Help Required for WMI Forensics

5 Posts
4 Users
0 Reactions
1,428 Views
(@osama-mansoor)
New Member
Joined: 8 years ago
Posts: 1
Topic starter  

Hi,
I am new to forensics.

Can someone please help me regarding WMI forensics?

Like helpful links, or how I should start: tutorials, presentations, or tools with which I can get started.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Can someone please help me regarding WMI forensics?

What do you mean with WMI?

Windows Management Instrumentation?

Mind you that different Windows OS versions may have different WMI objects/data.

Anyway, here are a few links; I believe that most, if not all, related work has been done by FireEye and their researchers/investigators:
https://github.com/davidpany/WMI_Forensics
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Ballenthin-Graeber-Teodorescu-WMI-Attacks-Defense-Forensics.pdf

jaclaz

MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

WMIC.EXE is a useful interface, albeit a bit clunky.

Type WMIC /? in a command shell to get more info.

If you want to programmatically query WMI and create reusable code, you can use .NET:
http://www.i-programmer.info/projects/38-windows/208-disk-drive-dangers.html?start=1

Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 13 years ago
Posts: 259
 

Can someone please help me regarding WMI forensics?

The most interesting thing is gaining persistence via WMI and avoiding detection of backdoors and malware. This might help:
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

WMI persistence is currently used by more advanced attackers, but I am sure we will see more of this persistence mechanism abused in the near future.

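A defender-side check for the permanent WMI event subscriptions that the persistence technique above relies on, added here as an example and not code from the thread or the linked articles. It assumes a live Windows host, administrative rights and the built-in CIM cmdlets; offline images (OBJECTS.DATA) need the tooling linked earlier instead.

```powershell
# Added example (not from the thread): list every filter -> consumer binding in the
# subscription namespace so an examiner can review what triggers what on a live host.
$ns = 'root\subscription'

function Get-RefName {
    # Binding properties are object references. CIM cmdlets resolve them to a CimInstance
    # whose key (Name) is populated; the older WMI cmdlets return a path string such as
    # __EventFilter.Name="x". Handle both forms.
    param($Ref)
    if ($Ref -is [string]) { return ([regex]::Match($Ref, 'Name="([^"]*)"')).Groups[1].Value }
    return $Ref.Name
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class: returns all consumer types
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # What the consumer actually does lives in a class-specific property.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { $null }
    }

    [pscustomobject]@{
        Filter        = $fName
        Query         = $f.Query            # WQL trigger, e.g. a timer or process-start event
        Consumer      = $cName
        ConsumerClass = $c.CimClass.CimClassName
        Payload       = $payload
    }
}

# Baseline: a default Windows install carries only Microsoft's 'SCM Event Log Filter' /
# 'SCM Event Log Consumer' (NTEventLogEventConsumer) pair. Anything else deserves review,
# especially CommandLine/ActiveScript consumers whose payload launches a script or download.
$report | Format-List
```

Run the same enumeration on a known-clean build of the same Windows version first, so that vendor-added subscriptions are not mistaken for malicious ones.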
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

WMIC.EXE is a useful interface, albeit a bit clunky.

Yep :), WMI/WMIC has an "awful" syntax; if you are not familiar with it, a good idea is to start by using the Scriptomatic:
https://gallery.technet.microsoft.com/scriptcenter/Scriptomatic-21-aka-shame-9cdc28b5

Rob van der Woude's site is a treasure trove for using and abusing WMI:
http://www.robvanderwoude.com/wmitools.php
http://www.robvanderwoude.com/wmiexamples.php
including his own WMIGEN:
http://www.robvanderwoude.com/wmigen.php

jaclaz
