In this two-part blog series, we’ll share the details of what was covered during our webinar with the goal of helping security practitioners improve their visibility of these offensive persistence techniques and help to undermine the efficacy of these attacks against their organization.

Part 1 will explain what persistence is and why attackers need it. We’ll introduce the Event Query Language (EQL) before showing its practical use cases for threat hunting. We will examine a popular technique used by adversaries to maintain persistence, Windows Management Instrumentation (WMI) Event Subscription (T1084). We’ll also share how Elastic Security users can hunt for and detect this technique being used in their environment.

In part 2, we’ll explore two additional persistence techniques that are being used by attackers in the wild: BITS Jobs (T1197) and Scheduled Tasks (T1053). This follow-up post will walk through real world examples of these techniques being used and how we can hunt for, detect, and prevent them using Elastic Security.
wmi  security  elasticsearch  windows 
12 days ago by unclespeedo
How to Script to List Installed Software on Multiple Computers | Action1
How to create a script that lists installed software on multiple computers, and how to use a PowerShell script to get a list of installed software on a remote computer.
powershell  wmi  installed  program  windows  query 
4 weeks ago by gilberto5757
Mr-Un1k0d3r/PoisonHandler: lateral movement techniques that can be used during red team exercises
This technique registers a protocol handler remotely and invokes it to execute arbitrary code on the remote host. The idea is to simply invoke start handler:// to execute commands and evade detection.

This cmdlet creates a protocol handler that will call your payload, then executes it over WMI using explorer.exe.
windows  pentest  redteam  wmi 
11 weeks ago by whip_lash
Restricting Group Policy with WMI Filtering | Windows OS Hub
Select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
december 2019 by vdubgeek
Be careful what you ask for (especially in WMI queries) – peteronprogramming
TL;DR: In exotic environments, WMI queries might take longer than you think. Recently, we've received a report from a user claiming that our product was taking ages to launch. According to the report the program started eventually, but a few minutes of delay was inconvenient enough for the client to file a support case (unsurprisingly).…
wmi  query  example 
december 2019 by gilberto5757
The WMI Query From Hell – Alois Kraus
An analysis of a Windows machine "slowdown" using Windows Performance Recorder (WPR), ETW and Windows Performance Toolkit (WPT) reveals the problem to be a slow WMI query being run by a third party application.
AloisKraus  WMI  WPR  WPT  ETW  Tutorial  PerformanceAnalysis  Windows  2019 
november 2019 by dlb