wmi_cli_event_consumers¶
WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.
Platform support¶
Please be aware that some queries can only be run against certain platforms. Below is a list of the supported platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: wmi_cli_event_consumers
Windows
Table schema¶
Name |
Type |
Description |
|---|---|---|
name |
TEXT |
Unique name of a consumer. |
command_line_template |
TEXT |
Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line. |
executable_path |
TEXT |
Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed. |
class |
TEXT |
The name of the class. |
relative_path |
TEXT |
Relative path to the class or instance. |
Query examples¶
select filter,consumer,query,command_line_template,wcec.name from wmi_cli_event_consumers wcec left outer join wmi_filter_consumer_binding wcb on consumer = wcec.relative_path left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;