├── .gitattributes ├── Config.ps1 ├── Filters.ps1 ├── Format ├── Sysmon.ConfigOption.ps1xml ├── Sysmon.Rule.Filter.ps1xml └── Sysmon.Rule.ps1xml ├── Functions ├── ConvertFrom-SysmonBinaryConfiguration.ps1 ├── ConvertTo-SysmonXMLConfiguration.ps1 ├── Get-SysmonConfiguration.ps1 ├── Get-SysmonEventData.ps1 ├── Get-SysmonHashingAlgorithm.ps1 ├── Get-SysmonRule.ps1 ├── Get-SysmonRuleFilter.ps1 ├── New-SysmonConfiguration.ps1 ├── New-SysmonCreateRemoteThreadFilter.ps1 ├── New-SysmonDriverLoadFilter.ps1 ├── New-SysmonFileCreateFilter.ps1 ├── New-SysmonFileCreateStreamHashFilter.ps1 ├── New-SysmonImageLoadFilter.ps1 ├── New-SysmonNetworkConnectFilter.ps1 ├── New-SysmonPipeFilter.ps1 ├── New-SysmonProcessAccessFilter.ps1 ├── New-SysmonProcessCreateFilter.ps1 ├── New-SysmonProcessTerminateFilter.ps1 ├── New-SysmonRawAccessReadFilter.ps1 ├── New-SysmonRegistryFilter.ps1 ├── New-SysmonWmiFilter.ps1 ├── Remove-SysmonRule.ps1 ├── Remove-SysmonRuleFilter.ps1 ├── Schemas │ ├── SysmonConfigurationSchema_3_40.xsd │ └── SysmonConfigurationSchema_4_00.xsd ├── Set-SysmonHashingAlgorithm.ps1 └── Set-SysmonRule.ps1 ├── LICENSE ├── Posh-SysMon.psm1 ├── Posh-Sysmon.psd1 ├── README.md ├── build.ps1 ├── docs ├── Get-SysmonEventData.md ├── Get-SysmonHashingAlgorithm.md ├── Get-SysmonRule.md ├── Get-SysmonRuleFilter.md ├── New-SysmonConfiguration.md ├── New-SysmonDriverLoadFilter.md ├── New-SysmonFileCreateFilter.md ├── New-SysmonFileCreateStreamHash.md ├── New-SysmonFileCreateStreamHashFilter.md ├── New-SysmonImageLoadFilter.md ├── New-SysmonNetworkConnectFilter.md ├── New-SysmonPipeEvent.md ├── New-SysmonPipeFilter.md ├── New-SysmonProcessAccessFilter.md ├── New-SysmonProcessCreateFilter.md ├── New-SysmonProcessTerminateFilter.md ├── New-SysmonRegistryEvent.md ├── New-SysmonRegistryFilter.md ├── Remove-SysmonRule.md ├── Remove-SysmonRuleFilter.md ├── Set-SysmonHashingAlgorithm.md └── Set-SysmonRule.md ├── en-US ├── Posh-SysMon-help.xml └── Posh-SysMon.psm1-Help.xml └── lib ├── sysmon3_1.dtd 
├── sysmon3_2.dtd └── sysmon3_3.dtd /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | *.sln merge=union 7 | *.csproj merge=union 8 | *.vbproj merge=union 9 | *.fsproj merge=union 10 | *.dbproj merge=union 11 | 12 | # Standard to msysgit 13 | *.doc diff=astextplain 14 | *.DOC diff=astextplain 15 | *.docx diff=astextplain 16 | *.DOCX diff=astextplain 17 | *.dot diff=astextplain 18 | *.DOT diff=astextplain 19 | *.pdf diff=astextplain 20 | *.PDF diff=astextplain 21 | *.rtf diff=astextplain 22 | *.RTF diff=astextplain 23 | 24 | # Custom for PowerShell*.psm1 text 25 | *.psd1 text 26 | *.psm1 text 27 | *.ps1xml text -------------------------------------------------------------------------------- /Format/Sysmon.ConfigOption.ps1xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Sysmon.ConfigOption 6 | 7 | Sysmon.ConfigOption 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | Hashing 16 | 17 | 18 | 19 | Network 20 | 21 | 22 | 23 | ImageLoading 24 | 25 | 26 | 27 | Comment 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /Format/Sysmon.Rule.Filter.ps1xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Sysmon.Rule.Filter 6 | 7 | Sysmon.Rule.Filter 8 | 9 | 10 | 11 | 12 | 12 13 | 14 | 15 | 12 16 | 17 | 18 | 50 19 | 20 | 21 | 22 | 23 | 24 | 25 | EventField 26 | 27 | 28 | Condition 29 | 30 | 31 | Value 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /Format/Sysmon.Rule.ps1xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Sysmon.Rule 6 | 7 | Sysmon.Rule 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | EventType 16 | 17 | 
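
Scope



DefaultAction



Filters








--------------------------------------------------------------------------------
/Functions/ConvertTo-SysmonXMLConfiguration.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS

Recovers a Sysmon XML configuration from a binary configuration.

.DESCRIPTION

ConvertTo-SysmonXMLConfiguration takes the parsed output from Get-SysmonConfiguration and converts it to an XML configuration. This function is useful for recovering lost Sysmon configurations or for performing reconnaissance.

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

Required Dependencies: Get-SysmonConfiguration
                       GeneratedCode.ps1

.PARAMETER Configuration

Specifies the parsed Sysmon configuration output from Get-SysmonConfiguration.

.EXAMPLE

Get-SysmonConfiguration | ConvertTo-SysmonXMLConfiguration

.EXAMPLE

$Configuration = Get-SysmonConfiguration
ConvertTo-SysmonXMLConfiguration -Configuration $Configuration

.INPUTS

Sysmon.Configuration

ConvertTo-SysmonXMLConfiguration accepts a single result from Get-SysmonConfiguration over the pipeline. Note: it will not accept input from Get-SysmonConfiguration when "-MatchExeOutput" is specified.

.OUTPUTS

System.String

Outputs a Sysmon XML configuration document.
#>
function ConvertTo-SysmonXMLConfiguration {
    [OutputType([String])]
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [PSTypeName('Sysmon.Configuration')]
        $Configuration
    )

    $SchemaVersion = $Configuration.SchemaVersion

    # The schema version was read out of a (binary) configuration and is used below to build both a
    # variable name and a .NET namespace name. Only accept the "major.minor" shape so that a malformed
    # value can never select anything other than one of the script-scoped $SysmonConfigSchemaSource_*
    # constants, and so that a bad value fails here with a readable message instead of deep in Add-Type.
    if ($SchemaVersion -notmatch '^\d+\.\d+$') {
        Write-Error "Unexpected schema version format: '$SchemaVersion'. Expected a value such as 4.00."
        return
    }

    $VersionSuffix = $SchemaVersion.Replace('.', '_')

    # Get the parsing code for the respective schema.
    # Code injection note: an attacker would be able to influence the schema version used. That would only influence what
    # non-injectible source code was supplied to Add-Type, however. $ConfigurationSchemaSource variables should always be
    # constant variables with script (i.e. module) scope.
    $SchemaSource = Get-Variable -Name "SysmonConfigSchemaSource_$VersionSuffix" -Scope Script -ValueOnly -ErrorAction SilentlyContinue

    # Fail clearly for an unknown version rather than letting Add-Type reject a null -TypeDefinition.
    if (-not $SchemaSource) {
        Write-Error "No schema serialization source is available for schema version $SchemaVersion."
        return
    }

    # Compile the parsing code
    Add-Type -TypeDefinition $SchemaSource -ReferencedAssemblies 'System.Xml' -ErrorAction Stop

    $NamespaceName = "Sysmon_$VersionSuffix"

    # Create a base "Sysmon" object. This serves as the root node that will eventually be serialized to XML.
    $Sysmon = New-Object -TypeName "$NamespaceName.Sysmon"

    $Sysmon.schemaversion = $Configuration.SchemaVersion

    if ($Configuration.CRLCheckingEnabled) { $Sysmon.CheckRevocation = New-Object -TypeName "$NamespaceName.SysmonCheckRevocation" }

    # The hashing algorithms need to be lower case in the XML config.
    $Sysmon.HashAlgorithms = ($Configuration.HashingAlgorithms | ForEach-Object { $_.ToLower() }) -join ','

    $ProcessAccessString = ($Configuration.ProcessAccess | ForEach-Object { "$($_.ProcessName):0x$($_.AccessMask.ToString('x'))" }) -join ','
    if ($ProcessAccessString) { $Sysmon.ProcessAccessConfig = $ProcessAccessString }

    # Do not consider redundant event types. A well-formed binary Sysmon rule blob will have
    # identical RegistryEvent, PipeEvent, and WmiEvent rule entries as of config schema version 3.4[0]
    $EventTypesToExclude = @(
        'RegistryEventSetValue',
        'RegistryEventDeleteKey',
        'PipeEventConnected',
        'WmiEventConsumer',
        'WmiEventConsumerToFilter'
    )

    # Group rules by their respective event types - a requirement for
    # setting properties properly in the SysmonEventFiltering instance.
    $EventGrouping = $Configuration.Rules |
        Where-Object { -not ($EventTypesToExclude -contains $_.EventType) } |
        Group-Object -Property EventType

    # A configuration can technically not have any EventFiltering rules.
    if ($EventGrouping) {
        $Sysmon.EventFiltering = New-Object -TypeName "$NamespaceName.SysmonEventFiltering"

        foreach ($Event in $EventGrouping) {
            # The name of the event - e.g. ProcessCreate, FileCreate, etc.
            $EventName = $Event.Name

            # Normalize these event names.
            # Have I mentioned that I hate that these aren't unique names in Sysmon?
            switch ($EventName) {
                'RegistryEventCreateKey' { $EventName = 'RegistryEvent' }
                'PipeEventCreated'       { $EventName = 'PipeEvent' }
                'WmiEventFilter'         { $EventName = 'WmiEvent' }
            }

            # At most one "include" and one "exclude" rule set may exist per event type.
            if ($Event.Count -gt 2) {
                Write-Error "There is more than two $EventName entries. This should not be possible."
                return
            }

            if (($Event.Count -eq 2) -and ($Event.Group[0].OnMatch -eq $Event.Group[1].OnMatch)) {
                Write-Error "The `"onmatch`" attribute values for the $EventName rules are not `"include`" and `"exclude`". This should not be possible."
                return
            }

            $Events = foreach ($RuleSet in $Event.Group) {
                # The dynamic typing that follows relies upon naming consistency in the schema serialization source code.
                $EventInstance = New-Object -TypeName "$NamespaceName.SysmonEventFiltering$EventName" -Property @{
                    onmatch = $RuleSet.OnMatch.ToLower()
                }

                # Property name (rule type) -> typed collection of rule instances for that property.
                $RuleDefs = @{}

                foreach ($Rule in $RuleSet.Rules) {
                    $PropertyName = $Rule.RuleType
                    # Since each property can be of a unique type, resolve it accordingly.
                    $PropertyTypeName = ("$NamespaceName.SysmonEventFiltering$EventName" -as [Type]).GetProperty($PropertyName).PropertyType.FullName.TrimEnd('[]')

                    if (-not $RuleDefs.ContainsKey($PropertyName)) {
                        $RuleDefs[$PropertyName] = New-Object -TypeName "Collections.ObjectModel.Collection``1[$PropertyTypeName]"
                    }

                    $RuleInstance = New-Object -TypeName $PropertyTypeName
                    # This needs to be lower case in the XML config.
                    $RuleInstance.condition = $Rule.Filter.ToLower()
                    # An exception is thrown here if the value has a space and it is being cast to an enum type.
                    # Currently, "Protected Process" is the only instance. I'll need to refactor this if more instances arise.
                    if ($Rule.RuleText -eq 'Protected Process') { $RuleInstance.Value = 'ProtectedProcess' } else { $RuleInstance.Value = $Rule.RuleText }

                    $RuleDefs[$PropertyName].Add($RuleInstance)
                }

                # Set the collected rule properties accordingly.
                foreach ($PropertyName in $RuleDefs.Keys) {
                    $EventInstance."$PropertyName" = $RuleDefs[$PropertyName]
                }

                $EventInstance
            }

            $EventPropertyName = $Events[0].GetType().Name.Substring('SysmonEventFiltering'.Length)
            $Sysmon.EventFiltering."$EventPropertyName" = $Events
        }
    }

    # Created outside the try block so the final ToString() below can never run against $null.
    $XmlStringBuilder = New-Object -TypeName Text.StringBuilder
    $XmlWriter = $null

    try {
        $XmlWriterSetting = New-Object -TypeName Xml.XmlWriterSettings
        # A Sysmon XML config is not expected to have an XML declaration line.
        $XmlWriterSetting.OmitXmlDeclaration = $True
        $XmlWriterSetting.Indent = $True
        # Use two spaces in place of a tab character.
        $XmlWriterSetting.IndentChars = '  '
        # Normalize newlines to CRLF.
        $XmlWriterSetting.NewLineHandling = [Xml.NewLineHandling]::Replace

        $XmlWriter = [Xml.XmlWriter]::Create($XmlStringBuilder, $XmlWriterSetting)

        $XmlSerializer = New-Object -TypeName Xml.Serialization.XmlSerializer -ArgumentList ("$NamespaceName.Sysmon" -as [Type]), ''
        # This will strip any additional "xmlns" attributes from the root Sysmon element.
        $EmptyNamespaces = New-Object -TypeName Xml.Serialization.XmlSerializerNamespaces
        $EmptyNamespaces.Add('', '')

        $XmlSerializer.Serialize($XmlWriter, $Sysmon, $EmptyNamespaces)
    } catch {
        # Report the serialization failure and emit nothing: a truncated config document
        # would look valid to a casual reader but would not reflect the binary configuration.
        Write-Error $_
        return
    } finally {
        if ($XmlWriter) { $XmlWriter.Close() }
    }

    $XmlStringBuilder.ToString()
}

--------------------------------------------------------------------------------
/Functions/Get-SysmonEventData.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
Searches for specified SysMon Events and returns the Event Data as a custom object.
.DESCRIPTION
Searches for specified SysMon Events and returns the Event Data as a custom object.
.EXAMPLE
Get-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1)

All process creation events in the last 24hr
.EXAMPLE
Get-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\export.evtx

last 20 network connection events from a exported SysMon log.
#>
function Get-SysmonEventData {
    [CmdletBinding(DefaultParameterSetName='ID',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonEventData.md')]
    Param (
        # Sysmon Event ID of records to show
        [Parameter(Mandatory=$true,
                   ParameterSetName='ID',
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [ValidateSet(1,2,3,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,255)]
        [Int32[]]
        $EventId,

        # EventType that a Rule can be written against.
        [Parameter(Mandatory=$false,
                   ParameterSetName='Type',
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string[]]
        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',
                     'ProcessTerminate', 'ImageLoad', 'DriverLoad',
                     'CreateRemoteThread', 'RawAccessRead', 'ProcessAccess', 'Error',
                     'FileCreateStreamHash', 'RegistryValueSet', 'RegistryRename',
                     'RegistryAddOrDelete', 'FileCreate','ConfigChange','PipeCreated',
                     'PipeConnected', 'WmiFilter', 'WmiConsumer', 'WmiBinding',
                     'DnsEvent', 'FileDelete', 'ClipboardChange', 'ProcessTampering')]
        $EventType,

        # Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [int]
        $MaxEvents,

        # Specifies a path to one or more exported SysMon events in evtx format.
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage='Path to one or more locations.')]
        [Alias('PSPath')]
        [ValidateNotNullOrEmpty()]
        [string[]]
        $Path,

        # Start Date to get all event going forward.
        [Parameter(Mandatory=$false)]
        [datetime]
        $StartTime,

        # End date for searching events.
        [Parameter(Mandatory=$false)]
        [datetime]
        $EndTime
    )

    Begin
    {
        # Friendly event type name -> Sysmon event ID.
        $EventTypeMap = @{
            ProcessCreate        = 1
            FileCreateTime       = 2
            NetworkConnect       = 3
            ProcessTerminate     = 5
            DriverLoad           = 6
            ImageLoad            = 7
            CreateRemoteThread   = 8
            RawAccessRead        = 9
            ProcessAccess        = 10
            FileCreate           = 11
            RegistryAddOrDelete  = 12
            RegistryValueSet     = 13
            RegistryRename       = 14
            FileCreateStreamHash = 15
            ConfigChange         = 16
            PipeCreated          = 17
            PipeConnected        = 18
            WmiFilter            = 19
            WmiConsumer          = 20
            WmiBinding           = 21
            DnsEvent             = 22
            FileDelete           = 23
            ClipboardChange      = 24
            ProcessTampering     = 25
            Error                = 255
        }

        # Reverse map, keyed by the event ID as a string because that is how EventID
        # appears in the event XML. Derived from $EventTypeMap so the two can never drift apart.
        $EventIdToType = @{}
        foreach ($Entry in $EventTypeMap.GetEnumerator())
        {
            $EventIdToType[[string]$Entry.Value] = $Entry.Key
        }
    }
    Process
    {
        # Hash for filtering
        $HashFilter = @{}

        # Hash for command parameters
        $ParamHash = @{}

        if ($MaxEvents -gt 0)
        {
            $ParamHash.Add('MaxEvents', $MaxEvents)
        }

        # Test the string array for presence rather than comparing it numerically: "$Path -gt 0"
        # did a string comparison against "0" and dropped paths beginning with "." (e.g. ".\export.evtx").
        # Get-WinEvent's -Path and -FilterHashtable parameters live in different parameter sets, so an
        # exported log has to be supplied through the hashtable's Path key instead of LogName.
        if ($Path)
        {
            $HashFilter.Add('Path', $Path)
        }
        else
        {
            $HashFilter.Add('LogName', 'Microsoft-Windows-Sysmon/Operational')
        }

        switch ($PSCmdlet.ParameterSetName) {
            'ID'   { $HashFilter.Add('Id', $EventId) }
            'Type' {
                $EventIds = @()
                foreach ($etype in $EventType)
                {
                    $EventIds += $EventTypeMap[$etype]
                }
                $HashFilter.Add('Id', $EventIds)
            }
        }

        if ($StartTime)
        {
            $HashFilter.Add('StartTime', $StartTime)
        }

        if ($EndTime)
        {
            $HashFilter.Add('EndTime', $EndTime)
        }

        $ParamHash.Add('FilterHashTable', $HashFilter)
        Get-WinEvent @ParamHash | ForEach-Object {
            [xml]$evtxml = $_.toxml()
            $ProcInfo = [ordered]@{}
            $ProcInfo['EventId'] = $evtxml.Event.System.EventID
            $ProcInfo['EventType'] = $EventIdToType[$evtxml.Event.System.EventID]
            $ProcInfo['Computer'] = $evtxml.Event.System.Computer
            # Flatten every <Data Name="..."> element into a property of the same name.
            $evtxml.Event.EventData.Data | ForEach-Object {
                $ProcInfo[$_.name] = $_.'#text'
            }
            New-Object psobject -Property $ProcInfo
        }
    }
    End {}
}
--------------------------------------------------------------------------------
/Functions/Get-SysmonHashingAlgorithm.ps1:
--------------------------------------------------------------------------------
# .ExternalHelp Posh-SysMon.psm1-Help.xml
function Get-SysmonHashingAlgorithm
{
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md')]
    Param
    (
        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [string]$Path,

        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [Alias('PSPath')]
        [string]$LiteralPath
    )

    Begin{}
    Process
    {
        # Check if the file is a valid XML file and if not raise an error.
        # NOTE(review): the [xml] cast parses the file with PowerShell's default XmlDocument settings;
        # confirm DTD/external-entity handling before pointing this at configs from untrusted sources.
        try
        {
            switch($PSCmdlet.ParameterSetName)
            {
                'Path'        {[xml]$Config = Get-Content -Path $Path}
                'LiteralPath' {[xml]$Config = Get-Content -LiteralPath $LiteralPath}
            }
        }
        catch [System.Management.Automation.PSInvalidCastException]
        {
            Write-Error -Message 'Specified file does not appear to be a XML file.'
            return
        }

        # Validate the XML file is a valid Sysmon file.
        if ($null -eq $Config.SelectSingleNode('//Sysmon'))
        {
            Write-Error -Message 'XML file is not a valid Sysmon config file.'
            return
        }

        # $SysMonSupportedVersions is expected to be defined at module scope.
        if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)
        {
            Write-Error -Message 'This version of Sysmon Rule file is not supported.'
            return
        }

        $ObjOptions = @{}

        # An absent HashAlgorithms element is reported as an empty string rather than $null.
        if ($Config.Sysmon.SelectSingleNode('//HashAlgorithms'))
        {
            $ObjOptions['Hashing'] = $Config.Sysmon.HashAlgorithms
        }
        else
        {
            $ObjOptions['Hashing'] = ''
        }

        #$ObjOptions['Comment'] = $Config.'#comment'
        $ConfigObj = [pscustomobject]$ObjOptions
        $ConfigObj.pstypenames.insert(0,'Sysmon.HashingAlgorithm')
        $ConfigObj

    }
    End{}
}
--------------------------------------------------------------------------------
/Functions/Get-SysmonRule.ps1:
--------------------------------------------------------------------------------
# .ExternalHelp Posh-SysMon.psm1-Help.xml
function Get-SysmonRule
{
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md')]
    Param
    (
        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [string]$Path,

        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [Alias('PSPath')]
        [string]$LiteralPath,

        # Event type to parse rules for. The set matches the list expanded by 'ALL' below;
        # 'CreateRemoteThread' was missing (and 'ProcessAccess' duplicated) so it could not be requested on its own.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('ALL', 'NetworkConnect', 'ProcessCreate', 'FileCreateTime',
                     'ProcessTerminate', 'ImageLoad', 'DriverLoad', 'CreateRemoteThread',
                     'ProcessAccess', 'RawAccessRead', 'FileCreateStreamHash',
                     'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')]
        [string[]]
        $EventType = @('ALL')
    )

    Begin{}
    Process
    {
        # Check if the file is a valid XML file and if not raise an error.
        # NOTE(review): the [xml] cast parses the file with PowerShell's default XmlDocument settings;
        # confirm DTD/external-entity handling before pointing this at configs from untrusted sources.
        try
        {
            switch($PSCmdlet.ParameterSetName)
            {
                'Path'        {[xml]$Config = Get-Content -Path $Path}
                'LiteralPath' {[xml]$Config = Get-Content -LiteralPath $LiteralPath}
            }
        }
        catch [System.Management.Automation.PSInvalidCastException]
        {
            Write-Error -Message 'Specified file does not appear to be a XML file.'
            return
        }

        # Validate the XML file is a valid Sysmon file.
        if ($null -eq $Config.SelectSingleNode('//Sysmon'))
        {
            Write-Error -Message 'XML file is not a valid Sysmon config file.'
            return
        }

        # $SysMonSupportedVersions is expected to be defined at module scope.
        if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)
        {
            Write-Error -Message 'This version of Sysmon Rule file is not supported.'
            return
        }

        # Collect all individual rules if they exist.
        $Rules = $Config.Sysmon.EventFiltering

        # A config without an EventFiltering element has no rules to report.
        if ($null -eq $Rules)
        {
            Write-Verbose -Message 'No EventFiltering element present.'
            return
        }

        if ($EventType -contains 'ALL')
        {
            $TypesToParse = @('NetworkConnect', 'ProcessCreate', 'FileCreateTime',
                              'ProcessTerminate', 'ImageLoad', 'DriverLoad','CreateRemoteThread',
                              'ProcessAccess', 'RawAccessRead', 'FileCreateStreamHash',
                              'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')
        }
        else
        {
            $TypesToParse = $EventType
        }

        foreach($Type in $TypesToParse)
        {
            # Map the friendly name to the element name used in the Sysmon schema (module PrivateData).
            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$Type]
            $RuleData = $Rules.SelectNodes("//EventFiltering/$($EvtType)")
            if ($RuleData.Count -gt 0)
            {
                Write-Verbose -Message "$($EvtType) Rule Found."
                Get-RuleWithFilter $RuleData
            }

        }
    }
    End{}
}
--------------------------------------------------------------------------------
/Functions/Get-SysmonRuleFilter.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get the configured filters for a specified Event Type Rule in a Sysmon configuration file.
.DESCRIPTION
Get the configured filters for a specified Event Type Rule in a Sysmon configuration file.
.EXAMPLE
C:\PS> Get-SysmonRuleFilter -Path C:\sysmon.xml -EventType ProcessCreate
Get the filter under the ProcessCreate Rule.
#>
function Get-SysmonRuleFilter {
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRuleFilter.md')]
    Param (
        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # Event type rule to get filter for. Belongs to every parameter set: it was previously
        # bound to 'Path' only, which made it impossible to combine with -LiteralPath.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',
                     'ProcessTerminate', 'ImageLoad', 'DriverLoad',
                     'CreateRemoteThread','RawAccessRead', 'ProcessAccess',
                     'FileCreateStreamHash', 'RegistryEvent', 'FileCreate',
                     'PipeEvent', 'WmiEvent','RuleName')]
        [string]
        $EventType,

        # Event type on match action.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet('include', 'exclude')]
        [string]
        $OnMatch
    )

    Begin{}
    Process {
        # Check if the file is a valid XML file and if not raise an error.
        # NOTE(review): the [xml] cast parses the file with PowerShell's default XmlDocument settings;
        # confirm DTD/external-entity handling before pointing this at configs from untrusted sources.
        try {
            switch($PSCmdlet.ParameterSetName){
                'Path'        { [xml]$Config = Get-Content -Path $Path }
                'LiteralPath' { [xml]$Config = Get-Content -LiteralPath $LiteralPath }
            }
        }
        catch [System.Management.Automation.PSInvalidCastException] {
            Write-Error -Message 'Specified file does not appear to be a XML file.'
            return
        }

        # Validate the XML file is a valid Sysmon file.
        if ($null -eq $Config.SelectSingleNode('//Sysmon')){
            Write-Error -Message 'XML file is not a valid Sysmon config file.'
            return
        }

        $Rules = $Config.SelectSingleNode('//Sysmon/EventFiltering')

        # SelectSingleNode returns $null (never an empty string) when the element is missing,
        # so the former "-eq ''" test could not detect a config without rules.
        if ($null -eq $Rules) {
            Write-Error -Message 'Rule element does not exist. This appears to not be a valid config file'
            return
        }

        # Map the friendly name to the element name used in the Sysmon schema (module PrivateData).
        $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$EventType]

        # @() turns the XmlNodeList into an array so zero, one, or many rule elements share one code path.
        $EventRules = @($Rules.SelectNodes("//EventFiltering/$($EvtType)"))

        if ($EventRules.Count -eq 0) {
            Write-Error -Message "No rule for $($EvtType) was found."
            return
        }

        Write-Verbose -Message "$($EventRules.Count) $($EvtType) rule element(s) found."

        foreach ($Rule in $EventRules) {
            # Only the rule element whose onmatch attribute matches the requested action contributes filters.
            if ($Rule.onmatch -ne $OnMatch) { continue }

            foreach ($Filter in $Rule.SelectNodes('*')) {
                $FilterObjProps = @{}
                $FilterObjProps['EventField'] = $Filter.Name
                # A filter element without a condition attribute is treated as "is".
                $FilterObjProps['Condition'] = if ($null -eq $Filter.condition) { 'is' } else { $Filter.condition }
                $FilterObjProps['Value'] = $Filter.'#text'
                $FilterObjProps['EventType'] = $EvtType
                $FilterObjProps['OnMatch'] = $OnMatch
                $FilterObj = [pscustomobject]$FilterObjProps
                $FilterObj.pstypenames.insert(0,'Sysmon.Rule.Filter')
                $FilterObj
            }
        }
    }
    End{}
}
--------------------------------------------------------------------------------
/Functions/New-SysmonCreateRemoteThreadFilter.ps1:
--------------------------------------------------------------------------------
# .ExternalHelp Posh-SysMon.psm1-Help.xml
function New-SysmonCreateRemoteThreadFilter {
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonCreateRemoteThreadFilter.md')]
    Param (
        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # Event type on match action.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('include', 'exclude')]
        [string]
        $OnMatch,

        # Condition for filtering against an event field.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',
                     'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]
        [string]
        $Condition,

        # Event field to filter on.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=3)]
        [ValidateSet('SourceImage', 'TargetImage')]
        [string]
        $EventField,

        # Value of Event Field to filter on.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=4)]
        [string[]]
        $Value,

        # Rule Name for the filter.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true)]
        [string]
        $RuleName
    )

    Begin { }
    Process {
        # Map the friendly field name to the element name used in the Sysmon schema (module PrivateData).
        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]
        $CmdOptions = @{
            'EventType'  = 'CreateRemoteThread'
            'Condition'  = $Condition
            'EventField' = $FieldString
            'Value'      = $Value
            'OnMatch'    = $OnMatch
        }

        if($RuleName) {
            $CmdOptions.Add('RuleName',$RuleName)
        }

        # New-RuleFilter (module-internal) does the actual XML edit; forward whichever path form was given.
        switch($PSCmdlet.ParameterSetName) {
            'Path' {
                $CmdOptions.Add('Path',$Path)
                New-RuleFilter @CmdOptions
            }

            'LiteralPath' {
                $CmdOptions.Add('LiteralPath',$LiteralPath)
                New-RuleFilter @CmdOptions
            }
        }
    }
    End {}
}
--------------------------------------------------------------------------------
/Functions/New-SysmonDriverLoadFilter.ps1:
--------------------------------------------------------------------------------
# .ExternalHelp Posh-SysMon.psm1-Help.xml
function New-SysmonDriverLoadFilter {
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md')]
    Param (
        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # Event type on match action.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('include', 'exclude')]
        [string]
        $OnMatch,

        # Condition for filtering against an event field.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',
                     'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]
        [string]
        $Condition,

        # Event field to filter on.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=3)]
        [ValidateSet('UtcTime', 'ImageLoaded',
                     'Hashes', 'Signed', 'Signature')]
        [string]
        $EventField,

        # Value of Event Field to filter on.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=4)]
        [string[]]
        $Value,

        # Rule Name for the filter.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true)]
        [string]
        $RuleName
    )

    Begin {}
    Process {
        # Map the friendly field name to the element name used in the Sysmon schema (module PrivateData).
        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]
        $CmdOptions = @{
            'EventType'  = 'DriverLoad'
            'Condition'  = $Condition
            'EventField' = $FieldString
            'Value'      = $Value
            'OnMatch'    = $OnMatch
        }

        if($RuleName) {
            $CmdOptions.Add('RuleName',$RuleName)
        }

        # New-RuleFilter (module-internal) does the actual XML edit; forward whichever path form was given.
        switch($PSCmdlet.ParameterSetName) {
            'Path' {
                $CmdOptions.Add('Path',$Path)
                New-RuleFilter @CmdOptions
            }

            'LiteralPath' {
                $CmdOptions.Add('LiteralPath',$LiteralPath)
                New-RuleFilter @CmdOptions
            }
        }
    }
    End {}
}
--------------------------------------------------------------------------------
/Functions/New-SysmonFileCreateFilter.ps1:
--------------------------------------------------------------------------------
# .ExternalHelp Posh-SysMon.psm1-Help.xml
function New-SysmonFileCreateFilter {
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonFileCreateFilter.md')]
    Param (
        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Path to XML config file.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # Event type on match action.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('include', 'exclude')]
        [string]
        $OnMatch,

        # Condition for filtering against an event field.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',
                     'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]
        [string]
        $Condition,

        # Event field to filter on.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=3)]
        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image',
                     'TargetFilename', 'CreationUtcTime',
                     'PreviousCreationUtcTime')]
        [string]
        $EventField,

        # Value of Event Field to filter on.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=4)]
        [string[]]
        $Value,

        # Rule Name for the filter.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true)]
        [string]
        $RuleName
    )

    Begin {}
    Process {
        # Map the friendly field name to the element name used in the Sysmon schema (module PrivateData).
        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]
        $CmdOptions = @{
            # This cmdlet writes FileCreate rules. The value was 'FileCreateStreamHash' (copied from the
            # sibling cmdlet), which silently placed the filter under the wrong event element so the
            # FileCreate events the caller meant to collect or exclude were never affected.
            'EventType'  = 'FileCreate'
            'Condition'  = $Condition
            'EventField' = $FieldString
            'Value'      = $Value
            'OnMatch'    = $OnMatch
        }

        if($RuleName) {
            $CmdOptions.Add('RuleName',$RuleName)
        }

        # New-RuleFilter (module-internal) does the actual XML edit; forward whichever path form was given.
        switch ($PSCmdlet.ParameterSetName) {
            'Path' {
                $CmdOptions.Add('Path',$Path)
                New-RuleFilter @CmdOptions
            }

            'LiteralPath' {
                $CmdOptions.Add('LiteralPath',$LiteralPath)
                New-RuleFilter @CmdOptions
            }
        }
    }
    End {}
}
--------------------------------------------------------------------------------
/Functions/New-SysmonFileCreateStreamHashFilter.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Create a new filter for the logging of the saving of data on a file stream.
.DESCRIPTION
Create a new filter for the logging of the saving of data on a file stream.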
6 | #> 7 | function New-SysmonFileCreateStreamHashFilter { 8 | [CmdletBinding(DefaultParameterSetName = 'Path', 9 | HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonFileCreateStreamHashFilter.md')] 10 | Param ( 11 | # Path to XML config file. 12 | [Parameter(Mandatory=$true, 13 | ValueFromPipelineByPropertyName=$true, 14 | ParameterSetName='Path', 15 | Position=0)] 16 | [ValidateScript({Test-Path -Path $_})] 17 | $Path, 18 | 19 | # Path to XML config file. 20 | [Parameter(Mandatory=$true, 21 | ValueFromPipelineByPropertyName=$true, 22 | ParameterSetName='LiteralPath', 23 | Position=0)] 24 | [ValidateScript({Test-Path -Path $_})] 25 | [Alias('PSPath')] 26 | $LiteralPath, 27 | 28 | # Event type on match action. 29 | [Parameter(Mandatory=$true, 30 | ValueFromPipelineByPropertyName=$true, 31 | Position=1)] 32 | [ValidateSet('include', 'exclude')] 33 | [string] 34 | $OnMatch, 35 | 36 | # Condition for filtering against and event field. 37 | [Parameter(Mandatory=$true, 38 | ValueFromPipelineByPropertyName=$true, 39 | Position=2)] 40 | [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image', 41 | 'BeginWith', 'EndWith', 'LessThan', 'MoreThan')] 42 | [string] 43 | $Condition, 44 | 45 | # Event field to filter on. 46 | [Parameter(Mandatory=$true, 47 | ValueFromPipelineByPropertyName=$true, 48 | Position=3)] 49 | [ValidateSet('TargetFilename', 'ProcessGuid', 'ProcessId', 50 | 'Image')] 51 | [string] 52 | $EventField, 53 | 54 | # Value of Event Field to filter on. 55 | [Parameter(Mandatory=$true, 56 | ValueFromPipelineByPropertyName=$true, 57 | Position=4)] 58 | [string[]] 59 | $Value, 60 | 61 | # Rule Name for the filter. 
62 | [Parameter(Mandatory=$false, 63 | ValueFromPipelineByPropertyName=$true)] 64 | [string] 65 | $RuleName 66 | ) 67 | 68 | Begin {} 69 | Process { 70 | $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField] 71 | $cmdoptions = @{ 72 | 'EventType' = 'FileCreateStreamHash' 73 | 'Condition' = $Condition 74 | 'EventField' = $FieldString 75 | 'Value' = $Value 76 | 'OnMatch' = $OnMatch 77 | } 78 | 79 | if($RuleName) { 80 | $cmdoptions.Add('RuleName',$RuleName) 81 | } 82 | 83 | switch ($PSCmdlet.ParameterSetName) { 84 | 'Path' { 85 | $cmdOptions.Add('Path',$Path) 86 | New-RuleFilter @cmdOptions 87 | } 88 | 89 | 'LiteralPath' { 90 | $cmdOptions.Add('LiteralPath',$LiteralPath) 91 | New-RuleFilter @cmdOptions 92 | } 93 | } 94 | } 95 | End {} 96 | } -------------------------------------------------------------------------------- /Functions/New-SysmonImageLoadFilter.ps1: -------------------------------------------------------------------------------- 1 | # .ExternalHelp Posh-SysMon.psm1-Help.xml 2 | function New-SysmonImageLoadFilter { 3 | [CmdletBinding(DefaultParameterSetName = 'Path', 4 | HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md')] 5 | Param ( 6 | # Path to XML config file. 7 | [Parameter(Mandatory=$true, 8 | ValueFromPipelineByPropertyName=$true, 9 | ParameterSetName='Path', 10 | Position=0)] 11 | [ValidateScript({Test-Path -Path $_})] 12 | $Path, 13 | 14 | # Path to XML config file. 15 | [Parameter(Mandatory=$true, 16 | ValueFromPipelineByPropertyName=$true, 17 | ParameterSetName='LiteralPath', 18 | Position=0)] 19 | [ValidateScript({Test-Path -Path $_})] 20 | [Alias('PSPath')] 21 | $LiteralPath, 22 | 23 | # Event type on match action. 24 | [Parameter(Mandatory=$true, 25 | ValueFromPipelineByPropertyName=$true, 26 | Position=1)] 27 | [ValidateSet('include', 'exclude')] 28 | [string] 29 | $OnMatch, 30 | 31 | # Condition for filtering against and event field. 
32 | [Parameter(Mandatory=$true, 33 | ValueFromPipelineByPropertyName=$true, 34 | Position=2)] 35 | [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image', 36 | 'BeginWith', 'EndWith', 'LessThan', 'MoreThan')] 37 | [string] 38 | $Condition, 39 | 40 | # Event field to filter on. 41 | [Parameter(Mandatory=$true, 42 | ValueFromPipelineByPropertyName=$true, 43 | Position=3)] 44 | [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image', 45 | 'ImageLoaded', 'Hashes', 'Signed', 46 | 'Signature', 'FileVersion', 47 | 'Description', 'Product', 'Company')] 48 | [string] 49 | $EventField, 50 | 51 | # Value of Event Field to filter on. 52 | [Parameter(Mandatory=$true, 53 | ValueFromPipelineByPropertyName=$true, 54 | Position=4)] 55 | [string[]] 56 | $Value, 57 | 58 | # Rule Name for the filter. 59 | [Parameter(Mandatory=$false, 60 | ValueFromPipelineByPropertyName=$true)] 61 | [string] 62 | $RuleName 63 | ) 64 | 65 | Begin {} 66 | Process 67 | { 68 | switch($psCmdlet.ParameterSetName) 69 | { 70 | 'Path' 71 | { 72 | $ConfigVer = Select-Xml -Path $Path -XPath '//Sysmon/@schemaversion' 73 | } 74 | 75 | 'LiteralPath' 76 | { 77 | $ConfigVer = Select-Xml -LiteralPath $LiteralPath -XPath '//Sysmon/@schemaversion' 78 | } 79 | } 80 | 81 | if ($ConfigVer.Node."#text" -lt 4.0 -and ($EventField -in @('FileVersion','Description', 'Product', 'Company'))) { 82 | Write-Error -Message "The event field $($EventField) is not supported under this schema." 
83 | Return 84 | } 85 | 86 | $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField] 87 | $cmdoptions = @{ 88 | 'EventType' = 'ImageLoad' 89 | 'Condition' = $Condition 90 | 'EventField' = $FieldString 91 | 'Value' = $Value 92 | 'OnMatch' = $OnMatch 93 | 94 | } 95 | 96 | if($RuleName) { 97 | $cmdoptions.Add('RuleName',$RuleName) 98 | } 99 | 100 | switch($psCmdlet.ParameterSetName) 101 | { 102 | 'Path' 103 | { 104 | $cmdOptions.Add('Path',$Path) 105 | New-RuleFilter @cmdOptions 106 | } 107 | 108 | 'LiteralPath' 109 | { 110 | $cmdOptions.Add('LiteralPath',$LiteralPath) 111 | New-RuleFilter @cmdOptions 112 | } 113 | } 114 | 115 | } 116 | End { } 117 | } -------------------------------------------------------------------------------- /Functions/New-SysmonNetworkConnectFilter.ps1: -------------------------------------------------------------------------------- 1 | # .ExternalHelp Posh-SysMon.psm1-Help.xml 2 | function New-SysmonNetworkConnectFilter 3 | { 4 | [CmdletBinding(DefaultParameterSetName = 'Path', 5 | HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md')] 6 | Param ( 7 | # Path to XML config file. 8 | [Parameter(Mandatory=$true, 9 | ValueFromPipelineByPropertyName=$true, 10 | ParameterSetName='Path', 11 | Position=0)] 12 | [ValidateScript({Test-Path -Path $_})] 13 | $Path, 14 | 15 | # Path to XML config file. 16 | [Parameter(Mandatory=$true, 17 | ValueFromPipelineByPropertyName=$true, 18 | ParameterSetName='LiteralPath', 19 | Position=0)] 20 | [ValidateScript({Test-Path -Path $_})] 21 | [Alias('PSPath')] 22 | $LiteralPath, 23 | 24 | # Event type on match action. 25 | [Parameter(Mandatory=$true, 26 | ValueFromPipelineByPropertyName=$true, 27 | Position=1)] 28 | [ValidateSet('include', 'exclude')] 29 | [string] 30 | $OnMatch, 31 | 32 | # Condition for filtering against and event field. 
33 | [Parameter(Mandatory=$true, 34 | ValueFromPipelineByPropertyName=$true, 35 | Position=2)] 36 | [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image', 37 | 'BeginWith', 'EndWith', 'LessThan', 'MoreThan')] 38 | [string] 39 | $Condition, 40 | 41 | # Event field to filter on. 42 | [Parameter(Mandatory=$true, 43 | ValueFromPipelineByPropertyName=$true, 44 | Position=3)] 45 | [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image', 46 | 'User', 'Protocol', 'Initiated', 'SourceIsIpv6', 47 | 'SourceIp', 'SourceHostname', 'SourcePort', 48 | 'SourcePortName', 'DestinationIsIpv6', 49 | 'DestinationIp', 'DestinationHostname', 50 | 'DestinationPort', 'DestinationPortName')] 51 | [string] 52 | $EventField, 53 | 54 | # Value of Event Field to filter on. 55 | [Parameter(Mandatory=$true, 56 | ValueFromPipelineByPropertyName=$true, 57 | Position=4)] 58 | [string[]] 59 | $Value, 60 | 61 | # Rule Name for the filter. 62 | [Parameter(Mandatory=$false, 63 | ValueFromPipelineByPropertyName=$true)] 64 | [string] 65 | $RuleName 66 | ) 67 | 68 | Begin {} 69 | Process { 70 | $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField] 71 | $cmdoptions = @{ 72 | 'EventType' = 'NetworkConnect' 73 | 'Condition' = $Condition 74 | 'EventField' = $FieldString 75 | 'Value' = $Value 76 | 'OnMatch' = $OnMatch 77 | 78 | } 79 | 80 | if($RuleName) { 81 | $cmdoptions.Add('RuleName',$RuleName) 82 | } 83 | 84 | switch($psCmdlet.ParameterSetName) { 85 | 'Path' { 86 | $cmdOptions.Add('Path',$Path) 87 | New-RuleFilter @cmdOptions 88 | } 89 | 90 | 'LiteralPath' { 91 | $cmdOptions.Add('LiteralPath',$LiteralPath) 92 | New-RuleFilter @cmdOptions 93 | } 94 | } 95 | } 96 | End {} 97 | } -------------------------------------------------------------------------------- /Functions/New-SysmonPipeFilter.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Create a new filter for when a Named Pipe is created or connected. 
4 | .DESCRIPTION 5 | Create a new filter for when a Named Pipe is created or connected. 6 | Useful for watching malware inter process communication. 7 | #> 8 | function New-SysmonPipeFilter { 9 | [CmdletBinding(DefaultParameterSetName = 'Path', 10 | HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonPipeFilter.md')] 11 | Param ( 12 | # Path to XML config file. 13 | [Parameter(Mandatory=$true, 14 | ValueFromPipelineByPropertyName=$true, 15 | ParameterSetName='Path', 16 | Position=0)] 17 | [ValidateScript({Test-Path -Path $_})] 18 | $Path, 19 | 20 | # Path to XML config file. 21 | [Parameter(Mandatory=$true, 22 | ValueFromPipelineByPropertyName=$true, 23 | ParameterSetName='LiteralPath', 24 | Position=0)] 25 | [ValidateScript({Test-Path -Path $_})] 26 | [Alias('PSPath')] 27 | $LiteralPath, 28 | 29 | # Event type on match action. 30 | [Parameter(Mandatory=$true, 31 | ValueFromPipelineByPropertyName=$true, 32 | Position=1)] 33 | [ValidateSet('include', 'exclude')] 34 | [string] 35 | $OnMatch, 36 | 37 | # Condition for filtering against and event field. 38 | [Parameter(Mandatory=$true, 39 | ValueFromPipelineByPropertyName=$true, 40 | Position=2)] 41 | [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image', 42 | 'BeginWith', 'EndWith', 'LessThan', 'MoreThan')] 43 | [string] 44 | $Condition, 45 | 46 | # Event field to filter on. 47 | [Parameter(Mandatory=$true, 48 | ValueFromPipelineByPropertyName=$true, 49 | Position=3)] 50 | [ValidateSet('Pipe', 'ProcessGuid', 'ProcessId', 51 | 'Image')] 52 | [string] 53 | $EventField, 54 | 55 | # Value of Event Field to filter on. 56 | [Parameter(Mandatory=$true, 57 | ValueFromPipelineByPropertyName=$true, 58 | Position=4)] 59 | [string[]] 60 | $Value, 61 | 62 | # Rule Name for the filter. 
63 | [Parameter(Mandatory=$false, 64 | ValueFromPipelineByPropertyName=$true)] 65 | [string] 66 | $RuleName 67 | ) 68 | 69 | Begin {} 70 | Process { 71 | $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField] 72 | $cmdoptions = @{ 73 | 'EventType' = 'PipeEvent' 74 | 'Condition' = $Condition 75 | 'EventField' = $FieldString 76 | 'Value' = $Value 77 | 'OnMatch' = $OnMatch 78 | 79 | } 80 | 81 | if($RuleName) { 82 | $cmdoptions.Add('RuleName',$RuleName) 83 | } 84 | 85 | switch ($PSCmdlet.ParameterSetName) { 86 | 'Path' { 87 | $cmdOptions.Add('Path',$Path) 88 | New-RuleFilter @cmdOptions 89 | } 90 | 91 | 'LiteralPath' { 92 | $cmdOptions.Add('LiteralPath',$LiteralPath) 93 | New-RuleFilter @cmdOptions 94 | } 95 | } 96 | } 97 | End {} 98 | } -------------------------------------------------------------------------------- /Functions/New-SysmonProcessAccessFilter.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Create a new filter for the logging of when a running process opens another. 4 | .DESCRIPTION 5 | Create a new filter for the logging of when a running process opens another. 6 | .EXAMPLE 7 | C:\PS> New-SysmonProcessAccessFilter -Path .\testver31.xml -OnMatch include -Condition Contains -EventField TargetImage lsass.exe 8 | Log any process trying to open lsass.exe. 9 | #> 10 | function New-SysmonProcessAccessFilter { 11 | [CmdletBinding(DefaultParameterSetName = 'Path', 12 | HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessAccessFilter.md')] 13 | Param ( 14 | # Path to XML config file. 15 | [Parameter(Mandatory=$true, 16 | ValueFromPipelineByPropertyName=$true, 17 | ParameterSetName='Path', 18 | Position=0)] 19 | [ValidateScript({Test-Path -Path $_})] 20 | $Path, 21 | 22 | # Path to XML config file. 
23 | [Parameter(Mandatory=$true, 24 | ValueFromPipelineByPropertyName=$true, 25 | ParameterSetName='LiteralPath', 26 | Position=0)] 27 | [ValidateScript({Test-Path -Path $_})] 28 | [Alias('PSPath')] 29 | $LiteralPath, 30 | 31 | # Event type on match action. 32 | [Parameter(Mandatory=$true, 33 | ValueFromPipelineByPropertyName=$true, 34 | Position=1)] 35 | [ValidateSet('include', 'exclude')] 36 | [string] 37 | $OnMatch, 38 | 39 | # Condition for filtering against and event field. 40 | [Parameter(Mandatory=$true, 41 | ValueFromPipelineByPropertyName=$true, 42 | Position=2)] 43 | [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image', 44 | 'BeginWith', 'EndWith', 'LessThan', 'MoreThan')] 45 | [string] 46 | $Condition, 47 | 48 | # Event field to filter on. 49 | [Parameter(Mandatory=$true, 50 | ValueFromPipelineByPropertyName=$true, 51 | Position=3)] 52 | [ValidateSet('UtcTime', 'SourceProcessGUID', 53 | 'SourceProcessId', 'SourceThreadId', 'SourceImage', 54 | 'TargetProcessGUID', 'TargetProcessId', 'TargetImage', 55 | 'GrantedAccess','CallTrace')] 56 | [string] 57 | $EventField, 58 | 59 | # Value of Event Field to filter on. 60 | [Parameter(Mandatory=$true, 61 | ValueFromPipelineByPropertyName=$true, 62 | Position=4)] 63 | [string[]] 64 | $Value, 65 | 66 | # Rule Name for the filter. 
67 | [Parameter(Mandatory=$false, 68 | ValueFromPipelineByPropertyName=$true)] 69 | [string] 70 | $RuleName 71 | ) 72 | 73 | Begin {} 74 | Process { 75 | $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField] 76 | $cmdoptions = @{ 77 | 'EventType' = 'ProcessAccess' 78 | 'Condition' = $Condition 79 | 'EventField' = $FieldString 80 | 'Value' = $Value 81 | 'OnMatch' = $OnMatch 82 | 83 | } 84 | 85 | if($RuleName) { 86 | $cmdoptions.Add('RuleName',$RuleName) 87 | } 88 | 89 | switch ($PSCmdlet.ParameterSetName) { 90 | 'Path' { 91 | $cmdOptions.Add('Path',$Path) 92 | New-RuleFilter @cmdOptions 93 | } 94 | 95 | 'LiteralPath' { 96 | $cmdOptions.Add('LiteralPath',$LiteralPath) 97 | New-RuleFilter @cmdOptions 98 | } 99 | } 100 | } 101 | End {} 102 | } -------------------------------------------------------------------------------- /Functions/New-SysmonProcessCreateFilter.ps1: -------------------------------------------------------------------------------- 1 | # .ExternalHelp Posh-SysMon.psm1-Help.xml 2 | function New-SysmonProcessCreateFilter 3 | { 4 | [CmdletBinding(DefaultParameterSetName = 'Path', 5 | HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md')] 6 | Param ( 7 | # Path to XML config file. 8 | [Parameter(Mandatory=$true, 9 | ValueFromPipelineByPropertyName=$true, 10 | ParameterSetName='Path', 11 | Position=0)] 12 | [ValidateScript({Test-Path -Path $_})] 13 | $Path, 14 | 15 | # Path to XML config file. 16 | [Parameter(Mandatory=$true, 17 | ValueFromPipelineByPropertyName=$true, 18 | ParameterSetName='LiteralPath', 19 | Position=0)] 20 | [ValidateScript({Test-Path -Path $_})] 21 | [Alias('PSPath')] 22 | $LiteralPath, 23 | 24 | # Event type on match action. 25 | [Parameter(Mandatory=$true, 26 | ValueFromPipelineByPropertyName=$true, 27 | Position=1)] 28 | [ValidateSet('include', 'exclude')] 29 | [string] 30 | $OnMatch, 31 | 32 | # Condition for filtering against and event field. 
33 | [Parameter(Mandatory=$true, 34 | ValueFromPipelineByPropertyName=$true, 35 | Position=2)] 36 | [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image', 37 | 'BeginWith', 'EndWith', 'LessThan', 'MoreThan')] 38 | [string] 39 | $Condition, 40 | 41 | # Event field to filter on. 42 | [Parameter(Mandatory=$true, 43 | ValueFromPipelineByPropertyName=$true, 44 | Position=3)] 45 | [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 'Image', 46 | 'CommandLine', 'User', 'LogonGuid', 'LogonId', 47 | 'TerminalSessionId', 'IntegrityLevel', 48 | 'Hashes', 'ParentProcessGuid', 'ParentProcessId', 49 | 'ParentImage', 'ParentCommandLine', 'FileVersion', 50 | 'Description', 'Product', 'Company')] 51 | [string] 52 | $EventField, 53 | 54 | # Value of Event Field to filter on. 55 | [Parameter(Mandatory=$true, 56 | ValueFromPipelineByPropertyName=$true, 57 | Position=4)] 58 | [string[]] 59 | $Value, 60 | 61 | # Rule Name for the filter. 62 | [Parameter(Mandatory=$false, 63 | ValueFromPipelineByPropertyName=$true)] 64 | [string] 65 | $RuleName 66 | ) 67 | 68 | Begin {} 69 | Process { 70 | switch($psCmdlet.ParameterSetName) 71 | { 72 | 'Path' 73 | { 74 | $ConfigVer = Select-Xml -Path $Path -XPath '//Sysmon/@schemaversion' 75 | } 76 | 77 | 'LiteralPath' 78 | { 79 | $ConfigVer = Select-Xml -LiteralPath $LiteralPath -XPath '//Sysmon/@schemaversion' 80 | } 81 | } 82 | 83 | if ($ConfigVer.Node."#text" -lt 4.0 -and ($EventField -in @('FileVersion','Description', 'Product', 'Company'))) { 84 | Write-Error -Message "The event field $($EventField) is not supported under this schema." 
85 | Return 86 | } 87 | 88 | $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField] 89 | 90 | $cmdoptions = @{ 91 | 'EventType' = 'ProcessCreate' 92 | 'Condition' = $Condition 93 | 'EventField' = $FieldString 94 | 'Value' = $Value 95 | 'OnMatch' = $OnMatch 96 | 97 | } 98 | 99 | if($RuleName) { 100 | $cmdoptions.Add('RuleName',$RuleName) 101 | } 102 | 103 | switch($psCmdlet.ParameterSetName) { 104 | 'Path' { 105 | $cmdOptions.Add('Path',$Path) 106 | New-RuleFilter @cmdOptions 107 | } 108 | 109 | 'LiteralPath' { 110 | $cmdOptions.Add('LiteralPath',$LiteralPath) 111 | New-RuleFilter @cmdOptions 112 | } 113 | } 114 | } 115 | End { } 116 | } -------------------------------------------------------------------------------- /Functions/New-SysmonProcessTerminateFilter.ps1: -------------------------------------------------------------------------------- 1 | # .ExternalHelp Posh-SysMon.psm1-Help.xml 2 | function New-SysmonProcessTerminateFilter 3 | { 4 | [CmdletBinding(DefaultParameterSetName = 'Path', 5 | HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md')] 6 | Param ( 7 | # Path to XML config file. 8 | [Parameter(Mandatory=$true, 9 | ValueFromPipelineByPropertyName=$true, 10 | ParameterSetName='Path', 11 | Position=0)] 12 | [ValidateScript({Test-Path -Path $_})] 13 | $Path, 14 | 15 | # Path to XML config file. 16 | [Parameter(Mandatory=$true, 17 | ValueFromPipelineByPropertyName=$true, 18 | ParameterSetName='LiteralPath', 19 | Position=0)] 20 | [ValidateScript({Test-Path -Path $_})] 21 | [Alias('PSPath')] 22 | $LiteralPath, 23 | 24 | # Event type on match action. 25 | [Parameter(Mandatory=$true, 26 | ValueFromPipelineByPropertyName=$true, 27 | Position=1)] 28 | [ValidateSet('include', 'exclude')] 29 | [string] 30 | $OnMatch, 31 | 32 | # Condition for filtering against and event field. 
33 | [Parameter(Mandatory=$true, 34 | ValueFromPipelineByPropertyName=$true, 35 | Position=2)] 36 | [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image', 37 | 'BeginWith', 'EndWith', 'LessThan', 'MoreThan')] 38 | [string] 39 | $Condition, 40 | 41 | # Event field to filter on. 42 | [Parameter(Mandatory=$true, 43 | ValueFromPipelineByPropertyName=$true, 44 | Position=3)] 45 | [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId')] 46 | [string] 47 | $EventField, 48 | 49 | # Value of Event Field to filter on. 50 | [Parameter(Mandatory=$true, 51 | ValueFromPipelineByPropertyName=$true, 52 | Position=4)] 53 | [string[]] 54 | $Value, 55 | 56 | # Rule Name for the filter. 57 | [Parameter(Mandatory=$false, 58 | ValueFromPipelineByPropertyName=$true)] 59 | [string] 60 | $RuleName 61 | ) 62 | 63 | Begin {} 64 | Process 65 | { 66 | $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField] 67 | $cmdoptions = @{ 68 | 'EventType' = 'ProcessTerminate' 69 | 'Condition' = $Condition 70 | 'EventField' = $FieldString 71 | 'Value' = $Value 72 | 'OnMatch' = $OnMatch 73 | 74 | } 75 | 76 | if($RuleName) { 77 | $cmdoptions.Add('RuleName',$RuleName) 78 | } 79 | 80 | switch($psCmdlet.ParameterSetName) 81 | { 82 | 'Path' 83 | { 84 | $cmdOptions.Add('Path',$Path) 85 | New-RuleFilter @cmdOptions 86 | } 87 | 88 | 'LiteralPath' 89 | { 90 | $cmdOptions.Add('LiteralPath',$LiteralPath) 91 | New-RuleFilter @cmdOptions 92 | } 93 | } 94 | } 95 | End {} 96 | } -------------------------------------------------------------------------------- /Functions/New-SysmonRawAccessReadFilter.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Create a new filter for the logging of file raw access read actions. 4 | .DESCRIPTION 5 | Create a new filter for the logging of file raw access read actions. 
6 | .EXAMPLE 7 | C:\PS> New-SysmonRawAccessReadFilter -Path .\testver31.xml -OnMatch include -Condition Contains -EventField Image NTDS.dit 8 | Log any raw access read of the file NTDS.dit. 9 | #> 10 | function New-SysmonRawAccessReadFilter { 11 | [CmdletBinding(DefaultParameterSetName = 'Path', 12 | HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonRawAccessReadFilter.md')] 13 | Param ( 14 | # Path to XML config file. 15 | [Parameter(Mandatory=$true, 16 | ValueFromPipelineByPropertyName=$true, 17 | ParameterSetName='Path', 18 | Position=0)] 19 | [ValidateScript({Test-Path -Path $_})] 20 | $Path, 21 | 22 | # Path to XML config file. 23 | [Parameter(Mandatory=$true, 24 | ValueFromPipelineByPropertyName=$true, 25 | ParameterSetName='LiteralPath', 26 | Position=0)] 27 | [ValidateScript({Test-Path -Path $_})] 28 | [Alias('PSPath')] 29 | $LiteralPath, 30 | 31 | # Event type on match action. 32 | [Parameter(Mandatory=$true, 33 | ValueFromPipelineByPropertyName=$true, 34 | Position=1)] 35 | [ValidateSet('include', 'exclude')] 36 | [string] 37 | $OnMatch, 38 | 39 | # Condition for filtering against and event field. 40 | [Parameter(Mandatory=$true, 41 | ValueFromPipelineByPropertyName=$true, 42 | Position=2)] 43 | [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image', 44 | 'BeginWith', 'EndWith', 'LessThan', 'MoreThan')] 45 | [string] 46 | $Condition, 47 | 48 | # Event field to filter on. 49 | [Parameter(Mandatory=$true, 50 | ValueFromPipelineByPropertyName=$true, 51 | Position=3)] 52 | [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId', 53 | 'Image', 'Device')] 54 | [string] 55 | $EventField, 56 | 57 | # Value of Event Field to filter on. 58 | [Parameter(Mandatory=$true, 59 | ValueFromPipelineByPropertyName=$true, 60 | Position=4)] 61 | [string[]] 62 | $Value, 63 | 64 | # Rule Name for the filter. 
65 | [Parameter(Mandatory=$false, 66 | ValueFromPipelineByPropertyName=$true)] 67 | [string] 68 | $RuleName 69 | ) 70 | 71 | Begin {} 72 | Process { 73 | $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField] 74 | $cmdoptions = @{ 75 | 'EventType' = 'RawAccessRead' 76 | 'Condition' = $Condition 77 | 'EventField' = $FieldString 78 | 'Value' = $Value 79 | 'OnMatch' = $OnMatch 80 | 81 | } 82 | 83 | if($RuleName) { 84 | $cmdoptions.Add('RuleName',$RuleName) 85 | } 86 | 87 | 88 | switch ($PSCmdlet.ParameterSetName) { 89 | 'Path' { 90 | $cmdOptions.Add('Path',$Path) 91 | New-RuleFilter @cmdOptions 92 | } 93 | 94 | 'LiteralPath' { 95 | $cmdOptions.Add('LiteralPath',$LiteralPath) 96 | New-RuleFilter @cmdOptions 97 | } 98 | } 99 | } 100 | End {} 101 | } -------------------------------------------------------------------------------- /Functions/New-SysmonRegistryFilter.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Create a new filter for the actions against the registry. 4 | .DESCRIPTION 5 | Create a new filter for actions against the registry. Supports filtering 6 | by aby of the following event types: 7 | * CreateKey 8 | * DeleteKey 9 | * RenameKey 10 | * CreateValue 11 | * DeleteValue 12 | * RenameValue 13 | * SetValue 14 | 15 | Hives on Schema 3.2 in TargetObject are referenced as: 16 | * \REGISTRY\MACHINE\HARDWARE 17 | * \REGISTRY\USER\Security ID number 18 | * \REGISTRY\MACHINE\SECURITY 19 | * \REGISTRY\USER\.DEFAULT 20 | * \REGISTRY\MACHINE\SYSTEM 21 | * \REGISTRY\MACHINE\SOFTWARE 22 | * \REGISTRY\MACHINE\SAM 23 | 24 | Hives on Schema 3.3 and above in TargetObject are referenced as: 25 | * HKLM 26 | * HKCR 27 | * HKEY_USER 28 | 29 | .EXAMPLE 30 | C:\PS> New-SysmonRegistryFilter -Path .\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce' 31 | Capture persistance attemp by creating a registry entry in the RunOnce keys. 
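#>
function New-SysmonRegistryFilter {
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonRegistryFilter.md')]
    Param (
        # Path to XML config file (wildcards allowed).
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Literal path to XML config file. Validated with -LiteralPath so that a
        # file name containing wildcard characters is not expanded, matching the
        # way the path is consumed later.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -LiteralPath $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # Action taken when the filter matches: include or exclude the event.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('include', 'exclude')]
        [string]
        $OnMatch,

        # Condition used to compare the event field against -Value.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',
                     'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]
        [string]
        $Condition,

        # RegistryEvent field to filter on. Mapped to the XML element name
        # through the module's PrivateData.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=3)]
        [ValidateSet('TargetObject', 'ProcessGuid', 'ProcessId',
                     'Image', 'EventType')]
        [string]
        $EventField,

        # One or more values to compare the field against. When -EventField is
        # EventType every value must be one of the registry event type names
        # listed in $EventTypeMap (any letter case is accepted).
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=4)]
        [string[]]
        $Value,

        # Optional rule name attached to the filter.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true)]
        [string]
        $RuleName
    )

    Begin {
        # Canonical spellings of the RegistryEvent EventType values. Hashtable
        # lookups are case-insensitive, so indexing with user input both
        # validates the name and normalises its case.
        $EventTypeMap = @{
            CreateKey   = 'CreateKey'
            DeleteKey   = 'DeleteKey'
            RenameKey   = 'RenameKey'
            CreateValue = 'CreateValue'
            DeleteValue = 'DeleteValue'
            RenameValue = 'RenameValue'
            SetValue    = 'SetValue'
        }

        $Etypes = $EventTypeMap.Keys
    }
    Process {
        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]

        if ($EventField -eq 'EventType') {
            # Validate and normalise each value individually. The previous
            # check applied -in to the whole [string[]], which only behaved
            # correctly when a single value was supplied.
            $Normalised = New-Object -TypeName System.Collections.Generic.List[string]
            foreach ($Item in $Value) {
                if (-not $EventTypeMap.ContainsKey($Item)) {
                    Write-Error -Message "Not a supported EventType. Supported Event types $($Etypes -join ', ')"
                    return
                }
                $Normalised.Add($EventTypeMap[$Item])
            }
            $Value = [string[]]$Normalised.ToArray()
        }

        $cmdOptions = @{
            'EventType'  = 'RegistryEvent'
            'Condition'  = $Condition
            'EventField' = $FieldString
            'Value'      = $Value
            'OnMatch'    = $OnMatch
        }

        if ($RuleName) {
            $cmdOptions['RuleName'] = $RuleName
        }

        # Forward whichever path parameter set the caller used.
        switch ($PSCmdlet.ParameterSetName) {
            'Path'        { $cmdOptions['Path'] = $Path }
            'LiteralPath' { $cmdOptions['LiteralPath'] = $LiteralPath }
        }
        New-RuleFilter @cmdOptions
    }
    End {}
}
--------------------------------------------------------------------------------
/Functions/New-SysmonWmiFilter.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Create a new filter for the WmiEvent event type (WMI permanent event classes).
.DESCRIPTION
    Create a new filter on the events Sysmon raises when WMI permanent event
    classes are created or connected. Useful for monitoring persistence actions.
#>
function New-SysmonWmiFilter {
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonWmiFilter.md')]
    Param (
        # Path to XML config file (wildcards allowed).
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Literal path to XML config file; validated with -LiteralPath so that
        # wildcard characters in the name are not expanded.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -LiteralPath $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # Action taken when the filter matches: include or exclude the event.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('include', 'exclude')]
        [string]
        $OnMatch,

        # Condition used to compare the event field against -Value.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',
                     'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]
        [string]
        $Condition,

        # WmiEvent field to filter on. Mapped to the XML element name through
        # the module's PrivateData.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=3)]
        [ValidateSet('Name', 'EventNamespace', 'Destination',
                     'Type', 'Query', 'Operation', 'Consumer', 'Filter')]
        [string]
        $EventField,

        # One or more values to compare the field against.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=4)]
        [string[]]
        $Value,

        # Optional rule name attached to the filter.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true)]
        [string]
        $RuleName
    )

    Begin {}
    Process {
        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]

        $cmdOptions = @{
            'EventType'  = 'WmiEvent'
            'Condition'  = $Condition
            'EventField' = $FieldString
            'Value'      = $Value
            'OnMatch'    = $OnMatch
        }

        if ($RuleName) {
            $cmdOptions['RuleName'] = $RuleName
        }

        # Forward whichever path parameter set the caller used.
        switch ($PSCmdlet.ParameterSetName) {
            'Path'        { $cmdOptions['Path'] = $Path }
            'LiteralPath' { $cmdOptions['LiteralPath'] = $LiteralPath }
        }
        New-RuleFilter @cmdOptions
    }
    End {}
}
--------------------------------------------------------------------------------
/Functions/Remove-SysmonRule.ps1:
--------------------------------------------------------------------------------
# .ExternalHelp Posh-SysMon.psm1-Help.xml
function Remove-SysmonRule
{
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md')]
    Param
    (
        # Path to XML config file (wildcards allowed).
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Literal path to XML config file; validated with -LiteralPath so that
        # wildcard characters in the name are not expanded.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -LiteralPath $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # Event type rule(s) to remove. Compared case-insensitively (-in) with
        # the name of each element under EventFiltering.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',
                     'ProcessTerminate', 'ImageLoad', 'DriverLoad', 'CreateRemoteThread',
                     'ProcessAccess', 'RawAccessRead', 'FileCreateStreamHash',
                     'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent','RuleName')]
        [string[]]
        $EventType,

        # Only rules whose onmatch attribute equals this value are removed.
        # Optional: it was declared Mandatory=$true, which made the 'Exclude'
        # default unreachable; Set-SysmonRule declares the same parameter
        # optional and the README example omits it.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet('Include', 'Exclude')]
        [String]
        $OnMatch = 'Exclude'
    )

    Begin{}
    Process
    {
        # Load the file; content that is not XML fails the [xml] cast.
        try
        {
            switch($PSCmdlet.ParameterSetName)
            {
                'Path'
                {
                    [xml]$Config = Get-Content -Path $Path
                    $FileLocation = (Resolve-Path -Path $Path).Path
                }

                'LiteralPath'
                {
                    [xml]$Config = Get-Content -LiteralPath $LiteralPath
                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path
                }
            }
        }
        catch [System.Management.Automation.PSInvalidCastException]
        {
            Write-Error -Message 'Specified file does not appear to be a XML file.'
            return
        }

        # Validate the XML file is a valid, supported Sysmon config file.
        if ($null -eq $Config.SelectSingleNode('//Sysmon'))
        {
            Write-Error -Message 'XML file is not a valid Sysmon config file.'
            return
        }

        if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)
        {
            Write-Error -Message 'This version of Sysmon Rule file is not supported.'
            return
        }

        $Rules = $Config.SelectSingleNode('//Sysmon/EventFiltering')
        if ($null -eq $Rules)
        {
            Write-Verbose -Message 'No EventFiltering element present; nothing to remove.'
            return
        }

        # Enumerate a snapshot: removing from the live ChildNodes list while
        # iterating it can skip the sibling that follows a removed node.
        foreach ($Rule in @($Rules.ChildNodes))
        {
            # LocalName rather than .name: the XML adapter would return a
            # name= attribute instead of the element name if one is present.
            if ($Rule.LocalName -in $EventType -and $Rule.onmatch -eq $OnMatch)
            {
                [void]$Rule.ParentNode.RemoveChild($Rule)
                # Report the rule actually removed rather than the whole -EventType list.
                Write-Verbose -Message "Removed rule for $($Rule.LocalName)."
            }
        }

        $Config.Save($FileLocation)
    }
    End{}
}
--------------------------------------------------------------------------------
/Functions/Remove-SysmonRuleFilter.ps1:
--------------------------------------------------------------------------------
# .ExternalHelp Posh-SysMon.psm1-Help.xml
function Remove-SysmonRuleFilter {
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md')]
    Param (
        # Path to XML config file (wildcards allowed).
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Literal path to XML config file; validated with -LiteralPath so that
        # wildcard characters in the name are not expanded.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -LiteralPath $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # Event type whose rule element holds the filter(s) to remove. Mapped
        # to the XML element name through the module's PrivateData.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',
                     'ProcessTerminate', 'ImageLoad', 'DriverLoad',
                     'CreateRemoteThread', 'RawAccessRead', 'ProcessAccess',
                     'FileCreateStreamHash', 'RegistryEvent', 'FileCreate',
                     'PipeEvent', 'WmiEvent')]
        [string]
        $EventType,

        # onmatch action of the rule to edit; rules with a different action
        # are left untouched.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet('include', 'exclude')]
        [string]
        $OnMatch,

        # Condition of the filter(s) to remove. Friendly name, translated to
        # the attribute text Sysmon writes (e.g. BeginWith -> 'begin with').
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=3)]
        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',
                     'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]
        [string]
        $Condition,

        # Name of the filter element to remove (e.g. Image). Compared directly
        # with the element name; unlike -EventType it is not mapped through
        # PrivateData.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=4)]
        [string]
        $EventField,

        # One or more filter values. A filter is removed when its element name,
        # condition and text all match.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=5)]
        [string[]]
        $Value
    )

    Begin {
        # Friendly condition names -> attribute text used in the config file.
        $ConditionMap = @{
            'Is'        = 'is'
            'IsNot'     = 'is not'
            'Contains'  = 'contains'
            'Excludes'  = 'excludes'
            'Image'     = 'image'
            'BeginWith' = 'begin with'
            'EndWith'   = 'end with'
            'LessThan'  = 'less than'
            'MoreThan'  = 'more than'
        }
    }
    Process {
        # Load the file; content that is not XML fails the [xml] cast.
        try {
            switch($PSCmdlet.ParameterSetName) {
                'Path' {
                    [xml]$Config = Get-Content -Path $Path
                    $FileLocation = (Resolve-Path -Path $Path).Path
                }

                'LiteralPath' {
                    [xml]$Config = Get-Content -LiteralPath $LiteralPath
                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path
                }
            }
        }
        catch [System.Management.Automation.PSInvalidCastException] {
            Write-Error -Message 'Specified file does not appear to be a XML file.'
            return
        }

        # Validate the XML file is a valid Sysmon file.
        if ($null -eq $Config.SelectSingleNode('//Sysmon')) {
            Write-Error -Message 'XML file is not a valid Sysmon config file.'
            return
        }

        $Rules = $Config.SelectSingleNode('//Sysmon/EventFiltering')
        if ($null -eq $Rules) {
            Write-Error -Message 'Rule element does not exist. This appears to not be a valid config file'
            return
        }

        # Attribute text to look for. The previous code computed this string
        # but compared the raw parameter instead, so multi-word conditions
        # ('begin with', 'is not', ...) could never be matched.
        $ConditionString = $ConditionMap[$Condition]
        if (-not $ConditionString) {
            $ConditionString = 'is'
        }

        $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$EventType]
        if ([string]::IsNullOrEmpty($EvtType)) {
            Write-Error -Message "No element name is known for event type $($EventType)."
            return
        }

        # Schema 3.0+ allows one rule element per onmatch value, so always
        # treat the lookup as a list; an empty list means no rule exists and
        # there is nothing to edit (the file is left unsaved).
        $EventRule = @($Rules.SelectNodes("//EventFiltering/$($EvtType)"))
        if ($EventRule.Count -eq 0) {
            Write-Warning -Message "No rule for $($EvtType) was found."
            return
        }

        foreach ($Rule in $EventRule) {
            if ($Rule.onmatch -ne $OnMatch) {
                continue
            }

            # Enumerate a snapshot: removing from a live node list while
            # iterating it can skip the sibling that follows a removed node.
            $Filters = @($Rule.SelectNodes('*'))
            if ($Filters.Count -eq 0) {
                continue
            }

            foreach ($Val in $Value) {
                foreach ($Filter in $Filters) {
                    # LocalName rather than .Name: a name= attribute (rule
                    # name) would otherwise be what the XML adapter returns.
                    # A null ParentNode means an earlier value already
                    # detached this node.
                    if ($Filter.LocalName -ne $EventField -or $null -eq $Filter.ParentNode) {
                        continue
                    }

                    # A filter without a condition attribute is an 'is' filter.
                    $FilterCondition = if ($null -eq $Filter.condition) { 'is' } else { $Filter.condition }
                    if ($FilterCondition -eq $ConditionString -and $Filter.'#text' -eq $Val) {
                        [void]$Filter.ParentNode.RemoveChild($Filter)
                        Write-Verbose -Message "Filter for field $($EventField) with condition $($Condition) and value of $($Val) removed."
                    }
                }
            }
            Get-RuleWithFilter $Rule
        }
        $Config.Save($FileLocation)
    }
    End{}
}

--------------------------------------------------------------------------------
/Functions/Set-SysmonHashingAlgorithm.ps1:
--------------------------------------------------------------------------------
# .ExternalHelp Posh-SysMon.psm1-Help.xml
function Set-SysmonHashingAlgorithm
{
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md')]
    Param
    (
        # Path to XML config file (wildcards allowed).
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Literal path to XML config file; validated with -LiteralPath so that
        # wildcard characters in the name are not expanded.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -LiteralPath $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # One or more hash algorithms used for image identification. 'ALL'
        # takes precedence over any other value and is written as '*'.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('ALL', 'MD5', 'SHA1', 'SHA256', 'IMPHASH')]
        [string[]]
        $HashingAlgorithm
    )

    Begin{}
    Process
    {
        # Load the file; content that is not XML fails the [xml] cast.
        try
        {
            switch($PSCmdlet.ParameterSetName)
            {
                'Path'
                {
                    [xml]$Config = Get-Content -Path $Path
                    $FileLocation = (Resolve-Path -Path $Path).Path
                }

                'LiteralPath'
                {
                    [xml]$Config = Get-Content -LiteralPath $LiteralPath
                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path
                }
            }
        }
        catch [System.Management.Automation.PSInvalidCastException]
        {
            Write-Error -Message 'Specified file does not appear to be a XML file.'
            return
        }

        # Validate the XML file is a valid, supported Sysmon config file.
        $SysmonNode = $Config.SelectSingleNode('//Sysmon')
        if ($null -eq $SysmonNode)
        {
            Write-Error -Message 'XML file is not a valid Sysmon config file.'
            return
        }

        if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)
        {
            Write-Error -Message 'This version of Sysmon Rule file is not supported.'
            return
        }

        Write-Verbose -Message 'Updating Hashing option.'
        $Hash = if ($HashingAlgorithm -contains 'ALL') { '*' } else { $HashingAlgorithm -join ',' }

        # HashAlgorithms is a direct child of <Sysmon>, which is where the
        # existing-node lookup already expects it. The previous code created
        # the element under a non-existent 'Configuration' child and then set
        # a 'Hashing' property, so a file without the element was never
        # updated correctly.
        $HashNode = $SysmonNode.SelectSingleNode('HashAlgorithms')
        if ($null -eq $HashNode)
        {
            $HashNode = $Config.CreateElement('HashAlgorithms')
            # Keep the conventional order (HashAlgorithms before EventFiltering)
            # when a filtering section is already present.
            $Filtering = $SysmonNode.SelectSingleNode('EventFiltering')
            if ($null -eq $Filtering)
            {
                [void]$SysmonNode.AppendChild($HashNode)
            }
            else
            {
                [void]$SysmonNode.InsertBefore($HashNode, $Filtering)
            }
        }
        $HashNode.InnerText = $Hash
        Write-Verbose -Message 'Hashing option has been updated.'

        Write-Verbose -Message "Option have been set on $($FileLocation)"
        $Config.Save($FileLocation)
    }
    End{}
}
--------------------------------------------------------------------------------
/Functions/Set-SysmonRule.ps1:
--------------------------------------------------------------------------------
# .ExternalHelp Posh-SysMon.psm1-Help.xml
function Set-SysmonRule
{
    [CmdletBinding(DefaultParameterSetName = 'Path',
                   HelpUri = 'https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md')]
    Param
    (
        # Path to XML config file (wildcards allowed).
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='Path',
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        $Path,

        # Literal path to XML config file; validated with -LiteralPath so that
        # wildcard characters in the name are not expanded.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ParameterSetName='LiteralPath',
                   Position=0)]
        [ValidateScript({Test-Path -LiteralPath $_})]
        [Alias('PSPath')]
        $LiteralPath,

        # Event type(s) whose rule is created or updated. Each is mapped to the
        # XML element name through the module's PrivateData.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [ValidateSet('NetworkConnect', 'ProcessCreate', 'FileCreateTime',
                     'ProcessTerminate', 'ImageLoad', 'DriverLoad', 'CreateRemoteThread',
                     'ProcessAccess', 'RawAccessRead', 'FileCreateStreamHash',
                     'RegistryEvent', 'FileCreate', 'PipeEvent', 'WmiEvent')]
        [string[]]
        $EventType,

        # Default action (onmatch attribute) for the rule; written lower-case.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet('Include', 'Exclude')]
        [String]
        $OnMatch = 'Exclude',

        # Schema 3.0+ only: Modify rewrites the onmatch of the existing rule
        # element, Add creates a second element for the other onmatch value.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true)]
        [ValidateSet('Modify', 'Add')]
        [String]
        $Action = 'Modify'
    )

    Begin{}
    Process
    {
        # Behaviour, per event type:
        #  - no rule element: create one with the requested onmatch (any schema).
        #  - one element: schema 2.0, or schema 3.0+ with -Action Modify, rewrites
        #    its onmatch; schema 3.0+ with -Action Add appends a second element
        #    when the existing onmatch differs, otherwise nothing changes.
        #  - two elements (one per onmatch) on schema 3.0+: nothing to do.
        #  - anything else does not conform to the schema and is an error.

        # Load the file; content that is not XML fails the [xml] cast.
        try
        {
            switch($PSCmdlet.ParameterSetName)
            {
                'Path'
                {
                    [xml]$Config = Get-Content -Path $Path
                    $FileLocation = (Resolve-Path -Path $Path).Path
                }

                'LiteralPath'
                {
                    [xml]$Config = Get-Content -LiteralPath $LiteralPath
                    $FileLocation = (Resolve-Path -LiteralPath $LiteralPath).Path
                }
            }
        }
        catch [System.Management.Automation.PSInvalidCastException]
        {
            Write-Error -Message 'Specified file does not appear to be a XML file.'
            return
        }

        # Validate the XML file is a valid, supported Sysmon config file.
        if ($null -eq $Config.SelectSingleNode('//Sysmon'))
        {
            Write-Error -Message 'XML file is not a valid Sysmon config file.'
            return
        }

        if ($Config.Sysmon.schemaversion -notin $SysMonSupportedVersions)
        {
            Write-Error -Message 'This version of Sysmon Rule file is not supported.'
            return
        }

        $Rules = $Config.SelectSingleNode('//Sysmon/EventFiltering')
        if ($null -eq $Rules)
        {
            Write-Error -Message 'Rule element does not exist. This appears to not be a valid config file'
            return
        }

        # NOTE: schemaversion is a string, so '-ge 3.0' is a text comparison.
        # It holds for the 2.x-4.x versions this module accepts but would not
        # for a two-digit major version.
        $SchemaVersion = $Config.Sysmon.schemaversion

        foreach($Type in $EventType)
        {
            $EvtType = $MyInvocation.MyCommand.Module.PrivateData[$Type]
            # Materialise the matches so Count is reliable for 0, 1 or many
            # elements (a lone XmlElement reports Count 1 through PowerShell's
            # intrinsic member, so the old '.count -eq $null' test was fragile).
            $Existing = @($Rules.SelectNodes("//EventFiltering/$($EvtType)"))
            $RuleData = if ($Existing.Count -gt 0) { $Existing[0] } else { $null }
            # Distinct onmatch values already present for this type.
            $Elements = @($Rules."$($EvtType)" | Select-Object -Property onmatch -Unique)

            if ($Existing.Count -eq 0)
            {
                Write-Verbose -Message "No rule for $($EvtType) was found."
                Write-Verbose -Message "Creating rule for event type with action of $($OnMatch)"
                $TypeElement = $Config.CreateElement($EvtType)
                $TypeElement.SetAttribute('onmatch', $OnMatch.ToLower())
                $RuleData = $Rules.AppendChild($TypeElement)
                Write-Verbose -Message 'Action has been set.'
            }
            elseif ($Existing.Count -eq 1)
            {
                if (($SchemaVersion -eq '2.0') -or ($SchemaVersion -ge 3.0 -and $Action -eq 'Modify'))
                {
                    Write-Verbose -Message "Setting as default action for $($EvtType) the rule on match of $($OnMatch)."
                    $RuleData.SetAttribute('onmatch', $OnMatch.ToLower())
                    Write-Verbose -Message 'Action has been set.'
                }
                elseif ($SchemaVersion -ge 3.0 -and $Action -eq 'Add')
                {
                    if ($RuleData.onmatch -ne $OnMatch)
                    {
                        Write-Verbose -Message "Creating rule for event type with action of $($OnMatch)"
                        $TypeElement = $Config.CreateElement($EvtType)
                        $TypeElement.SetAttribute('onmatch', $OnMatch.ToLower())
                        $RuleData = $Rules.AppendChild($TypeElement)
                        Write-Verbose -Message 'Action has been set.'
                    }
                    else
                    {
                        Write-Verbose -Message 'A rule with the specified onmatch action already exists.'
                    }
                }
            }
            elseif ($SchemaVersion -ge 3.0 -and $Elements.Count -eq 2)
            {
                Write-Verbose -Message 'A rule with the specified onmatch action already exists.'
            }
            else
            {
                Write-Error -Message 'This XML file does not conform to the schema.'
                return
            }

            Get-RuleWithFilter $RuleData
        }
        $Config.Save($FileLocation)
    }
    End{}
}
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2016, Carlos Perez
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of Posh-Sysmon nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED.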
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 24 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 25 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 26 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | 29 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Posh-Sysmon 2 | PowerShell 3.0 or above module for creating and managing Sysinternals Sysmon v2.0 config files. System Monitor ([Sysmon](https://technet.microsoft.com/en-us/sysinternals/dn798348)) is a Windows system service and device driver that is part of the SysInternal tools from Microsoft. It is written by Mark Russinovich and Thomas Garnier to monitor a Windows system's actions and log them to the Windows Event Log. When the tool is installed on a system it can be given an XML configuration file to control what is logged, and the same file can be used to update the configuration of a previously installed instance of the tool. 3 | 4 | All functions in the PowerShell module include help information and examples of usage that can be viewed using the Get-Help cmdlet. 5 | 6 | ## Installation 7 | 8 | For installation it is highly recommended that you install from the PowerShell Gallery using the Install-Module cmdlet. 
9 | 10 | On PowerShell v5 and above: 11 | 12 | ``` Powershell 13 | Install-Module -Name Posh-Sysmon 14 | ``` 15 | 16 | If you are running PS 3.0 to 4.0 you can also use the PowerShell Gallery by following the instructions in the [PowerShell Gallery Documentation](https://msdn.microsoft.com/powershell/gallery/readme) 17 | 18 | ## Change Log 19 | 20 | ### Version 1.2 21 | 22 | * Module only supports the last 2 Schema versions. **[Breaking Change]** 23 | * Support for Sysmon 8.0 Schema version 4.1 RuleName 24 | * Fixed issue when adding a filter for a non-existent rule. It will properly error now. 25 | 26 | ### Version 1.0 27 | 28 | * Module only supports the last 2 Schema versions. **[Breaking Change]** 29 | * Support for Sysmon 7.0 Schema version 4.0 30 | * Added new fields for filtering introduced in Sysmon 7.0. 31 | * Modified organization of functions into their own files for better management while coding. 32 | * Fixed typo in the enabling of rules in rule creation. 33 | 34 | ### Version 0.7.6 35 | 36 | * Support for Schema 3.4 of Sysmon v6.2 37 | * New function New-SysmonWmiEvent. 38 | * Updated Rule and Filter functions for WmiEvents. 39 | * Fixed where some functions did not support PipeEvents. 40 | 41 | ### Version 0.7.5 42 | 43 | * Support for Schema 3.3 of Sysmon v6. 44 | * New function New-SysmonPipeEvent for filtering named pipe creation and connection events. 45 | * Support of PipeEvent in config creation and event type functions. 46 | * Several bug fixes on filtering functions when given an array of values. 47 | 48 | ### Version 0.7.3 49 | 50 | * Several bug fixes when creating RawAccess and ProcessOpen rules. 51 | * By default the new schema is 3.2 for the latest version of Sysmon 5.0. 52 | * New-SysmonConfiguration function has options to enable all logging for FileCreate, RegistryEvent and FileCreateStreamHash. 53 | * Get-SysmonEventData can now parse File Create, Registry and File Stream creation events. 
54 | * New function New-SysmonFileCreateFilter for creating file creation filters. 55 | * New function New-SysmonRegistryEvent for creating registry event filters. 56 | * New function New-SysmonFileCreateStreamHash for creating file stream hash event filters. 57 | * Updated Get-SysmonRule, Set-SysmonRule, Remove-SysmonRule and Remove-SysmonRuleFilter for the new event type rules. 58 | * Added Online Help option for all functions. 59 | 60 | ### Version 0.7.2 61 | 62 | * Added missing Event Types to Get-SysmonEventData. 63 | 64 | ### Version 0.7.1 65 | 66 | * Fixed issue with filter conditions that contain spaces. 67 | 68 | ### Version 0.7 69 | 70 | * Added support for ProcessAccess filtering added in Sysmon 4.1 71 | * Added function New-SysmonProcessAccess for creating ProcessAccess filters. 72 | * Fixed issue where the command was displayed instead of run with New-SysmonDriverLoadFilter. 73 | * Added ProcessAccess type in Get-SysmonEventData and Get-SysmonRuleFilter. 74 | * Verbose output shows which version of Sysmon the file will be compatible with after creating it. 75 | 76 | ### Version 0.6 77 | 78 | * Added support for Sysmon 4.0 XML schema (Schema version 3.0) 79 | * One can select the version of schema to support when creating the configuration file. 80 | * All functions have been updated to support the use of more than one rule as per Schema 3.0 81 | 82 | ### Version 0.5 83 | 84 | * Added Get-SysmonEventData to get the Event Data information as a custom object for selected Event Types. 85 | * Added Get-SysmonRuleFilter to get all filters under a specific Event Type Rule. 86 | 87 | ### Version 0.4 88 | 89 | Version 3.0 is a full re-write on how rules work and new event types. This update is SysMon 3.0 only. If you wish to work on SysMon 2.0 rules I recommend you use version 0.3 of the module. 90 | 91 | * When creating a new sysmon rule it will allow you to enable logging of event types supported. 
92 | * Checks that it is only working with the proper XML schema for the rules. 93 | * Can now create specific filters for the CreateRemoteThread event type. 94 | * Since Rules and Config were merged, the config functions (Get-SysmonConfigOption, Set-SysmonConfigOption) were removed and replaced with Get-SysmonHashingAlgorithm and Set-SysmonHashingAlgorithm 95 | 96 | ### Version 0.3 97 | 98 | * Tons of fixes due to a bad refactor. 99 | * Filter creation is now done by specific functions per event type. 100 | * Filter creation functions are now in their own sub-module. 101 | 102 | ### Version 0.2 103 | 104 | * Validate that the file is an XML file and a valid Sysmon configuration file. 105 | * Changed option ConfigFile to Path and LiteralPath so as to match other cmdlets that work with files. 106 | * Fixed typos in verbose messages and examples. 107 | * Functions should work better now when passing files through the pipeline using Get-ChildItem. 108 | 109 | ### Version 0.1 110 | 111 | * Initial version for Sysmon 2.0 with XML Schema 1.0 112 | 113 | ## Examples 114 | 115 | ## Create an XML Configuration File 116 | 117 |
118 | PS C:\> New-SysmonConfiguration -Path .\pc_marketing.xml -HashingAlgorithm IMPHASH,SHA1 -Network -Comment "Sysmon config for deployment in the Marketing PC OU" -Verbose
119 | VERBOSE: Enabling hashing algorithms : IMPHASH,SHA1
120 | VERBOSE: Enabling network connection logging.
121 | VERBOSE: Config file created as C:\pc_marketing.xml
122 | 
123 | 124 | 125 | ## Get configured Rules and Filters 126 | 127 |
128 | PS C:\> Get-SysmonRule -Path .\pc_marketing.xml
129 | 
130 | 
131 | EventType     : NetworkConnect
132 | Scope         : Filtered
133 | DefaultAction : Exclude
134 | Filters       : {@{EventField=Image; Condition=Image; Value=C:\Windows\System32\svchost.exe},
135 |                 @{EventField=Image; Condition=Image; Value=C:\Program Files (x86)\Internet Explorer\iexplore.exe},
136 |                 @{EventField=Image; Condition=Image; Value=C:\Program Files\Internet Explorer\iexplore.exe},
137 |                 @{EventField=Image; Condition=Image; Value=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe}...}
138 | 
139 | 
140 | 
141 | PS C:\> Get-SysmonRules -Path .\pc_marketing.xml | select -ExpandProperty Filters
142 | 
143 | EventField   Condition    Value
144 | ----------   ---------    -----
145 | Image        Image        C:\Windows\System32\svchost.exe
146 | Image        Image        C:\Program Files (x86)\Internet Explorer\iexplo...
147 | Image        Image        C:\Program Files\Internet Explorer\iexplore.exe
148 | Image        Image        C:\Program Files (x86)\Google\Chrome\Applicatio...
149 | Image        Image        C:\Program Files (x86)\PuTTY\putty.exe
150 | Image        Image        C:\Program Files (x86)\PuTTY\plink.exe
151 | Image        Image        C:\Program Files (x86)\PuTTY\pscp.exe
152 | Image        Image        C:\Program Files (x86)\PuTTY\psftp.exe
153 | 
154 | 
155 | 
156 | 157 | ## Create or Update a Rule and its Default Action 158 | 159 |
160 | 
161 | PS C:\> Set-SysmonRule -Path .\pc_marketing.xml -EventType ImageLoad -Verbose
162 | VERBOSE: No rule for ImageLoad was found.
163 | VERBOSE: Creating rule for event type with action of Exclude
164 | VERBOSE: Action has been set.
165 | 
166 | EventType     : ImageLoad
167 | Scope         : All Events
168 | DefaultAction : Exclude
169 | Filters       :
170 | 
171 | 
172 | 173 | ## Remove One or More Filters 174 | 175 |
176 | PS C:\> Get-SysmonRule -Path .\pc_marketing.xml -EventType NetworkConnect
177 | 
178 | EventType     : NetworkConnect
179 | Scope         : Filtered
180 | DefaultAction : Exclude
181 | Filters       : {@{EventField=Image; Condition=Image; Value=C:\Windows\System32\svchost.exe},
182 |                 @{EventField=Image; Condition=Image; Value=C:\Program Files (x86)\Internet Explorer\iexplore.exe},
183 |                 @{EventField=Image; Condition=Image; Value=C:\Program Files\Internet Explorer\iexplore.exe},
184 |                 @{EventField=Image; Condition=Image; Value=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe}...}
185 | 
186 | 
187 | PS C:\> Remove-SysmonRuleFilter -Path .\pc_marketing.xml -EventType NetworkConnect -Condition Image -EventField Image -Value $images -Verbose
188 | VERBOSE: Filter for field Image with condition Image and value of C:\Windows\System32\svchost.exe removed.
189 | VERBOSE: Filter for field Image with condition Image and value of C:\Program Files (x86)\Internet Explorer\iexplore.exe removed.
190 | VERBOSE: Filter for field Image with condition Image and value of C:\Program Files\Internet Explorer\iexplore.exe removed.
191 | VERBOSE: Filter for field Image with condition Image and value of C:\Program Files (x86)\Google\Chrome\Application\chrome.exe removed.
192 | VERBOSE: Filter for field Image with condition Image and value of C:\Program Files (x86)\PuTTY\putty.exe removed.
193 | VERBOSE: Filter for field Image with condition Image and value of C:\Program Files (x86)\PuTTY\plink.exe removed.
194 | VERBOSE: Filter for field Image with condition Image and value of C:\Program Files (x86)\PuTTY\pscp.exe removed.
195 | VERBOSE: Filter for field Image with condition Image and value of C:\Program Files (x86)\PuTTY\psftp.exe removed.
196 | 
197 | 
198 | EventType     : NetworkConnect
199 | Scope         : All Events
200 | DefaultAction : Exclude
201 | Filters       :
202 | 
203 | 204 | ## Remove Rule 205 | 206 |
207 | PS C:\> Remove-SysmonRule -Path .\pc_marketing.xml -EventType ImageLoad,NetworkConnect -Verbose
208 | VERBOSE: Removed rule for ImageLoad.
209 | VERBOSE: Removed rule for NetworkConnect.
210 | 
211 | -------------------------------------------------------------------------------- /build.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param( 3 | [ValidateSet("Release","Debug")] 4 | $Configuration = "Release" 5 | ) 6 | 7 | Push-Location $PSScriptRoot 8 | try { 9 | $BuildTimer = New-Object System.Diagnostics.Stopwatch 10 | $BuildTimer.Start() 11 | 12 | $ModuleName = Split-Path $PSScriptRoot -Leaf 13 | $ErrorActionPreference = "Stop" 14 | $version = Get-Metadata ".\Source\${ModuleName}.psd1" 15 | $folder = mkdir $version -Force 16 | 17 | Get-ChildItem Source -filter "${ModuleName}.*" | 18 | Copy-Item -Dest $folder.FullName -PassThru | 19 | ForEach-Object { 20 | Write-Host " $($_.Name) -> $($_.FullName)" 21 | } 22 | 23 | Get-ChildItem Source\Private, Source\Public -Filter *.ps1 -Recurse | 24 | Sort-Object Directory, Name | 25 | Get-Content | 26 | Set-Content "$($folder.FullName)\${ModuleName}.psm1" 27 | Write-Host " $($ModuleName) -> $($folder.FullName)\${ModuleName}.psm1" 28 | 29 | Write-Host 30 | Write-Host "Module build finished." -ForegroundColor Green 31 | $BuildTimer.Stop() 32 | Write-Host "Total Elapsed $($BuildTimer.Elapsed.ToString("hh\:mm\:ss\.ff"))" 33 | } catch { 34 | throw $_ 35 | } finally { 36 | Pop-Location 37 | } -------------------------------------------------------------------------------- /docs/Get-SysmonEventData.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-SysmonEventData 9 | 10 | ## SYNOPSIS 11 | Searches for specified SysMon Events and retunrs the Event Data as a custom object. 
12 | 13 | ## SYNTAX 14 | 15 | ### ID (Default) 16 | ``` 17 | Get-SysmonEventData [-EventId] [[-MaxEvents] ] [-Path ] [-StartTime ] 18 | [-EndTime ] [] 19 | ``` 20 | 21 | ### Type 22 | ``` 23 | Get-SysmonEventData [[-EventType] ] [[-MaxEvents] ] [-Path ] [-StartTime ] 24 | [-EndTime ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Searches for specified SysMon Events and retunrs the Event Data as a custom object. 29 | 30 | ## EXAMPLES 31 | 32 | ### EXAMPLE 1 33 | ``` 34 | Get-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1) 35 | ``` 36 | 37 | All process creation events in the last 24hr 38 | 39 | ### EXAMPLE 2 40 | ``` 41 | Get-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\export.evtx 42 | ``` 43 | 44 | last 20 network connection events from a exported SysMon log. 45 | 46 | ## PARAMETERS 47 | 48 | ### -EventId 49 | Sysmon Event ID of records to show 50 | 51 | ```yaml 52 | Type: Int32[] 53 | Parameter Sets: ID 54 | Aliases: 55 | 56 | Required: True 57 | Position: 1 58 | Default value: None 59 | Accept pipeline input: True (ByPropertyName) 60 | Accept wildcard characters: False 61 | ``` 62 | 63 | ### -EventType 64 | EventType that a Rule can be written against. 65 | 66 | ```yaml 67 | Type: String[] 68 | Parameter Sets: Type 69 | Aliases: 70 | 71 | Required: False 72 | Position: 1 73 | Default value: None 74 | Accept pipeline input: True (ByPropertyName) 75 | Accept wildcard characters: False 76 | ``` 77 | 78 | ### -MaxEvents 79 | Specifies the maximum number of events that Get-WinEvent returns. 80 | Enter an integer. 81 | The default is to return all the events in the logs or files. 82 | 83 | ```yaml 84 | Type: Int32 85 | Parameter Sets: (All) 86 | Aliases: 87 | 88 | Required: False 89 | Position: 2 90 | Default value: 0 91 | Accept pipeline input: True (ByPropertyName) 92 | Accept wildcard characters: False 93 | ``` 94 | 95 | ### -Path 96 | Specifies a path to one or more exported SysMon events in evtx format. 
97 | 98 | ```yaml 99 | Type: String[] 100 | Parameter Sets: (All) 101 | Aliases: PSPath 102 | 103 | Required: False 104 | Position: Named 105 | Default value: None 106 | Accept pipeline input: True (ByPropertyName, ByValue) 107 | Accept wildcard characters: False 108 | ``` 109 | 110 | ### -StartTime 111 | Start Date to get all event going forward. 112 | 113 | ```yaml 114 | Type: DateTime 115 | Parameter Sets: (All) 116 | Aliases: 117 | 118 | Required: False 119 | Position: Named 120 | Default value: None 121 | Accept pipeline input: False 122 | Accept wildcard characters: False 123 | ``` 124 | 125 | ### -EndTime 126 | End data for searching events. 127 | 128 | ```yaml 129 | Type: DateTime 130 | Parameter Sets: (All) 131 | Aliases: 132 | 133 | Required: False 134 | Position: Named 135 | Default value: None 136 | Accept pipeline input: False 137 | Accept wildcard characters: False 138 | ``` 139 | 140 | ### CommonParameters 141 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 142 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
143 | 144 | ## INPUTS 145 | 146 | ## OUTPUTS 147 | 148 | ## NOTES 149 | 150 | ## RELATED LINKS 151 | -------------------------------------------------------------------------------- /docs/Get-SysmonHashingAlgorithm.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-SysmonHashingAlgorithm 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | Get-SysmonHashingAlgorithm [-Path] [] 18 | ``` 19 | 20 | ### LiteralPath 21 | ``` 22 | Get-SysmonHashingAlgorithm [-LiteralPath] [] 23 | ``` 24 | 25 | ## DESCRIPTION 26 | {{Fill in the Description}} 27 | 28 | ## EXAMPLES 29 | 30 | ### Example 1 31 | ```powershell 32 | PS C:\> {{ Add example code here }} 33 | ``` 34 | 35 | {{ Add example description here }} 36 | 37 | ## PARAMETERS 38 | 39 | ### -LiteralPath 40 | {{Fill LiteralPath Description}} 41 | 42 | ```yaml 43 | Type: String 44 | Parameter Sets: LiteralPath 45 | Aliases: PSPath 46 | 47 | Required: True 48 | Position: 0 49 | Default value: None 50 | Accept pipeline input: True (ByPropertyName) 51 | Accept wildcard characters: False 52 | ``` 53 | 54 | ### -Path 55 | {{Fill Path Description}} 56 | 57 | ```yaml 58 | Type: String 59 | Parameter Sets: Path 60 | Aliases: 61 | 62 | Required: True 63 | Position: 0 64 | Default value: None 65 | Accept pipeline input: True (ByPropertyName) 66 | Accept wildcard characters: False 67 | ``` 68 | 69 | ### CommonParameters 70 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 
71 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 72 | 73 | ## INPUTS 74 | 75 | ### System.String 76 | 77 | ## OUTPUTS 78 | 79 | ### System.Object 80 | ## NOTES 81 | 82 | ## RELATED LINKS 83 | 84 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md) 85 | 86 | -------------------------------------------------------------------------------- /docs/Get-SysmonRule.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-SysmonRule 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | Get-SysmonRule [-Path] [[-EventType] ] [] 18 | ``` 19 | 20 | ### LiteralPath 21 | ``` 22 | Get-SysmonRule [-LiteralPath] [[-EventType] ] [] 23 | ``` 24 | 25 | ## DESCRIPTION 26 | {{Fill in the Description}} 27 | 28 | ## EXAMPLES 29 | 30 | ### Example 1 31 | ```powershell 32 | PS C:\> {{ Add example code here }} 33 | ``` 34 | 35 | {{ Add example description here }} 36 | 37 | ## PARAMETERS 38 | 39 | ### -EventType 40 | {{Fill EventType Description}} 41 | 42 | ```yaml 43 | Type: String[] 44 | Parameter Sets: (All) 45 | Aliases: 46 | Accepted values: ALL, NetworkConnect, ProcessCreate, FileCreateTime, ProcessTerminate, ImageLoad, DriverLoad, ProcessAccess, RawAccessRead, ProcessAccess, FileCreateStreamHash, RegistryEvent, FileCreate, PipeEvent, WmiEvent 47 | 48 | Required: False 49 | Position: 1 50 | Default value: None 51 | Accept pipeline input: True (ByPropertyName) 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -LiteralPath 56 | {{Fill LiteralPath Description}} 57 | 58 | ```yaml 59 | Type: 
String 60 | Parameter Sets: LiteralPath 61 | Aliases: PSPath 62 | 63 | Required: True 64 | Position: 0 65 | Default value: None 66 | Accept pipeline input: True (ByPropertyName) 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -Path 71 | {{Fill Path Description}} 72 | 73 | ```yaml 74 | Type: String 75 | Parameter Sets: Path 76 | Aliases: 77 | 78 | Required: True 79 | Position: 0 80 | Default value: None 81 | Accept pipeline input: True (ByPropertyName) 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### CommonParameters 86 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 87 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 88 | 89 | ## INPUTS 90 | 91 | ### System.String 92 | 93 | ### System.String[] 94 | 95 | ## OUTPUTS 96 | 97 | ### System.Object 98 | ## NOTES 99 | 100 | ## RELATED LINKS 101 | 102 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md) 103 | 104 | -------------------------------------------------------------------------------- /docs/Get-SysmonRuleFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-SysmonRuleFilter 9 | 10 | ## SYNOPSIS 11 | Get the configured filters for a specified Event Type Rule in a Sysmon configuration file. 
12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | Get-SysmonRuleFilter [-Path] [-EventType] [-OnMatch] [] 18 | ``` 19 | 20 | ### LiteralPath 21 | ``` 22 | Get-SysmonRuleFilter [-LiteralPath] [-OnMatch] [] 23 | ``` 24 | 25 | ## DESCRIPTION 26 | Get the configured filters for a specified Event Type Rule in a Sysmon configuration file. 27 | 28 | ## EXAMPLES 29 | 30 | ### EXAMPLE 1 31 | ``` 32 | Get-SysmonRuleFilter -Path C:\sysmon.xml -EventType ProcessCreate 33 | ``` 34 | 35 | Get the filter under the ProcessCreate Rule. 36 | 37 | ## PARAMETERS 38 | 39 | ### -Path 40 | Path to XML config file. 41 | 42 | ```yaml 43 | Type: Object 44 | Parameter Sets: Path 45 | Aliases: 46 | 47 | Required: True 48 | Position: 1 49 | Default value: None 50 | Accept pipeline input: True (ByPropertyName) 51 | Accept wildcard characters: False 52 | ``` 53 | 54 | ### -LiteralPath 55 | Path to XML config file. 56 | 57 | ```yaml 58 | Type: Object 59 | Parameter Sets: LiteralPath 60 | Aliases: PSPath 61 | 62 | Required: True 63 | Position: 1 64 | Default value: None 65 | Accept pipeline input: True (ByPropertyName) 66 | Accept wildcard characters: False 67 | ``` 68 | 69 | ### -EventType 70 | Event type rule to get filter for. 71 | 72 | ```yaml 73 | Type: String 74 | Parameter Sets: Path 75 | Aliases: 76 | 77 | Required: True 78 | Position: 2 79 | Default value: None 80 | Accept pipeline input: True (ByPropertyName) 81 | Accept wildcard characters: False 82 | ``` 83 | 84 | ### -OnMatch 85 | Event type on match action. 
86 | 87 | ```yaml 88 | Type: String 89 | Parameter Sets: (All) 90 | Aliases: 91 | 92 | Required: True 93 | Position: 3 94 | Default value: None 95 | Accept pipeline input: True (ByPropertyName) 96 | Accept wildcard characters: False 97 | ``` 98 | 99 | ### CommonParameters 100 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 101 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 102 | 103 | ## INPUTS 104 | 105 | ## OUTPUTS 106 | 107 | ## NOTES 108 | 109 | ## RELATED LINKS 110 | -------------------------------------------------------------------------------- /docs/New-SysmonConfiguration.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonConfiguration 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | New-SysmonConfiguration [-Path] [-HashingAlgorithm] [-NetworkConnect] [-DriverLoad] 17 | [-ImageLoad] [-CreateRemoteThread] [-FileCreateTime] [-ProcessCreate] [-ProcessTerminate] [-ProcessAccess] 18 | [-RawAccessRead] [-CheckRevocation] [-RegistryEvent] [-FileCreate] [-FileCreateStreamHash] [-PipeEvent] 19 | [-WmiEvent] [-Comment ] [-SchemaVersion ] [] 20 | ``` 21 | 22 | ## DESCRIPTION 23 | {{Fill in the Description}} 24 | 25 | ## EXAMPLES 26 | 27 | ### Example 1 28 | ```powershell 29 | PS C:\> {{ Add example code here }} 30 | ``` 31 | 32 | {{ Add example description here }} 33 | 34 | ## PARAMETERS 35 | 36 | ### -CheckRevocation 37 | {{Fill CheckRevocation Description}} 38 | 39 | ```yaml 40 | Type: SwitchParameter 41 | Parameter Sets: (All) 42 | 
Aliases: 43 | 44 | Required: False 45 | Position: 11 46 | Default value: None 47 | Accept pipeline input: True (ByPropertyName) 48 | Accept wildcard characters: False 49 | ``` 50 | 51 | ### -Comment 52 | {{Fill Comment Description}} 53 | 54 | ```yaml 55 | Type: String 56 | Parameter Sets: (All) 57 | Aliases: 58 | 59 | Required: False 60 | Position: Named 61 | Default value: None 62 | Accept pipeline input: True (ByPropertyName) 63 | Accept wildcard characters: False 64 | ``` 65 | 66 | ### -CreateRemoteThread 67 | {{Fill CreateRemoteThread Description}} 68 | 69 | ```yaml 70 | Type: SwitchParameter 71 | Parameter Sets: (All) 72 | Aliases: 73 | 74 | Required: False 75 | Position: 5 76 | Default value: None 77 | Accept pipeline input: True (ByPropertyName) 78 | Accept wildcard characters: False 79 | ``` 80 | 81 | ### -DriverLoad 82 | {{Fill DriverLoad Description}} 83 | 84 | ```yaml 85 | Type: SwitchParameter 86 | Parameter Sets: (All) 87 | Aliases: 88 | 89 | Required: False 90 | Position: 3 91 | Default value: None 92 | Accept pipeline input: True (ByPropertyName) 93 | Accept wildcard characters: False 94 | ``` 95 | 96 | ### -FileCreate 97 | {{Fill FileCreate Description}} 98 | 99 | ```yaml 100 | Type: SwitchParameter 101 | Parameter Sets: (All) 102 | Aliases: 103 | 104 | Required: False 105 | Position: 13 106 | Default value: None 107 | Accept pipeline input: True (ByPropertyName) 108 | Accept wildcard characters: False 109 | ``` 110 | 111 | ### -FileCreateStreamHash 112 | {{Fill FileCreateStreamHash Description}} 113 | 114 | ```yaml 115 | Type: SwitchParameter 116 | Parameter Sets: (All) 117 | Aliases: 118 | 119 | Required: False 120 | Position: 14 121 | Default value: None 122 | Accept pipeline input: True (ByPropertyName) 123 | Accept wildcard characters: False 124 | ``` 125 | 126 | ### -FileCreateTime 127 | {{Fill FileCreateTime Description}} 128 | 129 | ```yaml 130 | Type: SwitchParameter 131 | Parameter Sets: (All) 132 | Aliases: 133 | 134 | Required: False 135 
| Position: 6 136 | Default value: None 137 | Accept pipeline input: True (ByPropertyName) 138 | Accept wildcard characters: False 139 | ``` 140 | 141 | ### -HashingAlgorithm 142 | {{Fill HashingAlgorithm Description}} 143 | 144 | ```yaml 145 | Type: String[] 146 | Parameter Sets: (All) 147 | Aliases: 148 | Accepted values: ALL, MD5, SHA1, SHA256, IMPHASH 149 | 150 | Required: True 151 | Position: 1 152 | Default value: None 153 | Accept pipeline input: True (ByPropertyName) 154 | Accept wildcard characters: False 155 | ``` 156 | 157 | ### -ImageLoad 158 | {{Fill ImageLoad Description}} 159 | 160 | ```yaml 161 | Type: SwitchParameter 162 | Parameter Sets: (All) 163 | Aliases: 164 | 165 | Required: False 166 | Position: 4 167 | Default value: None 168 | Accept pipeline input: True (ByPropertyName) 169 | Accept wildcard characters: False 170 | ``` 171 | 172 | ### -NetworkConnect 173 | {{Fill NetworkConnect Description}} 174 | 175 | ```yaml 176 | Type: SwitchParameter 177 | Parameter Sets: (All) 178 | Aliases: 179 | 180 | Required: False 181 | Position: 2 182 | Default value: None 183 | Accept pipeline input: True (ByPropertyName) 184 | Accept wildcard characters: False 185 | ``` 186 | 187 | ### -Path 188 | {{Fill Path Description}} 189 | 190 | ```yaml 191 | Type: String 192 | Parameter Sets: (All) 193 | Aliases: 194 | 195 | Required: True 196 | Position: 0 197 | Default value: None 198 | Accept pipeline input: True (ByPropertyName) 199 | Accept wildcard characters: False 200 | ``` 201 | 202 | ### -PipeEvent 203 | {{Fill PipeEvent Description}} 204 | 205 | ```yaml 206 | Type: SwitchParameter 207 | Parameter Sets: (All) 208 | Aliases: 209 | 210 | Required: False 211 | Position: 15 212 | Default value: None 213 | Accept pipeline input: True (ByPropertyName) 214 | Accept wildcard characters: False 215 | ``` 216 | 217 | ### -ProcessAccess 218 | {{Fill ProcessAccess Description}} 219 | 220 | ```yaml 221 | Type: SwitchParameter 222 | Parameter Sets: (All) 223 | Aliases: 224 
| 225 | Required: False 226 | Position: 9 227 | Default value: None 228 | Accept pipeline input: True (ByPropertyName) 229 | Accept wildcard characters: False 230 | ``` 231 | 232 | ### -ProcessCreate 233 | {{Fill ProcessCreate Description}} 234 | 235 | ```yaml 236 | Type: SwitchParameter 237 | Parameter Sets: (All) 238 | Aliases: 239 | 240 | Required: False 241 | Position: 7 242 | Default value: None 243 | Accept pipeline input: True (ByPropertyName) 244 | Accept wildcard characters: False 245 | ``` 246 | 247 | ### -ProcessTerminate 248 | {{Fill ProcessTerminate Description}} 249 | 250 | ```yaml 251 | Type: SwitchParameter 252 | Parameter Sets: (All) 253 | Aliases: 254 | 255 | Required: False 256 | Position: 8 257 | Default value: None 258 | Accept pipeline input: True (ByPropertyName) 259 | Accept wildcard characters: False 260 | ``` 261 | 262 | ### -RawAccessRead 263 | {{Fill RawAccessRead Description}} 264 | 265 | ```yaml 266 | Type: SwitchParameter 267 | Parameter Sets: (All) 268 | Aliases: 269 | 270 | Required: False 271 | Position: 10 272 | Default value: None 273 | Accept pipeline input: True (ByPropertyName) 274 | Accept wildcard characters: False 275 | ``` 276 | 277 | ### -RegistryEvent 278 | {{Fill RegistryEvent Description}} 279 | 280 | ```yaml 281 | Type: SwitchParameter 282 | Parameter Sets: (All) 283 | Aliases: 284 | 285 | Required: False 286 | Position: 12 287 | Default value: None 288 | Accept pipeline input: True (ByPropertyName) 289 | Accept wildcard characters: False 290 | ``` 291 | 292 | ### -SchemaVersion 293 | {{Fill SchemaVersion Description}} 294 | 295 | ```yaml 296 | Type: String 297 | Parameter Sets: (All) 298 | Aliases: 299 | Accepted values: 4.0, 4.1 300 | 301 | Required: False 302 | Position: Named 303 | Default value: None 304 | Accept pipeline input: True (ByPropertyName) 305 | Accept wildcard characters: False 306 | ``` 307 | 308 | ### -WmiEvent 309 | {{Fill WmiEvent Description}} 310 | 311 | ```yaml 312 | Type: SwitchParameter 313 | 
Parameter Sets: (All) 314 | Aliases: 315 | 316 | Required: False 317 | Position: 16 318 | Default value: None 319 | Accept pipeline input: True (ByPropertyName) 320 | Accept wildcard characters: False 321 | ``` 322 | 323 | ### CommonParameters 324 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 325 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 326 | 327 | ## INPUTS 328 | 329 | ### System.String 330 | 331 | ### System.String[] 332 | 333 | ### System.Management.Automation.SwitchParameter 334 | 335 | ## OUTPUTS 336 | 337 | ### System.Object 338 | ## NOTES 339 | 340 | ## RELATED LINKS 341 | 342 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md) 343 | 344 | -------------------------------------------------------------------------------- /docs/New-SysmonDriverLoadFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonDriverLoadFilter 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonDriverLoadFilter [-Path] [-OnMatch] [-Condition] [-EventField] 18 | [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonDriverLoadFilter [-LiteralPath] [-OnMatch] [-Condition] 24 | [-EventField] [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | {{Fill in the Description}} 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> {{ Add 
example code here }} 35 | ``` 36 | 37 | {{ Add example description here }} 38 | 39 | ## PARAMETERS 40 | 41 | ### -Condition 42 | {{Fill Condition Description}} 43 | 44 | ```yaml 45 | Type: String 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan 49 | 50 | Required: True 51 | Position: 2 52 | Default value: None 53 | Accept pipeline input: True (ByPropertyName) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -EventField 58 | {{Fill EventField Description}} 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | Accepted values: UtcTime, ImageLoaded, Hashes, Signed, Signature 65 | 66 | Required: True 67 | Position: 3 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName) 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ### -LiteralPath 74 | {{Fill LiteralPath Description}} 75 | 76 | ```yaml 77 | Type: Object 78 | Parameter Sets: LiteralPath 79 | Aliases: PSPath 80 | 81 | Required: True 82 | Position: 0 83 | Default value: None 84 | Accept pipeline input: True (ByPropertyName) 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -OnMatch 89 | {{Fill OnMatch Description}} 90 | 91 | ```yaml 92 | Type: String 93 | Parameter Sets: (All) 94 | Aliases: 95 | Accepted values: include, exclude 96 | 97 | Required: True 98 | Position: 1 99 | Default value: None 100 | Accept pipeline input: True (ByPropertyName) 101 | Accept wildcard characters: False 102 | ``` 103 | 104 | ### -Path 105 | {{Fill Path Description}} 106 | 107 | ```yaml 108 | Type: Object 109 | Parameter Sets: Path 110 | Aliases: 111 | 112 | Required: True 113 | Position: 0 114 | Default value: None 115 | Accept pipeline input: True (ByPropertyName) 116 | Accept wildcard characters: False 117 | ``` 118 | 119 | ### -RuleName 120 | {{Fill RuleName Description}} 121 | 122 | ```yaml 123 | Type: String 124 | Parameter Sets: (All) 125 | Aliases: 126 | 127 | 
Required: False 128 | Position: Named 129 | Default value: None 130 | Accept pipeline input: True (ByPropertyName) 131 | Accept wildcard characters: False 132 | ``` 133 | 134 | ### -Value 135 | {{Fill Value Description}} 136 | 137 | ```yaml 138 | Type: String[] 139 | Parameter Sets: (All) 140 | Aliases: 141 | 142 | Required: True 143 | Position: 4 144 | Default value: None 145 | Accept pipeline input: True (ByPropertyName) 146 | Accept wildcard characters: False 147 | ``` 148 | 149 | ### CommonParameters 150 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 151 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 152 | 153 | ## INPUTS 154 | 155 | ### System.Object 156 | 157 | ### System.String 158 | 159 | ### System.String[] 160 | 161 | ## OUTPUTS 162 | 163 | ### System.Object 164 | ## NOTES 165 | 166 | ## RELATED LINKS 167 | 168 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md) 169 | 170 | -------------------------------------------------------------------------------- /docs/New-SysmonFileCreateFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonFileCreateFilter 9 | 10 | ## SYNOPSIS 11 | Create a new filter for the logging file creation. 
12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonFileCreateFilter [-Path] [-OnMatch] [-Condition] [-EventField] 18 | [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonFileCreateFilter [-LiteralPath] [-OnMatch] [-Condition] 24 | [-EventField] [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Create a new filter for the logging file creation. 29 | 30 | ## EXAMPLES 31 | 32 | ### EXAMPLE 1 33 | ``` 34 | 35 | ``` 36 | 37 | ## PARAMETERS 38 | 39 | ### -Path 40 | Path to XML config file. 41 | 42 | ```yaml 43 | Type: Object 44 | Parameter Sets: Path 45 | Aliases: 46 | 47 | Required: True 48 | Position: 1 49 | Default value: None 50 | Accept pipeline input: True (ByPropertyName) 51 | Accept wildcard characters: False 52 | ``` 53 | 54 | ### -LiteralPath 55 | Path to XML config file. 56 | 57 | ```yaml 58 | Type: Object 59 | Parameter Sets: LiteralPath 60 | Aliases: PSPath 61 | 62 | Required: True 63 | Position: 1 64 | Default value: None 65 | Accept pipeline input: True (ByPropertyName) 66 | Accept wildcard characters: False 67 | ``` 68 | 69 | ### -OnMatch 70 | Event type on match action. 71 | 72 | ```yaml 73 | Type: String 74 | Parameter Sets: (All) 75 | Aliases: 76 | 77 | Required: True 78 | Position: 2 79 | Default value: None 80 | Accept pipeline input: True (ByPropertyName) 81 | Accept wildcard characters: False 82 | ``` 83 | 84 | ### -Condition 85 | Condition for filtering against and event field. 86 | 87 | ```yaml 88 | Type: String 89 | Parameter Sets: (All) 90 | Aliases: 91 | 92 | Required: True 93 | Position: 3 94 | Default value: None 95 | Accept pipeline input: True (ByPropertyName) 96 | Accept wildcard characters: False 97 | ``` 98 | 99 | ### -EventField 100 | Event field to filter on. 
101 | 102 | ```yaml 103 | Type: String 104 | Parameter Sets: (All) 105 | Aliases: 106 | 107 | Required: True 108 | Position: 4 109 | Default value: None 110 | Accept pipeline input: True (ByPropertyName) 111 | Accept wildcard characters: False 112 | ``` 113 | 114 | ### -Value 115 | Value of Event Field to filter on. 116 | 117 | ```yaml 118 | Type: String[] 119 | Parameter Sets: (All) 120 | Aliases: 121 | 122 | Required: True 123 | Position: 5 124 | Default value: None 125 | Accept pipeline input: True (ByPropertyName) 126 | Accept wildcard characters: False 127 | ``` 128 | 129 | ### -RuleName 130 | {{Fill RuleName Description}} 131 | 132 | ```yaml 133 | Type: String 134 | Parameter Sets: (All) 135 | Aliases: 136 | 137 | Required: False 138 | Position: Named 139 | Default value: None 140 | Accept pipeline input: True (ByPropertyName) 141 | Accept wildcard characters: False 142 | ``` 143 | 144 | ### CommonParameters 145 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 146 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 147 | 148 | ## INPUTS 149 | 150 | ## OUTPUTS 151 | 152 | ## NOTES 153 | 154 | ## RELATED LINKS 155 | -------------------------------------------------------------------------------- /docs/New-SysmonFileCreateStreamHash.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | online version: 4 | schema: 2.0.0 5 | --- 6 | 7 | # New-SysmonFileCreateStreamHash 8 | 9 | ## SYNOPSIS 10 | Create a new filter for the logging of the saving of data on a file stream. 
11 | 12 | ## SYNTAX 13 | 14 | ### Path (Default) 15 | ``` 16 | New-SysmonFileCreateStreamHash [-Path] [-OnMatch] [-Condition] 17 | [-EventField] [-Value] 18 | ``` 19 | 20 | ### LiteralPath 21 | ``` 22 | New-SysmonFileCreateStreamHash [-LiteralPath] [-OnMatch] [-Condition] 23 | [-EventField] [-Value] 24 | ``` 25 | 26 | ## DESCRIPTION 27 | Create a new filter for the logging of the saving of data on a file stream. 28 | 29 | ## EXAMPLES 30 | 31 | ### -------------------------- EXAMPLE 1 -------------------------- 32 | ``` 33 | New-SysmonRegistryEvent -Path .\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce' 34 | ``` 35 | 36 | Capture persistance attemp by creating a registry entry in the RunOnce keys. 37 | 38 | ## PARAMETERS 39 | 40 | ### -Path 41 | Path to XML config file. 42 | 43 | ```yaml 44 | Type: Object 45 | Parameter Sets: Path 46 | Aliases: 47 | 48 | Required: True 49 | Position: 1 50 | Default value: None 51 | Accept pipeline input: True (ByPropertyName) 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -LiteralPath 56 | Path to XML config file. 57 | 58 | ```yaml 59 | Type: Object 60 | Parameter Sets: LiteralPath 61 | Aliases: PSPath 62 | 63 | Required: True 64 | Position: 1 65 | Default value: None 66 | Accept pipeline input: True (ByPropertyName) 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -OnMatch 71 | Event type on match action. 72 | 73 | ```yaml 74 | Type: String 75 | Parameter Sets: (All) 76 | Aliases: 77 | 78 | Required: True 79 | Position: 2 80 | Default value: None 81 | Accept pipeline input: True (ByPropertyName) 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### -Condition 86 | Condition for filtering against and event field. 
87 | 88 | ```yaml 89 | Type: String 90 | Parameter Sets: (All) 91 | Aliases: 92 | 93 | Required: True 94 | Position: 3 95 | Default value: None 96 | Accept pipeline input: True (ByPropertyName) 97 | Accept wildcard characters: False 98 | ``` 99 | 100 | ### -EventField 101 | Event field to filter on. 102 | 103 | ```yaml 104 | Type: String 105 | Parameter Sets: (All) 106 | Aliases: 107 | 108 | Required: True 109 | Position: 4 110 | Default value: None 111 | Accept pipeline input: True (ByPropertyName) 112 | Accept wildcard characters: False 113 | ``` 114 | 115 | ### -Value 116 | Value of Event Field to filter on. 117 | 118 | ```yaml 119 | Type: String[] 120 | Parameter Sets: (All) 121 | Aliases: 122 | 123 | Required: True 124 | Position: 5 125 | Default value: None 126 | Accept pipeline input: True (ByPropertyName) 127 | Accept wildcard characters: False 128 | ``` 129 | 130 | ## INPUTS 131 | 132 | ## OUTPUTS 133 | 134 | ## NOTES 135 | 136 | ## RELATED LINKS 137 | 138 | -------------------------------------------------------------------------------- /docs/New-SysmonFileCreateStreamHashFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonFileCreateStreamHashFilter 9 | 10 | ## SYNOPSIS 11 | Create a new filter for the logging of the saving of data on a file stream. 
12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonFileCreateStreamHashFilter [-Path] [-OnMatch] [-Condition] 18 | [-EventField] [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonFileCreateStreamHashFilter [-LiteralPath] [-OnMatch] [-Condition] 24 | [-EventField] [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Create a new filter for the logging of the saving of data on a file stream. 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> {{ Add example code here }} 35 | ``` 36 | 37 | {{ Add example description here }} 38 | 39 | ## PARAMETERS 40 | 41 | ### -Path 42 | Path to XML config file. 43 | 44 | ```yaml 45 | Type: Object 46 | Parameter Sets: Path 47 | Aliases: 48 | 49 | Required: True 50 | Position: 1 51 | Default value: None 52 | Accept pipeline input: True (ByPropertyName) 53 | Accept wildcard characters: False 54 | ``` 55 | 56 | ### -LiteralPath 57 | Path to XML config file. 58 | 59 | ```yaml 60 | Type: Object 61 | Parameter Sets: LiteralPath 62 | Aliases: PSPath 63 | 64 | Required: True 65 | Position: 1 66 | Default value: None 67 | Accept pipeline input: True (ByPropertyName) 68 | Accept wildcard characters: False 69 | ``` 70 | 71 | ### -OnMatch 72 | Event type on match action. 73 | 74 | ```yaml 75 | Type: String 76 | Parameter Sets: (All) 77 | Aliases: 78 | 79 | Required: True 80 | Position: 2 81 | Default value: None 82 | Accept pipeline input: True (ByPropertyName) 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -Condition 87 | Condition for filtering against and event field. 88 | 89 | ```yaml 90 | Type: String 91 | Parameter Sets: (All) 92 | Aliases: 93 | 94 | Required: True 95 | Position: 3 96 | Default value: None 97 | Accept pipeline input: True (ByPropertyName) 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### -EventField 102 | Event field to filter on. 
103 | 104 | ```yaml 105 | Type: String 106 | Parameter Sets: (All) 107 | Aliases: 108 | 109 | Required: True 110 | Position: 4 111 | Default value: None 112 | Accept pipeline input: True (ByPropertyName) 113 | Accept wildcard characters: False 114 | ``` 115 | 116 | ### -Value 117 | Value of Event Field to filter on. 118 | 119 | ```yaml 120 | Type: String[] 121 | Parameter Sets: (All) 122 | Aliases: 123 | 124 | Required: True 125 | Position: 5 126 | Default value: None 127 | Accept pipeline input: True (ByPropertyName) 128 | Accept wildcard characters: False 129 | ``` 130 | 131 | ### -RuleName 132 | Rule Name for the filter. 133 | 134 | ```yaml 135 | Type: String 136 | Parameter Sets: (All) 137 | Aliases: 138 | 139 | Required: False 140 | Position: Named 141 | Default value: None 142 | Accept pipeline input: True (ByPropertyName) 143 | Accept wildcard characters: False 144 | ``` 145 | 146 | ### CommonParameters 147 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 148 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
149 | 150 | ## INPUTS 151 | 152 | ## OUTPUTS 153 | 154 | ## NOTES 155 | 156 | ## RELATED LINKS 157 | -------------------------------------------------------------------------------- /docs/New-SysmonImageLoadFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonImageLoadFilter 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonImageLoadFilter [-Path] [-OnMatch] [-Condition] [-EventField] 18 | [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonImageLoadFilter [-LiteralPath] [-OnMatch] [-Condition] 24 | [-EventField] [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | {{Fill in the Description}} 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> {{ Add example code here }} 35 | ``` 36 | 37 | {{ Add example description here }} 38 | 39 | ## PARAMETERS 40 | 41 | ### -Condition 42 | {{Fill Condition Description}} 43 | 44 | ```yaml 45 | Type: String 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan 49 | 50 | Required: True 51 | Position: 2 52 | Default value: None 53 | Accept pipeline input: True (ByPropertyName) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -EventField 58 | {{Fill EventField Description}} 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | Accepted values: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, FileVersion, Description, Product, Company 65 | 66 | Required: True 67 | Position: 3 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName) 70 | Accept 
wildcard characters: False 71 | ``` 72 | 73 | ### -LiteralPath 74 | {{Fill LiteralPath Description}} 75 | 76 | ```yaml 77 | Type: Object 78 | Parameter Sets: LiteralPath 79 | Aliases: PSPath 80 | 81 | Required: True 82 | Position: 0 83 | Default value: None 84 | Accept pipeline input: True (ByPropertyName) 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -OnMatch 89 | {{Fill OnMatch Description}} 90 | 91 | ```yaml 92 | Type: String 93 | Parameter Sets: (All) 94 | Aliases: 95 | Accepted values: include, exclude 96 | 97 | Required: True 98 | Position: 1 99 | Default value: None 100 | Accept pipeline input: True (ByPropertyName) 101 | Accept wildcard characters: False 102 | ``` 103 | 104 | ### -Path 105 | {{Fill Path Description}} 106 | 107 | ```yaml 108 | Type: Object 109 | Parameter Sets: Path 110 | Aliases: 111 | 112 | Required: True 113 | Position: 0 114 | Default value: None 115 | Accept pipeline input: True (ByPropertyName) 116 | Accept wildcard characters: False 117 | ``` 118 | 119 | ### -RuleName 120 | {{Fill RuleName Description}} 121 | 122 | ```yaml 123 | Type: String 124 | Parameter Sets: (All) 125 | Aliases: 126 | 127 | Required: False 128 | Position: Named 129 | Default value: None 130 | Accept pipeline input: True (ByPropertyName) 131 | Accept wildcard characters: False 132 | ``` 133 | 134 | ### -Value 135 | {{Fill Value Description}} 136 | 137 | ```yaml 138 | Type: String[] 139 | Parameter Sets: (All) 140 | Aliases: 141 | 142 | Required: True 143 | Position: 4 144 | Default value: None 145 | Accept pipeline input: True (ByPropertyName) 146 | Accept wildcard characters: False 147 | ``` 148 | 149 | ### CommonParameters 150 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 151 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
152 | 153 | ## INPUTS 154 | 155 | ### System.Object 156 | 157 | ### System.String 158 | 159 | ### System.String[] 160 | 161 | ## OUTPUTS 162 | 163 | ### System.Object 164 | ## NOTES 165 | 166 | ## RELATED LINKS 167 | 168 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md) 169 | 170 | -------------------------------------------------------------------------------- /docs/New-SysmonNetworkConnectFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonNetworkConnectFilter 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonNetworkConnectFilter [-Path] [-OnMatch] [-Condition] 18 | [-EventField] [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonNetworkConnectFilter [-LiteralPath] [-OnMatch] [-Condition] 24 | [-EventField] [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | {{Fill in the Description}} 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> {{ Add example code here }} 35 | ``` 36 | 37 | {{ Add example description here }} 38 | 39 | ## PARAMETERS 40 | 41 | ### -Condition 42 | {{Fill Condition Description}} 43 | 44 | ```yaml 45 | Type: String 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan 49 | 50 | Required: True 51 | Position: 2 52 | Default value: None 53 | Accept pipeline input: True (ByPropertyName) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -EventField 58 | {{Fill EventField Description}} 59 | 60 | 
```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | Accepted values: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName 65 | 66 | Required: True 67 | Position: 3 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName) 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ### -LiteralPath 74 | {{Fill LiteralPath Description}} 75 | 76 | ```yaml 77 | Type: Object 78 | Parameter Sets: LiteralPath 79 | Aliases: PSPath 80 | 81 | Required: True 82 | Position: 0 83 | Default value: None 84 | Accept pipeline input: True (ByPropertyName) 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -OnMatch 89 | {{Fill OnMatch Description}} 90 | 91 | ```yaml 92 | Type: String 93 | Parameter Sets: (All) 94 | Aliases: 95 | Accepted values: include, exclude 96 | 97 | Required: True 98 | Position: 1 99 | Default value: None 100 | Accept pipeline input: True (ByPropertyName) 101 | Accept wildcard characters: False 102 | ``` 103 | 104 | ### -Path 105 | {{Fill Path Description}} 106 | 107 | ```yaml 108 | Type: Object 109 | Parameter Sets: Path 110 | Aliases: 111 | 112 | Required: True 113 | Position: 0 114 | Default value: None 115 | Accept pipeline input: True (ByPropertyName) 116 | Accept wildcard characters: False 117 | ``` 118 | 119 | ### -RuleName 120 | {{Fill RuleName Description}} 121 | 122 | ```yaml 123 | Type: String 124 | Parameter Sets: (All) 125 | Aliases: 126 | 127 | Required: False 128 | Position: Named 129 | Default value: None 130 | Accept pipeline input: True (ByPropertyName) 131 | Accept wildcard characters: False 132 | ``` 133 | 134 | ### -Value 135 | {{Fill Value Description}} 136 | 137 | ```yaml 138 | Type: String[] 139 | Parameter Sets: (All) 140 | Aliases: 141 | 142 | Required: True 143 | Position: 4 144 | Default value: None 145 | Accept 
pipeline input: True (ByPropertyName) 146 | Accept wildcard characters: False 147 | ``` 148 | 149 | ### CommonParameters 150 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 151 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 152 | 153 | ## INPUTS 154 | 155 | ### System.Object 156 | 157 | ### System.String 158 | 159 | ### System.String[] 160 | 161 | ## OUTPUTS 162 | 163 | ### System.Object 164 | ## NOTES 165 | 166 | ## RELATED LINKS 167 | 168 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md) 169 | 170 | -------------------------------------------------------------------------------- /docs/New-SysmonPipeEvent.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | online version: 4 | schema: 2.0.0 5 | --- 6 | 7 | # New-SysmonPipeEvent 8 | 9 | ## SYNOPSIS 10 | Create a new filter for when a Named Pipe is created or connected. 11 | 12 | ## SYNTAX 13 | 14 | ### Path (Default) 15 | ``` 16 | New-SysmonPipeEvent [-Path] [-OnMatch] [-Condition] [-EventField] 17 | [-Value] 18 | ``` 19 | 20 | ### LiteralPath 21 | ``` 22 | New-SysmonPipeEvent [-LiteralPath] [-OnMatch] [-Condition] [-EventField] 23 | [-Value] 24 | ``` 25 | 26 | ## DESCRIPTION 27 | Create a new filter for when a Named Pipe is created or connected. 28 | Useful for watching malware inter process communication. 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ``` 34 | PS C:\> {{ Add example code here }} 35 | ``` 36 | 37 | {{ Add example description here }} 38 | 39 | ## PARAMETERS 40 | 41 | ### -Path 42 | Path to XML config file. 
43 | 44 | ```yaml 45 | Type: Object 46 | Parameter Sets: Path 47 | Aliases: 48 | 49 | Required: True 50 | Position: 1 51 | Default value: None 52 | Accept pipeline input: True (ByPropertyName) 53 | Accept wildcard characters: False 54 | ``` 55 | 56 | ### -LiteralPath 57 | Path to XML config file. 58 | 59 | ```yaml 60 | Type: Object 61 | Parameter Sets: LiteralPath 62 | Aliases: PSPath 63 | 64 | Required: True 65 | Position: 1 66 | Default value: None 67 | Accept pipeline input: True (ByPropertyName) 68 | Accept wildcard characters: False 69 | ``` 70 | 71 | ### -OnMatch 72 | Event type on match action. 73 | 74 | ```yaml 75 | Type: String 76 | Parameter Sets: (All) 77 | Aliases: 78 | 79 | Required: True 80 | Position: 2 81 | Default value: None 82 | Accept pipeline input: True (ByPropertyName) 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -Condition 87 | Condition for filtering against and event field. 88 | 89 | ```yaml 90 | Type: String 91 | Parameter Sets: (All) 92 | Aliases: 93 | 94 | Required: True 95 | Position: 3 96 | Default value: None 97 | Accept pipeline input: True (ByPropertyName) 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### -EventField 102 | Event field to filter on. 103 | 104 | ```yaml 105 | Type: String 106 | Parameter Sets: (All) 107 | Aliases: 108 | 109 | Required: True 110 | Position: 4 111 | Default value: None 112 | Accept pipeline input: True (ByPropertyName) 113 | Accept wildcard characters: False 114 | ``` 115 | 116 | ### -Value 117 | Value of Event Field to filter on. 
118 | 119 | ```yaml 120 | Type: String[] 121 | Parameter Sets: (All) 122 | Aliases: 123 | 124 | Required: True 125 | Position: 5 126 | Default value: None 127 | Accept pipeline input: True (ByPropertyName) 128 | Accept wildcard characters: False 129 | ``` 130 | 131 | ## INPUTS 132 | 133 | ## OUTPUTS 134 | 135 | ## NOTES 136 | 137 | ## RELATED LINKS 138 | 139 | -------------------------------------------------------------------------------- /docs/New-SysmonPipeFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonPipeFilter 9 | 10 | ## SYNOPSIS 11 | Create a new filter for when a Named Pipe is created or connected. 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonPipeFilter [-Path] [-OnMatch] [-Condition] [-EventField] 18 | [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonPipeFilter [-LiteralPath] [-OnMatch] [-Condition] [-EventField] 24 | [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Create a new filter for when a Named Pipe is created or connected. 29 | Useful for watching malware inter process communication. 30 | 31 | ## EXAMPLES 32 | 33 | ### Example 1 34 | ```powershell 35 | PS C:\> {{ Add example code here }} 36 | ``` 37 | 38 | {{ Add example description here }} 39 | 40 | ## PARAMETERS 41 | 42 | ### -Path 43 | Path to XML config file. 44 | 45 | ```yaml 46 | Type: Object 47 | Parameter Sets: Path 48 | Aliases: 49 | 50 | Required: True 51 | Position: 1 52 | Default value: None 53 | Accept pipeline input: True (ByPropertyName) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -LiteralPath 58 | Path to XML config file. 
59 | 60 | ```yaml 61 | Type: Object 62 | Parameter Sets: LiteralPath 63 | Aliases: PSPath 64 | 65 | Required: True 66 | Position: 1 67 | Default value: None 68 | Accept pipeline input: True (ByPropertyName) 69 | Accept wildcard characters: False 70 | ``` 71 | 72 | ### -OnMatch 73 | Event type on match action. 74 | 75 | ```yaml 76 | Type: String 77 | Parameter Sets: (All) 78 | Aliases: 79 | 80 | Required: True 81 | Position: 2 82 | Default value: None 83 | Accept pipeline input: True (ByPropertyName) 84 | Accept wildcard characters: False 85 | ``` 86 | 87 | ### -Condition 88 | Condition for filtering against and event field. 89 | 90 | ```yaml 91 | Type: String 92 | Parameter Sets: (All) 93 | Aliases: 94 | 95 | Required: True 96 | Position: 3 97 | Default value: None 98 | Accept pipeline input: True (ByPropertyName) 99 | Accept wildcard characters: False 100 | ``` 101 | 102 | ### -EventField 103 | Event field to filter on. 104 | 105 | ```yaml 106 | Type: String 107 | Parameter Sets: (All) 108 | Aliases: 109 | 110 | Required: True 111 | Position: 4 112 | Default value: None 113 | Accept pipeline input: True (ByPropertyName) 114 | Accept wildcard characters: False 115 | ``` 116 | 117 | ### -Value 118 | Value of Event Field to filter on. 119 | 120 | ```yaml 121 | Type: String[] 122 | Parameter Sets: (All) 123 | Aliases: 124 | 125 | Required: True 126 | Position: 5 127 | Default value: None 128 | Accept pipeline input: True (ByPropertyName) 129 | Accept wildcard characters: False 130 | ``` 131 | 132 | ### -RuleName 133 | Rule Name for the filter. 
134 | 135 | ```yaml 136 | Type: String 137 | Parameter Sets: (All) 138 | Aliases: 139 | 140 | Required: False 141 | Position: Named 142 | Default value: None 143 | Accept pipeline input: True (ByPropertyName) 144 | Accept wildcard characters: False 145 | ``` 146 | 147 | ### CommonParameters 148 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 149 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 150 | 151 | ## INPUTS 152 | 153 | ## OUTPUTS 154 | 155 | ## NOTES 156 | 157 | ## RELATED LINKS 158 | -------------------------------------------------------------------------------- /docs/New-SysmonProcessAccessFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonProcessAccessFilter 9 | 10 | ## SYNOPSIS 11 | Create a new filter for the logging of when a running process opens another. 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonProcessAccessFilter [-Path] [-OnMatch] [-Condition] [-EventField] 18 | [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonProcessAccessFilter [-LiteralPath] [-OnMatch] [-Condition] 24 | [-EventField] [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Create a new filter for the logging of when a running process opens another. 29 | 30 | ## EXAMPLES 31 | 32 | ### EXAMPLE 1 33 | ``` 34 | New-SysmonProcessAccessFilter -Path .\testver31.xml -OnMatch include -Condition Contains -EventField TargetImage lsass.exe 35 | ``` 36 | 37 | Log any process trying to open lsass.exe. 
38 | 39 | ## PARAMETERS 40 | 41 | ### -Path 42 | Path to XML config file. 43 | 44 | ```yaml 45 | Type: Object 46 | Parameter Sets: Path 47 | Aliases: 48 | 49 | Required: True 50 | Position: 1 51 | Default value: None 52 | Accept pipeline input: True (ByPropertyName) 53 | Accept wildcard characters: False 54 | ``` 55 | 56 | ### -LiteralPath 57 | Path to XML config file. 58 | 59 | ```yaml 60 | Type: Object 61 | Parameter Sets: LiteralPath 62 | Aliases: PSPath 63 | 64 | Required: True 65 | Position: 1 66 | Default value: None 67 | Accept pipeline input: True (ByPropertyName) 68 | Accept wildcard characters: False 69 | ``` 70 | 71 | ### -OnMatch 72 | Event type on match action. 73 | 74 | ```yaml 75 | Type: String 76 | Parameter Sets: (All) 77 | Aliases: 78 | 79 | Required: True 80 | Position: 2 81 | Default value: None 82 | Accept pipeline input: True (ByPropertyName) 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -Condition 87 | Condition for filtering against and event field. 88 | 89 | ```yaml 90 | Type: String 91 | Parameter Sets: (All) 92 | Aliases: 93 | 94 | Required: True 95 | Position: 3 96 | Default value: None 97 | Accept pipeline input: True (ByPropertyName) 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### -EventField 102 | Event field to filter on. 103 | 104 | ```yaml 105 | Type: String 106 | Parameter Sets: (All) 107 | Aliases: 108 | 109 | Required: True 110 | Position: 4 111 | Default value: None 112 | Accept pipeline input: True (ByPropertyName) 113 | Accept wildcard characters: False 114 | ``` 115 | 116 | ### -Value 117 | Value of Event Field to filter on. 118 | 119 | ```yaml 120 | Type: String[] 121 | Parameter Sets: (All) 122 | Aliases: 123 | 124 | Required: True 125 | Position: 5 126 | Default value: None 127 | Accept pipeline input: True (ByPropertyName) 128 | Accept wildcard characters: False 129 | ``` 130 | 131 | ### -RuleName 132 | Rule Name for the filter. 
133 | 134 | ```yaml 135 | Type: String 136 | Parameter Sets: (All) 137 | Aliases: 138 | 139 | Required: False 140 | Position: Named 141 | Default value: None 142 | Accept pipeline input: True (ByPropertyName) 143 | Accept wildcard characters: False 144 | ``` 145 | 146 | ### CommonParameters 147 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 148 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 149 | 150 | ## INPUTS 151 | 152 | ## OUTPUTS 153 | 154 | ## NOTES 155 | 156 | ## RELATED LINKS 157 | -------------------------------------------------------------------------------- /docs/New-SysmonProcessCreateFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonProcessCreateFilter 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonProcessCreateFilter [-Path] [-OnMatch] [-Condition] [-EventField] 18 | [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonProcessCreateFilter [-LiteralPath] [-OnMatch] [-Condition] 24 | [-EventField] [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | {{Fill in the Description}} 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> {{ Add example code here }} 35 | ``` 36 | 37 | {{ Add example description here }} 38 | 39 | ## PARAMETERS 40 | 41 | ### -Condition 42 | {{Fill Condition Description}} 43 | 44 | ```yaml 45 | Type: String 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Is, IsNot, Contains, 
Excludes, Image, BeginWith, EndWith, LessThan, MoreThan 49 | 50 | Required: True 51 | Position: 2 52 | Default value: None 53 | Accept pipeline input: True (ByPropertyName) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -EventField 58 | {{Fill EventField Description}} 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | Accepted values: UtcTime, ProcessGuid, ProcessId, Image, CommandLine, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine, FileVersion, Description, Product, Company 65 | 66 | Required: True 67 | Position: 3 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName) 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ### -LiteralPath 74 | {{Fill LiteralPath Description}} 75 | 76 | ```yaml 77 | Type: Object 78 | Parameter Sets: LiteralPath 79 | Aliases: PSPath 80 | 81 | Required: True 82 | Position: 0 83 | Default value: None 84 | Accept pipeline input: True (ByPropertyName) 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -OnMatch 89 | {{Fill OnMatch Description}} 90 | 91 | ```yaml 92 | Type: String 93 | Parameter Sets: (All) 94 | Aliases: 95 | Accepted values: include, exclude 96 | 97 | Required: True 98 | Position: 1 99 | Default value: None 100 | Accept pipeline input: True (ByPropertyName) 101 | Accept wildcard characters: False 102 | ``` 103 | 104 | ### -Path 105 | {{Fill Path Description}} 106 | 107 | ```yaml 108 | Type: Object 109 | Parameter Sets: Path 110 | Aliases: 111 | 112 | Required: True 113 | Position: 0 114 | Default value: None 115 | Accept pipeline input: True (ByPropertyName) 116 | Accept wildcard characters: False 117 | ``` 118 | 119 | ### -RuleName 120 | {{Fill RuleName Description}} 121 | 122 | ```yaml 123 | Type: String 124 | Parameter Sets: (All) 125 | Aliases: 126 | 127 | Required: False 128 | Position: Named 129 | Default value: None 130 | Accept pipeline input: 
True (ByPropertyName) 131 | Accept wildcard characters: False 132 | ``` 133 | 134 | ### -Value 135 | {{Fill Value Description}} 136 | 137 | ```yaml 138 | Type: String[] 139 | Parameter Sets: (All) 140 | Aliases: 141 | 142 | Required: True 143 | Position: 4 144 | Default value: None 145 | Accept pipeline input: True (ByPropertyName) 146 | Accept wildcard characters: False 147 | ``` 148 | 149 | ### CommonParameters 150 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 151 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 152 | 153 | ## INPUTS 154 | 155 | ### System.Object 156 | 157 | ### System.String 158 | 159 | ### System.String[] 160 | 161 | ## OUTPUTS 162 | 163 | ### System.Object 164 | ## NOTES 165 | 166 | ## RELATED LINKS 167 | 168 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md) 169 | 170 | -------------------------------------------------------------------------------- /docs/New-SysmonProcessTerminateFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonProcessTerminateFilter 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonProcessTerminateFilter [-Path] [-OnMatch] [-Condition] 18 | [-EventField] [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonProcessTerminateFilter [-LiteralPath] [-OnMatch] [-Condition] 24 | 
[-EventField] [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | {{Fill in the Description}} 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> {{ Add example code here }} 35 | ``` 36 | 37 | {{ Add example description here }} 38 | 39 | ## PARAMETERS 40 | 41 | ### -Condition 42 | {{Fill Condition Description}} 43 | 44 | ```yaml 45 | Type: String 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan 49 | 50 | Required: True 51 | Position: 2 52 | Default value: None 53 | Accept pipeline input: True (ByPropertyName) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -EventField 58 | {{Fill EventField Description}} 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | Accepted values: UtcTime, ProcessGuid, ProcessId 65 | 66 | Required: True 67 | Position: 3 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName) 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ### -LiteralPath 74 | {{Fill LiteralPath Description}} 75 | 76 | ```yaml 77 | Type: Object 78 | Parameter Sets: LiteralPath 79 | Aliases: PSPath 80 | 81 | Required: True 82 | Position: 0 83 | Default value: None 84 | Accept pipeline input: True (ByPropertyName) 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -OnMatch 89 | {{Fill OnMatch Description}} 90 | 91 | ```yaml 92 | Type: String 93 | Parameter Sets: (All) 94 | Aliases: 95 | Accepted values: include, exclude 96 | 97 | Required: True 98 | Position: 1 99 | Default value: None 100 | Accept pipeline input: True (ByPropertyName) 101 | Accept wildcard characters: False 102 | ``` 103 | 104 | ### -Path 105 | {{Fill Path Description}} 106 | 107 | ```yaml 108 | Type: Object 109 | Parameter Sets: Path 110 | Aliases: 111 | 112 | Required: True 113 | Position: 0 114 | Default value: None 115 | Accept pipeline input: True (ByPropertyName) 116 | Accept wildcard 
characters: False 117 | ``` 118 | 119 | ### -RuleName 120 | {{Fill RuleName Description}} 121 | 122 | ```yaml 123 | Type: String 124 | Parameter Sets: (All) 125 | Aliases: 126 | 127 | Required: False 128 | Position: Named 129 | Default value: None 130 | Accept pipeline input: True (ByPropertyName) 131 | Accept wildcard characters: False 132 | ``` 133 | 134 | ### -Value 135 | {{Fill Value Description}} 136 | 137 | ```yaml 138 | Type: String[] 139 | Parameter Sets: (All) 140 | Aliases: 141 | 142 | Required: True 143 | Position: 4 144 | Default value: None 145 | Accept pipeline input: True (ByPropertyName) 146 | Accept wildcard characters: False 147 | ``` 148 | 149 | ### CommonParameters 150 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 151 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 152 | 153 | ## INPUTS 154 | 155 | ### System.Object 156 | 157 | ### System.String 158 | 159 | ### System.String[] 160 | 161 | ## OUTPUTS 162 | 163 | ### System.Object 164 | ## NOTES 165 | 166 | ## RELATED LINKS 167 | 168 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md) 169 | 170 | -------------------------------------------------------------------------------- /docs/New-SysmonRegistryEvent.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | online version: 4 | schema: 2.0.0 5 | --- 6 | 7 | # New-SysmonRegistryEvent 8 | 9 | ## SYNOPSIS 10 | Create a new filter for the actions against the registry. 
11 | 12 | ## SYNTAX 13 | 14 | ### Path (Default) 15 | ``` 16 | New-SysmonRegistryEvent [-Path] [-OnMatch] [-Condition] [-EventField] 17 | [-Value] 18 | ``` 19 | 20 | ### LiteralPath 21 | ``` 22 | New-SysmonRegistryEvent [-LiteralPath] [-OnMatch] [-Condition] 23 | [-EventField] [-Value] 24 | ``` 25 | 26 | ## DESCRIPTION 27 | Create a new filter for actions against the registry. 28 | Supports filtering 29 | by any of the following event types: 30 | * CreateKey 31 | * DeleteKey 32 | * RenameKey 33 | * CreateValue 34 | * DeleteValue 35 | * RenameValue 36 | * SetValue 37 | 38 | Hives in TargetObject are referenced as: 39 | * \REGISTRY\MACHINE\HARDWARE 40 | * \REGISTRY\USER\Security ID number 41 | * \REGISTRY\MACHINE\SECURITY 42 | * \REGISTRY\USER\.DEFAULT 43 | * \REGISTRY\MACHINE\SYSTEM 44 | * \REGISTRY\MACHINE\SOFTWARE 45 | * \REGISTRY\MACHINE\SAM 46 | 47 | ## EXAMPLES 48 | 49 | ### -------------------------- EXAMPLE 1 -------------------------- 50 | ``` 51 | 52 | ``` 53 | 54 | ## PARAMETERS 55 | 56 | ### -Path 57 | Path to XML config file. 58 | 59 | ```yaml 60 | Type: Object 61 | Parameter Sets: Path 62 | Aliases: 63 | 64 | Required: True 65 | Position: 1 66 | Default value: None 67 | Accept pipeline input: True (ByPropertyName) 68 | Accept wildcard characters: False 69 | ``` 70 | 71 | ### -LiteralPath 72 | Path to XML config file. 73 | 74 | ```yaml 75 | Type: Object 76 | Parameter Sets: LiteralPath 77 | Aliases: PSPath 78 | 79 | Required: True 80 | Position: 1 81 | Default value: None 82 | Accept pipeline input: True (ByPropertyName) 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -OnMatch 87 | Event type on match action. 88 | 89 | ```yaml 90 | Type: String 91 | Parameter Sets: (All) 92 | Aliases: 93 | 94 | Required: True 95 | Position: 2 96 | Default value: None 97 | Accept pipeline input: True (ByPropertyName) 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### -Condition 102 | Condition for filtering against an event field. 
103 | 104 | ```yaml 105 | Type: String 106 | Parameter Sets: (All) 107 | Aliases: 108 | 109 | Required: True 110 | Position: 3 111 | Default value: None 112 | Accept pipeline input: True (ByPropertyName) 113 | Accept wildcard characters: False 114 | ``` 115 | 116 | ### -EventField 117 | Event field to filter on. 118 | 119 | ```yaml 120 | Type: String 121 | Parameter Sets: (All) 122 | Aliases: 123 | 124 | Required: True 125 | Position: 4 126 | Default value: None 127 | Accept pipeline input: True (ByPropertyName) 128 | Accept wildcard characters: False 129 | ``` 130 | 131 | ### -Value 132 | Value of Event Field to filter on. 133 | 134 | ```yaml 135 | Type: String[] 136 | Parameter Sets: (All) 137 | Aliases: 138 | 139 | Required: True 140 | Position: 5 141 | Default value: None 142 | Accept pipeline input: True (ByPropertyName) 143 | Accept wildcard characters: False 144 | ``` 145 | 146 | ## INPUTS 147 | 148 | ## OUTPUTS 149 | 150 | ## NOTES 151 | 152 | ## RELATED LINKS 153 | 154 | -------------------------------------------------------------------------------- /docs/New-SysmonRegistryFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-SysmonRegistryFilter 9 | 10 | ## SYNOPSIS 11 | Create a new filter for the actions against the registry. 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | New-SysmonRegistryFilter [-Path] [-OnMatch] [-Condition] [-EventField] 18 | [-Value] [-RuleName ] [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | New-SysmonRegistryFilter [-LiteralPath] [-OnMatch] [-Condition] 24 | [-EventField] [-Value] [-RuleName ] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Create a new filter for actions against the registry. 
29 | Supports filtering 30 | by any of the following event types: 31 | * CreateKey 32 | * DeleteKey 33 | * RenameKey 34 | * CreateValue 35 | * DeleteValue 36 | * RenameValue 37 | * SetValue 38 | 39 | Hives on Schema 3.2 in TargetObject are referenced as: 40 | * \REGISTRY\MACHINE\HARDWARE 41 | * \REGISTRY\USER\Security ID number 42 | * \REGISTRY\MACHINE\SECURITY 43 | * \REGISTRY\USER\.DEFAULT 44 | * \REGISTRY\MACHINE\SYSTEM 45 | * \REGISTRY\MACHINE\SOFTWARE 46 | * \REGISTRY\MACHINE\SAM 47 | 48 | Hives on Schema 3.3 and above in TargetObject are referenced as: 49 | * HKLM 50 | * HKCR 51 | * HKEY_USER 52 | 53 | ## EXAMPLES 54 | 55 | ### EXAMPLE 1 56 | ``` 57 | New-SysmonRegistryFilter -Path .\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce' 58 | ``` 59 | 60 | Capture persistence attempts by creating a registry entry in the RunOnce keys. 61 | 62 | ## PARAMETERS 63 | 64 | ### -Path 65 | Path to XML config file. 66 | 67 | ```yaml 68 | Type: Object 69 | Parameter Sets: Path 70 | Aliases: 71 | 72 | Required: True 73 | Position: 1 74 | Default value: None 75 | Accept pipeline input: True (ByPropertyName) 76 | Accept wildcard characters: False 77 | ``` 78 | 79 | ### -LiteralPath 80 | Path to XML config file. 81 | 82 | ```yaml 83 | Type: Object 84 | Parameter Sets: LiteralPath 85 | Aliases: PSPath 86 | 87 | Required: True 88 | Position: 1 89 | Default value: None 90 | Accept pipeline input: True (ByPropertyName) 91 | Accept wildcard characters: False 92 | ``` 93 | 94 | ### -OnMatch 95 | Event type on match action. 96 | 97 | ```yaml 98 | Type: String 99 | Parameter Sets: (All) 100 | Aliases: 101 | 102 | Required: True 103 | Position: 2 104 | Default value: None 105 | Accept pipeline input: True (ByPropertyName) 106 | Accept wildcard characters: False 107 | ``` 108 | 109 | ### -Condition 110 | Condition for filtering against an event field. 
111 | 112 | ```yaml 113 | Type: String 114 | Parameter Sets: (All) 115 | Aliases: 116 | 117 | Required: True 118 | Position: 3 119 | Default value: None 120 | Accept pipeline input: True (ByPropertyName) 121 | Accept wildcard characters: False 122 | ``` 123 | 124 | ### -EventField 125 | Event field to filter on. 126 | 127 | ```yaml 128 | Type: String 129 | Parameter Sets: (All) 130 | Aliases: 131 | 132 | Required: True 133 | Position: 4 134 | Default value: None 135 | Accept pipeline input: True (ByPropertyName) 136 | Accept wildcard characters: False 137 | ``` 138 | 139 | ### -Value 140 | Value of Event Field to filter on. 141 | 142 | ```yaml 143 | Type: String[] 144 | Parameter Sets: (All) 145 | Aliases: 146 | 147 | Required: True 148 | Position: 5 149 | Default value: None 150 | Accept pipeline input: True (ByPropertyName) 151 | Accept wildcard characters: False 152 | ``` 153 | 154 | ### -RuleName 155 | Rule Name for the filter. 156 | 157 | ```yaml 158 | Type: String 159 | Parameter Sets: (All) 160 | Aliases: 161 | 162 | Required: False 163 | Position: Named 164 | Default value: None 165 | Accept pipeline input: True (ByPropertyName) 166 | Accept wildcard characters: False 167 | ``` 168 | 169 | ### CommonParameters 170 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 171 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
172 | 173 | ## INPUTS 174 | 175 | ## OUTPUTS 176 | 177 | ## NOTES 178 | 179 | ## RELATED LINKS 180 | -------------------------------------------------------------------------------- /docs/Remove-SysmonRule.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # Remove-SysmonRule 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | Remove-SysmonRule [-Path] [-EventType] [-OnMatch] [] 18 | ``` 19 | 20 | ### LiteralPath 21 | ``` 22 | Remove-SysmonRule [-LiteralPath] [-EventType] [-OnMatch] [] 23 | ``` 24 | 25 | ## DESCRIPTION 26 | {{Fill in the Description}} 27 | 28 | ## EXAMPLES 29 | 30 | ### Example 1 31 | ```powershell 32 | PS C:\> {{ Add example code here }} 33 | ``` 34 | 35 | {{ Add example description here }} 36 | 37 | ## PARAMETERS 38 | 39 | ### -EventType 40 | {{Fill EventType Description}} 41 | 42 | ```yaml 43 | Type: String[] 44 | Parameter Sets: (All) 45 | Aliases: 46 | Accepted values: NetworkConnect, ProcessCreate, FileCreateTime, ProcessTerminate, ImageLoad, DriverLoad, CreateRemoteThread, ProcessAccess, RawAccessRead, FileCreateStreamHash, RegistryEvent, FileCreate, PipeEvent, WmiEvent, RuleName 47 | 48 | Required: True 49 | Position: 1 50 | Default value: None 51 | Accept pipeline input: True (ByPropertyName) 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -LiteralPath 56 | {{Fill LiteralPath Description}} 57 | 58 | ```yaml 59 | Type: Object 60 | Parameter Sets: LiteralPath 61 | Aliases: PSPath 62 | 63 | Required: True 64 | Position: 0 65 | Default value: None 66 | Accept pipeline input: True (ByPropertyName) 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -OnMatch 71 | {{Fill OnMatch Description}} 72 | 73 | ```yaml 74 | 
Type: String 75 | Parameter Sets: (All) 76 | Aliases: 77 | Accepted values: Include, Exclude 78 | 79 | Required: True 80 | Position: 2 81 | Default value: None 82 | Accept pipeline input: True (ByPropertyName) 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -Path 87 | {{Fill Path Description}} 88 | 89 | ```yaml 90 | Type: Object 91 | Parameter Sets: Path 92 | Aliases: 93 | 94 | Required: True 95 | Position: 0 96 | Default value: None 97 | Accept pipeline input: True (ByPropertyName) 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### CommonParameters 102 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 103 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 104 | 105 | ## INPUTS 106 | 107 | ### System.Object 108 | 109 | ### System.String[] 110 | 111 | ### System.String 112 | 113 | ## OUTPUTS 114 | 115 | ### System.Object 116 | ## NOTES 117 | 118 | ## RELATED LINKS 119 | 120 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md) 121 | 122 | -------------------------------------------------------------------------------- /docs/Remove-SysmonRuleFilter.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # Remove-SysmonRuleFilter 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | Remove-SysmonRuleFilter [-Path] [-EventType] [-OnMatch] [-Condition] 18 | [-EventField] [-Value] [] 19 | ``` 20 | 21 | ### 
LiteralPath 22 | ``` 23 | Remove-SysmonRuleFilter [-LiteralPath] [-EventType] [-OnMatch] [-Condition] 24 | [-EventField] [-Value] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | {{Fill in the Description}} 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> {{ Add example code here }} 35 | ``` 36 | 37 | {{ Add example description here }} 38 | 39 | ## PARAMETERS 40 | 41 | ### -Condition 42 | {{Fill Condition Description}} 43 | 44 | ```yaml 45 | Type: String 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Is, IsNot, Contains, Excludes, Image, BeginWith, EndWith, LessThan, MoreThan 49 | 50 | Required: True 51 | Position: 3 52 | Default value: None 53 | Accept pipeline input: True (ByPropertyName) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -EventField 58 | {{Fill EventField Description}} 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | 65 | Required: True 66 | Position: 4 67 | Default value: None 68 | Accept pipeline input: True (ByPropertyName) 69 | Accept wildcard characters: False 70 | ``` 71 | 72 | ### -EventType 73 | {{Fill EventType Description}} 74 | 75 | ```yaml 76 | Type: String 77 | Parameter Sets: (All) 78 | Aliases: 79 | Accepted values: NetworkConnect, ProcessCreate, FileCreateTime, ProcessTerminate, ImageLoad, DriverLoad, CreateRemoteThread, RawAccessRead, ProcessAccess, FileCreateStreamHash, RegistryEvent, FileCreate, PipeEvent, WmiEvent 80 | 81 | Required: True 82 | Position: 1 83 | Default value: None 84 | Accept pipeline input: True (ByPropertyName) 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -LiteralPath 89 | {{Fill LiteralPath Description}} 90 | 91 | ```yaml 92 | Type: Object 93 | Parameter Sets: LiteralPath 94 | Aliases: PSPath 95 | 96 | Required: True 97 | Position: 0 98 | Default value: None 99 | Accept pipeline input: True (ByPropertyName) 100 | Accept wildcard characters: False 101 | ``` 102 | 103 | ### -OnMatch 104 | {{Fill OnMatch 
Description}} 105 | 106 | ```yaml 107 | Type: String 108 | Parameter Sets: (All) 109 | Aliases: 110 | Accepted values: include, exclude 111 | 112 | Required: True 113 | Position: 2 114 | Default value: None 115 | Accept pipeline input: True (ByPropertyName) 116 | Accept wildcard characters: False 117 | ``` 118 | 119 | ### -Path 120 | {{Fill Path Description}} 121 | 122 | ```yaml 123 | Type: Object 124 | Parameter Sets: Path 125 | Aliases: 126 | 127 | Required: True 128 | Position: 0 129 | Default value: None 130 | Accept pipeline input: True (ByPropertyName) 131 | Accept wildcard characters: False 132 | ``` 133 | 134 | ### -Value 135 | {{Fill Value Description}} 136 | 137 | ```yaml 138 | Type: String[] 139 | Parameter Sets: (All) 140 | Aliases: 141 | 142 | Required: True 143 | Position: 5 144 | Default value: None 145 | Accept pipeline input: True (ByPropertyName) 146 | Accept wildcard characters: False 147 | ``` 148 | 149 | ### CommonParameters 150 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 151 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
152 | 153 | ## INPUTS 154 | 155 | ### System.Object 156 | 157 | ### System.String 158 | 159 | ### System.String[] 160 | 161 | ## OUTPUTS 162 | 163 | ### System.Object 164 | ## NOTES 165 | 166 | ## RELATED LINKS 167 | 168 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md) 169 | 170 | -------------------------------------------------------------------------------- /docs/Set-SysmonHashingAlgorithm.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # Set-SysmonHashingAlgorithm 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | Set-SysmonHashingAlgorithm [-Path] [-HashingAlgorithm] [] 18 | ``` 19 | 20 | ### LiteralPath 21 | ``` 22 | Set-SysmonHashingAlgorithm [-LiteralPath] [-HashingAlgorithm] [] 23 | ``` 24 | 25 | ## DESCRIPTION 26 | {{Fill in the Description}} 27 | 28 | ## EXAMPLES 29 | 30 | ### Example 1 31 | ```powershell 32 | PS C:\> {{ Add example code here }} 33 | ``` 34 | 35 | {{ Add example description here }} 36 | 37 | ## PARAMETERS 38 | 39 | ### -HashingAlgorithm 40 | {{Fill HashingAlgorithm Description}} 41 | 42 | ```yaml 43 | Type: String[] 44 | Parameter Sets: (All) 45 | Aliases: 46 | Accepted values: ALL, MD5, SHA1, SHA256, IMPHASH 47 | 48 | Required: True 49 | Position: 1 50 | Default value: None 51 | Accept pipeline input: True (ByPropertyName) 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -LiteralPath 56 | {{Fill LiteralPath Description}} 57 | 58 | ```yaml 59 | Type: Object 60 | Parameter Sets: LiteralPath 61 | Aliases: PSPath 62 | 63 | Required: True 64 | Position: 0 65 | Default value: 
None 66 | Accept pipeline input: True (ByPropertyName) 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -Path 71 | {{Fill Path Description}} 72 | 73 | ```yaml 74 | Type: Object 75 | Parameter Sets: Path 76 | Aliases: 77 | 78 | Required: True 79 | Position: 0 80 | Default value: None 81 | Accept pipeline input: True (ByPropertyName) 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### CommonParameters 86 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 87 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 88 | 89 | ## INPUTS 90 | 91 | ### System.Object 92 | 93 | ### System.String[] 94 | 95 | ## OUTPUTS 96 | 97 | ### System.Object 98 | ## NOTES 99 | 100 | ## RELATED LINKS 101 | 102 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md) 103 | 104 | -------------------------------------------------------------------------------- /docs/Set-SysmonRule.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: Posh-SysMon-help.xml 3 | Module Name: Posh-SysMon 4 | online version: https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md 5 | schema: 2.0.0 6 | --- 7 | 8 | # Set-SysmonRule 9 | 10 | ## SYNOPSIS 11 | {{Fill in the Synopsis}} 12 | 13 | ## SYNTAX 14 | 15 | ### Path (Default) 16 | ``` 17 | Set-SysmonRule [-Path] [-EventType] [[-OnMatch] ] [-Action ] 18 | [] 19 | ``` 20 | 21 | ### LiteralPath 22 | ``` 23 | Set-SysmonRule [-LiteralPath] [-EventType] [[-OnMatch] ] [-Action ] 24 | [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | {{Fill in the Description}} 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS 
C:\> {{ Add example code here }} 35 | ``` 36 | 37 | {{ Add example description here }} 38 | 39 | ## PARAMETERS 40 | 41 | ### -Action 42 | {{Fill Action Description}} 43 | 44 | ```yaml 45 | Type: String 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Modify, Add 49 | 50 | Required: False 51 | Position: Named 52 | Default value: None 53 | Accept pipeline input: True (ByPropertyName) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -EventType 58 | {{Fill EventType Description}} 59 | 60 | ```yaml 61 | Type: String[] 62 | Parameter Sets: (All) 63 | Aliases: 64 | Accepted values: NetworkConnect, ProcessCreate, FileCreateTime, ProcessTerminate, ImageLoad, DriverLoad, CreateRemoteThread, ProcessAccess, RawAccessRead, FileCreateStreamHash, RegistryEvent, FileCreate, PipeEvent, WmiEvent 65 | 66 | Required: True 67 | Position: 1 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName) 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ### -LiteralPath 74 | {{Fill LiteralPath Description}} 75 | 76 | ```yaml 77 | Type: Object 78 | Parameter Sets: LiteralPath 79 | Aliases: PSPath 80 | 81 | Required: True 82 | Position: 0 83 | Default value: None 84 | Accept pipeline input: True (ByPropertyName) 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -OnMatch 89 | {{Fill OnMatch Description}} 90 | 91 | ```yaml 92 | Type: String 93 | Parameter Sets: (All) 94 | Aliases: 95 | Accepted values: Include, Exclude 96 | 97 | Required: False 98 | Position: 2 99 | Default value: None 100 | Accept pipeline input: True (ByPropertyName) 101 | Accept wildcard characters: False 102 | ``` 103 | 104 | ### -Path 105 | {{Fill Path Description}} 106 | 107 | ```yaml 108 | Type: Object 109 | Parameter Sets: Path 110 | Aliases: 111 | 112 | Required: True 113 | Position: 0 114 | Default value: None 115 | Accept pipeline input: True (ByPropertyName) 116 | Accept wildcard characters: False 117 | ``` 118 | 119 | ### CommonParameters 120 | This 
cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 121 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 122 | 123 | ## INPUTS 124 | 125 | ### System.Object 126 | 127 | ### System.String[] 128 | 129 | ### System.String 130 | 131 | ## OUTPUTS 132 | 133 | ### System.Object 134 | ## NOTES 135 | 136 | ## RELATED LINKS 137 | 138 | [https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md](https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md) 139 | 140 | -------------------------------------------------------------------------------- /lib/sysmon3_1.dtd: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | -------------------------------------------------------------------------------- /lib/sysmon3_2.dtd: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 
| 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | -------------------------------------------------------------------------------- /lib/sysmon3_3.dtd: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | --------------------------------------------------------------------------------