WBEM

Overview

Evidence: WBEM
Description: Collect WBEM Files
Category: System
Platform: windows
Short Name: wbem
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Windows Management Instrumentation (WMI) uses the WBEM (Web-Based Enterprise Management) repository to store WMI class definitions, instances, and configuration. The repository and associated logs can contain evidence of WMI usage, persistence, and system management activities.

The WBEM repository has been abused by attackers for persistence and reconnaissance, making these files valuable for forensic analysis.

Data Collected

This collector gathers the following data about WBEM.

WBEM Data

Field        Description                  Example
Name         Artifact name                WBEM
Type         Folder                       Folder
SourcePath   Original folder path         C:\Windows\System32\wbem\Repository
Path         Relative path in evidence    Other/Repository

Collection Method

This collector gathers the following WBEM-related directories:

  • Windows\System32\wbem\Repository - WMI repository

  • Windows\System32\wbem\Logs - WMI log files

  • Windows\System32\wbem\AutoRecover - Auto-recovery MOFs

Forensic Value

WBEM files can reveal WMI persistence mechanisms and system management activity. Investigators use this data to detect WMI-based persistence, analyze WMI repository modifications, track system management activities, and investigate WMI abuse by attackers.
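As an added example (not part of this page or the product's own tooling), the following Python script shows one way an investigator can triage a collected Repository folder for WMI event-subscription persistence. It scans the repository's OBJECTS.DATA file for the class names involved in permanent event subscriptions, in both ASCII and UTF-16LE since string fields in the repository can appear in either encoding, and lists the printable strings found around each hit (consumer name, command line, filter query). The class list, the context window size and the sample bytes are assumptions constructed for this example; real repository files use a binary record layout, so this is a string-based triage aid rather than a full parser.

```python
"""Triage a collected WMI repository (OBJECTS.DATA) for event-subscription
persistence artifacts. Added example; not part of the original page."""
import re
from pathlib import Path
from typing import Dict, List

# WMI classes that make up a permanent event subscription. This list is an
# assumption chosen for the example, not a complete catalogue.
PERSISTENCE_CLASSES = (
    "__EventFilter",
    "__FilterToConsumerBinding",
    "CommandLineEventConsumer",
    "ActiveScriptEventConsumer",
)

# Printable runs of at least 6 characters, ASCII and UTF-16LE respectively.
_ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE strings found in blob, ordered by
    the offset at which they start."""
    found = [(m.start(), m.group().decode("ascii")) for m in _ASCII_RE.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in _UTF16_RE.finditer(blob)]
    return [s for _, s in sorted(found)]


def scan_objects_data(data: bytes, context: int = 256) -> Dict[str, List[dict]]:
    """Locate each persistence class name (ASCII or UTF-16LE encoded) and
    gather the printable strings in a window of `context` bytes around it.

    Returns {class_name: [{"offset": int, "encoding": str, "strings": [...]}]}.
    """
    hits: Dict[str, List[dict]] = {}
    for name in PERSISTENCE_CLASSES:
        for encoding in ("ascii", "utf-16-le"):
            needle = name.encode(encoding)
            for m in re.finditer(re.escape(needle), data):
                lo = max(0, m.start() - context)
                hi = min(len(data), m.end() + context)
                hits.setdefault(name, []).append({
                    "offset": m.start(),
                    "encoding": encoding,
                    "strings": extract_strings(data[lo:hi]),
                })
    return hits


def scan_repository(repo_dir: Path) -> Dict[str, List[dict]]:
    """Scan the OBJECTS.DATA file inside a collected Repository folder."""
    return scan_objects_data((repo_dir / "OBJECTS.DATA").read_bytes())


# Constructed sample bytes standing in for a fragment of OBJECTS.DATA: a
# UTF-16LE consumer record followed by an ASCII filter record. The layout
# is invented for the example and does not mirror the real binary format.
SAMPLE = (
    b"\x00" * 32
    + "CommandLineEventConsumer".encode("utf-16-le")
    + b"\x00" * 8
    + "ExampleConsumer".encode("utf-16-le")
    + b"\x00" * 8
    + "C:\\Temp\\example.cmd".encode("utf-16-le")
    + b"\x00" * 64
    + b"__EventFilter\x00ExampleFilter\x00"
    + b"SELECT * FROM __InstanceModificationEvent WITHIN 60\x00"
    + b"\x00" * 32
)


if __name__ == "__main__":
    import sys

    # Usage: python wbem_triage.py <path to collected Repository folder>
    # Without an argument the constructed SAMPLE bytes are scanned instead.
    results = scan_repository(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_objects_data(SAMPLE)
    for cls, entries in results.items():
        for entry in entries:
            print(f"{cls} @ 0x{entry['offset']:x} ({entry['encoding']})")
            for s in entry["strings"]:
                print("    ", s)
```

Hits on CommandLineEventConsumer or ActiveScriptEventConsumer deserve the closest look, since those classes are what turn a subscription into code execution; the surrounding strings usually expose the consumer name and the command or script body, which can then be compared against the system's known management tooling.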
