Published on May 18th, 2016 📆 | 2152 Views ⚑0
CimSweep — Incident Response Suite
Text to Speech
CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. CimSweep may also be used to engage in offensive reconnaisance without the need to drop any payload to disk. Windows Management Instrumentation has been installed and its respective service running by default since Windows XP and Windows 2000 and is fully supported in the latest versions of Windows including Windows 10, Nano Server, and Server 2016.
Agent-based defensive tools are extremely powerful but they also require deployment of the agent to each system. While agent-based solutions absolutely have a place in our industry, they tend to be very expensive and can be easily detected/thwarted by determined attackers. CimSweep enables the acquisition of time-sensitive data at scale all without needing to deploy an agent.
It is called CimSweep based upon the fact that it utilizes the extremely powerful CIM cmdlets in PowerShell. CIM cmdlets support the WSMan protocol by default but it may also fall back to using DCOM on systems that either cannot support or do not have the Windows Remote Management (WinRM) service enabled. More information on the CIM cmdlets may be found here:
One of the greatest features of the CIM cmdlets is that they allow you to establish a CIM session which can survive reboots. CIM sessions speed up remote queries and they enable an analyst to establish a session once and then can be passed around to any function that supports a -CimSession parameter – which all CimSweep functions support by design.
- PowerShell version 3 or above is required. The CIM cmdlets were introduced in PSv3.
- Elevated credentials to the target hosts. By default, all remote WMI/CIM operations require credentials for users belonging to the Administrator’s group.
- Any Windows OS dating back to Windows XP or Windows 2000.
- The WMI service (winmgmt) must be running. It is running by default.
- Host and network firewalls must allow remote WMI/CIM management ports through.
- For systems where the WSMan protocol is desired, the WinRM service must be running. If PowerShell remoting is already enabled, the WinRM service will already be running. WinRM can be enabled locally with PowerShell or remotely in an enterprise with GPO.
CimSweep is comprised of two components: core functionality and domain specific functionality.
At its core, CimSweep makes it easy to remotely obtain the following information from any Windows operating system:
- Registry keys, values, value types, and value content with optional recursion
- Directory and file listing with optional recursion
- Event log entries
This core functionality was designed to facilitate the development of domain-specific functionality for incident responders, hunt operators, or anyone else needing to target information remotely over WMI.
Building upon the core set of functions in CimSweep, contributors can easily write functions that enable them to obtain highly targeted information. Examples of such information would include the following:
- Attacker persistence artifacts: Run keys, start menu items, WMI persistence, etc.
- Scan for presence of known bad artifacts: i.e. sweep for known bad files, known bad registry keys/values
- Use you imagination! CimSweep enables sweeping for a multitude of forensic artifacts. Consider tools like Sysinternals Autoruns and regripper. CimSweep enables contributors to reimplement these awesome tools all without requiring pushing any tools to a target system!
CimSweep is a PowerShell module imported using the Import-Module cmdlet. For help on importing PowerShell modules, run
Get-Help Import-Module -Full or refer to Importing a PowerShell Module. Once imported, you may see the exported functions by running
Get-Command -Module CimSweep.
Detailed documentation and usage examples for each function can be found by running
Get-Help FunctionName -Full. For example, for detailed help on Get-CSDirectoryListing, run
Get-Help Get-CSDirectoryListing -Full.