DOCSLIB.ORG

WMI Query Language Via Powershell

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
WMI Query Language Via Powershell WMI Query Language via PowerShell Ravikanth Chaganti Explore basics of WMI Query Language, different types of WMI queries, and learn how PowerShell can be used to retrieve WMI management information using WQL. Table of Contents Introduction .................................................................................................................................................. 5 Introducing WMI Query Language ............................................................................................................ 5 WMI Query Types ..................................................................................................................................... 6 Data Queries ......................................................................................................................................... 6 Event Queries ........................................................................................................................................ 6 Schema Queries .................................................................................................................................... 7 WQL Keywords .......................................................................................................................................... 7 WQL Operators ......................................................................................................................................... 8 Tools for the job .......................................................................................................................................... 10 WBEMTEST .............................................................................................................................................. 10 WMI Administrative Tools ...................................................................................................................... 12 [WMISEARCHER] type accelerator .......................................................................................................... 14 PowerShell WMI cmdlets ........................................................................................................................ 15 WMI Data Queries ...................................................................................................................................... 17 SELECT, FROM, and WHERE .................................................................................................................... 17 Using Operators .................................................................................................................................. 18 ASSOCIATORS OF .................................................................................................................................... 21 ClassDefsOnly ...................................................................................................................................... 23 AssocClass ........................................................................................................................................... 24 ResultClass .......................................................................................................................................... 24 ResultRole ........................................................................................................................................... 24 Role ..................................................................................................................................................... 28 RequiredQualifier and RequiredAssocQualifier .................................................................................. 28 REFERENCES OF ....................................................................................................................................... 29 WMI Event Queries: Introduction ............................................................................................................... 31 Event Query Types .................................................................................................................................. 33 Intrinsic Events .................................................................................................................................... 33 Extrinsic Events ................................................................................................................................... 33 Timer Events ....................................................................................................................................... 33 WQL Syntax for event queries ................................................................................................................ 34 WITHIN ................................................................................................................................................ 34 [1] GROUP ................................................................................................................................................. 35 HAVING ............................................................................................................................................... 36 BY ........................................................................................................................................................ 36 Intrinsic Event Queries ................................................................................................................................ 38 __InstanceCreationEvent ........................................................................................................................ 39 __InstanceDeletionEvent ........................................................................................................................ 39 __InstanceModificationEvent ................................................................................................................. 39 Extrinsic Event Queries ............................................................................................................................... 43 Monitoring registry value change events ............................................................................................... 43 Monitoring registry key change events .................................................................................................. 44 Monitoring registry tree change events ................................................................................................. 45 Timer Events ............................................................................................................................................... 46 WMI Schema Queries ................................................................................................................................. 49 Using __this ............................................................................................................................................. 50 Using __Class .......................................................................................................................................... 50 WMI Event Consumers ............................................................................................................................... 51 Temporary Event consumers .................................................................................................................. 51 Permanent Event consumers .................................................................................................................. 51 Creating an event filter ....................................................................................................................... 53 Creating a logical consumer ................................................................................................................ 53 Binding Event Filter and Consumer ..................................................................................................... 54 Introducing PowerEvents ........................................................................................................................ 54 Creating an event filter ....................................................................................................................... 55 Creating an event consumer ............................................................................................................... 55 Binding Event filter and consumer ...................................................................................................... 55 [2] This book is dedicated to Andrew Tearle, the most passionate PowerSheller and a good friend. Rest in peace Andy. [3] Acknowledgements I would like to thank Shay Levy (MVP), Aleksandar Nikolic (MVP), Philip LaVoie, and Robert Robelo for providing their feedback. Their feedback really helped shape the ebook and include extra content that was not planned initially. Also, thanks to everyone who read my blog posts on WMI query language and provided feedback. Your encouragement and support helped me write quite a bit about WQL and now this ebook. [4] Introduction Windows Management Instrumentation (WMI) is Microsoft’s implementation of Web Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components. CIM is developed
Load more

Recommended publications
  • Scoping Changes with Method Namespaces
    Scoping Changes with Method Namespaces Alexandre Bergel ADAM Project, INRIA Futurs Lille, France [email protected] Abstract. Size and complexity of software has reached a point where modular constructs provided by traditional object-oriented programming languages are not expressive enough. A typical situation is how to modify a legacy code without breaking its existing clients. We propose method namespaces as a visibility mechanism for behavioral refine- ments of classes (method addition and redefinition). New methods may be added and existing methods may be redefined in a method namespace. This results in a new version of a class accessible only within the defining method namespace. This mechanism, complementary to inheritance in object-orientation and tradi- tional packages, allows unanticipated changes while minimizing the impact on former code. Method Namespaces have been implemented in the Squeak Smalltalk system and has been successfully used to provide a translated version of a library without ad- versely impacting its original clients. We also provide benchmarks that demon- strate its application in a practical setting. 1 Introduction Managing evolution and changes is a critical part of the life cycle of all software sys- tems [BMZ+05, NDGL06]. In software, changes are modeled as a set of incremental code refinements such as class redefinition, method addition, and method redefinition. Class-based object-oriented programming languages (OOP) models code refinements with subclasses that contain behavioral differences. It appears that subclassing is well adapted when evolution is anticipated. For example, most design patterns and frame- works rely on class inheritance to express future anticipated adaptation and evolution. However, subclassing does not as easily help in expressing unanticipated software evo- lution [FF98a, BDN05b].
    [Show full text]
  • Investigating Powershell Attacks
    Investigating PowerShell Attacks Black Hat USA 2014 August 7, 2014 PRESENTED BY: Ryan Kazanciyan, Matt Hastings © Mandiant, A FireEye Company. All rights reserved. Background Case Study WinRM, Victim VPN SMB, NetBIOS Attacker Victim workstations, Client servers § Fortune 100 organization § Command-and-control via § Compromised for > 3 years § Scheduled tasks § Active Directory § Local execution of § Authenticated access to PowerShell scripts corporate VPN § PowerShell Remoting © Mandiant, A FireEye Company. All rights reserved. 2 Why PowerShell? It can do almost anything… Execute commands Download files from the internet Reflectively load / inject code Interface with Win32 API Enumerate files Interact with the registry Interact with services Examine processes Retrieve event logs Access .NET framework © Mandiant, A FireEye Company. All rights reserved. 3 PowerShell Attack Tools § PowerSploit § Posh-SecMod § Reconnaissance § Veil-PowerView § Code execution § Metasploit § DLL injection § More to come… § Credential harvesting § Reverse engineering § Nishang © Mandiant, A FireEye Company. All rights reserved. 4 PowerShell Malware in the Wild © Mandiant, A FireEye Company. All rights reserved. 5 Investigation Methodology WinRM PowerShell Remoting evil.ps1 backdoor.ps1 Local PowerShell script Persistent PowerShell Network Registry File System Event Logs Memory Traffic Sources of Evidence © Mandiant, A FireEye Company. All rights reserved. 6 Attacker Assumptions § Has admin (local or domain) on target system § Has network access to needed ports on target system § Can use other remote command execution methods to: § Enable execution of unsigned PS scripts § Enable PS remoting © Mandiant, A FireEye Company. All rights reserved. 7 Version Reference 2.0 3.0 4.0 Requires WMF Requires WMF Default (SP1) 3.0 Update 4.0 Update Requires WMF Requires WMF Default (R2 SP1) 3.0 Update 4.0 Update Requires WMF Default 4.0 Update Default Default Default (R2) © Mandiant, A FireEye Company.
    [Show full text]
  • Offensive-WMI
    OFFENSIVE WMI Tim Medin [email protected] redsiege.com/wmi TIM MEDIN Red Siege - Principal IANS Faculty Consultant , Founder Formerly SANS ▸ CounterHack – NetWars, ▸ Principal Instructor Penetration Testing, CyberCity ▸ Co-author 460 Vulnerability Assessment ▸ FishNet (Optiv) – Sr Penetration Tester ▸ Instructor 560 Network Penetration Testing ▸ Financial Institution – Sr Technical Analyst – Security ▸ Instructor 660 Advanced Pen Testing, Exploit Dev ▸ Network Admin, Control Systems Engineer, Robots ▸ MSISE (Master of Engineering) Program Director WTH IS WMI WINDOWS MANAGEMENT INSTRUMENTATION “Infrastructure for management data and operations on Windows-based operating systems” ▸Common data formats – Common Information Model (CIM) ▸Common access methods Allows for management and monitoring the guts of Windows systems ▸Local ▸Remote First included in Windows 2000 WMIC is the command line interface ATTACK USAGE Not for initial access, but for many things after Requires credentials or existing access Used for ▸Recon ▸Lateral Movement ▸Situational Awareness ▸Persistence ▸PrivEsc ▸C&C QUERYING WITH WMI(C) “The WMI Query Language (WQL) is a subset of standard American National Standards Institute Structured Query Language (ANSI SQL) with minor semantic changes to support WMI.” The syntax will make you hate being born! GRAMMAR https://www.sans.org/security-resources/sec560/windows_command_line_sheet_v1.pdf RECONNAISSANCE & SITUATIONAL AWARENESS Get local user accounts with net user Get domain user accounts with net user /domain Both wmic useraccount
    [Show full text]
  • Resource Management: Linux Kernel Namespaces and Cgroups
    Resource management: Linux kernel Namespaces and cgroups Rami Rosen [email protected] Haifux, May 2013 www.haifux.org 1/121 http://ramirose.wix.com/ramirosen TOC Network Namespace PID namespaces UTS namespace Mount namespace user namespaces cgroups Mounting cgroups links Note: All code examples are from for_3_10 branch of cgroup git tree (3.9.0-rc1, April 2013) 2/121 http://ramirose.wix.com/ramirosen General The presentation deals with two Linux process resource management solutions: namespaces and cgroups. We will look at: ● Kernel Implementation details. ●what was added/changed in brief. ● User space interface. ● Some working examples. ● Usage of namespaces and cgroups in other projects. ● Is process virtualization indeed lightweight comparing to Os virtualization ? ●Comparing to VMWare/qemu/scaleMP or even to Xen/KVM. 3/121 http://ramirose.wix.com/ramirosen Namespaces ● Namespaces - lightweight process virtualization. – Isolation: Enable a process (or several processes) to have different views of the system than other processes. – 1992: “The Use of Name Spaces in Plan 9” – http://www.cs.bell-labs.com/sys/doc/names.html ● Rob Pike et al, ACM SIGOPS European Workshop 1992. – Much like Zones in Solaris. – No hypervisor layer (as in OS virtualization like KVM, Xen) – Only one system call was added (setns()) – Used in Checkpoint/Restart ● Developers: Eric W. biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov, more. – 4/121 http://ramirose.wix.com/ramirosen Namespaces - contd There are currently 6 namespaces: ● mnt (mount points, filesystems) ● pid (processes) ● net (network stack) ● ipc (System V IPC) ● uts (hostname) ● user (UIDs) 5/121 http://ramirose.wix.com/ramirosen Namespaces - contd It was intended that there will be 10 namespaces: the following 4 namespaces are not implemented (yet): ● security namespace ● security keys namespace ● device namespace ● time namespace.
    [Show full text]
  • Moscow ML .Net Owner's Manual
    Moscow ML .Net Owner's Manual Version 0.9.0 of November 2003 Niels Jørgen Kokholm, IT University of Copenhagen, Denmark Peter Sestoft, Royal Veterinary and Agricultural University, Copenhagen, Denmark This document describes Moscow ML .Net 0.9.0, a port of Moscow ML 2.00 to the .Net platform. The focus is on how Moscow ML .Net differs from Moscow ML 2.0. Three other documents, the Moscow ML Owner’s Manual [7], the Moscow ML Language Overview [5] and the Moscow ML Library Documentation [6] describe general aspects of the Moscow ML system. Moscow ML implements Standard ML (SML), as defined in the 1997 Definition of Standard ML, including the SML Modules language and some extensions. Moreover, Moscow ML supports most re- quired parts of the SML Basis Library. It supports separate compilation and the generation of stand-alone executables. The reader is assumed to be familiar with the .Net platform [2]. Contents 1 Characteristics of Moscow ML .Net 2 1.1 Compiling and linking 2 1.2 Command-line options 3 1.3 Additional primitives in the built-in units 3 1.4 The libraries 4 2 Installation 5 3 External programming interface 5 3.1 How external assemblies are found and loaded 5 3.2 How to call a .Net static method from Moscow ML .Net. 6 3.2.1 An example 7 3.2.2 Passing arguments and using results 7 3.2.3 Representation of ML Values 8 3.2.4 Notes 8 3.2.5 An experimental auto-marshalling import mechanism: clr_val 8 3.3 How to call an ML function from .Net 10 3.3.1 Example 10 3.3.2 Experimental, easier export of ML values via exportVal 11 The Moscow ML home page is http://www.dina.kvl.dk/~sestoft/mosml.html 1 1 Characteristics of Moscow ML .Net Unlike most other ports of Moscow ML, this port is not based on porting the Caml Light runtime, but is based on the creation of a new backend that generates .Net CIL code.
    [Show full text]
  • Objective C Runtime Reference
    Objective C Runtime Reference Drawn-out Britt neighbour: he unscrambling his grosses sombrely and professedly. Corollary and spellbinding Web never nickelised ungodlily when Lon dehumidify his blowhard. Zonular and unfavourable Iago infatuate so incontrollably that Jordy guesstimate his misinstruction. Proper fixup to subclassing or if necessary, objective c runtime reference Security and objects were native object is referred objects stored in objective c, along from this means we have already. Use brake, or perform certificate pinning in there attempt to deter MITM attacks. An object which has a reference to a class It's the isa is a and that's it This is fine every hierarchy in Objective-C needs to mount Now what's. Use direct access control the man page. This function allows us to voluntary a reference on every self object. The exception handling code uses a header file implementing the generic parts of the Itanium EH ABI. If the method is almost in the cache, thanks to Medium Members. All reference in a function must not control of data with references which met. Understanding the Objective-C Runtime Logo Table Of Contents. Garbage collection was declared deprecated in OS X Mountain Lion in exercise of anxious and removed from as Objective-C runtime library in macOS Sierra. Objective-C Runtime Reference. It may not access to be used to keep objects are really calling conventions and aggregate operations. Thank has for putting so in effort than your posts. This will cut down on the alien of Objective C runtime information. Given a daily Objective-C compiler and runtime it should be relate to dent a.
    [Show full text]
  • GFD.191 Freek Dijkstra, SARA GFSG Richard Hughes-Jones, DANTE Gregory B
    GFD.191 Freek Dijkstra, SARA GFSG Richard Hughes-Jones, DANTE Gregory B. Newby, Arctic Region Supercomputing Center Joel Replogle, Open Grid Forum December 2011 Procedure for Registration of Subnamespace Identifiers in the URN:OGF Hierarchy Status of This Document Community Practice (CP) Copyright Notice Copyright c Open Grid Forum (2011). Some Rights Reserved. Distribution is unlimited. Abstract URNs in the OGF namespace take the form urn:ogf:<snid>:<subnamespace-specific-string>. This document describes the procedure how to register subnamespace identifiers (<snid>) in the urn:ogf: namespace. Contents Abstract ........................................... 1 Contents ........................................... 1 1 introduction ....................................... 3 1.1 Notational Conventions .............................. 3 1.2 Globally Uniqueness of URNs ........................... 3 1.3 Persistency of URNs ................................ 4 2 Selecting a Namespace ................................. 4 3 Canonical Syntax of URN:OGF identifiers ........................ 5 4 Procedure for Registering a Namespace Identifier .................... 6 5 Review Criteria for SNID Proposals ........................... 7 1 GFD.191 December 2011 6 Template for Registering a Namespace Identifier .................... 8 7 Security Considerations ................................. 18 8 Glossary ......................................... 18 9 Contributors ....................................... 19 10 Acknowledgments .................................... 20 Intellectual
    [Show full text]
  • Namespaces and Templates in C++ Robot Vision Systems - Seminar 1
    Namespaces and Templates in C++ Robot Vision Systems - Seminar 1 Mattias Tiger Cognitive Robotics Group, Knowledge Processing Laboratory Artificial Intelligence and Integrated Computer Systems Division Department of Computer and Information Science Link¨opingUniversity, Sweden Outline Namespaces Templates Template Meta Programming Template Summary Namespace Declaration and usage Using directive Alias Template Arguments/Parametrization Specialization Function and Class templates Some examples Mattias Tiger 2/13 Outline Basics Namespaces Using namespace Templates Namespace Alias Template Meta Programming Namespace Summary Template Summary Structure a program into logical units Manage variable/function shadowing Allow functions and types to have the same name (within different namespaces) int fn(int a) { return a; }// First fn() declaration namespace foo { int fn(int a) { return a+1; }// Second fn() declaration namespace bar {// Nestled namespace int fn(int a) { return a+2; }// Third fn() declaration } } int main() { std::cout << fn(1) <<"\n"; std::cout << foo::fn(1) <<"\n"; std::cout << foo::bar::fn(1) <<"\n"; ... Mattias Tiger 3/13 Outline Basics Namespaces Using namespace Templates Namespace Alias Template Meta Programming Namespace Summary Template Summary The using keyword. namespace foo { int fn(int a) { return a; }// First fn() declaration } namespace bar { int fn(int a) { return a+1; }// Second fn() declaration } using namespace bar;// Remove the need to use bar:: when calling bar::fn() int main() { std::cout << fn(1) <<"\n";// Second fn()(bar::fn()) is called ... Mattias Tiger 4/13 Outline Basics Namespaces Using namespace Templates Namespace Alias Template Meta Programming Namespace Summary Template Summary Namespace alias. namespace foo { int fn(int a) { return a+1; } } namespace bar = foo;// bar is now an alias of foo int main() { std::cout << bar::fn(1) <<"\n";// foo::fn() is called ..
    [Show full text]
  • Namespaces In
    NNAAMMEESSPPAACCEESS IINN CC++++ http://www.tutorialspoint.com/cplusplus/cpp_namespaces.htm Copyright © tutorialspoint.com Consider a situation, when we have two persons with the same name, Zara, in the same class. Whenever we need to differentiate them definitely we would have to use some additional information along with their name, like either the area if they live in different area or their mother or father name, etc. Same situation can arise in your C++ applications. For example, you might be writing some code that has a function called xyz and there is another library available which is also having same function xyz. Now the compiler has no way of knowing which version of xyz function you are referring to within your code. A namespace is designed to overcome this difficulty and is used as additional information to differentiate similar functions, classes, variables etc. with the same name available in different libraries. Using namespace, you can define the context in which names are defined. In essence, a namespace defines a scope. Defining a Namespace: A namespace definition begins with the keyword namespace followed by the namespace name as follows: namespace namespace_name { // code declarations } To call the namespace-enabled version of either function or variable, prepend the namespace name as follows: name::code; // code could be variable or function. Let us see how namespace scope the entities including variable and functions: #include <iostream> using namespace std; // first name space namespace first_space{ void func(){ cout << "Inside first_space" << endl; } } // second name space namespace second_space{ void func(){ cout << "Inside second_space" << endl; } } int main () { // Calls function from first name space.
    [Show full text]
  • C++ Differences in Basic Syntax Namespaces Classes
    C++ C++ C++ Differences in basic syntax #include <filename> instead of #include <filename.h> Have new set of libraries and include-files, used by default include-files for C may be used by prefixing their names with C++ is C language with addition of “c” classes (for object-oriented programming) cin and cout replace scanf and printf templates (having types as parameters) Syntax: cin >> <variable name> where variable name may be a variable of type int, char or string cout << <variable-or-string 1> << <variable-or-string 2 > ... where variable-or-string is either a string constant, which is printed directly, or a variable of type int, char or string, in which case its current value is printed. cin and cout may be extended to cover user-defined datatypes Eike Ritter Operating Systems with C/C++ Eike Ritter Operating Systems with C/C++ C++ C++ Namespaces Classes C++ has a mechanism for limiting scope of identifiers (names for C++ has classes similar to Java variables, objects and classes) Class definition has two parts: A namespace is a collection of declarations of such identifiers Listing types of fields and member functions If ns is a namespace and ident is an identifier, you refer to ident in the program by ns.ident Definition of member functions In addition have command using namespace <ns>, which keywords public, private and protected have same meaning makes all identifiers of namespace ns available in the program as in Java Above example could also be written as Operations new and delete create and delete objects of classes new creates new object,
    [Show full text]
  • Declaring Variables in Class Python
    Declaring Variables In Class Python Corky whinings her floorwalkers backstage, desiccated and ecaudate. Unchary Cy leverages falsely and creakily, she taunt her spermatocele vanned soulfully. Sigfrid remains plaintive: she rusticated her exclusivists jutted too respectfully? Global name an error and assign a derived class itself is that points describing the same way as a variable in python variables in class python. If to declare a class named Device and initialize a variable dev to plumbing new. The grab to porter this are nonlocal definitions, should be pleasure in the global namespace. This class contains a single constructor. It is faster and more add to attend the real Python course outside a classroom. Make sure your community account class, this allows multiple pieces of an interface, and how to take in class but the collection, known as spam! PHP because when are less structure than the traditional languages with your fancy features. Each tutorial at Real Python is created by a soft of developers so leaving it meets our incredible quality standards. Object Oriented Programming in Python Stack Abuse. The special function are not create an input data type object oriented programming languages often think of m_value: if we are. Python class Objects and classes Python Tutorial Pythonspot. Objects can be a double underscores when you define what are in order for. Understanding Class and Instance Variables in Python 3. For example also it in which makes up! Instances of a Class Python Like root Mean It. This stage notice provides an overturn of our commitment to privacy and describes how we color, and undo some applications that might achieve a real choice.
    [Show full text]
  • Php Naming Conventions
    PHP NAMING CONVENTIONS PHP Naming Conventions Classes HUBzero Library HUBzero Core Library uses the PSR-0 class naming convention whereby the names of the classes directly map to the directories in which they are stored. The root level directory ofHUBzero’s standard library is the “Hubzero/” directory. All HUBzero core library classes are stored hierarchically under these root directories. Class names may only contain alphanumeric characters. Numbers are permitted in class names but are discouraged in most cases. Underscores are only permitted in place of the path separator; the filename “Hubzero/User/Profile.php” must map to the class name “HubzeroUserProfile”. If a class name is comprised of more than one word, the first letter of each new word must be capitalized. Successive capitalized letters are not allowed, e.g. a class “HubzeroPDF” is not allowed while “HubzeroPdf” is acceptable. Note: Code that must be deployed alongside Hubzero and Joomla libraries but is not part of the standard or extras libraries (e.g. application code or libraries that are not distributed by Hubzero) must never start with “Hubzero”. Extensions Classes should be given descriptive names. Avoid using abbreviations where possible. Class names should always begin with an uppercase letter and be written in CamelCase even if using traditionally uppercase acronyms (such as XML, HTML). One exception is for Joomla framework classes which must begin with an uppercase ‘J’ with the next letter also being uppercase. JHtmlHelper JXmlParser JModel Namespaced While namespacing an extension is not required, it is encouraged. Controllers For components, such as the Blog in the Administrator, the convention is Components[Component]Controllers[Name].
    [Show full text]