With all of the ransomware attacks that are making the headlines this year, many businesses are looking to improve their security posture. One of the methods security professionals find most effective is to use software that controls what applications any networked computer is able to run. If an employee can’t open the bad actor’s malware package, then the attack can’t happen.
VMware’s Carbon Black, Microsoft’s Windows AppLocker, and Trend’s Apex One all work by allowing only a list of approved applications to run on a given system. A key step in deploying tools of this nature is to have a full understanding of the applications and services that are installed and running on your systems today. Some of these tools include discovery mechanisms that will help you locate that data. What do you do if your chosen tool lacks this feature?

PowerShell can get the data we need. First, list the applications installed on your workstations. We’ll read the registry keys that record what software is installed on each system that is part of your Windows domain. You’ll need to run the code below from a domain controller, or from a domain-joined system that has RSAT installed.
Installed Application Inventory:
Import-Module ActiveDirectory
# Workstations only: exclude server operating systems and disabled computer accounts
$Computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*server*" -and Enabled -eq "true"' -Properties dnshostname | Select-Object -ExpandProperty dnshostname
# Collect the hosts that answer a ping in a separate list, so the array being looped over is not modified
$Online = @()
ForEach ($computer in $Computers) {
    If (Test-Connection -ComputerName $computer -Count 1 -Quiet) { $Online += $computer }
    Else { Write-Warning "Failed to connect to '$computer'." }
}
# Read both the 64-bit and the 32-bit (Wow6432Node) uninstall keys on each host
$report = ForEach ($computer in $Online) {
    Invoke-Command -ComputerName $computer -ScriptBlock {
        Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
            Where-Object DisplayName |
            Select-Object @{n="Application"; e={$_.DisplayName}}, @{n="Version"; e={$_.DisplayVersion}}, HelpLink, Publisher, InstallDate |
            Sort-Object Application
    }
}
$report | Format-Table -AutoSize
$report | Select-Object -Property * -ExcludeProperty RunspaceId, PSShowComputerName | Export-Csv -Path $env:USERPROFILE\Documents\windows_computers_softwareinventory.csv -NoTypeInformation
Programs that automatically execute and keep running once you’ve booted your computer are called services. Most of the application control methods will automatically approve Microsoft services. However, other program packages also use services to enable their functions. Hackers know this and are starting to hide their tools by running them as a service. The code below will find and list all of the non-Microsoft services running on your computers. Again, you’ll need to run the script from a domain controller, or a system that has RSAT installed and is a member of the domain.
Non-Microsoft Services:
Import-Module ActiveDirectory
Function InstalledServices {
    $Computers = Get-ADComputer -Filter * -Properties dnshostname | Select-Object -ExpandProperty dnshostname
    ForEach ($Computer in $Computers) {
        # Service PathName values are often quoted ("C:\Program Files\..."), so the filter allows an optional leading quote;
        # anything whose executable lives outside C:\Windows is reported as non-Microsoft
        Get-WmiObject Win32_Service -ComputerName $Computer -ErrorAction SilentlyContinue |
            Select-Object @{n="Computer";e={$Computer}}, @{n="Service";e={$_.Name}}, @{n="State";e={$_.State}}, @{n="Exe_Path";e={$_.PathName}} |
            Where-Object { $_.Exe_Path -notmatch '^"?c:\\windows' }
    }
}
$report = InstalledServices | Sort-Object Computer
$report | Export-Csv -Path $env:USERPROFILE\Documents\InstalledServicesReport.csv -NoTypeInformation
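Filtering on the install folder, as the script above does, misses Microsoft binaries outside C:\Windows and third-party binaries copied into it. The following added example (not code from the original post) instead classifies each service by the Authenticode signer of its executable, using the same Invoke-Command fan-out as the application inventory; it assumes WinRM is enabled on the targets, and the variable and function names are its own.

```powershell
Import-Module ActiveDirectory

# Runs on each target host; returns one object per service with the signer of its binary.
$ServiceSignerScan = {
    function Get-ServiceBinaryPath {
        param([string]$PathName)
        # PathName may be quoted and may carry arguments, e.g.
        #   "C:\Program Files\Vendor\agent.exe" -service   or   C:\Windows\system32\svchost.exe -k netsvcs
        if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
        if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
        return ($PathName -split '\s+')[0]
    }
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceBinaryPath $_.PathName))
        $sig = $null
        if (Test-Path -LiteralPath $exe) { $sig = Get-AuthenticodeSignature -FilePath $exe }
        $status = 'FileNotFound'
        if ($sig) { $status = [string]$sig.Status }   # Valid, NotSigned, HashMismatch, ...
        $signer = ''
        if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [PSCustomObject]@{
            Service   = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Exe_Path  = $exe
            SigStatus = $status
            Signer    = $signer
            # Classified by who signed the binary, not by which folder it sits in
            Microsoft = ($signer -match 'O=Microsoft Corporation')
        }
    }
}

$Computers = Get-ADComputer -Filter 'Enabled -eq "true"' -Properties dnshostname |
    Select-Object -ExpandProperty dnshostname

# Hosts that cannot be reached are skipped; their errors are collected in $scanErrors and reported at the end.
Invoke-Command -ComputerName $Computers -ScriptBlock $ServiceSignerScan -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
    Where-Object { -not $_.Microsoft } |
    Select-Object PSComputerName, Service, State, StartMode, Exe_Path, SigStatus, Signer |
    Sort-Object PSComputerName, Signer, Service |
    Export-Csv -Path $env:USERPROFILE\Documents\ServiceSignerReport.csv -NoTypeInformation
$scanErrors | ForEach-Object { Write-Warning "Scan failed: $($_.Exception.Message)" }
```

Rows with SigStatus of NotSigned or HashMismatch deserve the first look, since an allow-list built on publisher rules cannot approve them and they are exactly where a tool disguised as a service would show up.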
Locking down computer networks is almost always a painful experience for both the administrators and users. Knowing what apps your people need to do their jobs and ensuring they aren’t entangled in your security efforts will help soften the blows.