Discover WMI (Windows Management Instrumentation) based attack and analysis techniques in new Academy module
The WMI Tradecraft Analysis module provides a deep technical analysis of WMI tradecraft from both the attacker and the defender perspective. While completing the module, you will learn how WMI is abused for execution, lateral movement, persistence, and stealthy backdoor deployment, as well as how to detect, hunt, and investigate malicious WMI activity using event logs, ETW, and low-level artifacts such as the WMI repository.

Key learning outcomes:
- Understanding WMI architecture and execution flow, including providers, namespaces, repositories, and COM-based service activation
- Querying and analyzing WMI data using PowerShell to assess system configuration, processes, and services
- Identifying malicious and anomalous WMI activity by examining execution context, process relationships, and remote usage patterns
- Mapping WMI abuse to MITRE ATT&CK techniques and applying monitoring strategies to detect lateral movement, living-off-the-land execution, and persistence in Windows environments
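The following PowerShell script is an added example, not code from the Academy module, showing the kind of host triage the outcomes above describe: it enumerates permanent WMI event subscriptions (the classic persistence mechanism), lists processes spawned by WmiPrvSE.exe (what WMI-based execution and Win32_Process.Create lateral movement look like in the process tree), and pulls consumer-registration events from the WMI-Activity log. It assumes an elevated PowerShell session on a Windows host; the three function names are my own and hypothetical.

```powershell
# Added example (not from the Academy module): triage WMI persistence and
# WMI-hosted execution on the local host with the CIM cmdlets.
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session so that
# root\subscription and Win32_Process command lines are readable.

function Get-WmiPersistence {
    # Permanent event subscriptions live in root\subscription, survive reboots,
    # and run as SYSTEM whenever the filter's WQL query fires.
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Get-CimInstance returns the Filter/Consumer reference properties as
        # partial CimInstances (key properties only), so resolve the full objects.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object {
            $_.Name -eq $b.Consumer.Name -and
            $_.CimClass.CimClassName -eq $b.Consumer.CimClass.CimClassName
        }
        $type = $c.CimClass.CimClassName

        # Only these two consumer types execute attacker-controlled code.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }

        [pscustomobject]@{
            Binding      = '{0} -> {1}' -f $b.Filter.Name, $b.Consumer.Name
            ConsumerType = $type
            Query        = $f.Query        # e.g. timer- or logon-triggered __InstanceModificationEvent
            Payload      = $payload
            # Windows ships one benign binding (NTEventLogEventConsumer
            # 'SCM Event Log Consumer'); command/script consumers deserve review.
            Suspicious   = $type -in @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')
        }
    }
}

function Get-WmiPrvSEChildren {
    # WMI providers are hosted in WmiPrvSE.exe. Win32_Process.Create (wmic, 
    # Invoke-CimMethod from a remote host) and CommandLineEventConsumer payloads
    # appear as children of WmiPrvSE.exe, which rarely spawns cmd, powershell,
    # rundll32 or mshta during normal operation.
    $procs = Get-CimInstance -ClassName Win32_Process
    $hosts = $procs | Where-Object { $_.Name -eq 'WmiPrvSE.exe' }

    foreach ($h in $hosts) {
        $procs |
            # PID reuse caveat: ParentProcessId can point at a recycled PID, so
            # require the child to have been created after its claimed parent.
            Where-Object { $_.ParentProcessId -eq $h.ProcessId -and $_.CreationDate -ge $h.CreationDate } |
            ForEach-Object {
                [pscustomobject]@{
                    ParentPid   = $h.ProcessId
                    Pid         = $_.ProcessId
                    Name        = $_.Name
                    CommandLine = $_.CommandLine
                    Created     = $_.CreationDate
                }
            }
    }
}

function Get-WmiConsumerRegistrations {
    # Microsoft-Windows-WMI-Activity/Operational event 5861 records the namespace,
    # filter query and consumer when a permanent binding is registered. The event
    # stays in the log even if the attacker later deletes the subscription.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message } }
}

# Usage
Get-WmiPersistence | Where-Object Suspicious | Format-List
Get-WmiPrvSEChildren | Format-Table -AutoSize
Get-WmiConsumerRegistrations | Select-Object -First 10 | Format-List
```

Run the first function on a clean build of the same Windows version to baseline the default SCM Event Log binding before treating the output as findings. For remote lateral-movement hunting, the same WmiPrvSE.exe parent-child relationship is what to look for in Sysmon Event ID 1 or Security 4688 data from the target host, correlated with a Logon Type 3 event from the source; the process snapshot above only catches what is still running.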
