There’s Something About WMI - DFIR Summit 2015
by Devon Kerr, Senior Consultant, Mandiant, A FireEye Company
This presentation will describe the purpose and
components of Windows Management Instrumentation
(WMI) from the incident response and forensics
perspectives. Attendees will learn how targeted threats
are using WMI during each phase of the compromise, case
studies and examples, the artifacts generated by those
activities, some of the tools used to interact with WMI,
using WMI for persistent access that defeats antivirus and
application whitelisting, and the benefits of enabling WMI
trace logging for additional detection and improved analysis
Devon Kerr, Senior Consultant, Mandiant
Devon Kerr is a Principal Consultant at Mandiant, an enterprise
incident response(IR) and remediation lead, and has supported
investigations by providing host, network, and log analysis. Mr. Kerr developed and maintains Mandiant methodologies and documentation for the Compromise Assessment service, OpenIOC utilization, and hunting with the FireEye Threat Analytics Platform(TAP). @_devonkerr_
Видео There’s Something About WMI - DFIR Summit 2015 канала SANS Digital Forensics and Incident Response
This presentation will describe the purpose and
components of Windows Management Instrumentation
(WMI) from the incident response and forensics
perspectives. Attendees will learn how targeted threats
are using WMI during each phase of the compromise, case
studies and examples, the artifacts generated by those
activities, some of the tools used to interact with WMI,
using WMI for persistent access that defeats antivirus and
application whitelisting, and the benefits of enabling WMI
trace logging for additional detection and improved analysis
Devon Kerr, Senior Consultant, Mandiant
Devon Kerr is a Principal Consultant at Mandiant, an enterprise
incident response(IR) and remediation lead, and has supported
investigations by providing host, network, and log analysis. Mr. Kerr developed and maintains Mandiant methodologies and documentation for the Compromise Assessment service, OpenIOC utilization, and hunting with the FireEye Threat Analytics Platform(TAP). @_devonkerr_
Видео There’s Something About WMI - DFIR Summit 2015 канала SANS Digital Forensics and Incident Response
Показать
Комментарии отсутствуют
Информация о видео
11 декабря 2015 г. 4:23:43
01:06:54
Другие видео канала
Investigating WMI Attacks
ShimCache and AmCache enterprise-wide hunting - SANS Threat Hunting Summit 2017
Abusing Windows Management Instrumentation (WMI)
AmCache Investigation - SANS Digital Forensics & Incident Response Summit 2019
Windows Application Compatibility Forensics
HIP18 - Talk 14 - No Win32_Process Needed Expanding the WMI Lateral Movement Arsenal
Persistence Mechanisms
Track 3 03 Detecting WMI exploitation Michael Gough![WMI - Windows Management Instrumentation - [#12] PowerShell for IT Professionals](https://i.ytimg.com/vi/_NadlLhLldY/default.jpg)
WMI - Windows Management Instrumentation - [#12] PowerShell for IT Professionals
Use PowerShell & WMI to Manage User Profiles
STAR Webcast: Spooky RYUKy: The Return of UNC1878
SaaS Hunting | 2020 Threat Hunting & Incident Response Summit
ProblemChild: Discovering Anomalous Patterns based on Parent-Child Process Relationships
Windows Command Prompt for Forensics
From One Sec Guy to the Team that Saved the CISO’s Day | Threat Hunting & Incident Response Summit
How To Detect Lateral Movement Using Zeek/Bro: Scheduled Tasks
Chapter 11 - Simple WMI.mp4
GHOSTS IN THE WMI
DFIR in 120 Seconds - Shimcache
Big Game Hunting: Major FIN threat joins the targeted ransomware-as-a-Service (RaaS) scene