CimSweep

0.6.0.0

CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. CIM/WMI obviates the need for the installation of a host-based agent. The WMI service is running by default on all versions of Windows.

Minimum PowerShell version

3.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name CimSweep

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name CimSweep

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

BSD 3-Clause

Package Details

Author(s)

  • Matthew Graeber

Tags

security DFIR defense

Functions

Get-CSRegistryKey Get-CSRegistryValue Get-CSMountedVolumeDriveLetter Get-CSDirectoryListing Get-CSEventLog Get-CSEventLogEntry Get-CSService Get-CSProcess Get-CSEnvironmentVariable Get-CSRegistryAutoStart Get-CSScheduledTaskFile Get-CSTempFile Get-CSLowILPathFile Get-CSShellFolderPath Get-CSStartMenuEntry Get-CSTypedURL Get-CSWmiPersistence Get-CSWmiNamespace Get-CSVulnerableServicePermission Get-CSAVInfo Get-CSProxyConfig Get-CSInstalledAppCompatShimDatabase Get-CSBitlockerKeyProtector Get-CSDeviceGuardStatus

Dependencies

This module has no dependencies.

Release Notes

0.6.0
-----
Enhancements:
* Added Get-CSInstalledAppCompatShimDatabase
* Added Get-CSBitlockerKeyProtector
* Get-CSWmiPersistence now also detects persistence in the root/default namespace.
* Added Get-CSDeviceGuardStatus
* Added positional parameters for Name parameters for Get-CSEventLogEntry, Get-CSService, Get-CSProcess, Get-CSEnvironmentVariable, and Get-CSWmiNamespace.

Removed:
* Removed the -NoProgressBar parameter from all functions since this is what $ProgressPreference is for.
* Removed Set-DefaultDisplayProperty helper function and all calls to it. It was creating unnecessary code complexity.
* Removed -OperationTimeoutSec param from all functions. Was creating unnecessary code complexity.

General changes:
* Reorganized the folder structure and removed any offensive code.
* A decision was also made that CimSweep will only ever have Get- functions. Considering CimSweep is designed to pull information at scale, it should never perform any action that would change system state.
* Applied PSScriptAnalyzer rules to test code and addressed its findings.

0.5.1
-----
Enhancements:
* Added Get-CSAVInfo (written by @xorrior)
* Added Get-CSProxyConfig (written by @xorrior)
* Added module-wide Pester tests to ensure consistency across functions.

Removed:
* Removed the -Path parameter from Get-CSRegistryKey and Get-CSRegistryValue. -Hive should be used.

0.5.0
-----
Enhancements:
* Added Get-CSWmiNamespace
* Added Get-CSVulnerableServicePermission
* -IncludeACL added to Get-CSRegistryKey, Get-CSDirectoryListing, Get-CSService, and Get-CSWmiNamespace.
* -IncludeFileInfo added to Get-CSService. The file info returned also includes the file ACL.
* Functions that accept exact datetimes now mask off milliseconds to enable more flexible time-based sweeps with second granularity.
* Added optional -UserModeServices and -Drivers switches to Get-CSService. This is helpful if you only want drivers or only want user-mode services.

Removed:
* Dropped -Drivers and -Services from Get-CSRegistryAutoStart. Get-CSService is the ideal means of obtaining service and driver information.

0.4.1
-----
* Bigfix: Forgot to rename Set-DefaultDisplayProperty in Get-CSRegistryAutoStart.
* Enhancement: Addressed PSScriptAnalyzer warnings

0.4.0
-----
* Compatible PS Editions: Desktop, Core (i.e. Nano Server and Win 10 IoT)
* -IncludeAcl switch added to Get-CSRegistryKey and Get-CSDirectoryListing. Appending this argument will add an ACL parameter to each object returned.
* The output types of all functions are now fully and properly documented.

FileList

Version History

Version Downloads Last updated
0.6.0.0 (current version) 3,380 5/13/2017
0.5.1.0 243 10/8/2016
0.5.0.0 180 5/28/2016
0.4.1.0 72 5/16/2016
0.4.0.0 63 5/16/2016