I am researching using WmiEvent and Uproot but have several questions.
Is there more documentation?
Uproot overview does not have WmiEvent implemented. Are there plans to do so?
If I am already monitoring process creations with the native security log with command-line arguments included, is there any benefit to monitoring them using WMI?
I don't see either tool, by default, monitoring the deletion of a class (defensive monitoring of persistence). Is this something I would add?
Look forward to the replies.
Thanks in advance.
Hey! Sorry it took me so long to respond (I just finished moving across the country). Let me try to answer your questions the best I can.
Unfortunately the documentation is lacking a bit. I think your best bet for now is using msdn to learn about each Consumer type (ex. https://msdn.microsoft.com/en-us/library/aa384749(v=vs.85).aspx) and then reference the help for each individual cmdlet.
Uproot should now have a working version of WmiEvent built in. I will check this over the next couple of days.
I like to think of Uproot as a way to augment your current monitoring. For example, WMI provides a couple of ways to monitor process creation. The Win32_Process class has tons of information (unfortunately no hashes) but relies on a polling interval (if a process starts and stops between polls, then it will be missed). On the other hand, Win32_ProcessStartTrace catches almost every process creation, but doesn't have properties that are as detailed.
The coolest part of Uproot is that it provides a relatively simple interface to create WMI event subscriptions that fit your needs. You can monitor Creation, Modification, and Deletion events for many WMI class instances. I tried to provide a bunch of examples in the repo, but you will likely want to create your own signatures. That being said, I'd be happy to accept pull requests to add new signatures that might be useful to the community (I think this is the area that community contributions could be the most useful).
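As an added example (not code from the Uproot or WmiEvent projects), the three subscription kinds discussed in this thread written as plain PowerShell temporary subscriptions: the polled Win32_Process query, the extrinsic Win32_ProcessStartTrace query, and a deletion subscription that covers the persistence-monitoring question above. The SourceIdentifier names, the 5-second polling interval and the 60-second runtime are assumptions.

```powershell
# Added example, not Uproot/WmiEvent code. Requires Windows PowerShell 5.1 or
# PowerShell 7 on Windows; run elevated so root\subscription can be read.

# 1) Intrinsic event: polled every 5 seconds (WITHIN 5), so a process that
#    starts and exits between polls is missed, but TargetInstance carries the
#    full Win32_Process instance including CommandLine.
$polled = @"
SELECT * FROM __InstanceCreationEvent WITHIN 5
WHERE TargetInstance ISA 'Win32_Process'
"@
Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $polled -SourceIdentifier 'Demo.ProcPolled' -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("[polled]  PID {0} {1}" -f $p.ProcessId, $p.CommandLine)
}

# 2) Extrinsic event: delivered by the provider as it happens (no WITHIN), so
#    short-lived processes are caught, but only a few properties are available.
$trace = "SELECT * FROM Win32_ProcessStartTrace"
Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $trace -SourceIdentifier 'Demo.ProcTrace' -Action {
    $e = $Event.SourceEventArgs.NewEvent
    Write-Host ("[trace]   PID {0} {1} (parent {2})" -f $e.ProcessID, $e.ProcessName, $e.ParentProcessID)
}

# 3) Deletion monitoring: fires when a permanent event subscription binding in
#    root\subscription is removed, e.g. when a defender's own subscriptions are
#    cleaned up or tampered with. Swap in __EventFilter or __EventConsumer to
#    watch the other two pieces of a permanent subscription.
$deleted = @"
SELECT * FROM __InstanceDeletionEvent WITHIN 5
WHERE TargetInstance ISA '__FilterToConsumerBinding'
"@
Register-CimIndicationEvent -Namespace 'root\subscription' -Query $deleted -SourceIdentifier 'Demo.BindingDeleted' -Action {
    $b = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("[deleted] binding {0} -> {1}" -f $b.Filter, $b.Consumer)
}

# Let the subscriptions run for a minute, then remove them again.
Start-Sleep -Seconds 60
'Demo.ProcPolled', 'Demo.ProcTrace', 'Demo.BindingDeleted' | ForEach-Object { Unregister-Event -SourceIdentifier $_ }
```

Start a short-lived process such as `cmd /c exit` while this runs to see the difference: the trace subscription reports it, the polled one usually does not.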