:py:mod:`dissect.target.plugins.os.windows.cim`
===============================================

.. py:module:: dissect.target.plugins.os.windows.cim


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.cim.EventFilter
   dissect.target.plugins.os.windows.cim.CimPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.cim.get_property_value_safe
   dissect.target.plugins.os.windows.cim.get_filter_name
   dissect.target.plugins.os.windows.cim.get_creator_sid


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.cim.COMMON_ELEMENTS
   dissect.target.plugins.os.windows.cim.CommandLineEventConsumerRecord
   dissect.target.plugins.os.windows.cim.ActiveScriptEventConsumerRecord


.. py:data:: COMMON_ELEMENTS
   :value: [('string', 'creator_sid'), ('string', 'machine_name'), ('string', 'filter_query'), ('string',...


.. py:data:: CommandLineEventConsumerRecord


.. py:data:: ActiveScriptEventConsumerRecord


.. py:class:: EventFilter

   Extracted information from ``__EventFilter``.

   .. rubric:: References

   - https://learn.microsoft.com/en-us/windows/win32/wmisdk/--eventfilter


   .. py:attribute:: filter_name
      :type: str
      :value: ''


   .. py:attribute:: filter_query
      :type: str
      :value: ''


   .. py:attribute:: filter_query_language
      :type: str
      :value: ''


   .. py:attribute:: filter_creator_sid
      :type: str
      :value: ''


.. py:function:: get_property_value_safe(consumer: dissect.cim.cim.Instance, prop_name: str, default_value: str | None = None) -> str | None

   Extract the value of a consumer property. Falls back to ``default_value`` if the property is missing.


.. py:function:: get_filter_name(binding: dissect.cim.cim.Instance) -> str

   Return the unquoted filter name from a ``__filtertoconsumerbinding`` class instance.


.. py:function:: get_creator_sid(class_instance: dissect.cim.cim.Instance) -> str | None

   Extract and parse the ``CreatorSID`` member, if available.


.. py:class:: CimPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   CIM database plugin.

   Provides functions for getting useful data out of the CIM (WBEM) database.


   .. py:attribute:: __namespace__
      :value: 'cim'

      Defines the plugin namespace.


   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target
      (``self.target``). For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.


   .. py:method:: repo() -> dissect.cim.cim.CIM


   .. py:method:: consumerbindings() -> collections.abc.Iterator[ActiveScriptEventConsumerRecord | CommandLineEventConsumerRecord]

      Return all ActiveScriptEventConsumer and CommandLineEventConsumer bindings.

      WMI permanent event subscriptions can be used to trigger actions when specified conditions are met.
      Attackers often use this functionality to persist the execution of backdoors at system start-up.

      WMI Consumers specify an action to be performed, including executing a command, running a script,
      adding an entry to a log, or sending an email. WMI Filters define the conditions that will trigger a
      Consumer.

      .. rubric:: References

      - https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/
      - https://www.mandiant.com/resources/dissecting-one-ofap
      - https://support.sophos.com/support/s/article/KB-000038535?language=en_US&c__displayLanguage=en_US
      - https://learn.microsoft.com/en-us/windows/win32/wmisdk/activescripteventconsumer
      - https://learn.microsoft.com/en-us/windows/win32/wmisdk/commandlineeventconsumer
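The following is an added, stand-alone illustration of the filter/consumer/binding triad that ``consumerbindings()`` resolves; it is not dissect.target's own code. It models CIM instances as plain dicts, assumes the binding's ``Filter`` and ``Consumer`` references use the ``Class.Name="value"`` layout, and shows how a binary ``CreatorSID`` array is parsed into ``S-1-...`` form and how a binding is joined to its filter query and consumer action.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Convert a binary SID (the CreatorSID uint8 array) to its S-1-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit identifier authority
    subs = struct.unpack_from(f"<{count}I", raw, 8)     # little-endian sub-authorities
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_reference(ref: str) -> tuple[str, str]:
    """Split a binding reference such as '__EventFilter.Name="Boot"' into
    (class name, unquoted instance name). An optional namespace prefix is dropped."""
    cls, _, rest = ref.rsplit(":", 1)[-1].partition(".")
    return cls, rest.partition("=")[2].strip().strip('"')

def property_value_safe(instance: dict, name: str, default=None):
    """Read a property, falling back to default when the instance lacks it."""
    return instance.get(name, default)

def resolve_bindings(bindings, filters, consumers) -> list[dict]:
    """Join each __FilterToConsumerBinding to its filter and consumer, producing
    flat records similar in spirit to the plugin's output (field names are assumed)."""
    records = []
    for binding in bindings:
        _, filter_name = split_reference(binding["Filter"])
        consumer_cls, consumer_name = split_reference(binding["Consumer"])
        flt = filters.get(filter_name, {})
        consumer = consumers.get(consumer_cls, {}).get(consumer_name, {})
        sid = property_value_safe(flt, "CreatorSID")
        records.append({
            "filter_name": filter_name,
            "filter_query": property_value_safe(flt, "Query", ""),
            "consumer_type": consumer_cls,
            "consumer_name": consumer_name,
            # CommandLineEventConsumer carries a command line, ActiveScriptEventConsumer a script body
            "command": property_value_safe(consumer, "CommandLineTemplate")
                       or property_value_safe(consumer, "ScriptText", ""),
            "creator_sid": parse_sid(sid) if sid else None,
        })
    return records

# Constructed sample data standing in for instances from the root\subscription namespace.
ADMIN_SID = bytes([1, 2, 0, 0, 0, 0, 0, 5]) + (32).to_bytes(4, "little") + (544).to_bytes(4, "little")
FILTERS = {"BootFilter": {"Query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'",
                          "QueryLanguage": "WQL", "CreatorSID": ADMIN_SID}}
CONSUMERS = {"CommandLineEventConsumer": {"BootRunner": {"CommandLineTemplate": "C:\\Windows\\Temp\\agent.exe"}}}
BINDINGS = [{"Filter": '\\\\.\\root\\subscription:__EventFilter.Name="BootFilter"',
             "Consumer": 'CommandLineEventConsumer.Name="BootRunner"'}]

if __name__ == "__main__":
    for record in resolve_bindings(BINDINGS, FILTERS, CONSUMERS):
        print(record)
```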