🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Prerequisites
  • Step 1: Access the WMI Namespace
  • Step 2: List WMI Event Consumers
  • Step 3: Investigate Event Filters
  • Step 4: Examine Filter to Consumer Bindings
  • Step 5: Inspect Specific Consumers for Malicious Activity
  • Step 6: Analyze Scripts and Executables
  • Step 7: Review the WMI Activity Log

Was this helpful?

  1. Windows Artifacts
  2. Persistence
  3. WMI Event Consumers

WMI: PowerShell Analysis

Analyzing the WMI (Windows Management Instrumentation) Repository is a critical task for both system administrators and security professionals. The WMI Repository, located in %SystemRoot%\System32\wbem\Repository, stores definitions for WMI Classes, Instances, and Event Consumers. Malicious actors may exploit WMI for persistence, lateral movement, or to execute malicious payloads, often leaving traces in the WMI Repository. This tutorial outlines steps to analyze the WMI Repository for signs of malicious activity.

Prerequisites

  • Administrative access on the Windows system.

  • Basic familiarity with WMI concepts and PowerShell.

  • PowerShell scripting enabled on the system.

Step 1: Access the WMI Namespace

Start by accessing the WMI namespace where most system and security information is stored. The root\cimv2 namespace is commonly used for system management tasks, but for investigating malicious activity, the root\subscription namespace is more relevant because it contains information about WMI Event Subscriptions.

# Open PowerShell with administrative privileges
# Navigate to the root\subscription namespace
Get-WmiObject -Namespace "root\subscription" -List

Step 2: List WMI Event Consumers

Event Consumers are the actions taken in response to an event. Malicious scripts or commands can be hidden within these consumers.

Get-WmiObject -Namespace "root\subscription" -Class __EventConsumer

Pay attention to any consumers that execute scripts or commands, particularly those with unfamiliar or suspicious paths and commands.

Step 3: Investigate Event Filters

Event Filters define the criteria for the events that trigger the consumers. Understanding what triggers a suspicious consumer can provide context to the malicious activity.

Get-WmiObject -Namespace "root\subscription" -Class __EventFilter

Look for filters with unusual queries that might relate to system startup, user logon events, or other common persistence mechanisms.

Step 4: Examine Filter to Consumer Bindings

Bindings connect filters to consumers. Analyzing these can help you understand which filters trigger which consumers.

Get-WmiObject -Namespace "root\subscription" -Class __FilterToConsumerBinding

Identify any bindings that link suspicious filters to consumers, as these are potential indicators of compromise.

Step 5: Inspect Specific Consumers for Malicious Activity

Dive deeper into any suspicious consumers you've identified, examining their properties and the scripts or commands they execute.

# Replace "SuspiciousConsumer" with the actual name of the consumer you're investigating
Get-WmiObject -Namespace "root\subscription" -Class CommandLineEventConsumer -Filter "Name='SuspiciousConsumer'"

Step 6: Analyze Scripts and Executables

If the consumer involves executing a script or binary, manually review the content of these files or execute them in a controlled environment to understand their behavior.

Step 7: Review the WMI Activity Log

Windows logs WMI activity in the Microsoft-Windows-WMI-Activity/Operational log. Review this log for any recent activity related to the suspicious consumers, filters, or bindings you've identified.

Get-WinEvent -LogName "Microsoft-Windows-WMI-Activity/Operational"
PreviousWMI: Destination System ArtifactsNextPowerShell Scripts

Last updated 1 year ago

Was this helpful?