
I am working with PowerShell constrained endpoints. I have an endpoint that runs as a specific user as it needs to reach out to make calls to another service on another system. Virtual accounts and gMSAs will not work with this other service so it must be a regular user account.

I would like to be able to record the connection's client IP address in the logs. In the past I have used the following:

```powershell
$script:EndpointClientIp = Get-WSManInstance Shell -Enumerate |
    Where-Object { $_.ProcessId -eq $script:EndpointProcessId } |
    Select-Object -ExpandProperty ClientIP
```

However, the above Get-WSManInstance command only works if the user is an admin. In these new JEA endpoints I am trying to avoid giving the run-as user admin privileges.

Is there a way to acquire this IP address without being an admin on the system? Perhaps there is a way to modify the WSMan permissions to allow this user account to access that portion of the WSMan config? If so, what else would it gain access to that I would want to consider? If not through the WSMan, is there another way to tie the IP address of an incoming connection to the process ID of the app allowing the connection (again, without admin privileges)?

This is a Windows Server 2019 box.

New Guy
  • PowerShell provides `$PSSenderInfo`, but it won't contain network information. What is the purpose of having access to the client IP at runtime? – Mathias R. Jessen Feb 01 '21 at 17:53
  • Yea, I'm using `$PSSenderInfo` to get the user that connected to the endpoint. I only need this for logging purposes. I have a very detailed log of this endpoint and would like to include who and from where users are connecting. – New Guy Feb 01 '21 at 18:43
  • Can the callers send their IP as an argument somehow? (assuming they know/can list their own IP) – Doug Maurer Feb 01 '21 at 19:14
  • Well the point is to monitor potential abuse of the endpoint. So I can't really trust the user to provide an accurate IP address. While the endpoint will be locked down to a specific VLAN, it should only be one or two IPs that are connecting (may vary as this other team makes changes). These logs will be ingested into a SIEM and I will be able to detect atypical connections from this VLAN (i.e. possible compromise of one of their services). – New Guy Feb 01 '21 at 22:05
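The logging pattern discussed in the question and the comments (the connecting user from `$PSSenderInfo`, the client IP from the WSMan shell enumeration matched on process ID), written out as an added example rather than code from the question. It assumes it runs inside the endpoint's remote session, so `$PID` is the session host process and `$PSSenderInfo` is populated; the log path is a constructed placeholder. The point it adds to the thread is the failure mode: when the run-as account is not an administrator the enumeration throws an access error, and the helper records that explicitly instead of failing the endpoint call, so a SIEM rule can still see the user and can flag records where the source address could not be resolved.

```powershell
# Added example (not from the question): audit logging for a JEA endpoint.
# Assumptions: runs inside the remote session ($PSSenderInfo and $PID belong to
# that session); $LogPath default is a constructed placeholder.

function Get-EndpointClientIp {
    [CmdletBinding()]
    param(
        # Process ID of the session host; $PID is correct when called from the session.
        [int]$ProcessId = $PID
    )
    try {
        # Each active shell exposes ClientIP and ProcessId, but the WSMan
        # provider only lets administrators enumerate shells by default.
        $shell = Get-WSManInstance -ResourceURI Shell -Enumerate -ErrorAction Stop |
            Where-Object { $_.ProcessId -eq $ProcessId }
        if ($shell) { return [string]$shell.ClientIP }
        return 'unresolved'
    }
    catch {
        # Non-admin run-as account: record the failure instead of dropping the log.
        return "unavailable: $($_.Exception.Message)"
    }
}

function Write-EndpointAuditRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Command,
        [string]$LogPath = 'C:\ProgramData\JeaEndpoint\audit.log'   # constructed placeholder
    )
    $record = [ordered]@{
        Timestamp     = (Get-Date).ToString('o')
        ConnectedUser = $PSSenderInfo.UserInfo.Identity.Name   # who connected (not the run-as user)
        SessionStart  = $PSSenderInfo.Timestamp.ToString('o')
        EndpointUri   = $PSSenderInfo.ConnectionString          # the URI the client connected to
        ClientIp      = Get-EndpointClientIp
        HostProcessId = $PID
        Command       = $Command
    }
    # One JSON object per line is easy for a SIEM to ingest.
    $line = $record | ConvertTo-Json -Compress
    Add-Content -Path $LogPath -Value $line
    return $line
}

# Usage from inside a function exposed by the endpoint:
# Write-EndpointAuditRecord -Command 'Restart-Service -Name Spooler'
```

The record deliberately keeps `ConnectedUser` and `ClientIp` as separate fields: the user field is always trustworthy (it comes from the authenticated session), while the IP field is either a resolved address or a string starting with `unavailable`, which is the condition to alert on or to reconcile against other sources rather than something the caller can supply.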

0 Answers