https://gist.github.com/psrdrgz/f87e73c4a89c4968f4ac67bf99267cc4
Sysmon is a SysInternals tool from Microsoft which allows logging of things
the computer does to the Event Log. It includes things like file
writes/creates/reads, network access, process start/stop, etc.
You can find it in the Event Viewer under:
Applications and Services\Microsoft\Windows\Sysmon\Operational
Here are some powershell commands to parse out useful information:
Get all Sysmon events, this will take a few minutes, do this before using
further commands to filter the data:
$Sysmon = Get-WinEvent -filterhashtable
@{logname="Microsoft-Windows-Sysmon/Operational";id=1}
See all fields available:
$sysmon[0] | fl *
Display all process creations with time:
$sysmon | %{"$(([datetime]$_.properties[0].value).ToLocalTime())
$($_.Properties[3].Value)"}
Display all process creations with command line:
$sysmon | %{"$(([datetime]$_.properties[0].value).ToLocalTime())
$($_.Properties[4].Value)"}
Display a sorted list of all .exe files executed, one per file:
$sysmon | %{$_.Properties[3].Value}| sort -Unique
Save all Radia commands ran to a file on your desktop:
$sysmon | where { $_.Properties[3].Value -match "\\Agent\\" } |
%{"$(([datetime]$_.properties[0].value).ToLocalTime())
$($_.Properties[4].Value)"} > "$($ENV:USERPROFILE)\Desktop\Radia.txt"
Find more examples here:
http://909research.com/windows-log-hunting-with-powershell/
Keywords: Sysinternals, System Monitor, Mark Russinovich |