🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page

Was this helpful?

  1. Windows Artifacts
  2. Persistence
  3. WMI Event Consumers

WMI: Destination System Artifacts

PreviousWMI: Source System ArtifactsNextWMI: PowerShell Analysis

Last updated 1 year ago

Was this helpful?

WMI: Destination System Artifacts Quick Reference

security.evtx

    • Source IP/Logon User Name

    • Logon User Name

    • Logon by a user with administrative rights

Microsoft-Windows-WMI-Activity%4Operational.evtx

  • Event ID 5857

    • Indicates time of wmiprvse execution and path to provider DLL – attackers sometimes install malicious WMI provider DLLs.

  • Event IDs 5860/5861

    • Registration of Temporary (5860) and Permanent (5861) Event Consumers. Typically used for persistence, but can be used for remote execution.

  • – SYSTEM

    • scrcons.exe

    • mofcomp.exe

    • wmiprvse.exe

    • evil.exe

  • – First Time Executed

    • evil.exe

    • wmiprvse.exe

    • mofcomp.exe

    • scrcons.exe

  • File Creation

    • evil.exe

    • evil.mof – .mof files can be used to manage the WMI Repository

    • mstsc.exe-{hash}.pf

  • Unauthorized changes to the WMI Repository

    • C:\Windows\System32\wbem\Repository

Analyzing WMI (Windows Management Instrumentation) destination system artifacts is an essential aspect of investigating sophisticated cyber attacks. WMI can be utilized for legitimate administrative purposes but also exploited by attackers for persistence, lateral movement, and execution of malicious payloads with minimal forensic footprint. Understanding the artifacts associated with WMI activities on the destination system is critical for detecting and responding to such threats.

Event Logs

  1. Security.evtx

    • Event ID 4624 (Logon Type 3): Indicates a network logon event, which could be related to remote WMI access. Pay attention to the source IP and logon username to identify potential unauthorized access.

    • Event ID 4672: Signifies special privileges assigned to a new logon session, often associated with administrative rights. An attacker leveraging WMI might use an account with elevated privileges to execute commands or deploy malware.

  2. Microsoft-Windows-WMI-Activity%4Operational.evtx

    • Event ID 5857: Shows wmiprvse.exe execution details, including the path to the provider DLL. Monitoring for unusual or unexpected provider DLLs can help identify malicious WMI activities.

    • Event IDs 5860/5861: Indicate the registration of temporary and permanent WMI event consumers, respectively. These are often used for persistence mechanisms by attackers and can occasionally be used for remote command execution.

Registry Artifacts

  • ShimCache (SYSTEM): Contains execution history of critical binaries such as scrcons.exe, mofcomp.exe, wmiprvse.exe, and potentially malicious executables (evil.exe). This can provide early hints of WMI or PowerShell-based attacks.

  • AmCache.hve: Logs the first time execution of binaries, providing a timeline for when potentially malicious files (evil.exe, wmiprvse.exe, mofcomp.exe, scrcons.exe) were first run on the system.

File System Artifacts

  • File Creation: The presence of uncommon executables (evil.exe) or MOF files (evil.mof) in the file system can indicate malicious use. MOF files, in particular, are associated with managing the WMI Repository and can be compiled using mofcomp.exe to introduce malicious WMI event consumers.

  • Prefetch: The Prefetch folder (C:\Windows\Prefetch) contains files like mstsc.exe-{hash}.pf, which can indicate remote desktop usage, potentially related to lateral movement or remote execution activities.

  • WMI Repository: Unauthorized changes within the WMI Repository directory (C:\Windows\System32\wbem\Repository) can signal tampering or the introduction of malicious WMI objects. Monitoring for unexpected modifications or new files in this directory is crucial.

Investigating with PowerShell

PowerShell commands can be leveraged to inspect the WMI Repository and identify suspicious objects or activities:

# List all WMI Permanent Event Consumers
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer

# Investigate specific MOF files compiled into the WMI Repository
Get-WmiObject -Namespace root\Default -Query "SELECT * FROM __MOFClass WHERE FileName = 'evil.mof'"

# Audit the WMI Repository for unauthorized changes
Get-ChildItem -Path C:\Windows\System32\wbem\Repository

– C:\Windows\Prefetch

Event ID 4624
Logon Type 3
Event ID 4672
ShimCache
AmCache.hve
Prefetch