Read sysmon logs, parse events into new objects
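function Get-SysmonLogsProcessStarts
{
<#
.SYNOPSIS
Collects Sysmon process-creation events (Event ID 1) from one or more hosts.
.DESCRIPTION
Reads the Microsoft-Windows-Sysmon/Operational log on every host named in
-Computers, selects Event ID 1 (process create) and emits one PSObject per event
with the EventData fields exposed as properties, so the output can be filtered
with Where-Object when hunting for suspicious parent/child process pairs.

EventData fields are resolved by their Name attribute instead of by position.
Sysmon has changed the field layout of this event between versions, and
positional indexing would then silently map a property such as CommandLine or
Hashes to the wrong field - a detection built on the object would keep running
and simply stop matching. Fields missing from an event are emitted as $null.
.PARAMETER Computers
One or more computer names to query. Defaults to the local machine.
.EXAMPLE
Get-SysmonLogsProcessStarts
.EXAMPLE
Get-SysmonLogsProcessStarts | where {($_.ParentImage -like "*office*") -and ($_.CommandLine -like "*powershell*")}
.EXAMPLE
Get-SysmonLogsProcessStarts -Computers srv01,srv02 | Export-Csv process-starts.csv -NoTypeInformation
.OUTPUTS
PSObject per event. Computer is added so results from several hosts stay
attributable; all other properties mirror the Sysmon EventData field names.
#>
Param
(
[array]$Computers = $env:computername
)
Foreach ($ComputerName in $Computers)
{
try
{
# Sysmon Event ID 1 = process creation.
# -ErrorAction Stop so that an absent log, access denied or an unreachable
# host actually reaches the catch block; with SilentlyContinue the catch
# below could never fire and a failing host looked like "no events".
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 1 } -ErrorAction Stop
foreach ($event in $events)
{
$eventXML = [xml]$event.ToXml()
# Index EventData by field name (hashtable keys are case-insensitive).
$data = @{}
foreach ($field in $eventXML.Event.EventData.Data)
{
if ($field.Name) { $data[$field.Name] = $field.'#text' }
}
New-Object -TypeName PSObject -Property @{
Computer = $eventXML.Event.System.Computer
UTCTime = $data['UtcTime']
ProcessGUID = $data['ProcessGuid']
ProcessID = $data['ProcessId']
Image = $data['Image']
FileVersion = $data['FileVersion']
Description = $data['Description']
Product = $data['Product']
Company = $data['Company']
OriginalFileName = $data['OriginalFileName']
CommandLine = $data['CommandLine']
CurrentDirectory = $data['CurrentDirectory']
User = $data['User']
LogonGuid = $data['LogonGuid']
LogonID = $data['LogonId']
TerminalSessionId = $data['TerminalSessionId']
IntegrityLevel = $data['IntegrityLevel']
# Single string; which algorithms appear depends on the Sysmon config.
Hashes = $data['Hashes']
ParentProcessGUID = $data['ParentProcessGuid']
ParentProcessID = $data['ParentProcessId']
ParentImage = $data['ParentImage']
ParentCommandLine = $data['ParentCommandLine']
}
}
}
catch
{
# Get-WinEvent reports "no matching events" as an error; that is a normal,
# empty result, not a collection failure.
if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*')
{
Write-Verbose "No Sysmon Event ID 1 events found on $ComputerName"
}
else
{
# Warning stream rather than Write-Host: keeps the object pipeline clean and
# lets callers capture or suppress it. Include the real reason - it may be
# RPC/firewall or permissions rather than a missing Sysmon install.
Write-Warning "Could not read the Sysmon log on $ComputerName (is Sysmon installed and the log readable?): $($_.Exception.Message)"
}
}
}
}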
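function Get-SysmonLogsNetwork
{
<#
.SYNOPSIS
Collects Sysmon network-connection events (Event ID 3) from one or more hosts.
.DESCRIPTION
Reads the Microsoft-Windows-Sysmon/Operational log on every host named in
-Computers, selects Event ID 3 (network connection) and emits one PSObject per
event with the EventData fields exposed as properties, so the output can be
filtered with Where-Object (e.g. unexpected processes talking to the internet).

EventData fields are resolved by their Name attribute instead of by position,
so a Sysmon version that inserts or reorders fields cannot silently shift
DestinationIp or DestinationPort onto the wrong value. Fields missing from an
event are emitted as $null.
.PARAMETER Computers
One or more computer names to query. Defaults to the local machine.
.EXAMPLE
Get-SysmonLogsNetwork
.EXAMPLE
Get-SysmonLogsNetwork | where {($_.Image -like "*powershell*") -and ($_.DestinationPort -eq "443")}
.OUTPUTS
PSObject per event. Computer is added so results from several hosts stay
attributable; all other properties mirror the Sysmon EventData field names.
#>
Param
(
[array]$Computers = $env:computername
)
Foreach ($ComputerName in $Computers)
{
try
{
# Sysmon Event ID 3 = network connection.
# -ErrorAction Stop so that an absent log, access denied or an unreachable
# host actually reaches the catch block; with SilentlyContinue the catch
# below could never fire and a failing host looked like "no events".
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 3 } -ErrorAction Stop
foreach ($event in $events)
{
$eventXML = [xml]$event.ToXml()
# Index EventData by field name (hashtable keys are case-insensitive).
$data = @{}
foreach ($field in $eventXML.Event.EventData.Data)
{
if ($field.Name) { $data[$field.Name] = $field.'#text' }
}
New-Object -TypeName PSObject -Property @{
Computer = $eventXML.Event.System.Computer
UtcTime = $data['UtcTime']
ProcessGuid = $data['ProcessGuid']
ProcessId = $data['ProcessId']
Image = $data['Image']
User = $data['User']
Protocol = $data['Protocol']
# "true" when the local process opened the connection (outbound), per Sysmon.
Initiated = $data['Initiated']
SourceIsIpv6 = $data['SourceIsIpv6']
SourceIp = $data['SourceIp']
SourceHostname = $data['SourceHostname']
SourcePort = $data['SourcePort']
SourcePortName = $data['SourcePortName']
DestinationIsIpv6 = $data['DestinationIsIpv6']
DestinationIp = $data['DestinationIp']
DestinationHostname = $data['DestinationHostname']
DestinationPort = $data['DestinationPort']
DestinationPortName = $data['DestinationPortName']
}
}
}
catch
{
# Get-WinEvent reports "no matching events" as an error; that is a normal,
# empty result, not a collection failure.
if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*')
{
Write-Verbose "No Sysmon Event ID 3 events found on $ComputerName"
}
else
{
# Warning stream rather than Write-Host: keeps the object pipeline clean and
# lets callers capture or suppress it. Include the real reason - it may be
# RPC/firewall or permissions rather than a missing Sysmon install.
Write-Warning "Could not read the Sysmon log on $ComputerName (is Sysmon installed and the log readable?): $($_.Exception.Message)"
}
}
}
}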
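function Get-SysmonLogsDNS
{
<#
.SYNOPSIS
Collects Sysmon DNS-query events (Event ID 22) from one or more hosts.
.DESCRIPTION
Reads the Microsoft-Windows-Sysmon/Operational log on every host named in
-Computers, selects Event ID 22 (DNS query) and emits one PSObject per event
with the EventData fields exposed as properties, so the output can be filtered
with Where-Object (e.g. which process resolved a suspicious domain).

EventData fields are resolved by their Name attribute instead of by position,
so a Sysmon version that inserts or reorders fields cannot silently shift
QueryName or Image onto the wrong value. Fields missing from an event are
emitted as $null.
.PARAMETER Computers
One or more computer names to query. Defaults to the local machine.
.EXAMPLE
Get-SysmonLogsDNS
.EXAMPLE
Get-SysmonLogsDNS | where {$_.QueryName -like "*.example.invalid"} | select UtcTime, Image, QueryName, QueryResults
.OUTPUTS
PSObject per event. Computer is added so results from several hosts stay
attributable; all other properties mirror the Sysmon EventData field names.
#>
Param
(
[array]$Computers = $env:computername
)
Foreach ($ComputerName in $Computers)
{
try
{
# Sysmon Event ID 22 = DNS query.
# -ErrorAction Stop so that an absent log, access denied or an unreachable
# host actually reaches the catch block; with SilentlyContinue the catch
# below could never fire and a failing host looked like "no events".
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 22 } -ErrorAction Stop
foreach ($event in $events)
{
$eventXML = [xml]$event.ToXml()
# Index EventData by field name (hashtable keys are case-insensitive).
$data = @{}
foreach ($field in $eventXML.Event.EventData.Data)
{
if ($field.Name) { $data[$field.Name] = $field.'#text' }
}
New-Object -TypeName PSObject -Property @{
Computer = $eventXML.Event.System.Computer
UtcTime = $data['UtcTime']
ProcessGuid = $data['ProcessGuid']
ProcessId = $data['ProcessId']
QueryName = $data['QueryName']
QueryStatus = $data['QueryStatus']
# Raw result string as Sysmon records it; not split into individual answers.
QueryResults = $data['QueryResults']
Image = $data['Image']
}
}
}
catch
{
# Get-WinEvent reports "no matching events" as an error; that is a normal,
# empty result, not a collection failure.
if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*')
{
Write-Verbose "No Sysmon Event ID 22 events found on $ComputerName"
}
else
{
# Warning stream rather than Write-Host: keeps the object pipeline clean and
# lets callers capture or suppress it. Include the real reason - it may be
# RPC/firewall or permissions rather than a missing Sysmon install.
Write-Warning "Could not read the Sysmon log on $ComputerName (is Sysmon installed and the log readable?): $($_.Exception.Message)"
}
}
}
}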
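function Get-SysmonLogsFilesCreated
{
<#
.SYNOPSIS
Collects Sysmon file-create events (Event ID 11) from one or more hosts.
.DESCRIPTION
Reads the Microsoft-Windows-Sysmon/Operational log on every host named in
-Computers, selects Event ID 11 (file created) and emits one PSObject per event
with the EventData fields exposed as properties, so the output can be filtered
with Where-Object (e.g. executables or scripts dropped into user-writable paths).

EventData fields are resolved by their Name attribute instead of by position,
so a Sysmon version that inserts or reorders fields cannot silently shift
TargetFilename or Image onto the wrong value. Fields missing from an event are
emitted as $null.
.PARAMETER Computers
One or more computer names to query. Defaults to the local machine.
.EXAMPLE
Get-SysmonLogsFilesCreated
.EXAMPLE
Get-SysmonLogsFilesCreated | where {($_.TargetFilename -like "*\AppData\*") -and ($_.TargetFilename -like "*.exe")}
.OUTPUTS
PSObject per event. Computer is added so results from several hosts stay
attributable; all other properties mirror the Sysmon EventData field names.
#>
Param
(
[array]$Computers = $env:computername
)
Foreach ($ComputerName in $Computers)
{
try
{
# Sysmon Event ID 11 = file created.
# -ErrorAction Stop so that an absent log, access denied or an unreachable
# host actually reaches the catch block; with SilentlyContinue the catch
# below could never fire and a failing host looked like "no events".
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 11 } -ErrorAction Stop
foreach ($event in $events)
{
$eventXML = [xml]$event.ToXml()
# Index EventData by field name (hashtable keys are case-insensitive).
$data = @{}
foreach ($field in $eventXML.Event.EventData.Data)
{
if ($field.Name) { $data[$field.Name] = $field.'#text' }
}
New-Object -TypeName PSObject -Property @{
Computer = $eventXML.Event.System.Computer
# UtcTime is when Sysmon logged the event; CreationUtcTime is the file's own
# creation timestamp as reported by Sysmon, which can differ (timestomping).
UtcTime = $data['UtcTime']
ProcessGuid = $data['ProcessGuid']
ProcessId = $data['ProcessId']
Image = $data['Image']
TargetFilename = $data['TargetFilename']
CreationUtcTime = $data['CreationUtcTime']
}
}
}
catch
{
# Get-WinEvent reports "no matching events" as an error; that is a normal,
# empty result, not a collection failure.
if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*')
{
Write-Verbose "No Sysmon Event ID 11 events found on $ComputerName"
}
else
{
# Warning stream rather than Write-Host: keeps the object pipeline clean and
# lets callers capture or suppress it. Include the real reason - it may be
# RPC/firewall or permissions rather than a missing Sysmon install.
Write-Warning "Could not read the Sysmon log on $ComputerName (is Sysmon installed and the log readable?): $($_.Exception.Message)"
}
}
}
}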