The ABCs of WMI - Finding Evil in Plain Sight
Video Overview & Insights
To date, WMI is one of the few forensic topics that hasn't been widely covered on this channel. Let's fix that and explore how we can separate legitimate WMI usage from attacker activity. We'll start with a review and cover the basics of this technology. Then we'll spend the rest of the episode looking at how we can enumerate the contents of the WMI database on a live system and on a dead system.
@13Cubed the transcript for this video seems to be in Korean or something - might be worth regenerating it?
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
π Chapters
Great content! still applicable even up to this date.
I hope you could continue working on more dfir videos specially with the new OS releases and updates.
Thank you very much for this!
00:00 - Intro
04:37 - Analyzing WMI with Autoruns for Windows
Nice presentation. One question. CanΒ΄t we just check with Wbemtest?
06:41 - Analyzing WMI with PowerShell
09:48 - Using KAPE to Acquire WMI Artifacts
Thanks for all your videos, Iβm really liking them a lot ! :D
Have you planned to do some video on the methodology for finding evidence of intrusion ?
It could start with one of those : a. Email containing a malicious file, b. Accessing a malicious URL in the browser, c. After a web server is compromised and a webshell deployed.
It would be great to see how you start an investigation in those cases. What kind of artifacts do you analyze first ? What assumptions do you take to build from there ? Etc. :-)
11:09 - Using PyWMIPersistenceFinder.py
14:16 - Recap
That repo is also has script for parsing OBJECT.DATA for recently used applications. I wish you talked about that script too. Great video as always.
π Resources
Autoruns for Windows:
Awesome content
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
KAPE:
Another great video, as always. Are there any other good resources for learning WMI forensics? Also, do you like Microsoft flight simulator?
https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape
PyWMIPersistenceFinder.py:
Thanks, very useful content for DFIR Practitioners at this moment. Almost every Security Incident and Threat actor has been leveraging WMI and PsExec capabilities!
https://github.com/davidpany/WMI_Forensics
MITRE ATT&CK - Windows Management Instrumentation:
nice
https://attack.mitre.org/techniques/T1047/
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics