dissect.target.plugins.os.windows.cim

Module Contents

Classes

CimPlugin

CIM database plugin.

Attributes

ConsumerBindingRecord

dissect.target.plugins.os.windows.cim.ConsumerBindingRecord

class dissect.target.plugins.os.windows.cim.CimPlugin(target)

Bases: dissect.target.plugin.Plugin

CIM database plugin.

Provides functions for getting useful data out the CIM (WBEM) database.

__namespace__ = 'cim'

Defines the plugin namespace.

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

repo() → dissect.cim.cim.CIM

consumerbindings() → Iterator[ConsumerBindingRecord]

Return all __FilterToConsumerBinding queries.

WMI permanent event subscriptions can be used to trigger actions when specified conditions are met. Attackers often use this functionality to persist the execution of backdoors at system start up. WMI Consumers specify an action to be performed, including executing a command, running a script, adding an entry to a log, or sending an email. WMI Filters define conditions that will trigger a Consumer.

References

• https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/

• https://www.mandiant.com/resources/dissecting-one-ofap

• https://support.sophos.com/support/s/article/KB-000038535?language=en_US&c__displayLanguage=en_US