Skip to content

0daysimpson/Get-SysmonLogs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
Get-SysmonLogs.ps1
Get-SysmonLogs.ps1
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Overview

NAME
    Get-SysMonLogs
DESCRIPTION
    A PowerShell client for retrieving and searching Sysmon logs.
SYNTAX
    Get-SysMonLogs [[-ComputerName] <Object>] [[-Count] <Object>] [[-FilePath] <Object>] [[-Search] <array>] 
    [[-Since] <datetime>] [[-Until] <datetime>] [-File] [-Network] [-Process] [-DNS] [-all] 
    [-GetOldest]  [<CommonParameters>]

Features

  • Serializes Sysmon logs into Powershell objects
  • Supports remote log retrieval
  • Extensible

Installation

  1. Install Sysmon - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  2. Configure monitoring rules
  3. Import function into profile.ps1

Usage

Example 1 - All process events

PS C:\> Get-SysmonLogs -Process

Name               : Process terminated
Process terminated : 
RuleName           :  
UtcTime            :  2019-06-25 04:00:18.308
ProcessGuid        :  {1ec4209f-9c51-5d11-0000-00108b2d8105}
ProcessId          :  11464
Image              :  C:\Windows\System32\conhost.exe

Name               : Process terminated
Process terminated : 
RuleName           :  
UtcTime            :  2019-06-25 04:00:18.302
ProcessGuid        :  {1ec4209f-9c51-5d11-0000-0010822c8105}
ProcessId          :  21896
Image              :  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Name              : Process Create
Process Create    : 
RuleName          :  
UtcTime           :  2019-06-25 04:00:17.406
ProcessGuid       :  {1ec4209f-9c51-5d11-0000-00108b2d8105}
ProcessId         :  11464
Image             :  C:\Windows\System32\conhost.exe
FileVersion       :  10.0.17763.404 (WinBuild.160101.0800)
Description       :  Console Window Host
Product           :  Microsoft® Windows® Operating System
                        .... snipped ...
ParentImage       :  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine :  powershell.exe  -command "& ...

Example 2 - All DNS requests

PS C:\> Get-SysmonLogs -DNS

Name         : Dns query
Dns query    : 
RuleName     :  
UtcTime      :  2019-06-25 03:28:56.281
ProcessGuid  :  {1ec4209f-3533-5d10-0000-001082bcf800}
ProcessId    :  9484
QueryName    :  github-cloud.s3.amazonaws.com
QueryStatus  :  0
QueryResults :  type:  5 s3-1-w.amazonaws.com;52.216.9.235;
Image        :  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Sysmon Event Table

ID  Tag	                    Event
1   ProcessCreate	        Process Create	
2   FileCreateTime	        File creation time	
3   NetworkConnect	        Network connection detected	
4   n/a	                    Sysmon service state change (cannot be filtered)	
5   ProcessTerminate	    Process terminated	
6   DriverLoad	            Driver Loaded	
7   ImageLoad	            Image loaded	
8   CreateRemoteThread	    CreateRemoteThread detected	
9   RawAccessRead	        RawAccessRead detected	
10  ProcessAccess	        Process accessed	
11  FileCreate	            File created	
12  RegistryEvent	        Registry object added or deleted	
13  RegistryEvent	        Registry value set	
14  RegistryEvent	        Registry object renamed	
15  FileCreateStreamHash	File stream created	
16  n/a	Sysmon configuration change (cannot be filtered)	
17  PipeEvent	            Named pipe created	
18  PipeEvent	            Named pipe connected	
19  WmiEvent	            WMI filter	
20  WmiEvent	            WMI consumer	
21  WmiEvent	            WMI consumer filter	
22  DNSQuery 	            DNS query

About

A PowerShell client for retrieving and searching Sysmon logs

medium.com/@0daySimpson/get-sysmonlogs-8c8666ccd305

Topics

powershell dfir sysmon security-monitoring

Resources

Readme

License

MIT license
Activity

Stars

6 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages