Inventory of IT assets using standard Windows tools with minimal access rights

Colleagues, in the previous articlewe discussed how to effectively work with Windows audit events. However, to build an integrated information security management system, it is important not only to respond to cyber incidents in a timely manner - it is necessary first of all to understand what exactly we are protecting. Building a correct model of threats and intruders, building a cyber risk management system, managing vulnerabilities and many other information security processes requires a fundamental foundation - IT asset management. A clear vision of the infrastructure, accounting for software and hardware, their interactions and dependencies will be the key to building a competent cyber defense system. In this technical article, we will show you how to take inventory of IT assets, while implementing the principle of least privilege, using the functionality of the remote registry, WMI and WinRM.





Introduction

. – , , , . (, , , ) (, , , , , , , ). (. Asset Management) - , , , , (.. -). . , " " . 2.2 . ")" , , - . « » , , ( .4). №239 « » ( .1). . , ISO 27001:2013 A.8.1.1 ”Inventory of assets”. NIST SP 800-53 CM-8 ”System component inventory” PM-5 ”System inventory”. , NIST “Cybersecurity Framework” ID.AM-1 ID.AM-2, , , NIST SP 1800-5 ”IT Asset Management” (« -») -.





- CMDB (Configuration Management Database, ), , , . (, , , ) (, , , ) CMDB CI (Configuration Items, ). CMDB (ITAM, IT Asset Management), , ,   , , -. , .





CMDB/ITAM- , " " . ( Windows ) , "least privilege". , , , , ( ).





( , , , ), . : . - , , : , (footprint) , ... , , . , /- Windows- , , Windows- . - .. replay- ( ), Pass-the-Hash Pass-the-Ticket. lsass.exe NTLM- Kerberos- . , , lsass.exe , NTLM- / Kerberos-. , , . , (least privilege), , , «», .





Windows- . domain.local\Scan, , pcname.domain.local, Windows. Protected Users, Kerberos- TGT-, 4 ( 10 ), AES . , , . , IP- Windows NTLM, Kerberos, Active Directory DNS-.





, Windows: WMI. , Windows , , PowerShell Remoting Constrained Endpoints Just Enough Administration. , , , Windows Server 2003 Windows XP, , , WMI, WinRM.





1.

( DACL , ). , human-readable . 





1)

  1. : TCP: 135 (MS RPC), 445 (SMB, compmgmt.msc - " " - "" " ").





  2. " " (RemoteRegistry).





  3. , .





  4. HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg . , .





  5. HKLM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths Machine , 3. , () . Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Network access: Remotely accessible registry paths and sub-paths ( \ Windows \ \ \  \  : ). , ,   AllowedExactPaths, Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options \ Network access: Remotely accessible registry paths ( \ Windows \ \ \  -  : . ). , , , HKLM\Security\Cache ( ), HKLM\SAM\SAM ( ), HKLM\Security\Policy\Secrets ( LSA secrets).





  6. 6. ACL " " (RemoteRegistry).





2)

, , : 





$list=@()

$pcname = 'pcname.domain.local'

$InstalledSoftwareKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"

$InstalledSoftware=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine',$pcname)

$RegistryKey=$InstalledSoftware.OpenSubKey($InstalledSoftwareKey) 

$SubKeys=$RegistryKey.GetSubKeyNames()

Foreach ($key in $SubKeys){

$thisKey=$InstalledSoftwareKey+"\\"+$key

$thisSubKey=$InstalledSoftware.OpenSubKey($thisKey)

$obj = New-Object PSObject

$obj | Add-Member -MemberType NoteProperty -Name "DisplayName" -Value $($thisSubKey.GetValue("DisplayName"))

$obj | Add-Member -MemberType NoteProperty -Name "DisplayVersion" -Value $($thisSubKey.GetValue("DisplayVersion"))

$obj | Add-Member -MemberType NoteProperty -Name "DisplayIcon" -Value $($thisSubKey.GetValue("DisplayIcon"))

$obj | Add-Member -MemberType NoteProperty -Name "InstallLocation" -Value $($thisSubKey.GetValue("InstallLocation"))

$list += $obj

}

$list | FL *
      
      



 , , WMI- Win32_Product (, Get-WmiObject -Class Win32_Product) , , . (, ), WMI WinRM.





3)

  Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration \ Audit Policies \ Object Access \ Audit Registry - Enable ( \ Windows \ \ \ \ \ - ). SACL ( ) , .





GPO. " " (RemoteRegistry) ( , ) "" (Security) EventID=4663 , , .





2. WMI- DCOM

WMI- WMI Microsoft Windows Windows 98 . WMI , WMI . WMI WinRM , Windows XP 2003/2008 - . 





1)

 1. : WMI – , DCOM, MS RPC. TCP:135 , TCP-. - DCOM- DCOM (dcomcnfg), " " " " " ", ( 1000 ).





Windows Server 2008 WMI DCOM (dcomcnfg), " " " ",   " DCOM" "Windows Management and Instrumentation". " " "", "TCP/IP " , radio-button " ", TCP-, TCP:31000.





, ,





winmgmt -standalonehost





" Windows" (Windows Management Instrumentation, winmgmt ) , ,





net stop winmgmt /yes && net start winmgmt





WMI- TCP:31000 Windows Firewall, "WMIFixedPort"





netsh advfirewall firewall add rule name="WMIFixedPort" dir=in action=allow protocol=TCP localport=31000 enable=yes profile=domain









winmgmt -sharedhost





winmgmt. Windows Firewall .





 2. WMI " Windows" (Windows Management Instrumentation, winmgmt ).





 3. . Domain Users, Authenticated Users, Interactive. Authenticated Users (SID S-1-5-11) (User accounts) (Computer accounts). , . , Windows UAC.





 4. WMI-. WMI- WMI- WMI- "Root" " " (Enable account) " " (Remote enable). WMI-, , " " (Execute method). wmimgmt.msc - WMI - "", "Root".





, WMI "Root" - , , Root\CIMV2\Security\MicrosoftVolumeEncryption, BitLocker- , DACL WMI-.





, , WMI-. ( , Security Descriptor, SD) WMI- "Root" , WMI- , :





wmic /namespace:\\root /output:"C:\folder\sd.txt" path __systemsecurity call getSD





, SD, .. ,





SD = {1, 0, 4, 128, 148, 0, 0, 0, ... 0}





, , VBS- :  





strSD = array(1,0,4,128,148,0,0,0,...0)

set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root")

set security = namespace.get("__systemsecurity=@")

nStatus = security.setsd(strSD)
      
      



.vbs Windows. . DACL WMI-, "Root", . , MicrosoftVolumeEncryption :





wmic /namespace:\\root\CIMV2\Security\MicrosoftVolumeEncryption /output:"C:\folder\sd.txt" path __systemsecurity call getSD









strSD = array(1,0,4,128,148,0,0,0,...0)

set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\CIMV2\Security\MicrosoftVolumeEncryption")

set security = namespace.get("__systemsecurity=@")

nStatus = security.setsd(strSD)
      
      



5. DCOM





WMI DCOM, WMI- . " DCOM" (DCOM Users), DCOM. :





 





1) GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - DCOM: Machine Access Restrictions in SDDL syntax ( \ Windows \ \ \  -  DCOM: SDDL), " " (Remote Access).





HKLM \ Software \ Policies \ Microsoft \ Windows NT \ DCOM, MachineAccessRestriction, , SDDL-.





  dcomcnfg, " ", " COM" " " " ..." " ".





2) GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - DCOM: Machine Launch Restrictions in SDDL syntax ( \ Windows \ \ \  -  DCOM: SDDL), " " (Remote Launch) " " (Remote Activation).





HKLM - Software - Policies - Microsoft - Windows NT - DCOM, MachineLaunchRestriction, , SDDL-.





  dcomcnfg, " ", " COM" " " " ..." " " " ".





3) DCOM DCOM- "Windows Management and Instrumentation": DCOM (dcomcnfg), " " " ",   " DCOM" "Windows Management and Instrumentation". "" " " ( " " " " ), " " ( " " ), " " ( "" " ", " ", "", " " ).





6. WMI .





WMI , WMI- , , WMI- .





, WMI/DCOM, : .





 1) " " (Impersonation level), , . "Impersonate" (""). HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting "Default Impersonation Level" - "3" "Impersonate", WMI .





, DCOM , "" (Identify), , "" (Impersonate). DCOM (dcomcnfg), " " " ",   " " " " "".





, DWORD- "LegacyImpersonationLevel" "3" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole , "Impersonate".





2) " " (Authentication level), (, ) , WMI/DCOM. WMI Connect (""), Packet Privacy (" "). DCOM (dcomcnfg), " " " ",   " DCOM" "Windows Management and Instrumentation". "" " " " ".





, " " (App ID) "Windows Management and Instrumentation", , DCOM (dcomcnfg), " " " ", " DCOM" "Windows Management and Instrumentation" - "" " " (Application ID).





HKLM\SOFTWARE\Classes\AppID\{ } DWORD- AuthenticationLevel "6", Packet Privacy (" "), .





, DCOM , "" (Connect), , Packet Privacy (" "). DCOM (dcomcnfg), " " " ",   " " " " " ".





, DWORD- "LegacyAuthenticationLevel" "6" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole , "Packet Privacy".





7. WMI " Windows" (Windows Management Instrumentation, winmgmt). DCOM .





2)

WMI- WMI- , "" wmic (Windows Management Instrumentation Command) PowerShell- Get-WmiObject. . , wmic Windows (deprecated), .





WMI- .





pcname.domain.local PowerShell- Get-WmiObject :





Get-WmiObject -ComputerName pcname.domain.local -Class Win32_NetworkAdapter | format-list Name





PowerShell-:





gwmi -cn pcname.domain.local Win32_NetworkAdapter| fl Name





PowerShell, wmic. ,





wmic /node:"pcname.domain.local" path Win32_NetworkAdapter get name





WMI- Win32_NetworkAdapter .









wmic /node:"pcname.domain.local" nic get name





WMI- Win32_NetworkAdapter "nic". WMI- wmic alias list full  , (, "nic") : wmic alias list brief | findstr /I nic





WMI- get *  , , /format , :





wmic /node:"pcname.domain.local" os get * /format:value ( )





WMI , :





wmic /node:"pcname.domain.local" /output:"c:\folder\file.html" computersystem list full /format:htable ( html-)





wmic /node:"pcname.domain.local" /output:"c:\folder\file.csv" path Win32_OperatingSystem get * /format:csv ( csv-)





WMI- list ,





wmic /node:"pcname.domain.local" nic list brief ( )





wmic /node:"pcname.domain.local" nic list status ( )





wmic /node:"pcname.domain.local" nic list full /every:5 ( 5 )





: wmic aliasname list /? ( aliasname - , , nic)





WQL (WMI Query Language), , :





wmic /node:"pcname.domain.local" nic WHERE PhysicalAdapter='true' get * /format:value









wmic /node:"pcname.domain.local" path Win32_NetworkAdapter WHERE PhysicalAdapter='true' get * /format:value





PowerShell





gwmi -cn pcname.domain.local -Query "Select * from Win32_NetworkAdapter WHERE PhysicalAdapter='true' " | fl *





, PowerShell wmic WMI- "Root\Cimv2". , , , WMI . , BitLocker- , WMI- :





wmic /node:"pcname.domain.local" /namespace:"\\Root\CIMV2\Security\MicrosoftVolumeEncryption" path Win32_EncryptableVolume get * /format:list





gwmi -cn pcname.domain.local -namespace:"Root\CIMV2\Security\MicrosoftVolumeEncryption" -class Win32_EncryptableVolume | fl *





BIOS :





wmic /node:"pcname.domain.local" /namespace:"\\Root\wmi" path MS_SystemInformation get * /format:value





gwmi -cn pcname.domain.local -namespace:"Root\wmi" -class MS_SystemInformation | fl *





Root\SecurityCenter ( Windows XP/2003 ) Root\SecurityCenter2 ( Windows Vista/2008 ):





wmic /namespace:"\\Root\SecurityCenter2" path AntivirusProduct get * /format:value





gwmi -cn pcname.domain.local -namespace:"Root\SecurityCenter2" -class AntivirusProduct | fl *





, wmic , :





wmic /node:@pclist.txt /user:domain.local\Scan /password:P@$$w0rd CommandName





WMI-, " " (Execute method) WMI- "Root". , GetStringValue StdRegProv .





wmic:





wmic /node:"pcname.domain.local" /NameSpace:\\root\default Class StdRegProv Call GetStringValue sSubKeyName="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI" sValueName="LastLoggedOnSAMUser" | findstr "sValue"





PowerShell, :





$hklm = 2147483650 #  HKLM- 

$key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI"

$values = @('LastLoggedOnUser','LastLoggedOnUserSID','LastLoggedOnDisplayName')

Foreach ($value in $values) {

 $wmi = get-wmiobject -list "StdRegProv" -namespace root\default -computername pcname.domain.local

 ($wmi.GetStringValue($hklm,$key,$value)).svalue

 $wmi2 = ($wmi.GetStringValue($hklm,$key,$value)).svalue

}
      
      



, WMI " " (Execute method) Create Win32_process. , . SeRestorePrivilege (Restore files and directories , ), WMI «Return Value=8». Computer Configuration\Windows Settings\Security Settings\User rights assignment - Restore files and directories ( \ Windows \ \   \   - ). , , .. , , SeRestorePrivilege , , , , , .. , WMI (, ), , , , , .





WMI:





wmic /node:"pcname.domain.local" path Win32_Process Call Create "cmd.exe /c C:\folder\batch.bat" ( bat- )





Invoke-WmiMethod -ComputerName pcname.domain.local -Class Win32_process -Name Create -ArgumentList 'cmd /c schtasks /run /tn "task1" ' ( "task1" " ")





, , WMI, ( ) , , , - CyberThreat Intelligence.   SeDebugPrivilege (Debug Program, ) . Computer Configuration\Windows Settings\Security Settings\User rights assignment - Debug Program ( \ Windows \ \   \   -  ). . , LSA ( ) Windows, , mimikatz . ( SeRestorePrivilege) , SeDebugPrivilege, , , .





, :





wmic /node:"pcname.domain.local" path Win32_Process get ExecutablePath









gwmi win32_process -ComputerName pcname.domain.local | fl ExecutablePath





SeRestorePrivilege SeDebugPrivilege, , WMI- Enable account, Remote enable Execute method, , , :





Invoke-WmiMethod -ComputerName pcname.domain.local -Class Win32_Process -Name Create -ArgumentList 'powershell.exe -command "get-process | get-unique | ForEach-Object {Get-FileHash $_.path -Algorithm SHA256} | fl * | out-file C:\folder\$env:COMPUTERNAME.$(get-date -format HH-mm-ss.dd.MM.yyyy).txt" '





- , , VirusTotal API





Invoke-RestMethod -Method 'POST' -Uri "https://www.virustotal.com/vtapi/v2/file/report?apikey=$VTApiKey&resource=$item"





( VTApiKey - VirusTotal Community API-, item - -). - "" , , xCyclopedia. , , , ( WMI-, SeRestorePrivilege SeDebugPrivilege).





3) WMI-

WMI-   Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration \ Audit Policies \ Object Access \ Audit other object access events - Enable ( \ Windows \ \ \ \ \ - ).





SACL ( ) WMI-, .





WMI- DACL -. VBS-, SACL WMI-. " Windows" (Windows Management Instrumentation, winmgmt) ( , ) WMI- "" (Security) EventID=4662 , WMI-, WMI- WMI.





WMI " \ Windows \ \ \ \ \ - " (Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration \ Audit Policies \ Detailed tracking \ Audit process creation - Enable ), " \ Windows \ \ \ - " (Computer Configuration \ Administrative Templates\System\Audit Process Creation - Include command line in process creation events). "" (Security) EventID=4688 , , ( WMI C:\Windows\System32\wbem\WmiPrvSE.exe).





SeRestorePrivilege " \ Windows \ \ \ \ - , " (Computer Configuration\Windows Settings\Advanced Audit Policy Configuration\Privilege Use - Audit Sensitive Privilege Use) , " \ Windows \ \ \ - : " (Computer Configuration\Windows Settings\Security Settings\Local Policies \ Security Options \ Audit: Audit the use of Backup and Restore privilege) . "" (Security) EventID=4674 (An operation was attempted on a privileged object) .





SeDebugPrivilege " \ Windows \ \ \ \ / -  " (Computer Configuration\Windows Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff - Audit Special Logon )  . "" (Security) EventID=4672 (Special privileges assigned to new logon) .





, WMI , .. , Windows, . WMI :





https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf





https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf





3. WMI- WinRM

Windows- WMI- DCOM , Windows 7/2008R2, Common Information Model, .. CIM- Windows Remote Management (WinRM, WSMan (WS-Management, Web Services for Management)) PowerShell- Get-CimInstance Invoke-CimMethod, Get-WmiObject Invoke-WmiMethod. CIM- (DCOM WSMan) Test-WSMan, WS-Management. Windows 8/2012 3.0, Windows 7/2008R2 - 2.0, Windows XP/2003/2008 WinRM WS-Management , . WinRM , DCOM.





WSMan- Windows- - SOAP-, WinRM ( HTTP-Kerberos-session-encrypted), TCP:5985 ( Windows 7/2008 TCP:80), HTTP- . HTTPS SSL- , , TCP:5986 ( Windows TCP:443). , .





WinRM winrm qc -q , " Windows" (Windows Remote Management (WS-Management), WinRM) TCP:5985 . WinRM " \ \ Windows \ Windows \ Windows - WinRM" (Computer Configuration \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Service - Allow remote server management through WinRM). IP-, , , , , "*". WinRM Windows Firewall, , , :





netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in action=allow protocol=TCP localport=5985 remoteip=X.X.X.X enable=yes profile=domain





X.X.X.X - , .





WinRM winrm get winrm/config , WinRM- - winrm enumerate winrm/config/listener , WSMan - winrm id . "" , winrm qc , " Windows" (Windows Remote Management (WS-Management) , WinRM) WinRM-: winrm delete winrm/config/Listener?Address=*+Transport=HTTP  . , winrm qc Windows Remote Shell (WinRS) WinRS. WinRS « / / Windows / Windows / - » (Computer Configuration / Administrative Templates / Windows Components / Windows Remote Shell / Allow Remote Shell Access - Disabled), winrm set winrm/config/winrs @{AllowRemoteShellAccess="false"} .





WinRM. , " " (Remote Management Users), Windows 10/2016, "WinRMRemoteWMIUsers__". , WinRM-, , - , PowerShell Remoting. CIM-,





winrm configsddl http://schemas.dmtf.org/wbem/wscim/1/cim-schema





"" / Read (Get,Enumerate,Subscribe) Get-CimInstance "" / Execute (Invoke) Invoke-CimMethod.





, WMI- Get-CimInstance, WMI- " " (Enable account) " " (Remote enable). Invoke-CimMethod, WMI- " " (Execute method). TCP:5985, SeRestorePrivilege.





CIM- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider ConfigXML, XML, CIM- ( SDDL-). , ConfigXML Architecture, . , GPO. WinRM :





https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=10





https://www.bloggingforlogging.com/2018/01/24/demystifying-winrm/





" Windows" (Windows Remote Management (WS-Management) , WinRM), , , .





CIM :





Get-CimInstance -ComputerName pcname.domain.local -Class Win32_NetworkAdapter





, SeRestorePrivilege SeDebugPrivilege:





Invoke-CimMethod -ComputerName pcname.domain.local -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = 'powershell.exe -command "get-process | get-unique | ForEach-Object {Get-FileHash $_.path -Algorithm SHA256} | fl * | out-file C:\folder\$env:COMPUTERNAME.$(get-date -format HH-mm-ss.dd.MM.yyyy).txt" ' }





, "" WMI-, CIM- , " " - "" (Security) EventID=4662 Get-CimInstance. " " " ", "" (Security) EventID=4688 Invoke-CimMethod.





4.

CIM/WMI- . , Windows , - , . , , , , , , . , . 





4.1.

, , .. WMI- win32_QuickFixEngineering . , WMI/DCOM- "TrustedInstaller", . , , DCOM (dcomcnfg), " " " ", " DCOM" , "Trusted Installer Service" "" " " ( " " " " ) " " ( " " ). , « » (Application ID) "Trusted Installer Service", "", HKLM\SOFTWARE\Classes\AppID\{ } . dcomcnfg , "Trusted Installer Service". " " ( " " " ") " " ( " "). HKLM\SOFTWARE\Classes\AppID\{ }. "Trusted Installer Service" AccessPermission LaunchPermission HKLM\SOFTWARE\Classes\AppID\{ } , . " Windows" (Windows Modules Installer, TrustedInstaller). , WMI- :





wmic /node:"pcname.domain.local" qfe list full /format:table









gwmi -ComputerName pcname.domain.local -Class win32_QuickFixEngineering | fl *









Get-CimInstance -ComputerName pcname.domain.local -Class win32_QuickFixEngineering | fl *





4.2. Windows 

, , SCM (Service Control Manager), Windows. .





SID , ,





wmic useraccount where (name="Scan" and domain="domain.local") get sid





SCM, - :





sc sdshow scmanager





SDDL-, SCM , , :





D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)





:





(A;;CCLCRPRC;;;[SID]) , [SID] SID .





("A;;") SCM: CC - , LC - , RP - , RC - .





SDDL-, , DACL ("D:") SACL ("S:"):





D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;[SID])S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)





, - :





sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;[SID])S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)





HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder "Security" , . "Security" SCM . , ( sc sdshow _), .





:





wmic /node:"pcname.domain.local" path Win32_Service get /format:list









gwmi -ComputerName pcname.domain.local -Class Win32_Service | fl *









Get-CimInstance -ComputerName pcname.domain.local -ClassName Win32_Service | fl *





5.

-, , . , Windows 7/2008, PowerShell Remoting Windows Remote Shell. WinRM ( WSMan) . TCP:5985, " Windows" (Windows Remote Management (WS-Management), WinRM) PSRemoting/WinRM, Enable-PSRemoting ( PowerShell Remoting), winrm qc ( Windows Remote Shell), " WinRM".





5.1. PowerShell Remoting

PowerShell Remoting " " (Remote Management Users). , :





Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI





"" / Read (Get,Enumerate,Subscribe) "" / Execute (Invoke).





HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell ConfigXML, XML, SDDL-. , ConfigXML Architecture, .





PowerShell Remoting





Enter-PSSession -ComputerName pcname.domain.local





PowerShell cmd .





,





Invoke-Command -ComputerName pcname.domain.local -ScriptBlock {Get-Culture}





Invoke-Command -ComputerName pcname.domain.local -ScriptBlock {ipconfig}





" " " ", "" (Security) EventID=4688 - "C:\Windows\System32\wsmprovhost.exe". Windows cmd, PowerShell-, , . " \ \ Windows \ Windows PowerShell - PowerShell", check-box " ", PowerShell , . " - Windows - - Windows \ Windows PowerShell - " " PowerShell" Microsoft-Windows-PowerShell/Operational, Microsoft-Windows-WinRM/Operational .





, Enter-PSSession Invoke-Command - !





5.2. Windows Remote Shell 

Windows Remote Shell





winrm configSDDL default





"" / Read (Get,Enumerate,Subscribe) "" / Execute (Invoke).





KLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service rootSDDL, SDDL-.





WinRS « / / Windows / Windows / - » (Computer Configuration / Administrative Templates / Windows Components / Windows Remote Shell / Allow Remote Shell Access - Enabled), winrm set winrm/config/winrs @{AllowRemoteShellAccess="true"}.





Windows Remote Shell





winrs -r:pcname.domain.local cmd





Windows cmd .





,





winrs -r:pcname.domain.local netstat -nao





winrs -r:pcname.domain.local tasklist





winrs -r:pcname.domain.local powershell  -command "get-culture"





" " " ", "" (Security) EventID=4688 - "C:\Windows\System32\winrshost.exe".





- Windows, . , . , - , -. , , PowerShell, . , " " Security Vision , , , , , , . Security Vision MS Windows. . ( – – ), gMSA (Group Managed Service Account).








All Articles