The ABCs of WMI - Finding Evil in Plain Sight

17,137 views

13Cubed

1 day ago

To date, WMI is one of the few forensic topics that hasn't been widely covered on this channel. Let's fix that and explore how we can separate legitimate WMI usage from attacker activity. We'll start with a review and cover the basics of this technology. Then we'll spend the rest of the episode looking at how we can enumerate the contents of the WMI database on a live system and on a dead system.
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
04:37 - Analyzing WMI with Autoruns for Windows
06:41 - Analyzing WMI with PowerShell
09:48 - Using KAPE to Acquire WMI Artifacts
11:09 - Using PyWMIPersistenceFinder.py
14:16 - Recap
🛠 Resources
Autoruns for Windows:
docs.microsoft.com/en-us/sysi...
KAPE:
www.kroll.com/en/insights/pub...
PyWMIPersistenceFinder.py:
github.com/davidpany/WMI_Fore...
MITRE ATT&CK - Windows Management Instrumentation:
attack.mitre.org/techniques/T...
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics

Comments: 10
@NaveenKumarDevaraja 3 years ago
Thanks, very useful content for DFIR practitioners at this moment. Almost every security incident and threat actor has been leveraging WMI and PsExec capabilities!
@TheKiller7276 3 years ago
Another great video, as always. Are there any other good resources for learning WMI forensics? Also, do you like Microsoft flight simulator?
@13Cubed 3 years ago
SANS has some good free material, but outside of that, I am not aware of any. Regarding MSFS 2020, yes! It's awesome.
@john23232 3 years ago
Thanks for all your videos, I'm really liking them a lot! :D Have you planned to do some video on the methodology for finding evidence of intrusion? It could start with one of those: a. Email containing a malicious file, b. Accessing a malicious URL in the browser, c. After a web server is compromised and a webshell deployed. It would be great to see how you start an investigation in those cases. What kind of artifacts do you analyze first? What assumptions do you take to build from there? Etc. :-)
@13Cubed 3 years ago
Maybe one day. It takes so long to produce these episodes as it is, so until I can streamline my current workflow (or dedicate more time to this) it just doesn't seem feasible.
@prasanthkumar6808 3 years ago
Awesome content
@paulosilva-dm1qb 2 years ago
Nice presentation. One question. Can't we just check with Wbemtest?
@1YaHaa 3 years ago
Dope
@CatSmiling 3 years ago
nice