free web page hit counter
πŸ›‘οΈ
Copyright Notice: This video is officially sourced and embedded from YouTube. For all copyright inquiries, reports, or removals, please contact YouTube's legal team here.
13Cubed

13Cubed

67,800 subscribers

⏱ πŸ‘ 21,675 views

The ABCs of WMI - Finding Evil in Plain Sight

Video Overview & Insights

To date, WMI is one of the few forensic topics that hasn't been widely covered on this channel. Let's fix that and explore how we can separate legitimate WMI usage from attacker activity. We'll start with a review and cover the basics of this technology. Then we'll spend the rest of the episode looking at how we can enumerate the contents of the WMI database on a live system and on a dead system.

@13Cubed the transcript for this video seems to be in Korean or something - might be worth regenerating it?

β€” @GraemeMeyer-g4q

*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***

πŸ“– Chapters

Great content! still applicable even up to this date.
I hope you could continue working on more dfir videos specially with the new OS releases and updates.
Thank you very much for this!

β€” @ianthecat2541

00:00 - Intro

04:37 - Analyzing WMI with Autoruns for Windows

Nice presentation. One question. CanΒ΄t we just check with Wbemtest?

β€” @paulosilva-dm1qb

06:41 - Analyzing WMI with PowerShell

09:48 - Using KAPE to Acquire WMI Artifacts

Thanks for all your videos, I’m really liking them a lot ! :D
Have you planned to do some video on the methodology for finding evidence of intrusion ?
It could start with one of those : a. Email containing a malicious file, b. Accessing a malicious URL in the browser, c. After a web server is compromised and a webshell deployed.
It would be great to see how you start an investigation in those cases. What kind of artifacts do you analyze first ? What assumptions do you take to build from there ? Etc. :-)

β€” @john23232

11:09 - Using PyWMIPersistenceFinder.py

14:16 - Recap

That repo is also has script for parsing OBJECT.DATA for recently used applications. I wish you talked about that script too. Great video as always.

β€” @gokhanaydn2094

πŸ›  Resources

Autoruns for Windows:

Awesome content

β€” @prasanthkumar6808

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

KAPE:

Another great video, as always. Are there any other good resources for learning WMI forensics? Also, do you like Microsoft flight simulator?

β€” @TheKiller7276

https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape

PyWMIPersistenceFinder.py:

Thanks, very useful content for DFIR Practitioners at this moment. Almost every Security Incident and Threat actor has been leveraging WMI and PsExec capabilities!

β€” @NaveenKumarDevaraja

https://github.com/davidpany/WMI_Forensics

MITRE ATT&CK - Windows Management Instrumentation:

nice

β€” @CatSmiling

https://attack.mitre.org/techniques/T1047/

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics