CimSweep

0.5.0.0

CimSweep is a suite of CIM/WMI-based tools that make it possible to perform incident response and hunting operations remotely across all versions of Windows. Because CIM/WMI is used for collection, no host-based agent needs to be installed: the WMI service runs by default on all versions of Windows.

Minimum PowerShell version

3.0

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name CimSweep -RequiredVersion 0.5.0.0

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name CimSweep -Version 0.5.0.0

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Alternatively, manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked and won't include any dependencies.

Copyright

BSD 3-Clause

Package Details

Author(s)

  • Matthew Graeber

Tags

security DFIR defense

Functions

  • Get-CSRegistryKey
  • Get-CSRegistryValue
  • Get-CSMountedVolumeDriveLetter
  • Get-CSDirectoryListing
  • Get-CSEventLog
  • Get-CSEventLogEntry
  • Get-CSService
  • Get-CSProcess
  • Get-CSEnvironmentVariable
  • Get-CSRegistryAutoStart
  • Get-CSScheduledTaskFile
  • Get-CSTempFile
  • Get-CSLowILPathFile
  • Get-CSShellFolderPath
  • Get-CSStartMenuEntry
  • Get-CSTypedURL
  • Get-CSWmiPersistence
  • Get-CSWmiNamespace
  • Get-CSVulnerableServicePermission

Dependencies

This module has no dependencies.

Release Notes

0.5.0
-----
Enhancements:
* Added Get-CSWmiNamespace
* Added Get-CSVulnerableServicePermission
* -IncludeACL added to Get-CSRegistryKey, Get-CSDirectoryListing, Get-CSService, and Get-CSWmiNamespace.
* -IncludeFileInfo added to Get-CSService. The file info returned also includes the file ACL.
* Functions that accept exact datetimes now mask off milliseconds to enable more flexible time-based sweeps with second granularity.
* Added optional -UserModeServices and -Drivers switches to Get-CSService. This is helpful if you only want drivers or only want user-mode services.

Removed:
* Dropped -Drivers and -Services from Get-CSRegistryAutoStart. Get-CSService is the ideal means of obtaining service and driver information.

0.4.1
-----
* Bugfix: Forgot to rename Set-DefaultDisplayProperty in Get-CSRegistryAutoStart.
* Enhancement: Addressed PSScriptAnalyzer warnings.

0.4.0
-----
* Compatible PS Editions: Desktop, Core (i.e. Nano Server and Win 10 IoT)
* -IncludeAcl switch added to Get-CSRegistryKey and Get-CSDirectoryListing. Appending this switch adds an ACL property to each object returned.
* The output types of all functions are now fully and properly documented.

Version History

Version                    Downloads   Last updated
0.6.0.0                    2,489       5/13/2017
0.5.1.0                    240         10/8/2016
0.5.0.0 (current version)  177         5/28/2016
0.4.1.0                    69          5/16/2016
0.4.0.0                    60          5/16/2016