Questions

[rdram0s]

I am researching using WmiEvent and Uproot but have several questions.

1. Is there more documentation?
2. Uproot overview does not have WmiEvent implemented. Are there plans to do so?
3. If I am already monitoring process creations with the native security log with command-line arguments included, is there any benefit to monitoring them using WMI?
4. I don't see either tool, by default, monitoring the deletion of a class (defensive monitoring of persistence)? Is this something I would add?

Look forward to the replies.

Thanks in advance. #

[jaredcatkinson]

Hey! Sorry it took me so long to respond (I just finished moving across the country). Let me try to answer your questions the best I can.

1. Unfortunately the documentation is lacking a bit. I think your best bet for now is using msdn to learn about each Consumer type (ex. https://msdn.microsoft.com/en-us/library/aa384749(v=vs.85).aspx) and then reference the help for each individual cmdlet.

2. Uproot should now have a working version of WmiEvent built in. I will check this over the next couple of days.

3. I like to think of Uproot as a way to augment your current monitoring. For example, WMI provides a couple of ways to monitor process creation. The Win32_Process class has tons of information (unfortunately no hashes) but relies on a polling interval (if a process starts and stops between polls, then it will be missed). On the other hand Win32_ProcessStartTrace catches almost every process creation, but doesn't have as detailed of properties associated with it.

4. The coolest part of Uproot is that it provides a relatively simple interface to create WMI event subscriptions that fit your needs. You can monitor Creation, Modification, and Deletion events for many WMI class instances. I tried to provide a bunch of examples in the repo, but you will likely want to create your own signatures. That being said, I'd be happy to accept pull requests to add new signatures that might be useful to the community (I think this is the area that community contributions could be the most useful).