Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs

Security solutions engineers always find new ways to monitor OS events to mitigate threats on endpoints. These approaches typically reuse different built-in Windows mechanisms that were never designed with security first in mind. At Black Hat Europe 2021, we publicly showed how to blind an entire class of endpoint security products by disabling ETW. Our current research focus is Windows Management Instrumentation (WMI), a mechanism that allows filtering without registering kernel callbacks... By: Andrey Golchikov , Igor Korkin , Claudiu Teodorescu Full Abstract & Presentation Materials: #blasting-event-driven-cornucopia-wmi-based-user-space-attacks-blind-siems-and-edrs-27211