DOCSLIB.ORG

WMI Events in MOM

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
WMI Events in MOM Brian Wren Systems Management UNLOCKING THE MYSTERY OF WMI EVENTS IN MOM Microsoft Operations Manager (MOM) is a great tool for keeping an eye on your environment, but it can sometimes be tricky to monitor a particular activity. If the activity can be watched through the Windows event log or a counter in Performance Monitor, then it is relatively easy to create a corresponding To monitor WMI events in MOM, a WMI rule in MOM. If the activity cannot be monitored through one of these means, however, event provider is created to collect the ap- then a custom script is often needed. Such a script will typically be written to sample a propriate events generated on the monitored particular resource on a predefined schedule and generate an alert upon detecting that computer. An event processing rule uses this the defined activity occurred. provider to generate a MOM alert. For example, an application may rely on a Windows process that is not a Windows ser- vice. If this process ends unexpectedly, there likely wouldn’t be an event written to the Understanding WMI Windows event log or any other applica- In order to monitor WMI events in • Understanding the workings of WMI tion log. The only way to determine if this MOM, a basic understanding of WMI is re- • MOM classes for event notification process is still running is to execute a script quired. WMI is the Microsoft implementa- • Writing scripts to manipulate on a periodic basis to ensure that it is still tion of Web-Based Enterprise Management WMI objects healthy. Rather than writing a custom script (WBEM) as defined by the Distributed • Sample event queries to sample a resource periodically, you can Management Task Force (DMTF). It is take advantage of Windows Management the primary management technology for Brian Wren is a Principal Consultant with Microsoft Consulting AT A GLANCEAT Services in Southern California. In addition to architecting and de- Instrumentation (WMI) events. Virtually Windows operating systems, permitting ploying a variety of solutions for customers, he writes and speaks every interesting activity in Windows gen- management of a variety of computing regularly on management technologies. He can be reached at erates a WMI event, and MOM includes a resources using a common language and [email protected]. provider for monitoring all of them. common interfaces. You can write scripts 42 To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine with the WMI Scripting Library in order to inspect and modify computer resources Figure 1 Sample WMI Classes represented by WMI classes. Before you do, Class Description however, there are a number of WMI con- cepts that you should know. Win32_Process Processes running on a Windows computer Common Information Model (CIM) Win32_ComputerSystem A computer running a Windows operating system Repository The CIM repository is the WMI CIM_DataFile A file stored on a disk schema that stores the class definitions that MSFT_Alert An alert in MOM model WMI-managed resources. The re- pository holds the information required to Instance An instance is a unique occurrence __InstanceDelectionEvent, and __Instance- work with live resources in the computing of a particular class. For example, each service ModificationEvent. (Notice the double un- environment. It does not contain actual installed on a computer running Windows derscore characters at the beginning of each data about these resources since this data is is an instance of the Win32_Service class. name.) Extrinsic events are used to moni- dynamically retrieved as required. It is this The C: drive is an instance of the Win32_ tor resources that are not represented by schema that allows the wide variety of dif- LogicalDrive class. Figure 3 shows sample a WMI class. There is no common set of ferent resources to be uniformly managed. properties of one instance of the Win32_ extrinsic events, and individual ones must Namespaces CIM classes are organised service class. be implemented for a particular resource into namespaces. Each namespace in the WMI Events Just as each resource is identi- using them. CIM repository contains a logical group of fied by a WMI class, each type of WMI event The most common extrinsic events that related classes representing a specific tech- is represented by a class. When an event oc- would be used in MOM are for monitoring nology or area of management. Any time a curs, an instance of the corresponding WMI the registry. The registry must use extrin- connection is made to WMI, a namespace event class is created. The two types of WMI sic events since there is no WMI class for must be specified. Only the classes contained event classes that are used by MOM are in- individual registry settings (the intrinsic within this namespace may be accessed by trinsic and extrinsic. (Note that there is also events associated with the Win32_registry the connection. an event class type of Timer that is rarely class represent the registry as a whole). The The most important namespace for used. This type is not relevant to MOM so registry-related extrinsic events are Registry- Windows management is root\cimv2. It I won’t discuss it here.) KeyChangeEvent, RegistryTreeChangeEvent, contains the classes with the Win32_ pre- Intrinsic events are used to monitor re- and RegistryValueChangeEvent, and are lo- fix representing various components of the sources that have a WMI class. Each time an cated in the root\default namespace. Windows operating system and hosting instance of any such class is created, modi- Other applications may implement ex- computer. Examples include Win32_Process fied or deleted, an intrinsic event is gen- trinsic events that may be monitored. It is (running processes in Windows), Win32_ erated within the class’s namespace. The their responsibility to provide the names LogicalDisk (Windows logical disk drives), most common intrinsic event classes used and other information for these events. The and Win32_ComputerSystem (the computer in MOM are __InstanceCreationEvent, Application Center 2000 Management Pack, hosting Windows). This namespace also in- cludes the CIM_DataFile class which can be used to monitor files and folders. Two oth- Figure 2 Sample Properties of Win32_Service Class er important namespaces are root\default, Property Description which contains registry events, and root\ Name Unique name of the service MOM, which contains classes for accessing DisplayName Displayed name of the service MOM from external processes. PathName The command-line path that was executed to start the service Class Every resource that can be managed StartMode Startup type of the service (Auto, Manual, or Disabled) by WMI is defined by a class. A class is a template for each type of resource and de- State Current state of the service (Running, Stopping or Stopped) fines the properties that will be collected for that resource. Examples of common WMI Figure 3 Sample Properties of a Win32_Service Instance classes are shown in Figure 1. Property A property is a unique piece of in- Property Description formation about an instance. All instances Name Winmgmt of a class will have the same set of proper- DisplayName Windows Management Instrumentation ties although the values of each instance’s PathName C:\WINDOWS\system32\svchost.exe -k netsvcs properties may differ. Some Properties StartMode Auto of the Win32_Service class are shown in State Running Figure 2. TechNet Magazine October 2006 43 Systems Management namespace you will be using anyway. The namespace can be changed later by typing a new one into the textbox in the top left- hand corner of the UI. By default, you will be connecting to the local machine, but you may specify another computer by clicking on the computer button. Fortunately, WMI lets you connect to a remote repository as easily as to a local one. CIM Studio looks daunting when first started, and it does pro- vide a complete set of services for working with WMI, but for the purposes of this ar- ticle you won’t have to worry about most of that complexity. The simplest method of locating a class Figure 4 Class Search in CIM Studio is to search the repository. This is done by clicking on the binoculars button next to for example, has a number of WMI Event While all of these tools are useful, all the the namespace textbox (the result is shown Providers using these events. required functionality for the purposes of in Figure 4). This example returns a set of this article can be achieved with CIM Studio, classes that include the word “process” in WMI Tools which is designed to work with classes de- their name, including the class I’m inter- Tools for working with WMI include CIM fined in the CIM Repository. The first step ested in: Win32_Process. Selecting this Studio and Object Browser, which may be in using WMI events in MOM is determin- class will cause it to be displayed in the tree used to inspect the WMI repository and ing the class corresponding to the resource in the left pane. The details of the class will determine the appropriate class and related of interest, and CIM Studio may be used appear in the right pane (see Figure 5). The properties to monitor. The toolset, found for this purpose. most important information is the list of at go.microsoft.com/fwlink/?LinkId=70207 also in- When CIM Studio is started, you are re- properties. The property names may be cludes the WMI Event Viewer and WMI quired to connect to a namespace. This will used for specifying criteria in WMI notifi- Event Registration Editor. default to root\cimv2, which is typically the cation queries. In addition to the structure of the class, CIM Studio can display the instances of the class with their values for each proper- ty.
Load more

Recommended publications
  • Offensive-WMI
    OFFENSIVE WMI Tim Medin [email protected] redsiege.com/wmi TIM MEDIN Red Siege - Principal IANS Faculty Consultant , Founder Formerly SANS ▸ CounterHack – NetWars, ▸ Principal Instructor Penetration Testing, CyberCity ▸ Co-author 460 Vulnerability Assessment ▸ FishNet (Optiv) – Sr Penetration Tester ▸ Instructor 560 Network Penetration Testing ▸ Financial Institution – Sr Technical Analyst – Security ▸ Instructor 660 Advanced Pen Testing, Exploit Dev ▸ Network Admin, Control Systems Engineer, Robots ▸ MSISE (Master of Engineering) Program Director WTH IS WMI WINDOWS MANAGEMENT INSTRUMENTATION “Infrastructure for management data and operations on Windows-based operating systems” ▸Common data formats – Common Information Model (CIM) ▸Common access methods Allows for management and monitoring the guts of Windows systems ▸Local ▸Remote First included in Windows 2000 WMIC is the command line interface ATTACK USAGE Not for initial access, but for many things after Requires credentials or existing access Used for ▸Recon ▸Lateral Movement ▸Situational Awareness ▸Persistence ▸PrivEsc ▸C&C QUERYING WITH WMI(C) “The WMI Query Language (WQL) is a subset of standard American National Standards Institute Structured Query Language (ANSI SQL) with minor semantic changes to support WMI.” The syntax will make you hate being born! GRAMMAR https://www.sans.org/security-resources/sec560/windows_command_line_sheet_v1.pdf RECONNAISSANCE & SITUATIONAL AWARENESS Get local user accounts with net user Get domain user accounts with net user /domain Both wmic useraccount
    [Show full text]
  • Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor Matt Graeber
    Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor Matt Graeber Black Hat 2015 Introduction As technology is introduced and subsequently deprecated over time in the Windows operating system, one powerful technology that has remained consistent since Windows NT 4.01 and Windows 952 is Windows Management Instrumentation (WMI). Present on all Windows operating systems, WMI is comprised of a powerful set of tools used to manage Windows systems both locally and remotely. While it has been well known and utilized heavily by system administrators since its inception, WMI was likely introduced to the mainstream security community when it was discovered that it was used maliciously as one component in the suite of exploits and implants used by Stuxnet3. Since then, WMI has been gaining popularity amongst attackers for its ability to perform system reconnaissance, AV and VM detection, code execution, lateral movement, persistence, and data theft. As attackers increasingly utilize WMI, it is important for defenders, incident responders, and forensic analysts to have knowledge of WMI and to know how they can wield it to their advantage. This whitepaper will introduce the reader to WMI, actual and proof-of-concept attacks using WMI, how WMI can be used as a rudimentary intrusion detection system (IDS), and how to perform forensics on the WMI repository file format. WMI Architecture 1 https://web.archive.org/web/20050115045451/http://www.microsoft.com/downloads/details.aspx?FamilyID=c17 4cfb1-ef67-471d-9277-4c2b1014a31e&displaylang=en 2 https://web.archive.org/web/20051106010729/http://www.microsoft.com/downloads/details.aspx?FamilyId=98A 4C5BA-337B-4E92-8C18-A63847760EA5&displaylang=en 3 http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM)4 and Common Information Model (CIM)5 standards published by the Distributed Management Task Force (DMTF)6.
    [Show full text]
  • [MS-WSMV-Diff]: Web Services Management Protocol Extensions for Windows Vista
    [MS-WSMV-Diff]: Web Services Management Protocol Extensions for Windows Vista Intellectual Property Rights Notice for Open Specifications Documentation ▪ Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions. ▪ Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation. ▪ No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. ▪ Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected].
    [Show full text]
  • CIM Query Language Specification
    Document Number: DSP0202 Date: 2007-08-13 Version: 1.0.0 CIM Query Language Specification Document Type: Specification Document Status: Final Document Language: E CIM Query Language Specification DSP0202 Copyright notice Copyright © 2007 Distributed Management Task Force, Inc. (DMTF). All rights reserved. DMTF is a not-for-profit association of industry members dedicated to promoting enterprise and systems management and interoperability. Members and non-members may reproduce DMTF specifications and documents for uses consistent with this purpose, provided that correct attribution is given. As DMTF specifications may be revised from time to time, the particular version and release date should always be noted. Implementation of certain elements of this standard or proposed standard may be subject to third party patent rights, including provisional patent rights (herein "patent rights"). DMTF makes no representations to users of the standard as to the existence of such rights, and is not responsible to recognize, disclose, or identify any or all such third party patent right, owners or claimants, nor for any incomplete or inaccurate identification or disclosure of such rights, owners or claimants. DMTF shall have no liability to any party, in any manner or circumstance, under any legal theory whatsoever, for failure to recognize, disclose, or identify any such third party patent rights, or for such party’s reliance on the standard or incorporation thereof in its product, protocols or testing procedures. DMTF shall have no liability to any party implementing such standard, whether such implementation is foreseeable or not, nor to any patent owner or claimant, and shall have no liability or responsibility for costs or losses incurred if a standard is withdrawn or modified after publication, and shall be indemnified and held harmless by any party implementing the standard from any and all claims of infringement by a patent owner for such implementations.
    [Show full text]
  • Windows Management Instrumentation (WMI) Offense, Defense, and Forensics
    WHITE PAPER WINDOWS MANAGEMENT INSTRUMENTATION (WMI) OFFENSE, DEFENSE, AND FORENSICS William Ballenthin, Matt Graeber, Claudiu Teodorescu FireEye Labs Advanced Reverse Engineering (FLARE) Team, FireEye, Inc. SECURITY REIMAGINED Windows Management Instrumentation William Ballenthin, Matt Graeber, Claudiu Teodorescu FireEye Labs Advanced Reverse Engineering (FLARE) Team, (WMI) Offense, Defense, and Forensics FireEye, Inc. CONTENTS Introduction 2 Revision History 6 WMI Architecture 7 WMI Classes and Namespaces 8 Querying WMI 10 Instance Queries 10 Event Queries 11 Meta Queries 12 Interacting with WMI 13 PowerShell 13 wmic.exe 13 wbemtest.exe 14 WMI Explorer 15 CIM Studio 16 Windows Script Host (WSH) languages 16 C/C++ via IWbem* COM API 17 .NET System.Management classes 17 winrm.exe 17 wmic and wmis-pth for Linux 17 Remote WMI 17 Distributed Component Object Model (DCOM) 18 Windows Remote Management (WinRM) 18 WMI Eventing 19 Eventing Requirements 19 Event Filters 20 Intrinsic Events 20 Extrinsic Events 21 Event Consumers 21 Malicious WMI Persistence Example 22 WMI Attacks 23 Reconnaissance 23 Anti-Virus/VM Detection 23 2 Windows Management Instrumentation William Ballenthin, Matt Graeber, Claudiu Teodorescu FireEye Labs Advanced Reverse Engineering (FLARE) Team, (WMI) Offense, Defense, and Forensics FireEye, Inc. Code Execution and Lateral Movement 26 Win32_Process Create Method 26 Event consumers 27 Covert Data Storage 28 WMI as a C2 Channel 28 “Push” Attack 29 “Pull” Attack 30 WMI Providers 31 Malicious WMI Providers 32 WMI Defense 32
    [Show full text]
  • Sccm-2012-What-Is-New-In-Os-Deployment
    APPENDIX B IN THIS APPENDIX ▶ General Resources Reference URLs ▶ Microsoft’s Configuration Manager Resources ▶ Other Configuration Manager Resources ▶ Blogs T his appendix includes a number of reference URLs associ- ▶ Public Forums ated with System Center 2012 R2 Configuration Manager ▶ Utilities (ConfigMgr). URLs do change: Although the authors have made every effort to verify the references here as working links, there is no guarantee they will remain current. It is quite possible some will change or be “dead” by the time you read this book. Sometimes the Wayback Machine ( https://www.archive.org/ ) can rescue you from dead or broken links. The Wayback Machine site is an Internet archive, and it takes you back to an archived version of a site...sometimes. These links are also available “live” at Pearson’s InformIT website, at http://www.informit.com/store/system-center- 2012-r2-configuration-manager-unleashed-9780672337154 , under the Downloads tab. Look for Appendix B , “Reference URLs.” General Resources A number of websites provide excellent resources for Configuration Manager. This section lists some of the more general resources available: ▶ http://www.myITforum.com is a community of world- wide Information Technology (IT) professionals and a website established in 1999 by Rod Trent. myITforum includes topics on System Center and IT. The list of blogs and other ConfigMgr-related articles at myITforum.com is enormous. This appendix includes some specific links and pertinent informa- tion, but it does not include everything. 316 APPENDIX B Reference URLs ▶ The Windows IT Pro forums are now at http://myITforum.com/forums. ▶ A great source of information is for all things System Center related, including Configuration Manager, is System Center Central, at http://www.systemcentercentral.com .
    [Show full text]
  • SNMP Vs. WBEM
    http://www.wbem.co.uk SNMP vs. WBEM The Future of Systems Management Over the last few months, I’ve been involved with system architects debating the pros and cons of SNMP and WBEM. Through these discussions and my personal experience, I’ve decided to write up my thoughts. The bottom line of this discussion is to explain why I think WBEM is a far superior systems management technology and how it addresses the short comings of SNMP. It should also highlight the major reasons why a rich systems management specification was needed in order to fill the void in present and future complex and large scale systems management environments. Let’s start by examining the abbreviations of SNMP (Simple Network Management Protocol) and WBEM (Web-Based Enterprise Management)… Simple This is one of the reasons why WBEM came about. SNMP can model simple management environments. When SNMP was initially established, it was used to manage routers and other network related equipment. These types of hardware didn’t require a complex management environment. In addition, the processing power of the hardware (usually) limited the scope of what it was able to run and so the management solution had to be lightweight. SNMP fitted perfectly. Routers (and the like) didn’t require a rich management interface and it was also lightweight enough to run in the embedded software. Now, the horizon is very different! Systems are more complex than routers (and network related hardware) and their management interface has stretched far beyond the simple nature of SNMP. Hardware now runs on much more powerful processors with more memory which in turn means the software that runs on them is capable of much more functionality.
    [Show full text]
  • Dell™ Openmanage™ Client Instrumentation Version 7.6 User's
    Dell™ OpenManage™ Client Instrumentation Version 7.6 User’s Guide www.dell.com | support.dell.com Notes and Notices NOTE: A NOTE indicates important information that helps you make better use of your computer. NOTICE: A NOTICE indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. ____________________ Information in this document is subject to change without notice. © 2008 Dell Inc. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Trademarks used in this text: Dell, the DELL logo, OpenManage, Latitude, OptiPlex, and Dell Precision are trademarks of Dell Inc.; Intel is a trademark of Intel Corporation in the U.S. and other countries; Altiris is a registered trademark of Altiris Inc.; Microsoft, Windows, and Windows Vista are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own. June 2008 Contents 1 Introduction . 7 CIM Overview . 7 WMI Overview . 8 Data Sources Used by OMCI. 8 OMCI Architecture . 9 Features . 11 CIM 2.6 Schema Support . 11 Dell LegacySelect 2.0 Support . 11 Remote Boot Device Select . 12 WMI Security . 12 Event Reporting . 12 Remote Shutdown . 13 Remote Wake-Up Configurability. 13 WfM Version 2.0 Compliance. 13 What's New . 13 Supported Operating Systems .
    [Show full text]
  • WMI Query Language Via Powershell
    WMI Query Language via PowerShell Ravikanth Chaganti Explore basics of WMI Query Language, different types of WMI queries, and learn how PowerShell can be used to retrieve WMI management information using WQL. Table of Contents Introduction .................................................................................................................................................. 5 Introducing WMI Query Language ............................................................................................................ 5 WMI Query Types ..................................................................................................................................... 6 Data Queries ......................................................................................................................................... 6 Event Queries ........................................................................................................................................ 6 Schema Queries .................................................................................................................................... 7 WQL Keywords .......................................................................................................................................... 7 WQL Operators ......................................................................................................................................... 8 Tools for the job .........................................................................................................................................
    [Show full text]
  • Microsoft System Center Configuration Manager Field Experience Ebook
    Microsoft System Center Configuration Manager Field Experience Rushi Faldu n Manish Raval n Brandon Linton n Kaushal Pandey Mitch Tulloch, Series Editor Visit us today at microsoftpressstore.com • Hundreds of titles available – Books, eBooks, and online resources from industry experts • Free U.S. shipping • eBooks in multiple formats – Read on your computer, tablet, mobile device, or e-reader • Print & eBook Best Value Packs • eBook Deal of the Week – Save up to 60% on featured titles • Newsletter and special offers – Be the first to hear about new releases, specials, and more • Register your book – Get additional benefits Hear about it first. Get the latest news from Microsoft Press sent to your inbox. • New and upcoming books • Special offers • Free eBooks • How-to articles Sign up today at MicrosoftPressStore.com/Newsletters Free ebooks From technical overviews to drilldowns on special topics, get free ebooks from Microsoft Press at: www.microsoftvirtualacademy.com/ebooks Download your free ebooks in PDF, EPUB, and/or Mobi for Kindle formats. Look for other great resources at Microsoft Virtual Academy, where you can learn new skills and help advance your career with free Microsoft training delivered by experts. Microsoft Press Wait, there’s more... Find more great content and resources in the Microsoft Press Guided Tours app. The Microsoft Press Guided Tours app provides insightful tours by Microsoft Press authors of new and evolving Microsoft technologies. • Share text, code, illustrations, videos, and links with peers and friends • Create and manage highlights and notes • View resources and download code samples • Tag resources as favorites or to read later • Watch explanatory videos • Copy complete code listings and scripts Download from Windows Store PUBLISHED BY Microsoft Press A Division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2013 by Microsoft Corporation (All) All rights reserved.
    [Show full text]
  • [MS-WMI]: Windows Management Instrumentation Remote Protocol
    [MS-WMI]: Windows Management Instrumentation Remote Protocol Intellectual Property Rights Notice for Open Specifications Documentation . Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions. Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation. No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected].
    [Show full text]
  • Understanding WMI Malware
    Understanding WMI Malware Trend Micro, Incorporated Julius Dizon, Lennard Galang, and Marvin Cruz A Trend Micro Research Paper I July 2010 Understanding WMI Malware CONTENTS INTRODUCTION ...............................................................................................................................3 WHAT IS WMI? .................................................................................................................................4 WMI NAMESPACE: root\subscription ..........................................................................................5 WMI System Classes .....................................................................................................................5 __EvEntConsumEr.................................................................................................................................... 6 __EvEntFiltEr.......................................................................................................................................... 8 __FiltErtoConsumErBinding.................................................................................................................... 9 __timErinstruCtion.................................................................................................................................. 9 PUTTING THE PUZZLE PIECES TOGETHER: MALWARE ROUTINES ....................................... 11 TROJ_WMIGHOST.A WMI Class Instances and Correlation...................................................... 11 filemonitor_consumer ................................................................................................................
    [Show full text]