wmi_script_event_consumers
==========================

WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.

Platform support
----------------

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected.

**Running a query against an unsupported platform will result in the following error:**

``no such table: wmi_script_event_consumers``

- Windows

Table schema
------------

================ ==== ========================================================================================================================================================
Name             Type Description
================ ==== ========================================================================================================================================================
name             TEXT Unique identifier for the event consumer.
scripting_engine TEXT Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL.
script_file_name TEXT Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property.
script_text      TEXT Text of the script that is expressed in a language known to the scripting engine. This property must be NULL if the ScriptFileName property is not NULL.
class            TEXT The name of the class.
relative_path    TEXT Relative path to the class or instance.
================ ==== ========================================================================================================================================================

Query examples
--------------

.. code-block:: sql

    select filter, consumer, query, scripting_engine, script_file_name, script_text, wsec.name
    from wmi_script_event_consumers wsec
    left outer join wmi_filter_consumer_binding wcb on consumer = wsec.relative_path
    left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;