BSidesLV 2015 has ended
Back To Schedule
Wednesday, August 5 • 10:00 - 10:55
WhyMI so Sexy? WMI Attacks, Real-Time Defense, and Advanced Forensic Analysis

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Windows Management Instrumentation (WMI) is a remote management framework that enables the collection of host information, execution of code, and provides an eventing system that can respond to operating system events in real time. FireEye has recently seen a surge in attacker use of WMI to carry out objectives such as system reconnaissance, remote code execution, persistence, lateral movement, covert data storage, and VM detection. Defenders and forensicators have largely remained unaware of the value of WMI due to its relative obscurity and completely undocumented file format. After extensive reverse engineering, our team has documented the WMI repository file format in detail, developed libraries to parse it, and formed a methodology for finding evil in the repository.
In this talk, we will take a deep dive into the architecture of WMI, reveal a case study in attacker use of WMI in the wild, describe WMI attack mitigation strategies, show how to mine its repository for forensic artifacts, and demonstrate how to detect attacker activity in real-time by tapping into the WMI eventing system. By the end of this talk, we will have convinced the audience that WMI is a valuable asset not just for system administrators and attackers, but equally so for defenders and forensic analysts.


William Ballenthin

Willi Ballenthin is a reverse engineer in the FireEye Labs Advanced Reverse Engineering (FLARE) Team who specializes in incident response and computer forensics. He can typically be found investigating intrusions at Fortune 500 companies and enjoys reverse engineering malware, developing... Read More →

Matthew Graeber

Staff Reverse Engineer, FireEye, Inc.
Matt Graeber (@mattifestation) is a reverse engineer in the FireEye Labs Advanced Reverse Engineering (FLARE) Team with a varied background in reverse engineering, red teaming, and offensive tool development. Since joining FireEye, Matt has reversed a vast quantity of targeted and... Read More →

Claudiu Teodorescu

Staff Reverse Engineer, FireEye, Inc
Claudiu Teodorescu is a reverse engineer in the FireEye Labs Advanced Reverse Engineering (FLARE) Team. Prior to joining FireEye, Claudiu worked for Guidance Software, writing forensic parsers for different file formats to support the EnCase forensic tool. Also, as the Cryptographic... Read More →

Wednesday August 5, 2015 10:00 - 10:55 PDT
Breaking Ground Florentine A

Attendees (0)