/usr/share/artifacts/wmi.yaml is in forensic-artifacts 20161022-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# WMI specific artifacts.
name: WMIAccountUsersDomain
doc: |
  Fill out user AD domain information based on username.

  We expect this artifact to be collected with WindowsRegistryProfiles
  to supply the rest of the user information. This artifact optimizes retrieval
  of user information by limiting the WMI query to users for which we have
  a username. Specifically this solves the issue that in a domain setting,
  querying for all users via WMI will return the list of all local and domain
  accounts, which means a large data transfer from an Active Directory server.

  This artifact relies on having the users.username field populated in the
  knowledge base. Unfortunately, even limiting by username this query can be
  slow, and this artifact runs it once for each user present on the system.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'}
labels: [Users]
provides: [users.userdomain]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx']
---
name: WMIComputerSystemProduct
doc: Computer System Product, including the identifying number, queried from WMI.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_ComputerSystemProduct}
labels: [System]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/aa394105(v=vs.85).aspx']
---
name: WMIDrivers
doc: Installed drivers via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: 'SELECT DisplayName, Description, InstallDate, Name, PathName, Status,
                       State, ServiceType from Win32_SystemDriver'}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMIEnumerateASEC
doc: Enumerate instances of ActiveScriptEventConsumer.
sources:
- type: WMI
  attributes: {query: SELECT * FROM ActiveScriptEventConsumer, base_object: 'winmgmts:\root\subscription'}
supported_os: [Windows]
---
name: WMIEnumerateCLEC
doc: Enumerate instances of CommandLineEventConsumer.
sources:
- type: WMI
  attributes: {query: SELECT * FROM CommandLineEventConsumer, base_object: 'winmgmts:\root\subscription'}
supported_os: [Windows]
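WMIEnumerateASEC and WMIEnumerateCLEC return the event consumers only. A consumer is inert until a __FilterToConsumerBinding in the same root\subscription namespace ties it to an __EventFilter, so a triage of these two artifacts' output usually also wants the filter (what triggers the payload) and the binding (which consumer it fires). The following is an added example in Python, not code from the forensic-artifacts project or GRR: it joins constructed sample rows of the three classes into filter-to-consumer chains, reports bindings whose filter or consumer no longer exists, reports consumers nothing binds to, and lists consumer classes the two artifacts on this page would not return. The record contents, the "UpdaterFilter" subscription and the encoded PowerShell command are constructed for illustration; the SCM Event Log entries mirror the default Windows subscription but are likewise typed in here, not collected.

```python
"""Reconstruct WMI event-subscription chains from collected root\\subscription records.

Added example, not code from the forensic-artifacts project. The ASEC/CLEC
artifacts above return consumers only; __EventFilter (the trigger) and
__FilterToConsumerBinding (the link) are assumed to have been collected from the
same namespace. All rows below are constructed sample data.
"""
import re

# The two consumer classes the artifacts on this page enumerate.
COVERED_CONSUMER_CLASSES = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}

# Constructed: rows as a collector would return them (trimmed to relevant properties).
FILTERS = [
    {"Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent",
     "EventNamespace": "root\\cimv2"},
    {"Name": "UpdaterFilter",
     "Query": ("SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
               "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND "
               "TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"),
     "EventNamespace": "root\\cimv2"},
]
CONSUMERS = [
    # Default Windows consumer; neither artifact on this page returns this class.
    {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    # What WMIEnumerateCLEC returns (constructed payload: UTF-16LE "IEX ..." base64).
    {"__CLASS": "CommandLineEventConsumer", "Name": "UpdaterConsumer",
     "CommandLineTemplate": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAuAC4ALgA="},
    # What WMIEnumerateASEC returns; no binding points at it any more.
    {"__CLASS": "ActiveScriptEventConsumer", "Name": "StaleScript",
     "ScriptingEngine": "VBScript",
     "ScriptText": "CreateObject(\"WScript.Shell\").Run \"calc.exe\""},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    # Full object paths with namespace prefix, as some collectors return them.
    {"Filter": '\\\\.\\root\\subscription:__EventFilter.Name="UpdaterFilter"',
     "Consumer": '\\\\.\\root\\subscription:CommandLineEventConsumer.Name="UpdaterConsumer"'},
    # Dangling: the consumer it names was deleted but the binding was left behind.
    {"Filter": '__EventFilter.Name="UpdaterFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="Removed"'},
]

PATH_RE = re.compile(r'(\w+)\.Name="([^"]*)"')


def parse_path(path):
    """Return (class, Name) from a relative or full WMI object path."""
    m = PATH_RE.search(path)
    if m is None:
        raise ValueError("unrecognised object path: %r" % (path,))
    return m.group(1), m.group(2)


def payload_of(consumer):
    """What actually executes when the consumer fires (empty for other classes)."""
    return consumer.get("CommandLineTemplate") or consumer.get("ScriptText") or ""


def build_chains(filters, consumers, bindings):
    """Join each binding to its filter and consumer.

    Returns (chains, dangling_bindings, unbound_consumers). A dangling binding
    names a filter or consumer that is missing; an unbound consumer has no
    binding and therefore never fires, but still marks prior activity.
    """
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    chains, dangling, bound = [], [], set()
    for b in bindings:
        _, filter_name = parse_path(b["Filter"])
        consumer_key = parse_path(b["Consumer"])
        f, c = by_filter.get(filter_name), by_consumer.get(consumer_key)
        if f is None or c is None:
            dangling.append(b)
            continue
        bound.add(consumer_key)
        chains.append({"filter": filter_name, "trigger": f["Query"],
                       "consumer_class": consumer_key[0], "consumer": consumer_key[1],
                       "payload": payload_of(c)})
    unbound = [c for key, c in by_consumer.items() if key not in bound]
    return chains, dangling, unbound


def not_covered_by_page_artifacts(consumers):
    """Names of consumers the ASEC/CLEC artifacts would miss."""
    return [c["Name"] for c in consumers if c["__CLASS"] not in COVERED_CONSUMER_CLASSES]


if __name__ == "__main__":
    chains, dangling, unbound = build_chains(FILTERS, CONSUMERS, BINDINGS)
    for ch in chains:
        print("%s -> %s (%s): %s" % (ch["filter"], ch["consumer"],
                                     ch["consumer_class"], ch["payload"]))
    print("dangling bindings:", len(dangling))
    print("unbound consumers:", [c["Name"] for c in unbound])
    print("not covered by ASEC/CLEC:", not_covered_by_page_artifacts(CONSUMERS))
```

Two checks fall out of the join that the consumer listing alone cannot give: a binding whose counterpart is missing points at incomplete cleanup, and a consumer with no binding is dormant but was installed at some point. Adding a WMI source for __EventConsumer rather than the two concrete classes would also pick up the other consumer classes (LogFileEventConsumer, NTEventLogEventConsumer, SMTPEventConsumer), which the page's two artifacts do not.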
---
name: WMIHotFixes
doc: Installed hotfixes via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: SELECT * from Win32_QuickFixEngineering}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMIInstalledSoftware
doc: Installed software via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: 'SELECT Name, Vendor, Description, InstallDate, InstallDate2, Version
                       from Win32_Product'}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMILastBootupTime
doc: Last system boot time (UTC) retrieved from WMI.
sources:
- type: WMI
  attributes: {query: SELECT LastBootUpTime FROM Win32_OperatingSystem}
labels: [System]
supported_os: [Windows]
urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa394239(v=vs.85).aspx']
---
name: WMILogicalDisks
doc: Disk information via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_LogicalDisk}
labels: [System]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/aa394173(v=vs.85).aspx']
---
name: WMILoggedOnSessions
doc: Logon sessions queried from WMI.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_LogonSession}
supported_os: [Windows]
---
name: WMILoggedOnUsers
doc: Logged on users queried from WMI.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_LoggedonUser}
supported_os: [Windows]
---
name: WMILoginUsers
doc: |
  Login Users via Windows Management Instrumentation (WMI).

  This WMI query may take a long time to complete when run on a domain and
  will create load on a domain controller.
sources:
- type: WMI
  attributes: {query: SELECT * from Win32_GroupUser where Name = "login_users"}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMIPhysicalMemory
doc: Physical memory information via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: SELECT * from Win32_PhysicalMemory}
conditions: [os_major_version >= 6]
labels: [System]
supported_os: [Windows]
urls: ["http://msdn.microsoft.com/en-us/library/aa394347%28v=vs.85%29.aspx"]
---
name: WMIProcessList
doc: Process listing via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: SELECT * from Win32_Process}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMIProfileUsersHomeDir
doc: |
  Get user homedir from Win32_UserProfile based on a known user's SID.

  This artifact relies on having the SID field users.sid populated in the
  knowledge base. We expect it to be collected with WindowsRegistryProfiles to
  supply the rest of the user information.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'}
labels: [Users]
provides: [users.homedir]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx']
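WMIProfileUsersHomeDir and WMIAccountUsersDomain (earlier on this page) are the two artifacts that both consume knowledge-base fields (%%users.sid%%, %%users.username%%) and write one back (users.homedir, users.userdomain). The mechanics are the same for both: expand the query once per user that has the needed field, run each expanded query, and store the answer on that user's record. The following is an added example in Python, not code from the forensic-artifacts project or GRR, showing that loop end to end. It assumes that Win32_UserAccount.Domain is what feeds users.userdomain and Win32_UserProfile.LocalPath what feeds users.homedir (the "wmi_property" key is the example's own, not part of the artifact schema), uses a constructed knowledge base and a constructed stand-in for the WMI connection, and assumes WQL's backslash escaping for quote characters inside a string literal so that a username such as o'brien does not break or alter the generated query.

```python
"""Expand %%users.X%% variables into per-user WQL queries and merge the results.

Added example, not code from the forensic-artifacts project or GRR. The two
artifact dicts below are the Python form of the YAML on this page (only the
fields this example uses); the knowledge base and the WMI responder are
constructed sample data.
"""
import copy
import re

ARTIFACTS = {
    "WMIAccountUsersDomain": {
        "query": "SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'",
        "provides": "users.userdomain",
        # Example's own field (assumption): which WMI property feeds 'provides'.
        "wmi_property": "Domain",
    },
    "WMIProfileUsersHomeDir": {
        "query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'",
        "provides": "users.homedir",
        "wmi_property": "LocalPath",
    },
}

# Constructed knowledge base: what WindowsRegistryProfiles would have filled in.
KNOWLEDGE_BASE = {
    "users": [
        {"username": "alice", "sid": "S-1-5-21-1111-2222-3333-1001"},
        {"username": "o'brien", "sid": "S-1-5-21-1111-2222-3333-1002"},  # quote in name
        {"sid": "S-1-5-18"},  # SID known from the registry, no username yet
    ]
}

VAR_RE = re.compile(r"%%users\.(\w+)%%")


def wql_escape(value):
    """Escape a value for a single-quoted WQL string literal.

    Assumption: backslash is the WQL escape character for quotes and backslashes.
    Without this a username containing a quote would change the query's meaning.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def expand_queries(query, users):
    """Return [(user_record, concrete_query)] with one entry per user that has
    every knowledge-base field the query references; others are skipped rather
    than emitting a query with an unexpanded %%...%% token."""
    fields = VAR_RE.findall(query)
    expanded = []
    for user in users:
        if not all(field in user for field in fields):
            continue
        concrete = VAR_RE.sub(lambda m: wql_escape(user[m.group(1)]), query)
        expanded.append((user, concrete))
    return expanded


# Constructed stand-in for a WMI connection: exact query string -> rows.
FAKE_WMI = {
    "SELECT * FROM Win32_UserAccount WHERE name='alice'":
        [{"Name": "alice", "Domain": "CORP"}],
    "SELECT * FROM Win32_UserAccount WHERE name='o\\'brien'":
        [{"Name": "o'brien", "Domain": "CORP"}],
    "SELECT * FROM Win32_UserProfile WHERE SID='S-1-5-21-1111-2222-3333-1001'":
        [{"SID": "S-1-5-21-1111-2222-3333-1001", "LocalPath": "C:\\Users\\alice"}],
    "SELECT * FROM Win32_UserProfile WHERE SID='S-1-5-21-1111-2222-3333-1002'":
        [{"SID": "S-1-5-21-1111-2222-3333-1002", "LocalPath": "C:\\Users\\o'brien"}],
    "SELECT * FROM Win32_UserProfile WHERE SID='S-1-5-18'":
        [{"SID": "S-1-5-18",
          "LocalPath": "C:\\Windows\\system32\\config\\systemprofile"}],
}


def fake_run_query(query):
    return FAKE_WMI.get(query, [])


def collect(artifact_name, knowledge_base, run_query=fake_run_query):
    """Run the artifact once per eligible user and write the 'provides' field
    onto that user's record. Returns the number of queries issued, which is
    what the 'runs it for each user' caveat in the artifact doc is about."""
    art = ARTIFACTS[artifact_name]
    kb_field = art["provides"].split(".", 1)[1]  # 'users.homedir' -> 'homedir'
    per_user = expand_queries(art["query"], knowledge_base["users"])
    for user, query in per_user:
        for row in run_query(query):
            user[kb_field] = row[art["wmi_property"]]
    return len(per_user)


def demo():
    """Collect both artifacts against a copy of the constructed knowledge base."""
    kb = copy.deepcopy(KNOWLEDGE_BASE)
    issued = {name: collect(name, kb) for name in ARTIFACTS}
    return kb, issued


if __name__ == "__main__":
    kb, issued = demo()
    print("queries issued per artifact:", issued)
    for user in kb["users"]:
        print(user)
```

The third user shows why the two artifacts are paired with WindowsRegistryProfiles rather than replacing it: the SID alone is enough to fetch the profile path, but the domain lookup is skipped until a username is known, so the query count differs per artifact (2 and 3 here).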
---
name: WMIServices
doc: Services queried from WMI.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_Service}
supported_os: [Windows]
---
name: WMIUsers
doc: |
  Users via Windows Management Instrumentation (WMI).

  Note that in a domain setup, this will probably return all users in the
  domain, which will be expensive and slow. Consider limiting by SID like
  WMIProfileUsersHomeDir.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_UserAccount}
labels: [Users]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx']