The ABCs of WMI - Finding Evil in Plain Sight
To date, WMI is one of the few forensic topics that hasn't been widely covered on this channel. Let's fix that and explore how we can separate legitimate WMI usage from attacker activity. We'll start with a review and cover the basics of this technology. Then we'll spend the rest of the episode looking at how we can enumerate the contents of the WMI database on a live system and on a dead system.
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
📖 Chapters
00:00 - Intro
04:37 - Analyzing WMI with Autoruns for Windows
06:41 - Analyzing WMI with PowerShell
09:48 - Using KAPE to Acquire WMI Artifacts
11:09 - Using PyWMIPersistenceFinder.py
14:16 - Recap
🛠 Resources
Autoruns for Windows:
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
KAPE:
https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape
PyWMIPersistenceFinder.py:
https://github.com/davidpany/WMI_Forensics
MITRE ATT&CK - Windows Management Instrumentation:
https://attack.mitre.org/techniques/T1047/
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Видео The ABCs of WMI - Finding Evil in Plain Sight канала 13Cubed
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
📖 Chapters
00:00 - Intro
04:37 - Analyzing WMI with Autoruns for Windows
06:41 - Analyzing WMI with PowerShell
09:48 - Using KAPE to Acquire WMI Artifacts
11:09 - Using PyWMIPersistenceFinder.py
14:16 - Recap
🛠 Resources
Autoruns for Windows:
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
KAPE:
https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape
PyWMIPersistenceFinder.py:
https://github.com/davidpany/WMI_Forensics
MITRE ATT&CK - Windows Management Instrumentation:
https://attack.mitre.org/techniques/T1047/
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Видео The ABCs of WMI - Finding Evil in Plain Sight канала 13Cubed
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
Getting Started with Plaso and Log2Timeline - Forensic Timeline Creation
Windows WMI: WMI repository, Providers, Infrastructure, namespaces and more
What's In .DS Store for You? - macOS Forensics
CCleaner v5.33 Malware (Supply Chain Attack)
DFIR Home Labs
5 Secret Codes Hidden in Plain Sight
CVEs in Windows Event Logs? What You Need to Know
Introduction to Windows Forensics
How to use WMI Objects with PowerShell - #HowToTuesday
Finding Evil with YARA
Demo 16 - WMI as a Persistence and C2 Mechanism
Geocaching: Finding treasures in plain sight
Linux Memory Forensics - Memory Capture and Analysis
Prefetch Deep Dive
Abusing Windows Management Instrumentation (WMI)![WMI - Windows Management Instrumentation - [#12] PowerShell for IT Professionals](https://i.ytimg.com/vi/_NadlLhLldY/default.jpg)
WMI - Windows Management Instrumentation - [#12] PowerShell for IT Professionals
15 Windows Settings You Should Change Now!
NTFS Journal Forensics
Hashcat for Forensics - How Did They Get In?