[
  {
    "path": ".gitattributes",
    "content": "# Auto detect text files and perform LF normalization\n* text=auto\n\n# Custom for Visual Studio\n*.cs     diff=csharp\n*.sln    merge=union\n*.csproj merge=union\n*.vbproj merge=union\n*.fsproj merge=union\n*.dbproj merge=union\n\n# Standard to msysgit\n*.doc\t diff=astextplain\n*.DOC\t diff=astextplain\n*.docx diff=astextplain\n*.DOCX diff=astextplain\n*.dot  diff=astextplain\n*.DOT  diff=astextplain\n*.pdf  diff=astextplain\n*.PDF\t diff=astextplain\n*.rtf\t diff=astextplain\n*.RTF\t diff=astextplain\n\n# Custom for PowerShell*.psm1 text\n*.psd1 text\n*.psm1 text\n*.ps1xml text"
  },
  {
    "path": "Config.ps1",
    "content": "﻿\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonConfiguration\n{\n    [CmdletBinding(HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md')]\n    Param\n    (\n        # Path to write XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=0)]\n        [String]\n        $Path,\n\n        # Specify one or more hash algorithms used for image identification\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('ALL', 'MD5', 'SHA1', 'SHA256', 'IMPHASH')]\n        [string[]]\n        $HashingAlgorithm,\n\n\n\n        # Log Network Connections\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=2)]\n        [Switch]\n        $NetworkConnect,\n\n        # Log process loading of modules.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=3)]\n        [Switch]\n        $DriverLoad,\n\n        # Log process loading of modules.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=4)]\n        [Switch]\n        $ImageLoad,\n\n        # Log create remote thread actions.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=5)]\n        [Switch]\n        $CreateRemoteThread,\n\n        # Log file creation time modifications.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=6)]\n        [Switch]\n        $FileCreateTime,\n\n        # Log process creation.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n       
            Position=7)]\n        [Switch]\n        $ProcessCreate,\n\n        # Log process termination.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=8)]\n        [Switch]\n        $ProcessTerminate,\n\n        # Log when a running process opens another process.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=9)]\n        [Switch]\n        $ProcessAccess,\n\n        # Log raw access reads of files.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=10)]\n        [Switch]\n        $RawAccessRead,\n\n        # Check for signature certificate revocation.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=11 )]\n        [Switch]\n        $CheckRevocation,\n\n        # Log Registry events.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=12 )]\n        [Switch]\n        $RegistryEvent,\n\n        # Log File Creation events.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=13 )]\n        [Switch]\n        $FileCreate,\n\n        # Log File Stream creations events.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=14 )]\n        [Switch]\n        $FileCreateStreamHash,\n\n        # Log NamedPipes connection and creations events.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=15 )]\n        [Switch]\n        $PipeEvent,\n\n        # WMI Permanent Event component events.\n        [Parameter(Mandatory=$False,\n                   
ValueFromPipelineByPropertyName=$true,\n                   Position=16 )]\n        [Switch]\n        $WmiEvent,\n\n        # Comment for purpose of the configuration file.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true)]\n        [String]\n        $Comment,\n\n        # Schema Vesion for the configuration file, default is 3.3.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true)]\n                   [ValidateSet('2.0','3.0', '3.1', '3.2','3.3', '3.4')]\n        [String]\n        $SchemaVersion = '3.4'\n    )\n\n    Begin{}\n    Process\n    {\n        if ($HashingAlgorithm -contains 'ALL')\n        {\n            $Hash = '*'\n        }\n        else\n        {\n            $Hash = $HashingAlgorithm -join ','\n        }\n\n        $Config = ($ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path))\n\n        # get an XMLTextWriter to create the XML\n\n        $XmlWriter = New-Object System.XMl.XmlTextWriter($Config,$Null)\n\n        # choose a pretty formatting:\n        $xmlWriter.Formatting = 'Indented'\n        $xmlWriter.Indentation = 1\n\n        # write the header\n        if ($Comment)\n        {\n            $xmlWriter.WriteComment($Comment)\n        }\n        $xmlWriter.WriteStartElement('Sysmon')\n\n        $XmlWriter.WriteAttributeString('schemaversion', $SchemaVersion)\n\n        Write-Verbose -Message \"Enabling hashing algorithms : $($Hash)\"\n        $xmlWriter.WriteElementString('HashAlgorithms',$Hash)\n\n        # Enable checking revocation.\n        if ($CheckRevocation)\n        {\n            if ($SchemaVersion -in @('3.1','3.2','3.3','3.4'))\n            {\n                Write-Verbose -message 'Enabling CheckRevocation.'\n                $xmlWriter.WriteElementString('CheckRevocation','')\n            }\n            else\n            {\n                Write-Warning -Message 'CheckRevocation was not enabled because it is not 
supported in this SchemaVersion.'\n            }\n        }\n\n        # Create empty EventFiltering section.\n        $xmlWriter.WriteStartElement('EventFiltering')\n\n        if ($NetworkConnect)\n        {\n            Write-Verbose -Message 'Enabling network connection logging for all connections by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('NetworkConnect')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($DriverLoad)\n        {\n            Write-Verbose -Message 'Enabling logging all driver loading by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('DriverLoad ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($ImageLoad)\n        {\n            Write-Verbose -Message 'Enabling logging all image loading by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('ImageLoad ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($CreateRemoteThread)\n        {\n            Write-Verbose -Message 'Enabling logging all  CreateRemoteThread API actions by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('CreateRemoteThread ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($ProcessCreate)\n        {\n            Write-Verbose -Message 'Enabling logging all  process creation by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('ProcessCreate ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($ProcessTerminate)\n        {\n            Write-Verbose 
-Message 'Enabling logging all  process termination by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('ProcessTerminate ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($FileCreateTime)\n        {\n            Write-Verbose -Message 'Enabling logging all  process creation by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('FileCreateTime ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($ProcessAccess)\n        {\n            Write-Verbose -Message 'Enabling logging all  process access by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('ProcessAccess ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($RawAccessRead)\n        {\n            Write-Verbose -Message 'Enabling logging all  process access by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('RawAccessRead ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        # Log registry events.\n        if ($RegistryEvent)\n        {\n            if ($SchemaVersion -gt 3.2)\n            {\n                Write-Verbose -message 'Enabling RegistryEvent.'\n                $xmlWriter.WriteStartElement('RegistryEvent ')\n                $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n                $xmlWriter.WriteFullEndElement()\n            }\n            else\n            {\n                Write-Warning -Message 'RegistryEvent was not enabled because it is not supported in this SchemaVersion.'\n            }\n        }\n\n        # Log file create events.\n        if ($FileCreate)\n        {\n            if 
($SchemaVersion -gt 3.2)\n            {\n                Write-Verbose -message 'Enabling FileCreate.'\n                $xmlWriter.WriteStartElement('FileCreate ')\n                $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n                $xmlWriter.WriteFullEndElement()\n            }\n            else\n            {\n                Write-Warning -Message 'FileCreate was not enabled because it is not supported in this SchemaVersion.'\n            }\n        }\n\n        # Log file create events.\n        if ($FileCreateStreamHash)\n        {\n            if ($SchemaVersion -gt 3.2)\n            {\n                Write-Verbose -message 'Enabling FileCreateStreamHash.'\n                $xmlWriter.WriteStartElement('FileCreateStreamHash ')\n                $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n                $xmlWriter.WriteFullEndElement()\n            }\n            else\n            {\n                Write-Warning -Message 'FileCreateStreamHash was not enabled because it is not supported in this SchemaVersion.'\n            }\n        }\n\n        # NamedPipes create and connect events.\n        if ($PipeEvent)\n        {\n            if ($SchemaVersion -gt 3.2)\n            {\n                Write-Verbose -message 'Enabling PipeEvent.'\n                $xmlWriter.WriteStartElement('PipeEvent ')\n                $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n                $xmlWriter.WriteFullEndElement()\n            }\n            else\n            {\n                Write-Warning -Message 'PipeEvent was not enabled because it is not supported in this SchemaVersion.'\n            }\n        }\n\n        # NamedPipes create and connect events.\n        if ($WmiEvent)\n        {\n            if ($SchemaVersion -gt 3.4)\n            {\n                Write-Verbose -message 'Enabling WmiEvent.'\n                $xmlWriter.WriteStartElement('WmiEvent ')\n                $XmlWriter.WriteAttributeString('onmatch', 
'exclude')\n                $xmlWriter.WriteFullEndElement()\n            }\n            els\n            {\n                Write-Warning -Message 'WmiEvent was not enabled because it is not supported in this SchemaVersion.'\n            }\n        }\n\n        # End Element of EventFiltering\n        $xmlWriter.WriteFullEndElement()\n\n        # Sysmon\n        $xmlWriter.WriteEndElement()\n\n        # finalize the document:\n        #$xmlWriter.WriteEndDocument()\n        $xmlWriter.Flush()\n        $xmlWriter.Close()\n        Write-Verbose -Message \"Config file created as $($Config)\"\n        write-verbose -Message \"Configuration is for Sysmon $($sysmonVerMap[$SchemaVersion])\"\n    }\n    End\n    {\n    }\n}\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Get-SysmonHashingAlgorithm\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [string]$Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        [string]$LiteralPath\n    )\n\n    Begin{}\n    Process\n    {\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'        {[xml]$Config = Get-Content -Path $Path}\n                'LiteralPath' {[xml]$Config = Get-Content -LiteralPath $LiteralPath}\n            }\n    
    }\n        catch [System.Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n        if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        $ObjOptions = @{}\n\n        if ($Config.Sysmon.SelectSingleNode('//HashAlgorithms'))\n        {\n            $ObjOptions['Hashing'] = $config.Sysmon.HashAlgorithms\n        }\n        else\n        {\n            $ObjOptions['Hashing'] = ''\n        }\n\n        #$ObjOptions['Comment'] = $Config.'#comment'\n        $ConfigObj = [pscustomobject]$ObjOptions\n        $ConfigObj.pstypenames.insert(0,'Sysmon.HashingAlgorithm')\n        $ConfigObj\n\n    }\n    End{}\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Get-SysmonRule\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [string]$Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        
[string]$LiteralPath,\n\n        # Event type to parse rules for.\n        [Parameter(Mandatory=$false,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('ALL', 'NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n                     'ProcessTerminate', 'ImageLoad', 'DriverLoad', 'ProcessAccess',\n                     'RawAccessRead','ProcessAccess', 'FileCreateStreamHash',\n                     'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')]\n        [string[]]\n        $EventType = @('ALL')\n    )\n\n    Begin{}\n    Process\n    {\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'        {[xml]$Config = Get-Content -Path $Path}\n                'LiteralPath' {[xml]$Config = Get-Content -LiteralPath $LiteralPath}\n            }\n        }\n        catch [System.Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n         if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        # Collect all individual rules if they exist.\n        $Rules = $Config.Sysmon.EventFiltering\n\n        if ($EventType -contains 'ALL')\n        {\n            $TypesToParse = @('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n                              'ProcessTerminate', 'ImageLoad', 'DriverLoad','CreateRemoteThread',\n                              'ProcessAccess', 
'RawAccessRead', 'FileCreateStreamHash',\n                              'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')\n        }\n        else\n        {\n            $TypesToParse = $EventType\n        }\n\n        foreach($Type in $TypesToParse)\n        {\n            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$Type]\n            $RuleData = $Rules.SelectNodes(\"//EventFiltering/$($EvtType)\")\n            if($RuleData -ne $null)\n            {\n                Write-Verbose -Message \"$($EvtType) Rule Found.\"\n                Get-RuleWithFilter($RuleData)\n            }\n\n        }\n    }\n    End{}\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Set-SysmonHashingAlgorithm\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Specify one or more hash algorithms used for image identification\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('ALL', 'MD5', 'SHA1', 'SHA256', 'IMPHASH')]\n        [string[]]\n        $HashingAlgorithm\n    )\n\n    Begin{}\n    Process\n    {\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            
switch($psCmdlet.ParameterSetName)\n            {\n                'Path'\n                {\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n\n                'LiteralPath'\n                {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [System.Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n         if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        Write-Verbose -Message 'Updating Hashing option.'\n        if ($HashingAlgorithm -contains 'ALL')\n        {\n            $Hash = '*'\n        }\n        else\n        {\n            $Hash = $HashingAlgorithm -join ','\n        }\n\n        # Check if Hashing Alorithm node exists.\n        if($Config.SelectSingleNode('//Sysmon/HashAlgorithms') -ne $null)\n        {\n            $Config.Sysmon.HashAlgorithms = $Hash\n        }\n        else\n        {\n            $HashElement = $Config.CreateElement('HashAlgorithms')\n            [void]$Config.Sysmon.Configuration.AppendChild($HashElement)\n            $Config.Sysmon.Configuration.Hashing = $Hash\n        }\n        Write-Verbose -Message 'Hashing option has been updated.'\n\n\n        Write-Verbose -Message \"Option have been set on $($FileLocation)\"\n        
$Config.Save($FileLocation)\n    }\n    End{}\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Set-SysmonRule\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type to update.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n                     'ProcessTerminate', 'ImageLoad', 'DriverLoad', 'CreateRemoteThread',\n                     'ProcessAccess', 'RawAccessRead', 'FileCreateStreamHash',\n                     'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')]\n        [string[]]\n        $EventType,\n\n        # Action for event type rule and filters.\n        [Parameter(Mandatory=$false,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=2)]\n        [ValidateSet('Include', 'Exclude')]\n        [String]\n        $OnMatch = 'Exclude',\n\n        # Action to take for Schema 3.0 files.\n        [Parameter(Mandatory=$false,\n                   ValueFromPipelineByPropertyName=$true)]\n        [ValidateSet('Modify', 'Add')]\n        [String]\n        $Action = 'Modify'\n    )\n\n    Begin{}\n    Process\n    {\n        # if 
no elemrnt create one either if it is schema 2.0 or 3.0.\n        # If one is present we modify that one if Schema 2.0 and if Schema 3.0 and action modify.\n        # If Schema 3.0 and action add we check if only is present and that it is not the same OnMatch\n        # as being specified if it is we do nothing if not we add.\n\n\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'\n                {\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n\n                'LiteralPath'\n                {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n         if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        $Rules = $config.SelectSingleNode('//Sysmon/EventFiltering')\n\n        foreach($Type in $EventType)\n        {\n            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$Type]\n            $RuleData = $Rules.SelectSingleNode(\"//EventFiltering/$($EvtType)\")\n            $elements = $Rules.\"$($EvtType)\" | Select-Object -property onmatch -Unique\n\n            if($RuleData -ne $null)\n           
 {\n                if ($Rules.\"$($EvtType)\".count -eq $null)\n                {\n                    if (($Config.Sysmon.schemaversion -eq '2.0') -or ($Config.Sysmon.schemaversion -in @('3.0', '3.1', '3.2','3.3', '3.4') -and $Action -eq 'Modify'))\n                    {\n                        Write-Verbose -Message \"Setting as default action for $($EvtType) the rule on match of $($OnMatch).\"\n                        $RuleData.SetAttribute('onmatch',($OnMatch.ToLower()))\n                        Write-Verbose -Message 'Action has been set.'\n                    }\n                    elseif ($Config.Sysmon.schemaversion -in @('3.0', '3.1', '3.2','3.3', '3.4') -and $Action -eq 'Add')\n                    {\n                        if ($RuleData.onmatch -ne $OnMatch)\n                        {\n                            Write-Verbose -Message \"Creating rule for event type with action of $($OnMatch)\"\n                            $TypeElement = $config.CreateElement($EvtType)\n                            $TypeElement.SetAttribute('onmatch',($OnMatch.ToLower()))\n                             $RuleData = $Rules.AppendChild($TypeElement)\n                            Write-Verbose -Message 'Action has been set.'\n                        }\n                        else\n                        {\n                            Write-Verbose -Message 'A rule with the specified onmatch action already exists.'\n                        }\n                    }\n                }\n                elseif ($Config.Sysmon.schemaversion -in ('3.0', '3.1', '3.2','3.3', '3.4') -and $elements.count -eq 2)\n                {\n                    Write-Verbose -Message 'A rule with the specified onmatch action already exists.'\n                }\n                else\n                {\n                    Write-Error -Message 'This XML file does not conform to the schema.'\n                    return\n                }\n            }\n            else\n            {\n             
   Write-Verbose -Message \"No rule for $($EvtType) was found.\"\n                Write-Verbose -Message \"Creating rule for event type with action of $($OnMatch)\"\n                $TypeElement = $config.CreateElement($EvtType)\n                $TypeElement.SetAttribute('onmatch',($OnMatch.ToLower()))\n                $RuleData = $Rules.AppendChild($TypeElement)\n                Write-Verbose -Message 'Action has been set.'\n            }\n\n            Get-RuleWithFilter($RuleData)\n        }\n        $config.Save($FileLocation)\n    }\n    End{}\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Remove-SysmonRule\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type to remove. 
It is case sensitive.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n                     'ProcessTerminate', 'ImageLoad', 'DriverLoad', 'CreateRemoteThread',\n                     'ProcessAccess', 'RawAccessRead', 'FileCreateStreamHash',\n                     'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')]\n        [string[]]\n        $EventType,\n\n        # Action for event type rule and filters.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=2)]\n        [ValidateSet('Include', 'Exclude')]\n        [String]\n        $OnMatch = 'Exclude'\n    )\n\n    Begin{}\n    Process\n    {\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'\n                {\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n\n                'LiteralPath'\n                {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n         if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 
'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        $Rules = $config.SelectSingleNode('//Sysmon/EventFiltering')\n        foreach ($rule in $rules.ChildNodes)\n        {\n            if ($rule.name -in $EventType -and $rule.onmatch -eq $OnMatch)\n            {\n                [void]$rule.ParentNode.RemoveChild($rule)\n                Write-Verbose -Message \"Removed rule for $($EventType).\"\n            }\n        }\n\n        $config.Save($FileLocation)\n    }\n    End{}\n}\n\n"
  },
  {
    "path": "Filters.ps1",
    "content": "﻿#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonImageLoadFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image',\n            'ImageLoaded', 'Hashes', 'Signed',\n            'Signature')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process\n    {\n        
$FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'ImageLoad'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n        switch($psCmdlet.ParameterSetName)\n        {\n            'Path'\n            {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath'\n            {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n\n    }\n    End { }\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonDriverLoadFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            
'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ImageLoaded',\n            'Hashes', 'Signed', 'Signature')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'DriverLoad'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        switch($psCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonNetworkConnectFilter\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            
Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image',\n            'User', 'Protocol', 'Initiated', 'SourceIsIpv6',\n            'SourceIp', 'SourceHostname', 'SourcePort',\n            'SourcePortName', 'DestinationIsIpv6',\n            'DestinationIp', 'DestinationHostname',\n            'DestinationPort', 'DestinationPortName')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'NetworkConnect'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        switch($psCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n       
         $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonFileCreateFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonFileCreateFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n        'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image',\n            'TargetFilename', 'CreationUtcTime',\n            'PreviousCreationUtcTime')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            
ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n\n        switch($psCmdlet.ParameterSetName) {\n            'Path' {\n                New-RuleFilter -Path $Path -EventType FileCreateTime -Condition $Condition -EventField $FieldString -Value $Value -OnMatch $OnMatch\n            }\n\n            'LiteralPath' {\n                New-RuleFilter -LiteralPath $LiteralPath -EventType FileCreateTime -Condition $Condition -EventField $FieldString -Value $Value -OnMatch $OnMatch\n            }\n        }\n\n    }\n    End {}\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonProcessCreateFilter\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 
'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image',\n            'CommandLine', 'User', 'LogonGuid', 'LogonId',\n            'TerminalSessionId', 'IntegrityLevel',\n            'Hashes', 'ParentProcessGuid', 'ParentProcessId',\n            'ParentImage', 'ParentCommandLine')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'ProcessCreate'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n        switch($psCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End { }\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonProcessTerminateFilter\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        
[ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process\n    {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'ProcessTerminate'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n        switch($psCmdlet.ParameterSetName)\n        {\n            'Path'\n            {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath'\n            {\n               
 $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonCreateRemoteThreadFilter\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonCreateRemoteThreadFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('SourceImage', 'TargetImage')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n  
  )\n\n    Begin { }\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'CreateRemoteThread'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n        switch($psCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n<#\n.SYNOPSIS\nCreate a new filter for the logging of when a running process opens another.\n.DESCRIPTION\nCreate a new filter for the logging of when a running process opens another.\n.EXAMPLE\nC:\\PS> New-SysmonProcessAccessFilter -Path .\\testver31.xml -OnMatch include -Condition Contains -EventField TargetImage lsass.exe\nLog any process trying to open lsass.exe.\n#>\nfunction New-SysmonProcessAccessFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessAccessFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            
Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n            [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'SourceProcessGUID',\n            'SourceProcessId', 'SourceThreadId', 'SourceImage',\n            'TargetProcessGUID', 'TargetProcessId', 'TargetImage',\n            'GrantedAccess','CallTrace')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'ProcessAccess'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n<#\n.SYNOPSIS\nCreate a new filter for the logging of file raw access read actions.\n.DESCRIPTION\nCreate a new filter for the logging of file raw access read actions.\n.EXAMPLE\nC:\\PS> New-SysmonRawAccessReadFilter -Path 
.\\testver31.xml -OnMatch include -Condition Contains -EventField Image NTDS.dit\nLog any raw access read of the file NTDS.dit.\n#>\nfunction New-SysmonRawAccessReadFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonRawAccessReadFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId',\n            'Image', 'Device')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin 
{}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'RawAccessRead'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n\n<#\n.SYNOPSIS\nCreate a new filter for the logging file creation.\n.DESCRIPTION\nCreate a new filter for the logging file creation.\n.EXAMPLE\n#>\nfunction New-SysmonFileCreateFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonFileCreateFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n         
   Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('TargetFilename', 'ProcessGuid', 'ProcessId',\n            'Image')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'FileCreate'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n\n<#\n.SYNOPSIS\nCreate a new filter for the logging of the saving of data on a file stream.\n.DESCRIPTION\nCreate a new filter for the logging of the saving of data on a file stream.\n#>\nfunction New-SysmonFileCreateStreamHashFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonFileCreateStreamHashFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        
[ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('TargetFilename', 'ProcessGuid', 'ProcessId',\n            'Image')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'FileCreateStreamHash'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                
$cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n\n<#\n.SYNOPSIS\nCreate a new filter for the actions against the registry.\n.DESCRIPTION\nCreate a new filter for actions against the registry. Supports filtering\nby any of the following event types:\n* CreateKey\n* DeleteKey\n* RenameKey\n* CreateValue\n* DeleteValue\n* RenameValue\n* SetValue\n\nHives on Schema 3.2 in TargetObject are referenced as:\n* \\REGISTRY\\MACHINE\\HARDWARE\n* \\REGISTRY\\USER\\Security ID number\n* \\REGISTRY\\MACHINE\\SECURITY\n* \\REGISTRY\\USER\\.DEFAULT\n* \\REGISTRY\\MACHINE\\SYSTEM\n* \\REGISTRY\\MACHINE\\SOFTWARE\n* \\REGISTRY\\MACHINE\\SAM\n\nHives on Schema 3.3 and above in TargetObject are referenced as:\n* HKLM\n* HKCR\n* HKEY_USER\n\n.EXAMPLE\nC:\\PS> New-SysmonRegistryFilter -Path .\\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce'\nCapture persistence attempts by creating a registry entry in the RunOnce keys.\n#>\nfunction New-SysmonRegistryFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonRegistryFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({ Test-Path -Path $_ })]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 
'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('TargetObject', 'ProcessGuid', 'ProcessId',\n            'Image', 'EventType')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {\n        # Event types used to validate right type and string case\n        $EventTypeMap = @{\n            CreateKey = 'CreateKey'\n            DeleteKey = 'DeleteKey'\n            RenameKey = 'RenameKey'\n            CreateValue = 'CreateValue'\n            DeleteValue = 'DeleteValue'\n            RenameValue = 'RenameValue'\n            SetValue = 'SetValue'\n        }\n\n        $Etypes = $EventTypeMap.Keys\n    }\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n\n        if ($EventField -in 'EventType') {\n            if ($Value -in $Etypes) {\n                $Value = $EventTypeMap[$Value]\n            } else {\n                Write-Error -Message \"Not a supported EventType. 
Supported Event types $($Etypes -join ', ')\"\n                return\n            }\n        }\n        $cmdoptions = @{\n            'EventType' =  'RegistryEvent'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n<#\n.SYNOPSIS\nCreate a new filter for when a Named Pipe is created or connected.\n.DESCRIPTION\nCreate a new filter for when a Named Pipe is created or connected.\nUseful for watching malware inter-process communication.\n#>\nfunction New-SysmonPipeFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonPipeFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against an event field.\n        
[Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('Pipe', 'ProcessGuid', 'ProcessId',\n            'Image')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'PipeEvent'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n<#\n.SYNOPSIS\nCreate a new filter for WMI Permanent Event Classes.\n.DESCRIPTION\nCreate a new filter for when WMI permanent event classes are created or connected.\nUseful for monitoring for persistence actions.\n#>\nfunction New-SysmonWmiFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonWmiFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n  
          ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('Name', 'EventNamespace', 'Destination',\n            'Type', 'Query', 'Operation', 'Consumer', 'Filter')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'WmiEvent'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n               
 New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}\n\n\n#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Remove-SysmonRuleFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type to update.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n            'ProcessTerminate', 'ImageLoad', 'DriverLoad',\n            'CreateRemoteThread', 'RawAccessRead', 'ProcessAccess',\n            'FileCreateStreamHash', 'RegistryEvent', 'FileCreate',\n            'PipeEvent', 'WmiEvent')]\n        [string]\n        $EventType,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 
'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=5)]\n        [string[]]\n        $Value\n    )\n\n    Begin{}\n    Process {\n        $EvtType = $null\n        # Check if the file is a valid XML file and if not raise and error.\n        try {\n            switch($psCmdlet.ParameterSetName) {\n                'Path' {\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n\n                'LiteralPath' {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [Management.Automation.PSInvalidCastException] {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null) {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n        $Rules = $Config.SelectSingleNode('//Sysmon/EventFiltering')\n\n        # Select the proper condition string.\n        switch ($Condition) {\n            'Is' {$ConditionString = 'is'}\n            'IsNot' {$ConditionString = 'is not'}\n            'Contains' {$ConditionString = 'contains'}\n            'Excludes' {$ConditionString = 'excludes'}\n            'Image' {$ConditionString = 'image'}\n            'BeginWith' {$ConditionString = 
'begin with'}\n            'EndWith' {$ConditionString = 'end with'}\n            'LessThan' {$ConditionString = 'less than'}\n            'MoreThan' {$ConditionString = 'more than'}\n            Default {$ConditionString = 'is'}\n        }\n\n        # Check if the event type exists if not create it.\n        if ($Rules -eq '') {\n            Write-Error -Message 'Rule element does not exist. This appears to not be a valid config file'\n            return\n        } else {\n            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$EventType]\n\n            $EventRule = $Rules.SelectNodes(\"//EventFiltering/$($EvtType)\")\n        }\n\n        if($EventRule -eq $null) {\n            Write-Warning -Message \"No rule for $($EvtType) was found.\"\n            return\n        }\n\n        if($EventRule -eq $null) {\n            Write-Error -Message \"No rule for $($EvtType) was found.\"\n            return\n        } else {\n            if ($EventRule.count -eq $null -or $EventRule.Count -eq 1) {\n                if ($EventRule.onmatch -eq $OnMatch) {\n                    $Filters = $EventRule.SelectNodes('*')\n                    if ($Filters.count -gt 0) {\n                        foreach($val in $Value) {\n                            foreach($Filter in $Filters) {\n                                if ($Filter.Name -eq $EventField) {\n                                    if (($Filter.condition -eq $null) -and ($Condition -eq 'is') -and ($Filter.'#text' -eq $val)) {\n                                        [void]$Filter.ParentNode.RemoveChild($Filter)\n                                        Write-Verbose -Message \"Filter for field $($EventField) with condition $($Condition) and value of $($val) removed.\"\n                                    } elseif (($Filter.condition -eq $Condition) -and ($Filter.'#text' -eq $val)) {\n                                        [void]$Filter.ParentNode.RemoveChild($Filter)\n                                        Write-Verbose 
-Message \"Filter for field $($EventField) with condition $($Condition) and value of $($val) removed.\"\n                                    }\n                                }\n                            }\n                        }\n                        Get-RuleWithFilter($EventRule)\n                    }\n                }\n            } else {\n                Write-Verbose -Message 'Mutiple nodes.'\n                foreach ($rule in $EventRule) {\n                    if ($rule.onmatch -eq $OnMatch) {\n                        $Filters = $rule.SelectNodes('*')\n                        if ($Filters.count -gt 0) {\n                            foreach($val in $Value) {\n                                foreach($Filter in $Filters) {\n                                    if ($Filter.Name -eq $EventField) {\n                                        if (($Filter.condition -eq $null) -and ($Condition -eq 'is') -and ($Filter.'#text' -eq $val)) {\n                                            [void]$Filter.ParentNode.RemoveChild($Filter)\n                                            Write-Verbose -Message \"Filter for field $($EventField) with condition $($Condition) and value of $($val) removed.\"\n                                        } elseif (($Filter.condition -eq $Condition) -and ($Filter.'#text' -eq $val)) {\n                                            [void]$Filter.ParentNode.RemoveChild($Filter)\n                                            Write-Verbose -Message \"Filter for field $($EventField) with condition $($Condition) and value of $($val) removed.\"\n                                        }\n                                    }\n                                }\n                            }\n                            Get-RuleWithFilter($rule)\n                        }\n                    }\n                }\n            }\n        }\n        $config.Save($FileLocation)\n    }\n    End{}\n}\n\n<#\n.SYNOPSIS\nGet the configured filters for a 
specified Event Type Rule in a Sysmon configuration file.\n.DESCRIPTION\nGet the configured filters for a specified Event Type Rule in a Sysmon configuration file.\n.EXAMPLE\nC:\\PS>  Get-SysmonRuleFilter -Path C:\\sysmon.xml -EventType ProcessCreate\nGet the filter under the ProcessCreate Rule.\n#>\nfunction Get-SysmonRuleFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRuleFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type rule to get filter for.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=1)]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n            'ProcessTerminate', 'ImageLoad', 'DriverLoad',\n            'CreateRemoteThread','RawAccessRead', 'ProcessAccess',\n            'FileCreateStreamHash', 'RegistryEvent', 'FileCreate',\n            'PipeEvent', 'WmiEvent')]\n        [string]\n        $EventType,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch\n    )\n\n    Begin{}\n    Process {\n        $EvtType = $null\n        # Check if the file is a valid XML file and if not raise and error.\n        try {\n   
         switch($psCmdlet.ParameterSetName){\n                'Path'{\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n                'LiteralPath' {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [System.Management.Automation.PSInvalidCastException] {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null){\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n        $Rules = $Config.SelectSingleNode('//Sysmon/EventFiltering')\n\n        if ($Rules -eq '') {\n            Write-Error -Message 'Rule element does not exist. 
This appears to not be a valid config file'\n            return\n        } else {\n            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$EventType]\n\n            $EventRule = $Rules.SelectNodes(\"//EventFiltering/$($EvtType)\")\n        }\n\n        if($EventRule -eq $null) {\n            Write-Error -Message \"No rule for $($EvtType) was found.\"\n            return\n        } else {\n            if ($EventRule.count -eq $null -or $EventRule.Count -eq 1) {\n                Write-Verbose -Message 'Single Node'\n                if ($EventRule.onmatch -eq $OnMatch) {\n                    $Filters = $EventRule.SelectNodes('*')\n                    if ($Filters.ChildNodes.Count -gt 0) {\n                        foreach($Filter in $Filters) {\n                            $FilterObjProps = @{}\n                            $FilterObjProps['EventField'] = $Filter.Name\n                            $FilterObjProps['Condition'] = &{if($Filter.condition -eq $null){'is'}else{$Filter.condition}}\n                            $FilterObjProps['Value'] =  $Filter.'#text'\n                            $FilterObjProps['EventType'] =  $EvtType\n                            $FilterObjProps['OnMatch'] =  $OnMatch\n                            $FilterObj = [pscustomobject]$FilterObjProps\n                            $FilterObj.pstypenames.insert(0,'Sysmon.Rule.Filter')\n                            $FilterObj\n                        }\n\n                    }\n                }\n            }\n            else\n            {\n                Write-Verbose -Message 'Mutiple nodes.'\n                foreach ($rule in $EventRule)\n                {\n                    if ($rule.onmatch -eq $OnMatch)\n                    {\n                        $Filters = $rule.SelectNodes('*')\n                        if ($Filters.ChildNodes.Count -gt 0)\n                        {\n                            foreach($Filter in $Filters)\n                            {\n                         
       $FilterObjProps = @{}\n                                $FilterObjProps['EventField'] = $Filter.Name\n                                $FilterObjProps['Condition'] = &{if($Filter.condition -eq $null){'is'}else{$Filter.condition}}\n                                $FilterObjProps['Value'] =  $Filter.'#text'\n                                $FilterObjProps['EventType'] =  $EvtType\n                                $FilterObjProps['OnMatch'] =  $OnMatch\n                                $FilterObj = [pscustomobject]$FilterObjProps\n                                $FilterObj.pstypenames.insert(0,'Sysmon.Rule.Filter')\n                                $FilterObj\n                            }\n\n                        }\n                    }\n                }\n            }\n        }\n    }\n    End{}\n}\n\n<#\n.Synopsis\nSearches for specified SysMon Events and returns the Event Data as a custom object.\n.DESCRIPTION\nSearches for specified SysMon Events and returns the Event Data as a custom object.\n.EXAMPLE\nGet-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1)\n\nAll process creation events in the last 24hr\n.EXAMPLE\nGet-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\\export.evtx\n\nlast 20 network connection events from an exported SysMon log.\n#>\nfunction Get-SysmonEventData {\n    [CmdletBinding(DefaultParameterSetName='ID',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonEventData.md')]\n    Param (\n        # Sysmon Event ID of records to show\n        [Parameter(Mandatory=$true,\n            ParameterSetName='ID',\n            ValueFromPipelineByPropertyName=$true,\n            Position=0)]\n        [ValidateSet(1,2,3,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,255)]\n        [Int32[]]\n        $EventId,\n\n        # EventType that a Rule can be written against.\n        [Parameter(Mandatory=$false,\n            ParameterSetName='Type',\n            
ValueFromPipelineByPropertyName=$true,\n            Position=0)]\n        [string[]]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n            'ProcessTerminate', 'ImageLoad', 'DriverLoad',\n            'CreateRemoteThread', 'RawAccessRead', 'ProcessAccess', 'Error',\n            'FileCreateStreamHash', 'RegistryValueSet', 'RegistryRename',\n            'RegistryAddOrDelete', 'FileCreate','ConfigChange','PipeCreated',\n            'PipeConnected', 'WmiFilter', 'WmiConsumer', 'WmiBinding')]\n        $EventType,\n\n        # Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [int]\n        $MaxEvents,\n\n        # Specifies a path to one or more exported SysMon events in evtx format.\n        [Parameter(Mandatory=$false,\n            ValueFromPipeline=$true,\n            ValueFromPipelineByPropertyName=$true,\n            HelpMessage='Path to one or more locations.')]\n        [Alias('PSPath')]\n        [ValidateNotNullOrEmpty()]\n        [string[]]\n        $Path,\n\n        # Start Date to get all event going forward.\n        [Parameter(Mandatory=$false)]\n        [datetime]\n        $StartTime,\n\n        # End data for searching events.\n        [Parameter(Mandatory=$false)]\n        [datetime]\n        $EndTime\n    )\n\n    Begin\n    {\n        $EventTypeMap = @{\n            ProcessCreate = 1\n            FileCreateTime = 2\n            NetworkConnect = 3\n            ProcessTerminate = 5\n            DriverLoad = 6\n            ImageLoad = 7\n            CreateRemoteThread = 8\n            RawAccessRead = 9\n            ProcessAccess = 10\n            FileCreate = 11\n            RegistryAddOrDelete = 12\n            RegistryValueSet = 13\n            RegistryRename = 14\n            FileCreateStreamHash = 15\n  
          ConfigChange = 16\n            PipeCreated = 17\n            PipeConnected = 18\n            WmiFilter = 19\n            WmiConsumer = 20\n            WmiBinding = 21\n            Error = 255\n        }\n\n        $EventIdtoType = @{\n            '1' = 'ProcessCreate'\n            '2' = 'FileCreateTime'\n            '3' = 'NetworkConnect'\n            '5' = 'ProcessTerminate'\n            '6' = 'DriverLoad'\n            '7' = 'ImageLoad'\n            '8' = 'CreateRemoteThread'\n            '9' = 'RawAccessRead'\n            '10' = 'ProcessAccess'\n            '11' = 'FileCreate'\n            '12' = 'RegistryAddOrDelete'\n            '13' = 'RegistryValueSet'\n            '14' = 'RegistryRename'\n            '15' = 'FileCreateStreamHash'\n            '16' = 'ConfigChange'\n            '17' = 'PipeCreated'\n            '18' = 'PipeConnected'\n            '19' = 'WmiFilter'\n            '20' = 'WmiConsumer'\n            '21' = 'WmiBinding'\n            '255' = 'Error'\n\n        }\n    }\n    Process\n    {\n        # Hash for filtering\n        $HashFilter = @{LogName='Microsoft-Windows-Sysmon/Operational'}\n\n        # Hash for command paramteters\n        $ParamHash = @{}\n\n        if ($MaxEvents -gt 0)\n        {\n            $ParamHash.Add('MaxEvents', $MaxEvents)\n        }\n\n        if ($Path -gt 0)\n        {\n            $ParamHash.Add('Path', $Path)\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'ID' { $HashFilter.Add('Id', $EventId) }\n            'Type' {\n                $EventIds = @()\n                foreach ($etype in $EventType)\n                {\n                    $EventIds += $EventTypeMap[$etype]\n                }\n                $HashFilter.Add('Id', $EventIds)\n            }\n        }\n\n        if ($StartTime)\n        {\n            $HashFilter.Add('StartTime', $StartTime)\n        }\n\n        if ($EndTime)\n        {\n            $HashFilter.Add('EndTime', $EndTime)\n        }\n\n        
$ParamHash.Add('FilterHashTable',$HashFilter)\n        Get-WinEvent @ParamHash | ForEach-Object {\n            [xml]$evtxml = $_.toxml()\n            $ProcInfo = [ordered]@{}\n            $ProcInfo['EventId'] = $evtxml.Event.System.EventID\n            $ProcInfo['EventType'] = $EventIdtoType[$evtxml.Event.System.EventID]\n            $ProcInfo['Computer'] = $evtxml.Event.System.Computer\n            $evtxml.Event.EventData.Data | ForEach-Object {\n                $ProcInfo[$_.name] = $_.'#text'\n            }\n            New-Object psobject -Property $ProcInfo\n        }\n    }\n    End {}\n}\n"
  },
  {
    "path": "Format/Sysmon.ConfigOption.ps1xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-16\"?>\n<Configuration>\n<ViewDefinitions>\n<View>\n    <Name>Sysmon.ConfigOption</Name>\n    <ViewSelectedBy>\n        <TypeName>Sysmon.ConfigOption</TypeName>\n    </ViewSelectedBy>\n    <ListControl>\n        <ListEntries>\n            <ListEntry>\n                <ListItems>\n                    <ListItem> \n                        <Label>Hashing</Label>\n                        <PropertyName>Hashing</PropertyName>\n                    </ListItem>\n                    <ListItem>\n                        <Label>Network</Label>\n                        <PropertyName>Network</PropertyName>\n                    </ListItem>\n                    <ListItem>\n                        <Label>ImageLoading</Label>\n                        <PropertyName>ImageLoading</PropertyName>\n                    </ListItem>\n                    <ListItem>\n                        <Label>Comment</Label>\n                        <PropertyName>Comment</PropertyName>\n                    </ListItem>\n                    </ListItems>\n            </ListEntry>\n        </ListEntries>\n    </ListControl>\n</View>\n</ViewDefinitions>\n</Configuration>"
  },
  {
    "path": "Format/Sysmon.Rule.Filter.ps1xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-16\"?>\n<Configuration>\n<ViewDefinitions>\n<View>\n    <Name>Sysmon.Rule.Filter</Name>\n    <ViewSelectedBy>\n        <TypeName>Sysmon.Rule.Filter</TypeName>\n    </ViewSelectedBy>\n    <TableControl>\n        <TableHeaders>\n          <TableColumnHeader>\n            <Width>12</Width>\n          </TableColumnHeader>\n          <TableColumnHeader>\n            <Width>12</Width>\n          </TableColumnHeader>\n          <TableColumnHeader>\n            <Width>50</Width>\n          </TableColumnHeader>\n        </TableHeaders>\n        <TableRowEntries>\n          <TableRowEntry>\n            <TableColumnItems>\n              <TableColumnItem>\n               <PropertyName>EventField</PropertyName>\n              </TableColumnItem>\n              <TableColumnItem>\n               <PropertyName>Condition</PropertyName>\n              </TableColumnItem>\n              <TableColumnItem>\n                <PropertyName>Value</PropertyName>\n              </TableColumnItem>\n            </TableColumnItems>\n          </TableRowEntry>\n        </TableRowEntries>\n      </TableControl>\n</View>\n</ViewDefinitions>\n</Configuration>"
  },
  {
    "path": "Format/Sysmon.Rule.ps1xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-16\"?>\n<Configuration>\n<ViewDefinitions>\n<View>\n    <Name>Sysmon.Rule</Name>\n    <ViewSelectedBy>\n        <TypeName>Sysmon.Rule</TypeName>\n    </ViewSelectedBy>\n    <ListControl>\n        <ListEntries>\n            <ListEntry>\n                <ListItems>\n                    <ListItem> \n                        <Label>EventType</Label>\n                        <PropertyName>EventType</PropertyName>\n                    </ListItem>\n                    <ListItem>\n                        <Label>Scope</Label>\n                        <PropertyName>Scope</PropertyName>\n                    </ListItem>\n                    <ListItem>\n                        <Label>DefaultAction</Label>\n                        <PropertyName>DefaultAction</PropertyName>\n                    </ListItem>\n                    <ListItem>\n                        <Label>Filters</Label>\n                        <PropertyName>Filters</PropertyName>\n                    </ListItem>\n                    </ListItems>\n            </ListEntry>\n        </ListEntries>\n    </ListControl>\n</View>\n</ViewDefinitions>\n</Configuration>"
  },
  {
    "path": "Functions/ConvertFrom-SysmonBinaryConfiguration.ps1",
    "content": "<#\n.SYNOPSIS\n\nParses a binary Sysmon configuration.\n\n.DESCRIPTION\n\nConvertFrom-SysmonBinaryConfiguration parses a binary Sysmon configuration. The configuration is typically stored in the registry at the following path: HKLM\\SYSTEM\\CurrentControlSet\\Services\\SysmonDrv\\Parameters\\Rules\n\nConvertFrom-SysmonBinaryConfiguration currently only supports the following schema versions: 3.30, 3.40 and 4.0\n\nAuthor: Matthew Graeber (@mattifestation)\nLicense: BSD 3-Clause\n\n.PARAMETER RuleBytes\n\nSpecifies the raw bytes of a Sysmon configuration from the registry.\n\n.EXAMPLE\n\n[Byte[]] $RuleBytes = Get-ItemPropertyValue -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SysmonDrv\\Parameters -Name Rules\nConvertFrom-SysmonBinaryConfiguration -RuleBytes $RuleBytes\n\n.OUTPUTS\n\nSysmon.EventCollection\n\nOutput a fully-parsed rule object including the hash of the rules blob.\n\n.NOTES\n\nConvertFrom-SysmonBinaryConfiguration is designed to serve as a helper function for Get-SysmonConfiguration.\n#>\n\nfunction ConvertFrom-SysmonBinaryConfiguration {\n    [OutputType('Sysmon.EventCollection')]\n    [CmdletBinding()]\n    param (\n        [Parameter(Mandatory = $True)]\n        [Byte[]]\n        [ValidateNotNullOrEmpty()]\n        $RuleBytes\n    )\n\n    #region Define byte to string mappings. This may change across verions.\n    $SupportedSchemaVersions = @(\n        [Version] '3.30.0.0',\n        [Version] '3.40.0.0',\n        [Version] '4.00.0.0'\n    )\n\n    $EventConditionMapping = @{\n        0 = 'Is'\n        1 = 'IsNot'\n        2 = 'Contains'\n        3 = 'Excludes'\n        4 = 'BeginWith'\n        5 = 'EndWith'\n        6 = 'LessThan'\n        7 = 'MoreThan'\n        8 = 'Image'\n    }\n\n    # The following value to string mappings were all pulled from\n    # IDA and will require manual validation with with each new\n    # Sysmon and schema version. 
Here's hoping they don't change often!\n    $ProcessCreateMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n        4 = 'CommandLine'\n        5 = 'CurrentDirectory'\n        6 = 'User'\n        7 = 'LogonGuid'\n        8 = 'LogonId'\n        9 = 'TerminalSessionId'\n        10 = 'IntegrityLevel'\n        11 = 'Hashes'\n        12 = 'ParentProcessGuid'\n        13 = 'ParentProcessId'\n        14 = 'ParentImage'\n        15 = 'ParentCommandLine'\n    }\n\n    $ProcessCreateMapping_4_00 = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n        4 = 'FileVersion'\n        5 = 'Description'\n        6 = 'Product'\n        7 = 'Company'\n        8 = 'CommandLine'\n        9 = 'CurrentDirectory'\n        10 = 'User'\n        11 = 'LogonGuid'\n        12 = 'LogonId'\n        13 = 'TerminalSessionId'\n        14 = 'IntegrityLevel'\n        15 = 'Hashes'\n        16 = 'ParentProcessGuid'\n        17 = 'ParentProcessId'\n        18 = 'ParentImage'\n        19 = 'ParentCommandLine'\n    }\n\n    $FileCreateTimeMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n        4 = 'TargetFilename'\n        5 = 'CreationUtcTime'\n        6 = 'PreviousCreationUtcTime'\n    }\n\n    $NetworkConnectMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n        4 = 'User'\n        5 = 'Protocol'\n        6 = 'Initiated'\n        7 = 'SourceIsIpv6'\n        8 = 'SourceIp'\n        9 = 'SourceHostname'\n        10 = 'SourcePort'\n        11 = 'SourcePortName'\n        12 = 'DestinationIsIpv6'\n        13 = 'DestinationIp'\n        14 = 'DestinationHostname'\n        15 = 'DestinationPort'\n        16 = 'DestinationPortName'\n    }\n\n    $SysmonServiceStateChangeMapping = @{\n        0 = 'UtcTime'\n        1 = 'State'\n        2 = 'Version'\n        3 = 'SchemaVersion'\n 
   }\n\n    $ProcessTerminateMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n    }\n\n    $DriverLoadMapping = @{\n        0 = 'UtcTime'\n        1 = 'ImageLoaded'\n        2 = 'Hashes'\n        3 = 'Signed'\n        4 = 'Signature'\n        5 = 'SignatureStatus'\n    }\n\n    $ImageLoadMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n        4 = 'ImageLoaded'\n        5 = 'Hashes'\n        6 = 'Signed'\n        7 = 'Signature'\n        8 = 'SignatureStatus'\n    }\n\n    $ImageLoadMapping_4_00 = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n        4 = 'ImageLoaded'\n        5 = 'FileVersion'\n        6 = 'Description'\n        7 = 'Product'\n        8 = 'Company'\n        9 = 'Hashes'\n        10 = 'Signed'\n        11 = 'Signature'\n        12 = 'SignatureStatus'\n    }\n\n    $CreateRemoteThreadMapping = @{\n        0 = 'UtcTime'\n        1 = 'SourceProcessGuid'\n        2 = 'SourceProcessId'\n        3 = 'SourceImage'\n        4 = 'TargetProcessGuid'\n        5 = 'TargetProcessId'\n        6 = 'TargetImage'\n        7 = 'NewThreadId'\n        8 = 'StartAddress'\n        9 = 'StartModule'\n        10 = 'StartFunction'\n    }\n\n    $RawAccessReadMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n        4 = 'Device'\n    }\n\n    $ProcessAccessMapping = @{\n        0 = 'UtcTime'\n        1 = 'SourceProcessGUID'\n        2 = 'SourceProcessId'\n        3 = 'SourceThreadId'\n        4 = 'SourceImage'\n        5 = 'TargetProcessGUID'\n        6 = 'TargetProcessId'\n        7 = 'TargetImage'\n        8 = 'GrantedAccess'\n        9 = 'CallTrace'\n    }\n\n    $FileCreateMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n        4 = 'TargetFilename'\n        5 = 
'CreationUtcTime'\n    }\n\n    $RegistryEventCreateKeyMapping = @{\n        0 = 'EventType'\n        1 = 'UtcTime'\n        2 = 'ProcessGuid'\n        3 = 'ProcessId'\n        4 = 'Image'\n        5 = 'TargetObject'\n    }\n\n    $RegistryEventSetValueMapping = @{\n        0 = 'EventType'\n        1 = 'UtcTime'\n        2 = 'ProcessGuid'\n        3 = 'ProcessId'\n        4 = 'Image'\n        5 = 'TargetObject'\n        6 = 'Details'\n    }\n\n    $RegistryEventDeleteKeyMapping = @{\n        0 = 'EventType'\n        1 = 'UtcTime'\n        2 = 'ProcessGuid'\n        3 = 'ProcessId'\n        4 = 'Image'\n        5 = 'TargetObject'\n        6 = 'NewName'\n    }\n\n    $FileCreateStreamHashMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'Image'\n        4 = 'TargetFilename'\n        5 = 'CreationUtcTime'\n        6 = 'Hash'\n    }\n\n    $SysmonConfigurationChangeMapping = @{\n        0 = 'UtcTime'\n        1 = 'Configuration'\n        2 = 'ConfigurationFileHash'\n    }\n\n    $PipeEventCreatedMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'PipeName'\n        4 = 'Image'\n    }\n\n    $PipeEventConnectedMapping = @{\n        0 = 'UtcTime'\n        1 = 'ProcessGuid'\n        2 = 'ProcessId'\n        3 = 'PipeName'\n        4 = 'Image'\n    }\n\n    $WmiEventFilterMapping = @{\n        0 = 'EventType'\n        1 = 'UtcTime'\n        2 = 'Operation'\n        3 = 'User'\n        4 = 'EventNamespace'\n        5 = 'Name'\n        6 = 'Query'\n    }\n\n    $WmiEventConsumerMapping = @{\n        0 = 'EventType'\n        1 = 'UtcTime'\n        2 = 'Operation'\n        3 = 'User'\n        4 = 'Name'\n        5 = 'Type'\n        6 = 'Destination'\n    }\n\n    $WmiEventConsumerToFilterMapping = @{\n        0 = 'EventType'\n        1 = 'UtcTime'\n        2 = 'Operation'\n        3 = 'User'\n        4 = 'Consumer'\n        5 = 'Filter'\n    }\n\n    $EventTypeMapping = @{\n    
    1  = @('ProcessCreate', $ProcessCreateMapping)\n        2  = @('FileCreateTime', $FileCreateTimeMapping)\n        3  = @('NetworkConnect', $NetworkConnectMapping)\n        # SysmonServiceStateChange is not actually present in the schema. It is here for the sake of completeness.\n        4  = @('SysmonServiceStateChange', $SysmonServiceStateChangeMapping)\n        5  = @('ProcessTerminate', $ProcessTerminateMapping)\n        6  = @('DriverLoad', $DriverLoadMapping)\n        7  = @('ImageLoad', $ImageLoadMapping)\n        8  = @('CreateRemoteThread', $CreateRemoteThreadMapping)\n        9  = @('RawAccessRead', $RawAccessReadMapping)\n        10 = @('ProcessAccess', $ProcessAccessMapping)\n        11 = @('FileCreate', $FileCreateMapping)\n        12 = @('RegistryEventCreateKey', $RegistryEventCreateKeyMapping)\n        13 = @('RegistryEventSetValue', $RegistryEventSetValueMapping)\n        14 = @('RegistryEventDeleteKey', $RegistryEventDeleteKeyMapping)\n        15 = @('FileCreateStreamHash', $FileCreateStreamHashMapping)\n        # SysmonConfigurationChange is not actually present in the schema. It is here for the sake of completeness.\n        16 = @('SysmonConfigurationChange', $SysmonConfigurationChangeMapping)\n        17 = @('PipeEventCreated', $PipeEventCreatedMapping)\n        18 = @('PipeEventConnected', $PipeEventConnectedMapping)\n        19 = @('WmiEventFilter', $WmiEventFilterMapping)\n        20 = @('WmiEventConsumer', $WmiEventConsumerMapping)\n        21 = @('WmiEventConsumerToFilter', $WmiEventConsumerToFilterMapping)\n    }\n    #endregion\n\n    $RuleMemoryStream = New-Object -TypeName System.IO.MemoryStream -ArgumentList @(,$RuleBytes)\n\n    $RuleReader = New-Object -TypeName System.IO.BinaryReader -ArgumentList $RuleMemoryStream\n\n    # I'm noting here for the record that parsing could be slightly more robust to account for malformed\n    # rule blobs. 
I'm writing this in my spare time so I likely won't put too much work into increased\n    # parsing robustness.\n\n    if ($RuleBytes.Count -lt 16) {\n        $RuleReader.Dispose()\n        $RuleMemoryStream.Dispose()\n        throw 'Insufficient length to contain a Sysmon rule header.'\n    }\n\n    # This value should be either 0 or 1. 1 should be expected for a current Sysmon config.\n    # A value of 1 indicates that offset 8 will contain the file offset to the first rule grouping.\n    # A value of 0 should indicate that offset 8 will be the start of the first rule grouping.\n    # Currently, I am just going to check that the value is 1 and throw an exception if it's not.\n    $HeaderValue0 = $RuleReader.ReadUInt16()\n\n    if ($HeaderValue0 -ne 1) {\n        $RuleReader.Dispose()\n        $RuleMemoryStream.Dispose()\n        throw \"Incorrect header value at offset 0x00. Expected: 1. Actual: $HeaderValue0\"\n    }\n\n    # This value is expected to be 1. Any other value will indicate the presence of a \"registry rule version\"\n    # that is incompatible with the current Sysmon schema version. A value other than 1 likely indicates the\n    # presence of an old version of Sysmon. Any value besides 1 will not be supported in this script.\n    $HeaderValue1 = $RuleReader.ReadUInt16()\n\n    if ($HeaderValue1 -ne 1) {\n        $RuleReader.Dispose()\n        $RuleMemoryStream.Dispose()\n        throw \"Incorrect header value at offset 0x02. Expected: 1. 
Actual: $HeaderValue1\"\n    }\n\n    $RuleGroupCount = $RuleReader.ReadUInt32()\n    $RuleGroupBeginOffset = $RuleReader.ReadUInt32()\n\n    $SchemaVersionMinor = $RuleReader.ReadUInt16()\n    $SchemaVersionMajor = $RuleReader.ReadUInt16()\n\n    $SchemaVersion = New-Object -TypeName System.Version -ArgumentList $SchemaVersionMajor, $SchemaVersionMinor, 0, 0\n\n    Write-Verbose \"Obtained the following schema version: $($SchemaVersion.ToString(2))\"\n\n    if (-not ($SupportedSchemaVersions -contains $SchemaVersion)) {\n        $RuleReader.Dispose()\n        $RuleMemoryStream.Dispose()\n        throw \"Unsupported schema version: $($SchemaVersion.ToString(2)). Schema version must be at least $($MinimumSupportedSchemaVersion.ToString(2))\"\n    }\n\n    #region Perform offset updates depending upon the schema version here\n    # This logic should be the first candidate for refactoring should the schema change drastically in the future.\n    switch ($SchemaVersion.ToString(2)) {\n        '4.0' {\n            Write-Verbose 'Using schema version 4.00 updated offsets.'\n            # ProcessCreate and ImageLoad values changed\n            $EventTypeMapping[1][1] = $ProcessCreateMapping_4_00\n            $EventTypeMapping[7][1] = $ImageLoadMapping_4_00\n        }\n    }\n    #endregion\n\n    $null = $RuleReader.BaseStream.Seek($RuleGroupBeginOffset, 'Begin')\n\n    $EventCollection = for ($i = 0; $i -lt $RuleGroupCount; $i++) {\n        $EventTypeValue = $RuleReader.ReadInt32()\n        $EventType = $EventTypeMapping[$EventTypeValue][0]\n        $EventTypeRuleTypes = $EventTypeMapping[$EventTypeValue][1]\n        $OnMatchValue = $RuleReader.ReadInt32()\n\n        $OnMatch = $null\n\n        switch ($OnMatchValue) {\n            0 { $OnMatch = 'Exclude' }\n            1 { $OnMatch = 'Include' }\n            default { $OnMatch = '?' 
}\n        }\n\n        $NextEventTypeOffset = $RuleReader.ReadInt32()\n        $RuleCount = $RuleReader.ReadInt32()\n        [PSObject[]] $Rules = New-Object -TypeName PSObject[]($RuleCount)\n\n        # Parse individual rules here\n        for ($j = 0; $j -lt $RuleCount; $j++) {\n            $RuleType = $EventTypeRuleTypes[$RuleReader.ReadInt32()]\n            $Filter = $EventConditionMapping[$RuleReader.ReadInt32()]\n            $NextRuleOffset = $RuleReader.ReadInt32()\n            $RuleTextLength = $RuleReader.ReadInt32()\n            $RuleTextBytes = $RuleReader.ReadBytes($RuleTextLength)\n            $RuleText = [Text.Encoding]::Unicode.GetString($RuleTextBytes).TrimEnd(\"`0\")\n\n            $Rules[$j] = [PSCustomObject] @{\n                PSTypeName = 'Sysmon.Rule'\n                RuleType = $RuleType\n                Filter = $Filter\n                RuleText = $RuleText\n            }\n\n            $null = $RuleReader.BaseStream.Seek($NextRuleOffset, 'Begin')\n        }\n\n        [PSCustomObject] @{\n            PSTypeName = 'Sysmon.EventGroup'\n            EventType = $EventType\n            OnMatch = $OnMatch\n            Rules = $Rules\n        }\n\n        $null = $RuleReader.BaseStream.Seek($NextEventTypeOffset, 'Begin')\n    }\n\n    $RuleReader.Dispose()\n    $RuleMemoryStream.Dispose()\n\n    # Calculate the hash of the binary rule blob\n    $SHA256Hasher = New-Object -TypeName System.Security.Cryptography.SHA256CryptoServiceProvider\n    $ConfigBlobSHA256Hash = ($SHA256Hasher.ComputeHash($RuleBytes) | ForEach-Object { $_.ToString('X2') }) -join ''\n\n    [PSCustomObject] @{\n        PSTypeName = 'Sysmon.EventCollection'\n        SchemaVersion = $SchemaVersion\n        ConfigBlobSHA256Hash = $ConfigBlobSHA256Hash\n        Events = $EventCollection\n    }\n}\n"
  },
  {
    "path": "Functions/ConvertTo-SysmonXMLConfiguration.ps1",
    "content": "<#\n.SYNOPSIS\n\nRecovers a Sysmon XML configuration from a binary configuration.\n\n.DESCRIPTION\n\nConvertTo-SysmonXMLConfiguration takes the parsed output from Get-SysmonConfiguration and converts it to an XML configuration. This function is useful for recovering lost Sysmon configurations or for performing reconnaisance.\n\nAuthor: Matthew Graeber (@mattifestation)\nLicense: BSD 3-Clause\n\nRequired Dependencies: Get-SysmonConfiguration\n                       GeneratedCode.ps1\n\n.PARAMETER Configuration\n\nSpecifies the parsed Sysmon configuration output from Get-SysmonConfiguration.\n\n.EXAMPLE\n\nGet-SysmonConfiguration | ConvertTo-SysmonXMLConfiguration\n\n.EXAMPLE\n\n$Configuration = Get-SysmonConfiguration\nConvertTo-SysmonXMLConfiguration -Configuration $Configuration\n\n.INPUTS\n\nSysmon.Configuration\n\nConvertTo-SysmonXMLConfiguration accepts a single result from Get-SysmonConfiguration over the pipeline. Note: it will not accept input from Get-SysmonConfiguration when \"-MatchExeOutput\" is specified.\n\n.OUTPUTS\n\nSystem.String\n\nOutputs a Sysmon XML configuration document.\n#>\nfunction ConvertTo-SysmonXMLConfiguration {\n    [OutputType([String])]\n    [CmdletBinding()]\n    param (\n        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]\n        [PSTypeName('Sysmon.Configuration')]\n        $Configuration\n    )\n\n    $SchemaVersion = $Configuration.SchemaVersion\n\n    # Get the parsing code for the respective schema.\n    # Code injection note: an attacker would be able to influence the schema version used. That would only influence what\n    #  non-injectible source code was supplied to Add-Type, however. $ConfigurationSchemaSource variables should always be\n    #  constant variables with script (i.e. 
module) scope.\n    $SchemaSource = Get-Variable -Name \"SysmonConfigSchemaSource_$($SchemaVersion.Replace('.', '_'))\" -Scope Script -ValueOnly\n    \n    # Compile the parsing code\n    Add-Type -TypeDefinition $SchemaSource -ReferencedAssemblies 'System.Xml' -ErrorAction Stop\n\n    $NamespaceName = \"Sysmon_$($SchemaVersion.Replace('.', '_'))\"\n\n    # Create a base \"Sysmon\" object. This serves as the root node that will eventually be serialized to XML.\n    $Sysmon = New-Object -TypeName \"$NamespaceName.Sysmon\"\n\n    $Sysmon.schemaversion = $Configuration.SchemaVersion\n\n    if ($Configuration.CRLCheckingEnabled) { $Sysmon.CheckRevocation = New-Object -TypeName \"$NamespaceName.SysmonCheckRevocation\" }\n\n    # The hashing algorithms need to be lower case in the XML config.\n    $Sysmon.HashAlgorithms = ($Configuration.HashingAlgorithms | ForEach-Object { $_.ToLower() }) -join ','\n\n    $ProcessAccessString = ($Configuration.ProcessAccess | ForEach-Object { \"$($_.ProcessName):0x$($_.AccessMask.ToString('x'))\" }) -join ','\n    if ($ProcessAccessString) { $Sysmon.ProcessAccessConfig = $ProcessAccessString }\n\n    # Do not consider redundant event types. 
A well-formed binary Sysmon rule blob will have\n    # identical RegistryEvent, PipeEvent, and WmiEvent rule entries as of config schema version 3.4[0]\n    $EventTypesToExclude = @(\n        'RegistryEventSetValue',\n        'RegistryEventDeleteKey',\n        'PipeEventConnected',\n        'WmiEventConsumer',\n        'WmiEventConsumerToFilter'\n    )\n\n    # Group rules by their respective event types - a requirement for\n    # setting properties properly in the SysmonEventFiltering instance.\n    $EventGrouping = $Configuration.Rules |\n        Where-Object { -not ($EventTypesToExclude -contains $_.EventType) } |\n            Group-Object -Property EventType\n\n    # A configuration can technically not have any EventFiltering rules.\n    if ($EventGrouping) {\n        $Sysmon.EventFiltering = New-Object -TypeName \"$NamespaceName.SysmonEventFiltering\"\n\n        foreach ($Event in $EventGrouping) {\n            # The name of the event - e.g. ProcessCreate, FileCreate, etc.\n            $EventName = $Event.Name\n\n            # Normalize these event names.\n            # Have I mentioned that I hate that these aren't unique names in Sysmon?\n            switch ($EventName) {\n                'RegistryEventCreateKey' { $EventName = 'RegistryEvent' }\n                'PipeEventCreated' { $EventName = 'PipeEvent' }\n                'WmiEventFilter' { $EventName = 'WmiEvent' }\n            }\n\n            if ($Event.Count -gt 2) {\n                Write-Error \"There is more than two $EventName entries. This should not be possible.\"\n                return\n            }\n\n            if (($Event.Count -eq 2) -and ($Event.Group[0].OnMatch -eq $Event.Group[1].OnMatch)) {\n                Write-Error \"The `\"onmatch`\" attribute values for the $EventName rules are not `\"include`\" and `\"exclude`\". 
This should not be possible.\"\n                return\n            }\n\n            $Events = foreach ($RuleSet in $Event.Group) {\n                # The dynamic typing that follows relies upon naming consistency in the schema serialization source code.\n                $EventInstance = New-Object -TypeName \"$NamespaceName.SysmonEventFiltering$EventName\" -Property @{\n                    onmatch = $RuleSet.OnMatch.ToLower()\n                }\n\n                $RuleDefs = @{}\n\n                foreach ($Rule in $RuleSet.Rules) {\n                    $PropertyName = $Rule.RuleType\n                    # Since each property can be of a unique type, resolve it accordingly.\n                    $PropertyTypeName = (\"$NamespaceName.SysmonEventFiltering$EventName\" -as [Type]).GetProperty($PropertyName).PropertyType.FullName.TrimEnd('[]')\n\n                    if (-not $RuleDefs.ContainsKey($PropertyName)) {\n                        $RuleDefs[$PropertyName] = New-Object -TypeName \"Collections.ObjectModel.Collection``1[$PropertyTypeName]\"\n                    }\n\n                    $RuleInstance = New-Object -TypeName $PropertyTypeName\n                    # This needs to be lower case in the XML config.\n                    $RuleInstance.condition = $Rule.Filter.ToLower()\n                    # An exception is thrown here if the value has a space and it is being cast to an enum type.\n                    # Currently, \"Protected Process\" is the only instance. 
I'll need to refactor this if more instances arise.\n                    if ($Rule.RuleText -eq 'Protected Process') { $RuleInstance.Value = 'ProtectedProcess' } else { $RuleInstance.Value = $Rule.RuleText }\n\n                    $RuleDefs[$PropertyName].Add($RuleInstance)\n                }\n\n                # Set the collected rule properties accordingly.\n                foreach ($PropertyName in $RuleDefs.Keys) {\n                    $EventInstance.\"$PropertyName\" = $RuleDefs[$PropertyName]\n                }\n\n                $EventInstance\n            }\n\n            $EventPropertyName = $Events[0].GetType().Name.Substring('SysmonEventFiltering'.Length)\n            $Sysmon.EventFiltering.\"$EventPropertyName\" = $Events\n        }\n    }\n\n    $XmlWriter = $null\n\n    try {\n        $XmlWriterSetting = New-Object -TypeName Xml.XmlWriterSettings\n        # A Sysmon XML config is not expected to have an XML declaration line.\n        $XmlWriterSetting.OmitXmlDeclaration = $True\n        $XmlWriterSetting.Indent = $True\n        # Use two spaces in place of a tab character.\n        $XmlWriterSetting.IndentChars = '  '\n        # Normalize newlines to CRLF.\n        $XmlWriterSetting.NewLineHandling = [Xml.NewLineHandling]::Replace\n\n        $XMlStringBuilder = New-Object -TypeName Text.StringBuilder\n\n        $XmlWriter = [Xml.XmlWriter]::Create($XMlStringBuilder, $XmlWriterSetting)\n\n        $XmlSerializer = New-Object -TypeName Xml.Serialization.XmlSerializer -ArgumentList (\"$NamespaceName.Sysmon\" -as [Type]), ''\n        # This will strip any additional \"xmlns\" attributes from the root Sysmon element.\n        $EmptyNamespaces = New-Object -TypeName Xml.Serialization.XmlSerializerNamespaces\n        $EmptyNamespaces.Add('', '')\n\n        $XmlSerializer.Serialize($XmlWriter, $Sysmon, $EmptyNamespaces)\n    } catch {\n        Write-Error $_\n    } finally {\n        if ($XmlWriter) { $XmlWriter.Close() }\n    }\n\n    
$XMlStringBuilder.ToString()\n}\n"
  },
  {
    "path": "Functions/Get-SysmonConfiguration.ps1",
    "content": "<#\n.SYNOPSIS\n\nParses a Sysmon driver configuration from the registry. Output is nearly identical to that of \"sysmon.exe -c\" but without the requirement to run sysmon.exe.\n\n.DESCRIPTION\n\nGet-SysmonConfiguration parses a Sysmon configuration from the registry without the need to run \"sysmon.exe -c\". This function is designed to enable Sysmon configuration auditing at scale as well as reconnaissance for red teamers. \n\nGet-SysmonConfiguration has been tested with the following Sysmon versions: 6.20\n\nDue to the admin-only ACL set on the Sysmon driver registry key, Get-SysmonConfiguration will typically need to run in an elevated context. Because the user-mode service and driver names can be changed, Get-SysmonConfiguration will locate the service and driver regardless of their names.\n\nAuthor: Matthew Graeber (@mattifestation)\nLicense: BSD 3-Clause\n\nRequired Dependencies: ConvertFrom-SysmonBinaryConfiguration\n\n.PARAMETER MatchExeOutput\n\nMirrors the text output of \"sysmon.exe -c\". This parameter was implemented primarily to enable testing scenarios - i.e. to ensure that the output matches that of the version of Sysmon (or schema) being tested against.\n\n.EXAMPLE\n\nGet-SysmonConfiguration\n\n.EXAMPLE\n\nGet-SysmonConfiguration -MatchExeOutput\n\n.OUTPUTS\n\nSysmon.Configuration\n\nOutputs a fully parsed Sysmon configuration including the hash of the registry rule blob for auditing purposes.\n\nSystem.String\n\nOutputs mirrored output from \"sysmon.exe -c\".\n\n.NOTES\n\nGet-SysmonConfiguration will have to be manually validated for each new Sysmon and configuration schema version. 
Please report all bugs and discrepancies with new versions by supplying the following information:\n\n1) The Sysmon config XML that's generating the error (only schema versions 3.30 and later).\n2) The version of Sysmon being used (only 6.20 and later).\n#>\nfunction Get-SysmonConfiguration {\n\n\n    [OutputType('Sysmon.Configuration', ParameterSetName = 'PSOutput')]\n    [OutputType([String], ParameterSetName = 'ExeOutput')]\n    [CmdletBinding(DefaultParameterSetName = 'PSOutput')]\n    param (\n        [Parameter(ParameterSetName = 'ExeOutput')]\n        [Switch]\n        $MatchExeOutput\n    )\n\n    # Find the Sysmon driver based solely off the presence of the \"Rules\" value.\n    # This is being done because the user can optionally specify a driver name other than the default: SysmonDrv\n    $ServiceParameters = Get-ChildItem -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services -Recurse -Include 'Parameters' -ErrorAction SilentlyContinue\n    $DriverParameters = $ServiceParameters | Where-Object { $_.Property -contains 'Rules' }\n\n    if (-not $DriverParameters) {\n        Write-Error 'Unable to locate a Sysmon driver. 
Either it is not installed or you do not have permissions to read the driver configuration in the registry.'\n        return\n    }\n\n    $FoundSysmonMatch = $False\n    $SysmonDriverName = $null\n    $SysmonServiceName = $null\n    $SysmonDriverParams = $null\n\n    # Just in case there is more than one instance where there is a \"Rules\" value, correlate it with the user-mode service to confirm.\n    $DriverParameters | ForEach-Object {\n        $CandidateDriverName = $_.PSParentPath.Split('\\')[-1]\n        $CandidateDriverParams = $_\n\n        $CandidateUserModeServices = $ServiceParameters | Where-Object { $_.Property -contains 'DriverName' }\n\n        if (-not $CandidateUserModeServices) {\n            Write-Error 'Unable to locate a user-mode Sysmon service.'\n            return\n        }\n\n        $CandidateUserModeServices | ForEach-Object {\n            $CandidateServiceName = $_.PSParentPath.Split('\\')[-1]\n            $DriverName = ($_ | Get-ItemProperty).DriverName\n\n            # We have a matching user-mode Sysmon service and Sysmon driver.\n            if ($DriverName -eq $CandidateDriverName) {\n                $FoundSysmonMatch = $True\n                $SysmonDriverName = $CandidateDriverName\n                $SysmonServiceName = $CandidateServiceName\n                $SysmonDriverParams = $CandidateDriverParams | Get-ItemProperty\n            }\n        }\n    }\n\n    if ($FoundSysmonMatch) {\n        # HKLM\\SYSTEM\\CurrentControlSet\\Services\\<SYSMON_DRIVER_NAME>\\Parameters\n        $RuleBytes = $SysmonDriverParams.Rules                        # REG_BINARY\n        $Options = $SysmonDriverParams.Options                        # REG_DWORD\n        $HashingAlgorithmValue = $SysmonDriverParams.HashingAlgorithm # REG_DWORD\n        $ProcessAccessMasks = $SysmonDriverParams.ProcessAccessMasks  # REG_BINARY - No larger than size: 0x28 (0x28 / 4 == 10: unique masks to interpret alongside ProcessAccessNames)\n        $ProcessAccessNames = 
$SysmonDriverParams.ProcessAccessNames  # REG_MULTI_SZ - Can have no more than 10 entries\n        $CheckRevocation = $SysmonDriverParams.CheckRevocation        # REG_BINARY of size: 1 byte\n\n        # The high-order bit of HashingAlgorithm must be set to 1 (i.e. 0x80000000)\n        $HashingAlgorithms = if ($HashingAlgorithmValue) {\n            if ($HashingAlgorithmValue -band 1) { 'SHA1' }\n            if ($HashingAlgorithmValue -band 2) { 'MD5' }\n            if ($HashingAlgorithmValue -band 4) { 'SHA256' }\n            if ($HashingAlgorithmValue -band 8) { 'IMPHASH' }\n        }\n\n        $NetworkConnection = $False\n        if ($Options -band 1) { $NetworkConnection = $True }\n\n        $ImageLoading = $False\n        if ($Options -band 2) { $ImageLoading = $True }\n\n        $CRLChecking = $False\n        if (($CheckRevocation.Count -gt 0) -and ($CheckRevocation[0] -eq 1)) { $CRLChecking = $True }\n\n        # Parse the binary rules blob.\n        $Rules = ConvertFrom-SysmonBinaryConfiguration -RuleBytes $RuleBytes\n\n        $ProcessAccess = $False\n        if ($Rules.Events.EventType -contains 'ProcessAccess') { $ProcessAccess = $True }\n\n        # Process ProcessAccessNames and ProcessAccessMasks.\n        # The code path to actually use these appears to be a dead one now.\n        # I'm only parsing this to mirror Sysmon 6.20 supporting parsing.\n        $ProcessAccessList = New-Object -TypeName PSObject[]($ProcessAccessNames.Count)\n        for ($i = 0; $i -lt $ProcessAccessNames.Count; $i++) {\n            $ProcessAccessList[$i] = [PSCustomObject] @{\n                ProcessName = $ProcessAccessNames[$i]\n                AccessMask = [BitConverter]::ToInt32($ProcessAccessMasks, $i * 4)\n            }\n        }\n\n        $Properties = [Ordered] @{\n            PSTypeName = 'Sysmon.Configuration'\n            ServiceName = $SysmonServiceName\n            DriverName = $SysmonDriverName\n            HashingAlgorithms = $HashingAlgorithms\n            
NetworkConnectionEnabled = $NetworkConnection\n            ImageLoadingEnabled = $ImageLoading\n            CRLCheckingEnabled = $CRLChecking\n            ProcessAccessEnabled = $ProcessAccess\n            ProcessAccess = $ProcessAccessList\n            SchemaVersion = $Rules.SchemaVersion.ToString(2)\n            ConfigBlobSHA256Hash = $Rules.ConfigBlobSHA256Hash\n            Rules = $Rules.Events\n        }\n\n        # Don't print the ProcessAccess property if it's not populated. With Sysmon 6.20, this\n        # should never be present anyway unless there's a stale artifact from an older version.\n        if ($ProcessAccessList.Count -eq 0) { $Properties.Remove('ProcessAccess') }\n\n        if ($MatchExeOutput) {\n\n            $NetworkConnectionString = if ($NetworkConnection) { 'enabled' } else { 'disabled' }\n            $ImageLoadingString = if ($ImageLoading) { 'enabled' } else { 'disabled' }\n            $CRLCheckingString = if ($CRLChecking) { 'enabled' } else { 'disabled' }\n            $ProcessAccessString = if ($ProcessAccess) { 'enabled' } else { 'disabled' }\n            if ($ProcessAccessList) {\n                $ProcessAccessString = ($ProcessAccessList | ForEach-Object { \"`\"$($_.ProcessName)`\":0x$($_.AccessMask.ToString('x'))\" }) -join ','\n            }\n\n            $AllRuleText = $Rules.Events | ForEach-Object {\n                # Dumb hacks to format output to the original \"sysmon.exe -c\" output\n                $EventType = $_.EventType\n                if ($EventType.StartsWith('RegistryEvent')) { $EventType = 'RegistryEvent' }\n                if ($EventType.StartsWith('WmiEvent')) { $EventType = 'WmiEvent' }\n                if ($EventType.StartsWith('PipeEvent')) { $EventType = 'PipeEvent' }\n\n                $RuleText = $_.Rules | ForEach-Object {\n                    $FilterText = switch ($_.Filter) {\n                        'Is' { 'is' }\n                        'IsNot' { 'is not' }\n                        'Contains' { 
'contains' }\n                        'Excludes' { 'excludes' }\n                        'BeginWith' { 'begin with' }\n                        'EndWith' { 'end with' }\n                        'LessThan' { 'less than' }\n                        'MoreThan' { 'more than' }\n                        'Image' { 'image' }\n                    }\n\n                    \"`t{0,-30} filter: {1,-12} value: '{2}'\" -f $_.RuleType, $FilterText, $_.RuleText\n                }\n\n                $RuleSet =  @\"\n - {0,-34} onmatch: {1}\n{2}\n\"@ -f $EventType,\n      $_.OnMatch.ToLower(),\n      ($RuleText | Out-String).TrimEnd(\"`r`n\")\n\n                $RuleSet.TrimEnd(\"`r`n\")\n            }\n\n\n            $ConfigOutput = @\"\nCurrent configuration:\n{0,-34}{1}\n{2,-34}{3}\n{4,-34}{5}\n{6,-34}{7}\n{8,-34}{9}\n{10,-34}{11}\n{12,-34}{13}\n\nRule configuration (version {14}):\n{15}\n\"@ -f ' - Service name:',\n      $SysmonServiceName,\n      ' - Driver name:',\n      $SysmonDriverName,\n      ' - HashingAlgorithms:',\n      ($HashingAlgorithms -join ','),\n      ' - Network connection:',\n      $NetworkConnectionString,\n      ' - Image loading:',\n      $ImageLoadingString,\n      ' - CRL checking:',\n      $CRLCheckingString,\n      ' - Process Access:',\n      $ProcessAccessString,\n      \"$($Rules.SchemaVersion.Major).$($Rules.SchemaVersion.Minor.ToString().PadRight(2, '0'))\",\n      ($AllRuleText | Out-String).TrimEnd(\"`r`n\")\n\n            $ConfigOutput\n        } else {\n            [PSCustomObject] $Properties\n        }\n    } else {\n        Write-Error 'Unable to locate a Sysmon driver and user-mode service.'\n    }\n}\n"
  },
  {
    "path": "Functions/Get-SysmonEventData.ps1",
    "content": "<#\n.Synopsis\nSearches for specified SysMon Events and retunrs the Event Data as a custom object.\n.DESCRIPTION\nSearches for specified SysMon Events and retunrs the Event Data as a custom object.\n.EXAMPLE\nGet-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1)\n\nAll process creation events in the last 24hr\n.EXAMPLE\nGet-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\\export.evtx\n\nlast 20 network connection events from a exported SysMon log.\n#>\nfunction Get-SysmonEventData {\n    [CmdletBinding(DefaultParameterSetName='ID',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonEventData.md')]\n    Param (\n        # Sysmon Event ID of records to show\n        [Parameter(Mandatory=$true,\n            ParameterSetName='ID',\n            ValueFromPipelineByPropertyName=$true,\n            Position=0)]\n        [ValidateSet(1,2,3,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,255)]\n        [Int32[]]\n        $EventId,\n\n        # EventType that a Rule can be written against.\n        [Parameter(Mandatory=$false,\n            ParameterSetName='Type',\n            ValueFromPipelineByPropertyName=$true,\n            Position=0)]\n        [string[]]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n            'ProcessTerminate', 'ImageLoad', 'DriverLoad',\n            'CreateRemoteThread', 'RawAccessRead', 'ProcessAccess', 'Error',\n            'FileCreateStreamHash', 'RegistryValueSet', 'RegistryRename',\n            'RegistryAddOrDelete', 'FileCreate','ConfigChange','PipeCreated',\n            'PipeConnected', 'WmiFilter', 'WmiConsumer', 'WmiBinding',\n            'DnsEvent', 'FileDelete', 'ClipboardChange', 'ProcessTampering')]\n        $EventType,\n\n        # Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. 
The default is to return all the events in the logs or files.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [int]\n        $MaxEvents,\n\n        # Specifies a path to one or more exported SysMon events in evtx format.\n        [Parameter(Mandatory=$false,\n            ValueFromPipeline=$true,\n            ValueFromPipelineByPropertyName=$true,\n            HelpMessage='Path to one or more locations.')]\n        [Alias('PSPath')]\n        [ValidateNotNullOrEmpty()]\n        [string[]]\n        $Path,\n\n        # Start Date to get all event going forward.\n        [Parameter(Mandatory=$false)]\n        [datetime]\n        $StartTime,\n\n        # End data for searching events.\n        [Parameter(Mandatory=$false)]\n        [datetime]\n        $EndTime\n    )\n\n    Begin\n    {\n        $EventTypeMap = @{\n            ProcessCreate = 1\n            FileCreateTime = 2\n            NetworkConnect = 3\n            ProcessTerminate = 5\n            DriverLoad = 6\n            ImageLoad = 7\n            CreateRemoteThread = 8\n            RawAccessRead = 9\n            ProcessAccess = 10\n            FileCreate = 11\n            RegistryAddOrDelete = 12\n            RegistryValueSet = 13\n            RegistryRename = 14\n            FileCreateStreamHash = 15\n            ConfigChange = 16\n            PipeCreated = 17\n            PipeConnected = 18\n            WmiFilter = 19\n            WmiConsumer = 20\n            WmiBinding = 21\n            DnsEvent = 22\n            FileDelete = 23\n            ClipboardChange = 24\n            ProcessTampering = 25\n            Error = 255\n        }\n\n        $EventIdtoType = @{\n            '1' = 'ProcessCreate'\n            '2' = 'FileCreateTime'\n            '3' = 'NetworkConnect'\n            '5' = 'ProcessTerminate'\n            '6' = 'DriverLoad'\n            '7' = 'ImageLoad'\n            '8' = 'CreateRemoteThread'\n            '9' = 
'RawAccessRead'\n            '10' = 'ProcessAccess'\n            '11' = 'FileCreate'\n            '12' = 'RegistryAddOrDelete'\n            '13' = 'RegistryValueSet'\n            '14' = 'RegistryRename'\n            '15' = 'FileCreateStreamHash'\n            '16' = 'ConfigChange'\n            '17' = 'PipeCreated'\n            '18' = 'PipeConnected'\n            '19' = 'WmiFilter'\n            '20' = 'WmiConsumer'\n            '21' = 'WmiBinding'\n            '22' = 'DnsEvent'\n            '23' = 'FileDelete'\n            '24' = 'ClipboardChange'\n            '25' = 'ProcessTampering'\n            '255' = 'Error'\n\n        }\n    }\n    Process\n    {\n        # Hash for filtering\n        $HashFilter = @{LogName='Microsoft-Windows-Sysmon/Operational'}\n\n        # Hash for command paramteters\n        $ParamHash = @{}\n\n        if ($MaxEvents -gt 0)\n        {\n            $ParamHash.Add('MaxEvents', $MaxEvents)\n        }\n\n        if ($Path -gt 0)\n        {\n            $ParamHash.Add('Path', $Path)\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'ID' { $HashFilter.Add('Id', $EventId) }\n            'Type' {\n                $EventIds = @()\n                foreach ($etype in $EventType)\n                {\n                    $EventIds += $EventTypeMap[$etype]\n                }\n                $HashFilter.Add('Id', $EventIds)\n            }\n        }\n\n        if ($StartTime)\n        {\n            $HashFilter.Add('StartTime', $StartTime)\n        }\n\n        if ($EndTime)\n        {\n            $HashFilter.Add('EndTime', $EndTime)\n        }\n\n        $ParamHash.Add('FilterHashTable',$HashFilter)\n        Get-WinEvent @ParamHash | ForEach-Object {\n            [xml]$evtxml = $_.toxml()\n            $ProcInfo = [ordered]@{}\n            $ProcInfo['EventId'] = $evtxml.Event.System.EventID\n            $ProcInfo['EventType'] = $EventIdtoType[$evtxml.Event.System.EventID]\n            $ProcInfo['Computer'] = 
$evtxml.Event.System.Computer\n            $evtxml.Event.EventData.Data | ForEach-Object {\n                $ProcInfo[$_.name] = $_.'#text'\n            }\n            New-Object psobject -Property $ProcInfo\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/Get-SysmonHashingAlgorithm.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Get-SysmonHashingAlgorithm\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [string]$Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        [string]$LiteralPath\n    )\n\n    Begin{}\n    Process\n    {\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'        {[xml]$Config = Get-Content -Path $Path}\n                'LiteralPath' {[xml]$Config = Get-Content -LiteralPath $LiteralPath}\n            }\n        }\n        catch [System.Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n        if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        $ObjOptions = @{}\n\n        if 
($Config.Sysmon.SelectSingleNode('//HashAlgorithms'))\n        {\n            $ObjOptions['Hashing'] = $config.Sysmon.HashAlgorithms\n        }\n        else\n        {\n            $ObjOptions['Hashing'] = ''\n        }\n\n        #$ObjOptions['Comment'] = $Config.'#comment'\n        $ConfigObj = [pscustomobject]$ObjOptions\n        $ConfigObj.pstypenames.insert(0,'Sysmon.HashingAlgorithm')\n        $ConfigObj\n\n    }\n    End{}\n}"
  },
  {
    "path": "Functions/Get-SysmonRule.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Get-SysmonRule\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [string]$Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        [string]$LiteralPath,\n\n        # Event type to parse rules for.\n        [Parameter(Mandatory=$false,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('ALL', 'NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n                     'ProcessTerminate', 'ImageLoad', 'DriverLoad', 'ProcessAccess',\n                     'RawAccessRead','ProcessAccess', 'FileCreateStreamHash',\n                     'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')]\n        [string[]]\n        $EventType = @('ALL')\n    )\n\n    Begin{}\n    Process\n    {\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'        {[xml]$Config = Get-Content -Path $Path}\n                'LiteralPath' {[xml]$Config = Get-Content -LiteralPath $LiteralPath}\n            }\n        }\n        catch [System.Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            
return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n         if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        # Collect all individual rules if they exist.\n        $Rules = $Config.Sysmon.EventFiltering\n\n        if ($EventType -contains 'ALL')\n        {\n            $TypesToParse = @('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n                              'ProcessTerminate', 'ImageLoad', 'DriverLoad','CreateRemoteThread',\n                              'ProcessAccess', 'RawAccessRead', 'FileCreateStreamHash',\n                              'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')\n        }\n        else\n        {\n            $TypesToParse = $EventType\n        }\n\n        foreach($Type in $TypesToParse)\n        {\n            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$Type]\n            $RuleData = $Rules.SelectNodes(\"//EventFiltering/$($EvtType)\")\n            if($RuleData -ne $null)\n            {\n                Write-Verbose -Message \"$($EvtType) Rule Found.\"\n                Get-RuleWithFilter($RuleData)\n            }\n\n        }\n    }\n    End{}\n}"
  },
  {
    "path": "Functions/Get-SysmonRuleFilter.ps1",
    "content": "<#\n.SYNOPSIS\nGet the configured filters for a specified Event Type Rule in a Sysmon configuration file.\n.DESCRIPTION\nGet the configured filters for a specified Event Type Rule in a Sysmon configuration file.\n.EXAMPLE\nC:\\PS>  Get-SysmonRuleFilter -Path C:\\sysmon.xml -EventType ProcessCreate\nGet the filter under the ProcessCreate Rule.\n#>\nfunction Get-SysmonRuleFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRuleFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type rule to get filter for.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=1)]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n            'ProcessTerminate', 'ImageLoad', 'DriverLoad',\n            'CreateRemoteThread','RawAccessRead', 'ProcessAccess',\n            'FileCreateStreamHash', 'RegistryEvent', 'FileCreate',\n            'PipeEvent', 'WmiEvent','RuleName')]\n        [string]\n        $EventType,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch\n    )\n\n    Begin{}\n    Process {\n        $EvtType = $null\n        # Check if 
the file is a valid XML file and if not raise and error.\n        try {\n            switch($psCmdlet.ParameterSetName){\n                'Path'{\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n                'LiteralPath' {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [System.Management.Automation.PSInvalidCastException] {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null){\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n        $Rules = $Config.SelectSingleNode('//Sysmon/EventFiltering')\n\n        if ($Rules -eq '') {\n            Write-Error -Message 'Rule element does not exist. 
This appears to not be a valid config file'\n            return\n        } else {\n            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$EventType]\n\n            $EventRule = $Rules.SelectNodes(\"//EventFiltering/$($EvtType)\")\n        }\n\n        if($EventRule -eq $null) {\n            Write-Error -Message \"No rule for $($EvtType) was found.\"\n            return\n        } else {\n            if ($EventRule.count -eq $null -or $EventRule.Count -eq 1) {\n                Write-Verbose -Message 'Single Node'\n                if ($EventRule.onmatch -eq $OnMatch) {\n                    $Filters = $EventRule.SelectNodes('*')\n                    if ($Filters.ChildNodes.Count -gt 0) {\n                        foreach($Filter in $Filters) {\n                            $FilterObjProps = @{}\n                            $FilterObjProps['EventField'] = $Filter.Name\n                            $FilterObjProps['Condition'] = &{if($Filter.condition -eq $null){'is'}else{$Filter.condition}}\n                            $FilterObjProps['Value'] =  $Filter.'#text'\n                            $FilterObjProps['EventType'] =  $EvtType\n                            $FilterObjProps['OnMatch'] =  $OnMatch\n                            $FilterObj = [pscustomobject]$FilterObjProps\n                            $FilterObj.pstypenames.insert(0,'Sysmon.Rule.Filter')\n                            $FilterObj\n                        }\n\n                    }\n                }\n            }\n            else\n            {\n                Write-Verbose -Message 'Mutiple nodes.'\n                foreach ($rule in $EventRule)\n                {\n                    if ($rule.onmatch -eq $OnMatch)\n                    {\n                        $Filters = $rule.SelectNodes('*')\n                        if ($Filters.ChildNodes.Count -gt 0)\n                        {\n                            foreach($Filter in $Filters)\n                            {\n                         
       $FilterObjProps = @{}\n                                $FilterObjProps['EventField'] = $Filter.Name\n                                $FilterObjProps['Condition'] = &{if($Filter.condition -eq $null){'is'}else{$Filter.condition}}\n                                $FilterObjProps['Value'] =  $Filter.'#text'\n                                $FilterObjProps['EventType'] =  $EvtType\n                                $FilterObjProps['OnMatch'] =  $OnMatch\n                                $FilterObj = [pscustomobject]$FilterObjProps\n                                $FilterObj.pstypenames.insert(0,'Sysmon.Rule.Filter')\n                                $FilterObj\n                            }\n\n                        }\n                    }\n                }\n            }\n        }\n    }\n    End{}\n}"
  },
  {
    "path": "Functions/New-SysmonConfiguration.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonConfiguration\n{\n    [CmdletBinding(HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md')]\n    Param\n    (\n        # Path to write XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=0)]\n        [String]\n        $Path,\n\n        # Specify one or more hash algorithms used for image identification\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('ALL', 'MD5', 'SHA1', 'SHA256', 'IMPHASH')]\n        [string[]]\n        $HashingAlgorithm,\n\n        # Log Network Connections\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=2)]\n        [Switch]\n        $NetworkConnect,\n\n        # Log process loading of modules.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=3)]\n        [Switch]\n        $DriverLoad,\n\n        # Log process loading of modules.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=4)]\n        [Switch]\n        $ImageLoad,\n\n        # Log create remote thread actions.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=5)]\n        [Switch]\n        $CreateRemoteThread,\n\n        # Log file creation time modifications.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=6)]\n        [Switch]\n        $FileCreateTime,\n\n        # Log process creation.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n              
     Position=7)]\n        [Switch]\n        $ProcessCreate,\n\n        # Log process termination.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=8)]\n        [Switch]\n        $ProcessTerminate,\n\n        # Log when a running process opens another process.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=9)]\n        [Switch]\n        $ProcessAccess,\n\n        # Log raw access reads of files.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=10)]\n        [Switch]\n        $RawAccessRead,\n\n        # Check for signature certificate revocation.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=11 )]\n        [Switch]\n        $CheckRevocation,\n\n        # Log Registry events.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=12 )]\n        [Switch]\n        $RegistryEvent,\n\n        # Log File Creation events.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=13 )]\n        [Switch]\n        $FileCreate,\n\n        # Log File Stream creations events.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=14 )]\n        [Switch]\n        $FileCreateStreamHash,\n\n        # Log NamedPipes connection and creations events.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=15 )]\n        [Switch]\n        $PipeEvent,\n\n        # WMI Permanent Event component events.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true,\n       
            Position=16 )]\n        [Switch]\n        $WmiEvent,\n\n        # Comment for purpose of the configuration file.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true)]\n        [String]\n        $Comment,\n\n        # Schema Vesion for the configuration file, default is 4.1.\n        [Parameter(Mandatory=$False,\n                   ValueFromPipelineByPropertyName=$true)]\n                   [ValidateSet('4.0','4.1')]\n        [string]\n        $SchemaVersion = '4.1'\n    )\n\n    Begin{}\n    Process {\n        if ($HashingAlgorithm -contains 'ALL') {\n            $Hash = '*'\n        } else {\n            $Hash = $HashingAlgorithm -join ','\n        }\n\n        $Config = ($ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path))\n\n        # get an XMLTextWriter to create the XML\n\n        $XmlWriter = New-Object System.XMl.XmlTextWriter($Config,$Null)\n\n        # choose a pretty formatting:\n        $xmlWriter.Formatting = 'Indented'\n        $xmlWriter.Indentation = 1\n\n        # write the header\n        if ($Comment)\n        {\n            $xmlWriter.WriteComment($Comment)\n        }\n        $xmlWriter.WriteStartElement('Sysmon')\n\n        $XmlWriter.WriteAttributeString('schemaversion', $SchemaVersion)\n\n        Write-Verbose -Message \"Enabling hashing algorithms : $($Hash)\"\n        $xmlWriter.WriteElementString('HashAlgorithms',$Hash)\n\n        # Enable checking revocation.\n        if ($CheckRevocation) {\n            Write-Verbose -message 'Enabling CheckRevocation.'\n            $xmlWriter.WriteElementString('CheckRevocation','')\n        }\n\n        # Create empty EventFiltering section.\n        $xmlWriter.WriteStartElement('EventFiltering')\n\n        if ($NetworkConnect) {\n            Write-Verbose -Message 'Enabling network connection logging for all connections by setting no filter and onmatch to exclude.'\n            
$xmlWriter.WriteStartElement('NetworkConnect')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($DriverLoad) {\n            Write-Verbose -Message 'Enabling logging all driver loading by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('DriverLoad ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($ImageLoad) {\n            Write-Verbose -Message 'Enabling logging all image loading by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('ImageLoad ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($CreateRemoteThread) {\n            Write-Verbose -Message 'Enabling logging all  CreateRemoteThread API actions by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('CreateRemoteThread ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($ProcessCreate) {\n            Write-Verbose -Message 'Enabling logging all  process creation by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('ProcessCreate ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($ProcessTerminate) {\n            Write-Verbose -Message 'Enabling logging all  process termination by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('ProcessTerminate ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($FileCreateTime) {\n            Write-Verbose -Message 'Enabling logging all  process creation by setting 
no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('FileCreateTime ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($ProcessAccess) {\n            Write-Verbose -Message 'Enabling logging all  process access by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('ProcessAccess ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        if ($RawAccessRead) {\n            Write-Verbose -Message 'Enabling logging all  process access by setting no filter and onmatch to exclude.'\n            $xmlWriter.WriteStartElement('RawAccessRead ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        # Log registry events.\n        if ($RegistryEvent) {\n            Write-Verbose -message 'Enabling RegistryEvent.'\n            $xmlWriter.WriteStartElement('RegistryEvent ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        # Log file create events.\n        if ($FileCreate) {\n            Write-Verbose -message 'Enabling FileCreate.'\n            $xmlWriter.WriteStartElement('FileCreate ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        # Log file create events.\n        if ($FileCreateStreamHash) {\n            Write-Verbose -message 'Enabling FileCreateStreamHash.'\n            $xmlWriter.WriteStartElement('FileCreateStreamHash ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        # NamedPipes create and connect events.\n        if ($PipeEvent) {\n            Write-Verbose -message 'Enabling PipeEvent.'\n            
$xmlWriter.WriteStartElement('PipeEvent ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        # NamedPipes create and connect events.\n        if ($WmiEvent) {\n            Write-Verbose -message 'Enabling WmiEvent.'\n            $xmlWriter.WriteStartElement('WmiEvent ')\n            $XmlWriter.WriteAttributeString('onmatch', 'exclude')\n            $xmlWriter.WriteFullEndElement()\n        }\n\n        # End Element of EventFiltering\n        $xmlWriter.WriteFullEndElement()\n\n        # Sysmon\n        $xmlWriter.WriteEndElement()\n\n        # finalize the document:\n        #$xmlWriter.WriteEndDocument()\n        $xmlWriter.Flush()\n        $xmlWriter.Close()\n        Write-Verbose -Message \"Config file created as $($Config)\"\n        write-verbose -Message \"Configuration is for Sysmon $($sysmonVerMap[$SchemaVersion])\"\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonCreateRemoteThreadFilter.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonCreateRemoteThreadFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonCreateRemoteThreadFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('SourceImage', 'TargetImage')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            
ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin { }\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'CreateRemoteThread'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch($psCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonDriverLoadFilter.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonDriverLoadFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ImageLoaded',\n            'Hashes', 'Signed', 'Signature')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            
ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'DriverLoad'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch($psCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonFileCreateFilter.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonFileCreateFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonFileCreateFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n        'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image',\n            'TargetFilename', 'CreationUtcTime',\n            'PreviousCreationUtcTime')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the 
filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'FileCreateStreamHash'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonFileCreateStreamHashFilter.ps1",
    "content": "<#\n.SYNOPSIS\nCreate a new filter for the logging of the saving of data on a file stream.\n.DESCRIPTION\nCreate a new filter for the logging of the saving of data on a file stream.\n#>\nfunction New-SysmonFileCreateStreamHashFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonFileCreateStreamHashFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('TargetFilename', 'ProcessGuid', 'ProcessId',\n            'Image')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n    
        Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'FileCreateStreamHash'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonImageLoadFilter.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonImageLoadFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image',\n            'ImageLoaded', 'Hashes', 'Signed',\n            'Signature', 'FileVersion',\n            'Description', 'Product', 'Company')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n    
    $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process\n    {\n        switch($psCmdlet.ParameterSetName)\n        {\n            'Path'\n            {\n                $ConfigVer = Select-Xml -Path $Path -XPath '//Sysmon/@schemaversion'\n            }\n\n            'LiteralPath'\n            {\n                $ConfigVer = Select-Xml -LiteralPath $LiteralPath -XPath '//Sysmon/@schemaversion'\n            }\n        }\n\n        if ($ConfigVer.Node.\"#text\" -lt 4.0 -and ($EventField -in @('FileVersion','Description', 'Product', 'Company'))) {\n            Write-Error -Message \"The event field $($EventField) is not supported under this schema.\"\n            Return\n        }\n\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'ImageLoad'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch($psCmdlet.ParameterSetName)\n        {\n            'Path'\n            {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath'\n            {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n\n    }\n    End { }\n}"
  },
  {
    "path": "Functions/New-SysmonNetworkConnectFilter.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonNetworkConnectFilter\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image',\n            'User', 'Protocol', 'Initiated', 'SourceIsIpv6',\n            'SourceIp', 'SourceHostname', 'SourcePort',\n            'SourcePortName', 'DestinationIsIpv6',\n            'DestinationIp', 'DestinationHostname',\n            'DestinationPort', 'DestinationPortName')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to 
filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'NetworkConnect'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch($psCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonPipeFilter.ps1",
    "content": "<#\n.SYNOPSIS\nCreate a new filter for when a Named Pipe is created or connected.\n.DESCRIPTION\nCreate a new filter for when a Named Pipe is created or connected.\nUseful for watching malware inter process communication.\n#>\nfunction New-SysmonPipeFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonPipeFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('Pipe', 'ProcessGuid', 'ProcessId',\n            'Image')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n      
      Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'PipeEvent'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonProcessAccessFilter.ps1",
    "content": "<#\n.SYNOPSIS\nCreate a new filter for the logging of when a running process opens another.\n.DESCRIPTION\nCreate a new filter for the logging of when a running process opens another.\n.EXAMPLE\nC:\\PS> New-SysmonProcessAccessFilter -Path .\\testver31.xml -OnMatch include -Condition Contains -EventField TargetImage lsass.exe\nLog any process trying to open lsass.exe.\n#>\nfunction New-SysmonProcessAccessFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessAccessFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n            [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'SourceProcessGUID',\n            'SourceProcessId', 
'SourceThreadId', 'SourceImage',\n            'TargetProcessGUID', 'TargetProcessId', 'TargetImage',\n            'GrantedAccess','CallTrace')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'ProcessAccess'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonProcessCreateFilter.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonProcessCreateFilter\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image',\n            'CommandLine', 'User', 'LogonGuid', 'LogonId',\n            'TerminalSessionId', 'IntegrityLevel',\n            'Hashes', 'ParentProcessGuid', 'ParentProcessId',\n            'ParentImage', 'ParentCommandLine', 'FileVersion',\n            'Description', 'Product', 'Company')]\n        [string]\n        $EventField,\n\n        # Value of Event 
Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process {\n        switch($psCmdlet.ParameterSetName)\n        {\n            'Path'\n            {\n                $ConfigVer = Select-Xml -Path $Path -XPath '//Sysmon/@schemaversion'\n            }\n\n            'LiteralPath'\n            {\n                $ConfigVer = Select-Xml -LiteralPath $LiteralPath -XPath '//Sysmon/@schemaversion'\n            }\n        }\n\n        if ($ConfigVer.Node.\"#text\" -lt 4.0 -and ($EventField -in @('FileVersion','Description', 'Product', 'Company'))) {\n            Write-Error -Message \"The event field $($EventField) is not supported under this schema.\"\n            Return\n        }\n\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n\n        $cmdoptions = @{\n            'EventType' =  'ProcessCreate'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch($psCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End { }\n}"
  },
  {
    "path": "Functions/New-SysmonProcessTerminateFilter.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction New-SysmonProcessTerminateFilter\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            
ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process\n    {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'ProcessTerminate'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch($psCmdlet.ParameterSetName)\n        {\n            'Path'\n            {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath'\n            {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonRawAccessReadFilter.ps1",
    "content": "<#\n.SYNOPSIS\nCreate a new filter for the logging of file raw access read actions.\n.DESCRIPTION\nCreate a new filter for the logging of file raw access read actions.\n.EXAMPLE\nC:\\PS> New-SysmonRawAccessReadFilter -Path .\\testver31.xml -OnMatch include -Condition Contains -EventField Image NTDS.dit\nLog any raw access read of the file NTDS.dit.\n#>\nfunction New-SysmonRawAccessReadFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonRawAccessReadFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId',\n            'Image', 'Device')]\n        [string]\n     
   $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'RawAccessRead'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonRegistryFilter.ps1",
    "content": "<#\n.SYNOPSIS\nCreate a new filter for the actions against the registry.\n.DESCRIPTION\nCreate a new filter for actions against the registry. Supports filtering\nby aby of the following event types:\n* CreateKey\n* DeleteKey\n* RenameKey\n* CreateValue\n* DeleteValue\n* RenameValue\n* SetValue\n\nHives on Schema 3.2 in TargetObject are referenced as:\n* \\REGISTRY\\MACHINE\\HARDWARE\n* \\REGISTRY\\USER\\Security ID number\n* \\REGISTRY\\MACHINE\\SECURITY\n* \\REGISTRY\\USER\\.DEFAULT\n* \\REGISTRY\\MACHINE\\SYSTEM\n* \\REGISTRY\\MACHINE\\SOFTWARE\n* \\REGISTRY\\MACHINE\\SAM\n\nHives on Schema 3.3 and above in TargetObject are referenced as:\n* HKLM\n* HKCR\n* HKEY_USER\n\n.EXAMPLE\nC:\\PS> New-SysmonRegistryFilter -Path .\\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce'\nCapture persistance attemp by creating a registry entry in the RunOnce keys.\n#>\nfunction New-SysmonRegistryFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonRegistryFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({ Test-Path -Path $_ })]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        
[Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('TargetObject', 'ProcessGuid', 'ProcessId',\n            'Image', 'EventType')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {\n        # Event types used to validate right type and string case\n        $EventTypeMap = @{\n            CreateKey = 'CreateKey'\n            DeleteKey = 'DeleteKey'\n            RenameKey = 'RenameKey'\n            CreateValue = 'CreateValue'\n            DeleteValue = 'DeleteValue'\n            RenameValue = 'RenameValue'\n            SetValue = 'SetValue'\n        }\n\n        $Etypes = $EventTypeMap.Keys\n    }\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n\n        if ($EventField -in 'EventType') {\n            if ($Value -in $Etypes) {\n                $Value = $EventTypeMap[$Value]\n            } else {\n                Write-Error -Message \"Not a supported EventType. 
Supported Event types $($Etypes -join ', ')\"\n                return\n            }\n        }\n        $cmdoptions = @{\n            'EventType' =  'RegistryEvent'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/New-SysmonWmiFilter.ps1",
    "content": "<#\n.SYNOPSIS\nCreate a new filter for WMI Permanent Event Classes.\n.DESCRIPTION\nCreate a new filter for when WMI permanent event classes are created or connected.\nUseful for monitoring for persistence actions.\n#>\nfunction New-SysmonWmiFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonWmiFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against an event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('Name', 'EventNamespace', 'Destination',\n            'Type', 'Query', 'Operation', 'Consumer', 'Filter')]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            
ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin {}\n    Process {\n        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]\n        $cmdoptions = @{\n            'EventType' =  'WmiEvent'\n            'Condition' = $Condition\n            'EventField' = $FieldString\n            'Value' = $Value\n            'OnMatch' = $OnMatch\n\n        }\n\n        if($RuleName) {\n            $cmdoptions.Add('RuleName',$RuleName)\n        }\n\n        switch ($PSCmdlet.ParameterSetName) {\n            'Path' {\n                $cmdOptions.Add('Path',$Path)\n                New-RuleFilter @cmdOptions\n            }\n\n            'LiteralPath' {\n                $cmdOptions.Add('LiteralPath',$LiteralPath)\n                New-RuleFilter @cmdOptions\n            }\n        }\n    }\n    End {}\n}"
  },
  {
    "path": "Functions/Remove-SysmonRule.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Remove-SysmonRule\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type to remove. It is case sensitive.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n                     'ProcessTerminate', 'ImageLoad', 'DriverLoad', 'CreateRemoteThread',\n                     'ProcessAccess', 'RawAccessRead', 'FileCreateStreamHash',\n                     'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent','RuleName')]\n        [string[]]\n        $EventType,\n\n        # Action for event type rule and filters.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=2)]\n        [ValidateSet('Include', 'Exclude')]\n        [String]\n        $OnMatch = 'Exclude'\n    )\n\n    Begin{}\n    Process\n    {\n        # Check if the file is a valid XML file and if not raise an error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'\n                {\n                    [xml]$Config = 
Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n\n                'LiteralPath'\n                {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n         if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        $Rules = $config.SelectSingleNode('//Sysmon/EventFiltering')\n        foreach ($rule in $rules.ChildNodes)\n        {\n            if ($rule.name -in $EventType -and $rule.onmatch -eq $OnMatch)\n            {\n                [void]$rule.ParentNode.RemoveChild($rule)\n                Write-Verbose -Message \"Removed rule for $($EventType).\"\n            }\n        }\n\n        $config.Save($FileLocation)\n    }\n    End{}\n}"
  },
  {
    "path": "Functions/Remove-SysmonRuleFilter.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Remove-SysmonRuleFilter {\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n    HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md')]\n    Param (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='Path',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            ParameterSetName='LiteralPath',\n            Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type to update.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=1)]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n            'ProcessTerminate', 'ImageLoad', 'DriverLoad',\n            'CreateRemoteThread', 'RawAccessRead', 'ProcessAccess',\n            'FileCreateStreamHash', 'RegistryEvent', 'FileCreate',\n            'PipeEvent', 'WmiEvent')]\n        [string]\n        $EventType,\n\n        # Event type on match action.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=2)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against an event field.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=3)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n            
ValueFromPipelineByPropertyName=$true,\n            Position=4)]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n            ValueFromPipelineByPropertyName=$true,\n            Position=5)]\n        [string[]]\n        $Value\n    )\n\n    Begin{}\n    Process {\n        $EvtType = $null\n        # Check if the file is a valid XML file and if not raise an error.\n        try {\n            switch($psCmdlet.ParameterSetName) {\n                'Path' {\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n\n                'LiteralPath' {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [Management.Automation.PSInvalidCastException] {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null) {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n        $Rules = $Config.SelectSingleNode('//Sysmon/EventFiltering')\n\n        # Select the proper condition string.\n        switch ($Condition) {\n            'Is' {$ConditionString = 'is'}\n            'IsNot' {$ConditionString = 'is not'}\n            'Contains' {$ConditionString = 'contains'}\n            'Excludes' {$ConditionString = 'excludes'}\n            'Image' {$ConditionString = 'image'}\n            'BeginWith' {$ConditionString = 'begin with'}\n            'EndWith' {$ConditionString = 'end with'}\n            'LessThan' {$ConditionString = 'less than'}\n            'MoreThan' {$ConditionString = 'more than'}\n            Default 
{$ConditionString = 'is'}\n        }\n\n        # Check if the event type exists if not create it.\n        if ($Rules -eq '') {\n            Write-Error -Message 'Rule element does not exist. This appears to not be a valid config file'\n            return\n        } else {\n            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$EventType]\n\n            $EventRule = $Rules.SelectNodes(\"//EventFiltering/$($EvtType)\")\n        }\n\n        if($EventRule -eq $null) {\n            Write-Warning -Message \"No rule for $($EvtType) was found.\"\n            return\n        }\n\n        if($EventRule -eq $null) {\n            Write-Error -Message \"No rule for $($EvtType) was found.\"\n            return\n        } else {\n            if ($EventRule.count -eq $null -or $EventRule.Count -eq 1) {\n                if ($EventRule.onmatch -eq $OnMatch) {\n                    $Filters = $EventRule.SelectNodes('*')\n                    if ($Filters.count -gt 0) {\n                        foreach($val in $Value) {\n                            foreach($Filter in $Filters) {\n                                if ($Filter.Name -eq $EventField) {\n                                    if (($Filter.condition -eq $null) -and ($Condition -eq 'is') -and ($Filter.'#text' -eq $val)) {\n                                        [void]$Filter.ParentNode.RemoveChild($Filter)\n                                        Write-Verbose -Message \"Filter for field $($EventField) with condition $($Condition) and value of $($val) removed.\"\n                                    } elseif (($Filter.condition -eq $Condition) -and ($Filter.'#text' -eq $val)) {\n                                        [void]$Filter.ParentNode.RemoveChild($Filter)\n                                        Write-Verbose -Message \"Filter for field $($EventField) with condition $($Condition) and value of $($val) removed.\"\n                                    }\n                                }\n                         
   }\n                        }\n                        Get-RuleWithFilter($EventRule)\n                    }\n                }\n            } else {\n                Write-Verbose -Message 'Mutiple nodes.'\n                foreach ($rule in $EventRule) {\n                    if ($rule.onmatch -eq $OnMatch) {\n                        $Filters = $rule.SelectNodes('*')\n                        if ($Filters.count -gt 0) {\n                            foreach($val in $Value) {\n                                foreach($Filter in $Filters) {\n                                    if ($Filter.Name -eq $EventField) {\n                                        if (($Filter.condition -eq $null) -and ($Condition -eq 'is') -and ($Filter.'#text' -eq $val)) {\n                                            [void]$Filter.ParentNode.RemoveChild($Filter)\n                                            Write-Verbose -Message \"Filter for field $($EventField) with condition $($Condition) and value of $($val) removed.\"\n                                        } elseif (($Filter.condition -eq $Condition) -and ($Filter.'#text' -eq $val)) {\n                                            [void]$Filter.ParentNode.RemoveChild($Filter)\n                                            Write-Verbose -Message \"Filter for field $($EventField) with condition $($Condition) and value of $($val) removed.\"\n                                        }\n                                    }\n                                }\n                            }\n                            Get-RuleWithFilter($rule)\n                        }\n                    }\n                }\n            }\n        }\n        $config.Save($FileLocation)\n    }\n    End{}\n}\n"
  },
  {
    "path": "Functions/Schemas/SysmonConfigurationSchema_3_40.xsd",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<xs:schema targetNamespace=\"urn:schemas-specterops.io:SysmonConfiguration\"\n    elementFormDefault=\"qualified\"\n    xmlns=\"urn:schemas-specterops.io:SysmonConfiguration\"\n    xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"\n>\n  <xs:simpleType name=\"IncludeExcludeType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported onmatch attribute values.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"include\"/>\n      <xs:enumeration value=\"exclude\"/>\n    </xs:restriction>\n  </xs:simpleType>\n  \n  <xs:simpleType name=\"ConditionOptionType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported condition attribute values.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"is\"/>\n      <xs:enumeration value=\"is not\"/>\n      <xs:enumeration value=\"contains\"/>\n      <xs:enumeration value=\"excludes\"/>\n      <xs:enumeration value=\"begin with\"/>\n      <xs:enumeration value=\"end with\"/>\n      <xs:enumeration value=\"less than\"/>\n      <xs:enumeration value=\"more than\"/>\n      <xs:enumeration value=\"image\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"ConditionOptionIsIsNotType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported condition attribute values in the case where it only makes sense to support \"is\" and \"is not\".\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"is\"/>\n      <xs:enumeration value=\"is not\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"IntegrityLevelType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported process integrity levels.\n      
</xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"AppContainer\"/>\n      <xs:enumeration value=\"Low\"/>\n      <xs:enumeration value=\"Medium\"/>\n      <xs:enumeration value=\"High\"/>\n      <xs:enumeration value=\"System\"/>\n      <xs:enumeration value=\"Protected Process\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"WMIEventType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported WMI events.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"WmiFilterEvent\"/>\n      <xs:enumeration value=\"WmiConsumerEvent\"/>\n      <xs:enumeration value=\"WmiBindingEvent\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"WMIOperationType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported WMI operations.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Deletion\"/>\n      <xs:enumeration value=\"Deleted\"/>\n      <xs:enumeration value=\"Creation\"/>\n      <xs:enumeration value=\"Created\"/>\n      <xs:enumeration value=\"Modification\"/>\n      <xs:enumeration value=\"Modified\"/>\n      <xs:enumeration value=\"Unknown\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"SignatureStatusType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported digital signature validation results.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Valid\"/>\n      <xs:enumeration value=\"Expired\"/>\n      <xs:enumeration value=\"Revoked\"/>\n      <xs:enumeration value=\"Unavailable\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"GuidString\">\n    <xs:annotation>\n      <xs:documentation>\n        
Represents a well-formatted GUID.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}\"/>\n      <xs:whiteSpace value=\"collapse\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"HexString\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a well-formatted hexadecimal string. Note that the hex digits must be upper case.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"0x[0-9A-F]+\"/>\n      <xs:whiteSpace value=\"collapse\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"HashAlgorithmList\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported hash algorithms.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <!-- Note that this will allow duplicates in the comma-separated list. e.g. \"sha1,sha-1,md5\" -->\n      <!-- I don't believe XSD pattern regexes are expressive enough to account for unique values. This is better than nothing though. 
-->\n      <xs:pattern value=\"(\\*|all)|((sha1|sha-1|md5|md-5|sha256|sha-256|imphash|imp-hash)(,(sha1|sha-1|md5|md-5|sha256|sha-256|imphash|imp-hash))*)\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"MajorMinorVersionString\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a well-formatted major.minor version number where both number can be represented with up to two digits.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"[0-9]{1,2}[.][0-9]{1,2}\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:complexType name=\"GenericStringRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where there are no constraints on the value.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:string\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"GuidRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a GUID.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"GuidString\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"HexRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a hexadecimal value.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"HexString\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  
</xs:complexType>\n\n  <xs:complexType name=\"IntegrityLevelRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a specific process integrity level.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"IntegrityLevelType\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n  \n  <xs:complexType name=\"WMIOperationRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a specific WMI operation.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"WMIOperationType\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"WMIEventRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a specific WMI event.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"WMIEventType\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"BooleanRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be either \"true\" or \"false\".\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:boolean\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  
</xs:complexType>\n\n  <xs:complexType name=\"DWORDRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be an unsigned integer.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:unsignedInt\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"WORDRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be an unsigned short.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:unsignedShort\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"SignatureStatusRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a specific signature validation status.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"SignatureStatusType\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:element name=\"Sysmon\">\n    <xs:annotation>\n      <xs:documentation>\n        Sysmon 3.4[0] schema\n      </xs:documentation>\n    </xs:annotation>\n    <xs:complexType>\n      <!-- There must be exactly one Sysmon element. \"Sysmon\" serves as the \"root\" element in the schema. 
-->\n      <xs:all>\n        <xs:element name=\"EventFiltering\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              Specifies a set of events to trigger on.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType>\n            <xs:sequence>\n              <!-- All of the following elements are optional but can occur no more than 2 times: -->\n              <!-- one with an \"include\" and one with an \"exclude\" OnMatch attribute value. -->\n              <xs:element name=\"ProcessCreate\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 1\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"        type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"          type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"              type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CommandLine\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CurrentDirectory\"   type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"User\"               type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"LogonGuid\"          type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"LogonId\"   
         type=\"HexRule\"            minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TerminalSessionId\"  type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"IntegrityLevel\"     type=\"IntegrityLevelRule\" minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Hashes\"             type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ParentProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ParentProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ParentImage\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ParentCommandLine\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"FileCreateTime\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 2\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"                  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"              type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"                type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    
<xs:element name=\"Image\"                    type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetFilename\"           type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CreationUtcTime\"          type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"PreviousCreationUtcTime\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"NetworkConnect\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 3\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"              type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"          type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"            type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"                type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"User\"                 type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Protocol\"             type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Initiated\"            type=\"BooleanRule\"        minOccurs=\"0\" 
maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceIsIpv6\"         type=\"BooleanRule\"        minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceIp\"             type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceHostname\"       type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourcePort\"           type=\"WORDRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourcePortName\"       type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationIsIpv6\"    type=\"BooleanRule\"        minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationIp\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationHostname\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationPort\"      type=\"WORDRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationPortName\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"ProcessTerminate\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 5\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"      
type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"DriverLoad\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 6\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"          type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ImageLoaded\"      type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Hashes\"           type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Signed\"           type=\"BooleanRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Signature\"        type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SignatureStatus\"  type=\"SignatureStatusRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              
<xs:element name=\"ImageLoad\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 7\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"          type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"      type=\"GuidRule\"             minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"        type=\"DWORDRule\"            minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"            type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ImageLoaded\"      type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Hashes\"           type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Signed\"           type=\"BooleanRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Signature\"        type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SignatureStatus\"  type=\"SignatureStatusRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"CreateRemoteThread\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 8\n                  </xs:documentation>\n                </xs:annotation>\n            
    <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceImage\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetImage\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"NewThreadId\"        type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"StartAddress\"       type=\"HexRule\"            minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"StartModule\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"StartFunction\"      type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"RawAccessRead\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 9\n                  </xs:documentation>\n                </xs:annotation>\n         
       <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"      type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Device\"       type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"ProcessAccess\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 10\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceProcessGUID\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceThreadId\"     type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceImage\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetProcessGUID\" 
 type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetImage\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"GrantedAccess\"      type=\"HexRule\"            minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CallTrace\"          type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"FileCreate\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 11\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"          type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"      type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"        type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetFilename\"   type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CreationUtcTime\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute 
name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"RegistryEvent\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 12, 13, 14\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"EventType\"    type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"UtcTime\"      type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetObject\" type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <!-- Due to a broken sysmon DTD schema, the following elements should be supported but are not: -->\n                    <!-- SetValue: Details -->\n                    <!-- DeleteKey: NewName -->\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"FileCreateStreamHash\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 15\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  
<xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"          type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"      type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"        type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetFilename\"   type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CreationUtcTime\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Hash\"             type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"PipeEvent\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 17, 18\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"      type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"PipeName\"     type=\"GenericStringRule\"  minOccurs=\"0\" 
maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"WmiEvent\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 19, 20, 21\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"EventType\"  type=\"WMIEventRule\"       minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"UtcTime\"    type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Operation\"  type=\"WMIOperationRule\"   minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"User\"       type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <!-- Due to a broken sysmon DTD schema, the following elements should be supported but are not: -->\n                    <!-- WMI filter-related: EventNamespace, Name, Query -->\n                    <!-- WMI consumer-related: Name, Type, Destination -->\n                    <!-- WMI filtertoconsumerbinding-related: Consumer, Filter -->\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n            </xs:sequence>\n          </xs:complexType>\n        </xs:element>\n        <!-- HashAlgorithms is a comma-delimited list of supported hashes. 
-->\n        <!-- Since XSD has no way to distinguish a comma-separated list, there is no additional validation that can be performed to constrain the supported hashes. -->\n        <!-- A space-delimited list would be ideal for better hash algorithm validation. -->\n        <xs:element name=\"HashAlgorithms\" type=\"HashAlgorithmList\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              Specifies the hashes that will be calculated upon an event firing.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:element>\n        <xs:element name=\"DriverName\" type=\"xs:Name\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              Specifies the name of the Sysmon driver to be used upon installation of the Sysmon service. This is an alternative to the sysmon.exe \"-d\" switch.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:element>\n        <!-- ProcessAccessConfig doesn't appear to be actually used. Leaving in here to conform with 3.40 DTD schema. -->\n        <xs:element name=\"ProcessAccessConfig\" type=\"xs:string\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              The purpose of ProcessAccessConfig is unknown now that ProcessAccess event rules are supported. Perhaps this offers legacy schema support.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:element>\n        <!-- PipeMonitoringConfig doesn't appear to be actually used. Leaving in here to conform with 3.40 DTD schema. -->\n        <xs:element name=\"PipeMonitoringConfig\" type=\"xs:string\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              The purpose of PipeMonitoringConfig is unknown now that PipeEvent event rules are supported. 
Perhaps this offers legacy schema support.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:element>\n        <!-- CheckRevocation is an empty element. -->\n        <xs:element name=\"CheckRevocation\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              CheckRevocation is an empty element which, when present, indicates that certificate revocation checking should be performed. This is an alternative to the sysmon.exe \"-r\" switch.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType />\n        </xs:element>\n      </xs:all>\n      <xs:attribute name=\"schemaversion\" type=\"MajorMinorVersionString\" use=\"required\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies the sysmon schema version number.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:attribute>\n    </xs:complexType>\n  </xs:element>\n  \n</xs:schema>\n"
  },
  {
    "path": "Functions/Schemas/SysmonConfigurationSchema_4_00.xsd",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<xs:schema targetNamespace=\"urn:schemas-specterops.io:SysmonConfiguration\"\n    elementFormDefault=\"qualified\"\n    xmlns=\"urn:schemas-specterops.io:SysmonConfiguration\"\n    xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"\n>\n  <xs:simpleType name=\"IncludeExcludeType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported onmatch attribute values.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"include\"/>\n      <xs:enumeration value=\"exclude\"/>\n    </xs:restriction>\n  </xs:simpleType>\n  \n  <xs:simpleType name=\"ConditionOptionType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported condition attribute values.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"is\"/>\n      <xs:enumeration value=\"is not\"/>\n      <xs:enumeration value=\"contains\"/>\n      <xs:enumeration value=\"excludes\"/>\n      <xs:enumeration value=\"begin with\"/>\n      <xs:enumeration value=\"end with\"/>\n      <xs:enumeration value=\"less than\"/>\n      <xs:enumeration value=\"more than\"/>\n      <xs:enumeration value=\"image\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"ConditionOptionIsIsNotType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported condition attribute values in the case where it only makes sense to support \"is\" and \"is not\".\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"is\"/>\n      <xs:enumeration value=\"is not\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"IntegrityLevelType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported process integrity levels.\n      
</xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"AppContainer\"/>\n      <xs:enumeration value=\"Low\"/>\n      <xs:enumeration value=\"Medium\"/>\n      <xs:enumeration value=\"High\"/>\n      <xs:enumeration value=\"System\"/>\n      <xs:enumeration value=\"Protected Process\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"WMIEventType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported WMI events.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"WmiFilterEvent\"/>\n      <xs:enumeration value=\"WmiConsumerEvent\"/>\n      <xs:enumeration value=\"WmiBindingEvent\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"WMIOperationType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported WMI operations.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Deletion\"/>\n      <xs:enumeration value=\"Deleted\"/>\n      <xs:enumeration value=\"Creation\"/>\n      <xs:enumeration value=\"Created\"/>\n      <xs:enumeration value=\"Modification\"/>\n      <xs:enumeration value=\"Modified\"/>\n      <xs:enumeration value=\"Unknown\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"SignatureStatusType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported digital signature validation results.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Valid\"/>\n      <xs:enumeration value=\"Expired\"/>\n      <xs:enumeration value=\"Revoked\"/>\n      <xs:enumeration value=\"Unavailable\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"GuidString\">\n    <xs:annotation>\n      <xs:documentation>\n        
Represents a well-formatted GUID.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}\"/>\n      <xs:whiteSpace value=\"collapse\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"HexString\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a well-formatted hexadecimal string. Note that the hex digits must be upper case.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"0x[0-9A-F]+\"/>\n      <xs:whiteSpace value=\"collapse\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"HashAlgorithmList\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported hash algorithms.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <!-- Note that this will allow duplicates in the comma-separated list, e.g. \"sha1,sha-1,md5\" -->\n      <!-- I don't believe XSD pattern regexes are expressive enough to account for unique values. This is better than nothing though. 
-->\n      <xs:pattern value=\"(\\*|all)|((sha1|sha-1|md5|md-5|sha256|sha-256|imphash|imp-hash)(,(sha1|sha-1|md5|md-5|sha256|sha-256|imphash|imp-hash))*)\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"MajorMinorVersionString\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a well-formatted major.minor version number where both numbers can be represented with up to two digits.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"[0-9]{1,2}[.][0-9]{1,2}\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:complexType name=\"GenericStringRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where there are no constraints on the value.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:string\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"GuidRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a GUID.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"GuidString\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"HexRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a hexadecimal value.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"HexString\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  
</xs:complexType>\n\n  <xs:complexType name=\"IntegrityLevelRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a specific process integrity level.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"IntegrityLevelType\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n  \n  <xs:complexType name=\"WMIOperationRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a specific WMI operation.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"WMIOperationType\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"WMIEventRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a specific WMI event.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"WMIEventType\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"BooleanRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be either \"true\" or \"false\".\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:boolean\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  
</xs:complexType>\n\n  <xs:complexType name=\"DWORDRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be an unsigned integer.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:unsignedInt\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"WORDRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be an unsigned short.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:unsignedShort\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"SignatureStatusRule\">\n    <xs:annotation>\n      <xs:documentation>\n        This type is applied to a Sysmon rule element where the value is expected to be a specific signature validation status.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"SignatureStatusType\">\n        <xs:attribute name=\"condition\" default=\"is\" type=\"ConditionOptionIsIsNotType\" />\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:element name=\"Sysmon\">\n    <xs:annotation>\n      <xs:documentation>\n        Sysmon 4.0[0] schema\n      </xs:documentation>\n    </xs:annotation>\n    <xs:complexType>\n      <!-- There must be exactly one Sysmon element. \"Sysmon\" serves as the \"root\" element in the schema. 
-->\n      <xs:all>\n        <xs:element name=\"EventFiltering\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              Specifies a set of events to trigger on.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType>\n            <xs:sequence>\n              <!-- All of the following elements are optional but can occur no more than 2 times: -->\n              <!-- one with an \"include\" and one with an \"exclude\" OnMatch attribute value. -->\n              <xs:element name=\"ProcessCreate\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 1\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"        type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"          type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"              type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"FileVersion\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Description\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Product\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Company\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element 
name=\"CommandLine\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CurrentDirectory\"   type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"User\"               type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"LogonGuid\"          type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"LogonId\"            type=\"HexRule\"            minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TerminalSessionId\"  type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"IntegrityLevel\"     type=\"IntegrityLevelRule\" minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Hashes\"             type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ParentProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ParentProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ParentImage\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ParentCommandLine\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"FileCreateTime\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 2\n                  </xs:documentation>\n                </xs:annotation>\n    
            <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"                  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"              type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"                type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"                    type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetFilename\"           type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CreationUtcTime\"          type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"PreviousCreationUtcTime\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"NetworkConnect\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 3\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"              type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"          type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"            type=\"DWORDRule\"          minOccurs=\"0\" 
maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"                type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"User\"                 type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Protocol\"             type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Initiated\"            type=\"BooleanRule\"        minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceIsIpv6\"         type=\"BooleanRule\"        minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceIp\"             type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceHostname\"       type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourcePort\"           type=\"WORDRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourcePortName\"       type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationIsIpv6\"    type=\"BooleanRule\"        minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationIp\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationHostname\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationPort\"      type=\"WORDRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"DestinationPortName\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" 
use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"ProcessTerminate\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 5\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"      type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"DriverLoad\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 6\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"          type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ImageLoaded\"      type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Hashes\"           type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Signed\"           type=\"BooleanRule\"          
minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Signature\"        type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SignatureStatus\"  type=\"SignatureStatusRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"ImageLoad\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 7\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"          type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"      type=\"GuidRule\"             minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"        type=\"DWORDRule\"            minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"            type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ImageLoaded\"      type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"FileVersion\"      type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Description\"      type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Product\"          type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Company\"          type=\"GenericStringRule\"    
minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Hashes\"           type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Signed\"           type=\"BooleanRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Signature\"        type=\"GenericStringRule\"    minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SignatureStatus\"  type=\"SignatureStatusRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"CreateRemoteThread\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 8\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceImage\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetImage\"        
type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"NewThreadId\"        type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"StartAddress\"       type=\"HexRule\"            minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"StartModule\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"StartFunction\"      type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"RawAccessRead\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 9\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"      type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Device\"       type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              
<xs:element name=\"ProcessAccess\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 10\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceProcessGUID\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceThreadId\"     type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"SourceImage\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetProcessGUID\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetImage\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"GrantedAccess\"      type=\"HexRule\"            minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CallTrace\"          type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"FileCreate\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  
<xs:documentation>\n                    Event ID: 11\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"          type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"      type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"        type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetFilename\"   type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CreationUtcTime\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"RegistryEvent\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 12, 13, 14\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"EventType\"    type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"UtcTime\"      type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element 
name=\"ProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetObject\" type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <!-- Due to a broken sysmon DTD schema, the following elements should be supported but are not: -->\n                    <!-- SetValue: Details -->\n                    <!-- DeleteKey: NewName -->\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"FileCreateStreamHash\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 15\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"          type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"      type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"        type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"            type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"TargetFilename\"   type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"CreationUtcTime\"  type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Hash\"             type=\"GenericStringRule\"  
minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"PipeEvent\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 17, 18\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"UtcTime\"      type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessGuid\"  type=\"GuidRule\"           minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"ProcessId\"    type=\"DWORDRule\"          minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"PipeName\"     type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Image\"        type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element name=\"WmiEvent\" minOccurs=\"0\" maxOccurs=\"2\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Event ID: 19, 20, 21\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"EventType\"  type=\"WMIEventRule\"       minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"UtcTime\"    type=\"GenericStringRule\"  
minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"Operation\"  type=\"WMIOperationRule\"   minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <xs:element name=\"User\"       type=\"GenericStringRule\"  minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n                    <!-- Due to a broken sysmon DTD schema, the following elements should be supported but are not: -->\n                    <!-- WMI filter-related: EventNamespace, Name, Query -->\n                    <!-- WMI consumer-related: Name, Type, Destination -->\n                    <!-- WMI filtertoconsumerbinding-related: Consumer, Filter -->\n                  </xs:sequence>\n                  <xs:attribute name=\"onmatch\" type=\"IncludeExcludeType\" use=\"required\"/>\n                </xs:complexType>\n              </xs:element>\n            </xs:sequence>\n          </xs:complexType>\n        </xs:element>\n        <!-- HashAlgorithms is a comma-delimited list of supported hashes. -->\n        <!-- Since XSD has no way to distinguish a comma-separated list, there is no additional validation that can be performed to constrain the supported hashes. -->\n        <!-- A space-delimited list would be ideal for better hash algorithm validation. -->\n        <xs:element name=\"HashAlgorithms\" type=\"HashAlgorithmList\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              Specifies the hashes that will be calculated upon an event firing.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:element>\n        <xs:element name=\"DriverName\" type=\"xs:Name\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              Specifies the name of the Sysmon driver to be used upon installation of the Sysmon service. 
This is an alternative to the sysmon.exe \"-d\" switch.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:element>\n        <!-- ProcessAccessConfig doesn't appear to be actually used. Leaving in here to conform with 3.40 DTD schema. -->\n        <xs:element name=\"ProcessAccessConfig\" type=\"xs:string\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              The purpose of ProcessAccessConfig is unknown now that ProcessAccess event rules are supported. Perhaps this offers legacy schema support.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:element>\n        <!-- PipeMonitoringConfig doesn't appear to be actually used. Leaving in here to conform with 3.40 DTD schema. -->\n        <xs:element name=\"PipeMonitoringConfig\" type=\"xs:string\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              The purpose of PipeMonitoringConfig is unknown now that PipeEvent event rules are supported. Perhaps this offers legacy schema support.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:element>\n        <!-- CheckRevocation is an empty element. -->\n        <xs:element name=\"CheckRevocation\" minOccurs=\"0\" maxOccurs=\"1\">\n          <xs:annotation>\n            <xs:documentation>\n              CheckRevocation is an empty element where when present, indicates that certificate revocation checking should be performed. 
This is an alternative to the sysmon.exe \"-r\" switch.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType />\n        </xs:element>\n      </xs:all>\n      <xs:attribute name=\"schemaversion\" type=\"MajorMinorVersionString\" use=\"required\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies the sysmon schema version number.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:attribute>\n    </xs:complexType>\n  </xs:element>\n  \n</xs:schema>\n"
  },
  {
    "path": "Functions/Set-SysmonHashingAlgorithm.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Set-SysmonHashingAlgorithm\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Specify one or more hash algorithms used for image identification\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('ALL', 'MD5', 'SHA1', 'SHA256', 'IMPHASH')]\n        [string[]]\n        $HashingAlgorithm\n    )\n\n    Begin{}\n    Process\n    {\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'\n                {\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n\n                'LiteralPath'\n                {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [System.Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not 
appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n         if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        Write-Verbose -Message 'Updating Hashing option.'\n        if ($HashingAlgorithm -contains 'ALL')\n        {\n            $Hash = '*'\n        }\n        else\n        {\n            $Hash = $HashingAlgorithm -join ','\n        }\n\n        # Check if the HashAlgorithms node exists.\n        if($Config.SelectSingleNode('//Sysmon/HashAlgorithms') -ne $null)\n        {\n            $Config.Sysmon.HashAlgorithms = $Hash\n        }\n        else\n        {\n            $HashElement = $Config.CreateElement('HashAlgorithms')\n            [void]$Config.Sysmon.Configuration.AppendChild($HashElement)\n            $Config.Sysmon.Configuration.Hashing = $Hash\n        }\n        Write-Verbose -Message 'Hashing option has been updated.'\n\n\n        Write-Verbose -Message \"Option have been set on $($FileLocation)\"\n        $Config.Save($FileLocation)\n    }\n    End{}\n}"
  },
  {
    "path": "Functions/Set-SysmonRule.ps1",
    "content": "#  .ExternalHelp Posh-SysMon.psm1-Help.xml\nfunction Set-SysmonRule\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path',\n                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        $Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        $LiteralPath,\n\n        # Event type to update.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n                     'ProcessTerminate', 'ImageLoad', 'DriverLoad', 'CreateRemoteThread',\n                     'ProcessAccess', 'RawAccessRead', 'FileCreateStreamHash',\n                     'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')]\n        [string[]]\n        $EventType,\n\n        # Action for event type rule and filters.\n        [Parameter(Mandatory=$false,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=2)]\n        [ValidateSet('Include', 'Exclude')]\n        [String]\n        $OnMatch = 'Exclude',\n\n        # Action to take for Schema 3.0 files.\n        [Parameter(Mandatory=$false,\n                   ValueFromPipelineByPropertyName=$true)]\n        [ValidateSet('Modify', 'Add')]\n        [String]\n        $Action = 'Modify'\n    )\n\n    Begin{}\n    Process\n    {\n        # if no elemrnt create one either if it is 
schema 2.0 or 3.0.\n        # If one is present we modify that one if Schema 2.0 and if Schema 3.0 and action modify.\n        # If Schema 3.0 and action add we check if only is present and that it is not the same OnMatch\n        # as being specified if it is we do nothing if not we add.\n\n\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'\n                {\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n\n                'LiteralPath'\n                {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n         if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        $Rules = $config.SelectSingleNode('//Sysmon/EventFiltering')\n\n        foreach($Type in $EventType)\n        {\n            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$Type]\n            $RuleData = $Rules.SelectSingleNode(\"//EventFiltering/$($EvtType)\")\n            $elements = $Rules.\"$($EvtType)\" | Select-Object -property onmatch -Unique\n\n            if($RuleData -ne $null)\n            {\n                if 
($Rules.\"$($EvtType)\".count -eq $null)\n                {\n                    if (($Config.Sysmon.schemaversion -eq '2.0') -or ($Config.Sysmon.schemaversion -ge 3.0 -and $Action -eq 'Modify'))\n                    {\n                        Write-Verbose -Message \"Setting as default action for $($EvtType) the rule on match of $($OnMatch).\"\n                        $RuleData.SetAttribute('onmatch',($OnMatch.ToLower()))\n                        Write-Verbose -Message 'Action has been set.'\n                    }\n                    elseif ($Config.Sysmon.schemaversion -ge 3.0 -and $Action -eq 'Add')\n                    {\n                        if ($RuleData.onmatch -ne $OnMatch)\n                        {\n                            Write-Verbose -Message \"Creating rule for event type with action of $($OnMatch)\"\n                            $TypeElement = $config.CreateElement($EvtType)\n                            $TypeElement.SetAttribute('onmatch',($OnMatch.ToLower()))\n                             $RuleData = $Rules.AppendChild($TypeElement)\n                            Write-Verbose -Message 'Action has been set.'\n                        }\n                        else\n                        {\n                            Write-Verbose -Message 'A rule with the specified onmatch action already exists.'\n                        }\n                    }\n                }\n                elseif ($Config.Sysmon.schemaversion -ge 3.0 -and $elements.count -eq 2)\n                {\n                    Write-Verbose -Message 'A rule with the specified onmatch action already exists.'\n                }\n                else\n                {\n                    Write-Error -Message 'This XML file does not conform to the schema.'\n                    return\n                }\n            }\n            else\n            {\n                Write-Verbose -Message \"No rule for $($EvtType) was found.\"\n                Write-Verbose -Message \"Creating 
rule for event type with action of $($OnMatch)\"\n                $TypeElement = $config.CreateElement($EvtType)\n                $TypeElement.SetAttribute('onmatch',($OnMatch.ToLower()))\n                $RuleData = $Rules.AppendChild($TypeElement)\n                Write-Verbose -Message 'Action has been set.'\n            }\n\n            Get-RuleWithFilter($RuleData)\n        }\n        $config.Save($FileLocation)\n    }\n    End{}\n}"
  },
  {
    "path": "LICENSE",
    "content": "Copyright (c) 2016, Carlos Perez\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\n* Neither the name of Posh-Sysmon nor the names of its\n  contributors may be used to endorse or promote products derived from\n  this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n"
  },
  {
    "path": "Posh-SysMon.psm1",
    "content": "﻿\n# Load functions\n . \"$($PSScriptRoot)\\Functions\\Get-SysmonEventData.ps1\"\n . \"$($PSScriptRoot)\\Functions\\Get-SysmonHashingAlgorithm.ps1\"\n . \"$($PSScriptRoot)\\Functions\\Get-SysmonRule.ps1\"\n . \"$($PSScriptRoot)\\Functions\\Get-SysmonRuleFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonConfiguration.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonCreateRemoteThreadFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonDriverLoadFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonFileCreateFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonFileCreateStreamHashFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonImageLoadFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonNetworkConnectFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonPipeFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonProcessAccessFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonProcessCreateFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonProcessTerminateFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonRawAccessReadFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonRegistryFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\New-SysmonWmiFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\Remove-SysmonRule.ps1\"\n . \"$($PSScriptRoot)\\Functions\\Remove-SysmonRuleFilter.ps1\"\n . \"$($PSScriptRoot)\\Functions\\Set-SysmonHashingAlgorithm.ps1\"\n . \"$($PSScriptRoot)\\Functions\\Set-SysmonRule.ps1\"\n . \"$($PSScriptRoot)\\Functions\\Get-SysmonConfiguration.ps1\"\n . \"$($PSScriptRoot)\\Functions\\ConvertTo-SysmonXMLConfiguration.ps1\"\n . 
\"$($PSScriptRoot)\\Functions\\ConvertFrom-SysmonBinaryConfiguration.ps1\"\n\n# Supporteted Sysmon schema versions.\n$SysMonSupportedVersions = @(\n    '4.0'\n    '4.1'\n )\n\n# Table that maps schema version to Sysmon version.\n$sysmonVerMap = @{\n     '2.0' = '3.0'\n     '3.0' = '4.0'\n     '3.1' = '4.11'\n     '3.2' = '5.0'\n     '3.3' = '6.0'\n     '3.4' = '6.1, 6.2'\n     '4.0' = '7.0'\n     '4.1' = '8.0'\n }\n\nfunction Get-RuleWithFilter\n{\n    Param\n    (\n        [Parameter(Mandatory=$true)]\n        $Rules\n    )\n    foreach ($rule in $Rules)\n    {\n        $RuleObjOptions = [ordered]@{}\n        $RuleObjOptions['EventType'] = $Rule.Name\n        if ($Rule.onmatch -eq $null -or $Rule.onmatch -eq 'exclude')\n        {\n               $RuleObjOptions.Add('DefaultAction','Exclude')\n        }\n        else\n        {\n            $RuleObjOptions.Add('DefaultAction','Include')\n        }\n\n        # Process individual filters\n        $Nodes = $Rule.selectnodes('*')\n        if ($Nodes.count -eq 0)\n        {\n            $RuleObjOptions.add('Scope','All Events')\n        }\n        else\n        {\n            $RuleObjOptions.add('Scope','Filtered')\n            $Filters = @()\n            foreach ($Node in $Nodes)\n            {\n                $FilterObjProps = [ordered]@{}\n                $FilterObjProps['EventField'] = $Node.LocalName\n                $FilterObjProps['RuleName'] = $Node.Name\n                $FilterObjProps['Condition'] = &{if($Node.condition -eq $null){'is'}else{$Node.condition}}\n                $FilterObjProps['Value'] =  $Node.'#text'\n                $FilterObj = New-Object -TypeName psobject -Property $FilterObjProps\n                $FilterObj.pstypenames.insert(0,'Sysmon.Rule.Filter')\n                $Filters += $FilterObj\n            }\n            $RuleObjOptions.add('Filters',$Filters)\n        }\n\n        $RuleObj = New-Object -TypeName psobject -Property $RuleObjOptions\n        
$RuleObj.pstypenames.insert(0,'Sysmon.Rule')\n        $RuleObj\n    }\n}\n\n<#\n.Synopsis\n   Creates a filter for an event field for an event type in a Sysmon XML configuration file.\n.DESCRIPTION\n   Creates a filter for an event field for an event type in a Sysmon XML configuration file.\n.EXAMPLE\n   New-nRuleFilter -Path .\\pc_cofig.xml -EventType NetworkConnect -EventField image -Condition Is -Value 'iexplorer.exe' -Verbose\n\n    VERBOSE: No rule for NetworkConnect was found.\n    VERBOSE: Creating rule for event type with default action if Exclude\n    VERBOSE: Rule created succesfully\n\n    C:\\PS>Get-GetSysmonRules -Path .\\pc_cofig.xml -EventType NetworkConnect\n\n\n    EventType     : NetworkConnect\n    Scope         : Filtered\n    DefaultAction : Exclude\n    Filters       : {@{EventField=image; Condition=Is; Value=iexplorer.exe}}\n\n\n    Create a filter to capture all network connections from iexplorer.exe.\n#>\nfunction New-RuleFilter\n{\n    [CmdletBinding(DefaultParameterSetName = 'Path')]\n    Param\n    (\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='Path',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [string]$Path,\n\n        # Path to XML config file.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   ParameterSetName='LiteralPath',\n                   Position=0)]\n        [ValidateScript({Test-Path -Path $_})]\n        [Alias('PSPath')]\n        [string]$LiteralPath,\n\n        # Event type to create filter for.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=1)]\n        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',\n                     'ProcessTerminate', 'ImageLoad', 'DriverLoad',\n                     
'CreateRemoteThread', 'ProcessAccess','RawAccessRead',\n                     'FileCreate', 'RegistryEvent', 'FileCreateStreamHash',\n                     'PipeEvent', 'WmiEvent',IgnoreCase = $false)]\n        [string]\n        $EventType,\n\n        # Event type to create filter for.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=2)]\n        [ValidateSet('include', 'exclude')]\n        [string]\n        $OnMatch,\n\n        # Condition for filtering against and event field.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=3)]\n        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',\n                     'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]\n        [string]\n        $Condition,\n\n        # Event field to filter on.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=4)]\n        [string]\n        $EventField,\n\n        # Value of Event Field to filter on.\n        [Parameter(Mandatory=$true,\n                   ValueFromPipelineByPropertyName=$true,\n                   Position=5)]\n        [string[]]\n        $Value,\n\n        # Rule Name for the filter.\n        [Parameter(Mandatory=$false,\n            ValueFromPipelineByPropertyName=$true)]\n        [string]\n        $RuleName\n    )\n\n    Begin{}\n    Process\n    {\n        # Check if the file is a valid XML file and if not raise and error.\n        try\n        {\n            switch($psCmdlet.ParameterSetName)\n            {\n                'Path'\n                {\n                    [xml]$Config = Get-Content -Path $Path\n                    $FileLocation = (Resolve-Path -Path $Path).Path\n                }\n\n                'LiteralPath'\n                {\n                    [xml]$Config = Get-Content -LiteralPath $LiteralPath\n                    
$FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path\n                }\n            }\n        }\n        catch [Management.Automation.PSInvalidCastException]\n        {\n            Write-Error -Message 'Specified file does not appear to be a XML file.'\n            return\n        }\n\n        # Validate the XML file is a valid Sysmon file.\n        if ($Config.SelectSingleNode('//Sysmon') -eq $null)\n        {\n            Write-Error -Message 'XML file is not a valid Sysmon config file.'\n            return\n        }\n\n         if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)\n        {\n            Write-Error -Message 'This version of Sysmon Rule file is not supported.'\n            return\n        }\n\n        $Rules = $Config.SelectSingleNode('//Sysmon/EventFiltering')\n\n        # Select the proper condition string and make sure it is the proper case.\n        switch ($Condition)\n        {\n            'Is' {$ConditionString = 'is'}\n            'IsNot' {$ConditionString = 'is not'}\n            'Contains' {$ConditionString = 'contains'}\n            'Excludes' {$ConditionString = 'excludes'}\n            'Image' {$ConditionString = 'image'}\n            'BeginWith' {$ConditionString = 'begin with'}\n            'EndWith' {$ConditionString = 'end with'}\n            'LessThan' {$ConditionString = 'less than'}\n            'MoreThan' {$ConditionString = 'more than'}\n            Default {$ConditionString = 'is'}\n        }\n\n        # Check if the event type exists if not create it.\n\n        $RuleData = $Rules.SelectNodes(\"//EventFiltering/$($EventType)\")\n\n        if($RuleData -eq $null)\n        {\n            Write-Error -Message \"No rule for $($EventType) was found.\"\n            return\n        } # If only one element this will return null, more than one this will provide a value.\n        else\n        {\n            if ($RuleData.count -eq 1)\n            {\n                if ($RuleData.Attributes.\"#text\" -eq 
$OnMatch)\n                {\n                    Write-Verbose -Message 'Single node.'\n                    Write-Verbose -Message \"Creating filters for event type $($EventType).\"\n                    # For each value for the event type create a filter.\n                    foreach($val in $value)\n                    {\n                        Write-Verbose -Message \"Creating filter for event filed $($EventField) with condition $($Condition) for value $($val).\"\n                        $FieldElement = $Config.CreateElement($EventField)\n                        $Filter = $RuleData.AppendChild($FieldElement)\n                        if ($RuleName) {\n                            $Filter.SetAttribute('name',$RuleName)\n                        }\n                        $Filter.SetAttribute('condition',$ConditionString)\n                        $filter.InnerText = $val\n                        $Config.Save($FileLocation)\n                    }\n                }\n                else\n                {\n                    write-error -Message \"Event type $($EventType) with a on match condition of $($OnMatch) was not found.\"\n                    return\n                }\n            }\n            else\n            {\n                Write-Verbose -Message 'Mutiple nodes.'\n                foreach ($rule in $RuleData)\n                {\n                    if ($rule.onmatch -eq $OnMatch)\n                    {\n                        Write-Verbose -Message \"Found rule for event type $($EventType) with $($OnMatch)\"\n                        Write-Verbose -Message \"Creating filters for event type $($EventType).\"\n                        # For each value for the event type create a filter.\n                        foreach($val in $value)\n                        {\n                            Write-Verbose -Message \"Creating filter for event filed $($EventField) with condition $($Condition) for value $($val).\"\n                            $FieldElement = 
$Config.CreateElement($EventField)\n                            $Filter = $rule.AppendChild($FieldElement)\n                            if ($RuleName) {\n                                $Filter.SetAttribute('name',$RuleName)\n                            }\n                            $Filter.SetAttribute('condition',$ConditionString)\n                            $filter.InnerText = $val\n                            $Config.Save($FileLocation)\n                        }\n                        $RuleData = $rule\n                    }\n                }\n            }\n\n        }\n        Get-RuleWithFilter($RuleData)\n    }\n    End{}\n}\n"
  },
  {
    "path": "Posh-Sysmon.psd1",
    "content": "#\n# Module manifest for module 'PSGet_Posh-Sysmon'\n#\n# Generated by: Carlos Perez carlos_Perez@darkoperator.com\n#\n# Generated on: 8/16/2016\n#\n\n@{\n\n# Script module or binary module file associated with this manifest.\nRootModule = '.\\Posh-SysMon.psm1'\n\n# Version number of this module.\nModuleVersion = '1.2'\n\n# Supported PSEditions\n# CompatiblePSEditions = @()\n\n# ID used to uniquely identify this module\nGUID = 'a8ade6cb-39d5-45a1-b4aa-acf29ee34aed'\n\n# Author of this module\nAuthor = 'Carlos Perez carlos_Perez@darkoperator.com'\n\n# Company or vendor of this module\nCompanyName = 'Darkoperator.com'\n\n# Copyright statement for this module\nCopyright = '(c) 2018 Carlos Perez carlos_Perez@darkoperator.com. All rights reserved.'\n\n# Description of the functionality provided by this module\nDescription = 'Module for the creation and managing of Sysinternal Sysmon configuration XML files.'\n\n# Minimum version of the Windows PowerShell engine required by this module\nPowerShellVersion = '3.0'\n\n# Name of the Windows PowerShell host required by this module\n# PowerShellHostName = ''\n\n# Minimum version of the Windows PowerShell host required by this module\n# PowerShellHostVersion = ''\n\n# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.\n# DotNetFrameworkVersion = ''\n\n# Minimum version of the common language runtime (CLR) required by this module. 
This prerequisite is valid for the PowerShell Desktop edition only.\n# CLRVersion = ''\n\n# Processor architecture (None, X86, Amd64) required by this module\n# ProcessorArchitecture = ''\n\n# Modules that must be imported into the global environment prior to importing this module\n# RequiredModules = @()\n\n# Assemblies that must be loaded prior to importing this module\n# RequiredAssemblies = @()\n\n# Script files (.ps1) that are run in the caller's environment prior to importing this module.\n# ScriptsToProcess = @()\n\n# Type files (.ps1xml) to be loaded when importing this module\n# TypesToProcess = @()\n\n# Format files (.ps1xml) to be loaded when importing this module\nFormatsToProcess = 'Format\\Sysmon.ConfigOption.ps1xml', 'Format\\Sysmon.Rule.ps1xml',\n               'Format\\Sysmon.Rule.Filter.ps1xml'\n\n# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess\n# NestedModules = @()\n\n# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.\nFunctionsToExport = 'Get-SysmonHashingAlgorithm', 'Get-SysmonRule',\n               'New-SysmonConfiguration', 'New-SysmonDriverLoadFilter',\n               'New-SysmonFileCreateFilter', 'New-SysmonImageLoadFilter',\n               'New-SysmonNetworkConnectFilter', 'New-SysmonProcessCreateFilter',\n               'New-SysmonProcessTerminateFilter', 'Remove-SysmonRule',\n               'Remove-SysmonRuleFilter', 'Set-SysmonHashingAlgorithm',\n               'Set-SysmonRule', 'Get-SysmonEventData', 'Get-SysmonRuleFilter',\n               'New-SysmonProcessAccessFilter', 'New-SysmonFileCreateStreamHashFilter',\n               'New-SysmonRegistryFilter', 'New-SysmonFileCreateFilter',\n               'New-SysmonPipeFIlter', 'New-SysmonWmiFilter', 'New-SysmonWmiFilter',\n               'ConvertFrom-SysmonBinaryConfiguration', 'ConvertTo-SysmonXMLConfiguration',\n               
'Get-SysmonConfiguration'\n\n# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.\nCmdletsToExport = @()\n\n# Variables to export from this module\n# VariablesToExport = @()\n\n# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.\nAliasesToExport = @()\n\n# DSC resources to export from this module\n# DscResourcesToExport = @()\n\n# List of all modules packaged with this module\n# ModuleList = @()\n\n# List of all files packaged with this module\n# FileList = @()\n\n# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.\nPrivateData = @{\n\n    #NetworkConnect of this module\n    NetworkConnect = 'NetworkConnect'\n\n    #DriverLoad of this module\n    DriverLoad = 'DriverLoad'\n\n    #ProcessAccess of this module\n    ProcessAccess = 'ProcessAccess'\n\n    #CommandLine of this module\n    CommandLine = 'CommandLine'\n\n    #SourceImage of this module\n    SourceImage = 'SourceImage'\n\n    #Protocol of this module\n    Protocol = 'Protocol'\n\n    #TargetProcessGUID of this module\n    TargetProcessGUID = 'TargetProcessGUID'\n\n    #CallTrace of this module\n    CallTrace = 'CallTrace'\n\n    #RawAccessRead of this module\n    RawAccessRead = 'RawAccessRead'\n\n    #DestinationPort of this module\n    DestinationPort = 'DestinationPort'\n\n    #SourceHostname of this module\n    SourceHostname = 'SourceHostname'\n\n    #DestinationIp of this module\n    DestinationIp = 'DestinationIp'\n\n    #SourceIsIpv6 of this module\n    SourceIsIpv6 = 'SourceIsIpv6'\n\n    #Initiated of this module\n    Initiated = 'Initiated'\n\n    #SourceProcessGUID of this module\n    SourceProcessGUID = 'SourceProcessGUID'\n\n    #SourcePort of this module\n 
   SourcePort = 'SourcePort'\n\n    #PreviousCreationUtcTime of this module\n    PreviousCreationUtcTime = 'PreviousCreationUtcTime'\n\n    #TargetProcessId of this module\n    TargetProcessId = 'TargetProcessId'\n\n    #ProcessTerminate of this module\n    ProcessTerminate = 'ProcessTerminate'\n\n    #ParentProcessId of this module\n    ParentProcessId = 'ParentProcessId'\n\n    #SourceThreadId of this module\n    SourceThreadId = 'SourceThreadId'\n\n    #IntegrityLevel of this module\n    IntegrityLevel = 'IntegrityLevel'\n\n    #ProcessGuid of this module\n    ProcessGuid = 'ProcessGuid'\n\n    #ProcessCreate of this module\n    ProcessCreate = 'ProcessCreate'\n\n    #CreateRemoteThread of this module\n    CreateRemoteThread = 'CreateRemoteThread'\n\n    #TargetImage of this module\n    TargetImage = 'TargetImage'\n\n    #Hashes of this module\n    Hashes = 'Hashes'\n\n    #UtcTime of this module\n    UtcTime = 'UtcTime'\n\n    #SourcePortName of this module\n    SourcePortName = 'SourcePortName'\n\n    #SourceIp of this module\n    SourceIp = 'SourceIp'\n\n    #ParentCommandLine of this module\n    ParentCommandLine = 'ParentCommandLine'\n\n    #ImageLoaded of this module\n    ImageLoaded = 'ImageLoaded'\n\n    #TerminalSessionId of this module\n    TerminalSessionId = 'TerminalSessionId'\n\n    #ProcessId of this module\n    ProcessId = 'ProcessId'\n\n    #GrantedAccess of this module\n    GrantedAccess = 'GrantedAccess'\n\n    #FileCreateTime of this module\n    FileCreateTime = 'FileCreateTime'\n\n    #ParentImage of this module\n    ParentImage = 'ParentImage'\n\n    #ImageLoad of this module\n    ImageLoad = 'ImageLoad'\n\n    #ParentProcessGuid of this module\n    ParentProcessGuid = 'ParentProcessGuid'\n\n    #Signed of this module\n    Signed = 'Signed'\n\n    #DestinationHostname of this module\n    DestinationHostname = 'DestinationHostname'\n\n    #Signature of this module\n    Signature = 'Signature'\n\n    #LogonGuid of this module\n    LogonGuid = 
'LogonGuid'\n\n    #Image of this module\n    Image = 'Image'\n\n    #User of this module\n    User = 'User'\n\n    #DestinationPortName of this module\n    DestinationPortName = 'DestinationPortName'\n\n    #LogonId of this module\n    LogonId = 'LogonId'\n\n    #TargetFilename of this module\n    TargetFilename = 'TargetFilename'\n\n    #CreationUtcTime of this module\n    CreationUtcTime = 'CreationUtcTime'\n\n    #DestinationIsIpv6 of this module\n    DestinationIsIpv6 = 'DestinationIsIpv6'\n\n    # hash for FileCreateStreamHash events.\n    Hash = 'Hash'\n\n    # Target object in registry events.\n    TargetObject = 'TargetObject'\n\n    FileCreateStreamHash = 'FileCreateStreamHash'\n\n    RegistryEvent = 'RegistryEvent'\n\n    FileCreate = 'FileCreate'\n\n    Pipe = 'Pipe'\n\n    PipeEvent = 'PipeEvent'\n\n    WmiEvent = 'WmiEvent'\n\n    EventType = 'EventType'\n\n    EventNamespace = 'EventNamespace'\n\n    # Name given to a WMI object.\n    Name = 'Name'\n\n    # Namespace where a WMI object was created at.\n    Destination = 'Destination'\n\n    Type = 'Type'\n\n    # Query used by a WMI Filter.\n    Query = 'Query'\n\n    # Operation of a WMI component event.\n    Operation = 'Operation'\n\n    # Consumer name of a WMI binding event.\n    Consumer = 'Consumer'\n\n    # WMI Filter in a EventFilter event.\n    Filter = 'Filter'\n\n    FileVersion = 'FileVersion'\n\n    Description = 'Description'\n\n    Product = 'Product'\n\n    Company = 'Company'\n\n    PSData = @{\n\n        # Tags applied to this module. 
These help with module discovery in online galleries.\n        Tags = 'Sysmon','Security','Logging'\n\n        # A URL to the license for this module.\n        LicenseUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/LICENSE'\n\n        # A URL to the main website for this project.\n        ProjectUri = 'https://github.com/darkoperator/Posh-Sysmon'\n\n        # A URL to an icon representing this module.\n        # IconUri = ''\n\n        # ReleaseNotes of this module\n        # ReleaseNotes = ''\n\n        # External dependent modules of this module\n        # ExternalModuleDependencies = ''\n\n    } # End of PSData hashtable\n\n} # End of PrivateData hashtable\n\n# HelpInfo URI of this module\n# HelpInfoURI = ''\n\n# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.\n# DefaultCommandPrefix = ''\n\n}\n\n"
  },
  {
    "path": "README.md",
    "content": "# Posh-Sysmon\nPowerShell 3.0 or above module for creating and managing Sysinternals Sysmon v2.0 config files. System Monitor ([Sysmon](https://technet.microsoft.com/en-us/sysinternals/dn798348)) is a Windows system service and device driver that is part of the SysInternal tools from Microsoft. It is written by Mark Russinovich and Thomas Garnier to monitor a Windows system's actions and log such actions into the Windows Event Log. When the tool is installed on a system it can be given an XML configuration file so as to control what is logged, and the same file can be used to update the configuration of a previously installed instance of the tool.\n\nAll functions in the PowerShell module include help information and examples of usage that can be viewed using the Get-Help cmdlet.\n\n## Installation\n\nFor installation it is highly recommended that you install from the PowerShell Gallery using the Install-Module cmdlet.\n\nOn PowerShell v5 and above:\n\n``` Powershell\nInstall-Module -Name Posh-Sysmon\n```\n\nIf you are running PS 3.0 to 4.0 you can also use the PowerShell Gallery by following the instructions in the [PowerShell Gallery Documentation](https://msdn.microsoft.com/powershell/gallery/readme)\n\n## Change Log\n\n### Version 1.2\n\n* Module only supports the last 2 Schema versions.**[Breaking Change]**\n* Support for Sysmon 8.0 Schema version 4.1 RuleName\n* Fixed issue when adding a filter for a non-existent rule. 
It will properly error now.\n\n### Version 1.0\n\n* Module only supports the last 2 Schema versions.**[Breaking Change]**\n* Support for Sysmon 7.0 Schema version 4.0\n* Added new fields for filtering introduced in Sysmon 7.0.\n* Modified organization of functions into their own files for better management while coding.\n* Fixed typo in the enabling of rules in rule creation.\n\n### Version 0.7.6\n\n* Support for Schema 3.4 of Sysmon v6.2\n* New function New-SysmonWmiEvent.\n* Updated Rule and Filter functions for WmiEvents.\n* Fixed an issue where some functions did not support PipeEvents.\n\n### Version 0.7.5\n\n* Support for Schema 3.3 of Sysmon v6.\n* New function New-SysmonPipeEvent for filtering for named pipeline creation and connection events.\n* Support of PipeEvent in config creation and event type functions.\n* Several bug fixes on filtering functions when given an array of values.\n\n### Version 0.7.3\n\n* Several bug fixes when creating RawAccess and ProcessOpen rules.\n* By default the new schema is 3.2 for the latest version of Sysmon 5.0\n* New-SysmonConfiguration function has options to enable all logging for FileCreate, RegistryEvent and FileCreateStreamHash\n* Get-SysmonEventData can now parse File Create, Registry and File Stream creation events.\n* New function New-SysmonFileCreateFilter for creating file creation filters.\n* New function New-SysmonRegistryEvent for creating registry event filters.\n* New function New-SysmonFileCreateStreamHash for creating file stream hash event filters.\n* Updated Get-SysmonRule, Set-SysmonRule, Remove-SysmonRule and Remove-SysmonRuleFilter for the new event type rules.\n* Added Online Help option for all functions.\n\n### Version 0.7.2\n\n* Added missing Event Types to Get-SysmonEventData.\n\n### Version 0.7.1\n\n* Fixed issue with conditions with filters with spaces in them.\n\n### Version 0.7\n\n* Added support for ProcessAccess filtering added in Sysmon 4.1\n* Added function New-SysmonProcessAccess for creating 
ProcessAccess filters.\n* Fixed issue where command was displayed and not run with New-SysmonDriverLoadFilter.\n* Added ProcessAccess type in Get-SysmonEventData and Get-SysmonRuleFilter.\n* In verbose output it shows what version of Sysmon the file will be compatible with after creating it.\n\n### Version 0.6\n\n* Added support for Sysmon 4.0 XML schema (Schema version 3.0)\n* One can select the version of schema to support when creating the configuration file.\n* All functions have been updated to support the use of more than one rule as per Schema 3.0\n\n### Version 0.5\n\n* Added Get-SysmonEventData to get the Event Data information as custom object for selected Event Types.\n* Added Get-SysmonRuleFilter to get all filters under a specific Event Type Rule.\n\n### Version 0.4\n\nVersion 3.0 is a full re-write of how rules work and new event types. This update is SysMon 3.0 only. If you wish to work on SysMon 2.0 rules I recommend you use version 0.3 of the module.\n\n* When creating a new sysmon rule it will allow you to enable logging of event types supported.\n* Checks that it is only working with the proper XML schema for the rules.\n* Can now create specific filter for CreateRemoteThread event type.\n* Since Rules and Config got merged, the config functions (Get-SysmonConfigOption, Set-SysmonConfigOption) were removed and replaced with Get-SysmonHashingAlgorithm and Set-SysmonHashingAlgorithm\n\n### Version 0.3\n\n* Tons of fixes due to a bad refactor.\n* Filter creation is now done by specific functions per event type.\n* Filter creation functions are now in their own sub-module.\n\n### Version 0.2\n\n* Validate that the file is an XML file and a valid Sysmon configuration file.\n* Change option ConfigFile to Path and LiteralPath so as to match other cmdlets that work with files.\n* Fixed typos on verbose messages and examples.\n* Functions should work better now when passing files through the pipeline using Get-ChildItem.\n\n### Version 0.1\n\n* 
Initial version for Sysmon 2.0 with XML Schema 1.0\n\n## Examples\n\n## Create a XML Configuration File\n\n<pre>\nPS C:\\> New-SysmonConfiguration -Path .\\pc_marketing.xml -HashingAlgorithm IMPHASH,SHA1 -Network -Comment \"Sysmon config for deployment in the Marketing PC OU\" -Verbose\nVERBOSE: Enabling hashing algorithms : IMPHASH,SHA1\nVERBOSE: Enabling network connection logging.\nVERBOSE: Config file created as C:\\pc_marketing.xml\n</pre>\n\n\n## Get configured Rules and Filters\n\n<pre>\nPS C:\\> Get-SysmonRule -Path .\\pc_marketing.xml\n\n\nEventType     : NetworkConnect\nScope         : Filtered\nDefaultAction : Exclude\nFilters       : {@{EventField=Image; Condition=Image; Value=C:\\Windows\\System32\\svchost.exe},\n                @{EventField=Image; Condition=Image; Value=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe},\n                @{EventField=Image; Condition=Image; Value=C:\\Program Files\\Internet Explorer\\iexplore.exe},\n                @{EventField=Image; Condition=Image; Value=C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe}...}\n\n\n\nPS C:\\> Get-SysmonRules -Path .\\pc_marketing.xml | select -ExpandProperty Filters\n\nEventField   Condition    Value\n----------   ---------    -----\nImage        Image        C:\\Windows\\System32\\svchost.exe\nImage        Image        C:\\Program Files (x86)\\Internet Explorer\\iexplo...\nImage        Image        C:\\Program Files\\Internet Explorer\\iexplore.exe\nImage        Image        C:\\Program Files (x86)\\Google\\Chrome\\Applicatio...\nImage        Image        C:\\Program Files (x86)\\PuTTY\\putty.exe\nImage        Image        C:\\Program Files (x86)\\PuTTY\\plink.exe\nImage        Image        C:\\Program Files (x86)\\PuTTY\\pscp.exe\nImage        Image        C:\\Program Files (x86)\\PuTTY\\psftp.exe\n\n\n</pre>\n\n## Create or Update a Rule and its Default Action\n\n<pre>\n\nPS C:\\> Set-SysmonRule -Path .\\pc_marketing.xml -EventType ImageLoad 
-Verbose\nVERBOSE: No rule for ImageLoad was found.\nVERBOSE: Creating rule for event type with action of Exclude\nVERBOSE: Action has been set.\n\nEventType     : ImageLoad\nScope         : All Events\nDefaultAction : Exclude\nFilters       :\n\n</pre>\n\n## Remove One or More Filters\n\n<pre>\nPS C:\\> Get-SysmonRule -Path .\\pc_marketing.xml -EventType NetworkConnect\n\nEventType     : NetworkConnect\nScope         : Filtered\nDefaultAction : Exclude\nFilters       : {@{EventField=Image; Condition=Image; Value=C:\\Windows\\System32\\svchost.exe},\n                @{EventField=Image; Condition=Image; Value=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe},\n                @{EventField=Image; Condition=Image; Value=C:\\Program Files\\Internet Explorer\\iexplore.exe},\n                @{EventField=Image; Condition=Image; Value=C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe}...}\n\n\nPS C:\\> Remove-SysmonRuleFilter -Path .\\pc_marketing.xml -EventType NetworkConnect -Condition Image -EventField Image -Value $images -Verbose\nVERBOSE: Filter for field Image with condition Image and value of C:\\Windows\\System32\\svchost.exe removed.\nVERBOSE: Filter for field Image with condition Image and value of C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe removed.\nVERBOSE: Filter for field Image with condition Image and value of C:\\Program Files\\Internet Explorer\\iexplore.exe removed.\nVERBOSE: Filter for field Image with condition Image and value of C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe removed.\nVERBOSE: Filter for field Image with condition Image and value of C:\\Program Files (x86)\\PuTTY\\putty.exe removed.\nVERBOSE: Filter for field Image with condition Image and value of C:\\Program Files (x86)\\PuTTY\\plink.exe removed.\nVERBOSE: Filter for field Image with condition Image and value of C:\\Program Files (x86)\\PuTTY\\pscp.exe removed.\nVERBOSE: Filter for field Image with condition Image and value of 
C:\\Program Files (x86)\\PuTTY\\psftp.exe removed.\n\n\nEventType     : NetworkConnect\nScope         : All Events\nDefaultAction : Exclude\nFilters       :\n</pre>\n\n## Remove Rule\n\n<pre>\nPS C:\\> Remove-SysmonRule -Path .\\pc_marketing.xml -EventType ImageLoad,NetworkConnect -Verbose\nVERBOSE: Removed rule for ImageLoad.\nVERBOSE: Removed rule for NetworkConnect.\n</pre>\n"
  },
  {
    "path": "build.ps1",
    "content": "[CmdletBinding()]\nparam(\n    [ValidateSet(\"Release\",\"Debug\")]\n    $Configuration = \"Release\"\n)\n\nPush-Location $PSScriptRoot\ntry {\n    $BuildTimer = New-Object System.Diagnostics.Stopwatch\n    $BuildTimer.Start()\n\n    $ModuleName = Split-Path $PSScriptRoot -Leaf\n    $ErrorActionPreference = \"Stop\"\n    $version = Get-Metadata \".\\Source\\${ModuleName}.psd1\"\n    $folder = mkdir $version -Force\n\n    Get-ChildItem Source -filter \"${ModuleName}.*\" |\n        Copy-Item -Dest $folder.FullName -PassThru |\n        ForEach-Object {\n            Write-Host \"  $($_.Name) -> $($_.FullName)\"\n        }\n\n    Get-ChildItem Source\\Private, Source\\Public -Filter *.ps1 -Recurse |\n        Sort-Object Directory, Name |\n        Get-Content |\n        Set-Content \"$($folder.FullName)\\${ModuleName}.psm1\"\n    Write-Host \"  $($ModuleName) -> $($folder.FullName)\\${ModuleName}.psm1\"\n\n    Write-Host\n    Write-Host \"Module build finished.\" -ForegroundColor Green\n    $BuildTimer.Stop()\n    Write-Host \"Total Elapsed $($BuildTimer.Elapsed.ToString(\"hh\\:mm\\:ss\\.ff\"))\"\n} catch {\n    throw $_\n} finally {\n    Pop-Location\n}"
  },
  {
    "path": "docs/Get-SysmonEventData.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version:\nschema: 2.0.0\n---\n\n# Get-SysmonEventData\n\n## SYNOPSIS\nSearches for specified SysMon Events and returns the Event Data as a custom object.\n\n## SYNTAX\n\n### ID (Default)\n```\nGet-SysmonEventData [-EventId] <Int32[]> [[-MaxEvents] <Int32>] [-Path <String[]>] [-StartTime <DateTime>]\n [-EndTime <DateTime>] [<CommonParameters>]\n```\n\n### Type\n```\nGet-SysmonEventData [[-EventType] <String[]>] [[-MaxEvents] <Int32>] [-Path <String[]>] [-StartTime <DateTime>]\n [-EndTime <DateTime>] [<CommonParameters>]\n```\n\n## DESCRIPTION\nSearches for specified SysMon Events and returns the Event Data as a custom object.\n\n## EXAMPLES\n\n### EXAMPLE 1\n```\nGet-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1)\n```\n\nAll process creation events in the last 24hr\n\n### EXAMPLE 2\n```\nGet-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\\export.evtx\n```\n\nLast 20 network connection events from an exported SysMon log.\n\n## PARAMETERS\n\n### -EventId\nSysmon Event ID of records to show\n\n```yaml\nType: Int32[]\nParameter Sets: ID\nAliases:\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventType\nEventType that a Rule can be written against.\n\n```yaml\nType: String[]\nParameter Sets: Type\nAliases:\n\nRequired: False\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -MaxEvents\nSpecifies the maximum number of events that Get-WinEvent returns.\nEnter an integer.\nThe default is to return all the events in the logs or files.\n\n```yaml\nType: Int32\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 2\nDefault value: 0\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\nSpecifies a path to 
one or more exported SysMon events in evtx format.\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases: PSPath\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName, ByValue)\nAccept wildcard characters: False\n```\n\n### -StartTime\nStart date from which to get all events going forward.\n\n```yaml\nType: DateTime\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n```\n\n### -EndTime\nEnd date for searching events.\n\n```yaml\nType: DateTime\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n"
  },
  {
    "path": "docs/Get-SysmonHashingAlgorithm.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md\nschema: 2.0.0\n---\n\n# Get-SysmonHashingAlgorithm\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nGet-SysmonHashingAlgorithm [-Path] <String> [<CommonParameters>]\n```\n\n### LiteralPath\n```\nGet-SysmonHashingAlgorithm [-LiteralPath] <String> [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: String\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: String\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.String\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md)\n\n"
  },
  {
    "path": "docs/Get-SysmonRule.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md\nschema: 2.0.0\n---\n\n# Get-SysmonRule\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nGet-SysmonRule [-Path] <String> [[-EventType] <String[]>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nGet-SysmonRule [-LiteralPath] <String> [[-EventType] <String[]>] [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -EventType\n{{Fill EventType Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\nAccepted values: ALL, NetworkConnect, ProcessCreate, FileCreateTime, ProcessTerminate, ImageLoad, DriverLoad, ProcessAccess, RawAccessRead, ProcessAccess, FileCreateStreamHash, RegistryEvent, FileCreate, PipeEvent, WmiEvent\n\nRequired: False\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: String\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: String\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters 
(http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.String\n\n### System.String[]\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md)\n\n"
  },
  {
    "path": "docs/Get-SysmonRuleFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md\nschema: 2.0.0\n---\n\n# Get-SysmonRuleFilter\n\n## SYNOPSIS\nGet the configured filters for a specified Event Type Rule in a Sysmon configuration file.\n\n## SYNTAX\n\n### Path (Default)\n```\nGet-SysmonRuleFilter [-Path] <Object> [-EventType] <String> [-OnMatch] <String> [<CommonParameters>]\n```\n\n### LiteralPath\n```\nGet-SysmonRuleFilter [-LiteralPath] <Object> [-OnMatch] <String> [<CommonParameters>]\n```\n\n## DESCRIPTION\nGet the configured filters for a specified Event Type Rule in a Sysmon configuration file.\n\n## EXAMPLES\n\n### EXAMPLE 1\n```\nGet-SysmonRuleFilter -Path C:\\sysmon.xml -EventType ProcessCreate\n```\n\nGet the filter under the ProcessCreate Rule.\n\n## PARAMETERS\n\n### -Path\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventType\nEvent type rule to get filter for.\n\n```yaml\nType: String\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\nEvent type on match action.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, 
-InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n"
  },
  {
    "path": "docs/New-SysmonConfiguration.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md\nschema: 2.0.0\n---\n\n# New-SysmonConfiguration\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n```\nNew-SysmonConfiguration [-Path] <String> [-HashingAlgorithm] <String[]> [-NetworkConnect] [-DriverLoad]\n [-ImageLoad] [-CreateRemoteThread] [-FileCreateTime] [-ProcessCreate] [-ProcessTerminate] [-ProcessAccess]\n [-RawAccessRead] [-CheckRevocation] [-RegistryEvent] [-FileCreate] [-FileCreateStreamHash] [-PipeEvent]\n [-WmiEvent] [-Comment <String>] [-SchemaVersion <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -CheckRevocation\n{{Fill CheckRevocation Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 11\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Comment\n{{Fill Comment Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -CreateRemoteThread\n{{Fill CreateRemoteThread Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -DriverLoad\n{{Fill DriverLoad Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -FileCreate\n{{Fill FileCreate 
Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 13\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -FileCreateStreamHash\n{{Fill FileCreateStreamHash Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 14\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -FileCreateTime\n{{Fill FileCreateTime Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 6\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -HashingAlgorithm\n{{Fill HashingAlgorithm Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\nAccepted values: ALL, MD5, SHA1, SHA256, IMPHASH\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -ImageLoad\n{{Fill ImageLoad Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -NetworkConnect\n{{Fill NetworkConnect Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -PipeEvent\n{{Fill PipeEvent Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 15\nDefault 
value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -ProcessAccess\n{{Fill ProcessAccess Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 9\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -ProcessCreate\n{{Fill ProcessCreate Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 7\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -ProcessTerminate\n{{Fill ProcessTerminate Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 8\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RawAccessRead\n{{Fill RawAccessRead Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 10\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RegistryEvent\n{{Fill RegistryEvent Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 12\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -SchemaVersion\n{{Fill SchemaVersion Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: 4.0, 4.1\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -WmiEvent\n{{Fill WmiEvent Description}}\n\n```yaml\nType: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 16\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis 
cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.String\n\n### System.String[]\n\n### System.Management.Automation.SwitchParameter\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md)\n\n"
  },
  {
    "path": "docs/New-SysmonDriverLoadFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonDriverLoadFilter\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonDriverLoadFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonDriverLoadFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Condition\n{{Fill Condition Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\n{{Fill EventField Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: UtcTime, ImageLoaded, Hashes, Signed, Signature\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\n{{Fill OnMatch Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: include, exclude\n\nRequired: True\nPosition: 
1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\n{{Fill RuleName Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\n{{Fill Value Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.Object\n\n### System.String\n\n### System.String[]\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md)\n\n"
  },
  {
    "path": "docs/New-SysmonFileCreateFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonFileCreateFilter\n\n## SYNOPSIS\nCreate a new filter for the logging of file creation.\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonFileCreateFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonFileCreateFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\nCreate a new filter for the logging of file creation.\n\n## EXAMPLES\n\n### EXAMPLE 1\n```\n\n```\n\n## PARAMETERS\n\n### -Path\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\nEvent type on match action.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Condition\nCondition for filtering against an event field.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\nEvent field to filter on.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: 
True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\nValue of Event Field to filter on.\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\n{{Fill RuleName Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n"
  },
  {
    "path": "docs/New-SysmonFileCreateStreamHash.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nonline version: \nschema: 2.0.0\n---\n\n# New-SysmonFileCreateStreamHash\n\n## SYNOPSIS\nCreate a new filter for the logging of the saving of data on a file stream.\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonFileCreateStreamHash [-Path] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]>\n```\n\n### LiteralPath\n```\nNew-SysmonFileCreateStreamHash [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]>\n```\n\n## DESCRIPTION\nCreate a new filter for the logging of the saving of data on a file stream.\n\n## EXAMPLES\n\n### -------------------------- EXAMPLE 1 --------------------------\n```\nNew-SysmonRegistryEvent -Path .\\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce'\n```\n\nCapture a persistence attempt by creating a registry entry in the RunOnce keys.\n\n## PARAMETERS\n\n### -Path\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases: \n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\nEvent type on match action.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Condition\nCondition for filtering against an event field.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### 
-EventField\nEvent field to filter on.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\nValue of Event Field to filter on.\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n\n"
  },
  {
    "path": "docs/New-SysmonFileCreateStreamHashFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonFileCreateStreamHashFilter\n\n## SYNOPSIS\nCreate a new filter for the logging of the saving of data on a file stream.\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonFileCreateStreamHashFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonFileCreateStreamHashFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\nCreate a new filter for the logging of the saving of data on a file stream.\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Path\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\nEvent type on match action.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Condition\nCondition for filtering against an event field.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True 
(ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\nEvent field to filter on.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\nValue of Event Field to filter on.\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\nRule Name for the filter.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n"
  },
  {
    "path": "docs/New-SysmonImageLoadFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonImageLoadFilter\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonImageLoadFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonImageLoadFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Condition\n{{Fill Condition Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\n{{Fill EventField Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, FileVersion, Description, Product, Company\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\n{{Fill OnMatch Description}}\n\n```yaml\nType: String\nParameter Sets: 
(All)\nAliases:\nAccepted values: include, exclude\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\n{{Fill RuleName Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\n{{Fill Value Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.Object\n\n### System.String\n\n### System.String[]\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md)\n\n"
  },
  {
    "path": "docs/New-SysmonNetworkConnectFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonNetworkConnectFilter\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonNetworkConnectFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonNetworkConnectFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Condition\n{{Fill Condition Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\n{{Fill EventField Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard 
characters: False\n```\n\n### -OnMatch\n{{Fill OnMatch Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: include, exclude\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\n{{Fill RuleName Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\n{{Fill Value Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.Object\n\n### System.String\n\n### System.String[]\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md)\n\n"
  },
  {
    "path": "docs/New-SysmonPipeEvent.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nonline version: \nschema: 2.0.0\n---\n\n# New-SysmonPipeEvent\n\n## SYNOPSIS\nCreate a new filter for when a Named Pipe is created or connected.\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonPipeEvent [-Path] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]>\n```\n\n### LiteralPath\n```\nNew-SysmonPipeEvent [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]>\n```\n\n## DESCRIPTION\nCreate a new filter for when a Named Pipe is created or connected.\nUseful for watching malware inter process communication.\n\n## EXAMPLES\n\n### Example 1\n```\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Path\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases: \n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\nEvent type on match action.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Condition\nCondition for filtering against and event field.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\nEvent field to filter on.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: 
True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\nValue of Event Field to filter on.\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n\n"
  },
  {
    "path": "docs/New-SysmonPipeFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonPipeFilter\n\n## SYNOPSIS\nCreate a new filter for when a Named Pipe is created or connected.\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonPipeFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonPipeFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\nCreate a new filter for when a Named Pipe is created or connected.\nUseful for watching malware inter process communication.\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Path\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\nEvent type on match action.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Condition\nCondition for filtering against and event field.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept 
wildcard characters: False\n```\n\n### -EventField\nEvent field to filter on.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\nValue of Event Field to filter on.\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\nRule Name for the filter.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n"
  },
  {
    "path": "docs/New-SysmonProcessAccessFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonProcessAccessFilter\n\n## SYNOPSIS\nCreate a new filter for the logging of when a running process opens another.\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonProcessAccessFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonProcessAccessFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\nCreate a new filter for the logging of when a running process opens another.\n\n## EXAMPLES\n\n### EXAMPLE 1\n```\nNew-SysmonProcessAccessFilter -Path .\\testver31.xml -OnMatch include -Condition Contains -EventField TargetImage lsass.exe\n```\n\nLog any process trying to open lsass.exe.\n\n## PARAMETERS\n\n### -Path\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\nEvent type on match action.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Condition\nCondition for filtering against and event field.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 
3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\nEvent field to filter on.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\nValue of Event Field to filter on.\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\nRule Name for the filter.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n"
  },
  {
    "path": "docs/New-SysmonProcessCreateFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonProcessCreateFilter\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonProcessCreateFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonProcessCreateFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Condition\n{{Fill Condition Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\n{{Fill EventField Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: UtcTime, ProcessGuid, ProcessId, Image, CommandLine, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine, FileVersion, Description, Product, Company\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept 
wildcard characters: False\n```\n\n### -OnMatch\n{{Fill OnMatch Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: include, exclude\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\n{{Fill RuleName Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\n{{Fill Value Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.Object\n\n### System.String\n\n### System.String[]\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md)\n\n"
  },
  {
    "path": "docs/New-SysmonProcessTerminateFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonProcessTerminateFilter\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonProcessTerminateFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonProcessTerminateFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Condition\n{{Fill Condition Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\n{{Fill EventField Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: UtcTime, ProcessGuid, ProcessId\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\n{{Fill OnMatch Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: include, exclude\n\nRequired: 
True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\n{{Fill RuleName Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\n{{Fill Value Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.Object\n\n### System.String\n\n### System.String[]\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md)\n\n"
  },
  {
    "path": "docs/New-SysmonRegistryEvent.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nonline version: \nschema: 2.0.0\n---\n\n# New-SysmonRegistryEvent\n\n## SYNOPSIS\nCreate a new filter for the actions against the registry.\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonRegistryEvent [-Path] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]>\n```\n\n### LiteralPath\n```\nNew-SysmonRegistryEvent [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]>\n```\n\n## DESCRIPTION\nCreate a new filter for actions against the registry.\nSupports filtering\nby aby of the following event types:\n* CreateKey\n* DeleteKey\n* RenameKey\n* CreateValue\n* DeleteValue\n* RenameValue\n* SetValue\n\nHives in TargetObject are referenced as:\n* \\REGISTRY\\MACHINE\\HARDWARE\n* \\REGISTRY\\USER\\Security ID number\n* \\REGISTRY\\MACHINE\\SECURITY\n* \\REGISTRY\\USER\\.DEFAULT\n* \\REGISTRY\\MACHINE\\SYSTEM\n* \\REGISTRY\\MACHINE\\SOFTWARE\n* \\REGISTRY\\MACHINE\\SAM\n\n## EXAMPLES\n\n### -------------------------- EXAMPLE 1 --------------------------\n```\n\n```\n\n## PARAMETERS\n\n### -Path\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases: \n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\nEvent type on match action.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Condition\nCondition for filtering against and event field.\n\n```yaml\nType: String\nParameter Sets: 
(All)\nAliases: \n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\nEvent field to filter on.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\nValue of Event Field to filter on.\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases: \n\nRequired: True\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n\n"
  },
  {
    "path": "docs/New-SysmonRegistryFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md\nschema: 2.0.0\n---\n\n# New-SysmonRegistryFilter\n\n## SYNOPSIS\nCreate a new filter for the actions against the registry.\n\n## SYNTAX\n\n### Path (Default)\n```\nNew-SysmonRegistryFilter [-Path] <Object> [-OnMatch] <String> [-Condition] <String> [-EventField] <String>\n [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n### LiteralPath\n```\nNew-SysmonRegistryFilter [-LiteralPath] <Object> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [-RuleName <String>] [<CommonParameters>]\n```\n\n## DESCRIPTION\nCreate a new filter for actions against the registry.\nSupports filtering\nby aby of the following event types:\n* CreateKey\n* DeleteKey\n* RenameKey\n* CreateValue\n* DeleteValue\n* RenameValue\n* SetValue\n\nHives on Schema 3.2 in TargetObject are referenced as:\n* \\REGISTRY\\MACHINE\\HARDWARE\n* \\REGISTRY\\USER\\Security ID number\n* \\REGISTRY\\MACHINE\\SECURITY\n* \\REGISTRY\\USER\\.DEFAULT\n* \\REGISTRY\\MACHINE\\SYSTEM\n* \\REGISTRY\\MACHINE\\SOFTWARE\n* \\REGISTRY\\MACHINE\\SAM\n\nHives on Schema 3.3 and above in TargetObject are referenced as:\n* HKLM\n* HKCR\n* HKEY_USER\n\n## EXAMPLES\n\n### EXAMPLE 1\n```\nNew-SysmonRegistryFilter -Path .\\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce'\n```\n\nCapture persistance attemp by creating a registry entry in the RunOnce keys.\n\n## PARAMETERS\n\n### -Path\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\nPath to XML config file.\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 
1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\nEvent type on match action.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Condition\nCondition for filtering against and event field.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\nEvent field to filter on.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\nValue of Event Field to filter on.\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -RuleName\nRule Name for the filter.\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n## OUTPUTS\n\n## NOTES\n\n## RELATED LINKS\n"
  },
  {
    "path": "docs/Remove-SysmonRule.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md\nschema: 2.0.0\n---\n\n# Remove-SysmonRule\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nRemove-SysmonRule [-Path] <Object> [-EventType] <String[]> [-OnMatch] <String> [<CommonParameters>]\n```\n\n### LiteralPath\n```\nRemove-SysmonRule [-LiteralPath] <Object> [-EventType] <String[]> [-OnMatch] <String> [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -EventType\n{{Fill EventType Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\nAccepted values: NetworkConnect, ProcessCreate, FileCreateTime, ProcessTerminate, ImageLoad, DriverLoad, CreateRemoteThread, ProcessAccess, RawAccessRead, FileCreateStreamHash, RegistryEvent, FileCreate, PipeEvent, WmiEvent, RuleName\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\n{{Fill OnMatch Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: Include, Exclude\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: 
False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.Object\n\n### System.String[]\n\n### System.String\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md)\n\n"
  },
  {
    "path": "docs/Remove-SysmonRuleFilter.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md\nschema: 2.0.0\n---\n\n# Remove-SysmonRuleFilter\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nRemove-SysmonRuleFilter [-Path] <Object> [-EventType] <String> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [<CommonParameters>]\n```\n\n### LiteralPath\n```\nRemove-SysmonRuleFilter [-LiteralPath] <Object> [-EventType] <String> [-OnMatch] <String> [-Condition] <String>\n [-EventField] <String> [-Value] <String[]> [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Condition\n{{Fill Condition Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan\n\nRequired: True\nPosition: 3\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventField\n{{Fill EventField Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 4\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventType\n{{Fill EventType Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: NetworkConnect, ProcessCreate, FileCreateTime, ProcessTerminate, ImageLoad, DriverLoad, CreateRemoteThread, RawAccessRead, ProcessAccess, FileCreateStreamHash, RegistryEvent, FileCreate, PipeEvent, WmiEvent\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath 
Description}}\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\n{{Fill OnMatch Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: include, exclude\n\nRequired: True\nPosition: 2\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Value\n{{Fill Value Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: 5\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.Object\n\n### System.String\n\n### System.String[]\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md)\n\n"
  },
  {
    "path": "docs/Set-SysmonHashingAlgorithm.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md\nschema: 2.0.0\n---\n\n# Set-SysmonHashingAlgorithm\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nSet-SysmonHashingAlgorithm [-Path] <Object> [-HashingAlgorithm] <String[]> [<CommonParameters>]\n```\n\n### LiteralPath\n```\nSet-SysmonHashingAlgorithm [-LiteralPath] <Object> [-HashingAlgorithm] <String[]> [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -HashingAlgorithm\n{{Fill HashingAlgorithm Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\nAccepted values: ALL, MD5, SHA1, SHA256, IMPHASH\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.Object\n\n### System.String[]\n\n## OUTPUTS\n\n### 
System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md)\n\n"
  },
  {
    "path": "docs/Set-SysmonRule.md",
    "content": "---\nexternal help file: Posh-SysMon-help.xml\nModule Name: Posh-SysMon\nonline version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md\nschema: 2.0.0\n---\n\n# Set-SysmonRule\n\n## SYNOPSIS\n{{Fill in the Synopsis}}\n\n## SYNTAX\n\n### Path (Default)\n```\nSet-SysmonRule [-Path] <Object> [-EventType] <String[]> [[-OnMatch] <String>] [-Action <String>]\n [<CommonParameters>]\n```\n\n### LiteralPath\n```\nSet-SysmonRule [-LiteralPath] <Object> [-EventType] <String[]> [[-OnMatch] <String>] [-Action <String>]\n [<CommonParameters>]\n```\n\n## DESCRIPTION\n{{Fill in the Description}}\n\n## EXAMPLES\n\n### Example 1\n```powershell\nPS C:\\> {{ Add example code here }}\n```\n\n{{ Add example description here }}\n\n## PARAMETERS\n\n### -Action\n{{Fill Action Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: Modify, Add\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -EventType\n{{Fill EventType Description}}\n\n```yaml\nType: String[]\nParameter Sets: (All)\nAliases:\nAccepted values: NetworkConnect, ProcessCreate, FileCreateTime, ProcessTerminate, ImageLoad, DriverLoad, CreateRemoteThread, ProcessAccess, RawAccessRead, FileCreateStreamHash, RegistryEvent, FileCreate, PipeEvent, WmiEvent\n\nRequired: True\nPosition: 1\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -LiteralPath\n{{Fill LiteralPath Description}}\n\n```yaml\nType: Object\nParameter Sets: LiteralPath\nAliases: PSPath\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -OnMatch\n{{Fill OnMatch Description}}\n\n```yaml\nType: String\nParameter Sets: (All)\nAliases:\nAccepted values: Include, Exclude\n\nRequired: False\nPosition: 2\nDefault value: None\nAccept pipeline 
input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### -Path\n{{Fill Path Description}}\n\n```yaml\nType: Object\nParameter Sets: Path\nAliases:\n\nRequired: True\nPosition: 0\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n```\n\n### CommonParameters\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.\nFor more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).\n\n## INPUTS\n\n### System.Object\n\n### System.String[]\n\n### System.String\n\n## OUTPUTS\n\n### System.Object\n## NOTES\n\n## RELATED LINKS\n\n[https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md)\n\n"
  },
  {
    "path": "en-US/Posh-SysMon-help.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<helpItems schema=\"maml\" xmlns=\"http://msh\">\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>Get-SysmonEventData</command:name>\n      <command:verb>Get</command:verb>\n      <command:noun>SysmonEventData</command:noun>\n      <maml:description>\n        <maml:para>Searches for specified SysMon Events and returns the Event Data as a custom object.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Searches for specified SysMon Events and returns the Event Data as a custom object.</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>Get-SysmonEventData</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>EventId</maml:name>\n          <maml:Description>\n            <maml:para>Sysmon Event ID of records to show</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Int32[]</command:parameterValue>\n          <dev:type>\n            <maml:name>Int32[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>MaxEvents</maml:name>\n          <maml:Description>\n            <maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. 
The default is to return all the events in the logs or files.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Int32</command:parameterValue>\n          <dev:type>\n            <maml:name>Int32</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>0</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName, ByValue)\" position=\"named\" aliases=\"PSPath\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Specifies a path to one or more exported SysMon events in evtx format.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"False\" position=\"named\" aliases=\"none\">\n          <maml:name>StartTime</maml:name>\n          <maml:Description>\n            <maml:para>Start Date to get all event going forward.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">DateTime</command:parameterValue>\n          <dev:type>\n            <maml:name>DateTime</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"False\" position=\"named\" aliases=\"none\">\n          <maml:name>EndTime</maml:name>\n          <maml:Description>\n            <maml:para>End 
date for searching events.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">DateTime</command:parameterValue>\n          <dev:type>\n            <maml:name>DateTime</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>Get-SysmonEventData</maml:name>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>EventType that a Rule can be written against.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>MaxEvents</maml:name>\n          <maml:Description>\n            <maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. 
The default is to return all the events in the logs or files.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Int32</command:parameterValue>\n          <dev:type>\n            <maml:name>Int32</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>0</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName, ByValue)\" position=\"named\" aliases=\"PSPath\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Specifies a path to one or more exported SysMon events in evtx format.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"False\" position=\"named\" aliases=\"none\">\n          <maml:name>StartTime</maml:name>\n          <maml:Description>\n            <maml:para>Start Date to get all event going forward.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">DateTime</command:parameterValue>\n          <dev:type>\n            <maml:name>DateTime</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"False\" position=\"named\" aliases=\"none\">\n          <maml:name>EndTime</maml:name>\n          <maml:Description>\n            <maml:para>End 
date for searching events.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">DateTime</command:parameterValue>\n          <dev:type>\n            <maml:name>DateTime</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>EventId</maml:name>\n        <maml:Description>\n          <maml:para>Sysmon Event ID of records to show</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Int32[]</command:parameterValue>\n        <dev:type>\n          <maml:name>Int32[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>EventType</maml:name>\n        <maml:Description>\n          <maml:para>EventType that a Rule can be written against.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>MaxEvents</maml:name>\n        <maml:Description>\n          <maml:para>Specifies the maximum number 
of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Int32</command:parameterValue>\n        <dev:type>\n          <maml:name>Int32</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>0</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName, ByValue)\" position=\"named\" aliases=\"PSPath\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Specifies a path to one or more exported SysMon events in evtx format.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"False\" position=\"named\" aliases=\"none\">\n        <maml:name>StartTime</maml:name>\n        <maml:Description>\n          <maml:para>Start Date to get all event going forward.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">DateTime</command:parameterValue>\n        <dev:type>\n          <maml:name>DateTime</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"False\" position=\"named\" aliases=\"none\">\n        <maml:name>EndTime</maml:name>\n        <maml:Description>\n          <maml:para>End data for 
searching events.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">DateTime</command:parameterValue>\n        <dev:type>\n          <maml:name>DateTime</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n        <dev:code>Get-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1)</dev:code>\n        <dev:remarks>\n          <maml:para>All process creation events in the last 24hr</maml:para>\n        </dev:remarks>\n      </command:example>\n      <command:example>\n        <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title>\n        <dev:code>Get-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\\export.evtx</dev:code>\n        <dev:remarks>\n          <maml:para>last 20 network connection events from a exported SysMon log.</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks />\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>Get-SysmonHashingAlgorithm</command:name>\n      <command:verb>Get</command:verb>\n      <command:noun>SysmonHashingAlgorithm</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      
</maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>Get-SysmonHashingAlgorithm</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>Get-SysmonHashingAlgorithm</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill 
LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here 
}}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>Get-SysmonRule</command:name>\n      <command:verb>Get</command:verb>\n      <command:noun>SysmonRule</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>Get-SysmonRule</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True 
(ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventType Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ALL</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">NetworkConnect</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessTerminate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DriverLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RawAccessRead</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateStreamHash</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RegistryEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">PipeEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">WmiEvent</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>Get-SysmonRule</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventType Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ALL</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">NetworkConnect</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">ProcessCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessTerminate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DriverLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RawAccessRead</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateStreamHash</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RegistryEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">PipeEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">WmiEvent</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    
</command:syntax>\n    <command:parameters>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>EventType</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventType Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n   
       <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>Get-SysmonRuleFilter</command:name>\n      <command:verb>Get</command:verb>\n     
 <command:noun>SysmonRuleFilter</command:noun>\n      <maml:description>\n        <maml:para>Get the configured filters for a specified Event Type Rule in a Sysmon configuration file.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Get the configured filters for a specified Event Type Rule in a Sysmon configuration file.</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>Get-SysmonRuleFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>Event type rule to get filter for.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          
<maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>Get-SysmonRuleFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" 
globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>EventType</maml:name>\n        <maml:Description>\n          <maml:para>Event type rule to get filter for.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        
<maml:Description>\n          <maml:para>Event type on match action.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n        <dev:code>Get-SysmonRuleFilter -Path C:\\sysmon.xml -EventType ProcessCreate -OnMatch include</dev:code>\n        <dev:remarks>\n          <maml:para>Get the include filters configured under the ProcessCreate rule. OnMatch is a required parameter, so it must be supplied along with Path and EventType.</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>Online Version:</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonConfiguration</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonConfiguration</command:noun>\n      <maml:description>\n        <maml:para>Create a new Sysmon XML configuration file.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Creates a new Sysmon XML configuration file at the specified path, selecting the hash algorithms Sysmon records for images and the event types to enable. The CheckRevocation option and an optional comment can also be embedded in the generated file.</maml:para>\n    
</maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonConfiguration</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path of the Sysmon XML configuration file to write.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>HashingAlgorithm</maml:name>\n          <maml:Description>\n            <maml:para>One or more hash algorithms Sysmon records for images: ALL, MD5, SHA1, SHA256 or IMPHASH. Prefer SHA256 (or ALL); MD5 and SHA1 are collision-prone and should not be the only hash used to identify an image.</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ALL</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MD5</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SHA1</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SHA256</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IMPHASH</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n        
  </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"10\" aliases=\"none\">\n          <maml:name>RawAccessRead</maml:name>\n          <maml:Description>\n            <maml:para>Enable the RawAccessRead rule, which logs processes that read a drive directly instead of through the file system.</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"11\" aliases=\"none\">\n          <maml:name>CheckRevocation</maml:name>\n          <maml:Description>\n            <maml:para>Enable the CheckRevocation option so Sysmon checks code-signing certificates for revocation when reporting image and driver signature status, rather than trusting a signature from a revoked certificate.</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"12\" aliases=\"none\">\n          <maml:name>RegistryEvent</maml:name>\n          <maml:Description>\n            <maml:para>Enable the RegistryEvent rule, logging registry key and value creation, deletion, modification and renaming.</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"13\" aliases=\"none\">\n          <maml:name>FileCreate</maml:name>\n          <maml:Description>\n      
      <maml:para>{{Fill FileCreate Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"14\" aliases=\"none\">\n          <maml:name>FileCreateStreamHash</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill FileCreateStreamHash Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"15\" aliases=\"none\">\n          <maml:name>PipeEvent</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill PipeEvent Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"16\" aliases=\"none\">\n          <maml:name>WmiEvent</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill WmiEvent Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" 
variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>NetworkConnect</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill NetworkConnect Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>DriverLoad</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill DriverLoad Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>ImageLoad</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill ImageLoad Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>CreateRemoteThread</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill CreateRemoteThread Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            
<maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"6\" aliases=\"none\">\n          <maml:name>FileCreateTime</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill FileCreateTime Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"7\" aliases=\"none\">\n          <maml:name>ProcessCreate</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill ProcessCreate Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"8\" aliases=\"none\">\n          <maml:name>ProcessTerminate</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill ProcessTerminate Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"9\" aliases=\"none\">\n      
    <maml:name>ProcessAccess</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill ProcessAccess Description}}</maml:para>\n          </maml:Description>\n          <dev:type>\n            <maml:name>SwitchParameter</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>False</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>Comment</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Comment Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>SchemaVersion</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill SchemaVersion Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">4.0</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">4.1</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n    
  </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"11\" aliases=\"none\">\n        <maml:name>CheckRevocation</maml:name>\n        <maml:Description>\n          <maml:para>Enable the CheckRevocation option so Sysmon checks code-signing certificates for revocation when reporting image and driver signature status, rather than trusting a signature from a revoked certificate.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>Comment</maml:name>\n        <maml:Description>\n          <maml:para>Optional comment written into the generated configuration file, for example the purpose and owner of the configuration.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n        <maml:name>CreateRemoteThread</maml:name>\n        <maml:Description>\n          <maml:para>Enable the CreateRemoteThread rule, logging threads that one process creates in another process, a common code injection technique.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n 
     <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>DriverLoad</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill DriverLoad Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"13\" aliases=\"none\">\n        <maml:name>FileCreate</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill FileCreate Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"14\" aliases=\"none\">\n        <maml:name>FileCreateStreamHash</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill FileCreateStreamHash Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" 
variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"6\" aliases=\"none\">\n        <maml:name>FileCreateTime</maml:name>\n        <maml:Description>\n          <maml:para>Enable the FileCreateTime rule, logging changes to file creation timestamps (timestomping).</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>HashingAlgorithm</maml:name>\n        <maml:Description>\n          <maml:para>One or more hash algorithms Sysmon records for images: ALL, MD5, SHA1, SHA256 or IMPHASH. Prefer SHA256 (or ALL); MD5 and SHA1 are collision-prone and should not be the only hash used to identify an image.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>ImageLoad</maml:name>\n        <maml:Description>\n          <maml:para>Enable the ImageLoad rule, logging DLLs and other images loaded by processes. This event type is high-volume, so pair it with include or exclude filters.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True 
(ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>NetworkConnect</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill NetworkConnect Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"15\" aliases=\"none\">\n        <maml:name>PipeEvent</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill PipeEvent Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"9\" aliases=\"none\">\n        <maml:name>ProcessAccess</maml:name>\n       
 <maml:Description>\n          <maml:para>{{Fill ProcessAccess Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"7\" aliases=\"none\">\n        <maml:name>ProcessCreate</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill ProcessCreate Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"8\" aliases=\"none\">\n        <maml:name>ProcessTerminate</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill ProcessTerminate Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"10\" aliases=\"none\">\n        <maml:name>RawAccessRead</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill 
RawAccessRead Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"12\" aliases=\"none\">\n        <maml:name>RegistryEvent</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill RegistryEvent Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>SchemaVersion</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill SchemaVersion Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"16\" aliases=\"none\">\n        <maml:name>WmiEvent</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill WmiEvent Description}}</maml:para>\n        </maml:Description>\n        
<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n        <dev:type>\n          <maml:name>SwitchParameter</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>False</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Management.Automation.SwitchParameter</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        
<maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonDriverLoadFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonDriverLoadFilter</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonDriverLoadFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n     
       <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue 
required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoaded</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Hashes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Signed</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Signature</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" 
pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonDriverLoadFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" 
variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoaded</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Hashes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Signed</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Signature</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n      
      <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Condition Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri 
/>\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventField Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill OnMatch Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter 
required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill RuleName Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Value Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        
<maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" 
xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonFileCreateFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonFileCreateFilter</command:noun>\n      <maml:description>\n        <maml:para>Create a new filter for the logging file creation.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Create a new filter for the logging file creation.</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonFileCreateFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter 
required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" 
globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonFileCreateFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter 
required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" 
globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>Event type on match action.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>Condition for filtering against an event field.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>Event field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>Value of Event 
Field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill RuleName Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n        <dev:code></dev:code>\n        <dev:remarks>\n          <maml:para></maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>Online Version:</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" 
xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonFileCreateStreamHash</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonFileCreateStreamHash</command:noun>\n      <maml:description>\n        <maml:para>Create a new filter for the logging of the saving of data on a file stream.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Create a new filter for the logging of the saving of data on a file stream.</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonFileCreateStreamHash</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n      
  </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      
<command:syntaxItem>\n        <maml:name>New-SysmonFileCreateStreamHash</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        
</command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      
<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>Event type on match action.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>Condition for filtering against an event field.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" 
aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>Event field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>Value of Event Field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n        <dev:code>New-SysmonRegistryEvent -Path .\\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce'</dev:code>\n        <dev:remarks>\n          <maml:para>Capture a persistence attempt by creating a registry entry in the RunOnce keys.</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks />\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" 
xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonFileCreateStreamHashFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonFileCreateStreamHashFilter</command:noun>\n      <maml:description>\n        <maml:para>Create a new filter for the logging of the saving of data on a file stream.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Create a new filter for the logging of the saving of data on a file stream.</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonFileCreateStreamHashFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          
<dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        
</command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>Rule Name for the filter.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonFileCreateStreamHashFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          
<dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        
</command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>Rule Name for the filter.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter 
required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>Event type on match action.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>Condition for filtering against an event field.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>Event field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n     
   <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>Value of Event Field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>Rule Name for the filter.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>Online Version:</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command 
xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonImageLoadFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonImageLoadFilter</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonImageLoadFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" 
variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoaded</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Hashes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Signed</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Signature</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileVersion</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Description</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Product</command:parameterValue>\n          
  <command:parameterValue required=\"false\" command:variableLength=\"false\">Company</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonImageLoadFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" 
aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">ProcessId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoaded</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Hashes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Signed</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Signature</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileVersion</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Description</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Product</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Company</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            
<maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Condition Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventField Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n 
         <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill OnMatch Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter 
required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill RuleName Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Value Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n  
  <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonNetworkConnectFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonNetworkConnectFilter</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonNetworkConnectFilter</maml:name>\n        
<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            
<command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">ProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">User</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Protocol</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Initiated</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourceIsIpv6</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourceIp</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourceHostname</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourcePort</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourcePortName</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationIsIpv6</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationIp</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationHostname</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationPort</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationPortName</command:parameterValue>\n          
</command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonNetworkConnectFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            
<maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue 
required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessId</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">User</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Protocol</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Initiated</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourceIsIpv6</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourceIp</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourceHostname</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourcePort</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SourcePortName</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationIsIpv6</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationIp</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationHostname</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationPort</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DestinationPortName</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          
<dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Condition Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        
<dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventField Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill OnMatch Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" 
globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill RuleName Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Value Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          
<maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" 
xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonPipeEvent</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonPipeEvent</command:noun>\n      <maml:description>\n        <maml:para>Create a new filter for when a Named Pipe is created or connected.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Create a new filter for when a Named Pipe is created or connected. Useful for watching malware inter process communication.</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonPipeEvent</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter 
required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        
<maml:name>New-SysmonPipeEvent</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        
<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter 
required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>Event type on match action.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>Condition for filtering against an event field.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n   
     <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>Event field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>Value of Event Field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks />\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      
<command:name>New-SysmonPipeFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonPipeFilter</command:noun>\n      <maml:description>\n        <maml:para>Create a new filter for when a Named Pipe is created or connected.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Create a new filter for when a Named Pipe is created or connected. Useful for watching malware inter process communication.</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonPipeFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" 
pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>Rule Name for the filter.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonPipeFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" 
pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>Rule Name for the filter.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        
<maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>Event type on match action.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>Condition for filtering against an event field.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>Event field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>Value of Event Field to filter on.</maml:para>\n        
</maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>Rule Name for the filter.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>Online Version:</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" 
xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonProcessAccessFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonProcessAccessFilter</command:noun>\n      <maml:description>\n        <maml:para>Create a new filter for the logging of when a running process opens another.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Create a new filter for the logging of when a running process opens another.</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonProcessAccessFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n       
 </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter 
required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>Rule Name for the filter.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonProcessAccessFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        
</command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter 
required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>Rule Name for the filter.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" 
pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>Event type on match action.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>Condition for filtering against an event field.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>Event field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        
<maml:Description>\n          <maml:para>Value of Event Field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>Rule Name for the filter.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n        <dev:code>New-SysmonProcessAccessFilter -Path .\\testver31.xml -OnMatch include -Condition Contains -EventField TargetImage lsass.exe</dev:code>\n        <dev:remarks>\n          <maml:para>Log any process trying to open lsass.exe.</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>Online Version:</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md</maml:uri>\n      </maml:navigationLink>\n    
</command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonProcessCreateFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonProcessCreateFilter</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonProcessCreateFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n         
   <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          
<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">CommandLine</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">User</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LogonGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LogonId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">TerminalSessionId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IntegrityLevel</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">Hashes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ParentProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ParentProcessId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ParentImage</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ParentCommandLine</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileVersion</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Description</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Product</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Company</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          
<dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonProcessCreateFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue 
required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" 
variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">CommandLine</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">User</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LogonGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LogonId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">TerminalSessionId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IntegrityLevel</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Hashes</command:parameterValue>\n   
         <command:parameterValue required=\"false\" command:variableLength=\"false\">ParentProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ParentProcessId</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ParentImage</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ParentCommandLine</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileVersion</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Description</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Product</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Company</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n 
       <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Condition Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventField Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" 
variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill OnMatch Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        
<maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill RuleName Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Value Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n    
    <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonProcessTerminateFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonProcessTerminateFilter</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonProcessTerminateFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" 
aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue 
required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">ProcessId</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonProcessTerminateFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          
<maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">UtcTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessGuid</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">ProcessId</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill RuleName Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        
<maml:Description>\n          <maml:para>{{Fill Condition Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventField Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill OnMatch Description}}</maml:para>\n        </maml:Description>\n        
<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill RuleName Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Value Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          
<maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md</maml:linkText>\n        
<maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonRegistryEvent</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonRegistryEvent</command:noun>\n      <maml:description>\n        <maml:para>Create a new filter for the actions against the registry.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Create a new filter for actions against the registry. Supports filtering by any of the following event types: * CreateKey</maml:para>\n      <maml:para>* DeleteKey</maml:para>\n      <maml:para>* RenameKey</maml:para>\n      <maml:para>* CreateValue</maml:para>\n      <maml:para>* DeleteValue</maml:para>\n      <maml:para>* RenameValue</maml:para>\n      <maml:para>* SetValue</maml:para>\n      <maml:para></maml:para>\n      <maml:para>Hives in TargetObject are referenced as: * \\REGISTRY\\MACHINE\\HARDWARE</maml:para>\n      <maml:para>* \\REGISTRY\\USER\\Security ID number</maml:para>\n      <maml:para>* \\REGISTRY\\MACHINE\\SECURITY</maml:para>\n      <maml:para>* \\REGISTRY\\USER\\.DEFAULT</maml:para>\n      <maml:para>* \\REGISTRY\\MACHINE\\SYSTEM</maml:para>\n      <maml:para>* \\REGISTRY\\MACHINE\\SOFTWARE</maml:para>\n      <maml:para>* \\REGISTRY\\MACHINE\\SAM</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonRegistryEvent</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True 
(ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against and event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          
<maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonRegistryEvent</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Event type on match action.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against and event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          
<maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        
<maml:Description>\n          <maml:para>Event type on match action.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>Condition for filtering against an event field.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>Event field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>Value of Event Field to filter on.</maml:para>\n        </maml:Description>\n        
<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n        <dev:code></dev:code>\n        <dev:remarks>\n          <maml:para></maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks />\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>New-SysmonRegistryFilter</command:name>\n      <command:verb>New</command:verb>\n      <command:noun>SysmonRegistryFilter</command:noun>\n      <maml:description>\n        <maml:para>Create a new filter for the actions against the registry.</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>Create a new filter for actions against the registry. 
Supports filtering by any of the following event types: * CreateKey</maml:para>\n      <maml:para>* DeleteKey</maml:para>\n      <maml:para>* RenameKey</maml:para>\n      <maml:para>* CreateValue</maml:para>\n      <maml:para>* DeleteValue</maml:para>\n      <maml:para>* RenameValue</maml:para>\n      <maml:para>* SetValue</maml:para>\n      <maml:para></maml:para>\n      <maml:para>Hives on Schema 3.2 in TargetObject are referenced as: * \\REGISTRY\\MACHINE\\HARDWARE</maml:para>\n      <maml:para>* \\REGISTRY\\USER\\Security ID number</maml:para>\n      <maml:para>* \\REGISTRY\\MACHINE\\SECURITY</maml:para>\n      <maml:para>* \\REGISTRY\\USER\\.DEFAULT</maml:para>\n      <maml:para>* \\REGISTRY\\MACHINE\\SYSTEM</maml:para>\n      <maml:para>* \\REGISTRY\\MACHINE\\SOFTWARE</maml:para>\n      <maml:para>* \\REGISTRY\\MACHINE\\SAM</maml:para>\n      <maml:para></maml:para>\n      <maml:para>Hives on Schema 3.3 and above in TargetObject are referenced as: * HKLM</maml:para>\n      <maml:para>* HKCR</maml:para>\n      <maml:para>* HKEY_USER</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>New-SysmonRegistryFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n         
 <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Action to take when the filter matches: include or exclude.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n       
     <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>Rule Name for the filter.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>New-SysmonRegistryFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>Path to XML config file.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          
<maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>Action to take when the filter matches: include or exclude.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>Condition for filtering against an event field.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>Event field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n        
    <maml:para>Value of Event Field to filter on.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>RuleName</maml:name>\n          <maml:Description>\n            <maml:para>Rule Name for the filter.</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>Path to XML 
config file.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>Action to take when the filter matches: include or exclude.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>Condition for filtering against an event field.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>Event field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" 
variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>Value of Event Field to filter on.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>RuleName</maml:name>\n        <maml:Description>\n          <maml:para>Rule Name for the filter.</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes />\n    <command:returnValues />\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n        <dev:code>New-SysmonRegistryFilter -Path .\\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce'</dev:code>\n        
<dev:remarks>\n          <maml:para>Capture a persistence attempt that creates a registry entry under the RunOnce keys. Because Contains is a substring match on TargetObject, this rule also fires for any other registry path whose name contains 'RunOnce'; use a fuller key path or a narrower condition if that is too broad.</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>Online Version:</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonRegistryFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>Remove-SysmonRule</command:name>\n      <command:verb>Remove</command:verb>\n      <command:noun>SysmonRule</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>Remove-SysmonRule</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" 
variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventType Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">NetworkConnect</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessTerminate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DriverLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">CreateRemoteThread</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RawAccessRead</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateStreamHash</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RegistryEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">PipeEvent</command:parameterValue>\n   
         <command:parameterValue required=\"false\" command:variableLength=\"false\">WmiEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RuleName</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>Remove-SysmonRule</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n         
 <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventType Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">NetworkConnect</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessTerminate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DriverLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">CreateRemoteThread</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RawAccessRead</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateStreamHash</command:parameterValue>\n            <command:parameterValue 
required=\"false\" command:variableLength=\"false\">RegistryEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">PipeEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">WmiEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RuleName</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      
<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>EventType</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventType Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill OnMatch Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" 
aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        
</dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>Remove-SysmonRuleFilter</command:name>\n      <command:verb>Remove</command:verb>\n      <command:noun>SysmonRuleFilter</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>Remove-SysmonRuleFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"1\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventType Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">NetworkConnect</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessTerminate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DriverLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">CreateRemoteThread</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RawAccessRead</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateStreamHash</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RegistryEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">PipeEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">WmiEvent</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n       
     <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" 
aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>Remove-SysmonRuleFilter</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventType Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">NetworkConnect</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateTime</command:parameterValue>\n 
           <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessTerminate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DriverLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">CreateRemoteThread</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RawAccessRead</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateStreamHash</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RegistryEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">PipeEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">WmiEvent</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            
<maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n          <maml:name>Condition</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Condition Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Is</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IsNot</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Contains</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Excludes</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Image</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">BeginWith</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">EndWith</command:parameterValue>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">LessThan</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MoreThan</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n          <maml:name>EventField</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventField Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n          <maml:name>Value</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Value Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" 
pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\">\n        <maml:name>Condition</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Condition Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\">\n        <maml:name>EventField</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventField Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>EventType</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventType Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        
<maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill OnMatch Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\">\n        <maml:name>Value</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Value Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" 
variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        
<maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>Set-SysmonHashingAlgorithm</command:name>\n      <command:verb>Set</command:verb>\n      <command:noun>SysmonHashingAlgorithm</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>Set-SysmonHashingAlgorithm</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>HashingAlgorithm</maml:name>\n          
<maml:Description>\n            <maml:para>{{Fill HashingAlgorithm Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ALL</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MD5</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SHA1</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SHA256</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IMPHASH</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>Set-SysmonHashingAlgorithm</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"1\" aliases=\"none\">\n          <maml:name>HashingAlgorithm</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill HashingAlgorithm Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ALL</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">MD5</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SHA1</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">SHA256</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">IMPHASH</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>HashingAlgorithm</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill HashingAlgorithm Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" 
globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    <command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    
</command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n  <command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n    <command:details>\n      <command:name>Set-SysmonRule</command:name>\n      <command:verb>Set</command:verb>\n      <command:noun>SysmonRule</command:noun>\n      <maml:description>\n        <maml:para>{{Fill in the Synopsis}}</maml:para>\n      </maml:description>\n    </command:details>\n    <maml:description>\n      <maml:para>{{Fill in the Description}}</maml:para>\n    </maml:description>\n    <command:syntax>\n      <command:syntaxItem>\n        <maml:name>Set-SysmonRule</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n          <maml:name>LiteralPath</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill LiteralPath Description}}</maml:para>\n          
</maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventType Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">NetworkConnect</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessTerminate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DriverLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">CreateRemoteThread</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RawAccessRead</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateStreamHash</command:parameterValue>\n       
     <command:parameterValue required=\"false\" command:variableLength=\"false\">RegistryEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">PipeEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">WmiEvent</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          
<maml:name>Action</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Action Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Modify</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Add</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n      </command:syntaxItem>\n      <command:syntaxItem>\n        <maml:name>Set-SysmonRule</maml:name>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n          <maml:name>Path</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Path Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n          <dev:type>\n            <maml:name>Object</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n          <maml:name>EventType</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill EventType Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" 
command:variableLength=\"false\">NetworkConnect</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateTime</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessTerminate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ImageLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">DriverLoad</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">CreateRemoteThread</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">ProcessAccess</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RawAccessRead</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreateStreamHash</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">RegistryEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">FileCreate</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">PipeEvent</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">WmiEvent</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n          <dev:type>\n            <maml:name>String[]</maml:name>\n            <maml:uri />\n          
</dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n          <maml:name>OnMatch</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill OnMatch Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Include</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Exclude</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n        </command:parameter>\n        <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n          <maml:name>Action</maml:name>\n          <maml:Description>\n            <maml:para>{{Fill Action Description}}</maml:para>\n          </maml:Description>\n          <command:parameterValueGroup>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Modify</command:parameterValue>\n            <command:parameterValue required=\"false\" command:variableLength=\"false\">Add</command:parameterValue>\n          </command:parameterValueGroup>\n          <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n          <dev:type>\n            <maml:name>String</maml:name>\n            <maml:uri />\n          </dev:type>\n          <dev:defaultValue>None</dev:defaultValue>\n       
 </command:parameter>\n      </command:syntaxItem>\n    </command:syntax>\n    <command:parameters>\n      <command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\">\n        <maml:name>Action</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Action Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\">\n        <maml:name>EventType</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill EventType Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n        <dev:type>\n          <maml:name>String[]</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\">\n        <maml:name>LiteralPath</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill LiteralPath Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter 
required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\">\n        <maml:name>OnMatch</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill OnMatch Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n        <dev:type>\n          <maml:name>String</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n      <command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\">\n        <maml:name>Path</maml:name>\n        <maml:Description>\n          <maml:para>{{Fill Path Description}}</maml:para>\n        </maml:Description>\n        <command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n        <dev:type>\n          <maml:name>Object</maml:name>\n          <maml:uri />\n        </dev:type>\n        <dev:defaultValue>None</dev:defaultValue>\n      </command:parameter>\n    </command:parameters>\n    <command:inputTypes>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String[]</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n      <command:inputType>\n        <dev:type>\n          <maml:name>System.String</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:inputType>\n    </command:inputTypes>\n    
<command:returnValues>\n      <command:returnValue>\n        <dev:type>\n          <maml:name>System.Object</maml:name>\n        </dev:type>\n        <maml:description>\n          <maml:para></maml:para>\n        </maml:description>\n      </command:returnValue>\n    </command:returnValues>\n    <maml:alertSet>\n      <maml:alert>\n        <maml:para></maml:para>\n      </maml:alert>\n    </maml:alertSet>\n    <command:examples>\n      <command:example>\n        <maml:title>-------------------------- Example 1 --------------------------</maml:title>\n        <dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n        <dev:remarks>\n          <maml:para>{{ Add example description here }}</maml:para>\n        </dev:remarks>\n      </command:example>\n    </command:examples>\n    <command:relatedLinks>\n      <maml:navigationLink>\n        <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md</maml:linkText>\n        <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md</maml:uri>\n      </maml:navigationLink>\n    </command:relatedLinks>\n  </command:command>\n</helpItems>"
  },
  {
    "path": "en-US/Posh-SysMon.psm1-Help.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<helpItems xmlns=\"http://msh\" schema=\"maml\">\n\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>Get-SysmonHashingAlgorithm</command:name>\n<command:verb>Get</command:verb>\n<command:noun>SysmonHashingAlgorithm</command:noun>\n<maml:description><maml:para>Gets the hashing algorithms enabled for images.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Gets the hashing algorithms enabled for images.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>Get-SysmonHashingAlgorithm</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>Get-SysmonHashingAlgorithm</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>Example 1</maml:title>\n<dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n<dev:remarks><maml:para>{{ Add example description here }}\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" 
xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>Get-SysmonRule</command:name>\n<command:verb>Get</command:verb>\n<command:noun>SysmonRule</command:noun>\n<maml:description><maml:para>Gets configured rules and their filters on a Sysmon XML configuration file.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Gets configured rules and their filters on a Sysmon XML configuration file for each event type.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>Get-SysmonRule</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to parse rules for.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>Get-SysmonRule</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path 
to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to parse rules for.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to parse rules for.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True 
(ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n<dev:code>Get-SysmonConfigOptions -Path .\\pc_cofig.xml -Verbose\n\nHashing      : SHA1,IMPHASH\nNetwork      : Enabled\nImageLoading : Enabled\nComment      : Config for helpdesk PCs.</dev:code>\n<dev:remarks><maml:para>\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>New-SysmonConfiguration</command:name>\n<command:verb>New</command:verb>\n<command:noun>SysmonConfiguration</command:noun>\n<maml:description><maml:para>Creates a new Sysmon XML configuration 
file.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Creates a new Sysmon XML configuration file. Configuration options and a descriptive comment can be given when generating the XML config file.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>New-SysmonConfiguration</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to write XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>HashingAlgorithm</maml:name>\n<maml:Description><maml:para>Specify one or more hash algorithms used for image identification\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>NetworkConnect</maml:name>\n<maml:Description><maml:para>Enable all NetworkConnect events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" 
aliases=\"none\"><maml:name>DriverLoad</maml:name>\n<maml:Description><maml:para>Enable all DriverLoad events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>ImageLoad</maml:name>\n<maml:Description><maml:para>Enable all ImageLoad events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\"><maml:name>CreateRemoteThread</maml:name>\n<maml:Description><maml:para>Enable all CreateRemoteThread events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"6\" aliases=\"none\"><maml:name>FileCreateTime</maml:name>\n<maml:Description><maml:para>Enable all FileCreateTime events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"7\" aliases=\"none\"><maml:name>ProcessCreate</maml:name>\n<maml:Description><maml:para>Enable all ProcessCreate events\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"8\" aliases=\"none\"><maml:name>ProcessTerminate</maml:name>\n<maml:Description><maml:para>Enable all ProcessTerminate events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>Comment</maml:name>\n<maml:Description><maml:para>Comment for purpose of the configuration file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>SchemaVersion</maml:name>\n<maml:Description><maml:para>Schema Version for the configuration file, default is 3.3.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>3.0</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>CheckRevocation</maml:name>\n<maml:Description><maml:para>Check for signature certificate revocation.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>FileCreate</maml:name>\n<maml:Description><maml:para>Log File Creation events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>FileCreateStreamHash</maml:name>\n<maml:Description><maml:para>Log File Creation events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>ProcessAccess</maml:name>\n<maml:Description><maml:para>Log when a running process opens another process.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>RawAccessRead</maml:name>\n<maml:Description><maml:para>Log raw access reads of files.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" 
aliases=\"none\"><maml:name>RegistryEvent</maml:name>\n<maml:Description><maml:para>Log Registry events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>PipeEvent</maml:name>\n<maml:Description><maml:para>Log NamedPipes connection and creations events.\n</maml:para>\n</maml:Description>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to write XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>HashingAlgorithm</maml:name>\n<maml:Description><maml:para>Specify one or more hash algorithms used for image identification\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" 
aliases=\"none\"><maml:name>NetworkConnect</maml:name>\n<maml:Description><maml:para>Enable all NetworkConnect events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>DriverLoad</maml:name>\n<maml:Description><maml:para>Enable all DriverLoad events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>ImageLoad</maml:name>\n<maml:Description><maml:para>Enable all ImageLoad events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"5\" aliases=\"none\"><maml:name>CreateRemoteThread</maml:name>\n<maml:Description><maml:para>Enable all CreateRemoteThread events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"6\" aliases=\"none\"><maml:name>FileCreateTime</maml:name>\n<maml:Description><maml:para>Enable all FileCreateTime events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"7\" aliases=\"none\"><maml:name>ProcessCreate</maml:name>\n<maml:Description><maml:para>Enable all ProcessCreate events\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"8\" aliases=\"none\"><maml:name>ProcessTerminate</maml:name>\n<maml:Description><maml:para>Enable all ProcessTerminate events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>Comment</maml:name>\n<maml:Description><maml:para>Comment for purpose of the configuration 
file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>SchemaVersion</maml:name>\n<maml:Description><maml:para>Schema version for the configuration file, default is 3.3.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>3.0</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>CheckRevocation</maml:name>\n<maml:Description><maml:para>Check for signature certificate revocation.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>FileCreate</maml:name>\n<maml:Description><maml:para>Log File Creation events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" 
pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>FileCreateStreamHash</maml:name>\n<maml:Description><maml:para>Log File Creation events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>ProcessAccess</maml:name>\n<maml:Description><maml:para>Log when a running process opens another process.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>RawAccessRead</maml:name>\n<maml:Description><maml:para>Log raw access reads of files.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>RegistryEvent</maml:name>\n<maml:Description><maml:para>Log Registry events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" 
variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>PipeEvent</maml:name>\n<maml:Description><maml:para>Log named pipe connection and creation events.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"false\" variableLength=\"false\">SwitchParameter</command:parameterValue>\n<dev:type><maml:name>SwitchParameter</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>False</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.String</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.Management.Automation.SwitchParameter</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n<dev:code>New-SysmonConfiguration -ConfigFile .\\pc_cofig.xml -HashingAlgorithm SHA1,IMPHASH -Network -ImageLoading -Comment \"Config for helpdesk PCs.\" -Verbose\n\nVERBOSE: Enabling hashing algorithms : SHA1,IMPHASH\nVERBOSE: Enabling network connection logging.\nVERBOSE: Enabling image loading logging.\nVERBOSE: Config file created as 
C:\\\\pc_cofig.xml</dev:code>\n<dev:remarks><maml:para>Create a configuration file that logs all network connections and image loading, and sets a descriptive comment.\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>New-SysmonDriverLoadFilter</command:name>\n<command:verb>New</command:verb>\n<command:noun>SysmonDriverLoadFilter</command:noun>\n<maml:description><maml:para>Create a new filter for the logging of driver loading by the system.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Create a new filter for the logging of driver loading by the system.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>New-SysmonDriverLoadFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a match of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" 
variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>New-SysmonDriverLoadFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" 
aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a match of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" 
globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a match of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>Example 1</maml:title>\n<dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n<dev:remarks><maml:para>{{ Add example description here }}\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>New-SysmonImageLoadFilter</command:name>\n<command:verb>New</command:verb>\n<command:noun>SysmonImageLoadFilter</command:noun>\n<maml:description><maml:para>Create a new filter for the logging of the loading of images (example: DLL, OCX) by processes.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Create a new filter for the logging of the loading of images (example: DLL, OCX) by processes under the ImageLoad Rule in a SysMon configuration 
file.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>New-SysmonImageLoadFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be 
evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>New-SysmonImageLoadFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" 
variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" 
variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value 
of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n<dev:code>New-SysmonImageLoadFilter -Path .\\sysmon.xml -OnMatch include -Condition Contains -EventField Image -Value wshom.ocx,scrrun.dll,vbscript.dll,mshtml.dll,System.Management.Automation.ni.dll,System.Management.Automation.dll</dev:code>\n<dev:remarks><maml:para>Create a rule to log the loading of scripting components that can be 
abused by a malicious process.\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>New-SysmonNetworkConnectFilter</command:name>\n<command:verb>New</command:verb>\n<command:noun>SysmonNetworkConnectFilter</command:noun>\n<maml:description><maml:para>Create a new filter for the logging of TCP, UDP and ICP network connections by a process.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Create a new filter for the logging of TCP, UDP and ICP network connections by a process.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>New-SysmonNetworkConnectFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a match of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>New-SysmonNetworkConnectFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule 
XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>Example 1</maml:title>\n<dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n<dev:remarks><maml:para>{{ Add example description here }}\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>New-SysmonProcessCreateFilter</command:name>\n<command:verb>New</command:verb>\n<command:noun>SysmonProcessCreateFilter</command:noun>\n<maml:description><maml:para>Create a new filter for the logging of the creation of new processes.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Create a new filter for the logging of the creation of new processes.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>New-SysmonProcessCreateFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" 
globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>New-SysmonProcessCreateFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for 
matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" 
pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>Example 1</maml:title>\n<dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n<dev:remarks><maml:para>{{ Add example description here }}\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" 
xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>New-SysmonProcessTerminateFilter</command:name>\n<command:verb>New</command:verb>\n<command:noun>SysmonProcessTerminateFilter</command:noun>\n<maml:description><maml:para>Create a new filter for the logging of process termination.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Create a new filter for the logging of process termination.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>New-SysmonProcessTerminateFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" 
variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>New-SysmonProcessTerminateFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" 
aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition to use for matching the value of an eventfield.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event Field to be 
evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of field that will be evaluated.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Literal path to SysMon rule XML file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>Example 1</maml:title>\n<dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n<dev:remarks><maml:para>{{ Add example description here }}\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>Remove-SysmonRule</command:name>\n<command:verb>Remove</command:verb>\n<command:noun>SysmonRule</command:noun>\n<maml:description><maml:para>Removes on or more rules from a Sysmon XML configuration file.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Removes on or more rules from a Sysmon XML configuration file.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>Remove-SysmonRule</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to remove. It is case sensitive.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>Remove-SysmonRule</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to remove. It is case sensitive.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to remove. 
It is case sensitive.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 
--------------------------</maml:title>\n<dev:code>Remove-SysmonRule -Path .\\pc_marketing.xml -EventType ImageLoad,NetworkConnect -Verbose\nVERBOSE: Removed rule for ImageLoad.\nVERBOSE: Removed rule for NetworkConnect.</dev:code>\n<dev:remarks><maml:para>\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>Remove-SysmonRuleFilter</command:name>\n<command:verb>Remove</command:verb>\n<command:noun>SysmonRuleFilter</command:noun>\n<maml:description><maml:para>Removes an existing SysMon filter rule for a given event type.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Removes an existing SysMon filter rule for a given event type.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>Remove-SysmonRuleFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to remove filter rule from. 
It is case sensitive.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition used against the event field value.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event field for the given event type.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"5\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of event field.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>Remove-SysmonRuleFilter</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to remove filter rule from. 
It is case sensitive.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition used against the event field value.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event field for the given event type.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"5\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of event field.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to remove filter rule from. 
It is case sensitive.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"3\" aliases=\"none\"><maml:name>Condition</maml:name>\n<maml:Description><maml:para>Condition used against the event field value.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"4\" aliases=\"none\"><maml:name>EventField</maml:name>\n<maml:Description><maml:para>Event field for the given event type.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" 
position=\"5\" aliases=\"none\"><maml:name>Value</maml:name>\n<maml:Description><maml:para>Value of event field.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>Example 1</maml:title>\n<dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n<dev:remarks><maml:para>{{ Add example description here }}\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command 
xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>Set-SysmonHashingAlgorithm</command:name>\n<command:verb>Set</command:verb>\n<command:noun>SysmonHashingAlgorithm</command:noun>\n<maml:description><maml:para>Set the hashing algorithms to use against process, library and driver images.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Set the hashing algorithms to use against process, library and driver images.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>Set-SysmonHashingAlgorithm</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>HashingAlgorithm</maml:name>\n<maml:Description><maml:para>Specify one or more hash algorithms used for image identification\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>Set-SysmonHashingAlgorithm</maml:name>\n<command:parameter required=\"true\" 
variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>HashingAlgorithm</maml:name>\n<maml:Description><maml:para>Specify one or more hash algorithms used for image identification\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>HashingAlgorithm</maml:name>\n<maml:Description><maml:para>Specify one or more hash algorithms used for image identification\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" 
variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>Example 1</maml:title>\n<dev:code>PS C:\\&gt; {{ Add example code here }}</dev:code>\n<dev:remarks><maml:para>{{ Add example description here }}\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n<command:command xmlns:maml=\"http://schemas.microsoft.com/maml/2004/10\" xmlns:command=\"http://schemas.microsoft.com/maml/dev/command/2004/10\" xmlns:dev=\"http://schemas.microsoft.com/maml/dev/2004/10\" 
xmlns:MSHelp=\"http://msdn.microsoft.com/mshelp\">\n<command:details><command:name>Set-SysmonRule</command:name>\n<command:verb>Set</command:verb>\n<command:noun>SysmonRule</command:noun>\n<maml:description><maml:para>Creates a Rule and sets its default action in a Sysmon configuration XML file.\n</maml:para>\n</maml:description>\n</command:details>\n<maml:description><maml:para>Creates a rule for a specified event type and sets the default action for the rule and the filters under it. If a rule already exists, it updates the default action taken by that event type rule. The default is exclude. This default is set per event type and affects all filters under it.\n</maml:para>\n</maml:description>\n<command:syntax><command:syntaxItem><maml:name>Set-SysmonRule</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to update.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" 
aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>Action</maml:name>\n<maml:Description><maml:para>@{Text=}\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n<command:syntaxItem><maml:name>Set-SysmonRule</maml:name>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to update.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>Action</maml:name>\n<maml:Description><maml:para>@{Text=}\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:syntaxItem>\n</command:syntax>\n<command:parameters><command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"none\"><maml:name>Path</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"1\" aliases=\"none\"><maml:name>EventType</maml:name>\n<maml:Description><maml:para>Event type to update.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" 
variableLength=\"false\">String[]</command:parameterValue>\n<dev:type><maml:name>String[]</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"2\" aliases=\"none\"><maml:name>OnMatch</maml:name>\n<maml:Description><maml:para>Rule filter action on a macth of any filter under the rule.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"false\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"named\" aliases=\"none\"><maml:name>Action</maml:name>\n<maml:Description><maml:para>@{Text=}\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">String</command:parameterValue>\n<dev:type><maml:name>String</maml:name>\n<maml:uri /></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n<command:parameter required=\"true\" variableLength=\"true\" globbing=\"false\" pipelineInput=\"True (ByPropertyName)\" position=\"0\" aliases=\"PSPath\"><maml:name>LiteralPath</maml:name>\n<maml:Description><maml:para>Path to XML config file.\n</maml:para>\n</maml:Description>\n<command:parameterValue required=\"true\" variableLength=\"false\">Object</command:parameterValue>\n<dev:type><maml:name>Object</maml:name>\n<maml:uri 
/></dev:type>\n<dev:defaultValue>None</dev:defaultValue>\n</command:parameter>\n</command:parameters>\n<command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String[]</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n<command:inputType><dev:type><maml:name>System.String</maml:name>\n</dev:type>\n<maml:description><maml:para>\n</maml:para>\n</maml:description>\n</command:inputType>\n</command:inputTypes>\n<command:returnValues></command:returnValues>\n<maml:alertSet><maml:alert><maml:para>\n</maml:para>\n</maml:alert>\n</maml:alertSet>\n<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>\n<dev:code>Get-SysmonRule -Path .\\pc_cofig.xml -EventType NetworkConnect -OnMatch Exclude\n\nEventType     : NetworkConnect\n Scope         : Filtered\n DefaultAction : Exclude\n Filters       : {@{EventField=image; Condition=Is; Value=iexplorer.exe}}\n\nPS C:\\&gt; Set-SysmonRule -Path .\\pc_cofig.xml -EventType NetworkConnect -Action Include -Verbose\nVERBOSE: Setting as default action for NetworkConnect the action of Include.\nVERBOSE: Action has been set.\n\nPS C:\\&gt; Get-SysmonRule -Path .\\pc_cofig.xml -EventType NetworkConnect\n\n\nEventType     : NetworkConnect\nScope         : Filtered\nDefaultAction : Include\nFilters       : {@{EventField=image; Condition=Is; Value=iexplorer.exe}}</dev:code>\n<dev:remarks><maml:para>Changes the default rule action, causing the filter to ignore all traffic from iexplorer.exe.\n</maml:para>\n</dev:remarks>\n</command:example>\n</command:examples>\n<command:relatedLinks></command:relatedLinks>\n</command:command>\n</helpItems>\n"
  },
  {
    "path": "lib/sysmon3_1.dtd",
    "content": "<!ELEMENT Sysmon (EventFiltering|HashAlgorithms|ProcessAccessConfig|CheckRevocation)*>\n<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>\n<!ELEMENT EventFiltering (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess)*>\n<!ELEMENT ProcessCreate (UtcTime|ProcessGuid|ProcessId|Image|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|IntegrityLevel|Hashes|ParentProcessGuid|ParentProcessId|ParentImage|ParentCommandLine)*>\n<!ATTLIST ProcessCreate onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ProcessCreate default (include|exclude) #IMPLIED>\n<!ELEMENT UtcTime (#PCDATA)*>\n<!ATTLIST UtcTime condition CDATA \"is\">\n<!ELEMENT ProcessGuid (#PCDATA)*>\n<!ATTLIST ProcessGuid condition CDATA \"is\">\n<!ELEMENT ProcessId (#PCDATA)*>\n<!ATTLIST ProcessId condition CDATA \"is\">\n<!ELEMENT Image (#PCDATA)*>\n<!ATTLIST Image condition CDATA \"is\">\n<!ELEMENT CommandLine (#PCDATA)*>\n<!ATTLIST CommandLine condition CDATA \"is\">\n<!ELEMENT CurrentDirectory (#PCDATA)*>\n<!ATTLIST CurrentDirectory condition CDATA \"is\">\n<!ELEMENT User (#PCDATA)*>\n<!ATTLIST User condition CDATA \"is\">\n<!ELEMENT LogonGuid (#PCDATA)*>\n<!ATTLIST LogonGuid condition CDATA \"is\">\n<!ELEMENT LogonId (#PCDATA)*>\n<!ATTLIST LogonId condition CDATA \"is\">\n<!ELEMENT TerminalSessionId (#PCDATA)*>\n<!ATTLIST TerminalSessionId condition CDATA \"is\">\n<!ELEMENT IntegrityLevel (#PCDATA)*>\n<!ATTLIST IntegrityLevel condition CDATA \"is\">\n<!ELEMENT Hashes (#PCDATA)*>\n<!ATTLIST Hashes condition CDATA \"is\">\n<!ELEMENT ParentProcessGuid (#PCDATA)*>\n<!ATTLIST ParentProcessGuid condition CDATA \"is\">\n<!ELEMENT ParentProcessId (#PCDATA)*>\n<!ATTLIST ParentProcessId condition CDATA \"is\">\n<!ELEMENT ParentImage (#PCDATA)*>\n<!ATTLIST ParentImage condition CDATA \"is\">\n<!ELEMENT ParentCommandLine (#PCDATA)*>\n<!ATTLIST ParentCommandLine condition CDATA \"is\">\n<!ELEMENT FileCreateTime 
(UtcTime|ProcessGuid|ProcessId|Image|TargetFilename|CreationUtcTime|PreviousCreationUtcTime)*>\n<!ATTLIST FileCreateTime onmatch (include|exclude) #IMPLIED>\n<!ATTLIST FileCreateTime default (include|exclude) #IMPLIED>\n<!ELEMENT TargetFilename (#PCDATA)*>\n<!ATTLIST TargetFilename condition CDATA \"is\">\n<!ELEMENT CreationUtcTime (#PCDATA)*>\n<!ATTLIST CreationUtcTime condition CDATA \"is\">\n<!ELEMENT PreviousCreationUtcTime (#PCDATA)*>\n<!ATTLIST PreviousCreationUtcTime condition CDATA \"is\">\n<!ELEMENT NetworkConnect (UtcTime|ProcessGuid|ProcessId|Image|User|Protocol|Initiated|SourceIsIpv6|SourceIp|SourceHostname|SourcePort|SourcePortName|DestinationIsIpv6|DestinationIp|DestinationHostname|DestinationPort|DestinationPortName)*>\n<!ATTLIST NetworkConnect onmatch (include|exclude) #IMPLIED>\n<!ATTLIST NetworkConnect default (include|exclude) #IMPLIED>\n<!ELEMENT Protocol (#PCDATA)*>\n<!ATTLIST Protocol condition CDATA \"is\">\n<!ELEMENT Initiated (#PCDATA)*>\n<!ATTLIST Initiated condition CDATA \"is\">\n<!ELEMENT SourceIsIpv6 (#PCDATA)*>\n<!ATTLIST SourceIsIpv6 condition CDATA \"is\">\n<!ELEMENT SourceIp (#PCDATA)*>\n<!ATTLIST SourceIp condition CDATA \"is\">\n<!ELEMENT SourceHostname (#PCDATA)*>\n<!ATTLIST SourceHostname condition CDATA \"is\">\n<!ELEMENT SourcePort (#PCDATA)*>\n<!ATTLIST SourcePort condition CDATA \"is\">\n<!ELEMENT SourcePortName (#PCDATA)*>\n<!ATTLIST SourcePortName condition CDATA \"is\">\n<!ELEMENT DestinationIsIpv6 (#PCDATA)*>\n<!ATTLIST DestinationIsIpv6 condition CDATA \"is\">\n<!ELEMENT DestinationIp (#PCDATA)*>\n<!ATTLIST DestinationIp condition CDATA \"is\">\n<!ELEMENT DestinationHostname (#PCDATA)*>\n<!ATTLIST DestinationHostname condition CDATA \"is\">\n<!ELEMENT DestinationPort (#PCDATA)*>\n<!ATTLIST DestinationPort condition CDATA \"is\">\n<!ELEMENT DestinationPortName (#PCDATA)*>\n<!ATTLIST DestinationPortName condition CDATA \"is\">\n<!ELEMENT ProcessTerminate (UtcTime|ProcessGuid|ProcessId|Image)*>\n<!ATTLIST ProcessTerminate 
onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ProcessTerminate default (include|exclude) #IMPLIED>\n<!ELEMENT DriverLoad (UtcTime|ImageLoaded|Hashes|Signed|Signature)*>\n<!ATTLIST DriverLoad onmatch (include|exclude) #IMPLIED>\n<!ATTLIST DriverLoad default (include|exclude) #IMPLIED>\n<!ELEMENT ImageLoaded (#PCDATA)*>\n<!ATTLIST ImageLoaded condition CDATA \"is\">\n<!ELEMENT Signed (#PCDATA)*>\n<!ATTLIST Signed condition CDATA \"is\">\n<!ELEMENT Signature (#PCDATA)*>\n<!ATTLIST Signature condition CDATA \"is\">\n<!ELEMENT ImageLoad (UtcTime|ProcessGuid|ProcessId|Image|ImageLoaded|Hashes|Signed|Signature)*>\n<!ATTLIST ImageLoad onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ImageLoad default (include|exclude) #IMPLIED>\n<!ELEMENT CreateRemoteThread (UtcTime|SourceProcessGuid|SourceProcessId|SourceImage|TargetProcessGuid|TargetProcessId|TargetImage|NewThreadId|StartAddress|StartModule|StartFunction)*>\n<!ATTLIST CreateRemoteThread onmatch (include|exclude) #IMPLIED>\n<!ATTLIST CreateRemoteThread default (include|exclude) #IMPLIED>\n<!ELEMENT SourceProcessGuid (#PCDATA)*>\n<!ATTLIST SourceProcessGuid condition CDATA \"is\">\n<!ELEMENT SourceProcessId (#PCDATA)*>\n<!ATTLIST SourceProcessId condition CDATA \"is\">\n<!ELEMENT SourceImage (#PCDATA)*>\n<!ATTLIST SourceImage condition CDATA \"is\">\n<!ELEMENT TargetProcessGuid (#PCDATA)*>\n<!ATTLIST TargetProcessGuid condition CDATA \"is\">\n<!ELEMENT TargetProcessId (#PCDATA)*>\n<!ATTLIST TargetProcessId condition CDATA \"is\">\n<!ELEMENT TargetImage (#PCDATA)*>\n<!ATTLIST TargetImage condition CDATA \"is\">\n<!ELEMENT NewThreadId (#PCDATA)*>\n<!ATTLIST NewThreadId condition CDATA \"is\">\n<!ELEMENT StartAddress (#PCDATA)*>\n<!ATTLIST StartAddress condition CDATA \"is\">\n<!ELEMENT StartModule (#PCDATA)*>\n<!ATTLIST StartModule condition CDATA \"is\">\n<!ELEMENT StartFunction (#PCDATA)*>\n<!ATTLIST StartFunction condition CDATA \"is\">\n<!ELEMENT RawAccessRead (UtcTime|ProcessGuid|ProcessId|Image|Device)*>\n<!ATTLIST 
RawAccessRead onmatch (include|exclude) #IMPLIED>\n<!ATTLIST RawAccessRead default (include|exclude) #IMPLIED>\n<!ELEMENT Device (#PCDATA)*>\n<!ATTLIST Device condition CDATA \"is\">\n<!ELEMENT ProcessAccess (UtcTime|SourceProcessGUID|SourceProcessId|SourceThreadId|SourceImage|TargetProcessGUID|TargetProcessId|TargetImage|GrantedAccess|CallTrace)*>\n<!ATTLIST ProcessAccess onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ProcessAccess default (include|exclude) #IMPLIED>\n<!ELEMENT SourceProcessGUID (#PCDATA)*>\n<!ATTLIST SourceProcessGUID condition CDATA \"is\">\n<!ELEMENT SourceThreadId (#PCDATA)*>\n<!ATTLIST SourceThreadId condition CDATA \"is\">\n<!ELEMENT TargetProcessGUID (#PCDATA)*>\n<!ATTLIST TargetProcessGUID condition CDATA \"is\">\n<!ELEMENT GrantedAccess (#PCDATA)*>\n<!ATTLIST GrantedAccess condition CDATA \"is\">\n<!ELEMENT CallTrace (#PCDATA)*>\n<!ATTLIST CallTrace condition CDATA \"is\">\n<!ELEMENT HashAlgorithms (#PCDATA)>\n<!ELEMENT ProcessAccessConfig (#PCDATA)>\n<!ELEMENT CheckRevocation EMPTY>"
  },
  {
    "path": "lib/sysmon3_2.dtd",
    "content": "<!ELEMENT Sysmon (EventFiltering|HashAlgorithms|ProcessAccessConfig|CheckRevocation)*>\n<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>\n<!ELEMENT EventFiltering (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash)*>\n<!ELEMENT ProcessCreate (UtcTime|ProcessGuid|ProcessId|Image|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|IntegrityLevel|Hashes|ParentProcessGuid|ParentProcessId|ParentImage|ParentCommandLine)*>\n<!ATTLIST ProcessCreate onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ProcessCreate default (include|exclude) #IMPLIED>\n<!ELEMENT UtcTime (#PCDATA)*>\n<!ATTLIST UtcTime condition CDATA \"is\">\n<!ELEMENT ProcessGuid (#PCDATA)*>\n<!ATTLIST ProcessGuid condition CDATA \"is\">\n<!ELEMENT ProcessId (#PCDATA)*>\n<!ATTLIST ProcessId condition CDATA \"is\">\n<!ELEMENT Image (#PCDATA)*>\n<!ATTLIST Image condition CDATA \"is\">\n<!ELEMENT CommandLine (#PCDATA)*>\n<!ATTLIST CommandLine condition CDATA \"is\">\n<!ELEMENT CurrentDirectory (#PCDATA)*>\n<!ATTLIST CurrentDirectory condition CDATA \"is\">\n<!ELEMENT User (#PCDATA)*>\n<!ATTLIST User condition CDATA \"is\">\n<!ELEMENT LogonGuid (#PCDATA)*>\n<!ATTLIST LogonGuid condition CDATA \"is\">\n<!ELEMENT LogonId (#PCDATA)*>\n<!ATTLIST LogonId condition CDATA \"is\">\n<!ELEMENT TerminalSessionId (#PCDATA)*>\n<!ATTLIST TerminalSessionId condition CDATA \"is\">\n<!ELEMENT IntegrityLevel (#PCDATA)*>\n<!ATTLIST IntegrityLevel condition CDATA \"is\">\n<!ELEMENT Hashes (#PCDATA)*>\n<!ATTLIST Hashes condition CDATA \"is\">\n<!ELEMENT ParentProcessGuid (#PCDATA)*>\n<!ATTLIST ParentProcessGuid condition CDATA \"is\">\n<!ELEMENT ParentProcessId (#PCDATA)*>\n<!ATTLIST ParentProcessId condition CDATA \"is\">\n<!ELEMENT ParentImage (#PCDATA)*>\n<!ATTLIST ParentImage condition CDATA \"is\">\n<!ELEMENT ParentCommandLine (#PCDATA)*>\n<!ATTLIST 
ParentCommandLine condition CDATA \"is\">\n<!ELEMENT FileCreateTime (UtcTime|ProcessGuid|ProcessId|Image|TargetFilename|CreationUtcTime|PreviousCreationUtcTime)*>\n<!ATTLIST FileCreateTime onmatch (include|exclude) #IMPLIED>\n<!ATTLIST FileCreateTime default (include|exclude) #IMPLIED>\n<!ELEMENT TargetFilename (#PCDATA)*>\n<!ATTLIST TargetFilename condition CDATA \"is\">\n<!ELEMENT CreationUtcTime (#PCDATA)*>\n<!ATTLIST CreationUtcTime condition CDATA \"is\">\n<!ELEMENT PreviousCreationUtcTime (#PCDATA)*>\n<!ATTLIST PreviousCreationUtcTime condition CDATA \"is\">\n<!ELEMENT NetworkConnect (UtcTime|ProcessGuid|ProcessId|Image|User|Protocol|Initiated|SourceIsIpv6|SourceIp|SourceHostname|SourcePort|SourcePortName|DestinationIsIpv6|DestinationIp|DestinationHostname|DestinationPort|DestinationPortName)*>\n<!ATTLIST NetworkConnect onmatch (include|exclude) #IMPLIED>\n<!ATTLIST NetworkConnect default (include|exclude) #IMPLIED>\n<!ELEMENT Protocol (#PCDATA)*>\n<!ATTLIST Protocol condition CDATA \"is\">\n<!ELEMENT Initiated (#PCDATA)*>\n<!ATTLIST Initiated condition CDATA \"is\">\n<!ELEMENT SourceIsIpv6 (#PCDATA)*>\n<!ATTLIST SourceIsIpv6 condition CDATA \"is\">\n<!ELEMENT SourceIp (#PCDATA)*>\n<!ATTLIST SourceIp condition CDATA \"is\">\n<!ELEMENT SourceHostname (#PCDATA)*>\n<!ATTLIST SourceHostname condition CDATA \"is\">\n<!ELEMENT SourcePort (#PCDATA)*>\n<!ATTLIST SourcePort condition CDATA \"is\">\n<!ELEMENT SourcePortName (#PCDATA)*>\n<!ATTLIST SourcePortName condition CDATA \"is\">\n<!ELEMENT DestinationIsIpv6 (#PCDATA)*>\n<!ATTLIST DestinationIsIpv6 condition CDATA \"is\">\n<!ELEMENT DestinationIp (#PCDATA)*>\n<!ATTLIST DestinationIp condition CDATA \"is\">\n<!ELEMENT DestinationHostname (#PCDATA)*>\n<!ATTLIST DestinationHostname condition CDATA \"is\">\n<!ELEMENT DestinationPort (#PCDATA)*>\n<!ATTLIST DestinationPort condition CDATA \"is\">\n<!ELEMENT DestinationPortName (#PCDATA)*>\n<!ATTLIST DestinationPortName condition CDATA \"is\">\n<!ELEMENT ProcessTerminate 
(UtcTime|ProcessGuid|ProcessId|Image)*>\n<!ATTLIST ProcessTerminate onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ProcessTerminate default (include|exclude) #IMPLIED>\n<!ELEMENT DriverLoad (UtcTime|ImageLoaded|Hashes|Signed|SignatureStatus|Signature)*>\n<!ATTLIST DriverLoad onmatch (include|exclude) #IMPLIED>\n<!ATTLIST DriverLoad default (include|exclude) #IMPLIED>\n<!ELEMENT ImageLoaded (#PCDATA)*>\n<!ATTLIST ImageLoaded condition CDATA \"is\">\n<!ELEMENT Signed (#PCDATA)*>\n<!ATTLIST Signed condition CDATA \"is\">\n<!ELEMENT SignatureStatus (#PCDATA)*>\n<!ATTLIST SignatureStatus condition CDATA \"is\">\n<!ELEMENT Signature (#PCDATA)*>\n<!ATTLIST Signature condition CDATA \"is\">\n<!ELEMENT ImageLoad (UtcTime|ProcessGuid|ProcessId|Image|ImageLoaded|Hashes|Signed|SignatureStatus|Signature)*>\n<!ATTLIST ImageLoad onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ImageLoad default (include|exclude) #IMPLIED>\n<!ELEMENT CreateRemoteThread (UtcTime|SourceProcessGuid|SourceProcessId|SourceImage|TargetProcessGuid|TargetProcessId|TargetImage|NewThreadId|StartAddress|StartModule|StartFunction)*>\n<!ATTLIST CreateRemoteThread onmatch (include|exclude) #IMPLIED>\n<!ATTLIST CreateRemoteThread default (include|exclude) #IMPLIED>\n<!ELEMENT SourceProcessGuid (#PCDATA)*>\n<!ATTLIST SourceProcessGuid condition CDATA \"is\">\n<!ELEMENT SourceProcessId (#PCDATA)*>\n<!ATTLIST SourceProcessId condition CDATA \"is\">\n<!ELEMENT SourceImage (#PCDATA)*>\n<!ATTLIST SourceImage condition CDATA \"is\">\n<!ELEMENT TargetProcessGuid (#PCDATA)*>\n<!ATTLIST TargetProcessGuid condition CDATA \"is\">\n<!ELEMENT TargetProcessId (#PCDATA)*>\n<!ATTLIST TargetProcessId condition CDATA \"is\">\n<!ELEMENT TargetImage (#PCDATA)*>\n<!ATTLIST TargetImage condition CDATA \"is\">\n<!ELEMENT NewThreadId (#PCDATA)*>\n<!ATTLIST NewThreadId condition CDATA \"is\">\n<!ELEMENT StartAddress (#PCDATA)*>\n<!ATTLIST StartAddress condition CDATA \"is\">\n<!ELEMENT StartModule (#PCDATA)*>\n<!ATTLIST StartModule 
condition CDATA \"is\">\n<!ELEMENT StartFunction (#PCDATA)*>\n<!ATTLIST StartFunction condition CDATA \"is\">\n<!ELEMENT RawAccessRead (UtcTime|ProcessGuid|ProcessId|Image|Device)*>\n<!ATTLIST RawAccessRead onmatch (include|exclude) #IMPLIED>\n<!ATTLIST RawAccessRead default (include|exclude) #IMPLIED>\n<!ELEMENT Device (#PCDATA)*>\n<!ATTLIST Device condition CDATA \"is\">\n<!ELEMENT ProcessAccess (UtcTime|SourceProcessGUID|SourceProcessId|SourceThreadId|SourceImage|TargetProcessGUID|TargetProcessId|TargetImage|GrantedAccess|CallTrace)*>\n<!ATTLIST ProcessAccess onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ProcessAccess default (include|exclude) #IMPLIED>\n<!ELEMENT SourceProcessGUID (#PCDATA)*>\n<!ATTLIST SourceProcessGUID condition CDATA \"is\">\n<!ELEMENT SourceThreadId (#PCDATA)*>\n<!ATTLIST SourceThreadId condition CDATA \"is\">\n<!ELEMENT TargetProcessGUID (#PCDATA)*>\n<!ATTLIST TargetProcessGUID condition CDATA \"is\">\n<!ELEMENT GrantedAccess (#PCDATA)*>\n<!ATTLIST GrantedAccess condition CDATA \"is\">\n<!ELEMENT CallTrace (#PCDATA)*>\n<!ATTLIST CallTrace condition CDATA \"is\">\n<!ELEMENT FileCreate (UtcTime|ProcessGuid|ProcessId|Image|TargetFilename|CreationUtcTime)*>\n<!ATTLIST FileCreate onmatch (include|exclude) #IMPLIED>\n<!ATTLIST FileCreate default (include|exclude) #IMPLIED>\n<!ELEMENT RegistryEvent (UtcTime|ProcessGuid|ProcessId|Image|EventType|TargetObject)*>\n<!ATTLIST RegistryEvent onmatch (include|exclude) #IMPLIED>\n<!ATTLIST RegistryEvent default (include|exclude) #IMPLIED>\n<!ELEMENT EventType (#PCDATA)*>\n<!ATTLIST EventType condition CDATA \"is\">\n<!ELEMENT TargetObject (#PCDATA)*>\n<!ATTLIST TargetObject condition CDATA \"is\">\n<!ELEMENT RegistryEvent (UtcTime|ProcessGuid|ProcessId|Image|EventType|TargetObject|Details)*>\n<!ELEMENT Details (#PCDATA)*>\n<!ATTLIST Details condition CDATA \"is\">\n<!ELEMENT RegistryEvent (UtcTime|ProcessGuid|ProcessId|Image|EventType|TargetObject|NewName)*>\n<!ELEMENT NewName (#PCDATA)*>\n<!ATTLIST 
NewName condition CDATA \"is\">\n<!ELEMENT FileCreateStreamHash (UtcTime|ProcessGuid|ProcessId|Image|TargetFilename|CreationUtcTime|Hash)*>\n<!ATTLIST FileCreateStreamHash onmatch (include|exclude) #IMPLIED>\n<!ATTLIST FileCreateStreamHash default (include|exclude) #IMPLIED>\n<!ELEMENT Hash (#PCDATA)*>\n<!ATTLIST Hash condition CDATA \"is\">\n<!ELEMENT HashAlgorithms (#PCDATA)>\n<!ELEMENT ProcessAccessConfig (#PCDATA)>\n<!ELEMENT CheckRevocation EMPTY>"
  },
  {
    "path": "lib/sysmon3_3.dtd",
    "content": "<!ELEMENT Sysmon (EventFiltering|HashAlgorithms|ProcessAccessConfig|CheckRevocation|PipeMonitoringConfig)*>\n<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>\n<!ELEMENT EventFiltering (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash|PipeEvent|PipeEvent)*>\n<!ELEMENT ProcessCreate (UtcTime|ProcessGuid|ProcessId|Image|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|IntegrityLevel|Hashes|ParentProcessGuid|ParentProcessId|ParentImage|ParentCommandLine)*>\n<!ATTLIST ProcessCreate onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ProcessCreate default (include|exclude) #IMPLIED>\n<!ELEMENT UtcTime (#PCDATA)*>\n<!ATTLIST UtcTime condition CDATA \"is\">\n<!ELEMENT ProcessGuid (#PCDATA)*>\n<!ATTLIST ProcessGuid condition CDATA \"is\">\n<!ELEMENT ProcessId (#PCDATA)*>\n<!ATTLIST ProcessId condition CDATA \"is\">\n<!ELEMENT Image (#PCDATA)*>\n<!ATTLIST Image condition CDATA \"is\">\n<!ELEMENT CommandLine (#PCDATA)*>\n<!ATTLIST CommandLine condition CDATA \"is\">\n<!ELEMENT CurrentDirectory (#PCDATA)*>\n<!ATTLIST CurrentDirectory condition CDATA \"is\">\n<!ELEMENT User (#PCDATA)*>\n<!ATTLIST User condition CDATA \"is\">\n<!ELEMENT LogonGuid (#PCDATA)*>\n<!ATTLIST LogonGuid condition CDATA \"is\">\n<!ELEMENT LogonId (#PCDATA)*>\n<!ATTLIST LogonId condition CDATA \"is\">\n<!ELEMENT TerminalSessionId (#PCDATA)*>\n<!ATTLIST TerminalSessionId condition CDATA \"is\">\n<!ELEMENT IntegrityLevel (#PCDATA)*>\n<!ATTLIST IntegrityLevel condition CDATA \"is\">\n<!ELEMENT Hashes (#PCDATA)*>\n<!ATTLIST Hashes condition CDATA \"is\">\n<!ELEMENT ParentProcessGuid (#PCDATA)*>\n<!ATTLIST ParentProcessGuid condition CDATA \"is\">\n<!ELEMENT ParentProcessId (#PCDATA)*>\n<!ATTLIST ParentProcessId condition CDATA \"is\">\n<!ELEMENT ParentImage (#PCDATA)*>\n<!ATTLIST ParentImage condition CDATA \"is\">\n<!ELEMENT 
ParentCommandLine (#PCDATA)*>\n<!ATTLIST ParentCommandLine condition CDATA \"is\">\n<!ELEMENT FileCreateTime (UtcTime|ProcessGuid|ProcessId|Image|TargetFilename|CreationUtcTime|PreviousCreationUtcTime)*>\n<!ATTLIST FileCreateTime onmatch (include|exclude) #IMPLIED>\n<!ATTLIST FileCreateTime default (include|exclude) #IMPLIED>\n<!ELEMENT TargetFilename (#PCDATA)*>\n<!ATTLIST TargetFilename condition CDATA \"is\">\n<!ELEMENT CreationUtcTime (#PCDATA)*>\n<!ATTLIST CreationUtcTime condition CDATA \"is\">\n<!ELEMENT PreviousCreationUtcTime (#PCDATA)*>\n<!ATTLIST PreviousCreationUtcTime condition CDATA \"is\">\n<!ELEMENT NetworkConnect (UtcTime|ProcessGuid|ProcessId|Image|User|Protocol|Initiated|SourceIsIpv6|SourceIp|SourceHostname|SourcePort|SourcePortName|DestinationIsIpv6|DestinationIp|DestinationHostname|DestinationPort|DestinationPortName)*>\n<!ATTLIST NetworkConnect onmatch (include|exclude) #IMPLIED>\n<!ATTLIST NetworkConnect default (include|exclude) #IMPLIED>\n<!ELEMENT Protocol (#PCDATA)*>\n<!ATTLIST Protocol condition CDATA \"is\">\n<!ELEMENT Initiated (#PCDATA)*>\n<!ATTLIST Initiated condition CDATA \"is\">\n<!ELEMENT SourceIsIpv6 (#PCDATA)*>\n<!ATTLIST SourceIsIpv6 condition CDATA \"is\">\n<!ELEMENT SourceIp (#PCDATA)*>\n<!ATTLIST SourceIp condition CDATA \"is\">\n<!ELEMENT SourceHostname (#PCDATA)*>\n<!ATTLIST SourceHostname condition CDATA \"is\">\n<!ELEMENT SourcePort (#PCDATA)*>\n<!ATTLIST SourcePort condition CDATA \"is\">\n<!ELEMENT SourcePortName (#PCDATA)*>\n<!ATTLIST SourcePortName condition CDATA \"is\">\n<!ELEMENT DestinationIsIpv6 (#PCDATA)*>\n<!ATTLIST DestinationIsIpv6 condition CDATA \"is\">\n<!ELEMENT DestinationIp (#PCDATA)*>\n<!ATTLIST DestinationIp condition CDATA \"is\">\n<!ELEMENT DestinationHostname (#PCDATA)*>\n<!ATTLIST DestinationHostname condition CDATA \"is\">\n<!ELEMENT DestinationPort (#PCDATA)*>\n<!ATTLIST DestinationPort condition CDATA \"is\">\n<!ELEMENT DestinationPortName (#PCDATA)*>\n<!ATTLIST DestinationPortName condition 
CDATA \"is\">\n<!ELEMENT ProcessTerminate (UtcTime|ProcessGuid|ProcessId|Image)*>\n<!ATTLIST ProcessTerminate onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ProcessTerminate default (include|exclude) #IMPLIED>\n<!ELEMENT DriverLoad (UtcTime|ImageLoaded|Hashes|Signed|Signature|SignatureStatus)*>\n<!ATTLIST DriverLoad onmatch (include|exclude) #IMPLIED>\n<!ATTLIST DriverLoad default (include|exclude) #IMPLIED>\n<!ELEMENT ImageLoaded (#PCDATA)*>\n<!ATTLIST ImageLoaded condition CDATA \"is\">\n<!ELEMENT Signed (#PCDATA)*>\n<!ATTLIST Signed condition CDATA \"is\">\n<!ELEMENT Signature (#PCDATA)*>\n<!ATTLIST Signature condition CDATA \"is\">\n<!ELEMENT SignatureStatus (#PCDATA)*>\n<!ATTLIST SignatureStatus condition CDATA \"is\">\n<!ELEMENT ImageLoad (UtcTime|ProcessGuid|ProcessId|Image|ImageLoaded|Hashes|Signed|Signature|SignatureStatus)*>\n<!ATTLIST ImageLoad onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ImageLoad default (include|exclude) #IMPLIED>\n<!ELEMENT CreateRemoteThread (UtcTime|SourceProcessGuid|SourceProcessId|SourceImage|TargetProcessGuid|TargetProcessId|TargetImage|NewThreadId|StartAddress|StartModule|StartFunction)*>\n<!ATTLIST CreateRemoteThread onmatch (include|exclude) #IMPLIED>\n<!ATTLIST CreateRemoteThread default (include|exclude) #IMPLIED>\n<!ELEMENT SourceProcessGuid (#PCDATA)*>\n<!ATTLIST SourceProcessGuid condition CDATA \"is\">\n<!ELEMENT SourceProcessId (#PCDATA)*>\n<!ATTLIST SourceProcessId condition CDATA \"is\">\n<!ELEMENT SourceImage (#PCDATA)*>\n<!ATTLIST SourceImage condition CDATA \"is\">\n<!ELEMENT TargetProcessGuid (#PCDATA)*>\n<!ATTLIST TargetProcessGuid condition CDATA \"is\">\n<!ELEMENT TargetProcessId (#PCDATA)*>\n<!ATTLIST TargetProcessId condition CDATA \"is\">\n<!ELEMENT TargetImage (#PCDATA)*>\n<!ATTLIST TargetImage condition CDATA \"is\">\n<!ELEMENT NewThreadId (#PCDATA)*>\n<!ATTLIST NewThreadId condition CDATA \"is\">\n<!ELEMENT StartAddress (#PCDATA)*>\n<!ATTLIST StartAddress condition CDATA \"is\">\n<!ELEMENT StartModule 
(#PCDATA)*>\n<!ATTLIST StartModule condition CDATA \"is\">\n<!ELEMENT StartFunction (#PCDATA)*>\n<!ATTLIST StartFunction condition CDATA \"is\">\n<!ELEMENT RawAccessRead (UtcTime|ProcessGuid|ProcessId|Image|Device)*>\n<!ATTLIST RawAccessRead onmatch (include|exclude) #IMPLIED>\n<!ATTLIST RawAccessRead default (include|exclude) #IMPLIED>\n<!ELEMENT Device (#PCDATA)*>\n<!ATTLIST Device condition CDATA \"is\">\n<!ELEMENT ProcessAccess (UtcTime|SourceProcessGUID|SourceProcessId|SourceThreadId|SourceImage|TargetProcessGUID|TargetProcessId|TargetImage|GrantedAccess|CallTrace)*>\n<!ATTLIST ProcessAccess onmatch (include|exclude) #IMPLIED>\n<!ATTLIST ProcessAccess default (include|exclude) #IMPLIED>\n<!ELEMENT SourceProcessGUID (#PCDATA)*>\n<!ATTLIST SourceProcessGUID condition CDATA \"is\">\n<!ELEMENT SourceThreadId (#PCDATA)*>\n<!ATTLIST SourceThreadId condition CDATA \"is\">\n<!ELEMENT TargetProcessGUID (#PCDATA)*>\n<!ATTLIST TargetProcessGUID condition CDATA \"is\">\n<!ELEMENT GrantedAccess (#PCDATA)*>\n<!ATTLIST GrantedAccess condition CDATA \"is\">\n<!ELEMENT CallTrace (#PCDATA)*>\n<!ATTLIST CallTrace condition CDATA \"is\">\n<!ELEMENT FileCreate (UtcTime|ProcessGuid|ProcessId|Image|TargetFilename|CreationUtcTime)*>\n<!ATTLIST FileCreate onmatch (include|exclude) #IMPLIED>\n<!ATTLIST FileCreate default (include|exclude) #IMPLIED>\n<!ELEMENT RegistryEvent (EventType|UtcTime|ProcessGuid|ProcessId|Image|TargetObject)*>\n<!ATTLIST RegistryEvent onmatch (include|exclude) #IMPLIED>\n<!ATTLIST RegistryEvent default (include|exclude) #IMPLIED>\n<!ELEMENT EventType (#PCDATA)*>\n<!ATTLIST EventType condition CDATA \"is\">\n<!ELEMENT TargetObject (#PCDATA)*>\n<!ATTLIST TargetObject condition CDATA \"is\">\n<!ELEMENT RegistryEvent (EventType|UtcTime|ProcessGuid|ProcessId|Image|TargetObject|Details)*>\n<!ELEMENT Details (#PCDATA)*>\n<!ATTLIST Details condition CDATA \"is\">\n<!ELEMENT RegistryEvent (EventType|UtcTime|ProcessGuid|ProcessId|Image|TargetObject|NewName)*>\n<!ELEMENT 
NewName (#PCDATA)*>\n<!ATTLIST NewName condition CDATA \"is\">\n<!ELEMENT FileCreateStreamHash (UtcTime|ProcessGuid|ProcessId|Image|TargetFilename|CreationUtcTime|Hash)*>\n<!ATTLIST FileCreateStreamHash onmatch (include|exclude) #IMPLIED>\n<!ATTLIST FileCreateStreamHash default (include|exclude) #IMPLIED>\n<!ELEMENT Hash (#PCDATA)*>\n<!ATTLIST Hash condition CDATA \"is\">\n<!ELEMENT PipeEvent (UtcTime|ProcessGuid|ProcessId|PipeName|Image)*>\n<!ATTLIST PipeEvent onmatch (include|exclude) #IMPLIED>\n<!ATTLIST PipeEvent default (include|exclude) #IMPLIED>\n<!ELEMENT PipeName (#PCDATA)*>\n<!ATTLIST PipeName condition CDATA \"is\">\n<!ELEMENT HashAlgorithms (#PCDATA)>\n<!ELEMENT ProcessAccessConfig (#PCDATA)>\n<!ELEMENT CheckRevocation EMPTY>\n<!ELEMENT PipeMonitoringConfig (#PCDATA)>"
  }
]