@medmondson44
Created September 22, 2019 11:22
This PowerShell script parses Windows event logs (PowerShell ScriptBlock logging, Security logon events and Sysmon events) from one or more hosts for a given look-back window.
Function Get-PowerShellLog {
<#
.SYNOPSIS
Get-PowerShellLog extracts all PowerShell ScriptBlock Events [Evt 4104] from the Microsoft-Windows-PowerShell/Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all PowerShell ScriptBlock Events.
Event 4104
Query and filter
.PARAMETER BackMins
Number of minutes to look back when pulling PowerShell ScriptBlock events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind that, depending on the logging configuration, the longer the timeframe the more work it takes to pull events.
.PARAMETER ComputerName
Computer or computers to pull PowerShell ScriptBlock events from.
.EXAMPLE
Get-PowerShellLog -BackMins 720
TimeCreated : 06-Sep-19 09:47:22
Id : 4104
MachineName : medmondson-WS
TaskDisplayName : Execute a Remote Command
ScriptBlockText : {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[1].Value) -format s
ProcessGuid = $_.Properties[2].Value
ProcessId = $_.Properties[3].Value
Image = $_.Properties[4].Value
CommandLine = $_.Properties[10].Value
CurrentDirectory = $_.Properties[11].Value
User = $_.Properties[12].Value
LogonGuid = $_.Properties[13].Value
LogonId = $_.Properties[14].Value
TerminalSessionId = $_.Properties[15].Value
IntegrityLevel = $_.Properties[16].Value
Hashes = ($_.Properties[17].Value.Split(",")) # shows hash feild with all configured hash types one field
#
SHA1 = ($_.Properties[17].Value.Split(",")[0].split("=")[1]) # required logging of MD5, SHA1, SHA256
#
ParentProcessGuid = $_.Properties[18].Value
ParentProcessId = $_.Properties[19].Value
ParentImage = $_.Properties[20].Value
ParentCommandLine = $_.Properties[21].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Seldect-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
ProcessGuid, ProcessId, Image, CommandLine, SHA1, CurrentDirectory,
User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, ParentProcessGuid,
ParentProcessId, ParentImage, ParentCommandLine
}
.EXAMPLE
Get-PowerShellLog 720
TimeCreated : 06-Sep-19 09:47:22
Id : 4104
MachineName : medmondson-WS
TaskDisplayName : Execute a Remote Command
ScriptBlockText : {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[1].Value) -format s
ProcessGuid = $_.Properties[2].Value
ProcessId = $_.Properties[3].Value
Image = $_.Properties[4].Value
CommandLine = $_.Properties[10].Value
CurrentDirectory = $_.Properties[11].Value
User = $_.Properties[12].Value
LogonGuid = $_.Properties[13].Value
LogonId = $_.Properties[14].Value
TerminalSessionId = $_.Properties[15].Value
IntegrityLevel = $_.Properties[16].Value
Hashes = ($_.Properties[17].Value.Split(",")) # shows hash feild with all configured hash types one field
#
SHA1 = ($_.Properties[17].Value.Split(",")[0].split("=")[1]) # required logging of MD5, SHA1, SHA256
#
ParentProcessGuid = $_.Properties[18].Value
ParentProcessId = $_.Properties[19].Value
ParentImage = $_.Properties[20].Value
ParentCommandLine = $_.Properties[21].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Seldect-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
ProcessGuid, ProcessId, Image, CommandLine, SHA1, CurrentDirectory,
User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, ParentProcessGuid,
ParentProcessId, ParentImage, ParentCommandLine
}
.EXAMPLE
Get-PowerShellLog -computername <computername>
TimeCreated : 06-Sep-19 09:47:22
Id : 4104
MachineName : medmondson-WS
TaskDisplayName : Execute a Remote Command
ScriptBlockText : {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[1].Value) -format s
ProcessGuid = $_.Properties[2].Value
ProcessId = $_.Properties[3].Value
Image = $_.Properties[4].Value
CommandLine = $_.Properties[10].Value
CurrentDirectory = $_.Properties[11].Value
User = $_.Properties[12].Value
LogonGuid = $_.Properties[13].Value
LogonId = $_.Properties[14].Value
TerminalSessionId = $_.Properties[15].Value
IntegrityLevel = $_.Properties[16].Value
Hashes = ($_.Properties[17].Value.Split(",")) # shows hash feild with all configured hash types one field
#
SHA1 = ($_.Properties[17].Value.Split(",")[0].split("=")[1]) # required logging of MD5, SHA1, SHA256
#
ParentProcessGuid = $_.Properties[18].Value
ParentProcessId = $_.Properties[19].Value
ParentImage = $_.Properties[20].Value
ParentCommandLine = $_.Properties[21].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Seldect-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
ProcessGuid, ProcessId, Image, CommandLine, SHA1, CurrentDirectory,
User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, ParentProcessGuid,
ParentProcessId, ParentImage, ParentCommandLine
}
.LINK
.NOTES
#>
[CmdletBinding()]
param (
    [int32]$BackMins = 180,
    # The Parameter attribute applies to the parameter that follows it; in the original
    # it was attached to $BackMins, so pipeline input never reached $ComputerName.
    [Parameter(Mandatory=$false,
    ValueFromPipeline=$True,
    HelpMessage="Enter ComputerName")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)
# A process block is required for ValueFromPipeline to see every piped-in host, not just the last one
process {
    foreach ($comp in $ComputerName) {
        if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet) {
            $BackTime = (Get-Date) - (New-TimeSpan -Minutes $BackMins)
            # StartTime in the filter hashtable lets the event log service do the time filtering
            $RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{LogName="Microsoft-Windows-PowerShell/Operational"; ID=4104; StartTime=$BackTime} -ErrorAction SilentlyContinue
            $RawEvents | ForEach-Object {
                # Pull the ScriptBlockText EventData field by name rather than by position
                $SelectorStrings = [string[]]@(
                    'Event/EventData/Data[@Name="ScriptBlockText"]'
                )
                $PropertySelector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)
                $ScriptBlockText = $_.GetPropertyValues($PropertySelector)
                [PSCustomObject]@{
                    TimeCreated     = $_.TimeCreated
                    Id              = $_.Id
                    MachineName     = $_.MachineName
                    TaskDisplayName = $_.TaskDisplayName
                    ScriptBlockText = $ScriptBlockText -join ' '
                }
            }
        }
        else {
            # Record unreachable hosts so the sweep can be re-run against them later
            Write-Output $comp | Out-File offline_host.txt -Append
        }
    }
}
}
Function Get-LogonInfo {
<#
.SYNOPSIS
Get-LogonInfo extracts all Logon Events [Evt 4624] from the Security Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Logon Events.
Event 4624
Query and filter
.PARAMETER BackMins
Number of minutes to look back when pulling Logon events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind that, depending on the audit configuration, the longer the timeframe the more work it takes to pull events.
.PARAMETER ComputerName
Computer or computers to pull Logon events from.
.EXAMPLE
Get-LogonInfo -BackMins 720
TimeCreated : 16-Sep-19 15:37:24
UserName : SYSTEM
Domain : NT AUTHORITY
LogonId : 999
LogonType : 5
ComputerName : {-}
ProcessId : 860
ProcessName : C:\Windows\System32\services.exe
IPAddress : -
Port : -
Message : An account was successfully logged on
.EXAMPLE
Get-LogonInfo 720
TimeCreated : 16-Sep-19 15:37:24
UserName : SYSTEM
Domain : NT AUTHORITY
LogonId : 999
LogonType : 5
ComputerName : {-}
ProcessId : 860
ProcessName : C:\Windows\System32\services.exe
IPAddress : -
Port : -
Message : An account was successfully logged on
.EXAMPLE
Get-LogonInfo -computername <computername>
TimeCreated : 16-Sep-19 15:37:24
UserName : SYSTEM
Domain : NT AUTHORITY
LogonId : 999
LogonType : 5
ComputerName : {-}
ProcessId : 860
ProcessName : C:\Windows\System32\services.exe
IPAddress : -
Port : -
Message : An account was successfully logged on
.LINK
.NOTES
#>
[CmdletBinding()]
param (
    [int32]$BackMins = 180,
    # The Parameter attribute applies to the parameter that follows it; in the original
    # it was attached to $BackMins, so pipeline input never reached $ComputerName.
    [Parameter(Mandatory=$false,
    ValueFromPipeline=$True,
    HelpMessage="Enter ComputerName")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)
process {
    foreach ($comp in $ComputerName) {
        if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet) {
            $BackTime = (Get-Date) - (New-TimeSpan -Minutes $BackMins)
            # StartTime in the filter hashtable lets the event log service do the time filtering
            $RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{LogName="Security"; ID=4624; StartTime=$BackTime} -ErrorAction SilentlyContinue
            $RawEvents | ForEach-Object {
                # Select EventData fields by name so the parser does not depend on their position
                $SelectorStrings = [string[]]@(
                    'Event/EventData/Data[@Name="TargetUserName"]',
                    'Event/EventData/Data[@Name="TargetDomainName"]',
                    'Event/EventData/Data[@Name="TargetLogonId"]',
                    'Event/EventData/Data[@Name="LogonType"]',
                    'Event/EventData/Data[@Name="WorkstationName"]',
                    'Event/EventData/Data[@Name="ProcessId"]',
                    'Event/EventData/Data[@Name="ProcessName"]',
                    'Event/EventData/Data[@Name="IpAddress"]',
                    'Event/EventData/Data[@Name="IpPort"]'
                )
                $PropertySelector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)
                # WorkstationName goes into $Workstation, not $ComputerName: the original reused the
                # parameter name here and overwrote the list of hosts being queried
                $UserName, $Domain, $LogonId, $LogonType, $Workstation, $ProcessId, $ProcessName, $IPAddress, $Port = $_.GetPropertyValues($PropertySelector)
                [PSCustomObject]@{
                    TimeCreated  = $_.TimeCreated
                    UserName     = $UserName
                    Domain       = $Domain
                    LogonId      = $LogonId
                    LogonType    = $LogonType
                    ComputerName = $Workstation
                    ProcessId    = $ProcessId
                    ProcessName  = $ProcessName
                    IPAddress    = $IPAddress
                    Port         = $Port
                    Message      = ($_.Message).Split(".")[0]
                }
            }
        }
        else {
            Write-Output $comp | Out-File offline_host.txt -Append
        }
    }
}
}
Function Get-SysmonProcess {
<#
.SYNOPSIS
Get-SysmonProcess extracts all Sysmon Process Create Events [Evt 1] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon Process Creation events. Configured for Sysmon 10.2
Event 1
Query and filter
.PARAMETER BackMins
Number of minutes to look back when pulling Process Creation events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind that, depending on the Sysmon configuration, the longer the timeframe the more work it takes to pull events.
.PARAMETER ComputerName
Computer or computers to pull Process Creation events from.
.EXAMPLE
Get-SysmonProcess -BackMins 720
Get-SysmonProcess 720
Get-SysmonProcess -computername <computername>
DateUTC : 2017-01-16T01:09:25
HostName : Win10.ACME.local
Version : 5
EventID : 1
EventType : Process Create
ProcessGuid : b7480112-1d45-587c-0000-0010c1d96b00
ProcessId : 5196
Image : C:\Windows\System32\PING.EXE
CommandLine : ping 8.8.8.8 -n 1
SHA1 : 57CC695F7FFA71A5970DDAB9A8656DDEC78E795A
CurrentDirectory : C:\Users\Administrator\Desktop\
User : ACME\USER1
LogonGuid : b7480112-13c7-587c-0000-0020bef05f00
LogonId : 6287550
TerminalSessionId : 2
IntegrityLevel : High
ParentProcessGuid : b7480112-1d20-587c-0000-00105ea06b00
ParentProcessId : 1064
ParentImage : C:\Windows\System32\cmd.exe
ParentCommandLine : "C:\Windows\system32\cmd.exe"
.LINK
.NOTES
Configured for Sysmon 10.2
Sysmon configuration plays a large part in the amount of events.
I have configured the module to report back for a Sysmon hash configuration of: MD5,SHA1,SHA256. For any other configurations you will need to reconfigure the PropertyBag array to report the relevant algorithms.
For simplicity I have also included a Hashes field commented out. If included, it will show all calculated hashes in one line.
When modifying $PropertyBag, remember to change the final Select-Object to ensure the correct fields are selected in order.
For offline parsing of event logs modify the script to remove "-ComputerName" and the "Logname" filter and add "-Path <PATH_to_Logs>".
e.g. $RawEvents = Get-WinEvent -Path c:\case\sysmon.evtx | Where-Object {$_.TimeCreated -ge $BackTime} | Where-Object { $_.Id -eq 1}
#>
[CmdletBinding()]
Param (
    [int32]$BackMins = 180,
    # The Parameter attribute applies to the parameter that follows it; in the original
    # it was attached to $BackMins, so pipeline input never reached $ComputerName.
    [Parameter(Mandatory=$false,
    ValueFromPipeline=$True,
    HelpMessage="Enter ComputerName")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)
process {
    foreach ($comp in $ComputerName) {
        if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet) {
            $BackTime = (Get-Date) - (New-TimeSpan -Minutes $BackMins)
            # StartTime in the filter hashtable lets the event log service do the time filtering
            $RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; ID=1; StartTime=$BackTime} -ErrorAction SilentlyContinue
            $RawEvents | ForEach-Object {
                # Sysmon writes Hashes as "ALG=value,ALG=value,..." and not necessarily in the order
                # given in the config. Index the pairs by algorithm name so SHA1 is always SHA1 and a
                # missing algorithm yields $null instead of an out-of-range index error.
                $HashByAlg = @{}
                foreach ($pair in ($_.Properties[17].Value -split ',')) {
                    $alg, $val = $pair -split '=', 2
                    if ($alg) { $HashByAlg[$alg.Trim().ToUpper()] = $val }
                }
                # Positional Properties[] indices follow the Sysmon 10.2 Event 1 schema
                $PropertyBag = @{
                    HostName          = $_.MachineName
                    Version           = $_.Version
                    EventType         = $_.Message.Split(":")[0]
                    EventID           = $_.Id
                    DateUTC           = Get-Date ($_.Properties[1].Value) -Format s
                    ProcessGuid       = $_.Properties[2].Value
                    ProcessId         = $_.Properties[3].Value
                    Image             = $_.Properties[4].Value
                    OriginalFilename  = $_.Properties[9].Value
                    CommandLine       = $_.Properties[10].Value
                    CurrentDirectory  = $_.Properties[11].Value
                    User              = $_.Properties[12].Value
                    LogonGuid         = $_.Properties[13].Value
                    LogonId           = $_.Properties[14].Value
                    TerminalSessionId = $_.Properties[15].Value
                    IntegrityLevel    = $_.Properties[16].Value
                    # Hashes = $_.Properties[17].Value   # all configured hash types in one field; add it to Select-Object below to output it
                    SHA1              = $HashByAlg['SHA1']      # requires SHA1 in the Sysmon HashAlgorithms setting
                    IMPHASH           = $HashByAlg['IMPHASH']   # $null unless IMPHASH is configured
                    ParentProcessGuid = $_.Properties[18].Value
                    ParentProcessId   = $_.Properties[19].Value
                    ParentImage       = $_.Properties[20].Value
                    ParentCommandLine = $_.Properties[21].Value
                }
                $Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
                # When modifying $PropertyBag remember to change Select-Object for ordering below
                $Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
                    ProcessGuid, ProcessId, Image, OriginalFilename, CommandLine, SHA1, IMPHASH, CurrentDirectory,
                    User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, ParentProcessGuid,
                    ParentProcessId, ParentImage, ParentCommandLine
            }
        }
        else {
            Write-Output $comp | Out-File offline_host.txt -Append
        }
    }
}
}
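The notes above describe two adjustments: swapping in -Path for offline parsing, and reworking the hash indexing for other Sysmon hash configurations. The function below, added here as an example and not part of the gist, does both for Event 1 by reading an exported .evtx through a Path filter and selecting EventData fields by name from the event XML, so it does not depend on Sysmon 10.2 field positions; the .evtx path (c:\case\sysmon.evtx) is a placeholder supplied by the caller.

```powershell
# Added example, not part of the original gist: parse Sysmon Process Create (Event 1)
# events from an exported .evtx by field name instead of Properties[] position.
# Assumption: the caller supplies the .evtx path (c:\case\sysmon.evtx is a placeholder).

Function ConvertFrom-SysmonHashes {
    # Turn the Sysmon Hashes string "SHA1=..,MD5=..,SHA256=..,IMPHASH=.." into a
    # hashtable keyed by algorithm, so any HashAlgorithms setting and order works.
    # Constructed input 'SHA1=AA,MD5=BB' returns @{SHA1='AA'; MD5='BB'}.
    param([string]$Hashes)
    $result = @{}
    foreach ($pair in ($Hashes -split ',')) {
        $alg, $val = $pair -split '=', 2
        if ($alg -and $val) { $result[$alg.Trim().ToUpper()] = $val.Trim() }
    }
    return $result
}

Function Get-SysmonProcessOffline {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$true, HelpMessage="Path to an exported Sysmon .evtx")]
        [string]$Path,
        [int32]$BackMins = 180
    )
    $BackTime = (Get-Date) - (New-TimeSpan -Minutes $BackMins)
    # Path replaces LogName/-ComputerName for saved logs; StartTime filters inside the
    # event log reader instead of pulling every event and discarding most in Where-Object.
    $RawEvents = Get-WinEvent -FilterHashtable @{ Path = $Path; ID = 1; StartTime = $BackTime } -ErrorAction SilentlyContinue
    foreach ($ev in $RawEvents) {
        # Read EventData by Name so the parser survives Sysmon schema changes that shift
        # Properties[] indices between versions.
        [xml]$x = $ev.ToXml()
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.InnerText }
        $h = ConvertFrom-SysmonHashes $d['Hashes']
        [PSCustomObject]@{
            DateUTC           = $d['UtcTime']
            HostName          = $ev.MachineName
            Version           = $ev.Version
            EventID           = $ev.Id
            ProcessGuid       = $d['ProcessGuid']
            ProcessId         = $d['ProcessId']
            Image             = $d['Image']
            OriginalFileName  = $d['OriginalFileName']
            CommandLine       = $d['CommandLine']
            SHA1              = $h['SHA1']      # $null when SHA1 is not configured, no index error
            SHA256            = $h['SHA256']
            IMPHASH           = $h['IMPHASH']
            CurrentDirectory  = $d['CurrentDirectory']
            User              = $d['User']
            IntegrityLevel    = $d['IntegrityLevel']
            ParentProcessGuid = $d['ParentProcessGuid']
            ParentProcessId   = $d['ParentProcessId']
            ParentImage       = $d['ParentImage']
            ParentCommandLine = $d['ParentCommandLine']
        }
    }
}

# Usage (placeholder path): Get-SysmonProcessOffline -Path 'c:\case\sysmon.evtx' -BackMins 1440
```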
Function Get-SysmonNetwork {
<#
.SYNOPSIS
Get-SysmonNetwork extracts all Sysmon Network Events [Evt 3] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon Network Connection events. Configured for Sysmon 10.2
Event 3
Query and filter
.PARAMETER BackMins
Number of minutes to look back when pulling Network events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind that, depending on the Sysmon configuration, the longer the timeframe the more work it takes to pull events.
.PARAMETER ComputerName
Computer or computers to pull Network events from.
.EXAMPLE
Get-SysmonNetwork -BackMins 180
Get-SysmonNetwork 180
Get-SysmonNetwork -computername <computername>
HostName : Win10.ACME.local
Version : 5
EventType : Network connection detected
EventID : 3
DateUTC : 2017-01-18T02:16:53
ProcessGuid : b7480112-13e6-587c-0000-00109a016400
ProcessId : 4572
Image : C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
User : ACME\USER1
Protocol : tcp
Initiated : True
SourceIsIpv6 : False
SourceIp : 10.1.1.21
SourceHostname : Win10.ACME.local
SourcePort : 55047
SourcePortName :
DestinationIsIpv6 : False
DestinationIp : 216.58.220.131
DestinationHostname : syd09s01-in-f131.1e100.net
DestinationPort : 443
DestinationPortName : https
.LINK
.NOTES
Configured for Sysmon 10.2
Sysmon configuration plays a large part in the amount of events.
For offline parsing of event logs modify the script to remove "-ComputerName" and the "Logname" filter and add "-Path <PATH_to_Logs>".
e.g. $RawEvents = Get-WinEvent -Path c:\case\sysmon.evtx | Where-Object {$_.TimeCreated -ge $BackTime} | Where-Object { $_.Id -eq 3}
#>
[CmdletBinding()]
Param (
    [int32]$BackMins = 180,
    # The Parameter attribute applies to the parameter that follows it; in the original
    # it was attached to $BackMins, so pipeline input never reached $ComputerName.
    [Parameter(Mandatory=$false,
    ValueFromPipeline=$True,
    HelpMessage="Enter ComputerName")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)
process {
    foreach ($comp in $ComputerName) {
        if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet) {
            $BackTime = (Get-Date) - (New-TimeSpan -Minutes $BackMins)
            # StartTime in the filter hashtable lets the event log service do the time filtering
            $RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; ID=3; StartTime=$BackTime} -ErrorAction SilentlyContinue
            $RawEvents | ForEach-Object {
                # Positional Properties[] indices follow the Sysmon 10.2 Event 3 schema
                $PropertyBag = @{
                    HostName            = $_.MachineName
                    Version             = $_.Version
                    EventType           = $_.Message.Split(":")[0]
                    EventID             = $_.Id
                    DateUTC             = Get-Date ($_.Properties[1].Value) -Format s
                    ProcessGuid         = $_.Properties[2].Value
                    ProcessId           = $_.Properties[3].Value
                    Image               = $_.Properties[4].Value
                    User                = $_.Properties[5].Value
                    Protocol            = $_.Properties[6].Value
                    Initiated           = $_.Properties[7].Value
                    SourceIsIpv6        = $_.Properties[8].Value
                    SourceIp            = $_.Properties[9].Value
                    SourceHostname      = $_.Properties[10].Value
                    SourcePort          = $_.Properties[11].Value
                    SourcePortName      = $_.Properties[12].Value
                    DestinationIsIpv6   = $_.Properties[13].Value
                    DestinationIp       = $_.Properties[14].Value
                    DestinationHostname = $_.Properties[15].Value
                    DestinationPort     = $_.Properties[16].Value
                    DestinationPortName = $_.Properties[17].Value
                }
                $Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
                # When modifying $PropertyBag remember to change Select-Object for ordering below
                $Output | Select-Object HostName, Version, EventType, EventID, DateUTC, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName
            }
        }
        else {
            Write-Output $comp | Out-File offline_host.txt -Append
        }
    }
}
}
Function Get-SysmonFileStreamCreate {
<#
.SYNOPSIS
Get-SysmonFileStreamCreate extracts all Sysmon File Stream Create Events [Evt 15] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon File Stream Creation events. Configured for Sysmon 10.2
Event 15
Query and filter
.PARAMETER BackMins
Number of minutes to look back when pulling File Stream Creation events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind that, depending on the Sysmon configuration, the longer the timeframe the more work it takes to pull events.
.PARAMETER ComputerName
Computer or computers to pull File Stream Creation events from.
.EXAMPLE
Get-SysmonFileStreamCreate -BackMins 720
Get-SysmonFileStreamCreate 720
Get-SysmonFileStreamCreate -computername <computername>
DateUTC : 2019-09-03T12:42:22
HostName : medmondson-WS
Version : 2
EventID : 15
EventType : File stream created
ProcessGuid : dcb4ab66-2527-5d65-0000-001051b4cd0e
ProcessId : 6668
Image : C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename : C:\Users\medmondson\Downloads\Get-SysmonProcessTerminate.ps1
CreationUTC : 2019-09-03 12:42:21.609
SHA1 : 89D4DDBBCCCF36419DE3E1DAB66343C7
.LINK
.NOTES
Configured for Sysmon 10.2
Sysmon configuration plays a large part in the amount of events.
I have configured the module to report back for a Sysmon hash configuration of: MD5,SHA1,SHA256. For any other configurations you will need to reconfigure the PropertyBag array to report the relevant algorithms.
For simplicity I have also included a Hashes field commented out. If included, it will show all calculated hashes in one line.
When modifying $PropertyBag, remember to change the final Select-Object to ensure the correct fields are selected in order.
For offline parsing of event logs modify the script to remove "-ComputerName" and the "Logname" filter and add "-Path <PATH_to_Logs>".
e.g. $RawEvents = Get-WinEvent -Path c:\case\sysmon.evtx | Where-Object {$_.TimeCreated -ge $BackTime} | Where-Object { $_.Id -eq 15}
#>
[CmdletBinding()]
Param (
    [int32]$BackMins = 180,
    # The Parameter attribute applies to the parameter that follows it; in the original
    # it was attached to $BackMins, so pipeline input never reached $ComputerName.
    [Parameter(Mandatory=$false,
    ValueFromPipeline=$True,
    HelpMessage="Enter ComputerName")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)
process {
    foreach ($comp in $ComputerName) {
        if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet) {
            $BackTime = (Get-Date) - (New-TimeSpan -Minutes $BackMins)
            # StartTime in the filter hashtable lets the event log service do the time filtering
            $RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; ID=15; StartTime=$BackTime} -ErrorAction SilentlyContinue
            $RawEvents | ForEach-Object {
                # Sysmon writes the Hash field as "ALG=value,ALG=value,..."; index by algorithm name so
                # SHA1 is always SHA1 whatever HashAlgorithms is set to (the positional [0] used before
                # returned whichever algorithm happened to be listed first)
                $HashByAlg = @{}
                foreach ($pair in ($_.Properties[7].Value -split ',')) {
                    $alg, $val = $pair -split '=', 2
                    if ($alg) { $HashByAlg[$alg.Trim().ToUpper()] = $val }
                }
                # Positional Properties[] indices follow the Sysmon 10.2 Event 15 schema
                $PropertyBag = @{
                    HostName       = $_.MachineName
                    Version        = $_.Version
                    EventType      = $_.Message.Split(":")[0]
                    EventID        = $_.Id
                    DateUTC        = Get-Date ($_.Properties[1].Value) -Format s
                    ProcessGuid    = $_.Properties[2].Value
                    ProcessId      = $_.Properties[3].Value
                    Image          = $_.Properties[4].Value
                    TargetFilename = $_.Properties[5].Value
                    CreationUTC    = $_.Properties[6].Value
                    # Hashes = $_.Properties[7].Value   # all configured hash types in one field; add it to Select-Object below to output it
                    SHA1           = $HashByAlg['SHA1']   # requires SHA1 in the Sysmon HashAlgorithms setting
                }
                $Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
                # When modifying $PropertyBag remember to change Select-Object for ordering below
                $Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
                    ProcessGuid, ProcessId, Image, TargetFilename, CreationUTC, SHA1
            }
        }
        else {
            Write-Output $comp | Out-File offline_host.txt -Append
        }
    }
}
}
Function Get-SysmonCreateRemoteThread {
<#
.SYNOPSIS
Get-SysmonCreateRemoteThread extracts all Sysmon Create Remote Thread Events [Evt 8] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon Create Remote Thread events. Configured for Sysmon 10.2
Event 8
Query and filter
.PARAMETER BackMins
Number of minutes to look back when pulling Create Remote Thread events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind that, depending on the Sysmon configuration, the longer the timeframe the more work it takes to pull events.
.PARAMETER ComputerName
Computer or computers to pull Create Remote Thread events from.
.EXAMPLE
Get-SysmonCreateRemoteThread -BackMins 720
Get-SysmonCreateRemoteThread 720
Get-SysmonCreateRemoteThread -computername <computername>
.LINK
.NOTES
Configured for Sysmon 10.2
Sysmon configuration plays a large part in the amount of events.
Event 8 carries no Hashes field, so the hash configuration notes of the other functions do not apply here.
When modifying $PropertyBag, remember to change the final Select-Object to ensure the correct fields are selected in order.
For offline parsing of event logs modify the script to remove "-ComputerName" and the "Logname" filter and add "-Path <PATH_to_Logs>".
e.g. $RawEvents = Get-WinEvent -Path c:\case\sysmon.evtx | Where-Object {$_.TimeCreated -ge $BackTime} | Where-Object { $_.Id -eq 8}
#>
[CmdletBinding()]
Param (
    [int32]$BackMins = 180,
    # The Parameter attribute applies to the parameter that follows it; in the original
    # it was attached to $BackMins, so pipeline input never reached $ComputerName.
    [Parameter(Mandatory=$false,
    ValueFromPipeline=$True,
    HelpMessage="Enter ComputerName")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)
process {
    foreach ($comp in $ComputerName) {
        if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet) {
            $BackTime = (Get-Date) - (New-TimeSpan -Minutes $BackMins)
            # StartTime in the filter hashtable lets the event log service do the time filtering
            $RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; ID=8; StartTime=$BackTime} -ErrorAction SilentlyContinue
            $RawEvents | ForEach-Object {
                # Sysmon 10.2 Event 8 also carries a TargetProcessGuid field ahead of TargetProcessId, so
                # positional Properties[] indices are easy to get wrong; select the fields by name instead
                $SelectorStrings = [string[]]@(
                    'Event/EventData/Data[@Name="UtcTime"]',
                    'Event/EventData/Data[@Name="SourceProcessGuid"]',
                    'Event/EventData/Data[@Name="SourceProcessId"]',
                    'Event/EventData/Data[@Name="SourceImage"]',
                    'Event/EventData/Data[@Name="TargetProcessId"]',
                    'Event/EventData/Data[@Name="TargetImage"]',
                    'Event/EventData/Data[@Name="NewThreadId"]',
                    'Event/EventData/Data[@Name="StartAddress"]'
                )
                $PropertySelector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)
                $UtcTime, $SourceProcessGuid, $SourceProcessId, $SourceImage, $TargetProcessId, $TargetImage, $NewThreadId, $StartAddress = $_.GetPropertyValues($PropertySelector)
                [PSCustomObject]@{
                    DateUTC           = Get-Date $UtcTime -Format s
                    HostName          = $_.MachineName
                    Version           = $_.Version
                    EventID           = $_.Id
                    EventType         = $_.Message.Split(":")[0]
                    SourceProcessGuid = $SourceProcessGuid
                    SourceProcessId   = $SourceProcessId
                    SourceImage       = $SourceImage
                    TargetProcessId   = $TargetProcessId
                    TargetImage       = $TargetImage
                    NewThreadId       = $NewThreadId
                    StartAddress      = $StartAddress
                }
            }
        }
        else {
            Write-Output $comp | Out-File offline_host.txt -Append
        }
    }
}
}
Function Get-SvcAll {
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$false,
    ValueFromPipeline=$True,
    HelpMessage="Enter ComputerName")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)
# A process block is required for ValueFromPipeline to see every piped-in host, not just the last one
process {
    foreach ($comp in $ComputerName) {
        # Service name, binary path and the account it runs as, for every service on the host
        Get-WmiObject -ComputerName $comp Win32_Service | Select-Object Name, DisplayName, PathName, StartName, StartMode, State, TotalSessions, Description
    }
}
}
Function Get-SysmonFileCreate {
<#
.SYNOPSIS
Get-SysmonFileCreate extracts all Sysmon File Create Events [Evt 11] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon File Creation events. Configured for Sysmon 10.2
Event 11
Query and filter
.PARAMETER BackMins
Number of minutes to look back when pulling File Creation events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind that, depending on the Sysmon configuration, the longer the timeframe the more work it takes to pull events.
.PARAMETER ComputerName
Computer or computers to pull File Creation events from.
.EXAMPLE
Get-SysmonFileCreate -BackMins 720
Get-SysmonFileCreate 720
Get-SysmonFileCreate -computername <computername>
DateUTC : 2019-08-30T12:12:53
HostName : DESKTOP-O62L50L
Version : 2
EventID : 11
EventType : File created
ProcessGuid : 66dc2183-12b4-5d69-0000-00107822a903
ProcessId : 9240
Image : C:\Windows\system32\svchost.exe
TargetFilename : C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.18017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
CreationUtcTime : 2019-08-30 12:12:53.589
.LINK
.NOTES
Configured for Sysmon 10.2
Sysmon configuration plays a large part in the amount of events.
When modifying $PropertyBag, remember to change the final Select-Object to ensure the correct fields are selected in order.
For offline parsing of event logs modify the script to remove "-ComputerName" and the "Logname" filter and add "-Path <PATH_to_Logs>".
e.g. $RawEvents = Get-WinEvent -Path c:\case\sysmon.evtx | Where-Object {$_.TimeCreated -ge $BackTime} | Where-Object { $_.Id -eq 11}
#>
[CmdletBinding()]
Param (
    [int32]$BackMins = 180,
    # The Parameter attribute applies to the parameter that follows it; in the original
    # it was attached to $BackMins, so pipeline input never reached $ComputerName.
    [Parameter(Mandatory=$false,
    ValueFromPipeline=$True,
    HelpMessage="Enter ComputerName")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)
process {
    foreach ($comp in $ComputerName) {
        if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet) {
            $BackTime = (Get-Date) - (New-TimeSpan -Minutes $BackMins)
            # StartTime in the filter hashtable lets the event log service do the time filtering
            $RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; ID=11; StartTime=$BackTime} -ErrorAction SilentlyContinue
            $RawEvents | ForEach-Object {
                # Positional Properties[] indices follow the Sysmon 10.2 Event 11 schema
                $PropertyBag = @{
                    HostName        = $_.MachineName
                    Version         = $_.Version
                    EventType       = $_.Message.Split(":")[0]
                    EventID         = $_.Id
                    DateUTC         = Get-Date ($_.Properties[1].Value) -Format s
                    ProcessGuid     = $_.Properties[2].Value
                    ProcessId       = $_.Properties[3].Value
                    Image           = $_.Properties[4].Value
                    TargetFilename  = $_.Properties[5].Value
                    CreationUtcTime = $_.Properties[6].Value
                }
                $Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
                # When modifying $PropertyBag remember to change Select-Object for ordering below
                $Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
                    ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime
            }
        }
        else {
            Write-Output $comp | Out-File offline_host.txt -Append
        }
    }
}
}
Function Get-SysmonProcessTerminate {
<#
.SYNOPSIS
Get-SysmonProcessTerminate extracts all Sysmon Process Terminate Events [Evt 5] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon Process Terminate events. Configured for Sysmon 10.2
Event 5
Query and filter
.PARAMETER BackMins
Number of minutes to look back when pulling Process Terminate events. [int32]$BackMins=180. Defaults to 180 minutes = 3 hours
.PARAMETER ComputerName
Takes one or more computer names or IP addresses
.EXAMPLE
Get-SysmonProcessTerminate -BackMins 720
DateUTC : 2019-08-30T12:43:00
HostName : DESKTOP-O62L50L
Version : 3
EventID : 5
EventType : Process terminated
ProcessGuid : 66dc2183-19d3-5d69-0000-0010cea72804
ProcessId : 7128
Image : C:\Users\medmondson\Anaconda3\python.exe
.EXAMPLE
Get-SysmonProcessTerminate 720
DateUTC : 2019-08-30T12:43:00
HostName : DESKTOP-O62L50L
Version : 3
EventID : 5
EventType : Process terminated
ProcessGuid : 66dc2183-19d3-5d69-0000-0010cea72804
ProcessId : 7128
Image : C:\Users\medmondson\Anaconda3\python.exe
.EXAMPLE
Get-SysmonProcessTerminate -computername <computername>
DateUTC : 2019-08-30T12:43:00
HostName : DESKTOP-O62L50L
Version : 3
EventID : 5
EventType : Process terminated
ProcessGuid : 66dc2183-19d3-5d69-0000-0010cea72804
ProcessId : 7128
Image : C:\Users\medmondson\Anaconda3\python.exe
.LINK
.NOTES
Configured for Sysmon 10.2
Sysmon configuration plays a large part in the amount of events.
When modifying the output object, remember to keep the selected fields in the order you want them displayed.
For offline parsing of event logs modify the script to remove "-ComputerName" and the "Logname" filter and add "-Path <PATH_to_Logs>".
e.g. $RawEvents = Get-WinEvent -Path c:\case\sysmon.evtx | Where-Object {$_.TimeCreated -ge $BackTime} | Where-Object { $_.Id -eq 5}
#>
[CmdletBinding()]
Param (
    [int32]$BackMins = 180,
    # The Parameter attribute applies to the parameter that follows it; in the original
    # it was attached to $BackMins, so pipeline input never reached $ComputerName.
    [Parameter(Mandatory=$False,ValueFromPipeline=$True,HelpMessage="Enter a ComputerName or Ip Address")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)
process {
    foreach ($comp in $ComputerName) {
        if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet) {
            $BackTime = (Get-Date) - (New-TimeSpan -Minutes $BackMins)
            # StartTime in the filter hashtable lets the event log service do the time filtering
            $RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; ID=5; StartTime=$BackTime} -ErrorAction SilentlyContinue
            $RawEvents | ForEach-Object {
                # Select EventData fields by name so the parser does not depend on their position
                $SelectorStrings = [string[]]@(
                    'Event/EventData/Data[@Name="RuleName"]',
                    'Event/EventData/Data[@Name="UtcTime"]',
                    'Event/EventData/Data[@Name="ProcessGuid"]',
                    'Event/EventData/Data[@Name="ProcessId"]',
                    'Event/EventData/Data[@Name="Image"]'
                )
                $PropertySelector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)
                $RuleName, $UtcTime, $ProcessGuid, $ProcessId, $Image = $_.GetPropertyValues($PropertySelector)
                [PSCustomObject]@{
                    TimeCreated = $UtcTime
                    Hostname    = $_.MachineName
                    EventId     = $_.Id
                    ProcessGuid = $ProcessGuid
                    ProcessId   = $ProcessId
                    Image       = $Image
                    Message     = ($_.Message).Split(":")[0]
                }
            }
        }
        else {
            Write-Output $comp | Out-File offline_host.txt -Append
        }
    }
}
}
Function Get-SysmonRegAddDelete {
<#
.SYNOPSIS
Get-SysmonRegAddDelete extracts all Sysmon Registry Add or Delete Events [Evt 12] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon Registry Add or Delete events. Configured for Sysmon 10.2
Event 12
Query and filter
.PARAMETER BackMins
Number of minutes to look back when pulling Registry add or delete events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind that, depending on the Sysmon configuration, the longer the timeframe the more work it takes to pull events.
.PARAMETER ComputerName
Computer or computers to pull Registry add or delete events from.
.EXAMPLE
Get-SysmonRegAddDelete -BackMins 720
Get-SysmonRegAddDelete 720
Get-SysmonRegAddDelete -computername <computername>
DateUTC : 2019-08-30T11:58:07
HostName : DESKTOP-O62L50L
Version : 2
EventID : 12
EventType : Registry object added or deleted
ProcessGuid : 66dc2183-52b4-5d47-0000-001082b50300
ProcessId : 4532
Image : C:\Windows\Explorer.EXE
TargetObject : HKU\S-1-5-21-1791521161-3932478378-4057060958-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tsv
.LINK
.NOTES
Configured for Sysmon 10.2
Sysmon configuration plays a large part in the amount of events.
When modifying $PropertyBag, remember to change the final Select-Object to ensure the correct fields are selected in order.
For offline parsing of event logs modify the script to remove "-ComputerName" and the "Logname" filter and add "-Path <PATH_to_Logs>".
e.g. $RawEvents = Get-WinEvent -Path c:\case\sysmon.evtx | Where-Object {$_.TimeCreated -ge $BackTime} | Where-Object { $_.Id -eq 12}
#>
[CmdletBinding()]
Param (
[Parameter(Mandatory=$False,ValueFromPipeline=$True,HelpMessage="Enter a ComputerName or Ip Address")]
[int32]$BackMins=180,
[string[]]$computername
)
foreach ($comp in $computername) {
if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet)
{
$BackTime=(Get-Date) - (New-TimeSpan -Minutes $BackMins)
$RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{Logname="Microsoft-Windows-Sysmon/Operational"; ID=12;} | Where-Object {$_.TimeCreated -ge $BackTime}
$RawEvents | ForEach-Object {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[2].Value) -format s
ProcessGuid = $_.Properties[3].Value
ProcessId = $_.Properties[4].Value
Image = $_.Properties[5].Value
TargetObject = $_.Properties[6].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Select-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
ProcessGuid, ProcessId, Image, TargetObject
}
}else
{
Write-Output $comp | Out-File offline_host.txt -append
}
}
}
Function Get-SysmonRegValueSet {
<#
.SYNOPSIS
Get-SysmonRegValueSet extracts all Sysmon Registry Value Set Events [Evt 13] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon Registry Value Set events. Configured for Sysmon 10.2
Event 13
Query and filter
.PARAMETER BackMins
Number of minutes to look back for Registry Value Set events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind depending on Sysmon configuration, the longer the timeframe the more work to pull events.
.PARAMETER computername
Computer or computers to pull Registry Value Set events from. Hosts that do not answer a ping are appended to offline_host.txt and skipped.
.EXAMPLE
Get-SysmonRegValueSet -BackMins 720
Get-SysmonRegValueSet 720
Get-SysmonRegValueSet -computername <computername>
DateUTC : 2019-08-30T11:58:10
HostName : DESKTOP-O62L50L
Version : 2
EventID : 13
EventType : Registry value set
ProcessGuid : 66dc2183-52b4-5d47-0000-001082b50300
ProcessId : 4532
Image : C:\Windows\Explorer.EXE
TargetObject : HKU\S-1-5-21-1791521161-3932478378-4057060958-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tsv\OpenWithList\a
Details : {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\OpenWith.exe
.LINK
.NOTES
Configured for Sysmon 10.2
Sysmon configuration plays a large part in the amount of events.
When modifying $PropertyBag, remember to change the final Select-Object to ensure correct fields are selected in order.
For offline parsing of saved event logs, drop "-ComputerName" and the "Logname" key and use "-Path <PATH_to_Logs>" instead, then filter on the event ID,
e.g. $RawEvents = Get-WinEvent -Path c:\case\sysmon.evtx | Where-Object {$_.TimeCreated -ge $BackTime} | Where-Object { $_.Id -eq 13}
#>
[CmdletBinding()]
Param (
[int32]$BackMins=180,
[Parameter(Mandatory=$False,ValueFromPipeline=$True,HelpMessage="Enter a ComputerName or Ip Address")]
[string[]]$computername
)
foreach ($comp in $computername) {
if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet)
{
$BackTime=(Get-Date) - (New-TimeSpan -Minutes $BackMins)
$RawEvents = Get-WinEvent -ComputerName $comp -FilterHashtable @{Logname="Microsoft-Windows-Sysmon/Operational"; ID=13;} | Where-Object {$_.TimeCreated -ge $BackTime}
$RawEvents | ForEach-Object {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[2].Value) -format s
ProcessGuid = $_.Properties[3].Value
ProcessId = $_.Properties[4].Value
Image = $_.Properties[5].Value
TargetObject = $_.Properties[6].Value
Details = $_.Properties[7].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Select-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
ProcessGuid, ProcessId, Image, TargetObject,Details
}
}else
{
Write-Output $comp | Out-File offline_host.txt -append
}
}
}
Function Get-SysmonDNS {
<#
.SYNOPSIS
Get-SysmonDNS extracts all Sysmon DNS Events [Evt 22] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon DNS query events. Configured for Sysmon 10.2
Event 22
Query and filter
.PARAMETER BackMins
Number of minutes to look back for DNS query events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind depending on Sysmon configuration, the longer the timeframe the more work to pull events.
.PARAMETER computername
Computer or computers to pull DNS query events from. Hosts that do not answer a ping are appended to offline_host.txt and skipped.
.EXAMPLE
Get-SysmonDNS -BackMins 720
Get-SysmonDNS 720
Get-SysmonDNS -computername <computername>
DateUTC : 2019-09-16T19:01:44
HostName : medmondson-WS
Version : 5
EventID : 22
EventType : Dns query
ProcessGuid : dcb4ab66-4680-5d7a-0000-00100bcd1201
ProcessId : 4344
QueryName : fonts.gstatic.com
QueryStatus : 0
QueryResults : type: 5 gstaticadssl.l.google.com;64.233.177.94;
Image : C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
.LINK
.NOTES
Configured for Sysmon 10.2
#>
[CmdletBinding()]
Param (
[int32]$BackMins=180,
[Parameter(Mandatory=$false,
ValueFromPipeline=$True,
HelpMessage="Enter ComputerName")]
[string[]]$computername
)
foreach ($comp in $computername) {
if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet)
{
$BackTime=(Get-Date) - (New-TimeSpan -Minutes $BackMins)
$RawEvents = Get-WinEvent -ComputerName $comp -filterhashtable @{Logname="Microsoft-Windows-Sysmon/Operational"; ID=22} | Where-Object {$_.TimeCreated -ge $BackTime}
$RawEvents | ForEach-Object {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[1].Value) -format s
ProcessGuid = $_.Properties[2].Value
ProcessId = $_.Properties[3].Value
QueryName = $_.Properties[4].Value
QueryStatus = $_.Properties[5].Value
QueryResults = $_.Properties[6].Value
Image = $_.Properties[7].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Select-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
ProcessGuid, ProcessId, QueryName,QueryStatus,QueryResults, Image
}
}else
{
Write-Output $comp | Out-File offline_host.txt -append
}
}
}
Function Get-SysmonWMIFilter {
<#
.SYNOPSIS
Get-SysmonWMIFilter extracts all Sysmon WMI Filter Events [Evt 19] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon WMI Filter events. Configured for Sysmon 10.2
Event 19
Query and filter
.PARAMETER BackMins
Number of minutes to look back for WMI Filter events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind depending on Sysmon configuration, the longer the timeframe the more work to pull events.
.PARAMETER computername
Computer or computers to pull WMI Filter events from. Hosts that do not answer a ping are appended to offline_host.txt and skipped.
.EXAMPLE
Get-SysmonWMIFilter -BackMins 720
Get-SysmonWMIFilter 720
Get-SysmonWMIFilter -computername <computername>
DateUTC : 2019-09-19T14:38:38
HostName : medmondson-WS
Version : 3
EventID : 19
EventType : WmiEventFilter activity detected
Operation : Modified
User : medmondson-WS\medmondson
EventNamespace : "root\\cimv2"
Name : "ServiceFilter"
Query : "select * from __instanceModificationEvent within 5 where targetInstance isa 'win32_Service'"
.LINK
.NOTES
Configured for Sysmon 10.2
#>
[CmdletBinding()]
Param (
[int32]$BackMins=180,
[Parameter(Mandatory=$false,
ValueFromPipeline=$True,
HelpMessage="Enter ComputerName")]
[string[]]$computername
)
foreach ($comp in $computername) {
if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet)
{
$BackTime=(Get-Date) - (New-TimeSpan -Minutes $BackMins)
$RawEvents = Get-WinEvent -ComputerName $comp -filterhashtable @{Logname="Microsoft-Windows-Sysmon/Operational"; ID=19} | Where-Object {$_.TimeCreated -ge $BackTime}
$RawEvents | ForEach-Object {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[2].Value) -format s
Operation = $_.Properties[3].Value
User = $_.Properties[4].Value
EventNamespace = $_.Properties[5].Value
Name = $_.Properties[6].Value
Query = $_.Properties[7].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Select-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
Operation,User,EventNamespace,Name,Query
}
}else
{
Write-Output $comp | Out-File offline_host.txt -append
}
}
}
Function Get-SysmonWMIConsumer {
<#
.SYNOPSIS
Get-SysmonWMIConsumer extracts all Sysmon WMI Consumer Events [Evt 20] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon WMI Consumer events. Configured for Sysmon 10.2
Event 20
Query and filter
.PARAMETER BackMins
Number of minutes to look back for WMI Consumer events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind depending on Sysmon configuration, the longer the timeframe the more work to pull events.
.PARAMETER computername
Computer or computers to pull WMI Consumer events from. Hosts that do not answer a ping are appended to offline_host.txt and skipped.
.EXAMPLE
Get-SysmonWMIConsumer -BackMins 720
Get-SysmonWMIConsumer 720
Get-SysmonWMIConsumer -computername <computername>
DateUTC : 2019-09-19T14:58:48
HostName : medmondson-WS
Version : 3
EventID : 20
EventType : WmiEventConsumer activity detected
Operation : Created
User : medmondson-WS\medmondson
Name : "ServiceConsumer"
Type : Log File
Destination : "C:\\Scripts\\Log.log"
.LINK
.NOTES
Configured for Sysmon 10.2
#>
[CmdletBinding()]
Param (
[int32]$BackMins=180,
[Parameter(Mandatory=$false,
ValueFromPipeline=$True,
HelpMessage="Enter ComputerName")]
[string[]]$computername
)
foreach ($comp in $computername) {
if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet)
{
$BackTime=(Get-Date) - (New-TimeSpan -Minutes $BackMins)
$RawEvents = Get-WinEvent -ComputerName $comp -filterhashtable @{Logname="Microsoft-Windows-Sysmon/Operational"; ID=20} | Where-Object {$_.TimeCreated -ge $BackTime}
$RawEvents | ForEach-Object {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[2].Value) -format s
Operation = $_.Properties[3].Value
User = $_.Properties[4].Value
Name = $_.Properties[5].Value
Type = $_.Properties[6].Value
Destination = $_.Properties[7].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Select-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
Operation,User,Name,Type, Destination
}
}else
{
Write-Output $comp | Out-File offline_host.txt -append
}
}
}
Function Get-SysmonWMIBinding {
<#
.SYNOPSIS
Get-SysmonWMIBinding extracts all Sysmon WMI Filter/Consumer Binding Events [Evt 21] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon WMI Filter/Consumer Binding events. Configured for Sysmon 10.2
Event 21
Query and filter
.PARAMETER BackMins
Number of minutes to look back for WMI Filter/Consumer Binding events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind depending on Sysmon configuration, the longer the timeframe the more work to pull events.
.PARAMETER computername
Computer or computers to pull WMI Filter/Consumer Binding events from. Hosts that do not answer a ping are appended to offline_host.txt and skipped.
.EXAMPLE
Get-SysmonWMIBinding -BackMins 720
Get-SysmonWMIBinding 720
Get-SysmonWMIBinding -computername <computername>
DateUTC : 2019-09-19T15:05:33
HostName : medmondson-WS
Version : 3
EventID : 21
EventType : WmiEventConsumerToFilter activity detected
Operation : Created
User : medmondson-WS\medmondson
Consumer : "\\\\.\\root\\subscription:LogFileEventConsumer.Name=\"ServiceConsumer\""
Filter : "\\\\.\\root\\subscription:__EventFilter.Name=\"ServiceFilter\""
.LINK
.NOTES
Configured for Sysmon 10.2
#>
[CmdletBinding()]
Param (
[int32]$BackMins=180,
[Parameter(Mandatory=$false,
ValueFromPipeline=$True,
HelpMessage="Enter ComputerName")]
[string[]]$computername
)
foreach ($comp in $computername) {
if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet)
{
$BackTime=(Get-Date) - (New-TimeSpan -Minutes $BackMins)
$RawEvents = Get-WinEvent -ComputerName $comp -filterhashtable @{Logname="Microsoft-Windows-Sysmon/Operational"; ID=21} | Where-Object {$_.TimeCreated -ge $BackTime}
$RawEvents | ForEach-Object {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[2].Value) -format s
Operation = $_.Properties[3].Value
User = $_.Properties[4].Value
Consumer = $_.Properties[5].Value
Filter = $_.Properties[6].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Select-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
Operation,User,Consumer,Filter
}
}else
{
Write-Output $comp | Out-File offline_host.txt -append
}
}
}
Function Get-SysmonDriverLoad {
<#
.SYNOPSIS
Get-SysmonDriverLoad extracts all Sysmon Driver Load Events [Evt 6] from the Sysmon Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Sysmon Driver Load events. Configured for Sysmon 10.2
Event 6
Query and filter
.PARAMETER BackMins
Number of minutes to look back for Driver Load events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind depending on Sysmon configuration, the longer the timeframe the more work to pull events.
.PARAMETER computername
Computer or computers to pull Driver Load events from. Hosts that do not answer a ping are appended to offline_host.txt and skipped.
.EXAMPLE
Get-SysmonDriverLoad -BackMins 720
Get-SysmonDriverLoad 720
Get-SysmonDriverLoad -computername <computername>
.LINK
.NOTES
Configured for Sysmon 10.2
The SHA1 and IMPHASH fields are split out of the Hashes string by position, so the Sysmon config must log all hash types (HashAlgorithms = *).
#>
[CmdletBinding()]
Param (
[int32]$BackMins=180,
[Parameter(Mandatory=$false,
ValueFromPipeline=$True,
HelpMessage="Enter ComputerName")]
[string[]]$computername
)
foreach ($comp in $computername) {
if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet)
{
$BackTime=(Get-Date) - (New-TimeSpan -Minutes $BackMins)
$RawEvents = Get-WinEvent -ComputerName $comp -filterhashtable @{Logname="Microsoft-Windows-Sysmon/Operational"; ID=6} | Where-Object {$_.TimeCreated -ge $BackTime}
$RawEvents | ForEach-Object {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventType = $_.Message.Split(":")[0]
EventID = $_.Id
DateUTC = Get-Date ($_.Properties[1].Value) -format s
ImageLoaded = $_.Properties[2].Value
Hashes = ($_.Properties[3].Value.Split(",")) # hash field with all configured hash types in one string
# Positional split below assumes the Sysmon config logs every hash type; with HashAlgorithms = * the field is ordered SHA1, MD5, SHA256, IMPHASH
SHA1 = ($_.Properties[3].Value.Split(",")[0].split("=")[1])
IMPHASH= ($_.Properties[3].Value.Split(",")[3].split("=")[1])
Signed = $_.Properties[4].Value
Signature = $_.Properties[5].Value
SignatureStatus = $_.Properties[6].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Select-Object for ordering below
$Output | Select-Object DateUTC, HostName, Version, EventID, EventType,
ImageLoaded, SHA1, IMPHASH, Signed, Signature, SignatureStatus
}
}else
{
Write-Output $comp | Out-File offline_host.txt -append
}
}
}
Function Get-Svc4697 {
<#
.SYNOPSIS
Get-Svc4697 extracts all Service Installs [Evt 4697] from the Security Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all Service Install events.
Event 4697
Query and filter
.PARAMETER BackMins
Number of minutes to look back for Service Install events.
[int32]$BackMins=180. Defaults to 180 minutes = 3 hours
Some time guides: 180 = 3 hours, 360 = 6 hours, 720 = 12 hours, 1440 = 1 day, 2880 = 2 days, 4320 = 3 days, 10080 = 7 days
Keep in mind the longer the timeframe the more work to pull events.
.PARAMETER computername
Computer or computers to pull Service Install events from. Hosts that do not answer a ping are appended to offline_host.txt and skipped.
.EXAMPLE
Get-Svc4697 -BackMins 720
Get-Svc4697 720
Get-Svc4697 -computername <computername>
.LINK
.NOTES
Event 4697 is only written to the Security log when the "Audit Security System Extension" subcategory is enabled.
#>
[CmdletBinding()]
Param (
[int32]$BackMins=180,
[Parameter(Mandatory=$false,
ValueFromPipeline=$True,
HelpMessage="Enter ComputerName")]
[string[]]$computername
)
foreach ($comp in $computername) {
if (Test-Connection -ComputerName $comp -BufferSize 16 -Count 1 -Quiet)
{
$BackTime=(Get-Date) - (New-TimeSpan -Minutes $BackMins)
$RawEvents = Get-WinEvent -ComputerName $comp -filterhashtable @{Logname="Security"; ID=4697} | Where-Object {$_.TimeCreated -ge $BackTime}
$RawEvents | ForEach-Object {
$PropertyBag = @{
HostName = $_.MachineName
Version=$_.Version
EventID = $_.Id
TimeCreated = $_.TimeCreated
UserSID = $_.Properties[0].Value
User = $_.Properties[1].Value
#
Domain = $_.Properties[2].Value
LogonId = $_.Properties[3].Value
ServiceName = $_.Properties[4].Value
ServiceFileName = $_.Properties[5].Value
ServiceType = $_.Properties[6].Value
ServiceStartType = $_.Properties[7].Value
ServiceAccount = $_.Properties[8].Value
}
$Output = New-Object -TypeName PSCustomObject -Property $PropertyBag
# When modifying PropertyBag remember to change Select-Object for ordering below
$Output | Select-Object TimeCreated, HostName, Version, EventID, UserSID, User,
Domain,LogonId,ServiceName,ServiceFileName,ServiceType,ServiceStartType,ServiceAccount
}
}else
{
Write-Output $comp | Out-File offline_host.txt -append
}
}
}
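As an added example (not part of the original gist), the following PowerShell combines two points from the help text above: reading Driver Load events [Evt 6] from either a live host or a saved .evtx as the .NOTES of the registry functions describe, with the time window passed to Get-WinEvent as StartTime so the event log service does the filtering instead of Where-Object, and splitting the Sysmon Hashes field by algorithm name rather than by position, which is what the SHA1/IMPHASH indices in Get-SysmonDriverLoad depend on. The function names, parameter names and sample paths are assumptions of this example, not from the gist.

```powershell
# Added example, not part of the original gist. Names below are my own.
Function ConvertFrom-SysmonHashes {
    # Turn "SHA1=...,MD5=...,SHA256=...,IMPHASH=..." into a table keyed by algorithm,
    # so the caller does not depend on which hash types the Sysmon config logs or their order.
    # Constructed sample: ConvertFrom-SysmonHashes 'SHA1=<sha1>,MD5=<md5>,SHA256=<sha256>'
    Param ([Parameter(Mandatory=$true)][string]$Hashes)
    $table = [ordered]@{}
    foreach ($pair in $Hashes.Split(',')) {
        $name, $value = $pair.Split('=', 2)
        if ($name -and $value) { $table[$name.Trim()] = $value.Trim() }
    }
    return $table
}

Function Get-SysmonDriverLoadHashes {
    <#
    .SYNOPSIS
    Pulls Sysmon Driver Load events [Evt 6] from a live host or a saved .evtx and returns one object per driver with the hashes split out by algorithm.
    .EXAMPLE
    Get-SysmonDriverLoadHashes -ComputerName DESKTOP-O62L50L -BackMins 1440
    .EXAMPLE
    Get-SysmonDriverLoadHashes -Path C:\case\sysmon.evtx -BackMins 10080
    #>
    [CmdletBinding(DefaultParameterSetName='Live')]
    Param (
        [Parameter(ParameterSetName='Live')][string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(ParameterSetName='Offline', Mandatory=$true)][string]$Path,
        [int32]$BackMins = 180
    )
    # StartTime inside the hashtable is applied by the event log service; a Where-Object
    # on TimeCreated afterwards has to pull every event 6 in the log first.
    $filter = @{ Id = 6; StartTime = (Get-Date).AddMinutes(-$BackMins) }
    if ($PSCmdlet.ParameterSetName -eq 'Offline') {
        $filter.Path = $Path          # saved .evtx, e.g. exported from a case
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    } else {
        $filter.LogName = 'Microsoft-Windows-Sysmon/Operational'
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
    foreach ($e in $events) {
        # Same Event 6 property positions as Get-SysmonDriverLoad: 1=UtcTime 2=ImageLoaded 3=Hashes 4=Signed 5=Signature 6=SignatureStatus
        $h = ConvertFrom-SysmonHashes -Hashes $e.Properties[3].Value
        [PSCustomObject]@{
            DateUTC         = Get-Date ($e.Properties[1].Value) -Format s
            HostName        = $e.MachineName
            ImageLoaded     = $e.Properties[2].Value
            SHA1            = $h['SHA1']      # $null rather than an index error when not configured
            SHA256          = $h['SHA256']
            IMPHASH         = $h['IMPHASH']
            Signed          = $e.Properties[4].Value
            Signature       = $e.Properties[5].Value
            SignatureStatus = $e.Properties[6].Value
        }
    }
}
```

Unsigned or invalidly signed drivers are the rows worth looking at first: `Get-SysmonDriverLoadHashes -BackMins 1440 | Where-Object { $_.SignatureStatus -ne 'Valid' }`.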