How to use a non-Admin account for WMI
Last Modified: 2023-09-04 10:36:26 Etc/GMT
Technical Articles ID:
KB74126
Environment
SIEM Enterprise Security Manager (ESM) 11.x
SIEM Event Receiver (Receiver) 11.x
Microsoft Windows Server

Summary
The following procedures describe how to use a non-Admin account for WMI.

Group membership, security policy assignments, and permissions

Distributed Component Object Model (DCOM) rights assignments
Use the following steps to configure DCOM security for the WMI collection group:

WMI namespace security assignments
Use the following steps to set the WMI namespace security so that the WMI collection group has access to WMI objects:
For Windows Server 2012 or later, add permission to read the security log:
Example:
SID S-1-5-21-2714243513-2981656821-964208712-1125

C:\Windows\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 134217728
publishing:
  fileMax: 1

C:\Windows\system32>wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x7;;;S-1-5-21-2714243513-2981656821-964208712-1125)

C:\Windows\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x7;;;S-1-5-21-2714243513-2981656821-964208712-1125)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 134217728
publishing:
  fileMax: 1

You can now use the WMI collection user to collect events from WMI without having to use domain administrator rights.
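The session above appends an ACE for the collection user's SID to the Security channel by hand. The following PowerShell script is an added example, not part of this KB: it resolves the account to its SID, reads the current channelAccess SDDL with wevtutil, appends the ACE only if one for that SID is not already present, and reads the channel back to verify. The account name is a placeholder, and the script assumes an elevated session on the monitored server with wevtutil.exe on the PATH.

```powershell
# Added example (not from KB74126): grant a WMI collection account access to the
# Security event log channel with wevtutil, the same change the KB session makes.
# Assumptions: placeholder account name, elevated session, wevtutil.exe on the PATH.
param(
    [string]$Account = 'CONTOSO\svc-wmi-collect',  # placeholder collection account or group
    [string]$Channel = 'Security',
    # Access mask for the new ACE. The KB uses 0x7; the built-in Event Log Readers
    # ACE in the KB output, (A;;0x1;;;S-1-5-32-573), carries only the read bit 0x1.
    [string]$Mask = '0x7'
)

function Get-ChannelSddl([string]$Name) {
    # 'wevtutil gl' prints one 'channelAccess: <SDDL>' line; extract the SDDL string.
    $line = & wevtutil.exe gl $Name |
            Where-Object { $_ -match '^\s*channelAccess:' } |
            Select-Object -First 1
    if (-not $line) { throw "Could not read channelAccess for channel '$Name'" }
    return ($line -replace '^\s*channelAccess:\s*', '').Trim()
}

# Resolve the account to a SID so the ACE survives account renames.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$current = Get-ChannelSddl $Channel
Write-Output "Current DACL : $current"

if ($current -match [regex]::Escape(";;;$sid)")) {
    Write-Output "An ACE for $Account ($sid) is already present; nothing to change."
} else {
    # Append a single allow ACE for the collection account and write it back.
    $updated = $current + "(A;;$Mask;;;$sid)"
    & wevtutil.exe sl $Channel "/ca:$updated"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
}

# Verify by reading the channel back rather than trusting the write.
$verify = Get-ChannelSddl $Channel
if ($verify -notmatch [regex]::Escape(";;;$sid)")) {
    throw "Verification failed: no ACE for $sid in '$verify'"
}
Write-Output "Verified DACL: $verify"
```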
Related Information
NitroSecurity ID: 15094-552