PS C:\> Get-AVStatus chi-win10
Displayname : ESET NOD32 Antivirus 9.0.386.0
ProductState : 266256
Enabled : True
UpToDate : True
Path : C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe
Timestamp : Thu, 21 Jul 2016 15:20:18 GMT
Computername : CHI-WIN10
Name Count
—- —–
ESET NOD32 Antivirus 9.0.386.0 12
ESET Endpoint Security 5.0 6
Windows Defender 4
360 Total Security 1
Import a CSV file which includes a Computername heading. The imported objects are piped to this command. The results are sent to Group-Object.
Displayname : ESET NOD32 Antivirus 9.0.386.0
ProductState : 266256
Enabled : True
UpToDate : False
Path : C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe
Timestamp : Wed, 20 Jul 2016 11:10:13 GMT
Computername : CHI-WIN11
Displayname : ESET NOD32 Antivirus 9.0.386.0
ProductState : 266256
Enabled : True
UpToDate : False
Path : C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe
Timestamp : Thu, 07 Jul 2016 15:15:26 GMT
Computername : CHI-WIN81
You can also pipe CIMSession objects. In this example, the output are enabled products that are not up to date.
The name of a computer to query.
An existing CIMsession.
The default is enabled products only.
initialize an hashtable of paramters to splat to Get-CimInstance
initialize an empty array to hold results
filter for enabled only
For a client of my company, I want to create a PowerShell script to retrieve configuration information on each computer. So as a beginner in PowerShell and after a lot of research, I found 3 command lines in PowerShell which are useful to do this :
- Get-CimInstance -ClassName Win32_LogicalDisk
- Get-CimInstance -ClassName Win32_Processor
- Get-CimInstance -ClassName Win32_ComputerSystem
The aim now is to pipe these 3 informations to a text file or an Excel file if possible. After trying, I’ve just managed to export a single result that replaces another in a text file but I can’t manage to add these 3, one line after the other.
And to add line : Add-Content -Path C:\test.txt -Value (Get-CimInstance -Classname Win32_Processor) but the result isn’t conclusive.
Thank’s for your help !
asked Jul 20, 2023 at 9:01
"win32_logicaldisk", "win32_processor", "win32_computersystem" |
% { gcim -cl $_ } | out-file outfile.txtanswered Jul 20, 2023 at 9:38
12 gold badges123 silver badges137 bronze badges
You can combine multiple statements into one pipeline with “$()”:
$(Get-CimInstance -ClassName Win32_LogicalDisk
Get-CimInstance -ClassName Win32_Processor
Get-CimInstance -ClassName Win32_ComputerSystem) | Out-File -FilePath C:\test.txt& {Get-CimInstance -ClassName Win32_LogicalDisk
Get-CimInstance -ClassName Win32_Processor
Get-CimInstance -ClassName Win32_ComputerSystem} | Out-File -FilePath C:\test.txtanswered Jul 20, 2023 at 14:38
6 gold badges74 silver badges77 bronze badges
Try in Splunk Security Cloud
Description
- Type: Anomaly
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-05-23
- Author: Michael Haag, Splunk
- ID: d8c972eb-ed84-431a-8869-ca4bd83257d1
Annotations
ATT&CK
Kill Chain Phase
- Installation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
`powershell` EventCode=4104 ScriptBlockText="*get-ciminstance*" AND ScriptBlockText="*computername*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_get_ciminstance_remote_computer_filter`
Macros
Required fields
List of fields required to use this analytic.
- _time
- ScriptBlockText
- Computer
- EventCode
How To Implement
Known False Positives
This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 15.0 | 30 | 50 | A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host. |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range



