Repository metadata: archived on 14/Sep/2022; 227 stars; rank 175,900 (top 4 %); language: PowerShell; license: BSD 3-Clause "New...; created almost 7 years ago, last updated about 6 years ago.

PSSysmonTools

Sysmon Tools for PowerShell

Implemented functions

Get-SysmonConfiguration

Parses the Sysmon driver's configuration directly from the registry. The output is nearly identical to that of "sysmon.exe -c", but without needing to run sysmon.exe on the host.

ConvertFrom-SysmonBinaryConfiguration

Parses a binary Sysmon configuration. ConvertFrom-SysmonBinaryConfiguration is designed to serve as a helper function for Get-SysmonConfiguration.
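The following is an added example, not PSSysmonTools code, showing the idea behind Get-SysmonConfiguration from the defender's side: read the Sysmon driver's live configuration from the registry and fingerprint it, so that a later change to the running rule set (for example an administrator-level attacker rewriting the value to blind Sysmon) shows up in a comparison. Everything about the storage location is an assumption not stated on this page: the driver is assumed to keep its configuration under its service key's Parameters subkey as the REG_BINARY value "Rules", alongside DWORD values such as "HashingAlgorithm" and "Options"; the service is named SysmonDrv by default but can be renamed at install time, which is why the key is located by its contents rather than by name. Reading the Parameters key requires administrative rights.

```powershell
# Added example (not part of PSSysmonTools). Assumptions, see lead-in:
# the driver config lives at <service key>\Parameters as the "Rules" blob.

function Find-SysmonDriverParameterKey {
    # Locate any service key whose Parameters subkey carries a "Rules" value,
    # so a renamed Sysmon driver (installed with -d) is still found.
    [CmdletBinding()]
    param()
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Params = Join-Path $_.PSPath 'Parameters'
            if (Test-Path $Params) {
                $Props = Get-ItemProperty -Path $Params -ErrorAction SilentlyContinue
                if ($Props -and ($Props.PSObject.Properties.Name -contains 'Rules')) {
                    $Params
                }
            }
        }
}

function Get-SysmonDriverConfigFingerprint {
    # Hash the raw Rules blob and capture the companion DWORDs (assumed names).
    [CmdletBinding()]
    param(
        [string] $ParameterKey = (Find-SysmonDriverParameterKey | Select-Object -First 1)
    )
    if (-not $ParameterKey) { throw 'No service key with a Sysmon-style Rules blob was found.' }
    $Props = Get-ItemProperty -Path $ParameterKey
    $Rules = [byte[]] $Props.Rules
    $Hash  = Get-FileHash -InputStream ([System.IO.MemoryStream]::new($Rules)) -Algorithm SHA256
    [PSCustomObject]@{
        ParameterKey     = $ParameterKey
        RulesLength      = $Rules.Length
        RulesSHA256      = $Hash.Hash
        HashingAlgorithm = $Props.PSObject.Properties['HashingAlgorithm'].Value
        Options          = $Props.PSObject.Properties['Options'].Value
    }
}

function Compare-SysmonDriverConfigFingerprint {
    # Emit one object per field that differs between a saved baseline and now.
    param(
        [Parameter(Mandatory)] $Baseline,
        [Parameter(Mandatory)] $Current
    )
    foreach ($Field in 'RulesLength', 'RulesSHA256', 'HashingAlgorithm', 'Options') {
        if ($Baseline.$Field -ne $Current.$Field) {
            [PSCustomObject]@{ Field = $Field; Baseline = $Baseline.$Field; Current = $Current.$Field }
        }
    }
}

# Usage: capture a baseline once from a known-good host ...
$Baseline = Get-SysmonDriverConfigFingerprint
$Baseline | ConvertTo-Json | Set-Content -Path .\sysmon-baseline.json

# ... then re-run periodically and report any drift.
$Saved = Get-Content -Raw .\sysmon-baseline.json | ConvertFrom-Json
$Drift = Compare-SysmonDriverConfigFingerprint -Baseline $Saved -Current (Get-SysmonDriverConfigFingerprint)
if ($Drift) { $Drift | Format-Table -AutoSize } else { 'Sysmon driver configuration unchanged.' }
```

A hash of the blob only tells you that the configuration changed, not what changed; for that, parse the blob (which is what ConvertFrom-SysmonBinaryConfiguration and ConvertTo-SysmonXMLConfiguration are for) and diff the recovered XML against the version you deployed.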

Test-SysmonConfiguration

Validates a Sysmon configuration.

ConvertTo-SysmonXMLConfiguration

Recovers a Sysmon XML configuration from a binary configuration.

Merge-SysmonXMLConfiguration

Merges one or more Sysmon XML configurations.
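As an added example that is not the project's Merge-SysmonXMLConfiguration (whose exact behaviour and parameters are documented in its built-in help, not on this page), the block below shows a minimal merge of Sysmon XML configurations: every child of EventFiltering in each additional config is imported under the base config's EventFiltering element, and configs whose schemaversion attribute differs from the base are rejected, because rule syntax changes between schema versions. Top-level settings other than EventFiltering (HashAlgorithms and the like) are taken from the base config only, and duplicate rules are not de-duplicated. The two sample configs are constructed for this example and are not real production rule sets.

```powershell
# Added example (not PSSysmonTools code): append rule groups from extra
# Sysmon XML configs into a base config's EventFiltering element.

function Merge-SysmonXmlRuleSets {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $BaseXml,
        [Parameter(Mandatory)] [string[]] $AdditionalXml
    )
    $Merged = [xml] $BaseXml
    $Target = $Merged.SelectSingleNode('/Sysmon/EventFiltering')
    if (-not $Target) { throw 'Base config has no /Sysmon/EventFiltering element.' }
    $Schema = $Merged.DocumentElement.GetAttribute('schemaversion')

    foreach ($Text in $AdditionalXml) {
        $Doc = [xml] $Text
        $OtherSchema = $Doc.DocumentElement.GetAttribute('schemaversion')
        if ($OtherSchema -ne $Schema) {
            throw "Schema version mismatch: base is $Schema, additional config is $OtherSchema."
        }
        # ImportNode deep-clones each rule group into the base document so it can be appended.
        foreach ($Node in $Doc.SelectNodes('/Sysmon/EventFiltering/*')) {
            [void] $Target.AppendChild($Merged.ImportNode($Node, $true))
        }
    }
    $Merged
}

# Constructed sample configs for the example (not real deployments).
$Base = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$Extra = @'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$Result = Merge-SysmonXmlRuleSets -BaseXml $Base -AdditionalXml $Extra

# Both rule groups now sit under the single EventFiltering element.
"Rule groups after merge: " + $Result.SelectNodes('/Sysmon/EventFiltering/RuleGroup').Count
$Writer = New-Object System.IO.StringWriter
$Result.Save($Writer)
$Writer.ToString()
```

Run the merged output through the project's Test-SysmonConfiguration (or through sysmon.exe's own validation) before deploying it; a mechanically merged file can be well-formed XML and still contain rule combinations Sysmon rejects.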

Please refer to built-in help for each function for more information.

Notes

These PowerShell functions will need to be manually validated against each new Sysmon release and configuration schema version. Please report all bugs and discrepancies with new versions by supplying the following information:

  1. The Sysmon config XML that's generating the error (only schema versions 3.40 and later).
  2. The version of Sysmon being used (only 6.20 and later).

Also, please file feature requests in the form of GitHub issues! Thank you!

More repositories by the same author

1. PowerShellArsenal: A PowerShell module dedicated to reverse engineering (PowerShell, 830 stars)
2. CimSweep: A suite of CIM/WMI-based tools for performing incident response and hunting operations remotely across all versions of Windows (PowerShell, 637 stars)
3. PIC_Bindshell: Position-independent Windows shellcode written in C (PowerShell, 279 stars)
4. WMI_Backdoor: A PoC WMI backdoor presented at Black Hat 2015 (PowerShell, 269 stars)
5. PSReflect: Easily define in-memory enums, structs, and Win32 functions in PowerShell (PowerShell, 212 stars)
6. WDACTools: A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies (PowerShell, 175 stars)
7. WinPETools: A module designed to simplify the creation, customization, and deployment of bootable Windows Preinstallation Environment (WinPE) images (PowerShell, 144 stars)
8. BHUSA2018_Sysmon: All materials from our Black Hat 2018 "Subverting Sysmon" talk (PowerShell, 138 stars)
9. AntimalwareBlight: Execute PowerShell code at the antimalware-light protection level (PowerShell, 130 stars)
10. DeviceGuardBypassMitigationRules: A reference Device Guard code integrity policy consisting of FilePublisher deny rules for published Device Guard configuration bypasses (112 stars)
11. PoCSubjectInterfacePackage: A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks (PowerShell, 94 stars)
12. BCD: A module to interact with boot configuration data (BCD) either locally or remotely using the ROOT/WMI:Bcd* WMI classes; the functions in this module mirror the functionality of bcdedit.exe (PowerShell, 61 stars)
13. WDACPolicies: A collection of Windows software baseline notes with corresponding Windows Defender Application Control (WDAC) policies (52 stars)
14. TCGLogTools: A set of tools to retrieve and parse TCG measured boot logs, which Microsoft refers to as Windows Boot Configuration Logs (WBCL); retrieving these logs requires at least Windows 8 with the TPM enabled (PowerShell, 49 stars)
15. WindowsEventLogMetadata: Event metadata collected across all manifest-based ETW providers on Windows 10 1903 (30 stars)
16. ShellcodeExec: A simple shellcode runner (C, 23 stars)
17. CatalogTools: A PowerShell module to assist in parsing and managing catalog files (PowerShell, 18 stars)
18. UnicornPowerShell: A PowerShell binding for the Unicorn Engine (PowerShell, 14 stars)
19. MSFTTraceMessageFormat: All TMF files that I extracted from Microsoft PDBs (11 stars)
20. mattifestation (1 star)