Skip to content

hampusstrom/TA-PowerShell

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

59 Commits
bin
bin
 
 
default
default
 
 
docs
docs
 
 
local
local
 
 
lookups
lookups
 
 
metadata
metadata
 
 
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 

Repository files navigation

Splunk TA for PowerShell

This app is still under development and thus, unstable. Do not use in production!

Description

Splunk TA for PowerShell is an app for Splunk Enterprise that tries to be your one-stop-shop for everything PowerShell in Splunk.

Features

  • Inputs for Windows PowerShell Scriptblock event logs
  • Automatic lookup for decoding -EncodedCommands in sysmon events.
  • Inputs.conf local blacklisting of some common useless scriptblocks
  • Tag and EventType for encoded commands (psencodedcommand) for easier filtering
  • Automatically calculated SHA256 hash per unique scriptblock for easy whitelisting and IoC sharing.
  • WinRM Log inputs and field extraction

Planned

  • Transcript logging
  • Module logging if anyone actually cares about it
  • PowerShell Core logging on Windows/*nix/MacOS
  • Reports & Dashboards

Depencencies

N/A

How to use

Until this repo is stable, it won't be put on SplunkBase.

Clone the repo

git clone https://github.com/hampusstrom/TA-PowerShell.git

Customize the inputs.conf to your needs and push using your depoyer and/or deploymentserver depending on your needs.

Contributing

All pull requests are welcome.

About

A Splunk app for everything PowerShell. Soon (tm)

Resources

Readme

License

GPL-3.0 license
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages