AnsweredAssumed Answered

Custom WMI Query

Question asked by Adam Browning on Sep 20, 2019
Latest reply on Feb 26, 2020 by Arun Kumar

I'm pretty terrible at getting these custom WMI queries figured out, but luckily there's a community that I can ask.


A bit of backstory in case someone has a better solution/suggestion. We use the CIS policies for our baselines, though we modify it pretty heavily. I'm getting all the reporting worked out in Qualys, and the big push from infosec is they want the controls in Qualys to match up as exact as possible to what we are pushing out via group policy. Example:


CID:  2342

Status of the ‘Account Lockout Threshold’ setting (invalid login attempts)

CIS Default:  in range 1-10

Our Exact:  equal to 3


No big deal for the majority of of the controls, but there are a few User Rights Assignment controls that aren't playing as nice. A good example of one I'm working with is this:


CID:  2182

Current list of Groups and User Accounts granted the ‘Act as part of the operating system’ right

Our Exact:  does not contain (regular expression list) .+


It works, kind of. We define that control but assign no users and/or groups, so it's blank. I'm not sure how this control in Qualys actually checks for this, but the value it pulls from every system is "Right not assigned". I have to check the box for "Right not assigned" on all of these that are defined but empty, which is fine for my standards, but I'm sure explaining to infosec that if it's receiving 98% of the rest of the policy it 'should' be pulling that last 2%. 


Since it's a system generated control I can't modify it, so I'm starting down the path to create custom WMI query controls for each of these. I found this WMI query during my Google searching that works great, I just need some assistance on how the heck to fit it into the scan parameters for the WMI query check.


Get-WMIObject RSOP_UserPrivilegeRight -namespace root\rsop\computer | Where {$_.UserRight -eq "SeTcbPrivilege" -and $_.precedence -eq 1} | Select -expand AccountList


There was probably way too much detail added and I know the majority of you won't read through this whole post, but if you do, I'll drink a cup of coffee to salute you.