# Plugin wmi-application-logger id:1518 version: 0.0.2
# Last modification: 2015-05-13 16:11
#
# Plugin Selection Info:
# AlienVault:WMI Application Logger:-
#
# END-HEADER
# Accepted products:
# alienvault - plugin-wmi -
# Description:
#
# [DEFAULT]: presumably a configparser-style fallback section whose keys are
# visible from every other section — confirm against the agent's parser.
# plugin_id matches the "id:1518" in the file header above.
[DEFAULT]
plugin_id=1518
# Agent-side settings for this detector plugin.
[config]
type=detector
enable=yes
source=wmi
# CSV mapping each Windows host to the account used for the WMI connection;
# the walkthrough below documents its format (ip,domain\\user,password) and
# overrides this path in a <plugin>.cfg.local file.
# NOTE(review): the passwords in that CSV are stored in plain text, so the
# file should be readable only by the agent's own user.
credentials_file=/etc/ossim/agent/wmi_credentials.csv
# interval between polls — unit not stated in this file, presumably seconds; confirm
sleep=10
# no local process is managed for this plugin (process left empty, start/stop
# disabled) — presumed semantics; confirm against the agent's plugin reference
process=
start=no
stop=no
# One-off query that decides where reading starts: selects LogFile,RecordNumber
# from the Application log, keeps the third output line (head -n 3 | tail -n 1)
# and takes its second '|'-separated field — presumably the RecordNumber column,
# given the Select order. The walkthrough below describes this as the last event.
# OSS_WMI_USER / OSS_WMI_PASS / OSS_WMI_HOST are placeholders, presumably filled
# in per host from credentials_file — confirm. "user%pass" is wmic's credential
# syntax, so this file must be read without %-interpolation.
# NOTE(review): -U user%pass passes the password on the wmic command line, so it
# is visible to other local users through the process list while wmic runs; if
# the installed wmic supports an authentication-file option, that keeps it off
# the command line.
[start_cmd]
cmd=wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select LogFile,RecordNumber from Win32_NTLogEvent Where Logfile = 'Application'" | head -n 3 | tail -n 1 | cut -f 2 -d \|
# no parsing of the start value is configured here
regexp=
# Per-poll query: every Application-log event whose RecordNumber is above
# OSS_COUNTER (presumably seeded from [start_cmd] and advanced as events are
# read — confirm). Each event is expected as one '|'-separated line whose
# fields follow the Select column order.
[cmd]
# NOTE(review): this is the only key in the file written as "key = value";
# the rest use "key=value".
cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select ComputerName,EventCode,Logfile,Message,RecordNumber,SourceName,TimeWritten,User from Win32_NTLogEvent Where Logfile = 'Application' and RecordNumber > OSS_COUNTER" | cat
# First three fields of a record (ComputerName|EventCode|Logfile) — presumably
# used to recognise the start of a record before regexp is applied; confirm.
start_regexp=^([^\|]+)\|(\d+)\|([^\|]+)\|
# Full record parser; named groups line up positionally with the Select
# columns (system_name=ComputerName, plugin_sid=EventCode, ... username=User).
# NOTE(review): this value is double-quoted while start_regexp is not; whether
# the quotes are stripped or kept literally depends on the agent's parser — confirm.
# NOTE(review): every field except the last is [^\|]+, so an event whose Message
# text itself contains a '|' shifts all following fields by one.
regexp="^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
# Event field mappings. $N appears to be a 0-based capture-group index
# ($1 = second group = plugin_sid, $7 = username, matching the group names);
# resolv() presumably resolves the system name to an IP address — confirm.
src_ip={resolv($0)}
plugin_sid={$1}
userdata2={$2}
userdata3={$3}
userdata4={$4}
userdata5={$5}
userdata6={$6}
username={$7}
You use [start_cmd] and [cmd] to return the last WMI Application event, and start reading from that event.
Create a new user on the Windows host (without any administrator privileges) who can connect remotely. In this example, we use “wmiuser” as the username and “wmi” as the password.
Important: This step (using a non-administrator account) is performed to make the connection more secure.
Enable remote access and activation permissions for the user account you just created.
Type Dcomcnfg in the empty field and press Enter.
Click the COM Security tab, then Edit Limits under Access Permissions.
Click ANONYMOUS LOGON, enable Allow Remote Access, and then click OK.
Click Apply.
On the COM Security tab, under Launch and Activation Permissions, select Edit Limits, then click Add.
In the empty field of the popup that appears, type the username for the new user account and click OK.
On the Launch and Activation Permissions dialog box, select Remote Launch, Local Activation, and Remote Activation. Click OK.
Click Apply, and then OK.
Connect to the Sheriff Console through SSH and use your credentials to log in.
The Sheriff Setup menu displays.
On the Sheriff Setup main menu, select Jailbreak System to gain command line access.
Select Yes when prompted. You will be in the root directory.
Create a wmi_credentials.csv file.
vim /etc/vigilante/agent/wmi_credentials.csv
Add the IP address, user, and password for each host, using one of the following formats.
xxx.xxx.x.x,<domain_name>\\<wmiuser>,<password>
Example
233.200.7.0, mydomain_name\\mr_big,uguessed1t
If you do not use a domain, enter the following instead.
xxx.xxx.x.x,<username>,<password>
Save the file.
Then specify the path to the wmi_credentials.csv file you just created. You will need command line access to Sheriff CSM to complete this task.
To specify the path to the WMI credentials file, first locate the WMI configuration file or files in your Sheriff CSM instance; which ones exist depends on which plugin you've enabled. Potential file locations might be any of the following.
/etc/vigilante/agent/plugins/wmi-application-logger.cfg
/etc/vigilante/agent/plugins/wmi-monitor.cfg
/etc/vigilante/agent/plugins/wmi-security-logger-srv2008.cfg
/etc/vigilante/agent/plugins/wmi-security-logger.cfg
/etc/vigilante/agent/plugins/wmi-system-logger.cfg
Create a <wmi-xxxx-plugin>.cfg.local file for the plugin you chose, and enter the path to your wmi_credentials.csv file in its credentials_file field.
Example
[config]
credentials_file=/etc/vigilante/agent/wmi_credentials.csv
Save the file.