Q: Why do I need to know about WMI?
“WMI is a super powerful tool for attackers,” said Matt Graeber, Red Canary’s Director of Threat Research, in the webinar. “There is very little that you can’t do across the kill chain or MITRE ATT&CK framework in WMI, whether it’s discovery, lateral movement, or persistence.”
Thanks to high engagement from our audience, we extended part two of the virtual event to allow extra time to make sure all questions were answered.
Q: Can I leverage Sysmon for logging WMI activity?
In the extended Q&A, the panelists covered topics related to administrative access, logging, custom objects, parent processes, persistence, and more. For instance, we learned that Sysmon is not built to detect every conceivable WMI technique; it does record the components of a permanent event subscription (Event IDs 19, 20 and 21 for WMI event filters, consumers and filter-to-consumer bindings), but a fantastic source of logging for WMI persistence specifically is Event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log, available in Windows 10 and Windows Server 2016 onward. That event is written each time an event filter is bound to a permanent event consumer, and its message carries the filter query and the consumer's command line or script text.
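As an added example (not code from the webinar or from Red Canary), the following PowerShell pulls the filter, consumer and payload out of an Event ID 5861 message and flags the consumer types that execute code. The sample message is constructed to match the shape of a real 5861 event; the filter and consumer names, the command line and the function name are this example's own choices.

```powershell
# Added example, not from the webinar or from Red Canary: parse WMI-Activity
# Event ID 5861 messages (permanent event consumer bindings) into objects and
# flag the consumer classes that run attacker-supplied code.

function ConvertFrom-Wmi5861Message {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # 5861 delivers the binding as free-form text containing the MOF of the
        # filter and consumer, so the fields are recovered with regexes.
        $ns     = if ($Message -match 'Namespace = (?<ns>[^;]+);')                  { $Matches.ns.Trim() }
        $filter = if ($Message -match 'Eventfilter = (?<f>.+?) \(refer to')         { $Matches.f.Trim() }
        $ctype = $null; $cname = $null
        if ($Message -match 'Consumer = (?<t>\w+)="(?<n>[^"]+)"') { $ctype = $Matches.t; $cname = $Matches.n }
        # MOF string literals escape embedded quotes with a backslash, hence (?:[^"\\]|\\.)*
        $query   = if ($Message -match '(?s)Query = "(?<q>(?:[^"\\]|\\.)*)"') { $Matches.q }
        $payload = if ($Message -match '(?s)(?:CommandLineTemplate|ScriptText) = "(?<p>(?:[^"\\]|\\.)*)"') { $Matches.p }

        [pscustomobject]@{
            Namespace    = $ns
            FilterName   = $filter
            FilterQuery  = $query
            ConsumerType = $ctype
            ConsumerName = $cname
            Payload      = $payload
            # CommandLineEventConsumer and ActiveScriptEventConsumer execute arbitrary
            # code; the other built-in consumers (log, SMTP, file) rarely appear in persistence.
            Suspicious   = $ctype -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

# Constructed sample in the shape of a real 5861 message; all names and the
# command line are hypothetical.
$Sample = @'
Namespace = //./root/subscription; Eventfilter = Hypothetical_Filter (refer to its activate eventid:5859) ; Consumer = CommandLineEventConsumer="Hypothetical_Consumer"; PossibleCause = Binding EventFilter: 
instance of __EventFilter
{
    CreatorSID = {1, 5, 0, 0};
    EventNamespace = "root\\cimv2";
    Name = "Hypothetical_Filter";
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";
    QueryLanguage = "WQL";
};
Perm. Consumer: 
instance of CommandLineEventConsumer
{
    CommandLineTemplate = "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Hypothetical payload\"";
    CreatorSID = {1, 5, 0, 0};
    Name = "Hypothetical_Consumer";
};
'@

$Sample | ConvertFrom-Wmi5861Message | Format-List

# On a Windows 10 / Server 2016+ host, run the live log through the same parser.
if (Get-Command Get-WinEvent -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } | ConvertFrom-Wmi5861Message | Where-Object Suspicious
}
```

Event ID 5861 only fires when the binding is created, so it catches persistence as it is installed; to find subscriptions that predate your logging, enumerate the existing `__FilterToConsumerBinding` instances in `root\subscription` and compare them against a known-good baseline.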
Q: How can I detect custom objects in WMI?
As for detecting custom objects in WMI, there's no built-in logging that surfaces a new WMI class being created and inserted into the WMI repository. WMI does, however, raise intrinsic events for repository changes, so you can subscribe to a query such as SELECT * FROM __ClassCreationEvent (with __ClassModificationEvent and __ClassDeletionEvent as companions) in the namespaces you care about and act on new classes as they are defined.
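As an added example (not code from the webinar or from Red Canary), this PowerShell subscribes to the intrinsic __ClassCreationEvent for a namespace, then defines a throwaway class to show the subscription firing. It is Windows-only and needs an elevated prompt, since writing a class into root\default requires repository write access; the namespace, class name and source identifier are this example's own choices.

```powershell
# Added example, not from the webinar or from Red Canary: report new WMI classes
# as they are defined by subscribing to the intrinsic __ClassCreationEvent.
# Windows only; run elevated. Namespace and class name are hypothetical choices.

$Namespace = 'root\default'                      # root\default is a common attacker choice
$TestClass = 'Hypothetical_ClassCreationCanary'  # throwaway class used to trigger the event
$SourceId  = 'WmiClassCreated'

# 1. Subscribe first. __ClassCreationEvent is raised by WMI itself (intrinsic),
#    so the query needs no WITHIN polling interval.
$scope   = New-Object System.Management.ManagementScope("\\.\$Namespace")
$query   = New-Object System.Management.WqlEventQuery('SELECT * FROM __ClassCreationEvent')
$watcher = New-Object System.Management.ManagementEventWatcher($scope, $query)
Register-ObjectEvent -InputObject $watcher -EventName EventArrived -SourceIdentifier $SourceId | Out-Null
$watcher.Start()

$newClass = $null
try {
    # 2. Do what an attacker staging data in the repository does: define a new class.
    $newClass = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
    $newClass['__CLASS'] = $TestClass
    $newClass.Properties.Add('Payload', [System.Management.CimType]::String, $false)
    [void]$newClass.Put()

    # 3. The EventArrived event is queued by PowerShell; pull it off the queue.
    $ev = Wait-Event -SourceIdentifier $SourceId -Timeout 15
    if ($ev) {
        $target = $ev.SourceEventArgs.NewEvent['TargetClass']   # embedded copy of the new class definition
        'New WMI class defined: {0}:{1} (properties: {2})' -f $Namespace, $target['__CLASS'],
            (($target.Properties | ForEach-Object Name) -join ', ')
        Remove-Event -EventIdentifier $ev.EventIdentifier
    } else {
        'No __ClassCreationEvent received within 15 s'
    }
}
finally {
    # 4. Tear down the subscription and remove the canary class.
    $watcher.Stop()
    Unregister-Event -SourceIdentifier $SourceId
    if ($newClass) { try { $newClass.Delete() } catch { } }
    $watcher.Dispose()
}
```

The temporary subscription above disappears when the PowerShell session ends; for a durable detection, put the same query in an __EventFilter in root\subscription and bind it to a logging consumer such as NTEventLogEventConsumer so each class creation lands in the event log. Either form is itself a WMI subscription that an attacker with administrative rights can enumerate and remove, and neither covers classes created before the subscription existed, so pair it with a baseline of the classes already present (Get-CimClass per namespace).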
We’ve pulled out clips of just the Q&A portion of the event below for your viewing convenience. Watch the full 2-part webinar on demand here to get a complete picture of WMI.
For those looking to learn everything they possibly can about WMI, check out these other helpful resources we've shared on our blog and elsewhere.
Resources referenced in the live event: