Получить экземпляр cim в текстовом файле

PS C:\> Get-AVStatus chi-win10

Displayname : ESET NOD32 Antivirus 9.0.386.0

ProductState : 266256

Enabled : True

UpToDate : True

Path : C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe

Timestamp : Thu, 21 Jul 2016 15:20:18 GMT

Computername : CHI-WIN10

Name Count

—- —–

ESET NOD32 Antivirus 9.0.386.0 12

ESET Endpoint Security 5.0 6

Windows Defender 4

360 Total Security 1

Import a CSV file which includes a Computername heading. The imported objects are piped to this command. The results are sent to Group-Object.

Displayname : ESET NOD32 Antivirus 9.0.386.0

ProductState : 266256

Enabled : True

UpToDate : False

Path : C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe

Timestamp : Wed, 20 Jul 2016 11:10:13 GMT

Computername : CHI-WIN11

Displayname : ESET NOD32 Antivirus 9.0.386.0

ProductState : 266256

Enabled : True

UpToDate : False

Path : C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe

Timestamp : Thu, 07 Jul 2016 15:15:26 GMT

Computername : CHI-WIN81

You can also pipe CIMSession objects. In this example, the output are enabled products that are not up to date.

The name of a computer to query.

An existing CIMsession.

The default is enabled products only.

initialize an hashtable of paramters to splat to Get-CimInstance

initialize an empty array to hold results

filter for enabled only

For a client of my company, I want to create a PowerShell script to retrieve configuration information on each computer. So as a beginner in PowerShell and after a lot of research, I found 3 command lines in PowerShell which are useful to do this :

  • Get-CimInstance -ClassName Win32_LogicalDisk
  • Get-CimInstance -ClassName Win32_Processor
  • Get-CimInstance -ClassName Win32_ComputerSystem

The aim now is to pipe these 3 informations to a text file or an Excel file if possible. After trying, I’ve just managed to export a single result that replaces another in a text file but I can’t manage to add these 3, one line after the other.

:/>  <strong>как запустить windows 10 в безопасном режиме</strong>

And to add line : Add-Content -Path C:\test.txt -Value (Get-CimInstance -Classname Win32_Processor) but the result isn’t conclusive.

Thank’s for your help !

asked Jul 20, 2023 at 9:01

BenGates's user avatar

"win32_logicaldisk", "win32_processor", "win32_computersystem" |
% { gcim -cl $_ } | out-file outfile.txt

answered Jul 20, 2023 at 9:38

Thor's user avatar

12 gold badges123 silver badges137 bronze badges

You can combine multiple statements into one pipeline with “$()”:

$(Get-CimInstance -ClassName Win32_LogicalDisk
Get-CimInstance -ClassName Win32_Processor
Get-CimInstance -ClassName Win32_ComputerSystem) | Out-File -FilePath C:\test.txt
& {Get-CimInstance -ClassName Win32_LogicalDisk
Get-CimInstance -ClassName Win32_Processor
Get-CimInstance -ClassName Win32_ComputerSystem} | Out-File -FilePath C:\test.txt

answered Jul 20, 2023 at 14:38

js2010's user avatar

6 gold badges74 silver badges77 bronze badges

Try in Splunk Security Cloud

Description

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2024-05-23
  • Author: Michael Haag, Splunk
  • ID: d8c972eb-ed84-431a-8869-ca4bd83257d1

Annotations

ATT&CK
Kill Chain Phase
  • Installation
NIST
  • DE.AE
CIS20
  • CIS 10
CVE
1
2
3
4
5
`powershell` EventCode=4104 ScriptBlockText="*get-ciminstance*" AND ScriptBlockText="*computername*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_get_ciminstance_remote_computer_filter`

Macros

Required fields

List of fields required to use this analytic.

  • _time
  • ScriptBlockText
  • Computer
  • EventCode

How To Implement

Known False Positives

This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index.

Associated Analytic Story

RBA

Risk ScoreImpactConfidenceMessage
15.03050A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range