Windows 7

From Hack Sphere Labs Wiki

WMI Pull Event Logs

  • Enable WMI Through Firewall on Windows
wmic -U DOMAIN/USERNAME%PASSWORD //HostnameorIP "Select * from Win32_NTLogEvent Where LogFile='Security'" | grep '\.exe' | grep 'New Process Name' > output.temp   # keep only the 'New Process Name' lines of process-creation events
sed 's/\sNew Process Name:\s//g' output.temp   # strips the label; prints to stdout, output.temp is not modified
cat output.temp | sed 's/\sNew Process Name:\s//g' | sort | uniq   # distinct process paths seen in the log
./winexe-static --debuglevel=1 -U IT%3c4bhkec //HostnameorIP "wevtutil cl Security"   # clears the remote Security log
awk 'NR==FNR { a[$0]; next } !($0 in a)' whitelist checklist   # prints lines of checklist that are absent from whitelist
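The pull, strip, dedupe and whitelist-diff steps above as one offline script (an added example, not from the original wiki page). It runs on a constructed fragment of Security-log event text and a constructed whitelist; the function names and sample values are assumptions, and the remote wmic call is left out so it runs anywhere.

```shell
#!/bin/sh
# Constructed sample of the event text a Security-log pull returns
# (process-creation messages as they appear in the Win32_NTLogEvent Message field).
SAMPLE_EVENTS='A new process has been created.
    New Process Name:   C:\Windows\System32\svchost.exe
    Creator Process ID: 0x1f0
A new process has been created.
    New Process Name:   C:\Users\bob\AppData\Local\Temp\update.exe
    Creator Process ID: 0x2a4
A new process has been created.
    New Process Name:   C:\Windows\System32\svchost.exe
    Creator Process ID: 0x1f0
A new process has been created.
    New Process Name:   C:\Windows\explorer.exe
    Creator Process ID: 0x3b8'

# Constructed whitelist: binaries expected to run on this host, one path per line.
WHITELIST='C:\Windows\System32\svchost.exe
C:\Windows\explorer.exe'

# Read event text on stdin, print each distinct "New Process Name" value once.
extract_process_names() {
    grep 'New Process Name' | sed 's/^[[:space:]]*New Process Name:[[:space:]]*//' | sort | uniq
}

# Read process paths on stdin, print those absent from the whitelist file given as $1
# (same awk idiom as the wiki's whitelist/checklist one-liner; "-" is stdin).
unlisted_processes() {
    awk 'NR==FNR { a[$0]; next } !($0 in a)' "$1" -
}

# Run the whole pipeline over the constructed sample; prints the unexpected binaries.
unknown_from_sample() {
    wl=$(mktemp)
    printf '%s\n' "$WHITELIST" > "$wl"
    printf '%s\n' "$SAMPLE_EVENTS" | extract_process_names | unlisted_processes "$wl"
    rm -f "$wl"
}

unknown_from_sample
```

Replace the sample with the saved output.temp from the wmic pull and the constructed whitelist with the host's own to review a live machine.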

Notes

net localgroup add
net rpc

winexe

git clone git://git.code.sf.net/p/winexe/winexe-waf winexe-winexe-waf
apt-get install gcc-mingw32 mingw32-binutils mingw-w64 comerr-dev libpopt-dev libbsd-dev zlib1g-dev libc6-dev python-dev
cd winexe-winexe-waf/source   # the 'source' directory inside the winexe checkout
git clone git://git.samba.org/samba.git samba
./waf configure --samba-dir=../samba
./waf
cd build
./winexe-static

winexe service install

sc create winexesvc binPath= C:\WINDOWS\WINEXESVC.EXE start= auto DisplayName= winexesvc
sc description winexesvc "Remote command provider for Zenoss monitoring"

Notes


App not responding/application stopped working