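<#
Meta
Date: 2022 March 28th
Authors: Dray Agha (Twitter @purp1ew0lf)
Company: Huntress Labs
Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab.

Requires: Windows, an elevated PowerShell session, outbound HTTPS to download.sysinternals.com
and raw.githubusercontent.com.
#>

# Lab working directory. Derived from $env:USERPROFILE rather than the hard-coded
# "C:\users\<name>" so it still resolves when the profile lives elsewhere; it is
# also reused for the closing message so the printed path matches the real one.
$LabDir = Join-Path $env:USERPROFILE "Desktop\SysmonLab"

#######################################
# Verify the session is elevated, then run the installer.
# Sysmon driver/service installation needs local admin; without it the script
# stops here with a warning and a non-zero exit code.
#######################################
function admin_check {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning "Insufficient permissions. Run this Powershell script as Admin please"
        # The original used 'Break' outside a loop, which ends the script but with
        # exit code 0; fail explicitly so callers/wrappers can see it did not run.
        exit 1
    }

    # If we're all good, let's fire it off
    install_various
}

#######################################
# Download Sysmon, a community ruleset and Ippsec's PowerSiem, then install Sysmon.
# Globals:  $LabDir (read)
# Outputs:  Sysmon installed as a service; PowerSiem.ps1 left in $LabDir
# Throws:   on any failed download, a bad Sysmon64.exe signature, or a failed install
#######################################
function install_various {
    # The original set "SilentlyContinue" here, which hid failed downloads and then
    # ran Sysmon64.exe against a config file that was never written. Stop instead,
    # so a broken step is visible rather than leaving a half-configured lab.
    $ErrorActionPreference = "Stop"
    # Progress bars make Invoke-WebRequest extremely slow on Windows PowerShell 5.1.
    $ProgressPreference = 'SilentlyContinue'

    # Older Windows PowerShell builds default to TLS 1.0, which both download
    # hosts reject; opt into TLS 1.2 without dropping anything already enabled.
    [Net.ServicePointManager]::SecurityProtocol = `
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

    # Create and work from specific directory (-Force: re-running is not an error).
    New-Item -Path $LabDir -ItemType Directory -Force | Out-Null
    Set-Location $LabDir

    # Download sysmon stuff. Invoke-WebRequest is spelled out because the 'wget'
    # alias does not exist on PowerShell 7.
    Invoke-WebRequest -UseBasicParsing "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "Sysmon.zip"
    Expand-Archive -Path "Sysmon.zip" -DestinationPath . -Force

    Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml" -OutFile "sysmonconfig.xml"
    # If you want to swap the sysmon ruleset from Florian's to another's, swap the address above
    # SwiftOnSecurity's : https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
    # Olaf's : https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml
    # Sophos apparently have one but it seems dedicated to malware analysis : https://support.sophos.com/support/s/article/KB-000038882?language=en_US

    # The archive is fetched over HTTPS but nothing pins its contents. Sysinternals
    # binaries carry a Microsoft Authenticode signature, so refuse to install a
    # Sysmon64.exe whose signature is missing, broken or untrusted.
    $sig = Get-AuthenticodeSignature -FilePath ".\Sysmon64.exe"
    if ($sig.Status -ne 'Valid') {
        throw "Sysmon64.exe Authenticode signature status is '$($sig.Status)'; refusing to install it"
    }

    # Install sysmon's stuff
    .\Sysmon64.exe -i sysmonconfig.xml -accepteula
    # NOTE(review): assumes Sysmon returns a non-zero exit code when the install fails - confirm.
    if ($LASTEXITCODE -ne 0) {
        throw "Sysmon64.exe -i exited with code $LASTEXITCODE"
    }

    # Ippsec's stuff
    Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/IppSec/PowerSiem/master/PowerSiem.ps1" -OutFile "PowerSiem.ps1"

    # Clean up. Best-effort: the archive's file list varies between Sysmon
    # releases, so a missing file here is not a failure.
    Remove-Item -Path ".\sysmon.zip", ".\sysmon.exe", ".\eula.lnk", ".\Eula.txt" -ErrorAction SilentlyContinue
}

# Execute main function in silence
admin_check | Out-Null

# Message
Write-Host "`n`nSysmon is " -NoNewline
Write-Host (Get-Service sysmon*).Status -ForegroundColor Magenta
Write-Host "`nRun " -NoNewline
Write-Host (Join-Path $LabDir "PowerSiem.ps1") -ForegroundColor Magenta -NoNewline
Write-Host " and then detonate your malware to gather IoCs from Sysmon log`n"
exit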