The ABCs of WMI - Finding Evil in Plain Sight
To date, WMI is one of the few forensic topics that hasn't been widely covered on this channel. Let's fix that and explore how we can separate legitimate WMI usage from attacker activity. We'll start with a review and cover the basics of this technology. Then we'll spend the rest of the episode looking at how we can enumerate the contents of the WMI database on a live system and on a dead system.
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
📖 Chapters
00:00 - Intro
04:37 - Analyzing WMI with Autoruns for Windows
06:41 - Analyzing WMI with PowerShell
09:48 - Using KAPE to Acquire WMI Artifacts
11:09 - Using PyWMIPersistenceFinder.py
14:16 - Recap
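The "Analyzing WMI with PowerShell" chapter covers the live-system side of the description above: a permanent WMI subscription is made of an __EventFilter (the WQL trigger), an __EventConsumer (what runs) and a __FilterToConsumerBinding that ties the two together, all stored in the root\subscription namespace. The script below is an added example, not code from the 13Cubed video, that joins those three classes so each binding is shown next to its trigger query and its payload. It assumes a Windows host with the CimCmdlets module (PowerShell 3.0 or later) and local administrator rights; the helper name Get-RefName is this example's own.

```powershell
# Added example (not code from the 13Cubed video): list every permanent WMI event
# subscription on a live system by joining the three classes that make one up.
# Assumes Windows with the CimCmdlets module (PowerShell 3.0+) and local administrator rights.
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # abstract base: returns every consumer subclass
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# A binding's Filter/Consumer properties are object references. Get-CimInstance
# returns them as CimInstance objects carrying the key property (Name); Get-WmiObject
# would return path strings such as __EventFilter.Name="BVTFilter". Handle both.
function Get-RefName {
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]+)".*$', '$1') }
    return $Ref.Name
}

$report = foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
    $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }

    # What runs when the filter fires depends on the consumer class:
    # CommandLineEventConsumer carries a command line, ActiveScriptEventConsumer script text.
    $payload = $c.CommandLineTemplate
    if (-not $payload) { $payload = $c.ScriptText }
    if (-not $payload) { $payload = '<no inline payload; inspect consumer class>' }

    [pscustomobject]@{
        Filter       = $f.Name
        Query        = $f.Query                  # the WQL trigger, e.g. a timer or process-start event
        ConsumerType = $c.CimClass.CimClassName
        Consumer     = $c.Name
        Payload      = $payload
    }
}

$report | Format-List
```

Run it in an elevated PowerShell session and review every binding it prints; the same data is what Autoruns shows on its WMI tab, so the two should agree. Many Windows builds ship one default binding, SCM Event Log Filter to SCM Event Log Consumer, and anything beyond that warrants a look at the query and the payload. This only works on a live system, which is why the later chapters collect the WMI repository with KAPE and parse it offline with PyWMIPersistenceFinder.py.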
🛠 Resources
Autoruns for Windows:
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
KAPE:
https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape
PyWMIPersistenceFinder.py:
https://github.com/davidpany/WMI_Forensics
MITRE ATT&CK - Windows Management Instrumentation:
https://attack.mitre.org/techniques/T1047/
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Video: The ABCs of WMI - Finding Evil in Plain Sight, from the 13Cubed channel