Revisions
Purp1eW0lf revised this gist
Jul 1, 2022 . 1 changed file with 0 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -36,8 +36,6 @@ function install_various{ # Olaf's : https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml # Sophos apparently have one but it seems dedicated to malware analysis : https://support.sophos.com/support/s/article/KB-000038882?language=en_US #install sysmon's stuff .\Sysmon64.exe -i sysmonconfig.xml -accepteula -
Purp1eW0lf revised this gist
Jul 1, 2022 . 1 changed file with 7 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -30,6 +30,13 @@ function install_various{ wget -UseBasicParsing https://download.sysinternals.com/files/Sysmon.zip -outfile "Sysmon.zip" Expand-archive "Sysmon.zip" -DestinationPath . wget -UseBasicParsing https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml -outfile "sysmonconfig.xml" #If you want to swap the sysmon ruleset from Florian's to another's swap the address above # SwiftOnSecurity's : https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml # Olaf's : https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml # Sophos apparently have one but it seems dedicated to malware analysis : https://support.sophos.com/support/s/article/KB-000038882?language=en_US #install sysmon's stuff .\Sysmon64.exe -i sysmonconfig.xml -accepteula -
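Review bot: The added comments point at alternative rulesets by URL, but each of them, like the existing `wget` of `sysmonconfig.xml` just above, references a `master` branch with no pinning and no integrity check, so the configuration that decides what Sysmon logs (and what it excludes) is whatever that repository holds at run time. Since these lines exist to tell a reader how to swap the source, the caveat belongs in the same place, e.g. `# All of these are unpinned master-branch URLs: pin to a specific commit/tag and verify a known hash before trusting the ruleset`. A cheap guard would be to compare the downloaded file with `Get-FileHash` against a hash recorded from a copy you reviewed, and stop if it differs. install_various continues outside the hunk.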
Purp1eW0lf revised this gist
May 16, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -44,7 +44,7 @@ function install_various{ Admin_Check | out-null #Message write-host "`n`nSysmon is " -nonewline; write-host (get-service sysmon*).status -ForegroundColor magenta Write-host "`nRun " -nonewline; Write-Host "C:\users\$env:USERNAME\Desktop\SysmonLab\PowerSiem.ps1" -foregroundcolor Magenta -NoNewline; Write-host " and then detonate your malware to gather IoCs from Sysmon log`n" exit -
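Review bot: `(get-service sysmon*).status` now fails silently when no Sysmon service exists: the wildcard form of Get-Service simply returns nothing, so a broken install prints "Sysmon is " followed by a blank instead of the not-found error the literal `sysmon64` name produced, and if both a `Sysmon` and a `Sysmon64` service are registered the expression yields an array of statuses. Resolving the service first makes the outcome explicit: `$svc = Get-Service sysmon* | Select-Object -First 1`, `if (-not $svc) { Write-Warning "No Sysmon service found; the install did not succeed" }`, then `write-host $svc.Status -ForegroundColor magenta`. This message block is top-level script code, not part of admin_check or install_various.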
Purp1eW0lf revised this gist
Mar 28, 2022 . 1 changed file with 3 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -25,17 +25,16 @@ function install_various{ # Create and work from specific directory new-item "C:\users\$env:USERNAME\Desktop\SysmonLab" -ItemType "directory" Set-Location "C:\users\$env:USERNAME\Desktop\SysmonLab" #Download sysmon stuff wget -UseBasicParsing https://download.sysinternals.com/files/Sysmon.zip -outfile "Sysmon.zip" Expand-archive "Sysmon.zip" -DestinationPath . wget -UseBasicParsing https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml -outfile "sysmonconfig.xml" #install sysmon's stuff .\Sysmon64.exe -i sysmonconfig.xml -accepteula #Ippsec's stuff wget -UseBasicParsing https://raw.githubusercontent.com/IppSec/PowerSiem/master/PowerSiem.ps1 -outfile "PowerSiem.ps1" #Clean up -
Purp1eW0lf created this gist
Mar 28, 2022 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,51 @@ <# Meta Date: 2022 March 28th Authors: Dray Agha (Twitter @purp1ew0lf) Company: Huntress Labs Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab. #> function admin_check{ if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` [Security.Principal.WindowsBuiltInRole] "Administrator")) { Write-Warning "Insufficient permissions. Run this Powershell script as Admin please" Break } # if we're all good, let's fire it off else {Install_various} } function install_various{ #Ensure errors don't ruin anything for us $ErrorActionPreference = "SilentlyContinue" $progressPreference = 'silentlyContinue' # Create and work from specific directory new-item "C:\users\$env:USERNAME\Desktop\SysmonLab" -ItemType "directory" Set-Location "C:\users\$env:USERNAME\Desktop\SysmonLab" #Download sysmon stuff wget -UseBasicParsing https://download.sysinternals.com/files/Sysmon.zip -outfile "Sysmon.zip" Expand-archive "Sysmon.zip" -DestinationPath . wget -UseBasicParsing https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml -outfile "sysmonconfig.xml" #install sysmon stuff .\Sysmon64.exe -i sysmonconfig.xml -accepteula #Ippsec stuff wget -UseBasicParsing https://raw.githubusercontent.com/IppSec/PowerSiem/master/PowerSiem.ps1 -outfile "PowerSiem.ps1" #Clean up remove-item .\"sysmon.zip", .\"sysmon.exe", .\"eula.lnk", .\"Eula.txt" } #Execute main function in silence Admin_Check | out-null #Message write-host "`n`nSysmon is " -nonewline; write-host (get-service sysmon64).status -ForegroundColor magenta Write-host "`nRun " -nonewline; Write-Host "C:\users\$env:USERNAME\Desktop\SysmonLab\PowerSiem.ps1" -foregroundcolor Magenta -NoNewline; Write-host " and then detonate your malware to gather IoCs from Sysmon log`n" exit
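Review bot: `$ErrorActionPreference = "SilentlyContinue"` at the top of install_various hides a failed `new-item` or `Set-Location`, after which every relative-path step that follows — `Expand-archive "Sysmon.zip" -DestinationPath .`, `.\Sysmon64.exe -i sysmonconfig.xml -accepteula`, and in particular `remove-item .\"sysmon.zip", .\"sysmon.exe", .\"eula.lnk", .\"Eula.txt"` — runs in whatever directory the script was started from. Making the directory step fatal keeps the rest of the function anchored: `Set-Location "C:\users\$env:USERNAME\Desktop\SysmonLab" -ErrorAction Stop`, and `new-item ... -ItemType "directory" -Force | Out-Null` (or a `Test-Path` guard) avoids the silent failure on a second run when the folder already exists. The ruleset and PowerSiem downloads are also unpinned `master` URLs with no hash check, so the Sysmon configuration installed is whatever those repositories hold at run time; a `Get-FileHash` comparison against a reviewed copy would catch drift. Separately, `Break` in admin_check is not inside a loop, so PowerShell propagates it up through the calling scopes; `exit 1` states the intent more clearly for the non-admin case.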