How to use the artifacts.win_artifacts.AbstractWMIArtifact function in artifacts



LABELS = ["Software"]
  SUPPORTED_OS = ["Windows"]
  COLLECTORS = [
      Collector(action="CollectArtifactFiles",
                args={"artifact_list": ["WindowsPersistenceMechanisms"],
                      "pathspec_attribute": "pathspec"},
                returned_types=["StatEntry"])
      ]


################################################################################
#  User Artifacts
################################################################################


class WindowsAdminUsers(AbstractWMIArtifact):
  """Extract the members of the local Administrators group via WMI.

  A single WMIQuery collector selects every row of Win32_GroupUser whose
  Name equals "Administrators".

  NOTE(review): Win32_GroupUser is an association class keyed on
  GroupComponent/PartComponent; confirm that a `Name` filter is accepted by
  WQL for it on the target hosts.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(
          action="WMIQuery",
          args={
              "query": (
                  'SELECT * from Win32_GroupUser where Name = "Administrators"'
              ),
          },
      ),
  ]


class WindowsLoginUsers(AbstractWMIArtifact):
  """Extract the Login Users on Windows via WMI.

  If on a domain this will query the domain which may take a long time and
  create load on a domain controller.
]


class WindowsDrivers(AbstractWMIArtifact):
  """Extract the installed system drivers via WMI.

  Queries Win32_SystemDriver for an explicit column list (display name,
  description, install date, name, path, status, state, service type)
  instead of SELECT *, which keeps the returned rows small.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(
          action="WMIQuery",
          args=dict(
              query=(
                  "SELECT DisplayName, Description, InstallDate, Name, PathName, "
                  "Status, State, ServiceType from Win32_SystemDriver"
              ),
          ),
      ),
  ]


class WindowsHotFixes(AbstractWMIArtifact):
  """Extract the installed hotfixes (Windows updates) via WMI.

  One WMIQuery collector returning every row of Win32_QuickFixEngineering.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(
          action="WMIQuery",
          args=dict(query="SELECT * from Win32_QuickFixEngineering"),
      ),
  ]


class WindowsRunKeys(Artifact):
  """Collect windows run keys."""
  LABELS = ["Software"]
  SUPPORTED_OS = ["Windows"]
  COLLECTORS = [
class SecurityEventLog(AbstractEventLog):
  """Windows Security Event Log.

  Fetches the on-disk log file from under %%environ_systemroot%% with a
  single GetFile collector.

  NOTE(review): the path names a legacy `.evt` file; on Windows Vista and
  later the Security log is normally `Security.evtx` in the same directory,
  so verify this path against the target OS versions.
  """
  COLLECTORS = [
      Collector(
          action="GetFile",
          args=dict(
              path="%%environ_systemroot%%\\System32\\winevt\\Logs\\SecEvent.evt",
          ),
      ),
  ]


################################################################################
#  Software Artifacts
################################################################################


class WindowsWMIInstalledSoftware(AbstractWMIArtifact):
  """Extract installed (MSI-registered) software via WMI.

  Selects name, vendor, description, install dates and version from
  Win32_Product.

  NOTE(review): enumerating Win32_Product is widely reported to make the
  Windows Installer run a consistency check on every registered product,
  which is slow and can trigger repairs on the host; confirm this is
  acceptable before running the artifact broadly.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(
          action="WMIQuery",
          args={
              "query": (
                  "SELECT Name, Vendor, Description, InstallDate, InstallDate2, "
                  "Version from Win32_Product"
              ),
          },
      ),
  ]


class WindowsDrivers(AbstractWMIArtifact):
  """Extract the installed drivers on Windows via WMI."""
  LABELS = ["Software"]

  COLLECTORS = [
################################################################################


class WindowsAdminUsers(AbstractWMIArtifact):
  """Extract the members of the local Administrators group via WMI.

  Issues one WMIQuery against Win32_GroupUser filtered on
  Name = "Administrators".

  NOTE(review): Win32_GroupUser is an association class
  (GroupComponent/PartComponent); verify that filtering on `Name` is valid
  WQL for it before relying on the result.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(
          action="WMIQuery",
          args=dict(
              query='SELECT * from Win32_GroupUser where Name = "Administrators"',
          ),
      ),
  ]


class WindowsLoginUsers(AbstractWMIArtifact):
  """Extract the login users on Windows via WMI.

  Runs one WMIQuery against Win32_GroupUser filtered on
  Name = "login_users". On a domain-joined host the query goes to the
  domain, which may take a long time and put load on a domain controller.

  NOTE(review): Win32_GroupUser exposes GroupComponent/PartComponent rather
  than a Name property; confirm this filter returns rows on the target
  hosts.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(
          action="WMIQuery",
          args={
              "query": (
                  'SELECT * from Win32_GroupUser where Name = "login_users"'
              ),
          },
      ),
  ]


class WMIProcessList(AbstractWMIArtifact):
################################################################################


class WindowsWMIInstalledSoftware(AbstractWMIArtifact):
  """Extract installed software registered with Windows Installer via WMI.

  One WMIQuery collector selecting Name, Vendor, Description, InstallDate,
  InstallDate2 and Version from Win32_Product.

  NOTE(review): querying Win32_Product is widely reported to trigger a
  Windows Installer consistency check (and possibly repairs) of every
  registered product on the host; weigh that cost before collecting this
  fleet-wide.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(
          action="WMIQuery",
          args=dict(
              query=(
                  "SELECT Name, Vendor, Description, InstallDate, InstallDate2, "
                  "Version from Win32_Product"
              ),
          ),
      ),
  ]


class WindowsDrivers(AbstractWMIArtifact):
  """Extract the installed system drivers via WMI.

  Selects a fixed column set from Win32_SystemDriver: DisplayName,
  Description, InstallDate, Name, PathName, Status, State and ServiceType.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(
          action="WMIQuery",
          args={
              "query": (
                  "SELECT DisplayName, Description, InstallDate, Name, PathName, "
                  "Status, State, ServiceType from Win32_SystemDriver"
              ),
          },
      ),
  ]


class WindowsHotFixes(AbstractWMIArtifact):
  """Extract the installed hotfixes on Windows via WMI."""
  LABELS = ["Software"]

  COLLECTORS = [
"""Extract the Login Users on Windows via WMI.

  If on a domain this will query the domain which may take a long time and
  create load on a domain controller.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(action="WMIQuery",
                args={"query": "SELECT * "
                               "from Win32_GroupUser where Name = \"login_users\""}
               )
  ]


class WMIProcessList(AbstractWMIArtifact):
  """Extract the running process list on Windows via WMI.

  A single WMIQuery collector returning every row of Win32_Process.
  """
  LABELS = ["Software"]

  COLLECTORS = [
      Collector(
          action="WMIQuery",
          args=dict(query="SELECT * from Win32_Process"),
      ),
  ]


################################################################################
#  Network Artifacts
################################################################################