valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-08 10:23:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1a0aa988f1
osquery-1/specs/windows/wmi_cli_event_consumers.table

13 lines
1.3 KiB
Plaintext
Raw Blame History

table_name("wmi_cli_event_consumers")
description("WMI CommandLineEventConsumer, which can be used for persistance on Windows. https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf")
schema([
Column("name", TEXT, "Unique name of a consumer."),
Column("command_line_template", TEXT, "Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line."),
Column("executable_path", TEXT, "Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed."),
Column("class", TEXT, "The name of the class."),
Column("relative_path", TEXT, "Relative path to the class or instance."),
])
implementation("wmi_cli_event_consumers@genWmiCliConsumers")
examples([
"select filter,consumer,query,command_line_template,wcec.name from wmi_cli_event_consumers wcec left outer join wmi_filter_consumer_binding wcb on consumer = wcec.relative_path left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;",
])
Reference in New Issue View Git Blame Copy Permalink