Parse WMI Repository OBJECTS.DATA

[joeavanzato]

For offline drive analysis, we cannot directly query CIM classes for obvious reasons.

Data related to WMI is stored in a few locations, provided below;
C:\Windows\System32\wbem\Repository\OBJECTS.DATA - Objects managed by WMI
C:\Windows\System32\wbem\Repository\INDEX.BTR - Index of files imported into OBJECTS.DATA
C:\Windows\System32\wbem\Repository\MAPPING*.MAP - Related OBJECTS.DATA with INDEX.BTR

Reference: https://netsecninja.github.io/dfir-notes/wmi-forensics/

A mechanism must be developed to, at minimum, extract CommandLine/Script FilterToConsumer Bindings to help assist alerting on suspicious CIM objects.

Multiple tools exist for this, taking slightly different approaches;

• https://github.com/woanware/wmi-parser - C# using Regex to scan lines for relevant strings
• https://github.com/davidpany/WMI_Forensics/blob/master/PyWMIPersistenceFinder.py - Python, original version of above.
• https://github.com/mandiant/flare-wmi - Multiple tools from Mandiant for parsing the entire WMI structure

Need to research the above and determine what is enough for this use-case - probably the basic regex scan will work 'good enough' for detecting the relevant FilterToConsumer bindings for offline boxes but need to test first.