Retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password.

AMT Forensics for Linux

This README contains instructions on how to use the scripts in this repository to retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password. The ideas from the script can be used to retrieve other pertinent information from Intel AMT via the ME Interface (MEI).



  1. Linux machine with a provisioned AMT
  • For testing, you can manually provision AMT yourself in 10 steps.
  • Make sure /dev/mei exists.
    • You may need to sudo ln -s /dev/mei0 /dev/mei.
    • If this doesn't exist then this most likely means AMT is not enabled & provisioned.
  2. Python & OpenWSMAN installed
  • Python 2.7 with python-enum34 (sudo apt-get install python-enum34)
  • The wsman binary in $PATH:


The Local Manageability Service (LMS) for Linux needs to be built and started:

  1. Download lms-8.0.0-7.tar.gz and unzip it. You can read more info about LMS for Linux here.
  2. Copy lms.patch from this repository into the unzipped directory.
  3. Carry out the following commands:
user@host:~/Downloads/lms-8.0.0-7$ patch -p1 < lms.patch
user@host:~/Downloads/lms-8.0.0-7$ chmod u+x configure
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ # fix problems and re-run until all OK.
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms

You should be able to load http://localhost:16992/ in your browser now.

Note: On some machines, restarting lms and/or the machine is required.

If problems continue, re-try with debugging enabled:

user@host:~/Downloads/lms-8.0.0-7$ make clean
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-debug --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms


Once LMS is successfully running as per above, start a new shell:

user@host:~$ cd amt-forensics/
user@host:~/amt-forensics$ chmod u+x
user@host:~/amt-forensics$ sudo ls # does a hidden sudo
user@host:~/amt-forensics$ ./
user@host:~/amt-forensics$ python ./ > decoded_log.txt
user@host:~/amt-forensics$ cat decoded_log.txt # Sample Output as example.
    "EventID": "AMT Provisioning Started",
    "InitType": "HTTP_DIGEST",
    "UsernameLength": 9,
    "Username": "$$OsAdmin",
    "TimeStamp": 1072922804,
    "TimeStamp_readable": "2004-01-01 03:06:44",
    "MCLocationType": "IPV4_ADDR",
    "NetAddressLength": 9,
    "NetAddress": "",
    "ExtendedDataLength": 4,
    "ExtendedData": "V\"\u00b8\u009c"
    "EventID": "AMT Provisioning Started",
    "InitType": "LOCAL_INITIATOR",
    "TimeStamp": 1506659359,
    "TimeStamp_readable": "2017-09-29 06:29:19",
    "MCLocationType": "NONE",
    "NetAddressLength": 0,
    "ExtendedDataLength": 0

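The two TimeStamp_readable values in the sample output are offset from UTC by one and two hours respectively, so correlating the audit log with other evidence is safer when done from the raw TimeStamp field. The following is an added example, not one of this repository's scripts: it builds a UTC timeline from decoded records and notes fields whose declared length disagrees with the decoded value. It assumes Python 3 and that the records have been loaded into dicts; the function names and the not_before cutoff are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample: field names and values copied from the sample output,
# loaded into dicts (assumption: one dict per decoded audit log record).
SAMPLE_RECORDS = [
    {"EventID": "AMT Provisioning Started", "InitType": "LOCAL_INITIATOR",
     "TimeStamp": 1506659359, "MCLocationType": "NONE",
     "NetAddressLength": 0, "ExtendedDataLength": 0},
    {"EventID": "AMT Provisioning Started", "InitType": "HTTP_DIGEST",
     "UsernameLength": 9, "Username": "$$OsAdmin", "TimeStamp": 1072922804,
     "MCLocationType": "IPV4_ADDR", "NetAddressLength": 9, "NetAddress": "",
     "ExtendedDataLength": 4, "ExtendedData": "V\"\u00b8\u009c"},
]

def to_utc(ts):
    """Render an epoch TimeStamp as ISO 8601 UTC, independent of the local TZ."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def review_notes(rec, not_before):
    """Return reasons an analyst should look at this record more closely."""
    notes = []
    if rec["TimeStamp"] < not_before:
        notes.append("TimeStamp earlier than cutoff")
    # A declared length that disagrees with the decoded value points to a
    # truncated, redacted or mis-decoded field.
    for field in ("Username", "NetAddress", "ExtendedData"):
        declared = rec.get(field + "Length", 0)
        actual = len(rec.get(field, ""))
        if declared != actual:
            notes.append("%s: declared length %d, decoded %d" % (field, declared, actual))
    if rec.get("MCLocationType", "NONE") != "NONE":
        notes.append("MCLocationType=%s" % rec["MCLocationType"])
    return notes

def build_timeline(records, not_before):
    """Sort records by TimeStamp and attach the UTC time and review notes."""
    return [{"utc": to_utc(r["TimeStamp"]), "event": r["EventID"],
             "init": r.get("InitType"), "notes": review_notes(r, not_before)}
            for r in sorted(records, key=lambda r: r["TimeStamp"])]

if __name__ == "__main__":
    # not_before is a hypothetical analyst-chosen cutoff: 2017-01-01 00:00:00 UTC
    for row in build_timeline(SAMPLE_RECORDS, not_before=1483228800):
        print(row["utc"], row["event"], row["init"], "; ".join(row["notes"]) or "-")
```
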
Web Interface Login

To log in via http://localhost:16992/logon.htm, you can obtain the password for the user $$osAdmin as follows:

user@host:~/amt-forensics$ sudo python
[Password String]

You can then use the username $$osAdmin and the printed password string to log in.

Info from all APIs

The script under the all_api_calls directory will attempt to gather info from all available AMT WSMAN APIs. This can be useful for manual searching & inspiration during forensics.


This is not an official Google product.
