Malicious Behavior Detection using WMI presented at BSidesManchester 2019

by Ben Lister

Summary: How do we know when trusted applications that are integral to the operating system are being used for evil? How do we determine whether the behaviour is normal or has malicious intent? Through this talk I will discuss the challenges around detecting the malicious use of native Windows applications, the so-called Living Off The Land binaries. I will explore Windows Management Instrumentation (WMI) in depth, and show how it can be used to detect changes to various aspects of Windows. I will demonstrate how we can combine simple behavioural indicators of suspicious activity with aspects of WMI to create a framework for detecting malicious behaviour.
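As an added illustration of the approach the abstract describes (this is not code from the talk), the PowerShell below registers a temporary WMI event subscription for process creation and combines two simple behavioural indicators with the data WMI hands back for each new process. The binary list, the indicators, the source identifier and the log path are assumptions chosen for the example.

```powershell
# Added example, not from the talk: watch Win32_Process creation through WMI and flag
# Living Off The Land binaries that show a simple behavioural indicator.
# Uses __InstanceCreationEvent (polled every 2 s), which does not require elevation.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_Process'"

Register-CimIndicationEvent -Query $query -SourceIdentifier 'LolbinWatch' -Action {
    # Illustrative lists (assumptions); extend from the LOLBAS project as needed
    $lolbins = 'certutil.exe','mshta.exe','regsvr32.exe','rundll32.exe',
               'bitsadmin.exe','wscript.exe','cscript.exe','msiexec.exe'
    $officeParents = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe'

    # The new Win32_Process instance delivered by WMI
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    if ($lolbins -notcontains $p.Name.ToLower()) { return }

    # Resolve the parent; it may already have exited by the time we poll
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }
    $cmd = [string]$p.CommandLine

    # Behavioural indicators: a remote URL in the arguments, or an Office parent
    $reasons = @()
    if ($cmd -match 'https?://')              { $reasons += 'url-in-args' }
    if ($officeParents -contains $parentName) { $reasons += 'office-parent' }
    if ($reasons.Count -eq 0) { return }

    $msg = "[{0}] {1} (PID {2}) parent={3} indicators={4} cmd={5}" -f `
        (Get-Date -Format o), $p.Name, $p.ProcessId, $parentName,
        ($reasons -join ','), $cmd
    Write-Host $msg
    # Assumed log location for later collection by a SIEM agent
    Add-Content -Path "$env:ProgramData\lolbin-watch.log" -Value $msg
}

# Stop watching with: Unregister-Event -SourceIdentifier 'LolbinWatch'
```

The subscription lives only for the current PowerShell session; a permanent __EventFilter/__EventConsumer binding would survive reboots but should itself be monitored, since the same mechanism is a well-known persistence location.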