WMI Archives

Tech Optimizer

December 3, 2025

Fileless protection explained: Blocking the invisible threat others miss

Fileless malware operates within a computer's active memory, avoiding detection by traditional antivirus solutions that rely on file scanning. It uses legitimate tools like PowerShell to execute harmful commands without creating files, making it difficult to identify. Cybercriminals can use fileless malware for various malicious activities, including data theft and cryptocurrency mining. Malwarebytes combats fileless attacks through two defense layers: Script Monitoring, which intercepts potentially dangerous scripts at execution, and Command-Line Protection, which scrutinizes command-line tools for suspicious activities. Examples of fileless attacks include malicious email attachments activating PowerShell to download ransomware, hidden JavaScript on websites mining cryptocurrency, and attackers using Windows Management Instrumentation (WMI) to create backdoors. Malwarebytes' Fileless Protection operates automatically in the background, ensuring legitimate applications function normally while monitoring for threats. It is part of a comprehensive security framework that includes machine-learning detection and web protection, designed to stop attacks that do not write files. This protection is included with Malwarebytes Premium, aimed at safeguarding personal and small business systems.

Winsage

November 19, 2025

Sysmon – Go-to Tool for IT Admins, Security Pros, and Threat Hunters Coming to Windows

Microsoft will integrate native System Monitor (Sysmon) functionality into Windows 11 and Windows Server 2025, enhancing security operations for IT teams. This integration will provide instant threat visibility, automate compliance through Windows Update, and include features such as process monitoring, network connection tracking, credential access detection, file system monitoring, process tampering detection, WMI persistence tracking, and custom configuration support. It will also offer official customer service support and allow seamless access to events through Windows Event Logs or Security Information and Event Management (SIEM) systems. Administrators can enable Sysmon using the command "sysmon -i." Future plans include expanding Sysmon’s capabilities with enterprise-scale management and AI-powered detection.

Winsage

November 18, 2025

Microsoft is bringing native Sysmon support to Windows 11, Server 2025

Microsoft is integrating Sysmon into Windows 11 and Windows Server 2025, eliminating the need for separate deployments of Sysinternals tools. This integration will allow users to utilize custom configuration files for filtering captured events, which will be logged in the Windows event log. Sysmon is a free tool that monitors and blocks suspicious activities while logging events such as process creation, DNS queries, and executable file creation. It will be easily installable via the "Optional features" settings in Windows 11, with updates delivered through Windows Update. Sysmon will retain its standard features, including support for custom configuration files and advanced event filtering. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.

Winsage

November 18, 2025

Microsoft to integrate Sysmon directly into Windows 11, Server 2025

Microsoft will integrate Sysmon into Windows 11 and Windows Server 2025, eliminating the need for standalone deployment. Sysmon will allow users to utilize custom configuration files for event filtering, logging events in the Windows event log. It tracks events such as process creation, DNS queries, executable file creation, changes to the clipboard, and auto-backup of deleted files. Users can access Sysmon through "Optional features" in Windows 11 and receive updates via Windows Update. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.

Winsage

November 4, 2025

Hackers Use Hyper-V to Deploy Linux Malware on Windows Systems

The Russian-aligned APT group Curly COMrades has been using hidden Alpine Linux virtual machines (VMs) on compromised Windows hosts via Microsoft Hyper-V to evade detection and maintain covert access. This technique was uncovered in mid-2025 through an investigation by Bitdefender and the Georgian CERT, which traced suspicious activities to a compromised Georgian website. The attackers activated Hyper-V on the infected machines, downloaded a disguised VM image, and named it “WSL.” The VM, operating on Alpine Linux, had a small disk footprint and low RAM usage, minimizing alerts from security systems. Within this environment, they deployed two malware implants: CurlyShell, a reverse shell for command execution, and CurlCat, a reverse proxy tool for SSH traffic. Both implants were designed to maintain a low forensic footprint. The attackers also used a PowerShell script to inject encrypted Kerberos tickets into LSASS for lateral movement and employed various tunneling tools for communication. Artifacts from their operations were stored in directories that blended with legitimate Windows files. Security teams are advised to audit Hyper-V usage, monitor for hidden VMs, and enable host-based network inspection.

Winsage

October 20, 2025

5 PowerShell tricks that beat Bash on Windows

Bash is the preferred shell for many developers in Linux environments due to its robust capabilities and flexibility. PowerShell is gaining popularity on Windows for its modern functionalities, user-friendly interface, and integration with the operating system. PowerShell handles output as objects, allowing for easier data manipulation compared to Bash, which outputs plain text. PowerShell can interact with system-level components like the registry and services, enabling tasks such as querying startup applications or managing services directly. It features cmdlets that follow a Verb-Noun syntax, making commands intuitive and reusable, and supports modules for enhanced functionality. PowerShell also excels in file management and offers remoting capabilities, allowing command execution on remote machines without third-party tools. Overall, PowerShell provides better scripting and ease of use for Windows users compared to Bash.

Tech Optimizer

October 10, 2025

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation revealed that a Python-based infostealer campaign led to the deployment of PureRAT, a sophisticated remote access trojan (RAT). The campaign began with a phishing email containing a ZIP archive that included a legitimate PDF reader executable and a malicious DLL. The DLL executed a series of payloads, including a Python info-stealer that harvested sensitive data and exfiltrated it via the Telegram API. The attack progressed to a .NET executable, which employed techniques like process hollowing and evasion tactics to load additional payloads. The final payload, Mhgljosy.dll, was identified as PureRAT, which established an encrypted command-and-control (C2) channel and allowed for extensive control over the compromised host. The C2 server was traced to Vietnam, suggesting a connection to the PXA group. The malware's functionality included host fingerprinting, command execution, and potential access to sensitive information and resources. Indicators of compromise included specific file hashes, registry keys, and IP addresses associated with the C2 server.

Tech Optimizer

October 6, 2025

Ransomware Gangs Exploit Remote Access Tools to Stay Hidden and Maintain Control

Modern ransomware operations have evolved into complex, multi-stage campaigns that utilize legitimate Remote Access Tools (RATs) to maintain stealth and persistently dismantle organizational defenses. Ransomware encrypts critical data and demands ransom for restoration, with current operations being highly targeted compared to earlier mass phishing attacks. Attackers exploit trusted administrative software like AnyDesk, UltraViewer, RustDesk, and Splashtop to establish backdoors, escalate privileges, and deploy payloads across networks, moving laterally and evading detection. The ransomware kill chain consists of several stages: 1. Initial Access: Attackers gain access through credential compromise, often targeting administrator accounts. 2. Remote Tool Abuse: Attackers deploy RATs either by hijacking existing tools or performing silent installations. 3. Persistence & Privilege Consolidation: They maintain persistence using registry keys and scheduled tasks while escalating privileges. 4. Antivirus Neutralization & Anti-Forensics: Attackers stop antivirus services, manipulate policies, and clear logs to evade detection. 5. Payload Deployment & Execution: Ransomware is delivered and executed within remote sessions to avoid suspicion. Commonly abused RATs include AnyDesk, UltraViewer, AppAnywhere, RustDesk, Splashtop, and TightVNC, which have been associated with various ransomware campaigns. Understanding the tactics and techniques used by adversaries is crucial for effective defense, as they exploit legitimate tools to bypass security measures. Emerging trends include AI-driven RAT deployment, cloud-based RAT abuse, and the integration of RATs in ransomware-as-a-service offerings. A comprehensive defense strategy involves multiple layers of security, including virus protection, behavior-based detection, and application control, to counter the risks posed by RAT abuse in ransomware attacks.

Winsage

September 17, 2025

Microsoft: WMIC will be removed after Windows 11 25H2 upgrade

Microsoft has announced the removal of the Windows Management Instrumentation Command-line (WMIC) tool, effective with the upgrade to Windows 11 25H2 and subsequent versions. IT administrators are urged to transition to Windows PowerShell for WMI-related tasks, as WMIC will be phased out. While WMIC is being deprecated, the Windows Management Instrumentation (WMI) will remain operational. WMIC has been declining since its deprecation in Windows Server 2012 and Windows 10 21H1 and was converted into a Feature on Demand starting with Windows 11 22H2. Microsoft stated that the removal of WMIC is intended to enhance security by mitigating malware and attack strategies that exploit this tool, which has been used by ransomware operators and other malicious actors.