Trawler
Parse WMI Repository OBJECTS.DATA
For offline drive analysis, we cannot directly query CIM classes for obvious reasons (the WMI service of the imaged system is not running), so the repository files have to be parsed on disk.
Data related to WMI is stored in a few locations, provided below:
- C:\Windows\System32\wbem\Repository\OBJECTS.DATA - Objects managed by WMI (class definitions and instances, including event subscriptions)
- C:\Windows\System32\wbem\Repository\INDEX.BTR - Index of the objects stored in OBJECTS.DATA
- C:\Windows\System32\wbem\Repository\MAPPING*.MAP - Page mapping that relates logical pages in OBJECTS.DATA and INDEX.BTR to their physical location in the files
Reference: https://netsecninja.github.io/dfir-notes/wmi-forensics/
A mechanism must be developed to, at minimum, extract __FilterToConsumerBinding instances (and the __EventFilter and CommandLineEventConsumer / ActiveScriptEventConsumer objects they reference) from OBJECTS.DATA, to support alerting on suspicious CIM objects. A permanent subscription needs all three objects, so the binding is the natural pivot: it names both the filter and the consumer.
Multiple tools exist for this, taking slightly different approaches:
- https://github.com/woanware/wmi-parser - C# using Regex to scan lines for relevant strings
- https://github.com/davidpany/WMI_Forensics/blob/master/PyWMIPersistenceFinder.py - Python; the original that the C# port above is based on
- https://github.com/mandiant/flare-wmi - Multiple tools from Mandiant for parsing the entire WMI structure
Need to research the above and determine what is enough for this use-case. The basic regex scan will probably be 'good enough' for detecting the relevant FilterToConsumer bindings on offline boxes, since class names and string property values sit in OBJECTS.DATA as plain NUL-delimited text, but it needs testing first. Two known limitations of string carving to keep in mind: it cannot distinguish a live object from a deleted one still present in unallocated space of the file, and it will also surface the subscriptions Windows ships by default (for example the SCM Event Log Filter / SCM Event Log Consumer pair in root\subscription), which need to be allow-listed rather than alerted on.
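The string-carving approach described above, written out as an added example (this is not Trawler code and not taken from either of the linked parsers): it carves printable-ASCII runs out of OBJECTS.DATA, pivots on every __FilterToConsumerBinding record to recover the consumer and filter object paths, then looks up the matching __EventFilter and consumer instance records to pull the WQL query and the consumer's string properties (CommandLineTemplate, ScriptText, and so on). The record layout, the window size and the sample blob are assumptions constructed for the example; real records carry binary headers and non-string properties that the carver simply skips over.

```python
"""Offline scan of a WMI repository OBJECTS.DATA for permanent event subscriptions.

Added example, not part of Trawler or of the tools referenced above. It carves
NUL-delimited ASCII strings (class names and string property values are stored
that way) and never touches INDEX.BTR or MAPPING*.MAP, so it also sees records
in slack space, and it cannot tell a deleted subscription from a live one.
"""
import re
import sys
from dataclasses import dataclass, field

# Consumer classes shipped with Windows that can run attacker-supplied content.
CONSUMER_CLASSES = (
    "CommandLineEventConsumer",
    "ActiveScriptEventConsumer",
    "LogFileEventConsumer",
    "NTEventLogEventConsumer",
    "SMTPEventConsumer",
)
# Class-name strings that start a record of interest; a window stops at the next one.
RECORD_MARKERS = CONSUMER_CLASSES + ("__EventFilter", "__FilterToConsumerBinding")

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")  # printable-ASCII runs, as the carving tools do
CONSUMER_PATH_RE = re.compile(r'(?P<cls>\w+EventConsumer)\.Name="(?P<name>[^"]+)"')
FILTER_PATH_RE = re.compile(r'__EventFilter\.Name="(?P<name>[^"]+)"')
WINDOW = 16  # assumption: upper bound on carved strings belonging to one record


@dataclass
class Subscription:
    consumer_class: str
    consumer_name: str
    filter_name: str
    filter_query: str = ""
    consumer_strings: list = field(default_factory=list)


def carve_strings(blob: bytes) -> list:
    """Every printable-ASCII run of 4+ bytes, in file order."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def record_window(strings, start):
    """Strings after the marker at strings[start], up to WINDOW or the next record marker."""
    out = []
    for s in strings[start + 1:start + 1 + WINDOW]:
        if s in RECORD_MARKERS:
            break
        out.append(s)
    return out


def find_bindings(strings):
    """Each __FilterToConsumerBinding record names its consumer and filter by object path."""
    found = []
    for i, s in enumerate(strings):
        if s != "__FilterToConsumerBinding":
            continue
        consumer = filt = None
        for w in record_window(strings, i):
            m = CONSUMER_PATH_RE.search(w)
            if m and consumer is None:
                consumer = (m["cls"], m["name"])
            m = FILTER_PATH_RE.search(w)
            if m and filt is None:
                filt = m["name"]
        if consumer and filt:
            found.append(Subscription(consumer[0], consumer[1], filt))
    return found


def instance_windows(strings, class_name, instance_name):
    """Windows after a class_name marker that contain instance_name (skips class-definition records)."""
    for i, s in enumerate(strings):
        if s == class_name:
            w = record_window(strings, i)
            if instance_name in w:
                yield [x for x in w if x != instance_name]


def scan_objects_data(blob: bytes) -> list:
    strings = carve_strings(blob)
    subs = find_bindings(strings)
    for sub in subs:
        for w in instance_windows(strings, "__EventFilter", sub.filter_name):
            sub.filter_query = next((x for x in w if re.match(r"(?i)select\s", x)), sub.filter_query)
        for w in instance_windows(strings, sub.consumer_class, sub.consumer_name):
            sub.consumer_strings.extend(w)  # CommandLineTemplate, ScriptText, ScriptingEngine, ...
    return subs


def _rec(*fields):
    """Constructed stand-in for an OBJECTS.DATA record: junk header, then NUL-terminated ASCII values."""
    return b"\x00\x00\x80\x05\x01" + b"".join(f.encode() + b"\x00" for f in fields) + b"\x00\x00"


# Constructed sample blob; the string content mirrors a real CommandLineEventConsumer subscription.
SAMPLE_OBJECTS_DATA = (
    _rec("CommandLineEventConsumer", "CommandLineTemplate", "ExecutablePath")  # class definition, no instance
    + _rec("__EventFilter", "WQL", "BotFilter", "root\\cimv2",
           'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA '
           '"Win32_PerfFormattedData_PerfOS_System"')
    + _rec("CommandLineEventConsumer", "BotConsumer", "powershell.exe -nop -w hidden -enc SQBFAFgA")
    + _rec("__FilterToConsumerBinding",
           '\\\\.\\root\\subscription:CommandLineEventConsumer.Name="BotConsumer"',
           '__EventFilter.Name="BotFilter"')
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_OBJECTS_DATA
    for sub in scan_objects_data(blob):
        print(f"{sub.consumer_class} {sub.consumer_name!r} <- filter {sub.filter_name!r}")
        print(f"  query : {sub.filter_query}")
        for s in sub.consumer_strings:
            print(f"  string: {s}")
```

Run it as `python scan.py OBJECTS.DATA` against a copy of the file from the image; with no argument it scans the constructed sample. The class-definition record in the sample is there deliberately: the class name string occurs once per class definition as well as once per instance, so matching on the instance name inside the window is what keeps definitions out of the results. Bindings whose consumer or filter record cannot be found still come back with an empty query or string list rather than being dropped, because a binding with a missing filter is itself worth a look.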