
Computer and Network Management with PowerShell

Table of Contents

Get-WmiObject ............................................................................................................................... 2

Computer Information -1 ................................................................................................................ 3

Computer Information -2 ................................................................................................................ 4

Computer Information -3 ................................................................................................................ 5

Computer Information -4 ................................................................................................................ 6

Computer Management -1 ............................................................................................................. 7

Computer Management -2 ............................................................................................................. 8

Computer Management -3 ............................................................................................................. 9

Network Management .................................................................................................................. 10

Registry Work ................................................................................................................................ 11

Network Management .................................................................................................................. 12

Registry Work ................................................................................................................................ 13

Get and Test AppLocker Policy ..................................................................................................... 14

Review Logs -1 .............................................................................................................................. 15

Review Logs -2 .............................................................................................................................. 16

Review Logs -3 .............................................................................................................................. 18

Notices .......................................................................................................................................... 20

Page 1 of 20


Get-WmiObject

43

Windows Management Instrumentation (WMI) is the de-facto tool for Windows administrative tasks.

Get-WmiObject is a great cmdlet to gather computer information.

• Desktop information
• List BIOS information
• List Processor information
• Manufacturer & Model
• Installed Hotfixes
• OS version
• List Local Users

**043 All right. Windows management instrument, how many of you guys are familiar with WMI? Yeah, it's kind of the de-facto tool that Windows administrators use to do pretty much anything they wanted to accomplish. So, I can look at WMI objects. And the command for that is Get-Wmi. And they give you an idea of some of the things, desktop information, BIOS information, processor information, local users that-- list of users and hot fixes and such can all be found.


Computer Information -1

44

BIOS information

Processor information

**044 So, I think we're going to look at some of those. If I want to know what the computer name is-- not the computer name. Oh, we're looking for BIOS information for the top one. Get-WmiObject, and the class Win32_BIOS, that's the WMI object that we're looking for. And the computer name at the end, we have a dot at the end. That's saying the local computer. We're not doing a remote computer. And we can see we have phoenix BIOS, looks like version six oh one there-- no, I'm sorry, version four oh, release six.


If I wanted to get information about the processor for my local computer name, again, the class in this case is Win32_Processor, and we can see it's an Intel 64-bit model 58, step 9 processor.

Computer Information -2

45

Manufacturer and model information

Installed Hotfixes

**045 In this case, now we're trying to find out who is the manufacturer of-- manufacturer model information for the computer. So, the domain, it belongs to test.mycompany. Looks like it's a VMware device. And it's a VMware virtual platform. So, this was done, obviously, in a virtual machine. It was not done on a hardware based machine.


If I want to know what hot fixes are there, there's a Get-WmiObject for that. You guys got the idea, right? Get-WmiObject is very useful to us.

Computer Information -3

46

Get User

Get-WmiObject -Class Win32_OperatingSystem -ComputerName . | Select-Object -Property *user*

**046 Get users, we see who some of our users are on this particular machine, only one.


Computer Information -4

47

Who is logged on and computer time are good for forensics.

Get-WmiObject -Class Win32_ComputerSystem -Property UserName -ComputerName .

Get-WmiObject -Class Win32_LocalTime -ComputerName . | Select-Object -Property [a-z]*

**047 This is a handy little tool. I might want to find out who is currently logged into the machine, figure out information about date and time of the machine, as well. So, the top command shows me who's logged in. You can see the username is Mark who is logged into that machine. The second command, Win32_LocalTime, tells us the date and time for that particular machine. Now, if we did not add this select object property A to Z, if we did not add this command in here, we'd have all this information. It just would not look nice and pretty the way it is being displayed. So, that's what the select object does for us, makes it a nice pretty, easy to understand, easy to read display.
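Added example, not part of the course material: the WMI queries from slides 43 through 47 (BIOS, processor, manufacturer and model, hotfixes, OS version, logged-on user, local time) gathered into one record that can be kept as a forensic baseline of a host. The function name, the output path and the hotfix sorting are assumptions made for this example; the class and property names are the real WMI ones.

```powershell
# Added example, not from the course slides: the slide 43-47 queries collected into
# one object. Get-WmiObject exists in Windows PowerShell 5.1 and earlier; on
# PowerShell 7 the same class names work with Get-CimInstance.

function Get-HostSnapshot {
    param([string]$ComputerName = '.')   # '.' is the local computer, as on the slides

    $cs    = Get-WmiObject -Class Win32_ComputerSystem      -ComputerName $ComputerName
    $os    = Get-WmiObject -Class Win32_OperatingSystem     -ComputerName $ComputerName
    $bios  = Get-WmiObject -Class Win32_BIOS                -ComputerName $ComputerName
    $cpu   = Get-WmiObject -Class Win32_Processor           -ComputerName $ComputerName
    $time  = Get-WmiObject -Class Win32_LocalTime           -ComputerName $ComputerName
    $fixes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName

    # Win32_LocalTime returns the clock as separate numeric fields; rebuild a [datetime]
    $localTime = Get-Date -Year $time.Year -Month $time.Month -Day $time.Day `
                          -Hour $time.Hour -Minute $time.Minute -Second $time.Second

    # WMI date strings use the DMTF format (e.g. 20130311081502.500000-300) and need conversion
    $lastBoot = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)

    # InstalledOn is a string; values that do not parse sort as MinValue instead of throwing
    $newestFix = $fixes | Sort-Object -Descending {
        $d = [datetime]::MinValue
        [void][datetime]::TryParse([string]$_.InstalledOn, [ref]$d)
        $d
    } | Select-Object -First 1

    [pscustomobject]@{
        ComputerName   = $cs.Name
        Domain         = $cs.Domain
        Manufacturer   = $cs.Manufacturer
        Model          = $cs.Model            # 'VMware Virtual Platform' on the slide's VM
        LoggedOnUser   = $cs.UserName         # DOMAIN\user, or empty when nobody is logged on interactively
        OSCaption      = $os.Caption
        OSVersion      = $os.Version
        LastBootUpTime = $lastBoot
        LocalTime      = $localTime
        # About 0 for the local machine; for a remote host this shows a clock that disagrees
        # with the collecting machine, which matters when correlating log timestamps
        ClockSkewSec   = [int]($localTime - (Get-Date)).TotalSeconds
        BIOSVendor     = $bios.Manufacturer
        BIOSVersion    = $bios.SMBIOSBIOSVersion
        Processor      = @($cpu)[0].Name
        HotfixCount    = @($fixes).Count
        LatestHotfix   = $newestFix.HotFixID
        LatestHotfixOn = $newestFix.InstalledOn
    }
}

# Save the record; a later snapshot can be diffed against it with Compare-Object
$snapshot = Get-HostSnapshot
$snapshot | Format-List
$snapshot | Export-Csv -Path "$env:TEMP\host-snapshot.csv" -NoTypeInformation
```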

Computer Management -1

48

**048 So, computer management functions we can do, look at what applications are installed, install and remove applications, install and remove Windows features, control sessions by locking them, restart the computer system, shut down the computer system. There's lots of administrative types of commands that we can get in PowerShell.


Computer Management -2

49

Lock a computer

rundll32.exe user32.dll,LockWorkStation

• rundll32.exe allows the administrator to run functions exported by Windows DLLs
• user32.dll is a library of Windows management functions

Log off the current session

shutdown.exe -l

or

(Get-WmiObject -Class Win32_OperatingSystem -ComputerName .).Win32Shutdown(0)

**049 If I wanted to lock a computer, we have to use a DLL. The run32dll.exe is used. Run32dll.exe allows us to run Windows DLLs. And the user32dll is what is required in order to do a Windows function such as shut it down. So, I have to run two of these dynamic link libraries together. The first one it says let me run dynamic link libraries. Well, the is what allows me to run the dynamic link libraries. So, it's a GetWmiObject again. And at the very end we have Win32shutdown. And the zero is going to-- I forgot what the zero argument is. I think it is log off any current users.


Computer Management -3

50

Shutdown the computer

(Get-WmiObject -Class Win32_OperatingSystem -ComputerName .).Win32Shutdown(1)

Restart the computer

(Get-WmiObject -Class Win32_OperatingSystem -ComputerName .).Win32Shutdown(2)

**050 The zero is the log off. The one is the shutdown. The two is the restart. Whew. All right.


Network Management

51

**051 Network management activities that we can do, view IP addresses, ping other computers, assign DNS, configure DHCP.


Registry Work

52

**052 We could have-- and we probably could explore--


Network Management

51

**051 Some of those commands, if you want, in PowerShell, but I figured it would probably be better if you explore those commands on your own when you feel like it. But these are just a sampling of some of the network management things that we can do.


Registry Work

52

**052 Just like we have a sample of some of the registry types of activities we can do. See what my registry keys are, copy them, delete them, create new ones if I wanted to, those are some of the registry activities.


Get and Test AppLocker Policy

53

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User Everyone

• The commands check to see if the executables in the Windows\System32 directory will be allowed to run for the Everyone group.

**053 PowerShell, very flexible tool. In this case, we're showing you that we want to get and test our AppLocker policy. Do you remember AppLocker? AppLocker was the tool that we use to restrict what users are allowed to have access to what applications. So, in this particular case, the command is Get-AppLockerPolicy. We're looking at our local machine. And then we're going to pipe that to test the AppLocker policy. And we have a path of we're looking for all the executables in the system32 directory. And we want to see what the user everyone, or all people on the machine, are allowed to do.


And so, the result that we have is notice all the executables in the system32 directory. The policy decision is they are allowed by default. I could change my user and see what individual users are allowed to do. I can change it and see what other groups are allowed to do. And I can-- obviously, I can change to other directories and see what the policy is for those applications.
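Added example, not part of the course material: the slide 53 test extended across several directories and principals, as the transcript suggests, with every decision compared against what the administrator expects (system directories allowed, user-writable directories denied). The directory list, the expectations and the use of the current user as a second principal are assumptions made for this example.

```powershell
# Added example, not from the course slides: run Test-AppLockerPolicy for several
# directory/principal pairs and flag decisions that differ from the expectation.
# Directories and expectations below are constructed; adjust them to the policy under review.

$policy = Get-AppLockerPolicy -Local      # -Effective would also include domain GPO rules

$currentUser = "$env:USERDOMAIN\$env:USERNAME"
$checks = @(
    @{ Directory = 'C:\Windows\System32';       User = 'Everyone';   Expect = 'Allowed' }
    @{ Directory = 'C:\Windows\System32';       User = $currentUser; Expect = 'Allowed' }
    @{ Directory = $env:TEMP;                   User = 'Everyone';   Expect = 'Denied'  }
    @{ Directory = 'C:\Users\Public\Downloads'; User = 'Everyone';   Expect = 'Denied'  }
)

$results = foreach ($c in $checks) {
    # Collect the executables first; a directory may contain none
    $files = Get-ChildItem -Path $c.Directory -Filter *.exe -File -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty FullName
    if (-not $files) { continue }

    # Test-AppLockerPolicy returns one decision per file: FilePath, PolicyDecision, MatchingRule
    $policy | Test-AppLockerPolicy -Path $files -User $c.User | ForEach-Object {
        # PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault;
        # collapse the *ByDefault forms so they compare against Expect
        $effective = if ($_.PolicyDecision -like 'Allowed*') { 'Allowed' } else { 'Denied' }
        [pscustomobject]@{
            User         = $c.User
            FilePath     = $_.FilePath
            Decision     = $_.PolicyDecision
            MatchingRule = $_.MatchingRule
            Expected     = $c.Expect
            Mismatch     = ($effective -ne $c.Expect)
        }
    }
}

# Summary per principal and decision, then every file whose decision is not the expected one
$results | Group-Object User, Decision | Select-Object Count, Name | Format-Table -AutoSize
$results | Where-Object Mismatch | Format-Table User, FilePath, Decision, MatchingRule -AutoSize
```

A directory that is user-writable and still comes back AllowedByDefault means no rule covers that executable collection, which is the gap to close before enforcing the policy.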

Review Logs -1

54

View all entries in the Security Log

Get-EventLog -LogName Security

• To see the security log, use “Run As Administrator” to open PowerShell.

View the last 5 entries

**054 Log review, log information, in this case, we're going to look at the security log. So, it's Get-EventLog. Type in the name security, and here at the bottom we can see, in this case, this command we have-- I didn't want to see all the log. That could be a very long list and could take a long time to scroll through my screen. So, maybe I only want to look at, in this case, the five newest entries that are in the log, so Get-EventLog, security log, newest five. I could do newest ten or whatever options make sense to me.

Review Logs -2

55

View properties of the last event in the security log.

**055 If I wanted to look at the details of a particular entry, I can use the Get-EventLog command again-- cmdlet again, and say newest. And then pipe that to format the list and say give me the properties. Well, what properties do you want? The asterisk says give me all the properties for that particular event. And we can see the event ID, the category of event, source of the event, dates and times, so good information from a security standpoint. It was a successful audit. Cryptographic operation was done, so forth. So, that's looking at the latest and greatest entry in the log.


Review Logs -3

56

View log entries before / after a date

**056 I can, from a forensic standpoint, I can-- I want to know what happened between certain dates and certain times. And so, that's what we're going to do here. What we do is we set some variables. $1, we say get date information, so March 11th 2013. $2, we're getting that information, March 12th 2013. And once we get that date information and set that into variables of $1 and $2, then we can run our Get-EventLog. So, the command, Get-EventLog, we're talking about, again, the security log. And we say after $1.


Well, what is $1? That's March 11th. And before $2-- well, what's that? March 12th. So, this is from let's say zero zero zero one on March 11th to-- I guess twenty-four hundred hours on March 11th because it says before March 12th, right? So, the beginning of March 12th would be zero zero zero zero, or zero zero zero one, I guess. Right? So, that gives us everything just for March 11th. And the property is we want-- we've sorted this in ascending time. So, now I can see what has happened and retrace. At three seventeen, we had a successful audit. At 2:45 and so on. So, we have these successful entries.

Student: You can map on some of those things like that pick up the month. If you wanted to pick up between the eleventh and twelfth of three consecutive months, or whatever, are you able to do that?

Mark Williams: Yeah, there are ways of manipulating it to get various ranges that you're looking for. Yes. The syntax and the commands can get quite intricate.
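Added example, not part of the course material: the slide 56 date-window query with the window built from Get-Date, sorted oldest-first as on the slide, and generalised to the student's question about the same day in several consecutive months. The function name, the March 2013 start date and the three-month span are assumptions made for this example.

```powershell
# Added example, not from the course slides: one Security-log query per window,
# each window tagged so the results can be summarised side by side.
# Reading the Security log needs a "Run As Administrator" PowerShell session.
# Get-EventLog reads the classic logs; Get-WinEvent -FilterHashtable is the newer equivalent.

function Get-SecurityEventsForWindows {
    param(
        [datetime]$FirstDay = (Get-Date '2013-03-11'),  # 00:00 on March 11, the slide's $1
        [int]$Months = 3,                                # March, April and May 2013
        [int]$Days = 1                                   # one day per window, as on the slide
    )
    for ($i = 0; $i -lt $Months; $i++) {
        $after  = $FirstDay.AddMonths($i)
        $before = $after.AddDays($Days)   # -Before is exclusive: 00:00 of the following day, the slide's $2
        Get-EventLog -LogName Security -After $after -Before $before |
            Sort-Object TimeGenerated |   # ascending, to retrace events in order
            Select-Object @{ n = 'Window'; e = { $after.ToString('yyyy-MM-dd') } },
                          TimeGenerated, EntryType, InstanceId, Source, Message
    }
}

$events = Get-SecurityEventsForWindows

# Per window: how many Success Audit and Failure Audit entries were recorded
$events | Group-Object Window, EntryType | Sort-Object Name |
    Format-Table Count, Name -AutoSize

# Most frequent event IDs per window; a jump in failure audits or an ID that
# appears in only one window is what an analyst would look at first
$events | Group-Object Window, InstanceId | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize
```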


Notices

2

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
