dissect.target.plugins.os.windows.cim

Module Contents

Classes

EventFilter

Extracted information from __EventFilter.

CimPlugin

CIM database plugin.

Functions

get_property_value_safe

Extract the value of a consumer property, falling back to default_value if the property is missing.

get_filter_name

Return the unquoted filter name from a __FilterToConsumerBinding class instance.

get_creator_sid

Extract and parse the CreatorSID member, if available.

Attributes

dissect.target.plugins.os.windows.cim.COMMON_ELEMENTS = [('string', 'creator_sid'), ('string', 'machine_name'), ('string', 'filter_query'), ('string',...
dissect.target.plugins.os.windows.cim.CommandLineEventConsumerRecord
dissect.target.plugins.os.windows.cim.ActiveScriptEventConsumerRecord
class dissect.target.plugins.os.windows.cim.EventFilter

Extracted information from __EventFilter.

References

filter_name: str = ''
filter_query: str = ''
filter_query_language: str = ''
filter_creator_sid: str = ''
dissect.target.plugins.os.windows.cim.get_property_value_safe(consumer: dissect.cim.cim.Instance, prop_name: str, default_value: str | None = None) str | None

Extract the value of a consumer property, falling back to default_value if the property is missing.

dissect.target.plugins.os.windows.cim.get_filter_name(binding: dissect.cim.cim.Instance) str

Return the unquoted filter name from a __FilterToConsumerBinding class instance.

dissect.target.plugins.os.windows.cim.get_creator_sid(class_instance: dissect.cim.cim.Instance) str | None

Extract and parse the CreatorSID member, if available.

class dissect.target.plugins.os.windows.cim.CimPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

CIM database plugin.

Provides functions for getting useful data out of the CIM (WBEM) database.

__namespace__ = 'cim'

Defines the plugin namespace.

check_compatible() None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

repo() dissect.cim.cim.CIM
consumerbindings() collections.abc.Iterator[ActiveScriptEventConsumerRecord | CommandLineEventConsumerRecord]

Return all ActiveScriptEventConsumer and CommandLineEventConsumer instances, joined to the event filters they are bound to.

WMI permanent event subscriptions can be used to trigger actions when specified conditions are met. Attackers often use this functionality to persist the execution of backdoors at system startup. A subscription consists of three objects stored in the root\subscription namespace of the CIM repository: a WMI Filter (__EventFilter) defines the WQL condition that fires the subscription, a WMI Consumer specifies the action to be performed (executing a command, running a script, adding an entry to a log, or sending an email), and a __FilterToConsumerBinding links one filter to one consumer by object path. Only the consumer classes that execute code (ActiveScriptEventConsumer and CommandLineEventConsumer) are returned here; the CreatorSID of each object records which account created it.

References