For offline drive analysis, we cannot directly query CIM classes for obvious reasons.
Data related to WMI is stored in a few locations, provided below:
C:\Windows\System32\wbem\Repository\OBJECTS.DATA - Objects managed by WMI
C:\Windows\System32\wbem\Repository\INDEX.BTR - Index of files imported into OBJECTS.DATA
C:\Windows\System32\wbem\Repository\MAPPING*.MAP - Relates OBJECTS.DATA to INDEX.BTR
Reference: https://netsecninja.github.io/dfir-notes/wmi-forensics/
A mechanism must be developed to, at minimum, extract CommandLine/Script FilterToConsumer Bindings to help assist alerting on suspicious CIM objects.
Multiple tools exist for this, taking slightly different approaches:
Need to research the above and determine what is enough for this use-case - probably the basic regex scan will work 'good enough' for detecting the relevant FilterToConsumer bindings for offline boxes but need to test first.
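To show what the "basic regex scan" floated above looks like in practice, here is an added example (not code from the issue author or from the project this issue belongs to). It does no parsing of INDEX.BTR or MAPPING*.MAP; it only looks for the class names that event-subscription persistence leaves in OBJECTS.DATA, pulls out the printable strings around each hit so an analyst can eyeball the filter query, consumer name and command line, and flags the consumer classes that execute something. It assumes class names sit in the file as plain ASCII bytes and checks a UTF-16LE spelling as a hedge; the sample blob at the bottom is constructed for the demo, not a real repository dump, and `scan_file` takes whatever path the caller copied the file to.

```python
"""Marker scan over a raw OBJECTS.DATA blob (added example, not the issue's
or the project's own code). Implements the 'basic regex scan' idea: no
INDEX.BTR / MAPPING*.MAP parsing, just byte-pattern hits on the WMI
persistence class names plus the printable strings around each hit.
Assumption: class names are stored as ASCII; UTF-16LE is checked as well."""
import re
from pathlib import Path

# Class names worth surfacing from an offline repository copy.
MARKERS = (
    "__FilterToConsumerBinding",
    "__EventFilter",
    "CommandLineEventConsumer",
    "ActiveScriptEventConsumer",
)

# Consumer classes that run a command line or a script when their filter fires.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Runs of 4+ printable bytes, as ASCII or as UTF-16LE (char, NUL pairs).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def _compiled():
    """One compiled pattern per marker and per encoding."""
    out = []
    for name in MARKERS:
        out.append((name, "ascii", re.compile(re.escape(name.encode("ascii")))))
        out.append((name, "utf-16le", re.compile(re.escape(name.encode("utf-16-le")))))
    return out


def _strings_near(blob, start, end, context):
    """Printable strings in both encodings within a window around one hit."""
    window = blob[max(0, start - context): end + context]
    found = [s.decode("ascii") for s in ASCII_RUN.findall(window)]
    found += [s.decode("utf-16-le") for s in UTF16_RUN.findall(window)]
    return found


def scan_objects_data(blob, context=200):
    """Every marker hit with its offset, encoding and nearby strings, by offset."""
    hits = []
    for name, enc, pat in _compiled():
        for m in pat.finditer(blob):
            hits.append({
                "marker": name,
                "encoding": enc,
                "offset": m.start(),
                "strings": _strings_near(blob, m.start(), m.end(), context),
            })
    return sorted(hits, key=lambda h: h["offset"])


def executing_consumer_hits(blob, context=200):
    """The subset an alert would key on: consumers that execute code."""
    return [h for h in scan_objects_data(blob, context)
            if h["marker"] in EXECUTING_CONSUMERS]


def scan_file(path, context=200):
    """Wrapper for a copied OBJECTS.DATA (the path is whatever the caller used)."""
    return scan_objects_data(Path(path).read_bytes(), context)


# Constructed sample blob, not a real repository dump: NUL-separated strings,
# filler bytes, and one binding whose strings are stored as UTF-16LE.
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"__EventFilter\x00Name\x00SampleFilter\x00Query\x00"
    + b"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
    + b"TargetInstance ISA 'Win32_LocalTime'\x00"
    + b"\xff" * 48
    + b"CommandLineEventConsumer\x00Name\x00SampleConsumer\x00CommandLineTemplate\x00"
    + b"cmd.exe /c echo constructed-sample\x00"
    + b"\x00" * 40
    + "__FilterToConsumerBinding".encode("utf-16-le") + b"\x00\x00"
    + "Filter\x00__EventFilter.Name=\"SampleFilter\"".encode("utf-16-le")
    + "\x00Consumer\x00CommandLineEventConsumer.Name=\"SampleConsumer\"".encode("utf-16-le")
)

if __name__ == "__main__":
    for h in scan_objects_data(SAMPLE_BLOB):
        print(f"{h['offset']:#08x} {h['marker']} [{h['encoding']}]")
        for s in h["strings"]:
            print("    ", s)
```

Running the module prints each hit with the strings around it; on the sample the binding hit shows the UTF-16LE `__EventFilter.Name="SampleFilter"` and `CommandLineEventConsumer.Name="SampleConsumer"` references, and `executing_consumer_hits` returns the two CommandLineEventConsumer occurrences. A real triage step would start from `executing_consumer_hits` and then pair each consumer name with the binding and filter strings found nearby.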