
Adversary Emulation w/ Carlos Perez - PSW #789
Security Weekly Podcast Network (Audio)
How to Disable WMI Event Logs
I prefer to modify existing WMI permanent events rather than create new ones. That's a technique that I learned from APT 28. And the other thing is I like using WMI providers where I can to just create that permanent backdoor on a machine. So when we go over here, I can refresh as much as I want and nothing's there. Now the log here says disabled. So now I did all of my malicious stuff. The same query had the problem several times. In fact, let me run it several times. It works in whatever language supports Win32 APIs.