CimSweep.psd1

@{
RootModule = 'CimSweep.psm1'

ModuleVersion = '0.6.0.0'

GUID = 'f347ef1c-d752-4d07-bf68-3197c0aa661a'

Author = 'Matthew Graeber'

Copyright = 'BSD 3-Clause'

Description = 'CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. CIM/WMI obviates the need for the installation of a host-based agent. The WMI service is running by default on all versions of Windows.'

PowerShellVersion = '3.0'

# Functions to export from this module
FunctionsToExport = @(
    'Get-CSRegistryKey',
    'Get-CSRegistryValue',
    'Get-CSMountedVolumeDriveLetter',
    'Get-CSDirectoryListing',
    'Get-CSEventLog',
    'Get-CSEventLogEntry',
    'Get-CSService',
    'Get-CSProcess',
    'Get-CSEnvironmentVariable',
    'Get-CSRegistryAutoStart',
    'Get-CSScheduledTaskFile',
    'Get-CSTempFile',
    'Get-CSLowILPathFile',
    'Get-CSShellFolderPath',
    'Get-CSStartMenuEntry',
    'Get-CSTypedURL',
    'Get-CSWmiPersistence',
    'Get-CSWmiNamespace',
    'Get-CSVulnerableServicePermission',
    'Get-CSAVInfo',
    'Get-CSProxyConfig',
    'Get-CSInstalledAppCompatShimDatabase',
    'Get-CSBitlockerKeyProtector',
    'Get-CSDeviceGuardStatus'
)

PrivateData = @{

    PSData = @{
        Tags = @('security', 'DFIR', 'defense')

        LicenseUri = 'http://www.apache.org/licenses/LICENSE-2.0.html'

        ProjectUri = 'https://github.com/PowerShellMafia/CimSweep'

        ReleaseNotes = @'
0.6.0
-----
Enhancements:
* Added Get-CSInstalledAppCompatShimDatabase
* Added Get-CSBitlockerKeyProtector
* Get-CSWmiPersistence now also detects persistence in the root/default namespace.
* Added Get-CSDeviceGuardStatus
* Added positional parameters for Name parameters for Get-CSEventLogEntry, Get-CSService, Get-CSProcess, Get-CSEnvironmentVariable, and Get-CSWmiNamespace.
 
Removed:
* Removed the -NoProgressBar parameter from all functions since this is what $ProgressPreference is for.
* Removed Set-DefaultDisplayProperty helper function and all calls to it. It was creating unnecessary code complexity.
* Removed -OperationTimeoutSec param from all functions. Was creating unnecessary code complexity.
 
General changes:
* Reorganized the folder structure and removed any offensive code.
* A decision was also made that CimSweep will only ever have Get- functions. Considering CimSweep is designed to pull information at scale, it should never perform any action that would change system state.
* Applied PSScriptAnalyzer rules to test code and addressed its findings.
 
0.5.1
-----
Enhancements:
* Added Get-CSAVInfo (written by @xorrior)
* Added Get-CSProxyConfig (written by @xorrior)
* Added module-wide Pester tests to ensure consistency across functions.
 
Removed:
* Removed the -Path parameter from Get-CSRegistryKey and Get-CSRegistryValue. -Hive should be used.
 
0.5.0
-----
Enhancements:
* Added Get-CSWmiNamespace
* Added Get-CSVulnerableServicePermission
* -IncludeACL added to Get-CSRegistryKey, Get-CSDirectoryListing, Get-CSService, and Get-CSWmiNamespace.
* -IncludeFileInfo added to Get-CSService. The file info returned also includes the file ACL.
* Functions that accept exact datetimes now mask off milliseconds to enable more flexible time-based sweeps with second granularity.
* Added optional -UserModeServices and -Drivers switches to Get-CSService. This is helpful if you only want drivers or only want user-mode services.
 
Removed:
* Dropped -Drivers and -Services from Get-CSRegistryAutoStart. Get-CSService is the ideal means of obtaining service and driver information.
 
0.4.1
-----
* Bugfix: Forgot to rename Set-DefaultDisplayProperty in Get-CSRegistryAutoStart.
* Enhancement: Addressed PSScriptAnalyzer warnings
 
0.4.0
-----
* Compatible PS Editions: Desktop, Core (i.e. Nano Server and Win 10 IoT)
* -IncludeAcl switch added to Get-CSRegistryKey and Get-CSDirectoryListing. Appending this argument will add an ACL parameter to each object returned.
* The output types of all functions are now fully and properly documented.
'@

    }

}

}
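The release notes above record two design rules for this manifest: CimSweep exports only `Get-` functions so that a sweep never changes system state, and module-wide Pester tests keep the functions consistent. The following Pester 5 test is an added example written for this page, not a test from the CimSweep repository; it assumes the manifest above is saved as `CimSweep.psd1` in the same directory as the test file and that Pester 5 is installed. It checks the invariants a reviewer would want enforced: the manifest parses, the export list is explicit rather than a wildcard, every exported function uses the `Get-CS` prefix, and the version in `ModuleVersion` matches the newest entry in `ReleaseNotes`.

```powershell
# Added example, not part of CimSweep: Pester 5 tests for the manifest's design invariants.
# Assumes .\CimSweep.psd1 sits next to this file and Pester 5 is available.

Describe 'CimSweep manifest invariants' {
    BeforeAll {
        $manifestPath = Join-Path $PSScriptRoot 'CimSweep.psd1'
        # Import-PowerShellDataFile parses the .psd1 as data; nothing in it is executed.
        $Manifest = Import-PowerShellDataFile -Path $manifestPath
    }

    It 'parses as a valid module manifest' {
        { Test-ModuleManifest -Path $manifestPath -ErrorAction Stop } | Should -Not -Throw
    }

    It 'exports an explicit function list rather than a wildcard' {
        $Manifest.FunctionsToExport | Should -Not -BeNullOrEmpty
        $Manifest.FunctionsToExport | Should -Not -Contain '*'
    }

    It 'exports only Get-CS functions (no state-changing commands)' {
        # Any function whose name does not start with Get-CS violates the Get-only rule.
        $violations = $Manifest.FunctionsToExport | Where-Object { $_ -notmatch '^Get-CS\w+$' }
        $violations | Should -BeNullOrEmpty
    }

    It 'has no duplicate exports' {
        $unique = $Manifest.FunctionsToExport | Sort-Object -Unique
        $unique.Count | Should -Be $Manifest.FunctionsToExport.Count
    }

    It 'keeps ModuleVersion in step with the newest release note' {
        # The first non-empty line of ReleaseNotes is the version heading, e.g. "0.6.0".
        $notes = $Manifest.PrivateData.PSData.ReleaseNotes -split "`r?`n" |
            Where-Object { $_.Trim() -ne '' } | Select-Object -First 1
        $noteVersion   = [version]$notes.Trim()
        $moduleVersion = [version]$Manifest.ModuleVersion
        # Compare major.minor.build only; the manifest carries a fourth revision field.
        $moduleVersion.Major | Should -Be $noteVersion.Major
        $moduleVersion.Minor | Should -Be $noteVersion.Minor
        $moduleVersion.Build | Should -Be $noteVersion.Build
    }
}
```

Run it with `Invoke-Pester -Path .\CimSweep.Manifest.Tests.ps1`. Using `Import-PowerShellDataFile` rather than dot-sourcing the manifest matters for a tool that ships to incident responders: the file is treated purely as data, so a tampered manifest cannot run code just because a test loaded it.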