to know about WMI?
“WMI is a super powerful tool for attackers,” said Matt Graeber, Red Canary’s Director of Threat Research, in the webinar. “There is very little that you can’t do across the kill chain or MITRE ATT&CK framework in WMI, whether it’s discovery, lateral movement, or persistence.”
Thanks to high engagement from our audience, we extended part two of the virtual event to allow extra time to make sure all questions were answered.
Q: Can I leverage Sysmon for logging WMI activity?
In the extended Q&A, the panelists covered administrative access, logging, custom objects, parent processes, persistence, and more. On logging: Sysmon does record the components of a WMI permanent event subscription (Event IDs 19, 20, and 21 for event filters, event consumers, and filter-to-consumer bindings), but it is not built to detect every conceivable method in the wide range of WMI tradecraft. For WMI persistence specifically, a fantastic source is Event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log on Windows 10 and Windows Server 2016 and later. It is written when a filter-to-consumer binding is created, and its message text includes the filter query and the consumer definition, so it captures the persistence mechanism at the moment it is installed.
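The script below is an added example and is not code from the Red Canary webinar or blog post. It works the answer above from two directions: it pulls Event ID 5861 from the WMI-Activity Operational log, and it enumerates the permanent subscriptions currently bound in root\subscription, because 5861 is only written at creation time and will not show a binding installed before that log existed or after it rolled over. Function names and the $RiskyConsumers list are the author's own choices; run it elevated in Windows PowerShell 5.1.

```powershell
# Added example (author's own, not from the webinar): triage WMI permanent
# event subscriptions from Event ID 5861 and from the live repository.

# Consumer classes that run arbitrary commands or script. The other built-in
# consumers (log file, NT event log, SMTP) are rarely used for persistence.
$RiskyConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

function Get-WmiSubscriptionCreationEvent {
    # 5861 is written once, when a __FilterToConsumerBinding is created. The
    # message text embeds the filter and consumer definitions, so a pattern
    # match on it is enough for first-pass triage.
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
        Id        = 5861
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Risky       = [bool]($RiskyConsumers | Where-Object { $msg -match $_ })
            Message     = $msg
        }
    }
}

function Get-WmiPermanentSubscription {
    # Enumerate what is bound right now, whether or not 5861 ever recorded it.
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    # Querying the abstract base class returns instances of every consumer subclass.
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter and Consumer are WMI object paths such as __EventFilter.Name="X"
        # or \\.\root\subscription:CommandLineEventConsumer.Name="Y"; pull out
        # the class and the Name key so we can resolve them against the lists above.
        $cm = [regex]::Match($b.Consumer, '(?<Class>\w+)\.Name="(?<Name>.*)"$')
        $fm = [regex]::Match($b.Filter,   '__EventFilter\.Name="(?<Name>.*)"$')
        $c  = $consumers | Where-Object { $_.__CLASS -eq $cm.Groups['Class'].Value -and $_.Name -eq $cm.Groups['Name'].Value }
        $f  = $filters   | Where-Object { $_.Name -eq $fm.Groups['Name'].Value }
        [pscustomobject]@{
            Filter        = $f.Name
            Query         = $f.Query
            ConsumerClass = $c.__CLASS
            Consumer      = $c.Name
            # CommandLineTemplate exists on CommandLineEventConsumer, ScriptText on
            # ActiveScriptEventConsumer; a missing property simply reads as $null.
            Payload       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c.ScriptText) { $c.ScriptText } else { $null }
            Risky         = $RiskyConsumers -contains $c.__CLASS
        }
    }
}

# Usage: recent risky binding creations, then everything bound right now.
Get-WmiSubscriptionCreationEvent -Days 90 | Where-Object Risky | Format-List
Get-WmiPermanentSubscription | Format-Table -AutoSize
```

The two views disagree in useful ways: a binding present in the second list but absent from the first was created outside the log's retention window (or before the host ran a Windows version that has the log), and a 5861 entry with no matching live binding means the subscription was removed, which is itself worth a look.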
Q: How can I detect custom objects in WMI?
As for detecting custom objects in WMI, there's no built-in Windows log that records a new WMI class being created and inserted into the WMI repository. You can, however, subscribe to the intrinsic __ClassCreationEvent (one subscription per namespace you want to watch) and act on it whenever a new class appears.
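The script below is an added example and is not code from the Red Canary webinar or blog post. It registers a subscription on __ClassCreationEvent in each namespace of interest and then creates and deletes a harmless class so the watcher can be seen firing. It targets Windows PowerShell 5.1, since Register-WmiEvent is not available in PowerShell 7; the namespace list, source identifier prefix, log file path, and demo class name are the author's choices.

```powershell
# Added example (author's own, not from the webinar): watch for new WMI classes.
# WMI raises __ClassCreationEvent itself when a class is added to the repository,
# so no WITHIN polling clause is needed in the query.

# Subscriptions are per-namespace. root\default and root\cimv2 are common homes
# for attacker-created storage classes; root\subscription is where persistence lives.
$Namespaces = @('root\default', 'root\cimv2', 'root\subscription')
$LogPath    = Join-Path $env:TEMP 'wmi-class-creation.log'

function Start-WmiClassCreationWatch {
    foreach ($ns in $Namespaces) {
        $id = 'ClassCreated-' + ($ns -replace '\\', '-')
        # MessageData carries context into the action, which runs in its own runspace.
        Register-WmiEvent -Namespace $ns -Query 'SELECT * FROM __ClassCreationEvent' `
            -SourceIdentifier $id -MessageData @{ Namespace = $ns; LogPath = $LogPath } -Action {
                # TargetClass is the new class definition embedded in the event.
                $tc    = $Event.SourceEventArgs.NewEvent.TargetClass
                $name  = $tc.SystemProperties['__CLASS'].Value
                $props = ($tc.Properties | ForEach-Object { $_.Name }) -join ', '
                $line  = '[{0}] new class {1} in {2} (properties: {3})' -f `
                         (Get-Date -Format s), $name, $Event.MessageData.Namespace, $props
                Add-Content -Path $Event.MessageData.LogPath -Value $line
            } | Out-Null
    }
}

function Stop-WmiClassCreationWatch {
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'ClassCreated-*' | Unregister-Event
}

function Invoke-WmiClassCreationDemo {
    # Create, then remove, a benign class in root\default so the watcher fires.
    $class = New-Object System.Management.ManagementClass('root\default', [string]::Empty, $null)
    $class['__CLASS'] = 'Demo_ClassWatchTest'
    $class.Properties.Add('Payload', [System.Management.CimType]::String, $false)
    $null = $class.Put()
    Start-Sleep -Seconds 2          # give the asynchronous event time to arrive
    $class.Delete()
}

Start-WmiClassCreationWatch
Invoke-WmiClassCreationDemo
Get-Content $LogPath               # one "new class Demo_ClassWatchTest in root\default" line
# Stop-WmiClassCreationWatch       # remove the temporary subscriptions when done
```

Register-WmiEvent creates a temporary subscription that dies with the PowerShell process. A durable watcher is a permanent subscription (an __EventFilter with the same query, a consumer, and a binding in root\subscription), which is the very mechanism covered under persistence above, so it will itself show up in Event ID 5861 and in Sysmon Event IDs 19 through 21; document it so your own monitoring does not get triaged as an intrusion.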
We’ve pulled out clips of just the Q&A portion of the event below for your viewing convenience. Watch the full 2-part webinar on demand here to get a complete picture of WMI.
Additional resources
For those looking to learn everything they possibly can about WMI, check out these other helpful resources we've shared on our blog and elsewhere.
- Windows Management Instrumentation [T1047]
- Lateral Movement Using WinRM and WMI
- Threat Hunting for PsExec, Open-Source Clones, and Other Lateral Movement Tools
- Detecting All the Things with Limited Data
- Mining off the Land: Cryptomining Enabled by Native Windows Tools
- Detection deja vu: a tale of two incident response engagements
- Shutting Down Lateral Movement
Resources referenced in the live event: