<#
Meta
Date: 2022 March 28th
Authors: Dray Agha (Twitter @purp1ew0lf)
Company: Huntress Labs
Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab.
#>
function admin_check{
    <#
    .SYNOPSIS
    Gate: only proceeds to install_various when the session is elevated.

    .DESCRIPTION
    Sysmon installs a driver, so it needs an Administrator token. The current
    Windows identity is tested against the built-in Administrator role; if the
    test fails a warning is written and 'Break' is issued. 'Break' here is
    outside any loop, which PowerShell treats as ending the enclosing script
    rather than just this function (see about_Break), so nothing after the
    caller's invocation runs in the non-elevated case.
    #>
    $currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal       = [Security.Principal.WindowsPrincipal] $currentIdentity
    $adminRole       = [Security.Principal.WindowsBuiltInRole] "Administrator"
    $isElevated      = $principal.IsInRole($adminRole)

    if ($isElevated) {
        # if we're all good, let's fire it off
        Install_various
    }
    else {
        Write-Warning "Insufficient permissions. Run this Powershell script as Admin please"
        Break
    }
}
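function install_various{
    <#
    .SYNOPSIS
    Downloads, unpacks and installs Sysmon with a community ruleset, plus IppSec's PowerSiem helper.

    .DESCRIPTION
    Creates C:\users\<user>\Desktop\SysmonLab, downloads Sysmon.zip from Sysinternals and the
    Neo23x0 sysmon-config ruleset, installs Sysmon64 with that ruleset, fetches PowerSiem.ps1
    and removes the archive and leftover files. Must run elevated (see admin_check).

    Each download is checked individually: a failed fetch stops the function before
    Sysmon64.exe is executed, instead of installing with a missing or empty config. The
    Authenticode signature of the extracted Sysmon64.exe is verified before it runs, since
    HTTPS only protects the transport, not the publisher of the binary.

    .OUTPUTS
    Nothing of note; Sysmon64.exe's console output passes through to the caller.
    #>
    # Non-critical cmdlets (cleanup, directory already present) must not abort the lab build.
    # Critical steps below override this per call with -ErrorAction Stop.
    $ErrorActionPreference = "SilentlyContinue"
    $progressPreference = 'silentlyContinue'

    # Create and work from specific directory. -Force keeps a re-run from failing on an existing dir.
    $labDir = "C:\users\$env:USERNAME\Desktop\SysmonLab"
    New-Item $labDir -ItemType "directory" -Force | Out-Null
    Set-Location $labDir

    # Download sysmon stuff, the ruleset and Ippsec's PowerSiem.
    # If you want to swap the sysmon ruleset from Florian's to another's swap the address below:
    #   SwiftOnSecurity's : https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
    #   Olaf's : https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml
    #   Sophos apparently have one but it seems dedicated to malware analysis : https://support.sophos.com/support/s/article/KB-000038882?language=en_US
    # NOTE: the ruleset and PowerSiem.ps1 are fetched from 'master', so their content can change
    # between runs; pin to a tag or commit before using this outside a throwaway lab.
    $downloads = @(
        @{ Uri = 'https://download.sysinternals.com/files/Sysmon.zip'; OutFile = 'Sysmon.zip' },
        @{ Uri = 'https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml'; OutFile = 'sysmonconfig.xml' },
        @{ Uri = 'https://raw.githubusercontent.com/IppSec/PowerSiem/master/PowerSiem.ps1'; OutFile = 'PowerSiem.ps1' }
    )
    foreach ($d in $downloads) {
        try {
            # Invoke-WebRequest spelled out: 'wget' is only an alias on Windows PowerShell.
            Invoke-WebRequest -UseBasicParsing -Uri $d.Uri -OutFile $d.OutFile -ErrorAction Stop
        }
        catch {
            # Write-Warning, not Write-Error: the latter is muted by SilentlyContinue above.
            Write-Warning "Download of $($d.Uri) failed: $_ -- aborting install"
            return
        }
    }

    Expand-Archive "Sysmon.zip" -DestinationPath . -Force
    if (-not (Test-Path .\Sysmon64.exe)) {
        Write-Warning "Sysmon64.exe not found after extracting Sysmon.zip; aborting install"
        return
    }

    # The archive is only transport-protected; confirm the publisher signature before executing.
    $sig = Get-AuthenticodeSignature .\Sysmon64.exe
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Sysmon64.exe signature status is '$($sig.Status)'; refusing to install"
        return
    }

    # Install sysmon's stuff with the downloaded ruleset.
    .\Sysmon64.exe -i sysmonconfig.xml -accepteula

    # Clean up (best effort: missing files are not an error).
    Remove-Item .\"sysmon.zip", .\"sysmon.exe", .\"eula.lnk", .\"Eula.txt" -ErrorAction SilentlyContinue
}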
# Execute main function in silence (only its standard output is discarded).
Admin_Check | Out-Null

# Message: report the service state and where the IoC collector script landed.
$sysmonState = (Get-Service sysmon*).Status
Write-Host "`n`nSysmon is " -NoNewline
Write-Host $sysmonState -ForegroundColor Magenta

$siemPath = "C:\users\$env:USERNAME\Desktop\SysmonLab\PowerSiem.ps1"
Write-Host "`nRun " -NoNewline
Write-Host $siemPath -ForegroundColor Magenta -NoNewline
Write-Host " and then detonate your malware to gather IoCs from Sysmon log`n"
exit