There’s Something About WMI - DFIR Summit 2015
by Devon Kerr, Senior Consultant, Mandiant, A FireEye Company
This presentation will describe the purpose and components of Windows Management Instrumentation (WMI) from the incident response and forensics perspectives. Attendees will learn how targeted threats are using WMI during each phase of the compromise, case studies and examples, the artifacts generated by those activities, some of the tools used to interact with WMI, using WMI for persistent access that defeats antivirus and application whitelisting, and the benefits of enabling WMI trace logging for additional detection and improved analysis.
Devon Kerr, Senior Consultant, Mandiant
Devon Kerr is a Principal Consultant at Mandiant, an enterprise incident response (IR) and remediation lead, and has supported investigations by providing host, network, and log analysis. Mr. Kerr developed and maintains Mandiant methodologies and documentation for the Compromise Assessment service, OpenIOC utilization, and hunting with the FireEye Threat Analytics Platform (TAP). @_devonkerr_
Video: There’s Something About WMI - DFIR Summit 2015, from the channel SANS Digital Forensics and Incident Response
Video information
Published December 11, 2015, 4:23:43
Duration 01:06:54