To get this to work, Cuckoo requires an extra auxiliary module for this purpose. Along with the Python WMI module installed on the guest, or at least I ended up using the WMI module, but you could easily use pywin32.
As you already have Python installed on the guest, you can use pip to install it.
Cuckoo runs any auxiliary module that is available in the directory:
So this got me thinking (I know, crazy times!), as I have been doing some other work with EMET or rather logs from EMET. Why not combine the code above with EMET on the guest?
Obviously you need to install EMET (on the guest), do that and make sure it's active. Configure it after your specific needs. As your main goal might not be, to only catch EMET in action, you will need to configure EMET from the default blocking to audit mode. This will allow the malicious code to continue running even if it's detected by EMET.
from lib.common.abstracts import Auxiliary
from lib.common.results import NetlogFile
log = logging.getLogger(__name__)
dadada = 
log.info("Starting EMET auxilary module")
log.info("Collecting EMET events...")
c = wmi.WMI(privileges=['Security'])
for event in c._raw_query('SELECT * FROM Win32_NTLogEvent'):
if event.SourceName == "EMET":
#https://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx maybe add more values?
dadada.append([event.SourceName, event.Category, event.Type, event.ComputerName, event.User, event.Message])
bleekscheet = "\n".join(str(x) for x in dadada)
nf = NetlogFile()
Example of EMET events retrieved from the guest:
[u'EMET', 0, u'Error', u'<COMPUTERNAME>', None, u'EMET version 5.5.5871.31892\nEMET detected MemProt mitigation in iexplore.exe\r\n\r\nMemProt check failed:\n Application \t: C:\\Program Files\\Internet Explorer\\iexplore.exe\n User Name \t: <COMPUTERNAME>\\<USER>\n Session ID \t: 1\n PID \t\t: 0x474 (1140)\n TID \t\t: 0x81C (2076)\n API Name \t: kernel32.VirtualProtect\n ReturnAddress \t: 0x0000000000446E60\n CalledAddress \t: 0x000007FEFDA031E0\n StackPtr \t: 0x00000000029AF4D0\n']
[u'EMET', 0, u'Error', u'<COMPUTERNAME>', None, u'EMET version 5.5.5871.31892\nEMET detected StackPivot mitigation in iexplore.exe\r\n\r\nStackPivot check failed:\n Application \t: C:\\Program Files\\Internet Explorer\\iexplore.exe\n User Name \t: <COMPUTERNAME>\\<USER>\n Session ID \t: 1\n PID \t\t: 0x71C (1820)\n TID \t\t: 0x46C (1132)\n API name \t: kernel32.WinExec\n ReturnAddress \t: 0x000000007775C8FF\n CalledAddress \t: 0x00000000775B8D80\n Thread stack area range: [0x3172000..0x3180000]\n StackPtr \t: 0x000000000543FB30\n']
Please note that the coding style is not officially approved by @skier_t =)(but I'm as always very grateful for his help!) Hopefully there will be a better way of doing this in the future, natively in Cuckoo.