SQL for seeing if the WMI feature for port 135 is open

I need simple SQL to detect if the WMI feature is enabled so I can detect the log4j stuff on my Windows system. I need a list so I can send it to the admin so they don't have to guess at what systems need the WMI feature enabled… I tried using the ports view SQL but it doesn't work, it just tells me the port…

I’m not sure that there’s an easy way to detect if WMI is enabled, but there may be an alternative solution with the dim_service and dim_asset_service tables.

One of the services in dim_service is DCE Endpoint Resolution, which I think is associated with WMI auth. So you could try querying for assets with that service and see if it correlates to assets and their WMI status.

I slightly modified this query to test this.

-- Assets where the 'DCE Endpoint Resolution' service was seen,
-- with the credential status recorded for that service.
SELECT dsite.name "Site", da.ip_address as "IP Address",
       da.host_name as "Host Name", ds.name as "Service",
       dcs.credential_status_description "Access Level",
       das.port as "Port Number"
FROM dim_asset da
JOIN fact_asset_scan_service fass using (asset_id)
JOIN fact_asset fa using (asset_id)
JOIN dim_site_asset dsa using (asset_id)
JOIN dim_site dsite using (site_id)
JOIN dim_service ds using (service_id)
JOIN dim_credential_status dcs using (credential_status_id)
-- Join on asset_id as well as service_id so the port comes from this
-- asset's own service row, not from any asset running the same service.
JOIN dim_asset_service das using (asset_id, service_id)
WHERE ds.name = 'DCE Endpoint Resolution'
GROUP BY dsite.name, da.ip_address, da.host_name, ds.name,
         dcs.credential_status_description, das.port
ORDER BY da.ip_address DESC

You can also enable Scanning Diagnostic checks to help figure out where WMI isn’t enabled or working properly: https://www.rapid7.com/blog/post/2021/11/03/insightvm-scan-diagnostics-troubleshooting-credential-issues-for-authenticated-scanning/

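The complement of the query in the reply above, as an added example that is not part of the original thread: it lists Windows assets where no DCE Endpoint Resolution service was recorded, which is the list the question asks for. It assumes the reporting data model exposes `dim_operating_system` with a `family` column linked through `dim_asset.operating_system_id`, that the family value is `'Windows'`, and that `dim_asset_service` carries `asset_id`. Whether a missing service actually means WMI is unavailable still has to be checked against real assets, as the reply suggests.

```sql
-- Added example, not from the thread.
-- Assumptions: dim_operating_system.family = 'Windows' identifies Windows assets,
-- and dim_asset_service has one row per (asset_id, service_id, port).
SELECT dsite.name    AS "Site",
       da.ip_address AS "IP Address",
       da.host_name  AS "Host Name"
FROM dim_asset da
JOIN dim_operating_system dos USING (operating_system_id)
JOIN dim_site_asset dsa USING (asset_id)
JOIN dim_site dsite USING (site_id)
WHERE dos.family = 'Windows'
  -- Anti-join: keep only assets with no matching service row.
  AND NOT EXISTS (
        SELECT 1
        FROM dim_asset_service das
        JOIN dim_service ds USING (service_id)
        WHERE das.asset_id = da.asset_id
          AND ds.name = 'DCE Endpoint Resolution'
      )
ORDER BY dsite.name, da.ip_address;
```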