Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
ETW - WMI events | Page | ETW events for WMI activity. Tracking process execution is the only way to natively detect lateral movement leveraging WMI. Without "Audit process tracking" enabled to log process creation event 4688 (or a dedicated product tracking process creation, such as Sysmon or an EDR), lateral movement over WMI cannot be reliably investigated. Main events: Channel: Security. Event ID 4688: "A new process has been created", to track WMI process execution (notably wmic.exe and WmiPrvSE.exe). Channel: Microsoft-Windows-WMI-Activity/Operational. Event ID 5860 for temporary WMI event subscription creation. Event ID 5861 for permanent WMI event subscription creation. | Channels: Security. Event: 4688. Microsoft-Windows-WMI-Activity/Operational. Events: 5857, 5858, 5859, 5860, 5861. |
WMI - Event Subscription | Page | WMI event subscriptions can be used to maintain persistence on a Windows system, with permanent event subscriptions persisting across system reboots. A permanent event subscription is composed of: an "event filter" (the event that will trigger the consumer), an "event consumer" (that will perform an action, such as executing a command), and a "filter to consumer binding". Event subscriptions are written to disk in the "OBJECTS.DATA" file, which notably contains the event filters and event consumers. | WMI repository files under `<SYSTEMROOT>\System32\wbem\Repository\`: OBJECTS.DATA, INDEX.BTR, MAPPING<1-3>.MAP |
WMI - Processes | Page | The following processes are related to WMI activity. wmic.exe: client command line utility to interact with WMI (locally or on a remote computer); the PowerShell Invoke-WmiMethod cmdlet can be used as an alternative to wmic. WmiPrvSE.exe: WMI Provider Host program that is executed to run WMI commands; if a program is executed through WMI, it will be spawned as a child of a WmiPrvSE.exe process. | |