
Detecting WMI: Your top questions answered

Experts from Red Canary, MITRE, and Microsoft share practical strategies and tactics for observing and detecting Windows Management Instrumentation (WMI).

Windows Management Instrumentation [T1047] is an execution technique that adversaries use for lateral movement and discovery, and it’s been a very popular topic around our halls for a number of years now. In fact, one of Red Canary’s most popular blog posts ever is about lateral movement using WMI, written nearly five years ago.

WMI was clearly past due for a deep dive, so we gathered top experts from Red Canary, MITRE, and Microsoft for a two-part webinar and hands-on challenge aimed at thoroughly exploring the execution technique. The full recording is now available to view on demand, but read on for some highlights.

Panelists:

Greg Bailey, Director, Incident Handling, Red Canary
Christopher Glyer, Principal Software Engineer, Cloud Security R&D, Microsoft
Jamie Williams, Lead Cyber Adversarial Engineer, MITRE
Joe Savini, Principal Solutions Specialist, Red Canary
Julie Brown, Detection Engineer, Red Canary
Matt Graeber, Director of Threat Research, Red Canary

Q: Why do I need to know about WMI?

“WMI is a super powerful tool for attackers,” said Matt Graeber, Red Canary’s Director of Threat Research, in the webinar. “There is very little that you can’t do across the kill chain or MITRE ATT&CK framework in WMI, whether it’s discovery, lateral movement, or persistence.”

Thanks to high engagement from our audience, we extended part two of the virtual event to allow extra time to make sure all questions were answered.

Q: Can I leverage Sysmon for logging WMI activity?

In the extended Q&A, the panelists covered administrative access, logging, custom objects, parent processes, persistence, and more. For instance, we learned that Sysmon was not built to detect every conceivable method across the wide range of WMI tradecraft; for WMI persistence specifically, however, a fantastic source of logging is Event ID 5861 on Windows 10, which is found in the WMI-Activity log.

Q: How can I detect custom objects in WMI?

As for detecting custom objects in WMI, there is no built-in logging that surfaces events such as a new WMI class being created and inserted into the WMI repository. You can, however, register your own WMI event query that fires whenever a new class is created.
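The two answers above in working form, as an added PowerShell example (not code from the panelists or Red Canary): a session-scoped subscription to the intrinsic __ClassCreationEvent that logs new WMI classes, and a pull of Event ID 5861 from the Microsoft-Windows-WMI-Activity/Operational log to review permanent subscriptions. The namespace list, the log file path, and the regexes over the 5861 message text are assumptions.

```powershell
# Added example, not from the webinar. Run in an elevated PowerShell session.

# --- 1. Watch for new WMI classes (the "custom object" case) ---
# __ClassCreationEvent is raised by the CIMOM itself, so no WITHIN polling
# interval is needed. The namespaces are an assumed watch list; root\subscription
# is where permanent event filters and consumers are stored.
$namespaces = @('root\default', 'root\subscription', 'root\cimv2')
foreach ($ns in $namespaces) {
    $id = 'WmiClassCreated_' + ($ns -replace '\\', '_')
    Register-WmiEvent -Namespace $ns `
        -Query 'SELECT * FROM __ClassCreationEvent' `
        -SourceIdentifier $id `
        -Action {
            # TargetClass is the newly created class; __NAMESPACE and __CLASS
            # are its WMI system properties.
            $cls = $Event.SourceEventArgs.NewEvent.TargetClass
            $msg = '{0} New WMI class created: {1}\{2}' -f (Get-Date -Format o),
                   $cls.__NAMESPACE, $cls.__CLASS
            Write-Host $msg
            # Assumed log location; adjust to your collection pipeline.
            Add-Content -Path "$env:ProgramData\wmi-class-create.log" -Value $msg
        } | Out-Null
}
# The subscriptions live only for this session. Remove them with:
#   Get-EventSubscriber | Where-Object SourceIdentifier -like 'WmiClassCreated_*' | Unregister-Event

# --- 2. Review permanent WMI subscriptions recorded as Event ID 5861 ---
# Each 5861 event describes one filter-to-consumer binding. The regexes assume
# the message text contains the consumer class name and a quoted WQL query.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $consumer = if ($e.Message -match '(\w+EventConsumer)') { $Matches[1] } else { 'unknown' }
    $query    = if ($e.Message -match 'Query\s*=\s*"([^"]+)"') { $Matches[1] } else { '' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Consumer = $consumer
        Query    = $query
        # Script and command-line consumers execute arbitrary code, so these
        # bindings are the ones to triage first.
        Triage   = $consumer -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
    }
}
```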

We’ve pulled out clips of just the Q&A portion of the event below for your viewing convenience. Watch the full two-part webinar on demand here to get a complete picture of WMI.


Additional resources

For those looking to learn everything they possibly can about WMI, check out these other helpful resources we’ve shared on our blog or otherwise.

Resources referenced in the live event:

Intelligence Insights: October 2021
Better know a data source: Process command line
Intelligence Insights: September 2021
Microsoft Identity: An intro to Windows Active Directory
