The ABCs of WMI - Finding Evil in Plain Sight

Поделиться
HTML-код
  • Опубликовано: 14 июл 2024
  • To date, WMI is one of the few forensic topics that hasn't been widely covered on this channel. Let's fix that and explore how we can separate legitimate WMI usage from attacker activity. We'll start with a review and cover the basics of this technology. Then we'll spend the rest of the episode looking at how we can enumerate the contents of the WMI database on a live system and on a dead system.
    ** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
    📖 Chapters
    00:00 - Intro
    04:37 - Analyzing WMI with Autoruns for Windows
    06:41 - Analyzing WMI with PowerShell
    09:48 - Using KAPE to Acquire WMI Artifacts
    11:09 - Using PyWMIPersistenceFinder.py
    14:16 - Recap
    🛠 Resources
    Autoruns for Windows:
    docs.microsoft.com/en-us/sysi...
    KAPE:
    www.kroll.com/en/insights/pub...
    PyWMIPersistenceFinder.py:
    github.com/davidpany/WMI_Fore...
    MITRE ATT&CK - Windows Management Instrumentation:
    attack.mitre.org/techniques/T...
    #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
  • НаукаНаука

Комментарии • 10

  • @NaveenKumarDevaraja
    @NaveenKumarDevaraja 3 года назад +2

    Thanks, very useful content for DFIR Practitioners at this moment. Almost every Security Incident and Threat actor has been leveraging WMI and PsExec capabilities!

  • @prasanthkumar6808
    @prasanthkumar6808 3 года назад +1

    Awesome content

  • @john23232
    @john23232 3 года назад +1

    Thanks for all your videos, I’m really liking them a lot ! :D
    Have you planned to do some video on the methodology for finding evidence of intrusion ?
    It could start with one of those : a. Email containing a malicious file, b. Accessing a malicious URL in the browser, c. After a web server is compromised and a webshell deployed.
    It would be great to see how you start an investigation in those cases. What kind of artifacts do you analyze first ? What assumptions do you take to build from there ? Etc. :-)

    • @13Cubed
      @13Cubed  3 года назад

      Maybe one day. It takes so long to produce these episodes as it is, so until I can streamline my current workflow (or dedicate more time to this) it just doesn't seem feasible.

  • @TheKiller7276
    @TheKiller7276 3 года назад +6

    Another great video, as always. Are there any other good resources for learning WMI forensics? Also, do you like Microsoft flight simulator?

    • @13Cubed
      @13Cubed  3 года назад +2

      SANS has some good free material, but outside of that, I am not aware of any. Regarding MSFS 2020, yes! It's awesome.

  • @paulosilva-dm1qb
    @paulosilva-dm1qb 2 года назад

    Nice presentation. One question. Can´t we just check with Wbemtest?

  • @CatSmiling
    @CatSmiling 3 года назад +1

    nice

  • @1YaHaa
    @1YaHaa 3 года назад +1

    Dope

Следующие
Автовоспроизведение
Let's Talk About Shimcache - The Most Misunderstood Artifact21:51Let's Talk About Shimcache - The Most Misunderstood Artifact
Let's Talk About Shimcache - The Most Misunderstood Artifact13Cubed
Просмотров 13 тыс.
Windows MACB Timestamps (NTFS Forensics)28:09Windows MACB Timestamps (NTFS Forensics)
Windows MACB Timestamps (NTFS Forensics)13Cubed
Просмотров 26 тыс.
Prefetch Deep Dive36:15Prefetch Deep Dive
Prefetch Deep Dive13Cubed
Просмотров 16 тыс.
Longlegs - Movie Review07:08Longlegs - Movie Review
Longlegs - Movie ReviewChris Stuckmann
Просмотров 298 тыс.
My Puzzle Robot is 200x Faster Than a Human21:21My Puzzle Robot is 200x Faster Than a Human
My Puzzle Robot is 200x Faster Than a HumanMark Rober
Просмотров 6 млн
Fanum Makes 3 Classic New York Inspired Sandwiches | GQ15:48Fanum Makes 3 Classic New York Inspired Sandwiches | GQ
Fanum Makes 3 Classic New York Inspired Sandwiches | GQGQ
Просмотров 758 тыс.
Learn This Skill, Win $1,00028:23Learn This Skill, Win $1,000
Learn This Skill, Win $1,000Lachlan
Просмотров 443 тыс.
GUIDs and UUIDs are cool, but this is cooler15:55GUIDs and UUIDs are cool, but this is cooler
GUIDs and UUIDs are cool, but this is coolerNick Chapsas
Просмотров 177 тыс.
Persistence Mechanisms15:39Persistence Mechanisms
Persistence Mechanisms13Cubed
Просмотров 16 тыс.
Detecting PsExec Usage23:16Detecting PsExec Usage
Detecting PsExec Usage13Cubed
Просмотров 10 тыс.
MemProcFS - This Changes Everything17:11MemProcFS - This Changes Everything
MemProcFS - This Changes Everything13Cubed
Просмотров 15 тыс.
How To Game On The Worst Modern GPU...10:04How To Game On The Worst Modern GPU...
How To Game On The Worst Modern GPU...Dawid Does Tech Stuff
Просмотров 135 тыс.
5 Tips to Help You Learn Windows PowerShell18:345 Tips to Help You Learn Windows PowerShell
5 Tips to Help You Learn Windows PowerShellGary Explains
Просмотров 41 тыс.
Is it time to switch? // Docker vs Podman Desktop16:05Is it time to switch? // Docker vs Podman Desktop
Is it time to switch? // Docker vs Podman DesktopChristian Lempa
Просмотров 223 тыс.
Investigating WMI Attacks1:00:43Investigating WMI Attacks
Investigating WMI AttacksSANS Digital Forensics and Incident Response
Просмотров 26 тыс.
😱Самая ДОРОГАЯ мышка от китайцев WLmouse Beast X Max 8K00:37😱Самая ДОРОГАЯ мышка от китайцев WLmouse Beast X Max 8K
😱Самая ДОРОГАЯ мышка от китайцев WLmouse Beast X Max 8KAproxe Tech
Просмотров 19 тыс.
Как сделать так, чтобы в солнечную погоду видеть дисплей телефона?00:14Как сделать так, чтобы в солнечную погоду видеть дисплей телефона?
Как сделать так, чтобы в солнечную погоду видеть дисплей телефона?anasrassia
Просмотров 371 тыс.
🔥 Лютая вещь для геймеров Да и вообще для тех кто проводит время за компом 💻00:20🔥 Лютая вещь для геймеров Да и вообще для тех кто проводит время за компом 💻
🔥 Лютая вещь для геймеров Да и вообще для тех кто проводит время за компом 💻Pochinka_blog
Просмотров 3,7 млн
iPhone 15 Pro в реальной жизни24:07iPhone 15 Pro в реальной жизни
iPhone 15 Pro в реальной жизниHUDAKOV
Просмотров 289 тыс.
OZON РАЗБИЛИ 3 КОМПЬЮТЕРА00:57OZON РАЗБИЛИ 3 КОМПЬЮТЕРА
OZON РАЗБИЛИ 3 КОМПЬЮТЕРАКинг Комп Shorts
Просмотров 1,7 млн
ИГРОВАЯ СБОРКА ПК ЗА 30К ОТ А ДО Я21:13ИГРОВАЯ СБОРКА ПК ЗА 30К ОТ А ДО Я
ИГРОВАЯ СБОРКА ПК ЗА 30К ОТ А ДО ЯMaddy MURK
Просмотров 93 тыс.
Acer Predator Тараканьи Бега!01:00Acer Predator Тараканьи Бега!
Acer Predator Тараканьи Бега!Sergey Delaisy
Просмотров 456 тыс.
Сложный РЕМОНТ ТОПОВОГО Samsung Galaxy S22 ULTRA SM-S908E после залития / НЕ ЛОВИТ СЕТИ20:45Сложный РЕМОНТ ТОПОВОГО Samsung Galaxy S22 ULTRA SM-S908E после залития / НЕ ЛОВИТ СЕТИ
Сложный РЕМОНТ ТОПОВОГО Samsung Galaxy S22 ULTRA SM-S908E после залития / НЕ ЛОВИТ СЕТИnotebook-31
Просмотров 107 тыс.