The ABCs of WMI - Finding Evil in Plain Sight

To date, WMI is one of the few forensic topics that hasn't been widely covered on this channel. Let's fix that and explore how we can separate legitimate WMI usage from attacker activity. We'll start with a review and cover the basics of this technology. Then we'll spend the rest of the episode looking at how we can enumerate the contents of the WMI database on a live system and on a dead system.

📖 Chapters

00:00 - Intro
04:37 - Analyzing WMI with Autoruns for Windows
06:41 - Analyzing WMI with PowerShell
09:48 - Using KAPE to Acquire WMI Artifacts
14:16 - Recap
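The following PowerShell is an added example, not material from the 13Cubed video or its resources. It shows the two enumeration approaches the chapters above describe: on a live system, it lists the filters, consumers and bindings that make up a permanent WMI event subscription (the mechanism ATT&CK describes under Windows Management Instrumentation); on a dead system, it does a quick string-level triage of an OBJECTS.DATA file acquired with KAPE. The function names and the case path under C:\Cases are my own and hypothetical.

```powershell
# Added example (not from the video). Requires Windows PowerShell 5.1 or
# PowerShell 7 on Windows; run the live-system part as an administrator.

function Get-WmiSubscriptionSummary {
    # Permanent subscriptions live in root/subscription. A benign default
    # Windows install has very few of these, so anything unfamiliar here
    # deserves a closer look.
    $ns = 'root/subscription'

    # 1. Filters: the WQL query that decides when the subscription fires.
    $filters = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        Select-Object Name, Query

    # 2. Consumers that can execute attacker-supplied content. Other
    #    consumer types exist (log, SMTP) but these two run commands/scripts.
    $cmdConsumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
        Select-Object Name, ExecutablePath, CommandLineTemplate
    $scriptConsumers = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
        Select-Object Name, ScriptingEngine, ScriptFileName, ScriptText

    # 3. Bindings: which filter is wired to which consumer. Filter and
    #    Consumer are reference properties, so their Name is reachable
    #    directly on the returned object.
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        ForEach-Object {
            [pscustomobject]@{
                Filter       = $_.Filter.Name
                Consumer     = $_.Consumer.Name
                ConsumerType = $_.Consumer.CimSystemProperties.ClassName
            }
        }

    [pscustomobject]@{
        Filters         = $filters
        CommandLine     = $cmdConsumers
        ActiveScript    = $scriptConsumers
        Bindings        = $bindings
    }
}

function Search-WmiRepositoryFile {
    # Dead-box triage of OBJECTS.DATA (the WMI repository file under
    # %SystemRoot%\System32\wbem\Repository, which KAPE collects). This does
    # not parse the repository structure; it only surfaces the class names
    # of executable consumers together with some surrounding bytes so the
    # analyst can see the command line or script text stored next to them.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Context = 200
    )

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to one character, so offsets stay byte offsets.
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    foreach ($needle in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        foreach ($m in [regex]::Matches($text, [regex]::Escape($needle))) {
            $start = [Math]::Max(0, $m.Index - $Context)
            $len   = [Math]::Min($text.Length - $start, $m.Length + 2 * $Context)
            # Replace non-printable bytes with '.' so the snippet is readable.
            $snippet = $text.Substring($start, $len) -replace '[^\x20-\x7E]', '.'
            [pscustomobject]@{
                Class   = $needle
                Offset  = $m.Index
                Snippet = $snippet
            }
        }
    }
}

# Live system: review filters, consumers and bindings.
$live = Get-WmiSubscriptionSummary
$live.Bindings | Format-Table -AutoSize
$live.CommandLine | Format-List
$live.ActiveScript | Format-List

# Dead system: OBJECTS.DATA from a KAPE collection (hypothetical case path).
$repo = 'C:\Cases\HOST01\C\Windows\System32\wbem\Repository\OBJECTS.DATA'
if (Test-Path $repo) {
    Search-WmiRepositoryFile -Path $repo | Format-List
}
```

On the live side, read the bindings first: each row ties a filter (when) to a consumer (what), and a CommandLineEventConsumer or ActiveScriptEventConsumer bound to a filter is the shape to scrutinise. The dead-box search is deliberately crude; it is a first pass over an acquired repository to decide whether a proper parse is warranted, and hits in slack space can reflect subscriptions that were removed as well as ones that are current.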

🛠 Resources

Autoruns for Windows:

KAPE:

MITRE ATT&CK - Windows Management Instrumentation:

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Comments

Great content! Still applicable even up to this date.
I hope you could continue working on more DFIR videos, especially with the new OS releases and updates.
Thank you very much for this!

ianthecat

Thanks, very useful content for DFIR Practitioners at this moment. Almost every Security Incident and Threat actor has been leveraging WMI and PsExec capabilities!

NaveenKumarDevaraja

Another great video, as always. Are there any other good resources for learning WMI forensics? Also, do you like Microsoft flight simulator?

TheKiller

Thanks for all your videos, I’m really liking them a lot! :D
Have you planned to do some video on the methodology for finding evidence of intrusion?
It could start with one of those: a. Email containing a malicious file, b. Accessing a malicious URL in the browser, c. After a web server is compromised and a webshell deployed.
It would be great to see how you start an investigation in those cases. What kind of artifacts do you analyze first? What assumptions do you take to build from there? Etc. :-)

john

@13Cubed the transcript for this video seems to be in Korean or something - might be worth regenerating it?

GraemeMeyer-gq

Nice presentation. One question. Can't we just check with Wbemtest?

paulosilva-dmqb