WBEM Info
Overview
Evidence: WBEM Info
Description: ESXi WBEM Info
Category: System
Platform: esxi
Short Name: wbeminfo
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Web-Based Enterprise Management (WBEM) on ESXi is provided by the SFCB CIM broker (sfcbd), which exposes Common Information Model (CIM) classes for hardware health monitoring and management to remote clients over HTTPS (TCP 5989 by default), alongside the WS-Management service (openwsmand). Because the interface accepts authenticated remote requests and, unless it is set read-only, method invocations that change state, its configuration determines who can reach the host's hardware-management surface and how well that path is protected. A misconfiguration or a deliberate change by an intruder can widen that surface: enabling the service where it is not needed, permitting plaintext HTTP, moving it to a non-standard port, or leaving legacy TLS versions and weak ciphers in use.
Data Collected
This collector gathers the structured WBEM service configuration of the host as one record with the fields below.
WBEM Info Data
| Field | Description | Example |
|---|---|---|
| Enabled | Whether the WBEM/CIM service (sfcbd) is enabled | true |
| WSManagementService | Whether the WS-Management service (openwsmand) is enabled | true |
| EnableHTTPS | Whether the CIM server accepts connections over HTTPS | true |
| AuthorizationModel | Client authentication model for the CIM server (`password` or `certificate`) | password |
| Port | TCP port the CIM server listens on (5989 by default) | 5989 |
| HTTPProcs | Number of HTTP worker processes | 123 |
| HTTPSProcs | Number of HTTPS worker processes | 123 |
| ProviderProcs | Maximum number of provider processes | 123 |
| KeepaliveTimeout | Seconds an idle keep-alive connection is held open | 123 |
| KeepaliveMaxRequests | Maximum requests served on one keep-alive connection | 123 |
| ProviderSampleInterval | Seconds between provider health samples | 123 |
| ProviderTimeoutInterval | Seconds before an unresponsive provider is timed out | 123 |
| HTTPMaxContentLength | Maximum accepted HTTP request body, in bytes | 123 |
| MaxMessageLength | Maximum accepted CIM message length, in bytes | 123 |
| ThreadStackSize | Stack size of worker threads, in bytes | 123 |
| ProviderResourcePoolOverride | Resource pool override applied to provider processes, if any | Example value |
| SSLCipherList | OpenSSL cipher list string the CIM server offers | Example value |
| ThreadpoolSize | Size of the request worker thread pool | 123 |
| Readonly | Whether the CIM server rejects state-changing (write) operations | false |
| LogLevel | Log verbosity of the CIM server (e.g. `error`, `warning`, `info`, `debug`) | warning |
| ServiceLocationProtocolPID | Process ID of the SLP daemon (slpd) | 123 |
| WSManagementPID | Process ID of the WS-Management daemon (openwsmand) | 123 |
| CIMObjectManagerPID | Process ID of the CIM object manager (sfcbd) | 123 |
| EnabledSSLProtocols | SSL/TLS protocol versions configured for the WBEM service | Example value |
| EnabledSystemSSLProtocols | SSL/TLS protocol versions allowed by the host-wide setting | Example value |
| EnabledRunningSSLProtocols | SSL/TLS protocol versions actually in effect for the running service | Example value |
Collection Method
This collector parses the host's WBEM service configuration (the same settings reported by `esxcli system wbem get`; the field names above are those labels with spaces removed) into one record: service and WS-Management enablement, listening port and HTTPS setting, the authorization model, configured, system-wide and running SSL/TLS protocol versions and the cipher list, read-only mode, process and thread limits, and the PIDs of the CIM, WS-Management and SLP daemons.
Forensic Value
WBEM configuration analysis shows how much remote hardware-management surface a host exposes and whether it has been weakened. Indicators worth checking: the service enabled on hosts where no hardware-monitoring agent is deployed; `EnableHTTPS` false, so CIM traffic and credentials can pass in plaintext; a `Port` other than 5989, which can hide the listener from port-based inventory; `EnabledRunningSSLProtocols` still including SSLv3, TLS 1.0 or TLS 1.1, or a cipher list that admits weak suites; an `AuthorizationModel` that differs from the site standard; and `Readonly` false where only monitoring is expected. Comparing the record against a known-good baseline or the host's configuration-management state detects unauthorized modifications, and a daemon PID present while the service is disabled (or absent while enabled) is an inconsistency that should be explained. Unexpected WBEM access or configuration changes warrant investigation.
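As an added example (not the collector's own code), the following parser turns the `Key: value` listing described under Collection Method into the field set above and then applies the checks listed under Forensic Value. The sample listing is constructed to resemble `esxcli system wbem get` output; its values, PIDs and cipher string are invented, and the baseline comparison assumes a previously captured record of the same shape.

```python
"""Parse ESXi WBEM configuration into the collector's field names and assess it.

Added example, not part of the page or the collector. Assumption: the input is the
"Key: value" listing of `esxcli system wbem get`; the sample below is constructed.
"""
import re

DEFAULT_PORT = 5989
LEGACY_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}

# Constructed sample: invented values in the esxcli layout, not a real capture.
SAMPLE_WBEM_OUTPUT = """\
   Authorization Model: password
   CIM Object Manager PID: 2104123
   Enable HTTPS: true
   Enabled: true
   Enabled Running SSL Protocols: tlsv1,tlsv1.1,tlsv1.2
   Enabled SSL Protocols: tlsv1,tlsv1.1,tlsv1.2
   Enabled System SSL Protocols: tlsv1.2
   HTTP Max Content Length: 20000000
   HTTP Procs: 4
   HTTPS Procs: 4
   Keepalive Max Requests: 10
   Keepalive Timeout: 10
   Log Level: warning
   Max Message Length: 100000000
   Port: 5989
   Provider Procs: 32
   Provider Resource Pool Override:
   Provider Sample Interval: 30
   Provider Timeout Interval: 30
   Readonly: false
   SSL Cipher List: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
   Service Location Protocol PID: 2104001
   Thread Stack Size: 1048576
   Threadpool Size: 5
   WS Management PID: 2104102
   WS Management Service: true
"""

# Key runs up to the first colon (lazy), so cipher strings with colons stay intact.
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ]*?):\s*(?P<value>.*?)\s*$")


def _coerce(value):
    """Turn true/false into bool and integer strings into int; keep the rest as text."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_wbem_info(text):
    """Return {FieldName: value}; field names are the esxcli labels with spaces removed."""
    record = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            record[m.group("key").replace(" ", "")] = _coerce(m.group("value"))
    return record


def protocols(value):
    """Split a comma-separated protocol list into a lower-cased set."""
    return {p.strip().lower() for p in str(value).split(",") if p.strip()}


def assess(record):
    """Apply the forensic checks from the page; returns finding tags in a fixed order."""
    findings = []
    if record.get("Enabled"):
        findings.append("wbem-enabled")
        if not record.get("EnableHTTPS", True):
            findings.append("cim-over-plaintext-http")
        if record.get("Port") not in (None, DEFAULT_PORT):
            findings.append(f"non-default-port:{record['Port']}")
        legacy = protocols(record.get("EnabledRunningSSLProtocols", "")) & LEGACY_PROTOCOLS
        if legacy:
            findings.append("legacy-tls:" + ",".join(sorted(legacy)))
        if record.get("AuthorizationModel") != "password":
            findings.append(f"auth-model:{record.get('AuthorizationModel')}")
        if record.get("Readonly") is False:
            findings.append("write-operations-allowed")
    elif record.get("CIMObjectManagerPID", 0):
        # Assumption: a non-zero PID while Enabled is false means sfcbd is up despite config.
        findings.append("cimom-running-while-disabled")
    return findings


def diff_against_baseline(current, baseline):
    """Fields whose value differs from a known-good capture: {field: (baseline, current)}."""
    return {k: (baseline.get(k), current.get(k))
            for k in sorted(set(current) | set(baseline))
            if current.get(k) != baseline.get(k)}


if __name__ == "__main__":
    rec = parse_wbem_info(SAMPLE_WBEM_OUTPUT)
    print(assess(rec))
    good = dict(rec, EnabledRunningSSLProtocols="tlsv1.2")
    print(diff_against_baseline(rec, good))
```

Run against the constructed sample, `assess` reports the enabled service, the legacy TLS versions still running and the writable CIM server; the baseline diff isolates the one field that drifted. Feeding a real `esxcli system wbem get` capture or the collector's parsed record in place of the sample exercises the same checks.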