# 10-02-2021 DFIR-Jesseee
# For CyberForce 2021
# Reference https://textkool.com/en/ascii-art-generator?hl=default&vl=default&font=Red%20Phoenix&text=Install%20Sysmon
#
# To download installSysmon.ps1 so you can review it first and then run it manually from $env:tmp
# (the -OutFile below saves it there; the raw URL is pinned to a specific gist revision, so the
# content you review is the content you run):
# Invoke-WebRequest https://gist.githubusercontent.com/jessefmoore/d0a6325b4133b05a9a18096fdc8a8c78/raw/82ca1f46bbe711c1577c93b34d78356386ad998c/installSysmon.ps1 -OutFile "$env:tmp/installSysmon.ps1" -ErrorAction SilentlyContinue
#
# To run installSysmon.ps1 from memory. IEX executes the downloaded text directly, so no separate
# "installSysmon.ps1" call is needed afterwards (a trailing call would fail: nothing by that name is
# on PATH). Prefer the download-and-review route above on any host you care about.
# powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/jessefmoore/d0a6325b4133b05a9a18096fdc8a8c78/raw/fd489ab49506409faf8c75bd3dc975a0b5b20f91/installSysmon.ps1')"
# Start-of-run banner. Purely cosmetic: identifies the tool/author on the console
# and has no effect on the install steps that follow.
$ASCII = @"
.___ __ .__ .__ _________
| | ____ _______/ |_ _____ | | | | / _____/___.__. ______ _____ ____ ____
| | / \ / ___/\ __\\__ \ | | | | \_____ \< | | / ___/ / \ / _ \ / \
| || | \ \___ \ | | / __ \_| |__| |__ / \\___ | \___ \ | Y Y \( <_> )| | \
|___||___| //____ > |__| (____ /|____/|____/ /_______ // ____|/____ >|__|_| / \____/ |___| /
\/ \/ \/ \/ \/ \/ \/ \/
By DFIR-Jesseee
"@
#
# Emit the banner on the success stream (same as evaluating the bare variable).
Write-Output $ASCII
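# ---- Optional TLS certificate-validation bypass (default: OFF) ----
# The original script unconditionally installed a policy that accepts every
# certificate. That turns the two HTTPS downloads below (Sysmon binary and the
# sysmon-modular config) into plain-HTTP trust: anyone on the network path
# (inspecting proxy, rogue AP, ARP/DNS spoofing) could hand back a different
# sysmon.exe, which this script then installs as a driver/service with full
# system privilege. For a tool that exists to improve detection, that is the
# wrong default.
#
# Set $TrustAllCerts = $true only on a lab box behind a TLS-inspecting proxy you
# control, and prefer installing that proxy's root CA over disabling validation.
# NOTE(review): ServicePointManager.CertificatePolicy is a legacy .NET Framework
# hook; Invoke-WebRequest on newer PowerShell (7+) does not appear to honour it
# (it has its own -SkipCertificateCheck) -- confirm on your target version.
$TrustAllCerts = $false

if ($TrustAllCerts) {
    Write-Warning 'TLS certificate validation is DISABLED for this session; downloads below are not authenticated.'
    add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    // Accept any certificate, for any host, regardless of the reported problem.
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
}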
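# If the script itself is blocked by execution policy, run this line by hand first.
# Execution policy is not a security boundary, but the original -Scope CurrentUser
# wrote a persistent Bypass into the user's registry hive that outlived this
# install. Process scope is sufficient to run this script and is discarded when
# the shell exits, so the host is left as it was found. (Running via
# `powershell -exec bypass`, as in the header, already satisfies the policy.)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force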
#
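# ---- Fetch sysmon-modular + Sysmon, merge the config, install ----
# sysmon -i installs a kernel driver and a service, so everything below ends up
# running with full system privilege. Fail loudly: with the original
# -ErrorAction SilentlyContinue a failed download left no zip/exe behind, the cd
# silently failed, and the later steps ran against whatever was in $env:tmp.

# Sysmon's installer needs an elevated shell; check up front rather than discovering it at the last step.
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    throw 'installSysmon.ps1 must run from an elevated (Administrator) PowerShell: sysmon -i installs a driver and service.'
}

$zipPath   = Join-Path $env:tmp 'Sysmon-Mod.zip'
$workDir   = Join-Path $env:tmp 'sysmon-modular-master'
$sysmonExe = Join-Path $workDir 'sysmon.exe'

# Config source. master is an unpinned, moving branch and the archive carries no
# signature, so the rules you get depend on when you run this. For anything
# beyond a competition box, pin to a reviewed tag/commit and keep the merged
# sysmonconfig.xml with the host's build record.
Invoke-WebRequest https://github.com/olafhartong/sysmon-modular/archive/refs/heads/master.zip -OutFile $zipPath -ErrorAction Stop
# -Force lets a re-run overwrite a previous extraction instead of erroring out.
Expand-Archive -LiteralPath $zipPath -DestinationPath $env:tmp -Force -ErrorAction Stop
Set-Location -LiteralPath $workDir -ErrorAction Stop

# Sysinternals serves Sysmon over HTTPS with an Authenticode signature. Refuse to
# install a binary whose signature does not chain to a trusted root or whose
# signer is not Microsoft: this catches a swapped download (e.g. if the TLS
# bypass above was enabled) or a file tampered with on disk before install.
Invoke-WebRequest https://live.sysinternals.com/Sysmon64.exe -OutFile $sysmonExe -ErrorAction Stop
$sig = Get-AuthenticodeSignature -FilePath $sysmonExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
    Remove-Item -LiteralPath $sysmonExe -Force -ErrorAction SilentlyContinue
    throw "Refusing to install: sysmon.exe signature check failed (Status=$($sig.Status); Subject=$($sig.SignerCertificate.Subject))"
}

# Merge the numbered rule folders into a single config (sysmon-modular's documented flow).
. .\Merge-SysmonXml.ps1
Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml
if (-not (Test-Path -LiteralPath '.\sysmonconfig.xml') -or (Get-Item -LiteralPath '.\sysmonconfig.xml').Length -eq 0) {
    throw 'Merged sysmonconfig.xml is missing or empty; not installing Sysmon without a config.'
}

# -accepteula suppresses the EULA prompt; -i installs the service/driver with this config.
./sysmon.exe -accepteula -i sysmonconfig.xml
if ($LASTEXITCODE -ne 0) {
    throw "sysmon.exe -i exited with code $LASTEXITCODE; check the output above (already installed? use -c to update the config)."
}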