search

WMI

hashtag
File Location:

  • C:\Windows\System32\wbem\Repository

    • OBJECTS.DATA

    • WMI Persistence goldmine log

LogoForensics on WMI PersistenceBen's IR Noteschevron-right

hashtag
Network Connections:

Ports:

  • TCP 135

  • HTTP 5985

  • HTTPS 5986

hashtag
Audit Logs:

On by default in Windows 2012R2/8.1+

  • 5857: Indicates time of wmiprvse.exe execution and path to provider DLL. Attackers sometimes install malicious WMI provider DLLs

  • Event ID 5858: Operation_ClientFailure

  • Event ID 5859: Operation_EssStarted

  • 5860: Registration of temporary Event Consumer.

  • 5861: Registration of permanent Event Consumer. Typically used for persistence, but can be used for remote execution.

hashtag
WMI Persistence:

hashtag
Remote WMIC Evidence:

WMI -Activity Event ID 5857 shows WmiPrvSE.exe starting up.

Application > Microsoft > Windows> WMI-Activity > Operational

Security Event ID 4624 shows SYSTEM authenticating with Service logon type 5 right when WmiPrvSE.exe executed.

Security

Event ID 4624 is also seen authenticating with Logon Type 3, seconds before WMI execution.

Security

Scroll down a bit more to get Source IP and Source Port. The random port could indicate WMI/RPC usage.

Security

Enable WMI-Trace logging to see WMI cmd/queries from remote machines.

LogoKeep an Eye on Your WMI Logs - SANS Internet Storm CenterSANS Internet Storm Centerchevron-right
Ref
Previous1024 RDP ClientActiveX is trying to connectNextDNS Logs

Last updated