WinRM
App Vendor: Microsoft
Connector Category: Forensics & Malware Analysis
Connector Version: 1.0.0
API Version: 1.0.0
Product Version: 1.0.0
Default Port: 443
About App
The Windows Remote Management (WinRM) app allows security teams to integrate with the enterprise application to enable administrators to remotely manage assets and processes.
Ensure that the following are enabled (check them in service.msc) on the endpoint (computer or device) where you want the commands to run, so that the WinRM server works seamlessly with the Orchestrate application:
service.msc
Remote Assistance Service
Powershell Remoting
WinRM service
The above pre-requisites apply only to the Windows server configuration.
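A check script for these prerequisites, added here as an example and not part of the connector documentation or the Orchestrate product. It assumes the listener uses the connector's default port 443, that "Remote Assistance" maps to the fAllowToGetHelp registry toggle, and that it runs in an elevated session on the endpoint itself.

```powershell
# Added example, not part of the WinRM connector documentation: checks the
# prerequisites listed above on the Windows endpoint and flags weak WinRM
# settings. Run from an elevated PowerShell session on the endpoint itself.
# Assumption: the listener port equals the connector's default of 443.
$ListenerPort = 443
$checks = [ordered]@{}

# WinRM service must be running (and should start automatically after reboot).
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$checks['WinRM service running']   = [bool]($svc -and $svc.Status -eq 'Running')
$checks['WinRM service automatic'] = [bool]($svc -and $svc.StartType -eq 'Automatic')

# PowerShell Remoting: the default Microsoft.PowerShell endpoint must be registered.
$endpoint = Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
            Where-Object Name -eq 'Microsoft.PowerShell'
$checks['PowerShell Remoting enabled'] = [bool]$endpoint

# Remote Assistance: Windows stores the toggle as fAllowToGetHelp (1 = allowed).
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' `
        -ErrorAction SilentlyContinue
$checks['Remote Assistance allowed'] = [bool]($ra -and $ra.fAllowToGetHelp -eq 1)

# An HTTPS listener on the connector port: the WSMan: drive exposes each listener
# as a container whose child items hold Transport and Port.
$listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ChildItem $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = [int]($props | Where-Object Name -eq 'Port').Value
        }
    }
$checks["HTTPS listener on $ListenerPort"] = [bool]($listeners |
    Where-Object { $_.Transport -eq 'HTTPS' -and $_.Port -eq $ListenerPort })

# Credential hygiene: the connector authenticates with a username and password,
# so the service must refuse sessions that are not encrypted.
$unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted -ErrorAction SilentlyContinue).Value
$checks['Unencrypted traffic refused'] = ($unenc -eq 'false')

# Report: every row should read True before creating the connector instance.
$checks.GetEnumerator() | Format-Table -AutoSize
$missing = $checks.GetEnumerator() | Where-Object { -not $_.Value } |
           Select-Object -ExpandProperty Key
if ($missing) { Write-Warning ("Prerequisites not met: " + ($missing -join ', ')) }
```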
The WinRM app in the Orchestrate application can perform the below-listed actions:
Action | Description |
---|---|
Retrieve Access Control List | This action can be used to retrieve all security descriptors for a Resource, such as a file or a registry key. |
Retrieve system information | This action can be used to retrieve the system information using a specific Host IP. |
Retrieve route | This action can be used to retrieve the IP route information from the IP routing table. |
Execute Powershell commands | This action can be used to execute Powershell commands from the system. |
Retrieve OS version | This action can be used to retrieve the properties of a guest operating system version specified in the XML service configuration. |
Retrieve Netstat connection | This action can be used to retrieve the TCP/IP connection and status of a system. |
Retrieve MAC address | This action can be used to retrieve the MAC address of the system. |
Retrieve host name | This action can be used to retrieve the host name of a system. |
Retrieve Event Logs | This action can be used to retrieve Event Logs of the local or remote computers. |
Retrieve directories folder | This action can be used to retrieve all the files from a particular folder. |
Retrieve configuration status | This action can be used to retrieve the data about completed configuration runs. |
Execute command prompt commands | This action can be used to execute command prompt commands. |
Retrieve all volumes | This action can be used to retrieve volumes of the system. |
Retrieve all processes | This action can be used to retrieve all the processes on the system. |
Retrieve all drivers | This action can be used to retrieve all the drivers installed on the system. |
Retrieve file type mappings | This action can be used to retrieve the file types and mappings. |
Prerequisites
All the actions configured in the WinRM app relate to private APIs. WinRM Enterprise subscription is required to access the private APIs.
Configuration parameters
The following configuration parameters are required for the WinRM app to communicate with the WinRM enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Username | Enter the username. | Text | Required | |
Password | Enter the password. | Password | Required | |
Action: Retrieve Access Control List
This action can be used to retrieve all security descriptors for a Resource, such as a file or a registry key.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Host IP | Enter the host IP. | Text | Required | |
Action: Retrieve system information
This action can be used to retrieve the system information using a specific Host IP.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Host IP | Enter the host IP. | Text | Required | |
Action: Retrieve route
This action can be used to retrieve the IP route information from the IP routing table.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Host IP | Enter the host IP. | Text | Required | |
Action: Execute Powershell commands
This action can be used to execute Powershell commands from the system.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Powershell command | Enter the Powershell command. For example, "Get-Help". | Text | Required | |
Host IP | Enter the host IP. For example, "1.1.1.1". | Text | Required | |
Example Request
```json
[ { "ps_command": "Get-Help" } ]
```
Action: Retrieve OS version
This action can be used to retrieve the properties of a guest operating system version specified in the XML service configuration.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Host IP | Enter the host IP. | Text | Required | |
Action: Execute command prompt commands
This action can be used to execute command prompt commands on the system.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Host IP | Enter the host IP. | Text | Required | |
Example Request
```json
[ { "command": "cmd" } ]
```
Action: Retrieve all volumes
This action can be used to retrieve volumes of the system.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Host IP | Enter the host IP. | Text | Required | |
Action: Retrieve all processes
This action can be used to retrieve all the processes on the system.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Host IP | Enter the host IP. | Text | Required | |
Action: Retrieve file type mappings
This action can be used to retrieve the file types and mappings.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Host IP | Enter the host IP. | Text | Required | |