..
    generated, remove this comment to keep this file

``cim.consumerbindings``
========================

.. code-block:: console

    $ target-query <path/to/target> -f cim.consumerbindings


.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``os.windows.cim.CimPlugin``
    * - Output
      - ``records``

**Module documentation**

CIM database plugin.

Provides functions for getting useful data out the CIM (WBEM) database.

**Function documentation**

Return all __FilterToConsumerBinding queries.

WMI permanent event subscriptions can be used to trigger actions when specified conditions are met. Attackers
often use this functionality to persist the execution of backdoors at system start up. WMI Consumers specify an
action to be performed, including executing a command, running a script, adding an entry to a log, or sending
an email. WMI Filters define conditions that will trigger a Consumer.

References:
    - https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/
    - https://www.mandiant.com/resources/dissecting-one-ofap
    - https://support.sophos.com/support/s/article/KB-000038535?language=en_US&c__displayLanguage=en_US