@Purp1eW0lf
Last active July 3, 2023 17:43
<#
Meta
Date: 2022 June 30th
Authors: Dray Agha (Twitter @purp1ew0lf)
Company: Huntress Labs
Purpose: Automate setting up Sysmon with Florian Roth's ruleset.
Sysmon log can be found in C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
#>
function Admin_Check {
    # Sysmon installs a kernel driver and a service, so the script must run elevated
    if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
        [Security.Principal.WindowsBuiltInRole] "Administrator")) {
        Write-Warning "Insufficient permissions. Run this PowerShell script as Admin please"
        return
    }
    # if we're all good, let's fire it off
    else { Install_Various }
}
function Install_Various {
    # Ensure errors don't ruin anything for us
    # (note: this also hides a failed download, so check the Sysmon log afterwards)
    $ErrorActionPreference = "SilentlyContinue"
    $progressPreference = 'silentlyContinue'
    # Create and work from specific directory (-Force so a re-run does not fail if it exists)
    New-Item "C:\windows\Sysmon" -ItemType "directory" -Force
    Set-Location "C:\windows\Sysmon"
    # Download sysmon stuff (wget is only an alias for Invoke-WebRequest in Windows PowerShell)
    Invoke-WebRequest -UseBasicParsing https://download.sysinternals.com/files/Sysmon.zip -OutFile "Sysmon.zip"
    Expand-Archive "Sysmon.zip" -DestinationPath . -Force
    Invoke-WebRequest -UseBasicParsing https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml -OutFile "sysmonconfig.xml"
    # If you want to swap the sysmon ruleset from Florian's to another's, swap the address above
    # SwiftOnSecurity's : https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
    # Olaf's : https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml
    # Sophos apparently have one but it seems dedicated to malware analysis : https://support.sophos.com/support/s/article/KB-000038882?language=en_US
    # install sysmon's stuff (64-bit binary, applies the ruleset, accepts the EULA non-interactively)
    .\Sysmon64.exe -i sysmonconfig.xml -accepteula
    # Clean up the archive and the files we don't need after installation
    Remove-Item "Sysmon.zip", "Sysmon.exe", "Eula.lnk", "Eula.txt"
}
# Execute main function in silence
Admin_Check | Out-Null
# Message
# Write-Host "`n`nSysmon is " -NoNewline; Write-Host (Get-Service sysmon*).Status -ForegroundColor Magenta
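The gist silences errors during the install, so a separate post-install check is useful. The function below is an added example, not part of the original gist: it assumes the gist's install directory C:\windows\Sysmon, the 64-bit binary Sysmon64.exe (service name Sysmon64, driver SysmonDrv) and the downloaded sysmonconfig.xml, and confirms the binary's Authenticode signature, records the ruleset hash, and reads the Sysmon operational log.

```powershell
# Added verification helper (not from the gist). Paths and names are assumptions
# matching the install script above.
function Test-SysmonInstall {
    param(
        [string]$InstallDir = "C:\windows\Sysmon",
        [string]$ConfigPath = (Join-Path $InstallDir "sysmonconfig.xml")
    )
    $result = [ordered]@{}

    # 1. Provenance: the Sysinternals binary should carry a valid Microsoft Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $InstallDir "Sysmon64.exe")
    $result.BinarySignature = $sig.Status
    $result.BinarySigner    = $sig.SignerCertificate.Subject

    # 2. Record the SHA256 of the ruleset actually deployed, so later config drift can be compared to it.
    $result.ConfigSha256 = (Get-FileHash -Algorithm SHA256 -Path $ConfigPath).Hash

    # 3. Both the user-mode service and the kernel driver must be running for events to flow.
    $result.Service = (Get-Service -Name "Sysmon64"  -ErrorAction SilentlyContinue).Status
    $result.Driver  = (Get-Service -Name "SysmonDrv" -ErrorAction SilentlyContinue).Status

    # 4. The operational log should already hold events:
    #    ID 4 = Sysmon service state changed, ID 16 = Sysmon config state changed (includes the config hash).
    $log = "Microsoft-Windows-Sysmon/Operational"
    $latest = Get-WinEvent -LogName $log -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.LatestEventId   = $latest.Id
    $result.LatestEventTime = $latest.TimeCreated
    $cfg = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 16 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.LastConfigChange = $cfg.Message

    [pscustomobject]$result
}

$check = Test-SysmonInstall
$check | Format-List
if ($check.BinarySignature -ne "Valid" -or $check.Service -ne "Running" -or $check.Driver -ne "Running") {
    Write-Warning "Sysmon is not fully installed, or Sysmon64.exe failed signature validation"
}
```

Keep the ConfigSha256 value with your deployment records; a later event ID 16 whose hash differs from it indicates the ruleset on the host was changed outside your process.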