Created August 14, 2017 08:48
Read Sysmon Events from Remote
$comp = '<IP address>'              # if in a domain, use the Windows machine name
$username = '<Machine/admin_name>'
$password = '<Password>'
$pass = ConvertTo-SecureString -AsPlainText $password -Force
$SecureString = $pass
$MySecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$SecureString
# Remote WMI sanity checks (commented out); the parameter dashes must be plain hyphens, not en-dashes
#gwmi win32_service -Credential $MySecureCreds -ComputerName 172.16.199.162
#Invoke-WmiMethod -ComputerName $comp -Credential $MySecureCreds -Class win32_process -Name create -ArgumentList "notepad"
$Date = (Get-Date).AddMinutes(-2)   # look back two minutes; event ID 1 = process create
Get-WinEvent -ComputerName $comp -Credential $MySecureCreds -FilterHashTable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; StartTime = $Date } | where {$_.ID -eq 1} | select *
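As an added example (not the gist's own code), the same remote read wrapped in a function that filters on event ID server-side and flattens Sysmon's `<EventData><Data Name="...">` fields into object properties, so a responder can select `Image`, `CommandLine`, `ParentImage` or `Hashes` directly instead of scrolling through `select *`. The host, account and IP values are constructed placeholders; it assumes Sysmon is logging to `Microsoft-Windows-Sysmon/Operational` on the remote host and that the account can read that log remotely (the same access prerequisites the gist's comment describes for non-domain VMs).

```powershell
# Added example, not part of the original gist.
# Assumed: remote host runs Sysmon with the default log name; the credential
# has remote Event Log read rights. Placeholder values are constructed.

function Get-RemoteSysmonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]        $ComputerName,
        [Parameter(Mandatory)] [pscredential]  $Credential,
        [int[]] $EventId         = @(1),   # 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate, ...
        [int]   $LookbackMinutes = 2,
        [int]   $MaxEvents       = 500
    )

    # Filter on log, ID and time on the remote side rather than pulling everything
    # and piping through Where-Object locally.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $EventId
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -Credential $Credential `
                               -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; treat that as an empty result
        # but let access-denied / RPC failures surface to the caller.
        if ($_.Exception.Message -like 'No events were found*') { return }
        throw
    }

    foreach ($e in $events) {
        # Sysmon stores its fields as <Data Name="Image">...</Data> elements under EventData.
        $xml   = [xml]$e.ToXml()
        $props = [ordered]@{
            Computer    = $e.MachineName
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            RecordId    = $e.RecordId
        }
        foreach ($d in $xml.Event.EventData.Data) {
            $props[$d.Name] = $d.'#text'
        }
        [pscustomobject]$props
    }
}

# Usage (constructed placeholder values). Get-Credential prompts for the password
# so it does not have to be stored in plain text in the script.
# $cred = Get-Credential 'REMOTEHOST\admin_name'
# Get-RemoteSysmonEvent -ComputerName '192.0.2.10' -Credential $cred -EventId 1 -LookbackMinutes 10 |
#     Select-Object TimeCreated, Image, CommandLine, ParentImage, User, Hashes |
#     Format-Table -AutoSize
```

Passing `-EventId 1,3` returns process creations and network connections in one call, and because every `Data` element becomes a property, the output can be piped straight to `Where-Object`, `Group-Object` or `Export-Csv` for triage.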
Most people will be plucking their hair out when exploring remote WMI calls. After following quite a number of articles that covered:
It still didn't work for my Windows 7 test VMs. Then I ran into this: https://helgeklein.com/blog/2011/08/access-denied-trying-to-connect-to-administrative-shares-on-windows-7/
Creating that registry value worked like a charm.
Use the IP address; I wasted a few minutes issuing WMIC.exe and PowerShell commands with the Windows machine name. (Both VMs are NOT part of a domain.)