Fake WMI Provider with Deceptive Data

Create a decoy WMI provider that responds to attacker queries with fabricated or misleading information. This can be used to confuse attackers, disrupt their reconnaissance efforts, or gather information about their WMI-based tools and techniques.

Engage Goals: EGO0003 Elicit

Engage Approach: EAP0001 Collect

Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls

Name of Element: Fake WMI Provider with Deceptive Data

Description of Element:

A decoy WMI provider exposes one or more classes whose instances are fabricated: for example a non-existent security agent, an inflated list of hosts or shares, or credentials and console URLs that point at a monitored honeypot. Adversaries routinely use WMI for discovery (T1047), so any query against the decoy class is a high-confidence signal: no legitimate management tool has a reason to enumerate it. The provider therefore serves two purposes. It feeds misleading data into the attacker's reconnaissance, and its query entry point doubles as a tripwire that records which process and account touched it and what query or tool fingerprint was used.

Technical Context:

Placement: Registered in the WMI repository (normally in a namespace attackers enumerate, such as root\cimv2), alongside legitimate WMI providers, so that the decoy class appears in ordinary class listings.

Develop a custom WMI provider in C++ (a COM provider implementing IWbemProviderInit and IWbemServices, hosted by WmiPrvSE.exe) or in .NET (a decoupled provider built with the WMI.NET Provider Extensions in System.Management.Instrumentation, hosted in your own process or service). Declare the decoy class in a MOF file and register it with mofcomp.exe. The provider's enumeration and query methods are where the deceptive instances are produced and where an access alert should be raised, because every GetObject, CreateInstanceEnum or ExecQuery against the class passes through them. Complement the in-provider alert with the operating system's own telemetry: the Microsoft-Windows-WMI-Activity/Operational log records provider loads (event ID 5857) and failed queries (5858), and the Microsoft-Windows-WMI-Activity/Trace channel records every operation together with the namespace, query text, user and ClientProcessId. Two caveats apply. Do not replace or shadow built-in classes such as Win32_Process or AntiVirusProduct, since legitimate management and security tooling depends on them and a broken class will be noticed long before an attacker is; create new classes instead. And remember that a COM provider runs inside WmiPrvSE.exe with elevated privileges, so a buggy decoy provider is itself attack surface and should be kept small, input-free and well tested.
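The following PowerShell script is an added example, not code from the original page. Instead of compiling a full provider it registers a decoy class with static, fabricated instances directly in the CIM repository (a simpler stand-in for a custom provider that works for static deceptive data), then enables WMI-Activity tracing and reports every client that queried the decoy class. The class name Deception_EDRAgent, its properties, the product name, version and console URL are all invented for the illustration; a real deployment would pick names that blend in with the vendor classes already present.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Registers a decoy WMI class with fabricated instances, then reports any
# process that queried it, using the WMI-Activity analytic trace channel.
# All decoy names and values below are invented for this illustration.
#Requires -RunAsAdministrator

$Namespace = 'root\cimv2'
$ClassName = 'Deception_EDRAgent'   # hypothetical decoy class name

# 1. Decoy class plus fabricated instance data, expressed in MOF.
#    Static instances in the repository stand in for a compiled provider.
$Mof = @"
#pragma namespace("\\\\.\\root\\cimv2")

[Description("Endpoint agent inventory")]
class $ClassName
{
    [key] string  AgentId;
    string  ProductName;
    string  Version;
    string  ConsoleUrl;
    boolean TamperProtection;
};

instance of $ClassName
{
    AgentId          = "EDR-7F3A";
    ProductName      = "ContosoShield EDR";           // fictitious product
    Version          = "9.4.1";
    ConsoleUrl       = "https://edr-console.corp.example/"; // monitored honeypot URL
    TamperProtection = TRUE;
};
"@

$MofPath = Join-Path $env:TEMP 'decoy_edr.mof'
Set-Content -Path $MofPath -Value $Mof -Encoding ASCII
# mofcomp.exe writes the class and its instances into the WMI repository.
& "$env:SystemRoot\System32\wbem\mofcomp.exe" $MofPath | Out-Null
Remove-Item $MofPath

# 2. Enable the WMI-Activity trace channel. Event ID 11 records each
#    IWbemServices operation (ExecQuery, CreateInstanceEnum, GetObject)
#    with namespace, query text, user and ClientProcessId.
wevtutil.exe set-log 'Microsoft-Windows-WMI-Activity/Trace' /enabled:true /quiet:true | Out-Null

function Get-DecoyWmiAccess {
    param([int]$MaxEvents = 5000)
    # Analytic channels must be read with -Oldest.
    $filter = @{ LogName = 'Microsoft-Windows-WMI-Activity/Trace'; Id = 11 }
    Get-WinEvent -FilterHashtable $filter -Oldest -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ClassName) } |
        ForEach-Object {
            $msg = $_.Message
            $clientPid = if ($msg -match 'ClientProcessId\s*=\s*(\d+)') { [int]$Matches[1] } else { $null }
            $proc = if ($clientPid) { Get-Process -Id $clientPid -ErrorAction SilentlyContinue } else { $null }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ClientPid = $clientPid
                Process   = if ($proc) { $proc.ProcessName } else { '<exited or unknown>' }
                User      = if ($msg -match 'User\s*=\s*([^;]+);') { $Matches[1].Trim() } else { $null }
                Operation = if ($msg -match '(Start IWbemServices::[^;]+)') { $Matches[1] } else { $msg }
            }
        }
}

# 3. Simulate an adversary's reconnaissance query, then look for the tripwire hit.
Get-CimInstance -Namespace $Namespace -ClassName $ClassName | Out-Null
Get-DecoyWmiAccess | Format-Table -AutoSize
```

Because no legitimate tool knows about the decoy class, every row returned by Get-DecoyWmiAccess is worth investigating; the ClientPid and User fields identify the querying process and account, and the Operation field preserves the exact WQL the attacker's tooling issued. The Trace channel is a small ring buffer, so for production use forward the Microsoft-Windows-WMI-Activity ETW provider to a collector rather than polling the log. To remove the decoy, delete the class with Remove-CimInstance on its instances followed by `(Get-CimClass -ClassName $ClassName) | Remove-CimInstance`, or compile a MOF containing `#pragma deleteclass("Deception_EDRAgent", NOFAIL)`.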

Other:

Att&ck/Engage Mapping: T1047 Windows Management Instrumentation, E1504 Decoy Content
