WMI

File Location:

• C:\Windows\System32\wbem\Repository

  • OBJECTS.DATA

  • WMI Persistence goldmine log

Forensics on WMI PersistenceBen's IR Notes

Network Connections:

Ports:

• TCP 135

• HTTP 5985

• HTTPS 5986

Audit Logs:

On by default in Windows 2012R2/8.1+

Microsoft-Windows-WMI-Activity/Operational

• 5857: Indicates time of wmiprvse.exe execution and path to provider DLL. Attackers sometimes install malicious WMI provider DLLs

• Event ID 5858: Operation_ClientFailure

• Event ID 5859: Operation_EssStarted

• 5860: Registration of temporary Event Consumer.

• 5861: Registration of permanent Event Consumer. Typically used for persistence, but can be used for remote execution.

WMI Persistence:

Remote WMIC Evidence:

###Command Used####
> wmic /USER:pekora /node:shuba process call create "cmd.exe"

WMI -Activity Event ID 5857 shows WmiPrvSE.exe starting up.

Application > Microsoft > Windows> WMI-Activity > Operational

Security Event ID 4624 shows SYSTEM authenticating with Service logon type 5 right when WmiPrvSE.exe executed.

Security

Event ID 4624 is also seen authenticating with Logon Type 3, seconds before WMI execution.

Security

Scroll down a bit more to get Source IP and Source Port. The random port could indicate WMI/RPC usage.

Security

Enable WMI-Trace logging to see WMI cmd/queries from remote machines.

> wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true

InfoSec Handlers Diary Blog - SANS Internet Storm CenterSANS Internet Storm Center

Ref