# -*- coding: utf-8 -*-
"""
Loki WMI Scanner plugin
2018/04/20
2018/04/21
Author: @DidierStevens
"""
import hashlib
import sys
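def _fingerprint(instance):
    """Return the MD5 hex digest of ``str(instance)`` (the instance's MOF text).

    Works on both Python 2 (``str`` is already bytes) and Python 3 (``str``
    must be encoded first).  The original ``hashlib.md5(str(instance))``
    raises TypeError on Python 3; the bare ``except`` around it then
    swallowed the error, so every instance was logged at INFO and the
    WARNING for an unknown subscription could never fire.  MD5 is used here
    only as an allow-list key, not as a security primitive.
    """
    data = str(instance)
    if not isinstance(data, bytes):
        data = data.encode('utf-8')
    return hashlib.md5(data).hexdigest()


def _query_wmi_class(oWMI, className):
    """Return all instances of ``className`` from ``oWMI``, or ``[]`` on error.

    A failed query is logged at WARNING under the "WMIScan" tag with the
    same message text as the original per-class handlers.  ``getattr`` is
    used because the class names start with a double underscore.
    """
    try:
        return getattr(oWMI, className)()
    except Exception:
        logger.log("WARNING", "WMIScan", 'Error retrieving %s' % className)
        return []


def _report_unknown(instances, className, properties, knownHashes):
    """Log a WARNING for each instance whose fingerprint is not allow-listed.

    ``properties`` names the WMI properties included in the message, e.g.
    ``('Name', 'Query')``; the resulting layout
    ``CLASS: <class> MD5: <hash> NAME: <...> QUERY: <...>`` is identical to
    the original hand-written messages.  An instance that cannot be hashed
    or whose properties cannot be read is logged at INFO with its repr, so
    a single odd instance never aborts the scan.
    """
    labels = ' '.join('%s: %%s' % prop.upper() for prop in properties)
    fmt = 'CLASS: %s MD5: %%s %s' % (className, labels)
    for instance in instances:
        try:
            hashEntry = _fingerprint(instance)
            if hashEntry not in knownHashes:
                values = tuple(instance.wmi_property(prop).value for prop in properties)
                logger.log("WARNING", "WMIScan", fmt % ((hashEntry,) + values))
        except Exception:
            logger.log("INFO", "WMIScan", repr(str(instance)))


def ScanWMI():
    """Scan the ``root\\subscription`` WMI namespace for event-subscription persistence.

    Enumerates ``__eventFilter``, ``__FilterToConsumerBinding``,
    ``CommandLineEventConsumer`` and ``ActiveScriptEventConsumer`` instances
    and logs a WARNING for every filter, binding or command-line consumer
    whose MD5 fingerprint is not in the ``knownHashes`` allow-list.
    ActiveScript consumers are always logged at INFO with their repr.

    Only runs on Windows (``sys.platform`` in win32/cygwin); elsewhere it is
    a no-op.  Needs the third-party ``wmi`` module and the ``logger`` object
    that loki.py places in this plugin's globals.

    Returns:
        None.  All findings are reported through ``logger.log``.
    """
    global logger  # logger is defined in loki.py.__main__
    if sys.platform not in ("win32", "cygwin"):
        return
    try:
        import wmi
    except ImportError:
        logger.log("CRITICAL", "WMIScan", "Unable to import wmi")
        print("Unable to import wmi")
        # Nothing can be scanned without the module; the original fell
        # through here and crashed with AttributeError on ``None.WMI``.
        return

    oWMI = wmi.WMI(namespace=r'root\subscription')
    # Fingerprints of instances treated as known/benign (presumably the stock
    # subscriptions of a default Windows install -- TODO confirm).  Any
    # instance not in this set is reported, so a modified stock entry shows
    # up as well as a new one.
    knownHashes = frozenset([
        '159e2bcde798cf5fbb290f90a7ccc1a6',
        '20d385446e60cf9134792d5b145c54bb',
        '65c80cb7a9094b32c3f9982887b9862a',
        '6ddb270d17551138747ad7c1bc3db9b3',
        'de5b1c4f59c4463f8e9b70cbe1156976',
    ])

    leventFilter = _query_wmi_class(oWMI, '__eventFilter')
    lFilterToConsumerBinding = _query_wmi_class(oWMI, '__FilterToConsumerBinding')
    lCommandLineEventConsumer = _query_wmi_class(oWMI, 'CommandLineEventConsumer')
    lActiveScriptEventConsumer = _query_wmi_class(oWMI, 'ActiveScriptEventConsumer')

    _report_unknown(leventFilter, '__eventFilter', ('Name', 'Query'), knownHashes)
    _report_unknown(lFilterToConsumerBinding, '__FilterToConsumerBinding',
                    ('Consumer', 'Filter'), knownHashes)
    _report_unknown(lCommandLineEventConsumer, 'CommandLineEventConsumer',
                    ('Name', 'CommandLineTemplate'), knownHashes)
    # Script consumers are not fingerprinted; every instance is surfaced
    # for the analyst to review.
    for ActiveScriptEventConsumer in lActiveScriptEventConsumer:
        logger.log("INFO", "WMIScan", repr(str(ActiveScriptEventConsumer)))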
# Hook the scanner into Loki's plugin host.  LokiRegisterPlugin is not imported
# here; presumably loki.py places it (like ``logger``) in this module's
# namespace when it loads the plugin, which is why flake8 sees it as undefined.
# NOTE(review): the third argument looks like a priority/order value -- confirm
# against loki.py before changing it.
LokiRegisterPlugin("PluginWMI", ScanWMI, 1) # noqa: F821 undefined name 'LokiRegisterPlugin'