This file is indexed.

/usr/share/artifacts/wmi.yaml is in forensic-artifacts 20170808-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

# WMI specific artifacts.

name: WMIAccountUsersDomain
doc: |
  Fill out user AD domain information based on username.

  We expect this artifact to be collected with WindowsRegistryProfiles
  to supply the rest of the user information. This artifact optimizes retrieval
  of user information by limiting the WMI query to users for which we already
  have a username. Specifically, this solves the issue that in a domain setting
  querying for all users via WMI returns the list of all local and domain
  accounts, which means a large data transfer from an Active Directory server.
  This artifact relies on having the users.username field populated in the knowledge
  base. Unfortunately, even when limited by username this query can be slow, and
  this artifact runs it once for each user present on the system.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'}
labels: [Users]
provides: [users.userdomain]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx']
---
name: WMIComputerSystemProduct
doc: Computer system product information, including the identifying number, queried from WMI.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_ComputerSystemProduct}
labels: [System]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/aa394105(v=vs.85).aspx']
---
name: WMIDrivers
doc: Installed drivers via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: 'SELECT DisplayName, Description, InstallDate, Name, PathName, Status,
      State, ServiceType from Win32_SystemDriver'}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMIEnumerateASEC
doc: Enumerate instances of ActiveScriptEventConsumer.
sources:
- type: WMI
  attributes: {query: SELECT * FROM ActiveScriptEventConsumer, base_object: 'winmgmts:\root\subscription'}
supported_os: [Windows]
---
name: WMIEnumerateCLEC
doc: Enumerate instances of CommandLineEventConsumer.
sources:
- type: WMI
  attributes: {query: SELECT * FROM CommandLineEventConsumer, base_object: 'winmgmts:\root\subscription'}
supported_os: [Windows]
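The two queries above return the consumer halves of WMI event subscriptions in root\subscription, which is a well-known persistence location; the rows still have to be triaged once collected. The following is an added example, not code from the forensic-artifacts project or from any collector that consumes these definitions: the rows are constructed to look like the output of the two queries (the property names are those of the real WMI classes, the values are invented), and the indicator patterns are this example's own choices, not a vetted detection set.

```python
"""Triage collected CommandLineEventConsumer / ActiveScriptEventConsumer rows.

Added example (not part of the forensic-artifacts package). The rows and the
indicator patterns below are constructed for illustration.
"""
import re

# Constructed rows shaped like the output of the two queries above. Property
# names match the real WMI classes; the values are invented for this example.
SAMPLE_ROWS = [
    {"__CLASS": "CommandLineEventConsumer", "Name": "InventoryRefresh",
     "CommandLineTemplate": "\"C:\\Program Files\\Vendor\\inventory.exe\" --quiet",
     "ExecutablePath": None},
    {"__CLASS": "CommandLineEventConsumer", "Name": "Updater",
     "CommandLineTemplate": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA",
     "ExecutablePath": None},
    {"__CLASS": "ActiveScriptEventConsumer", "Name": "DiskCleanup",
     "ScriptingEngine": "VBScript", "ScriptFileName": None,
     "ScriptText": "Set s = CreateObject(\"WScript.Shell\")\r\n"
                   "s.Run \"C:\\Users\\Public\\svc.exe\", 0"},
]

# Indicator names and patterns are this example's own (assumed) heuristics.
INDICATORS = [
    ("encoded-powershell",
     re.compile(r"powershell.*-(e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("user-writable-path", re.compile(r"\\(Users\\Public|AppData|Temp)\\", re.I)),
    ("script-host-shell", re.compile(r"WScript\.Shell", re.I)),
]


def consumer_payload(row):
    """Return the text a consumer executes when its bound filter fires."""
    if row["__CLASS"] == "CommandLineEventConsumer":
        # ExecutablePath is optional; the template carries the command line.
        return " ".join(filter(None, [row.get("ExecutablePath"),
                                      row.get("CommandLineTemplate")]))
    if row["__CLASS"] == "ActiveScriptEventConsumer":
        # Inline script text, or only a file name when the script is on disk.
        return row.get("ScriptText") or row.get("ScriptFileName") or ""
    return ""


def triage(rows):
    """Return [(Name, class, [matched indicator names])] for suspicious rows."""
    hits = []
    for row in rows:
        payload = consumer_payload(row)
        matched = [name for name, rx in INDICATORS if rx.search(payload)]
        if matched:
            hits.append((row["Name"], row["__CLASS"], matched))
    return hits


if __name__ == "__main__":
    for name, cls, matched in triage(SAMPLE_ROWS):
        print(f"{cls}/{name}: {', '.join(matched)}")
```

A consumer on its own does nothing: it only runs when an `__EventFilter` in the same namespace is tied to it through a `__FilterToConsumerBinding`, so a hit here should be followed by collecting those two classes from root\subscription as well to see what trigger and what credentials the consumer runs under.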
---
name: WMIHotFixes
doc: Installed hotfixes via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: SELECT * from Win32_QuickFixEngineering}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMIInstalledSoftware
doc: Installed software via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: 'SELECT Name, Vendor, Description, InstallDate, InstallDate2, Version
      from Win32_Product'}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMILastBootupTime
doc: Last system boot time (UTC) retrieved from WMI.
sources:
- type: WMI
  attributes: {query: SELECT LastBootUpTime FROM Win32_OperatingSystem}
labels: [System]
supported_os: [Windows]
urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa394239(v=vs.85).aspx']
---
name: WMILogicalDisks
doc: Disk information via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_LogicalDisk}
labels: [System]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/aa394173(v=vs.85).aspx']
---
name: WMILoggedOnSessions
doc: Logon sessions queried from WMI.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_LogonSession}
supported_os: [Windows]
---
name: WMILoggedOnUsers
doc: Logged on users queried from WMI.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_LoggedonUser}
supported_os: [Windows]
---
name: WMILoginUsers
doc: |
  Login Users via Windows Management Instrumentation (WMI).

  This WMI query may take a long time to complete when run on a domain and
  will create load on a domain controller.
sources:
- type: WMI
  attributes: {query: SELECT * from Win32_GroupUser where Name = "login_users"}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMIPhysicalMemory
doc: Physical memory information via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: SELECT * from Win32_PhysicalMemory}
conditions: [os_major_version >= 6]
labels: [System]
supported_os: [Windows]
urls: ["http://msdn.microsoft.com/en-us/library/aa394347%28v=vs.85%29.aspx"]
---
name: WMIProcessList
doc: Process listing via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: SELECT * from Win32_Process}
conditions: [os_major_version >= 6]
labels: [Software]
supported_os: [Windows]
---
name: WMIProfileUsersHomeDir
doc: |
  Get user homedir from Win32_UserProfile based on a known user's SID.

  This artifact relies on having the SID field users.sid populated in the knowledge
  base. We expect it to be collected with WindowsRegistryProfiles to
  supply the rest of the user information.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'}
labels: [Users]
provides: [users.homedir]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx']
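Both WMIAccountUsersDomain and WMIProfileUsersHomeDir above depend on `%%users.username%%` / `%%users.sid%%` placeholders being filled from the knowledge base that WindowsRegistryProfiles populates, producing one WQL query per known user. The following is an added example of that expansion and is not code from the forensic-artifacts package or from the collectors (such as GRR) that consume these definitions; the knowledge base and user names are constructed, and the `expand` / `wql_escape` functions and their behaviour are this example's own. It also shows why the substituted value has to be escaped: a username containing a quote would otherwise break out of the WQL string literal.

```python
"""Expand %%object.field%% placeholders in WMI artifact queries.

Added example (not part of the forensic-artifacts package). Queries are the
ones from the artifact definitions on this page; the knowledge base is
constructed for illustration.
"""
import re

WMI_ACCOUNT_USERS_DOMAIN = (
    "SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'"
)
WMI_PROFILE_USERS_HOMEDIR = (
    "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"
)

# Constructed knowledge base. The users list mimics what WindowsRegistryProfiles
# would provide; the third entry deliberately contains a single quote.
KNOWLEDGE_BASE = {
    "users": [
        {"username": "alice", "sid": "S-1-5-21-1111-2222-3333-1001"},
        {"username": "bob", "sid": "S-1-5-21-1111-2222-3333-1002"},
        {"username": "o'brien", "sid": "S-1-5-21-1111-2222-3333-1003"},
    ]
}

PLACEHOLDER = re.compile(r"%%(\w+)\.(\w+)%%")


def wql_escape(value):
    """Escape a value for use inside a quoted WQL string literal.

    WQL uses backslash as its escape character, so backslashes and both quote
    characters in the value are escaped before substitution.
    """
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def expand(query, kb):
    """Return one concrete query per knowledge-base entry.

    Placeholders of the form %%object.field%% are resolved against kb[object],
    a list of dicts (e.g. kb["users"]). A query without placeholders is returned
    unchanged; entries missing a referenced field are skipped; duplicate
    resulting queries are collapsed.
    """
    refs = PLACEHOLDER.findall(query)
    if not refs:
        return [query]
    objects = {obj for obj, _ in refs}
    if len(objects) != 1:
        # Mixing e.g. users.* and hosts.* in one query has no defined pairing.
        raise ValueError(f"placeholders span several objects: {sorted(objects)}")
    obj = objects.pop()
    out = []
    for entry in kb.get(obj, []):
        if any(field not in entry for _, field in refs):
            continue
        concrete = PLACEHOLDER.sub(
            lambda m: wql_escape(str(entry[m.group(2)])), query)
        if concrete not in out:
            out.append(concrete)
    return out


if __name__ == "__main__":
    for q in expand(WMI_ACCOUNT_USERS_DOMAIN, KNOWLEDGE_BASE):
        print(q)
    for q in expand(WMI_PROFILE_USERS_HOMEDIR, KNOWLEDGE_BASE):
        print(q)
```

The per-user fan-out is also the performance point the doc text makes: every entry in `users` becomes a separate round trip to WMI, so the query count grows with the number of profiles on the host.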
---
name: WMIServices
doc: Services queried from WMI.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_Service}
supported_os: [Windows]
---
name: WMIUsers
doc: |
  Users via Windows Management Instrumentation (WMI).

  Note that in a domain setup, this will probably return all users in the
  domain which will be expensive and slow. Consider limiting by SID like
  WMIProfileUsersHomeDir.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_UserAccount}
labels: [Users]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx']
---
name: WMIVolumeShadowCopies
doc: A list of Volume Shadow Copies from WMI.
sources:
- type: WMI
  attributes: {query: SELECT * FROM Win32_ShadowCopy}
labels: [System]
supported_os: [Windows]