Basics of Tracking WMI Activity
Tags
| attack-pattern: | Data Model Powershell - T1059.001 Powershell - T1086 Windows Management Instrumentation - T1047 |
Common Information
| Type | Value |
|---|---|
| UUID | f6e50104-5fcf-4e0b-91fe-7a36400909c3 |
| Fingerprint | f3de364fa4f44c00 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | Oct. 14, 2017, midnight |
| Added to db | Jan. 18, 2023, 11:07 p.m. |
| Last updated | Nov. 17, 2024, 11:40 p.m. |
| Headline | Shell is Only the Beginning |
| Title | Basics of Tracking WMI Activity |
| Detected Hints/Tags/Attributes | 34/1/50 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 64 | go.microsoft.com |
|
| Details | Domain | 1 | wmiprov.events |
|
| Details | Domain | 73 | schemas.microsoft.com |
|
| Details | Domain | 219 | gist.github.com |
|
| Details | Domain | 4128 | github.com |
|
| Details | Domain | 201 | msdn.microsoft.com |
|
| Details | Domain | 1 | event.sourceeventargs.newevent.targetinstance.name |
|
| Details | File | 1 | c:\windows\system32\wbem\winmgmtr.dll |
|
| Details | File | 1 | events.asp |
|
| Details | File | 1 | winmgmtr.dll |
|
| Details | File | 1 | wmiprov.log |
|
| Details | File | 41 | system.obj |
|
| Details | File | 7 | _.log |
|
| Details | File | 1 | link.log |
|
| Details | File | 1 | %systemroot%\system32\wbem\wbemcons.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\wmipiprt.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\wmiprov.dll |
|
| Details | File | 1 | c:\windows\system32\wbem\krnlprov.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\wmipcima.dll |
|
| Details | File | 1 | c:\windows\system32\wbem\wmiperfclass.dll |
|
| Details | File | 1 | %systemroot%\system32\tscfgwmi.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\cimwin32.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\vdswmi.dll |
|
| Details | File | 1 | %systemroot%\system32\sppwmi.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\wmipicmp.dll |
|
| Details | File | 1 | %systemroot%\system32\win32_deviceguard.dll |
|
| Details | File | 2 | %systemroot%\system32\powerwmiprovider.dll |
|
| Details | File | 1 | %systemroot%\system32\storagewmi.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\stdprov.dll |
|
| Details | File | 1 | %systemroot%\system32\profprov.dll |
|
| Details | File | 1 | c:\windows\system32\wbem\wmiperfinst.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\dmwmibridgeprov.dll |
|
| Details | File | 1 | c:\windows\syswow64\wbem\wmiperfclass.dll |
|
| Details | File | 1 | %systemroot%\system32\smbwmiv2.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\wmiprvsd.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\scrcons.exe |
|
| Details | File | 1 | %systemroot%\system32\wbem\vsswmi.dll |
|
| Details | File | 1 | deploymentprovider.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\mgmtprovider.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\ntevt.dll |
|
| Details | File | 1 | %systemroot%\system32\wbem\dnsserverpsprovider.dll |
|
| Details | File | 1 | %windir%\system32\wbem\servercompprov.dll |
|
| Details | File | 1 | newevent.tar |
|
| Details | Github username | 4 | subtee |
|
| Details | Github username | 4 | jaredcatkinson |
|
| Details | Url | 1 | https://go.microsoft.com/fwlink/events.asp?coname=microsoft |
|
| Details | Url | 1 | http://schemas.microsoft.com/win/2004/08/events |
|
| Details | Url | 1 | https://gist.github.com/subtee/c6bd1401504f9d4d52a0 |
|
| Details | Url | 1 | https://github.com/jaredcatkinson/evilnetconnectionwmiprovider |
|
| Details | Url | 1 | https://msdn.microsoft.com/en-us/library/aa394559(v=vs.85).aspx |