WBEM
Overview
Evidence: WBEM
Description: Collect WBEM Files
Category: System
Platform: windows
Short Name: wbem
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows Management Instrumentation (WMI) uses the WBEM (Web-Based Enterprise Management) repository to store WMI class definitions, instances, and configuration. The repository and associated logs can contain evidence of WMI usage, persistence, and system management activities.
The WBEM repository has been abused by attackers for persistence and reconnaissance, making these files valuable for forensic analysis.
Data Collected
This collector gathers the WBEM repository files and records the following metadata for each collected item.
WBEM Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | WBEM |
| Type | Artifact type | Folder |
| SourcePath | Original folder path | C:\Windows\System32\wbem\Repository |
| Path | Relative path in evidence | Other/Repository |
Collection Method
This collector collects the following WBEM-related directories:
- Windows\System32\wbem\Repository - WMI repository
- Windows\System32\wbem\Logs - WMI log files
- Windows\System32\wbem\AutoRecover - Auto-recovery MOFs
Forensic Value
WBEM files can reveal WMI persistence mechanisms and system management activity. Investigators use this data to detect WMI-based persistence, analyze WMI repository modifications, track system management activities, and investigate WMI abuse by attackers.
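As an added example of how an investigator can triage the collected Repository folder offline (this is illustrative code, not part of the collector or its product), the script below scans OBJECTS.DATA for the class names that make up a permanent WMI event subscription, the structure most commonly used for WMI-based persistence. It searches for both ASCII and UTF-16LE encodings, reports the byte offset of each hit with printable context, and runs on a small constructed blob standing in for a real repository file; the `scan_repository` helper and the `Other/Repository` layout are assumptions.

```python
"""Triage a collected WBEM repository (OBJECTS.DATA) for WMI event
subscription artifacts. Added example, not the collector's own code."""
from __future__ import annotations
import re
from pathlib import Path

# Class names that make up a permanent WMI event subscription.
SUBSCRIPTION_CLASSES = (
    "__EventFilter",
    "__FilterToConsumerBinding",
    "CommandLineEventConsumer",
    "ActiveScriptEventConsumer",
)

def _context(data: bytes, start: int, end: int, enc: str, width: int = 64) -> str:
    """Decode the bytes around a match and keep only printable characters."""
    lo, hi = max(0, start - width), min(len(data), end + width)
    if enc == "utf-16-le" and (start - lo) % 2:
        lo += 1  # keep 2-byte alignment relative to the matched string
    text = data[lo:hi].decode(enc, errors="ignore")
    return "".join(ch if ch.isprintable() else "." for ch in text)

def find_subscription_artifacts(data: bytes) -> list[dict]:
    """Return every occurrence of a subscription class name, either encoding."""
    hits = []
    for name in SUBSCRIPTION_CLASSES:
        for enc in ("ascii", "utf-16-le"):
            for m in re.finditer(re.escape(name.encode(enc)), data):
                hits.append({"class": name, "encoding": enc, "offset": m.start(),
                             "context": _context(data, m.start(), m.end(), enc)})
    return sorted(hits, key=lambda h: h["offset"])

def scan_repository(repo_dir: str) -> list[dict]:
    """Scan OBJECTS.DATA inside a collected Repository folder (assumed layout)."""
    return find_subscription_artifacts((Path(repo_dir) / "OBJECTS.DATA").read_bytes())

# Constructed sample, not a real repository: binary padding around a UTF-16LE
# consumer record followed by an ASCII filter class name.
SAMPLE = (b"\x00\x01\x02" * 8
          + "CommandLineEventConsumer".encode("utf-16-le") + b"\x00\x00"
          + "Name=ExampleConsumer;CommandLineTemplate=cmd.exe /c example".encode("utf-16-le")
          + b"\xff" * 6 + b"__EventFilter" + b"\x00" * 4)

if __name__ == "__main__":
    for hit in find_subscription_artifacts(SAMPLE):
        print(f"{hit['offset']:#08x} {hit['encoding']:9} {hit['class']:26} {hit['context']}")
```

On real evidence, point `scan_repository` at the collected `Other/Repository` folder and review each hit's context for the consumer command line or script body.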