@MHaggis
Created October 10, 2023 19:47
Inventory SIP

Place in inputs.conf and watch the SIP roll in.

# Modify for your environment. Make sure the sourcetype matches the analytic as needed.
[powershell://SubjectInterfacePackage]
script = $registryPaths = @("HKLM:\SOFTWARE\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1"); $registryPaths | ForEach-Object {Get-ChildItem -Recurse $_ | ForEach-Object {$key=$_; $props=$key.GetValueNames(); $propDataPairs=@{}; for ($i=0; $i -lt $props.Length; $i++) {$propDataPairs[$props[$i]]=$key.GetValue($props[$i])}; $outputObj=[PSCustomObject]@{Path=$key.PSPath;PSChildName=$key.PSChildName}; $propDataPairs.GetEnumerator() | ForEach-Object {Add-Member -InputObject $outputObj -NotePropertyName $_.Name -NotePropertyValue $_.Value}; $outputObj | ConvertTo-Json | Write-Output}}
schedule = 0 0 * * *
#schedule = */1 * * * *
sourcetype = PwSh:SubjectInterfacePackage
index=win
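
One way to triage the JSON this input emits, as an added example that is not part of the original gist: it parses the back-to-back `ConvertTo-Json` objects and flags `Dll` / `$DLL` values that resolve outside System32 or SysWOW64. The sample events, placeholder GUIDs, the `C:\Windows` root and the trusted-location rule are assumptions; adjust them to your baseline.

```python
import json
import ntpath
import re

# Assumption: on a clean host these DLLs are bare names or live under these roots.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64")
ENV = {"systemroot": r"C:\Windows", "windir": r"C:\Windows"}  # assumed values
DLL_VALUE_NAMES = {"dll", "$dll"}  # value names under SIP and trust provider keys

# Constructed sample events (placeholder GUIDs), shaped like the input's output.
SAMPLE = r'''
{"Path": "Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{00000000-0000-0000-0000-000000000001}", "PSChildName": "{00000000-0000-0000-0000-000000000001}", "Dll": "WINTRUST.DLL", "FuncName": "CryptSIPVerifyIndirectData"}
{"Path": "Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{00000000-0000-0000-0000-000000000002}", "PSChildName": "{00000000-0000-0000-0000-000000000002}", "Dll": "%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\pwrshsip.dll", "FuncName": "PsVerifyHash"}
{"Path": "Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00000000-0000-0000-0000-000000000003}", "PSChildName": "{00000000-0000-0000-0000-000000000003}", "$DLL": "C:\\Windows\\System32\\..\\Temp\\example.dll", "$Function": "ExampleFinalPolicy"}
'''


def iter_events(stream):
    """Yield each object from back-to-back ConvertTo-Json output (not a JSON array)."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(stream):
        if stream[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj


def normalize(path):
    """Expand known %VAR% references, collapse '..' segments, lower-case."""
    expanded = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(expanded.strip('"')))


def is_trusted_location(path):
    norm = normalize(path)
    if ntpath.basename(norm) == norm:  # bare file name such as WINTRUST.DLL
        return True
    return any(norm.startswith(root + "\\") for root in TRUSTED_ROOTS)


def suspicious_registrations(stream):
    """Return (registry path, value name, dll) for DLLs outside the trusted roots."""
    findings = []
    for event in iter_events(stream):
        for name, value in event.items():
            if name.lower() in DLL_VALUE_NAMES and isinstance(value, str) \
                    and not is_trusted_location(value):
                findings.append((event.get("Path"), name, value))
    return findings
```

A path check like this only narrows the list; confirming a flagged DLL still means checking its signature and origin on the host.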