WMI
Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. It is Microsoft's implementation of Web-Based Enterprise Management (WBEM).
WMI uses the Common Information Model (CIM) to represent classes of information. CIM is developed and maintained by the DMTF (formerly known as the Distributed Management Task Force).
The Managed Object Format (MOF) is the language used to describe Common Information Model (CIM) classes.
The CIM database consists of multiple files (OBJECTS.DATA, MAPPING*.MAP, INDEX.BTR and, prior to Windows Vista, MAPPING.VER) that are located in the following directories:
"C:\Windows\System32\WBEM\repository\" on Vista+
"C:\Windows\System32\WBEM\repository\FS\" on WinXP/Win2003
Copies of the CIM database files may also exist in the following locations:
"C:\Windows\System32\WBEM\repository.001\"
"C:\Windows\System32\WBEM\repository.001\FS\"
"C:\Windows\System32\WBEM\repository.002\"
"C:\Windows\System32\WBEM\repository.002\FS\"
...
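The directory layouts above differ by Windows version and the repository.NNN copies are easy to overlook during collection, so the following Python script, added here as an example and not taken from the page, walks a mounted volume (or an extracted image tree) and inventories every CIM repository file it finds, in both the Vista+ layout and the XP/2003 FS\ layout, with sizes and SHA-256 hashes for the evidence log. The volume root path is an assumption the caller supplies; the sample tree built by build_sample_volume is constructed test data and contains no real CIM content. Name matching is case-insensitive because an NTFS image mounted on Linux may present mixed-case names.

```python
"""Inventory CIM repository files under <root>\\Windows\\System32\\WBEM (added example)."""
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Repository file names named on the page; MAPPING*.MAP covers MAPPING1.MAP, MAPPING2.MAP, ...
CIM_FILE_PATTERNS = ("OBJECTS.DATA", "INDEX.BTR", "MAPPING.VER", "MAPPING*.MAP")


def _child(directory, name):
    """Child of `directory` whose name equals `name` ignoring case, or None.

    NTFS is case-insensitive but a Linux mount of an image is not, so the
    Windows\\System32\\WBEM path is resolved one component at a time."""
    if directory is None or not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def _cim_files(directory):
    """Files in `directory` whose upper-cased name matches a repository pattern."""
    if directory is None or not directory.is_dir():
        return []
    return sorted(
        p for p in directory.iterdir()
        if p.is_file()
        and any(fnmatch.fnmatchcase(p.name.upper(), pat) for pat in CIM_FILE_PATTERNS)
    )


def _sha256(path):
    """Streaming SHA-256 so large OBJECTS.DATA files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_cim_repositories(volume_root):
    """One record per repository file, covering `repository` and every `repository.NNN`.

    Each candidate directory is checked in the Vista+ layout (files directly inside)
    and the XP/2003 layout (files inside an FS subdirectory)."""
    wbem = _child(_child(_child(Path(volume_root), "Windows"), "System32"), "WBEM")
    records = []
    if wbem is None:
        return records
    for repo in sorted(wbem.iterdir()):
        low = repo.name.lower()
        is_repo = low == "repository" or (low.startswith("repository.") and low[11:].isdigit())
        if not repo.is_dir() or not is_repo:
            continue
        for layout, directory in (("vista+", repo), ("xp/2003", _child(repo, "FS"))):
            for path in _cim_files(directory):
                records.append({
                    "repository": repo.name,
                    "layout": layout,
                    "file": path.name,
                    "size": path.stat().st_size,
                    "sha256": _sha256(path),
                })
    return records


def build_sample_volume(root):
    """Constructed sample tree: a live Vista+ repository and an XP-style repository.001\\FS copy."""
    root = Path(root)
    live = root / "Windows" / "System32" / "WBEM" / "repository"
    backup = root / "Windows" / "System32" / "WBEM" / "repository.001" / "FS"
    for directory in (live, backup):
        directory.mkdir(parents=True)
    (live / "OBJECTS.DATA").write_bytes(b"constructed objects.data")
    (live / "INDEX.BTR").write_bytes(b"constructed index.btr")
    (live / "MAPPING1.MAP").write_bytes(b"constructed mapping1")
    (live / "MAPPING2.MAP").write_bytes(b"constructed mapping2")
    (live / "unrelated.log").write_bytes(b"ignored")          # not a repository file
    (backup / "objects.data").write_bytes(b"old objects.data")  # lower case, as a Linux mount may show it
    (backup / "INDEX.BTR").write_bytes(b"old index.btr")
    (backup / "MAPPING.VER").write_bytes(b"old mapping.ver")  # pre-Vista only
    (backup / "MAPPING1.MAP").write_bytes(b"old mapping1")
    return root


def demo():
    """Build the constructed volume in a temporary directory and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_cim_repositories(build_sample_volume(tmp))


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['repository']:15} {rec['layout']:8} {rec['file']:13} "
              f"{rec['size']:>5} {rec['sha256']}")
```

Point inventory_cim_repositories at the root of a mounted volume (for example the mount point of an image) rather than at the WBEM directory itself; the records it returns are what you would want to preserve alongside the collected files before any parser touches them.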
External Links
- Windows Management Instrumentation, by Microsoft
- Common Information Model, by Microsoft
- Managed Object Format (MOF), by Microsoft
- WMI Command-line Tools, by Microsoft
- CIM Schemas, by DMTF (formerly known as the Distributed Management Task Force)
Namespaces
- Understanding WMI Namespaces
- Configuration Manager WMI namespaces and classes for Configuration Manager reports, by Microsoft
Malware and intrusion analysis
- Understanding WMI Malware, by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010
- Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor, by Matt Graeber, 2015
- Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology, by Matt Graeber, Lee Christensen, 2018
- WmiEventConsumerClassDerivation.ps1, by Matt Graeber, June 21, 2019
Evidence of File Execution
- Do You See What I CCM?, by David Pany, Fred House, December 15, 2016
- Secret Archives of Execution Evidence: CCM_RecentlyUsedApps, by James Habben, February 28, 2017
- WMI_Forensics, by David Pany, Sept 1, 2017