Look Ma, No Win32_Process Needed: Expanding Your WMI Lateral Movement Arsenal

PRESENTATION SLIDES

For quite some time now, WMI has resided in the main roster of techniques used by threat actors to perform lateral movement between endpoints. Despite the vast scope of classes and methods available through WMI, attackers moving laterally seem to rely almost exclusively on the “Create” method of the “Win32_Process” class, diving further into the depths of the WMI model only to perform reconnaissance and establish persistence.

This talk will exhibit various never-before-seen techniques for authenticated (file-based and fileless) remote execution, using only pure-WMI methods, along with stealthier enhancements of known techniques, all of which subvert many host and network-based methods of detection without using the notorious Win32_Process class.

The talk will also describe the strengths and weaknesses of, and provide detection methods for, every technique described.

MAIN CONFERENCE
Location: Track 1
Date: April 13, 2018
Time: 4:30 pm - 5:30 pm
Speaker: Philip Tsukerman