CimSweep
0.6.0.0
CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. CIM/WMI obviates the need for the installation of a host-based agent. The WMI service is running by default on all versions of Windows.
Minimum PowerShell version
3.0
Installation Options
Owners
Copyright
BSD 3-Clause
Package Details
Author(s)
- Matthew Graeber
Tags
Functions
Get-CSRegistryKey Get-CSRegistryValue Get-CSMountedVolumeDriveLetter Get-CSDirectoryListing Get-CSEventLog Get-CSEventLogEntry Get-CSService Get-CSProcess Get-CSEnvironmentVariable Get-CSRegistryAutoStart Get-CSScheduledTaskFile Get-CSTempFile Get-CSLowILPathFile Get-CSShellFolderPath Get-CSStartMenuEntry Get-CSTypedURL Get-CSWmiPersistence Get-CSWmiNamespace Get-CSVulnerableServicePermission Get-CSAVInfo Get-CSProxyConfig Get-CSInstalledAppCompatShimDatabase Get-CSBitlockerKeyProtector Get-CSDeviceGuardStatus
Dependencies
This module has no dependencies.
Release Notes
0.6.0
-----
Enhancements:
* Added Get-CSInstalledAppCompatShimDatabase
* Added Get-CSBitlockerKeyProtector
* Get-CSWmiPersistence now also detects persistence in the root/default namespace.
* Added Get-CSDeviceGuardStatus
* Added positional parameters for Name parameters for Get-CSEventLogEntry, Get-CSService, Get-CSProcess, Get-CSEnvironmentVariable, and Get-CSWmiNamespace.
Removed:
* Removed the -NoProgressBar parameter from all functions since this is what $ProgressPreference is for.
* Removed Set-DefaultDisplayProperty helper function and all calls to it. It was creating unnecessary code complexity.
* Removed -OperationTimeoutSec param from all functions. Was creating unnecessary code complexity.
General changes:
* Reorganized the folder structure and removed any offensive code.
* A decision was also made that CimSweep will only ever have Get- functions. Considering CimSweep is designed to pull information at scale, it should never perform any action that would change system state.
* Applied PSScriptAnalyzer rules to test code and addressed its findings.
0.5.1
-----
Enhancements:
* Added Get-CSAVInfo (written by @xorrior)
* Added Get-CSProxyConfig (written by @xorrior)
* Added module-wide Pester tests to ensure consistency across functions.
Removed:
* Removed the -Path parameter from Get-CSRegistryKey and Get-CSRegistryValue. -Hive should be used.
0.5.0
-----
Enhancements:
* Added Get-CSWmiNamespace
* Added Get-CSVulnerableServicePermission
* -IncludeACL added to Get-CSRegistryKey, Get-CSDirectoryListing, Get-CSService, and Get-CSWmiNamespace.
* -IncludeFileInfo added to Get-CSService. The file info returned also includes the file ACL.
* Functions that accept exact datetimes now mask off milliseconds to enable more flexible time-based sweeps with second granularity.
* Added optional -UserModeServices and -Drivers switches to Get-CSService. This is helpful if you only want drivers or only want user-mode services.
Removed:
* Dropped -Drivers and -Services from Get-CSRegistryAutoStart. Get-CSService is the ideal means of obtaining service and driver information.
0.4.1
-----
* Bigfix: Forgot to rename Set-DefaultDisplayProperty in Get-CSRegistryAutoStart.
* Enhancement: Addressed PSScriptAnalyzer warnings
0.4.0
-----
* Compatible PS Editions: Desktop, Core (i.e. Nano Server and Win 10 IoT)
* -IncludeAcl switch added to Get-CSRegistryKey and Get-CSDirectoryListing. Appending this argument will add an ACL parameter to each object returned.
* The output types of all functions are now fully and properly documented.
FileList
- CimSweep.nuspec
- CimSweep.cat
- CimSweep.psd1
- CimSweep.psm1
- ArtifactRetrieval\AppCompatDatabases.ps1
- ArtifactRetrieval\Autoruns.ps1
- ArtifactRetrieval\SuspiciousFiles.ps1
- ArtifactRetrieval\SuspiciousURLs.ps1
- Auditing\ACLAudits.ps1
- Auditing\AntiVirusInfo.ps1
- Auditing\Bitlocker.ps1
- Auditing\DeviceGuard.ps1
- Auditing\ProxyConfig.ps1
- Core\CoreFunctions.ps1
- Tests\Core.CimSweep.Tests.ps1
- Tests\Module.Tests.ps1
Version History
Version | Downloads | Last updated |
---|---|---|
0.6.0.0 (current version) | 3,419 | 5/13/2017 |
0.5.1.0 | 243 | 10/8/2016 |
0.5.0.0 | 180 | 5/28/2016 |
0.4.1.0 | 72 | 5/16/2016 |
0.4.0.0 | 63 | 5/16/2016 |