@jymcheong
Created August 14, 2017 08:48
Read Sysmon Events from Remote
```powershell
$comp = '<IP address>' # if in a domain, use the Windows machine name instead
$username = '<Machine/admin_name>'
$password = '<Password>' # placeholder; note this script keeps the password in clear text
$pass = ConvertTo-SecureString -AsPlainText $password -Force
$SecureString = $pass
$MySecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$SecureString
# Remote WMI sanity checks (left commented out): list services, or start notepad on the remote host
#gwmi win32_service -credential $MySecureCreds -computer 172.16.199.162
#Invoke-WmiMethod -computer $comp -credential $MySecureCreds -Class win32_process -Name create -ArgumentList "notepad"
$Date = (Get-Date).AddMinutes(-2) # only look back two minutes; Sysmon Event ID 1 = process create
# Read the Sysmon operational log on the remote host, keep only process-creation events (ID 1), show every property
Get-WinEvent -ComputerName $comp -Credential $MySecureCreds -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; StartTime = $Date } | where {$_.ID -eq 1} | select *
```
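The gist returns raw event records with `select *`, which leaves the interesting Sysmon fields buried inside the event XML. The script below is an added example (not part of the original gist) that does the same remote read of Sysmon Event ID 1, but prompts for the credential instead of storing a password in the file, filters on event ID server-side, and flattens each record into the fields a responder looks at first. `$ComputerName` is a placeholder, not a real host; the `ConvertFrom-SysmonEvent` function and its output columns are this example's own design.

```powershell
# Added example, not from the original gist. Pulls Sysmon process-creation events
# (Event ID 1) from a remote host and flattens each one into a few useful fields.
# $ComputerName is a placeholder. Requires PowerShell 3 or later.
param(
    [string]$ComputerName = '<IP address or host name>',
    [int]$Minutes = 10
)

function ConvertFrom-SysmonEvent {
    # Sysmon writes every field as <EventData><Data Name="...">value</Data>;
    # reading the XML is more reliable than regex-parsing the rendered Message text.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Event.TimeCreated
            Computer          = $Event.MachineName
            User              = $data['User']
            Image             = $data['Image']
            CommandLine       = $data['CommandLine']
            ParentImage       = $data['ParentImage']
            ParentCommandLine = $data['ParentCommandLine']
            ProcessGuid       = $data['ProcessGuid']
            Hashes            = $data['Hashes']
        }
    }
}

# Prompt for the account rather than keeping a password in the script file.
$cred = Get-Credential -Message "Account allowed to read event logs on $ComputerName"

# Filter on the server side: log name, event ID and time window all go in the
# hashtable, so only matching records cross the network.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

# Get-WinEvent reports an empty window as the error "No events were found";
# treat that as an empty result, but let real failures (access denied, RPC
# unavailable) surface.
$events = @(Get-WinEvent -ComputerName $ComputerName -Credential $cred -FilterHashtable $filter `
            -ErrorAction SilentlyContinue -ErrorVariable evErr)
if ($evErr -and $evErr[0].Exception.Message -notmatch 'No events were found') {
    throw $evErr[0]
}
if ($events.Count -eq 0) {
    Write-Host "No Sysmon process-creation events on $ComputerName in the last $Minutes minutes."
    return
}

$events |
    ConvertFrom-SysmonEvent |
    Sort-Object TimeCreated |
    Format-Table -AutoSize TimeCreated, User, Image, CommandLine
```

Save it as a `.ps1` and run it with `-ComputerName <host> -Minutes 30`. Dropping `Format-Table` and piping into `Export-Csv` instead gives a file that can be diffed or loaded into a SIEM; the `ProcessGuid` column is the key Sysmon uses to tie Event ID 1 to its later network, file and registry events for the same process.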

jymcheong commented Aug 14, 2017

Most people will be plucking their hair out when exploring remote WMI calls. After following quite a number of articles that covered:

  1. Turning on all the necessary services (most services are already started on both my Win7 VMs)
  2. User permission to perform remote calls for DCOM and WMI (it should work by default for administrator user)
  3. Firewall rules (this one matters)

It still didn't work for my Windows 7 test VMs. Then I ran into this: https://helgeklein.com/blog/2011/08/access-denied-trying-to-connect-to-administrative-shares-on-windows-7/

Created that registry value, and it worked like a charm.

Use the IP address; I wasted a few minutes issuing WMIC.exe and PowerShell commands with the Windows machine name (both VMs NOT part of a domain).
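The comment lists the things that had to be right before the remote read worked: services, permission for the account, firewall rules, and the registry value from the linked article (that article covers `LocalAccountTokenFilterPolicy`, the value that controls UAC remote restrictions for local accounts). The script below is an added example, not from the gist or the comment, that checks those prerequisites on the machine whose Sysmon log is to be read; run it there from an elevated PowerShell 3+ session. It only reports and changes nothing. The function name, check names and the choice of rule groups are this example's own.

```powershell
# Added example, not part of the original gist or the author's comment. Run ON the
# host whose Sysmon log you want to read, as an administrator. Reports only.
function Test-RemoteEventLogReadiness {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, $Ok, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
    }

    # Services: remote Get-WinEvent talks RPC to the Event Log service; WMI needs Winmgmt.
    foreach ($svc in 'RpcSs', 'EventLog', 'Winmgmt') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        Add-Check "Service $svc running" ($s -ne $null -and $s.Status -eq 'Running') "$($s.Status)"
    }

    # Is Sysmon actually writing the log the gist reads?
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
    Add-Check 'Sysmon operational log present' ($log -ne $null) `
        $(if ($log) { "$($log.RecordCount) records" } else { 'log not found; is Sysmon installed?' })

    # Firewall: the inbound rule groups that carry remote event-log and WMI traffic.
    # Get-NetFirewallRule exists on Windows 8 / Server 2012 and later only.
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        foreach ($group in 'Remote Event Log Management', 'Windows Management Instrumentation (WMI)') {
            $rules   = @(Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue)
            $enabled = @($rules | Where-Object { "$($_.Enabled)" -eq 'True' }).Count
            Add-Check "Firewall group '$group' enabled" ($enabled -gt 0) "$enabled of $($rules.Count) inbound rules enabled"
        }
    } else {
        Add-Check 'Firewall rule groups' $null 'Get-NetFirewallRule unavailable (pre-Windows 8); inspect with: netsh advfirewall firewall show rule name=all'
    }

    # Account type and the registry value from the linked article. On a workgroup machine,
    # UAC remote restrictions strip the admin token from every local account except the
    # built-in Administrator unless LocalAccountTokenFilterPolicy is 1.
    $domainJoined = [bool](Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    Add-Check 'Domain joined' $domainJoined `
        $(if ($domainJoined) { 'domain accounts are not subject to remote UAC filtering' } else { 'workgroup: local admin accounts are filtered unless the value below is 1' })
    Add-Check 'LocalAccountTokenFilterPolicy = 1' ($value -eq 1) `
        $(if ($value -eq $null) { 'value absent (default: filtering on)' } else { "value is $value" })

    return $results
}

Test-RemoteEventLogReadiness | Format-Table -AutoSize
```

A row with `OK = False` points at which of the author's steps is still missing. One design note on the last row: setting `LocalAccountTokenFilterPolicy` to 1 switches UAC remote restrictions off for every local administrator account on that host, which is fine for two lab VMs but widens exposure on anything else; for a host that stays in production, a domain account, or a dedicated account placed in the local `Event Log Readers` group, gives the same read access to the Sysmon log without changing the value.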
