Skip to content
/ wmi-parser Public

Parses the WMI object database....looking for persistence

31 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

woanware/wmi-parser

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
source
source
 
 
readme.md
readme.md
 
 
readme.pdf
readme.pdf
 
 

Repository files navigation

wmi-parser

TLDR

There is nothing new here! It is just a rewrite of @DavidPany excellent work into WMI parsing. The original pythin code can be found here:

https://github.com/davidpany/WMI_Forensics

Background

I need WMI parsing for autorunner, so converted the original python code to C#, and thought it might as well be available as a standalone tool. The only added feature is CSV export

Example

.\wmi-parser.exe -i .\OBJECTS.DATA

wmi-parser v0.0.1

Author: Mark Woan / woanware (markwoan@gmail.com)
https://github.com/woanware/wmi-parser

  SCM Event Log Consumer-SCM Event Log Filter - (Common binding based on consumer and filter names,  possibly legitimate)
    Consumer: NTEventLogEventConsumer ~ SCM Event Log Consumer ~ sid ~ Service Control Manager

    Filter:
      Filter Name : SCM Event Log Filter
      Filter Query: select * from MSFT_SCMEventLogEvent

  BadStuff-DeviceDocked

    Name: BadStuff
    Type: CommandLineEventConsumer
    Arguments: powershell.exe -NoP Start-Process ('badstuff.exe')

    Filter:
      Filter Name : DeviceDocked
      Filter Query: SELECT * FROM Win32_SystemConfigurationChangeEvent

About

Parses the WMI object database....looking for persistence

Resources

Readme
Activity

Stars

31 stars

Watchers

5 watching

Forks

8 forks
Report repository

Releases 2

v0.0.2 Latest
Dec 7, 2018
+ 1 release

Packages

No packages published

Languages