Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4036
Title: Detecting and Investigating Windows Management Instrumentation (WMI) Based Remote Attacks in Windows Operating Systems
Authors: Kulasekera, K.K.
Issue Date: 2017
Abstract: The ability to watch the network traffic generated by client-server applications can greatly assist both in understanding how client-server applications work and in identifying issues related to the technology. This research focuses on detecting and investigating Windows Management Instrumentation (WMI) based remote attacks in the Windows operating environment. Windows Management Instrumentation (WMI) is the main source of management data and functionality on local and remote computers that run Microsoft Windows operating systems. As existing technologies for packet sniffing and intrusion detection have proven inadequate to detect WMI-based remote attacks on Windows operating environments, a need has arisen for a mechanism to detect remote attacks that use WMI. In this context, DCERPC (Distributed Computing Environment / Remote Procedure Calls) stub data has been used to detect the mentioned attacks. The resulting system is required to capture packets with DCERPC payloads, decode the captured payload to get the DCERPC stub data, and explore the hidden Microsoft COM (Component Object Model) request.
URI: http://hdl.handle.net/123456789/4036
Appears in Collections: Master of Science in Information Security - 2017

Files in This Item:
File: Final Thesis-Kanishka Kulasekara_2014_MIS_010.pdf
Size: 2.66 MB
Format: Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.