WMI

File Location:

  • C:\Windows\System32\wbem\Repository

    • OBJECTS.DATA

    • WMI Persistence goldmine log

Network Connections:

Ports:

  • TCP 135

  • HTTP 5985

  • HTTPS 5986

Audit Logs:

On by default in Windows 2012R2/8.1+

Microsoft-Windows-WMI-Activity/Operational

  • Event ID 5857: Indicates the time of wmiprvse.exe execution and the path to the provider DLL. Attackers sometimes install malicious WMI provider DLLs.

  • Event ID 5858: Operation_ClientFailure

  • Event ID 5859: Operation_EssStarted

  • Event ID 5860: Registration of a temporary Event Consumer.

  • Event ID 5861: Registration of a permanent Event Consumer. Typically used for persistence, but can be used for remote execution.

WMI Persistence:

Remote WMIC Evidence:

### Command Used ###
> wmic /USER:pekora /node:shuba process call create "cmd.exe"

WMI-Activity Event ID 5857 shows WmiPrvSE.exe starting up.

Security Event ID 4624 shows SYSTEM authenticating with Service logon (type 5) right when WmiPrvSE.exe executed.

Another Event ID 4624 is seen authenticating with Logon Type 3, seconds before the WMI execution.

Scroll down a bit further in that 4624 event to get the Source IP and Source Port. The random (ephemeral) source port is consistent with WMI/RPC usage.

Enable WMI-Trace logging to see WMI cmd/queries from remote machines.

> wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true
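As an added example (my own script, not part of the original notes): a PowerShell hunt that ties the artefacts above together on a local host, listing permanent subscriptions from root\subscription (what 5861 records at creation time) and pairing each 5857 provider load with the 4624 logons recorded in the seconds before it. It assumes local admin rights, PowerShell 3+, and the Operational log enabled; $Days and $Window are assumed tuning values.

```powershell
# Added example, not from the original page: assumes admin rights on the host and
# the WMI-Activity/Operational log enabled. $Days and $Window are my own knobs.
$Days = 7; $Window = 10

# 1. Permanent subscriptions (what Event ID 5861 records at creation time):
#    resolve every binding to its filter query and consumer payload.
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
    $b = $_
    $f = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
         Where-Object { $_.Name -eq $b.Filter.Name }
    $c = Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
         Where-Object { $_.Name -eq $b.Consumer.Name }
    [pscustomobject]@{
        Filter   = $f.Query
        Consumer = $c.CimClass.CimClassName
        # CommandLineEventConsumer / ActiveScriptEventConsumer carry the payload
        Payload  = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    }
} | Format-List

# 2. Each 5857 provider load paired with the 4624 logons (type 3 network,
#    type 5 service) that landed in the $Window seconds before WmiPrvSE.exe ran.
$loads = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
    Id        = 5857
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

foreach ($ev in $loads) {
    $logons = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624
        StartTime = $ev.TimeCreated.AddSeconds(-$Window); EndTime = $ev.TimeCreated
    } -ErrorAction SilentlyContinue
    foreach ($l in $logons) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table
        $d = @{}
        ([xml]$l.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.LogonType -notin '3', '5') { continue }
        [pscustomobject]@{
            ProviderLoad = $ev.TimeCreated
            Provider     = $ev.Message          # includes the provider DLL path
            Logon        = $l.TimeCreated
            LogonType    = $d.LogonType
            Account      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source       = "$($d.IpAddress):$($d.IpPort)"   # ephemeral port hints RPC
        }
    }
}
```

Any binding whose consumer payload launches cmd.exe, powershell.exe or a script from a user-writable path deserves a closer look, as does a 5857 preceded by a type 3 logon from an unexpected source address.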
