Windows assets can be discovered using the twigs PowerShell script (twigs.ps1). The script is digitally signed, so Windows can verify its publisher and detect any modification. You can use it to discover local or remote Windows hosts.
Steps
Follow the steps below to discover Windows assets using the twigs PowerShell script:
Log on to the Windows machine for discovery
Download twigs PowerShell script from here
Install the signing certificate for the PowerShell script
Right-click the PowerShell script in Windows Explorer and select Properties
In the Properties window, click on “Digital Signatures” tab
In the “Signature List” table, select row for “ThreatWorx”
Click on “Details” and then “View Certificate”
Click on “Install Certificate…” to install the certificate for “Local Machine” in the “Trusted Root Certification Authorities” and “Trusted Publishers” stores.
Note: you will need an API token key to perform discovery.
Please ensure that the ExecutionPolicy allows running PowerShell scripts. To view the current execution policy, run ‘Get-ExecutionPolicy’. Refer to the note below for details on how to change it.
The typical command parameters for the twigs PowerShell script are as below:
.\twigs.ps1 [[-mode] <String>] [[-remote_hosts_csv] <String>] [[-host_list]
<String>] [[-password] <String>] [-handle] <String> [[-token] <String>]
[[-instance] <String>] [[-out] <String>]
[[-assetid] <String>] [[-assetname] <String>]
[[-tags] <String[]>] [-tag_critical] [-no_scan] [-email_report]
[<CommonParameters>]
To view the above help, run ‘.\twigs.ps1 -?’; for a detailed help message, run ‘Get-Help .\twigs.ps1 -detailed’
For remote host discovery, you need to specify the remote Windows host details in a CSV file. The CSV file has the following format:
hostname,userlogin,userpwd
<Windows machine name or IP or CIDR>,<Login ID>,<Password>
MyWindowsMachine,MyWindowsDomain\MyWindowsUser,MyWindowsUserPassword
Note: it is recommended that you secure the password in the CSV file by using the ‘-host_list’ option provided by the twigs PowerShell script.
Specify the appropriate arguments and run the twigs PowerShell script.
Note: you may need to relax the execution policy for PowerShell scripts on your Windows box. Typically you can set it using Set-ExecutionPolicy as below:
Set-ExecutionPolicy RemoteSigned
or
Set-ExecutionPolicy AllSigned
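One way to inspect the script's signature before installing the certificate and again before running the script, as an added example that is not part of twigs or its documentation. The function name Get-TwigsSignatureReport and the expected-thumbprint placeholder are assumptions; the real thumbprint has to come from the vendor through a separate channel.

```powershell
# Added example: report on the twigs.ps1 signature and the local trust state.
param(
    [string]$ScriptPath = '.\twigs.ps1',
    # Placeholder (assumption): thumbprint obtained from the vendor out of band.
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-VENDOR>'
)

function Get-TwigsSignatureReport {
    param([string]$Path, [string]$Expected)

    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $cert  = $sig.SignerCertificate
    $thumb = if ($cert) { $cert.Thumbprint } else { $null }

    # Is the signer already in the two LocalMachine stores named in the steps?
    $inStore = @{}
    foreach ($name in 'Root', 'TrustedPublisher') {
        $inStore[$name] = [bool]($thumb -and
            (Get-ChildItem "Cert:\LocalMachine\$name" |
                Where-Object Thumbprint -eq $thumb))
    }

    [pscustomobject]@{
        Status             = [string]$sig.Status  # Valid, NotSigned, HashMismatch, ...
        StatusMessage      = $sig.StatusMessage
        Subject            = if ($cert) { $cert.Subject } else { $null }
        Thumbprint         = $thumb
        ThumbprintMatches  = [bool]($thumb -and ($thumb -eq $Expected))
        NotAfter           = if ($cert) { $cert.NotAfter } else { $null }
        InTrustedRoot      = $inStore['Root']
        InTrustedPublisher = $inStore['TrustedPublisher']
        ExecutionPolicy    = Get-ExecutionPolicy  # effective policy for this session
    }
}

$report = Get-TwigsSignatureReport -Path $ScriptPath -Expected $ExpectedThumbprint
$report | Format-List

# NotSigned or HashMismatch means the file is unsigned or was changed after
# signing: download it again instead of installing any certificate.
if ($report.Status -in 'NotSigned', 'HashMismatch') {
    Write-Warning "Signature problem on ${ScriptPath}: $($report.StatusMessage)"
} elseif (-not $report.ThumbprintMatches) {
    Write-Warning 'Signer thumbprint differs from the expected value; do not trust it yet.'
}

# Execution policy per scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine)
Get-ExecutionPolicy -List
```

Under RemoteSigned only scripts downloaded from the Internet must be signed, while under AllSigned every script must be signed by a trusted publisher.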