homepage
Open menu
Contact Sales
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Free Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defense Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
      • European Skills Framework
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • In-Person Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Live Online Events List
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
      • Free Training & Resources
    • Cyber Ranges
  • Enterprise Solutions
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Group Purchasing
    • Build Your Team
      • Assessments
      • Private Training
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
      • Leadership Courses
      • Executive Cybersecurity Exercises
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
      • Webinars
      • Live Streams
        • Wait Just An Infosec
        • Cybersecurity Leadership
        • SANS Threat Analysis Rundown (STAR)
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
        • Blueprint
        • Trust Me, I'm Certified
        • Cloud Ace
        • Wait Just an Infosec
      • Summit Presentations
      • Posters & Cheat Sheets
    • Internet Storm Center
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
      • Open-Source Intelligence (OSINT)
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • Australia
    • Brazil
    • France
    • India
    • Japan
    • Middle East & Africa
    • United Kingdom
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Finding Evil WMI Event Consumers with Disk Forensics
370x370_Chad-Tilbury.jpg
Chad Tilbury

Finding Evil WMI Event Consumers with Disk Forensics

This blog covers disk-based artifacts and tools available for use during deeper forensic investigations.

May 22, 2023

Finding Evil WMI Event Consumers with Disk Forensics

WMI abuse remains an easy and stealthy component of many modern attacks targeting Microsoft Windows. WMI can facilitate every aspect of the post-exploit kill chain using built-in tools with the added bonus (from the attacker’s perspective) of minimal available logging. WMI event consumers are a specialized form of persistence and code execution that can be traced back to the venerable Stuxnet and continue to be used by a wide variety of threat actors, including top-tier groups with ties to Russia and China like Cozy Bear, Mustang Panda, and Turla. WMI event filters can monitor for specific events and when triggered, enact event consumers that can then do things like run scripts and execute code. Event triggers can be based on time (e.g., every twenty seconds), the start of a specific service, at boot, whenever a user logs in, or thousands of other options. Administrative privileges are necessary, but once achieved, attackers can use WMI to create a backdoor that can be difficult to detect without proper monitoring. If you would like a deeper dive into WMI attacks, the research paper Windows Management Instrumentation Offense, Defense, and Forensics by Ballenthin, Graeber, and Teodorescu is still the definitive reference.

Auditing the Local WMI Repository

PowerShell-based collections, Event Logs, and Sysmon are all viable (and easy) options for discovering malicious WMI Event Consumers, but what about if you are looking at evidence from a system that is no longer running? While not ideal, there are situations where WMI analysis is necessary using only a copy of a hard drive (or equivalent).Luckily there are some capabilities available to assist. WMI event consumers are stored in a local database located in the \Windows\System32\wbem\Repositoryfolder.The WMI database consists of several files with the bulk of the information present in a file named OBJECTS.DATA. The WMI database is in a compressed binary format, making it challenging to interact with. Microsoft provides only sparse documentation on the database format and contents and a typical interaction with these files would normally consist of PowerShell or WMIC queries accomplished while the system is running. Another option is WMI Explorer, an open-source tool facilitating GUI introspection of the database. It can be an excellent tool when searching for something deep within the WMI database or for better understanding how it is composed.

Figure 1: WMI Explorer Showing a Malicious CommandLineEvent Consumer

A big limitation of WMI Explorer is it presumes you have access to the live system you are auditing. However, if you only have a disk image or a triage collection of the WMI folder, you can still perform similar analysis of the database. flare-wmi, from The Mandiant FLARE Team, is a set of Python-based code projects for parsing and interacting with the WMI database including a proof-of-concept GUI database parser. The figure below shows data within the GUI browser, but there are several even more useful command line scripts present in this repository such as show_filtertoconsumerbindings.py.

Figure 2: flare-wmi Offline WMI Parser

If you are looking only to audit WMI Event Consumers (a good idea to start with), David Pany wrote a simple script to search the OBJECTS.DATA file for instances of WMI event consumers and display the results.PyWMIPersistenceFinder.py provides output similar to what you might get from using the PowerShell cmdlet Get-WmiObject on a live system. For offline purposes, this script makes it dead simple to pull out WMI consumers—just export/collect the WMI repository folder and point the script at OBJECTS.DATA file. You will encounter false positives, but they are largely predictable, and the “evil” consumers will almost always stick out. As an example, the consumer on this slide is yet another encoded PowerShell script. By decoding the include base64 data, the script could be analyzed for malicious intent.

Figure 3: PyWMIPersistenceFinder Script Results

Tracking the Creation of Event Consumers

While auditing the local WMI repository is a good first step, it is also possible to identify the initial creation of a WMI event consumer. Evil WMI event consumers are created on a system via two primary methods: MOF compilation and PowerShell. Each has the potential to leave behind valuable clues.

MOF Residue

What exactly is a Managed Object Format (MOF) file? Think of it as a text file representing WMI class definitions and instances. MOF files are used by Windows to build the WMI repo. Many WMI repository definitions are initially defined via the MOF format. They can also be used to extend WMI and hence they are a common way to introduce malicious classes into the WMI repository. References to MOF files can be found in the WMI binary tree index, C:\Windows\System32\wbem\Repository\index.btr.

Standard system MOF files and most subsystem MOF files are all stored in the WBEM folder. While this is standard practice, MOFs can actually be stored anywhere and only the compiled MOF file is required to be present in the repository. Sadly, a MOF file can be named anything, be located anywhere, and even be deleted after it is introduced into the WMI repository. This makes finding malicious MOF files very difficult (though you might get lucky!)Mofcomp.exe is used to compile .MOF files and add them to the WMI repository. While the execution of mofcomp.exe could be an indicator, in practice it is used by the system frequently. The WMI database files are also updated frequently, meaning the NTFS modification times for Prefetch and the files in the \Windows\System32\wbem\Repository cannot be reliably used to identify when something malicious was added. Thus, there are few timeline artifacts available for this activity. To make matters worse, the MOF compiler allows remote namespaces, so supplying the “-N” switch with a remote machine name and MOF file will compile and insert the new classes into a remote system’s WMI database:

mofcomp -N \\[machinename]\root\subscription test.mof

In this scenario, the MOF file is not written to disk on the remote system, leaving even less artifacts. This is why collecting command lines from systems is so important (“mofcomp -N” would make an excellent threat hunting search).Luckily, there is still a chance MOF file residue may be left behind even if the originals are long gone. Our best chance is when the MOF file includes something named “#PRAGMA AUTORECOVER”. This is an optional field included near the top of a MOF file. “PRAGMA AUTORECOVER” ensures a copy of the MOF file is stored in case the WMI repository needs to rebuild itself. Think of this as a precaution to make sure your malicious entries do not eventually age out of the database. Figure 4 shows the compilation of a malicious MOF file using mofcomp.exe and the subsequent error provided when autorecover is not present.

Figure 4: MOF File Lacking Pragma Autorecover Directive

If an attacker chooses to include this statement, there should be some excellent forensic artifacts left behind to find the original MOF files. If this is the case, why do we see a lot of malicious MOF files in the wild that include this? The answer is probably a mix of ignorance of the detection risk along with the desire to keep the malicious classes in the WMI repository indefinitely. Remember that the use case for MOF files is largely persistence, which means they may be the only way the attacker has of getting back into the compromised network.When #PRAGMA AUTORECOVER is included within a MOF file, a copy of the file is stored within the C:\Windows\System32\wbem\AutoRecover folder. This provides an excellent opportunity to identify malicious introductions in the WMI database. The autorecover feature can also be accomplished via the mofcomp.exe tool by using the “-autorecover” parameter. When a backup copy is stored in this folder, it is renamed, so do not expect to see “evil.mof” within this folder. You may only see a handful of files in this folder and they will all be text-based, making analysis straightforward. Additionally, the file timestamps (creation and modification) can help identify outliers and help focus analysis on items modified or created during the expected time range of an attack.

Figure 5: MOF Files Present in AutoRecover Folder

When #PRAGMA AUTORECOVER is included within a MOF file, a Windows Registry entry is also created for that file. This will be located in the HKLM\SOFTWARE\Microsoft\Wbem\CIMOM key, under a value named “Autorecover MOFs.” The name recorded in this value will not be the original name, but it will include the folder path where it existed during compilation. The provided name may also indicate the type of consumer—in the following example, an evil “ActiveScript” consumer was present. The path is particularly important because almost all legitimate MOF files will be in the WBEM folder. Thus, anything present outside of the \Windows folder should be a prompt to perform a thorough review of the C:\Windows\System32\wbem\AutoRecover folder files on disk.

Figure 6: HKLM\SOFTWARE\Microsoft\Wbem\CIMOM Registry Key

PowerShell Creation Artifacts

You do not need a MOF file to set up an evil WMI event consumer. WMI object definitions can be created without a MOF file via direct insertion into the CIM repository using .NET code (PowerShell is often the common choice). It is a trade-off: PowerShell commands to import items are relatively straightforward (see Figure 7), but a MOF file can be a bit cleaner or easier when doing more complicated events like ActiveScript. More advanced adversaries may prefer PowerShell because it has the potential to be stealthier, effectively taking away even the nominal artifacts discussed above with respect to MOF files. However, if the system has at least PowerShell version 5, there are opportunities to collect artifacts via command-line auditing, local PowerShell ScriptBlock Logging and the PSReadline ConsoleHost_history.txt file. The PowerShell commands used are not particularly common and can make good search terms during threat hunting. As an example, the following PowerShell sets up c:\alg.exe as the evil payload with an event trigger of within 10 seconds of any service modification. Clearly some good search terms can be derived from these commands.

Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=“wmi”;EventNameSpace="root\cimv2"; QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Service'"}

Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=“wmi”;ExecutablePath=‘C:\alg.exe’;CommandLineTemplate =‘C:\alg.exe’}

Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=“wmi”;Consumer=“wmi”}

Figure 7: Sample PowerShell Commands for WMI Event Consumer Creation

Conclusion

WMI event consumers will continue to be abused in the wild as long as organizations fail to discover and remediate them. While live collection and analysis is preferable to scale efforts across a network, this post covered disk-based artifacts and tools available for use during deeper forensic investigations. A KAPE target exists to collect the required files for offline analysis, making it an easy check to perform during incident response forensic investigations.

Chad Tilbury has spent over twenty years conducting computer crime investigations ranging from hacking to espionage to multimillion-dollar fraud cases. He is a SANS Institute Fellow and co-author of FOR500 Windows Forensic Analysis and FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics. Find him on Twitter @chadtilbury

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Recommended Training

  • FOR532: Enterprise Memory Forensics In-Depth
  • SEC501: Advanced Security Essentials - Enterprise Defender
  • FOR608: Enterprise-Class Incident Response & Threat Hunting

Tags:
  • Digital Forensics, Incident Response & Threat Hunting

Related Content

Blog
Malware_Blogs.png
Digital Forensics, Incident Response & Threat Hunting
September 21, 2023
Latest Must-Read Malware Analysis Blogs
In this post, we present a selection of recent malware analysis write-ups to highlight individuals' passion for malware analysis
Anuj_Soni_370x370.png
Anuj Soni
read more
Blog
FOR508_Update.png
Digital Forensics, Incident Response & Threat Hunting
September 3, 2023
Next Generation FOR508
The latest FOR508 update represents a major upgrade to the courseware with a complete replacement of every hands-on exercise in the course.
370x370_Chad-Tilbury.jpg
Chad Tilbury
read more
Blog
Blog_teaser_images_(19).png
Digital Forensics, Incident Response & Threat Hunting, Open-Source Intelligence (OSINT)
August 31, 2023
FOR589: Cybercrime Intelligence - NEW SANS DFIR Course coming in 2024
Learn to traverse the cyber underground, social engineer cybercriminals and investigate illicit cryptocurrency activity.
Sean_O_Connor_370x370.png
Sean O'Connor
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • © 2023 SANS™ Institute
  • Privacy Policy
  • Terms and Conditions
  • Do Not Sell/Share My Personal Information
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn