To date, WMI is one of the few forensic topics that hasn't been widely covered on this channel. Let's fix that and explore how we can separate legitimate WMI usage from attacker activity. We'll start with a review and cover the basics of this technology. Then we'll spend the rest of the episode looking at how we can enumerate the contents of the WMI database on a live system and on a dead system.
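The live-system enumeration described above, as an added example that is not from the video or its author: it lists the three linked object types that make up a WMI event subscription in root\subscription and joins them so each binding shows its trigger and its action. The only assumption is an elevated Windows PowerShell session on the host being examined.

```powershell
# Added example: enumerate WMI event subscriptions on a live system.
# A WMI persistence entry is three linked objects in root\subscription:
#   __EventFilter            - the trigger (a WQL query)
#   __EventConsumer          - the action (subclasses such as CommandLineEventConsumer)
#   __FilterToConsumerBinding - ties one filter to one consumer
# Run from an elevated prompt; the namespace requires administrative rights.
$ns = 'root\subscription'

function Get-RefName($ref) {
    # Get-CimInstance returns reference properties as partial CimInstance objects;
    # Get-WmiObject returns them as strings such as '__EventFilter.Name="X"'.
    if ($ref -is [string]) { return ($ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $ref.Name
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    $filterName   = Get-RefName $b.Filter
    $consumerName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $filterName
    $c = $consumers | Where-Object Name -eq $consumerName

    # The consumer subclass says what kind of action fires. CommandLineTemplate
    # (CommandLineEventConsumer) and ScriptText (ActiveScriptEventConsumer) hold
    # the command or script itself, which is what you want to review.
    [pscustomobject]@{
        Filter       = $filterName
        Query        = $f.Query
        ConsumerType = $c.CimClass.CimClassName
        Consumer     = $consumerName
        Action       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                       elseif ($c.ScriptText)      { $c.ScriptText }
                       else                        { $null }
    }
}
```

On a default Windows install expect one legitimate binding, "SCM Event Log Filter" to the NTEventLogEventConsumer "SCM Event Log Consumer"; anything else deserves a close look at its query and action.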
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
04:37 - Analyzing WMI with Autoruns for Windows
06:41 - Analyzing WMI with PowerShell
09:48 - Using KAPE to Acquire WMI Artifacts
11:09 - Using PyWMIPersistenceFinder.py
14:16 - Recap
🛠 Resources
Autoruns for Windows:
docs.microsoft.com/en-us/sysi...
KAPE:
www.kroll.com/en/insights/pub...
PyWMIPersistenceFinder.py:
github.com/davidpany/WMI_Fore...
MITRE ATT&CK - Windows Management Instrumentation:
attack.mitre.org/techniques/T...
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics