21. WMIStartup
The WMIStartup module uses different WMI queries to retrieve information on elements that could be used for persistence. It is very likely that findings by this module also appear in other modules (e.g. Autoruns) in a different form, because it just uses a different method to look at the same elements.
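An added PowerShell example (not THOR's own code) that issues the kind of WMI startup query this module relies on and applies a simple path check to each entry, producing a finding shaped like the samples below; the path patterns and the score of 75 are assumptions chosen for illustration.

```powershell
# Added example: enumerate startup entries via WMI and flag those whose
# command path sits in a location commonly abused for persistence.
# The patterns and the default score are assumptions, not THOR's rule set.
$SuspiciousPathPatterns = @(
    '\\AppData\\Local\\Temp\\',    # temp folders, e.g. self-extracting archives
    '\\Users\\Public\\',
    '\\Windows\\Temp\\',
    '\\ProgramData\\[^\\]+\.exe'   # executables dropped directly into ProgramData
)

function Get-WmiStartupFindings {
    param([int]$Score = 75)        # assumed score, mirrors the samples in this chapter
    # Win32_StartupCommand covers Run keys and Startup folders for all users
    Get-CimInstance -ClassName Win32_StartupCommand |
        ForEach-Object {
            $entry = $_
            $hits = $SuspiciousPathPatterns | Where-Object { $entry.Command -match $_ }
            if ($hits) {
                [pscustomobject]@{
                    Module   = 'WMIStartup'
                    Message  = 'Suspicious startup program WMI Run Key Evaluation'
                    Name     = $entry.Name
                    Location = $entry.Location   # Run key or folder the entry came from
                    Command  = $entry.Command    # the path evaluated by the check
                    User     = $entry.User
                    Pattern  = ($hits -join ', ')
                    Score    = $Score
                }
            }
        }
}

Get-WmiStartupFindings | Format-List
```

Entries returned here should be cross-checked against the Autoruns findings on the same host, since both views describe the same registry keys and folders.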
21.1. Samples
Aug 23 02:03:12 server55.local.net/10.16.1.44
THOR: Warning: MODULE: WMIStartup
MESSAGE: Suspicious startup program WMI Run Key Evaluation
LOCATION: "C:\Users\user1\AppData\Local\Temp\1\RarSFX1\OlympUpgrade.exe"
SCORE: 75
May 20 11:14:52 wks10021/10.1.7.60
THOR: Warning: MODULE: WMIStartup
MESSAGE: Suspicious startup program WMI Run Key Evaluation
LOCATION: "C:\Users\user1\AppData\Local\Akamai\netsession_win.exe"
SCORE: 75
21.2. Typical False Positives
Legitimate software that uses suspicious startup locations
21.3. Attribute Evaluation
Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
LOCATION | See chapter File Path Checks | | |