Applies to Product: | USM Appliance™ | LevelBlue OSSIM® |
Windows Management Instrumentation (WMI) plugins collect Microsoft Windows events and data remotely. These plugins collect the information without an agent, using the Windows Management Instrumentation Command Line (WMIC).
Note: Currently, WMIC does not support samba4/NTLMv2. Nor does WMIC work on more recent Windows versions, like Windows Server 2012 or later, because these versions accept NTLMv2 only by default.
To use a WMI plugin with a Windows host that uses NTLMv2, you must manually enable NTLMv1 authentication on that host (the "Network security: LAN Manager authentication level" policy, stored as LmCompatibilityLevel). For information about this, see the Microsoft Support web pages. Keep in mind that NTLMv1 is a weak protocol: its challenge responses can be relayed or cracked by anyone who captures them on the network. Lower the authentication level only on the hosts the plugin polls, use a dedicated account with no more rights than it needs (see the procedure below), and restrict access to the WMI/DCOM ports of those hosts to the USM Appliance sensor.
# Plugin wmi-application-logger id:1518 version: 0.0.2
# Last modification: 2015-05-13 16:11
#
# Plugin Selection Info:
# AlienVault:WMI Application Logger:-
#
# END-HEADER
# Accepted products:
# alienvault - plugin-wmi -
# Description:
#
[DEFAULT]
plugin_id=1518
[config]
type=detector
enable=yes
source=wmi
credentials_file=/etc/ossim/agent/wmi_credentials.csv
sleep=10
process=
start=no
stop=no
[start_cmd]
cmd=wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select LogFile,RecordNumber from Win32_NTLogEvent Where Logfile = 'Application'" | head -n 3 | tail -n 1 | cut -f 2 -d \|
regexp=
[cmd]
cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select ComputerName,EventCode,Logfile,Message,RecordNumber,SourceName,TimeWritten,User from Win32_NTLogEvent Where Logfile = 'Application' and RecordNumber > OSS_COUNTER" | cat
start_regexp=^([^\|]+)\|(\d+)\|([^\|]+)\|
regexp="^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
src_ip={resolv($0)}
plugin_sid={$1}
userdata2={$2}
userdata3={$3}
userdata4={$4}
userdata5={$5}
userdata6={$6}
username={$7}
The following sections of a WMI plugin are essential.
[start_cmd]
[cmd]
[start_cmd] runs once when the plugin starts. Its query returns the Application log's RecordNumber column, newest record first. wmic prints a CLASS line and a header line before the records, so the pipeline head -n 3 | tail -n 1 | cut -f 2 -d \| keeps only the RecordNumber of the most recent event; that value becomes OSS_COUNTER. [cmd] then polls (every sleep seconds) for events whose RecordNumber is greater than OSS_COUNTER, so the plugin starts reading from the most recent event instead of replaying the whole log. Each returned line is matched against start_regexp to identify a record and then against regexp, whose named groups feed the fields listed under it: system_name becomes src_ip via resolv(), EventCode becomes plugin_sid, and the remaining columns go to userdata2 through userdata6 and username. Note that both expressions are line-oriented and treat every | as a column separator, so a Message that spans several lines is truncated and a Message that contains | shifts the later columns.
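The handoff described above, as an added example (not code from the USM Appliance agent or the plugin): it replays the [start_cmd] counter extraction and the [cmd] regexp field mapping over constructed wmic output, including a record whose Message contains a |. The regular expressions and field names are copied from the plugin; the wmic output lines are constructed, and the counter bookkeeping in next_counter is an assumption, since the page does not show how the agent advances OSS_COUNTER.

```python
"""Added example, not USM Appliance code: replays the [start_cmd]/[cmd]
handoff of the wmi-application-logger plugin over constructed wmic output
so the counter extraction and field mapping can be checked."""
import re

# Regular expressions copied verbatim from the plugin configuration.
START_REGEXP = re.compile(r"^([^\|]+)\|(\d+)\|([^\|]+)\|")
REGEXP = re.compile(
    r"^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|"
    r"(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|"
    r"(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
)

# Named group -> event field, as assigned in the plugin's [cmd] section.
# (system_name is what the plugin passes to resolv() to obtain src_ip.)
FIELD_MAP = {
    "system_name": "system_name", "plugin_sid": "plugin_sid",
    "logfile": "userdata2", "message": "userdata3", "recordnumber": "userdata4",
    "sourcename": "userdata5", "timewritten": "userdata6", "username": "username",
}

# Constructed sample of wmic output for the [start_cmd] query: a CLASS line,
# a header line, then records, newest first.
START_OUTPUT = """CLASS: Win32_NTLogEvent
LogFile|RecordNumber
Application|4710
Application|4709
"""

# Constructed sample of the [cmd] query output once OSS_COUNTER is 4710.
# The second record's Message contains a '|', which the regexp cannot
# distinguish from a column separator.
CMD_OUTPUT = """CLASS: Win32_NTLogEvent
ComputerName|EventCode|Logfile|Message|RecordNumber|SourceName|TimeWritten|User
WIN7-LAB|1000|Application|Faulting application name: notepad.exe|4712|Application Error|20150513161100.000000+000|LAB\\alice
WIN7-LAB|7036|Application|Backup agent state | running|4711|ExampleBackup|20150513160000.000000+000|(null)
"""


def start_counter(wmic_output):
    """Same selection as `head -n 3 | tail -n 1 | cut -f 2 -d \\|`: the
    RecordNumber of the first data row (line 3), i.e. the newest event.
    Returns None when there are fewer than three lines (no events, or wmic
    failed), which is the case the plugin has nothing to start from."""
    lines = wmic_output.splitlines()
    if len(lines) < 3 or "|" not in lines[2]:
        return None
    return lines[2].split("|")[1]


def parse_cmd_output(wmic_output, counter):
    """Apply start_regexp and regexp as the agent does; return (events, rejected).
    A record is rejected when regexp does not match, when RecordNumber is not
    numeric (columns shifted by a '|' in Message), or when it is not beyond
    the counter."""
    events, rejected = [], []
    for line in wmic_output.splitlines():
        if not START_REGEXP.match(line):
            continue  # CLASS: and header lines never match (EventCode is not \d+)
        m = REGEXP.match(line)
        if m is None:
            rejected.append(line)
            continue
        event = {FIELD_MAP[name]: value for name, value in m.groupdict().items()}
        record = event["userdata4"]
        if not record.isdigit() or int(record) <= int(counter):
            rejected.append(line)
            continue
        events.append(event)
    return events, rejected


def next_counter(counter, events):
    """Assumption: the agent advances OSS_COUNTER to the highest RecordNumber
    it accepted. The page does not show the agent's own bookkeeping."""
    return max([int(counter)] + [int(e["userdata4"]) for e in events])


if __name__ == "__main__":
    counter = start_counter(START_OUTPUT)
    events, rejected = parse_cmd_output(CMD_OUTPUT, counter)
    for e in events:
        print("plugin_sid=%s record=%s user=%s" % (e["plugin_sid"], e["userdata4"], e["username"]))
    for line in rejected:
        print("rejected:", line[:60])
    print("next OSS_COUNTER:", next_counter(counter, events))
```

The shifted record is the case to watch for in production: the regexp still matches it, so without the numeric check on RecordNumber the event would be stored with SourceName in the record-number field and the date in the user field. If an application on the host writes | or line breaks into its messages, expect those events to be dropped or mangled by this plugin.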
Additional Configuration Required Before You Enable a WMI Plugin
You need to perform the following additional configuration before you can use the WMI plugins.
This configuration procedure prepares a Windows host so that the WMI plugin on USM Appliance can query it remotely. The procedure is appropriate for production.
Note: This procedure is based on Microsoft Windows 7. Microsoft Windows 10 no longer shows the Run box in the Start menu. However, Windows 10 does allow you to personalize the Start menu to include it. For more information, refer to the Windows 10 documentation.
To enable remote WMI access on Windows
-
Create a new user in the Windows host (without any administrator privileges) who can connect remotely. In this example, we use “wmiuser” as the username and “wmi” as the password. In production, use a long random password: it is stored in plaintext on USM Appliance and sent with NTLMv1 authentication.
Important: This step is performed to make the connection more secure. A dedicated, non-administrator account limits what an attacker gains if these credentials are captured or cracked.
-
Enable remote access and activation permissions for the user account you just created.
- In the Windows Start menu, type Dcomcnfg in the empty field and press Enter.
- In the Component Services dialog box, right-click My Computer and select Properties.
-
Click the COM Security tab, then Edit Limits under Access Permissions.
-
Click ANONYMOUS LOGON, enable Allow Remote Access, and then click OK.
- Click Apply.
- On the COM Security tab, under Launch and Activation Permissions, select Edit Limits, then click Add.
- In the empty field of the popup that appears, type the username for the new user account and click OK.
- On the Launch and Activation Permissions dialog box, select Remote Launch, Local Activation, and Remote Activation. Click OK.
-
Click Apply, and then OK.
Note: Edit Limits changes the machine-wide DCOM security limits, and the ANONYMOUS LOGON change applies to every remote caller, not only to wmiuser. Use Windows Firewall to restrict inbound connections to TCP port 135 and the dynamic RPC ports on this host to the IP address of the USM Appliance sensor.
Follow this procedure to create a file with your Windows IP and credentials on USM Appliance. You will need command line access to USM Appliance to complete this task.
To configure USM Appliance to use a WMI plugin
-
Connect to the LevelBlue Console through SSH and use your credentials to log in.
The LevelBlue Setup menu displays.
-
On the LevelBlue Setup main menu, select Jailbreak System to gain command line access.
Select Yes when prompted. You will be in the root directory.
-
Create a wmi_credentials.csv file.
vim /etc/ossim/agent/wmi_credentials.csv
-
Add one line per Windows host, with the IP address, user, and password in the following format.
xxx.xxx.x.x,<domain_name>\\<wmiuser>,<password>
Example
233.200.7.0, mydomain_name\\mr_big,uguessed1t
If you do not use a domain, enter the following instead.
xxx.xxx.x.x, <username>,<password>
- Save the file. Because it stores passwords in plaintext, make sure it is readable only by its owner (chmod 600 /etc/ossim/agent/wmi_credentials.csv).
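A check of the credentials file before the plugin is enabled, as an added example (not USM Appliance code): it validates each line against the format above, splits the domain from the user, and shows the -U value that [start_cmd] and [cmd] substitute for OSS_WMI_USER%OSS_WMI_PASS. The sample file lines are constructed; the explanation of why the domain separator is written as a doubled backslash (unquoted shell expansion in the [cmd] line) is an assumption, and the argv built by wmic_argv illustrates the plugin's command line rather than how the agent itself launches wmic.

```python
"""Added example, not USM Appliance code: checks a wmi_credentials.csv file
before the plugin is enabled and shows how each line becomes the -U argument
that [start_cmd] and [cmd] pass to wmic."""
import ipaddress
import os
import stat

# Constructed sample file in the format the page describes. Lines 3 and 4
# are deliberately wrong.
SAMPLE_CSV = """233.200.7.0, mydomain_name\\\\mr_big,uguessed1t
10.0.5.21,wmiuser,wmi
10.0.5.22,LAB\\\\svc_wmi,pa%ss
10.0.5.23,too,many,fields
"""


def parse_credentials(text):
    """Return (entries, problems). entries: dicts with host, domain, user,
    password; problems: (line number, reason) for lines that are skipped."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            problems.append((lineno, "expected exactly: ip,user,password"))
            continue
        host, account, password = parts
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append((lineno, "first field is not an IP address"))
            continue
        # The page writes the domain separator as a doubled backslash.
        # Assumption: the value is expanded into the unquoted shell command
        # line of [cmd], where '\\' collapses to the single '\' wmic expects.
        domain, sep, user = account.rpartition("\\\\")
        if not sep:
            domain, user = "", account
        # wmic -U takes USER%PASS, so a '%' in the password cannot be expressed.
        if "%" in password:
            problems.append((lineno, "password contains '%', the wmic -U separator"))
            continue
        entries.append({"host": host, "domain": domain, "user": user, "password": password})
    return entries, problems


def wmic_user_arg(entry):
    """Value substituted for OSS_WMI_USER%OSS_WMI_PASS, after the shell has
    collapsed the doubled backslash."""
    account = entry["user"]
    if entry["domain"]:
        account = entry["domain"] + "\\" + entry["user"]
    return account + "%" + entry["password"]


def wmic_argv(entry, query):
    """argv equivalent of the plugin's [cmd] line for one host. The password
    is on the command line, so it is visible in `ps` on the appliance for as
    long as the query runs."""
    return ["wmic", "-U", wmic_user_arg(entry), "//" + entry["host"], query]


def file_is_private(path):
    """True if the file is readable only by its owner (mode 0600 or
    stricter), which is what a plaintext password file needs."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


if __name__ == "__main__":
    entries, problems = parse_credentials(SAMPLE_CSV)
    for e in entries:
        print(" ".join(wmic_argv(e, "Select RecordNumber from Win32_NTLogEvent")))
    for lineno, reason in problems:
        print("line %d skipped: %s" % (lineno, reason))
    path = "/etc/ossim/agent/wmi_credentials.csv"
    if os.path.exists(path):
        print("credentials file private:", file_is_private(path))
```

Two practical consequences follow from the command line the plugin builds: a password containing % breaks the USER%PASS syntax, and every password in the file is exposed in the process list while a query runs, so the file should hold dedicated, low-privilege accounts only (the "wmi" password in the page's example is illustrative, not a recommendation).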
In order for the WMI plugin to work correctly, you must update the plugin with the path to the wmi_credentials.csv file you just created. You will need command line access to USM Appliance to complete this task.
To specify the path to the WMI credentials file
-
Depending on which plugin you've enabled, locate the WMI configuration file or files in your USM Appliance instance. Potential file locations might be any of the following.
/etc/ossim/agent/plugins/wmi-application-logger.cfg
/etc/ossim/agent/plugins/wmi-monitor.cfg
/etc/ossim/agent/plugins/wmi-security-logger-srv2008.cfg
/etc/ossim/agent/plugins/wmi-security-logger.cfg
/etc/ossim/agent/plugins/wmi-system-logger.cfg
-
Create the file <wmi-xxxx-plugin>.cfg.local based on your choice and enter the path to your wmi_credentials.csv file in the credentials_file field. Settings in the .cfg.local file override the matching settings in the shipped .cfg file, so your path is kept separate from the default configuration.
Example
[config]
credentials_file=/etc/ossim/agent/wmi_credentials.csv
- Save the file.
You can now enable the WMI plugin. See Enable Plugins on Assets.