# WBEM Info

## Overview

**Evidence:** WBEM Info\
**Description:** ESXi WBEM Info\
**Category:** System\
**Platform:** esxi\
**Short Name:** wbeminfo\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Web-Based Enterprise Management (WBEM) services enable CIM (Common Information Model) based hardware monitoring and management on ESXi. The WBEM configuration controls remote hardware management access, and it can be exploited if it is improperly secured or has been modified to enable unauthorized hardware monitoring.

## Data Collected

This collector gathers structured data about the ESXi WBEM service configuration.

### WBEM Info Data

| Field                          | Description                     | Example       |
| ------------------------------ | ------------------------------- | ------------- |
| `Enabled`                      | Enabled                         | Example value |
| `WSManagementService`          | WS Management Service           | Example value |
| `EnableHTTPS`                  | Enable HTTPS                    | Example value |
| `AuthorizationModel`           | Authorization Model             | Example value |
| `Port`                         | Port                            | 123           |
| `HTTPProcs`                    | HTTP Procs                      | 123           |
| `HTTPSProcs`                   | HTTPS Procs                     | 123           |
| `ProviderProcs`                | Provider Procs                  | 123           |
| `KeepaliveTimeout`             | Keepalive Timeout               | 123           |
| `KeepaliveMaxRequests`         | Keepalive Max Requests          | 123           |
| `ProviderSampleInterval`       | Provider Sample Interval        | 123           |
| `ProviderTimeoutInterval`      | Provider Timeout Interval       | 123           |
| `HTTPMaxContentLength`         | HTTP Max Content Length         | 123           |
| `MaxMessageLength`             | Max Message Length              | 123           |
| `ThreadStackSize`              | Thread Stack Size               | 123           |
| `ProviderResourcePoolOverride` | Provider Resource Pool Override | Example value |
| `SSLCipherList`                | SSL Cipher List                 | Example value |
| `ThreadpoolSize`               | Threadpool Size                 | 123           |
| `Readonly`                     | Readonly                        | Example value |
| `LogLevel`                     | Log Level                       | Example value |
| `ServiceLocationProtocolPID`   | Service Location Protocol PID   | 123           |
| `WSManagementPID`              | WS Management PID               | 123           |
| `CIMObjectManagerPID`          | CIM Object Manager PID          | 123           |
| `EnabledSSLProtocols`          | Enabled SSL Protocols           | Example value |
| `EnabledSystemSSLProtocols`    | Enabled System SSL Protocols    | Example value |
| `EnabledRunningSSLProtocols`   | Enabled Running SSL Protocols   | Example value |

## Collection Method

This collector parses WBEM service configuration, extracting service status, port settings, authentication requirements, SSL/TLS configurations, and access control settings for the WBEM management interface.

## Forensic Value

WBEM configuration analysis reveals remote management exposure, identifies weakened authentication settings, detects unauthorized service modifications, and exposes potential backdoor access through management interfaces. Unexpected WBEM access or configuration changes warrant investigation.
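The checks described above can be scripted over a parsed record. The following is an added example, not code from the collector or its vendor: the field names come from the table on this page, while the value formats (`"true"`/`"false"` strings, comma-separated protocol names), the `triage_wbem` helper, and the baseline record are assumptions made for illustration.

```python
# Field names are from the WBEM Info table; value formats and the baseline
# are assumptions, not the collector's documented output.
WEAK_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.0", "tlsv1.1"}

def _truthy(value):
    return str(value).strip().lower() in {"true", "yes", "1"}

def _protocols(value):
    return {p.strip().lower() for p in str(value or "").split(",") if p.strip()}

def triage_wbem(record, baseline=None):
    """Return a list of findings for one WBEM Info record (hypothetical helper)."""
    findings = []
    enabled = _truthy(record.get("Enabled"))
    pids = {k: int(record.get(k) or 0) for k in
            ("CIMObjectManagerPID", "WSManagementPID", "ServiceLocationProtocolPID")}
    running = [k for k, pid in pids.items() if pid > 0]
    if not enabled and running:
        findings.append(f"WBEM disabled in config but processes present: {running}")
    if enabled or running:
        if not _truthy(record.get("EnableHTTPS")):
            findings.append("HTTPS not enabled for WBEM")
        configured = _protocols(record.get("EnabledSSLProtocols"))
        active = _protocols(record.get("EnabledRunningSSLProtocols"))
        weak = sorted((configured | active) & WEAK_PROTOCOLS)
        if weak:
            findings.append(f"Deprecated SSL/TLS protocols enabled: {weak}")
        if configured and active and configured != active:
            findings.append("Running SSL protocols differ from configured set")
    # Drift against a known-good record captured earlier for the same host.
    for field, expected in (baseline or {}).items():
        if str(record.get(field)) != str(expected):
            findings.append(f"{field} changed: {expected!r} -> {record.get(field)!r}")
    return findings

# Constructed sample record and baseline (not real collector output).
SAMPLE = {
    "Enabled": "true", "EnableHTTPS": "false", "Port": 5988,
    "AuthorizationModel": "password", "EnabledSSLProtocols": "tlsv1.2",
    "EnabledRunningSSLProtocols": "tlsv1,tlsv1.2",
    "CIMObjectManagerPID": 2101334, "WSManagementPID": 0,
    "ServiceLocationProtocolPID": 0,
}
BASELINE = {"Enabled": "false", "Port": 5989, "AuthorizationModel": "password"}

if __name__ == "__main__":
    for finding in triage_wbem(SAMPLE, BASELINE):
        print(finding)
```

A finding here is a prompt for investigation, not a verdict; compare it against the host's change records before treating it as unauthorized.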
