PowerShell script that creates an audit or block Sysmon config from the LOLDrivers vulnerable/malicious driver list
#Author: Jonathan Johnson (@jsecurity101)
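function New-DriverConfig {
<#
.SYNOPSIS
Creates a Sysmon config that audits and/or blocks drivers listed by LOLDrivers.
.DESCRIPTION
Downloads https://www.loldrivers.io/api/drivers.json, collects the SHA256 value of every
KnownVulnerableSamples entry and writes a Sysmon XML config (schemaversion 4.90) to -ConfigPath.

-Audit emits DriverLoad and FileExecutableDetected include rules for those hashes.
-Block emits FileBlockExecutable include rules for those hashes.
The switches may be combined; with neither, the file holds an empty EventFiltering section
and a warning is written.

The feed is third-party data that is written verbatim into the XML. Only values that are
exactly 64 hex characters are accepted, so a malformed (or tampered) entry cannot break the
config or smuggle extra markup into it; rejected values are counted in a warning. Duplicate
hashes are written once.
.PARAMETER Block
Add FileBlockExecutable include rules ("Potential Vulnerable or Malicious Driver File Block").
.PARAMETER Audit
Add DriverLoad and FileExecutableDetected include rules.
.PARAMETER ConfigPath
Output path. Defaults to Driver.xml in the current directory; an existing file is overwritten.
.EXAMPLE
New-DriverConfig -Block
Creates driver block config in the current directory
.EXAMPLE
New-DriverConfig -Audit
Creates driver audit config in the current directory
.EXAMPLE
New-DriverConfig -Audit -ConfigPath C:\Driver.xml
Creates driver audit config in the C:\ directory
.NOTES
Review the generated file before loading it with sysmon -c; it is only as trustworthy as the feed.
#>
    [CmdletBinding()]
    param (
        [Parameter()]
        [Switch]
        $Block,
        [Parameter()]
        [Switch]
        $Audit,
        [Parameter()]
        [string]
        $ConfigPath = "$PWD\Driver.xml"
    )

    # One <Hashes> include line per hash. 'contains' rather than 'is' so the rule still matches
    # when Sysmon reports more than one hash type in the single Hashes value.
    function Get-HashRuleLine {
        param([string[]]$Hashes)
        foreach ($h in $Hashes) {
            " <Hashes condition=`"contains`">SHA256=$h</Hashes>"
        }
    }

    $feedUri = 'https://www.loldrivers.io/api/drivers.json'
    # NOTE(review): Windows PowerShell 5.1 may need [Net.ServicePointManager]::SecurityProtocol to
    # include Tls12 for this host; not set here because it is a process-wide setting.
    $drivers = (Invoke-WebRequest -Uri $feedUri -UseBasicParsing -ErrorAction Stop).Content |
        ConvertFrom-Json

    # Normalise every candidate to a trimmed lower-case string, then keep only real SHA256 digests.
    # Property access is case-insensitive in PowerShell, so the feed's own casing does not matter.
    $hashPattern = '^[0-9a-f]{64}$'
    $candidates = @(
        $drivers |
            ForEach-Object { $_.KnownVulnerableSamples } |
            ForEach-Object { "$($_.SHA256)".Trim().ToLowerInvariant() }
    )
    $sha256 = @($candidates | Where-Object { $_ -match $hashPattern } | Select-Object -Unique)
    $skipped = @($candidates | Where-Object { $_ -and ($_ -notmatch $hashPattern) }).Count
    if ($skipped -gt 0) {
        Write-Warning "Skipped $skipped value(s) from $feedUri that are not a 64-hex SHA256."
    }
    if (-not ($Audit -or $Block)) {
        Write-Warning 'Neither -Audit nor -Block was given; the config will contain no rules.'
    }

    $lines = @('<Sysmon schemaversion="4.90">', '<EventFiltering>')
    if ($Audit) {
        $lines += ' <RuleGroup name="Potential Vulnerable or Malicious Driver Load" groupRelation="or">'
        $lines += '<DriverLoad onmatch="include">'
        $lines += @(Get-HashRuleLine $sha256)
        $lines += ' </DriverLoad>'
        $lines += '</RuleGroup>'
        $lines += ' <RuleGroup name="Potential Vulnerable or Malicious Driver File Detected" groupRelation="or">'
        $lines += '<FileExecutableDetected onmatch="include">'
        $lines += @(Get-HashRuleLine $sha256)
        $lines += ' </FileExecutableDetected>'
        $lines += '</RuleGroup>'
    }
    if ($Block) {
        $lines += ' <RuleGroup name="Potential Vulnerable or Malicious Driver File Block" groupRelation="or">'
        $lines += '<FileBlockExecutable onmatch="include">'
        $lines += @(Get-HashRuleLine $sha256)
        $lines += ' </FileBlockExecutable>'
        $lines += '</RuleGroup>'
    }
    $lines += ' </EventFiltering>'
    $lines += '</Sysmon>'

    # Single write so a failure midway does not leave a half-written config on disk.
    Set-Content -Path $ConfigPath -Value $lines -ErrorAction Stop
}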