twigs for Windows

Windows assets can be discovered using the twigs PowerShell script (twigs.ps1). This is a simple, agent-less, low-impact way to discover all Windows services and components / patches on a Windows system, which results in accurate vulnerability assessment with zero false positives. The script can be run locally or remotely, as often as needed and via automation, to get the most current snapshot of your entire Windows footprint.

The twigs PowerShell script for Windows discovery is digitally signed for security reasons. You can discover local or remote Windows hosts with it. Follow the steps below to perform discovery of Windows assets using the twigs PowerShell script:

  • Log on to the Windows machine used for discovery
  • Download the twigs PowerShell script from here
  • Install the signing certificate for the PowerShell script
    • Right-click the PowerShell script in Windows Explorer and select Properties
    • In the Properties window, click the “Digital Signatures” tab
    • In the “Signature List” table, select the row for “ThreatWorx”
    • Click “Details” and then “View Certificate”
    • Click “Install Certificate…” to install the certificate for “Local Machine” in the “Trusted Root Certificate Authorities” and “Trusted Publishers” stores.
  • Note that you will need an API token to perform discovery.
  • Ensure that the ExecutionPolicy allows running PowerShell scripts. To view the current execution policy, run ‘Get-ExecutionPolicy’. Refer to the note below for details on how to change it.
  • The typical command-line syntax of the twigs PowerShell script is as below

.\twigs.ps1 [[-mode] <String>] [[-remote_hosts_csv] <String>] [[-host_list] <String>] [[-password] <String>] [-handle] <String> [[-token] <String>] [[-instance] <String>] [[-out] <String>] [[-assetid] <String>] [[-assetname] <String>] [[-tags] <String[]>] [-tag_critical] [-no_scan] [-no_host_benchmark] [-email_report] [<CommonParameters>]

  • To view the above help, run ‘.\twigs.ps1 -?’; for the detailed help message, run ‘Get-Help .\twigs.ps1 -detailed’ (see the section below)
  • For remote host discovery, you need to specify the remote Windows host details in a CSV file.
  • This CSV file has the format below (header row, field description, then one example row):

hostname,userlogin,userpwd
<Windows machine name or IP or CIDR>,<Login ID>,<Password>
MyWindowsMachine,MyWindowsDomain\MyWindowsUser,MyWindowsUserPassword

  • Note that it is recommended to secure the password in the CSV file by using the ‘-host_list’ option provided by the twigs PowerShell script.
  • Specify the appropriate arguments and run the twigs PowerShell script.
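The following is an added example, not part of the twigs documentation or of the twigs.ps1 script itself. It builds the remote-hosts CSV in the documented hostname,userlogin,userpwd layout without typing a password into a text editor, restricts the file to the account that created it before any data is written, and then hands it to twigs.ps1 with -host_list / -password so the login information is encrypted. The host names, the address range and the scanning account are constructed sample values; the handle and instance reuse the values from Example 1 in the detailed help below. How -host_list and -remote_hosts_csv interact (whether a separate encrypted file is produced) is defined by the script, not by this page, so that part is an assumption.

```powershell
# Added example (not from the twigs documentation): build and secure the remote-hosts CSV,
# then run a remote discovery from it. Sample values are constructed; adjust them.

$csvPath  = Join-Path (Get-Location) 'remote_hosts.csv'
$handle   = 'someuser@company.com'        # ThreatWorx user handle (value taken from the help example)
$instance = 'ACME.threatworx.io'          # ThreatWorx instance (value taken from the help example)
$token    = Read-Host -AsSecureString 'ThreatWorx API token'

# Prompt once for the account used to reach the remote hosts; nothing is echoed or left in history.
$cred   = Get-Credential -Message 'Account for remote Windows discovery (DOMAIN\user)'
$login  = $cred.UserName
$secret = $cred.GetNetworkCredential().Password
if ($secret.Contains(',')) {
    throw 'The documented CSV layout has no quoting, so a password containing a comma cannot be represented.'
}

# Targets in the three documented forms: machine name, IP address, CIDR range (constructed values).
$targets = 'WIN-APP01', '10.20.30.40', '10.20.31.0/24'

# Create the empty file first and strip inherited permissions, so the plaintext is never
# readable by anyone but the current user, not even briefly.
New-Item -Path $csvPath -ItemType File -Force | Out-Null
icacls $csvPath /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R,W)" | Out-Null

# Header plus one row per target, exactly as the documented layout (no quoting).
$lines = @('hostname,userlogin,userpwd') + ($targets | ForEach-Object { "$_,$login,$secret" })
Set-Content -Path $csvPath -Value $lines -Encoding ASCII

# Passphrase twigs.ps1 uses to encrypt (and later decrypt) the login information.
$hostListPwd = Read-Host -AsSecureString 'Passphrase for the secured host list'
$plainToken  = [System.Net.NetworkCredential]::new('', $token).Password
$plainPwd    = [System.Net.NetworkCredential]::new('', $hostListPwd).Password

# Remote discovery from the secured host list. Assumption: this follows the parameter
# descriptions in the help text; check the script's own output the first time to see whether
# -host_list writes a separate encrypted file to pass later via -remote_hosts_csv.
.\twigs.ps1 -mode remote -host_list $csvPath -password $plainPwd `
    -handle $handle -token $plainToken -instance $instance -tags 'windows','remote'
```

Both secrets are converted to plain strings only because -token and -password are declared as String parameters; they never pass through the console or the command history, and the CSV is unreadable to other local users from the moment it exists.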

Help video: https://youtu.be/BuTvbERm_Xs

You may need to relax the execution policy for PowerShell scripts on your Windows box. Typically you can set it using Set-ExecutionPolicy as below:

Set-ExecutionPolicy RemoteSigned

or

Set-ExecutionPolicy AllSigned
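The pre-flight checks described in the steps above (execution policy, certificate installation) can be done in one pass from an elevated PowerShell session. This is an added example, not part of the twigs documentation; it assumes twigs.ps1 has been downloaded into the current directory. It verifies the Authenticode signature before trusting anything, installs the signer into the Local Machine Trusted Publishers store, and installs it into Trusted Root Certificate Authorities (as the steps above describe) only when the signature does not already validate, which is the case that actually needs a new root.

```powershell
# Added example (not from the twigs documentation): verify and trust the signed twigs.ps1.
# Run from an elevated PowerShell; the certificate stores used are LocalMachine stores.

$script = Join-Path (Get-Location) 'twigs.ps1'

# 1. Execution policy. AllSigned and RemoteSigned both allow a correctly signed downloaded
#    script; Restricted blocks every script, Unrestricted/Bypass are broader than this needs.
$policy = Get-ExecutionPolicy
Write-Host "Execution policy : $policy"
if ($policy -in 'Restricted', 'Undefined') {
    Write-Warning "Run 'Set-ExecutionPolicy AllSigned' (or RemoteSigned) from an elevated prompt first."
}

# 2. Authenticode signature. 'Valid' means the file is unmodified since signing AND the signer
#    chains to a trusted root. 'HashMismatch' means the file was altered after signing and
#    'NotSigned' that there is no signature at all: in both cases stop and re-download.
$sig = Get-AuthenticodeSignature -FilePath $script
Write-Host "Signature status : $($sig.Status)"
Write-Host "Signer subject   : $($sig.SignerCertificate.Subject)"
Write-Host "Signer thumbprint: $($sig.SignerCertificate.Thumbprint)"
if ($null -eq $sig.SignerCertificate -or $sig.Status -eq 'HashMismatch') {
    throw 'twigs.ps1 is unsigned or was altered after signing; download it again before proceeding.'
}
# Compare the thumbprint printed above with a known-good value obtained out of band before
# continuing; the import below is what makes this publisher trusted on the machine.

# 3. Export the signer certificate from the script and import it into the LocalMachine stores.
$certPath = Join-Path $env:TEMP 'twigs-signer.cer'
Export-Certificate -Cert $sig.SignerCertificate -FilePath $certPath | Out-Null
Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null
if ($sig.Status -ne 'Valid') {
    # The chain does not validate yet, so the documented Trusted Root import is needed too.
    Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}
Remove-Item -Path $certPath

# 4. Re-check: the status should now be Valid, and AllSigned will run the script without a prompt.
Write-Host "Signature status after import: $((Get-AuthenticodeSignature -FilePath $script).Status)"
```

Trusted Publishers is what stops AllSigned from prompting for this publisher; the Trusted Root store is only required when the signer's chain does not already terminate in a root the machine trusts, so the example skips it when the signature is already Valid.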

Detailed help for twigs PowerShell script

PS C:\Users\twadmin\Downloads\twigs_PS> Get-Help .\twigs.ps1 -detailed

NAME
C:\Users\twadmin\Downloads\twigs_PS\twigs.ps1

SYNOPSIS
Windows Host discovery script (twigs equivalent)

SYNTAX
C:\Users\twadmin\Downloads\twigs_PS\twigs.ps1 [[-mode] <String>] [[-remote_hosts_csv] <String>] [[-host_list]
<String>] [[-password] <String>] [-handle] <String> [[-token] <String>] [[-instance] <String>] [[-out] <String>]
[[-assetid] <String>] [[-assetname] <String>] [[-tags] <String[]>] [-tag_critical] [-no_scan] [-no_host_benchmark]
[-email_report] [<CommonParameters>]

DESCRIPTION
This script helps discover Windows Host(s) as assets in ThreatWorx instance. It is equivalent to twigs.

PARAMETERS
-mode <String>
    Specifies the discovery mode (local or remote).

-remote_hosts_csv <String>
    Specifies path for CSV file containing details of remote hosts to be discovered. Optional.

-host_list <String>
    Specifies path for CSV file to be secured. Format is same as remote hosts CSV. Optional.

-password <String>
    A password used to encrypt / decrypt login information from the host list / remote hosts CSV file. Optional.

-handle <String>
    Specifies the handle of the ThreatWorx user. Mandatory.

-token <String>
    Specifies the API token of the ThreatWorx user. Optional.

-instance <String>
    Specifies the ThreatWorx instance. Optional.

-out <String>
    Specifies the output JSON filename to hold discovered asset details. Optional.

-assetid <String>
    Specifies the identifier for the asset. Optional.

-assetname <String>
    Specifies the name for the asset. Optional.

-tags <String[]>
    Specify tags for the asset. Optional.

-tag_critical [<SwitchParameter>]
    Tag the asset as critical. Optional.

-no_scan [<SwitchParameter>]
    Do not initiate a baseline assessment. Optional.

-no_host_benchmark [<SwitchParameter>]
    Do not run host benchmark tests. Optional.

-email_report [<SwitchParameter>]
    After impact refresh is complete, email scan report to self. Optional.

<CommonParameters>
    This cmdlet supports the common parameters: Verbose, Debug,
    ErrorAction, ErrorVariable, WarningAction, WarningVariable,
    OutBuffer, PipelineVariable, and OutVariable. For more information, see
    about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

-------------------------- EXAMPLE 1 --------------------------

PS C:\>.\twigs.ps1 -handle someuser@company.com -token XXXX -instance ACME.threatworx.io -out asset.json -assetid
myassetid -assetname myassetname -tag_critical -tags 'tag1','tag2' -email_report

REMARKS
To see the examples, type: "get-help C:\Users\twadmin\Downloads\twigs_PS\twigs.ps1 -examples".
For more information, type: "get-help C:\Users\twadmin\Downloads\twigs_PS\twigs.ps1 -detailed".
For technical information, type: "get-help C:\Users\twadmin\Downloads\twigs_PS\twigs.ps1 -full".

PS C:\Users\twadmin\Downloads\twigs_PS>
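The introduction notes that the script can be run via automation to keep the snapshot current. The following added example, not part of the twigs documentation or the twigs.ps1 script, registers a daily local discovery with Task Scheduler using only parameters from the help above. The install path C:\Tools\twigs, the wrapper file name and the 02:30 schedule are assumptions; the handle and instance reuse the values from Example 1. The API token is kept in an ACL-restricted file read at run time rather than on the task's command line.

```powershell
# Added example (not from the twigs documentation): schedule a daily local discovery.
# Run once from an elevated PowerShell. Paths and schedule are assumed values.

$root      = 'C:\Tools\twigs'                               # assumed directory holding twigs.ps1
$tokenFile = Join-Path $root 'api.token'                    # token only; readable by SYSTEM and Administrators
$wrapper   = Join-Path $root 'Run-TwigsDiscovery.ps1'       # script the task executes

# 1. Store the token once, in a file that nothing below local admin can read. Reading the task
#    definition itself already needs that privilege, so this adds no new exposure.
New-Item -Path $tokenFile -ItemType File -Force | Out-Null
icacls $tokenFile /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(R,W)' | Out-Null
Read-Host -AsSecureString 'ThreatWorx API token' |
    ForEach-Object { [System.Net.NetworkCredential]::new('', $_).Password } |
    Set-Content -Path $tokenFile -NoNewline

# 2. Wrapper executed by the task. It reads the token at run time and writes one JSON file per
#    host and day, so earlier snapshots stay available for comparison. Note this wrapper is
#    unsigned: under an AllSigned policy sign it with your own code-signing certificate, or
#    keep the machine policy at RemoteSigned.
@'
$root   = 'C:\Tools\twigs'
$token  = (Get-Content -Path (Join-Path $root 'api.token') -Raw).Trim()
$outDir = Join-Path $root 'out'
New-Item -Path $outDir -ItemType Directory -Force | Out-Null
$out = Join-Path $outDir ('{0}-{1:yyyyMMdd}.json' -f $env:COMPUTERNAME, (Get-Date))
& (Join-Path $root 'twigs.ps1') -mode local -handle 'someuser@company.com' -instance 'ACME.threatworx.io' `
    -token $token -assetid $env:COMPUTERNAME -assetname $env:COMPUTERNAME -out $out -tags 'windows','scheduled'
'@ | Set-Content -Path $wrapper

# 3. Register the task: daily at 02:30 as SYSTEM with the highest run level, so the discovery
#    sees every service and installed patch regardless of which user is logged on.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -File `"$wrapper`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:30'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'twigs Windows discovery' -Action $action -Trigger $trigger `
    -Principal $principal -Description 'Daily twigs.ps1 local asset discovery' | Out-Null
```

Running as SYSTEM also means the task does not depend on any stored user password. The per-day output files under C:\Tools\twigs\out are the local record of each snapshot; the upload to the ThreatWorx instance is handled by twigs.ps1 itself through -handle, -token and -instance exactly as in Example 1.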