mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-08 02:18:53 +00:00
15 lines
1.4 KiB
Plaintext
15 lines
1.4 KiB
Plaintext
table_name("wmi_script_event_consumers")
|
|
description("WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.")
|
|
schema([
|
|
Column("name", TEXT, "Unique identifier for the event consumer. "),
|
|
Column("scripting_engine", TEXT, "Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL."),
|
|
Column("script_file_name", TEXT, "Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property."),
|
|
Column("script_text", TEXT, "Text of the script that is expressed in a language known to the scripting engine. This property must be NULL if the ScriptFileName property is not NULL."),
|
|
Column("class", TEXT, "The name of the class."),
|
|
Column("relative_path", TEXT, "Relative path to the class or instance."),
|
|
])
|
|
implementation("wmi_script_event_consumers@genScriptConsumers")
|
|
examples([
|
|
"select filter,consumer,query,scripting_engine,script_file_name,script_text,wsec.name from wmi_script_event_consumers wsec left outer join wmi_filter_consumer_binding wcb on consumer = wsec.relative_path left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;",
|
|
])
|