If you would like to know more about WMI, this post explains WMI in detail.
Let's look at the third medium challenge (WhoaMI) on the incident-response-challenge.com website and try to solve it.
14th Challenge
This challenge states that there is a persistence mechanism related to PowerShell and CMD.
We'll parse the OBJECTS.DATA WMI repository file using PyWMIPersistenceFinder.py. You can find the tool here: PyWMIPersistenceFinder
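As an added example (not the page's own code and not PyWMIPersistenceFinder), here is a minimal string-carving approach to the same task: pull printable runs out of OBJECTS.DATA, then resolve each __FilterToConsumerBinding to the filter query and consumer body it ties together. The sample bytes are constructed, and the assumption that an object's name and body directly follow its class name is a simplification of the real repository layout.

```python
import re

# Constructed stand-in for a fragment of OBJECTS.DATA (not a real repository dump):
# property values appear as NUL-separated runs, the way a string carver sees them.
SAMPLE_OBJECTS_DATA = (
    b"\x00\x00CommandLineEventConsumer\x00AdminConsumer\x00"
    b"powershell.exe -ExecutionPolicy Bypass -File C:\\temp\\addadmin.ps1\x00\x00"
    b"__EventFilter\x00AdminFilter\x00"
    b"SELECT * FROM __InstanceModificationEvent WITHIN 60 "
    b"WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'\x00"
    b"__FilterToConsumerBinding\x00__EventFilter.Name=\"AdminFilter\"\x00"
    b"CommandLineEventConsumer.Name=\"AdminConsumer\"\x00"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # ASCII runs of 4+ characters
CONSUMER_CLASSES = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")
FILTER_REF = re.compile(r'__EventFilter\.Name="([^"]+)"')
CONSUMER_REF = re.compile(r'(?:CommandLine|ActiveScript)EventConsumer\.Name="([^"]+)"')

def carve_strings(blob):
    """Pull printable ASCII runs out of raw repository bytes."""
    return [run.decode("ascii") for run in PRINTABLE.findall(blob)]

def collect_objects(strings):
    """Map consumer and filter names to the value stored after them.
    Assumption (this example only): name and body directly follow the class name."""
    consumers, filters = {}, {}
    for i, s in enumerate(strings[:-2]):
        if s in CONSUMER_CLASSES:
            consumers[strings[i + 1]] = strings[i + 2]  # name -> command / script body
        elif s == "__EventFilter":
            filters[strings[i + 1]] = strings[i + 2]    # name -> WQL query
    return consumers, filters

def find_persistence(blob):
    """Resolve each __FilterToConsumerBinding to its filter query and consumer body."""
    strings = carve_strings(blob)
    consumers, filters = collect_objects(strings)
    findings = []
    for i, s in enumerate(strings):
        if s != "__FilterToConsumerBinding":
            continue
        window = " ".join(strings[i + 1:i + 4])  # the binding's object-path references
        f_ref, c_ref = FILTER_REF.search(window), CONSUMER_REF.search(window)
        if f_ref and c_ref:
            findings.append({"filter": f_ref.group(1), "consumer": c_ref.group(1),
                             "query": filters.get(f_ref.group(1), "<not found>"),
                             "payload": consumers.get(c_ref.group(1), "<not found>")})
    return findings
```

Run find_persistence() over the bytes of OBJECTS.DATA taken from a forensic image or copied from a shadow copy, since the live file under System32\wbem\Repository is held open by the WMI service.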
Answer to the challenge
C:\temp\addadmin.ps1
References
- The challenge used in this post belongs to incident-response-challenge.com