
CimSweep
CimSweep: A Comprehensive Suite of CIM/WMI Tools
CimSweep is a suite of CIM/WMI-based tools for performing incident response and hunting operations remotely across all versions of Windows. It can also be used for offensive reconnaissance without dropping a payload to disk. Windows Management Instrumentation (WMI) has been installed, with its service running by default, since Windows XP and Windows 2000, and it remains fully supported on the latest versions of Windows, including Windows 10, Nano Server, and Server 2016. Agent-based defensive tools are very effective, but they require an agent to be deployed on every system; while such solutions play an important role in the industry, they are costly, and a skilled attacker can detect or subvert them. CimSweep enables the collection of time-sensitive data at scale with no agent deployment, relying only on the remote management capability that ships with Windows (and therefore on the same prerequisites as any remote WMI access: administrative credentials on the target and a reachable WinRM or DCOM endpoint).
Understanding CimSweep and Its Functionality
The tool is called CimSweep because it is built on PowerShell's CIM cmdlets (Get-CimInstance, New-CimSession, and related commands), which are well suited to remote querying at scale. The CIM cmdlets use the WSMan protocol (WinRM, TCP 5985/5986) by default, but a CIM session can be switched to DCOM (RPC, TCP 135 plus a dynamic port) for systems that do not have Windows Remote Management installed or enabled.
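The two points above (agentless remote collection over WMI, and WSMan-by-default with a DCOM fallback) are illustrated by the following PowerShell, which is an added example written for this page and not code from the CimSweep project itself. The host name `HOST01` and the optional credential are placeholders for the reader's environment; the query against `Win32_Process` is a hypothetical stand-in for whatever time-sensitive data a responder needs.

```powershell
# Added example (not CimSweep code): open a CIM session that prefers WSMan and
# falls back to DCOM, then run a remote query over it without touching disk on
# the target. HOST01 is a placeholder host name.
function New-FallbackCimSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $ComputerName,

        # Optional explicit credential; otherwise the caller's token is used.
        [pscredential] $Credential
    )

    $common = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $common['Credential'] = $Credential }

    # Attempt 1: WSMan (WinRM, TCP 5985/5986). This is the CIM cmdlets' default
    # and the preferred transport where WinRM is enabled.
    try {
        $wsman = New-CimSessionOption -Protocol Wsman
        return New-CimSession @common -SessionOption $wsman
    }
    catch {
        Write-Verbose "WSMan session to $ComputerName failed: $($_.Exception.Message); trying DCOM"
    }

    # Attempt 2: DCOM (RPC endpoint mapper on TCP 135 plus a dynamic high port).
    # Works against hosts with no WinRM listener, provided the host firewall
    # permits RPC traffic. Any failure here propagates to the caller.
    $dcom = New-CimSessionOption -Protocol Dcom
    return New-CimSession @common -SessionOption $dcom
}

# Usage: enumerate processes on the remote host and release the session.
$session = New-FallbackCimSession -ComputerName 'HOST01' -Verbose
try {
    Write-Host "Connected to $($session.ComputerName) via $($session.Protocol)"
    Get-CimInstance -CimSession $session -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine |
        Sort-Object ProcessId |
        Format-Table -AutoSize
}
finally {
    Remove-CimSession -CimSession $session
}
```

The fallback order matters operationally: WSMan traffic is encrypted by default and uses a fixed port that is easy to permit through firewalls, while DCOM needs the RPC endpoint mapper plus a dynamic port range and is often blocked between network segments. Whichever transport is chosen, the target sees only a WMI query from a privileged account; nothing is written to its file system, which is exactly why the same mechanism is attractive for offensive reconnaissance and worth monitoring (for example, remote WMI activity in the Microsoft-Windows-WMI-Activity operational log).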