Hi,
I am new to forensics.
Can someone please help me regarding WMI forensics?
Like helpful links, or how I should start: tutorials, presentations, or tools with which I can get started.
Can someone please help me regarding WMI forensics?
What do you mean with WMI?
Windows Management Instrumentation?
Mind you that different Windows OS versions may have different WMI objects/data.
Anyway, here are a few links; I believe that most, if not all, related work has been done by FireEye and their researchers/investigators.
https://
https://
https://
jaclaz
WMIC.EXE is a useful interface, albeit a bit clunky.
Type WMIC /? in a command shell to get more info.
If you want to programmatically query WMI and create reusable code, you can use .NET.
Can someone please help me regarding WMI forensics?
The most interesting thing is gaining persistence via WMI and avoiding detection of backdoors and malware. This might help:
https://
WMI persistence is currently used by more advanced attackers, but I am sure we will see more of this persistence mechanism abused in the near future.
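As an added example (not from this post or from any of the linked sources), a PowerShell snippet that enumerates the permanent WMI event subscriptions an investigator reviews when checking a host for the persistence mechanism described above; it assumes PowerShell 3 or later (for Get-CimInstance) and, for offline triage, the default location of the WMI repository.

```powershell
# Added example: list permanent WMI event subscriptions (filter + consumer + binding)
# in root/subscription, the namespace where WMI persistence lives. Assumes PS 3+.

function Get-WmiSubscription {
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        # Under the CIM cmdlets the Filter/Consumer reference properties resolve to
        # CimInstance objects, so the referenced instance's Name is available directly.
        $fName = $b.Filter.Name
        $cName = $b.Consumer.Name
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName

        # CommandLineEventConsumer runs a program; ActiveScriptEventConsumer runs script text.
        $action = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }

        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query          # the WQL event that triggers the consumer
            ConsumerType = $c.CimClass.CimClassName
            Consumer     = $cName
            Action       = $action
            # "SCM Event Log Consumer"/"SCM Event Log Filter" is present by default on Windows;
            # anything else deserves a closer look.
            IsDefault    = ($cName -eq 'SCM Event Log Consumer')
        }
    }
}

function Get-WmiRepositoryInfo {
    # For offline triage: the repository file that stores these objects on disk.
    # Assumes the default path; pass a mounted image path to -Root for a dead-box exam.
    param([string]$Root = $env:SystemRoot)
    $path = Join-Path $Root 'System32\wbem\Repository\OBJECTS.DATA'
    if (Test-Path $path) {
        Get-Item $path | Select-Object FullName, Length, LastWriteTime
    }
}

Get-WmiSubscription | Format-List
Get-WmiRepositoryInfo
```

Run it elevated so that every consumer class is readable; on a live host, review any row where IsDefault is False.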
WMIC.EXE is a useful interface, albeit a bit clunky.
Yep ), WMI/WMIC has an "awful" syntax; if you are not familiar with it, a good idea is to start by using the Scriptomatic
https://
Rob van der Woude's site is a treasure trove for using and abusing WMI
http//
http//
including his own WMIGEN
http//
jaclaz