├── sysmonmap.html
├── liveprocessmap.html
├── LFO.ps1
├── ExecTimeQuery.ps1
├── ProcessMapperLive.ps1
├── ProcessMapper.ps1
└── SysmonMapper1.1.ps1


/sysmonmap.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/glassdfir/SysmonMapper/HEAD/sysmonmap.html


--------------------------------------------------------------------------------
/liveprocessmap.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/glassdfir/SysmonMapper/HEAD/liveprocessmap.html


--------------------------------------------------------------------------------
/LFO.ps1:
--------------------------------------------------------------------------------
 1 | Param(
 2 |    [Parameter(Mandatory=$False)]
 3 |    [String] $Remote =""
 4 | )
 5 | $ComputerName="LocalHost"
 6 | If($Remote -ne ""){$ComputerName = $Remote}
 7 | $global:imagenames = @()
 8 | $Events = Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -ComputerName $ComputerName|Where-Object { ( $_.id -eq 1)}
 9 | ForEach($event in $Events){
10 |     $eventxmldata = [xml]$event.toxml()
11 |     $EventData = $eventxmldata.Event.EventData.Data
12 |     $Image =$EventData | where {$_.name -eq "Image"}
13 |     $global:imagenames += $Image."#text"
14 |     }
15 | $global:imagenames|group|sort-object -property count,Name|Format-Table -Property count,name -AutoSize| Ft -autosize | out-string -width 4096 
16 | 


--------------------------------------------------------------------------------
/ExecTimeQuery.ps1:
--------------------------------------------------------------------------------
 1 | Param(
 2 |    [Parameter(Mandatory=$False)]
 3 |    [String] $Remote ="",
 4 |    [Parameter(Mandatory=$True)]
 5 |    [String] $query ="",
 6 |    [Parameter(Mandatory=$False)]
 7 |    [Switch] $exact = $False
 8 | )
 9 | $ComputerName="LocalHost"
10 | If($Remote -ne ""){$ComputerName = $Remote}
11 | If($exact){
12 |     $events = Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -FilterXPath 'Event[System[EventID=1] and EventData[Data[@Name="Image"]="4"]]'
13 |     ForEach($event in $events){$event.TimeCreated}
14 |     }
15 |     Else{
16 | 
17 |         $events = get-winevent -LogName microsoft-windows-sysmon/operational -ComputerName $ComputerName|Where-Object { ( $_.id -eq 1)}
18 |         ForEach($event in $events){
19 |             $image = $event |% {(([xml]$_.toxml()).Event.EventData.Data | ? {$_.name -eq "Image" })."#text"}
20 |             if($image -match $query){Write-host ($event.TimeCreated.ToString() + "`t" + $image)}
21 |         }
22 | }


--------------------------------------------------------------------------------
/ProcessMapperLive.ps1:
--------------------------------------------------------------------------------
 1 | [CmdletBinding(PositionalBinding=$false)]             
 2 | Param(
 3 |    [Parameter(Mandatory=$False)]
 4 |    [String] $Remote =""
 5 | )
 6 | 
 7 | $global:outputlines = @()
 8 | $outfile = "liveprocessmap.html"
 9 | $ComputerName="LocalHost"
10 | 
11 | $Header = "
12 | <html>
13 | <head>
14 | <script type='text/javascript' src='https://www.google.com/jsapi'></script>
15 | <script type='text/javascript'>
16 | google.load('visualization', '1', {packages:['orgchart']});
17 | google.setOnLoadCallback(drawChart);
18 | function drawChart() {
19 | var data = new google.visualization.DataTable();
20 | data.addColumn('string', 'ProcessID');
21 | data.addColumn('string', 'Label');
22 | data.addColumn('string', 'ToolTip');
23 | data.addRows([
24 | " 
25 | $Header| Out-File $outfile
26 | If($Remote=""){$ComputerName = $Remote}
27 | $RunningProcesses = Get-WmiObject win32_process -ComputerName $ComputerName| select ProcessID,ParentProcessID,name,commandline 
28 | ForEach($RunningProcess in $RunningProcesses){
29 |     $processID = $RunningProcess.ProcessID
30 |     $parentprocessID = $RunningProcess.ParentProcessID
31 |     $processname = $RunningProcess.Name
32 |     $commandline = $RunningProcess.CommandLine -replace "`'",""
33 |     $commandline = $commandline -replace '"',""
34 |     $OutLine = "[{v:'" + $processID + "', f:'" + $processID + "<div>" + $processname  + "</div>'},'" + $ParentProcessID + "','" + $commandline +"']"
35 |           $OutLine = $Outline -replace '\\','\\'
36 |                 $global:outputlines+=$Outline
37 | 
38 | }
39 | ForEach($line in $global:outputlines){
40 |     If($global:outputlines.IndexOf($line) -eq $global:outputlines.GetUpperBound(0)){ $comma = " " } Else { $comma = ","}
41 |     $line + $comma | Add-Content $outfile 
42 |     }
43 | $footer = "]);
44 |  var chart = new google.visualization.OrgChart(document.getElementById('chart_div'));
45 |         chart.draw(data, {allowHtml:true,allowCollapse:true});
46 |       }
47 |     </script>
48 |   </head>
49 |   <body>
50 |     <div id=`'chart_div`'></div>
51 |   </body>
52 | </html>
53 | "
54 | $footer| Add-Content $outfile


--------------------------------------------------------------------------------
/ProcessMapper.ps1:
--------------------------------------------------------------------------------
 1 | #Parse Windows Security Logs for 4688 events
 2 | #Map processes to parent processes
 3 | 
 4 | [CmdletBinding(PositionalBinding=$false)]             
 5 | Param(
 6 |    [Parameter(Mandatory=$True)]
 7 |    [datetime]$StartDate,
 8 |    [Parameter(Mandatory=$True)]
 9 |    [datetime]$StopDate
10 | )
11 | 
12 | 
13 | $global:outputlines = @()
14 | 
15 | $outfile = "processmap.html"
16 | 
17 | $Header = "
18 | <html>
19 | <head>
20 | <script type='text/javascript' src='https://www.google.com/jsapi'></script>
21 | <script type='text/javascript'>
22 | google.load('visualization', '1', {packages:['orgchart']});
23 | google.setOnLoadCallback(drawChart);
24 | function drawChart() {
25 | var data = new google.visualization.DataTable();
26 | data.addColumn('string', 'ProcessID');
27 | data.addColumn('string', 'Label');
28 | data.addColumn('string', 'ToolTip');
29 | data.addRows([
30 | " 
31 | $Header| Out-File $outfile
32 | 
33 | $events = Get-WinEvent -FilterHashtable @{Logname='Security';Id=4688}|Where-Object { ( $_.TimeCreated -gt $StartDate -and $_.TimeCreated -le $StopDate)}|Sort-Object TimeCreated 
34 | ForEach($event in $events){
35 |     $eventxmldata = [xml]$event.toxml()
36 |     $EventData = $eventxmldata.Event.EventData.Data
37 |     $SubjectUserSid = $EventData | where {$_.name -eq "SubjectUserSid"}
38 |     $SubjectDomainName = $EventData | where {$_.name -eq "SubjectDomainName"}
39 |     $SubjectLogonId = $EventData | where {$_.name -eq "SubjectLogonId"}
40 |     $NewProcessId = $EventData | where {$_.name -eq "NewProcessId"}
41 |     $NewProcessName = $EventData | where {$_.name -eq "NewProcessName"}
42 |     $TokenElevationType = $EventData | where {$_.name -eq "TokenElevationType"}
43 |     $ProcessId = $EventData | where {$_.name -eq "ProcessId"}
44 |     $CommandLine = $EventData | where {$_.name -eq "CommandLine"}
45 |     $PIDNUM =[Convert]::ToInt32($NewProcessId.InnerText.Substring(2), 16)
46 |     $PPIDNUM =[Convert]::ToInt32($ProcessId.InnerText.Substring(2), 16)
47 |     $OutLine = "[{v:'" + $PIDNUM + "', f:'" + $PIDNUM + "<div>" + $event.TimeCreated + "<br>" + $NewProcessName."#text" + "</div>'},'" + $PPIDNUM + "', '']"
48 |     $OutLine = $Outline -replace '\\','\\'
49 |     $global:outputlines += $Outline
50 | }
51 | ForEach($line in $global:outputlines){
52 |     If($global:outputlines.IndexOf($line) -eq $global:outputlines.GetUpperBound(0)){ $comma = " " } Else { $comma = ","}
53 |     $line + $comma | Add-Content $outfile 
54 |     }
55 | $footer = "]);
56 |  var chart = new google.visualization.OrgChart(document.getElementById('chart_div'));
57 |         chart.draw(data, {allowHtml:true,allowCollapse:true});
58 |       }
59 |     </script>
60 |   </head>
61 | 
62 |   <body>
63 |     <div id='chart_div'></div>
64 |   </body>
65 | </html>
66 | "
67 | $footer| Add-Content $outfile
68 | 


--------------------------------------------------------------------------------
/SysmonMapper1.1.ps1:
--------------------------------------------------------------------------------
  1 | 
  2 | # Type 1
  3 | # 0 - UtcTime
  4 | # 1 - ProcessGuid
  5 | # 2 - ProcessId
  6 | # 3 - Image
  7 | # 4 - CommandLine
  8 | # 5 - User
  9 | # 6 - LogonId
 10 | # 7 - TerminalSessionId
 11 | # 8 - IntegrityLevel
 12 | # 9 - HashType
 13 | # 10 - Hash
 14 | # 11 - ParentProcessGuid
 15 | # 12 - ParentProcessId
 16 | # 13 - ParentImage
 17 | # 14 - ParentCommandLine
 18 | 
 19 | #Type2
 20 | # 0 - UtcTime
 21 | # 1 - ProcessGuid
 22 | # 2 - ProcessId
 23 | # 3 - Image
 24 | # 4 - TargetFilename
 25 | # 5 - CreationUtcTime
 26 | # 6 - PreviousCreationUtcTime
 27 | 
 28 | #Type3
 29 | # 0 - UtcTime
 30 | # 1 - ProcessGuid
 31 | # 2 - ProcessId
 32 | # 3 - Image
 33 | # 4 - User
 34 | # 5 - Protocol
 35 | # 6 - SourceIsIpv6
 36 | # 7 - SourceIp
 37 | # 8 - SourceHostname
 38 | # 9 - SourcePort
 39 | # 10 - SourcePortName
 40 | # 11 - DestinationIsIpv6
 41 | # 12 - DestinationIp
 42 | # 13 - DestinationHostname
 43 | # 14 - DestinationPort
 44 | # 15 - DestinationPortName
 45 | 
 46 | 
 47 | 
 48 | [CmdletBinding(PositionalBinding=$false)]             
 49 | Param(
 50 |    [Parameter(Mandatory=$False)]
 51 |    [String] $Remote ="",
 52 |    [Parameter(Mandatory=$False)]
 53 |    [Switch] $FA = $false, #File Access
 54 |    [Parameter(Mandatory=$False)]
 55 |    [Switch] $NA = $false, #Network Access
 56 |    [Parameter(Mandatory=$False)]
 57 |    [Int] $P = 0,
 58 |    [Parameter(Mandatory=$True)]
 59 |    [datetime]$StartDate,
 60 |    [Parameter(Mandatory=$True)]
 61 |    [datetime]$StopDate
 62 | )
 63 | $ComputerName="LocalHost"
 64 | If($Remote -ne ""){$ComputerName = $Remote}
 65 | $global:outputlines = @()
 66 | $outfile = "sysmonmap.html"
 67 | 
 68 | $Header = "
 69 | <html>
 70 | <head>
 71 | <script type='text/javascript' src='https://www.google.com/jsapi'></script>
 72 | <script type='text/javascript'>
 73 | google.load('visualization', '1', {packages:['orgchart']});
 74 | google.setOnLoadCallback(drawChart);
 75 | function drawChart() {
 76 | var data = new google.visualization.DataTable();
 77 | data.addColumn('string', 'ProcessID');
 78 | data.addColumn('string', 'Label');
 79 | data.addColumn('string', 'ToolTip');
 80 | data.addRows([
 81 | " 
 82 | $Header| Out-File $outfile
 83 | 
 84 | If($P -ne ""){
 85 |     $events = Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -ComputerName $ComputerName
 86 |     $ParentProcessEvents = $events|Where-Object { ($_.TimeCreated -le $StopDate -and $_.id -eq 1)}|Sort-Object TimeCreated -Descending
 87 |     Function GetParentProcessPath{
 88 |     Param($PidPie)
 89 |         ForEach($event in $ParentProcessEvents){
 90 |             $eventxmldata = [xml]$event.toxml()
 91 |             $EventData = $eventxmldata.Event.EventData.Data
 92 |             $UtcTime = $EventData | where {$_.name -eq "UtcTime"}
 93 |             $ProcessId = $EventData | where {$_.name -eq "ProcessId"}
 94 |             $Image = $EventData | where {$_.name -eq "Image"}
 95 |             $ParentProcessId = $EventData | where {$_.name -eq "ParentProcessId"}
 96 |             If($ProcessId."#Text" -eq $PidPie.ToString()){
 97 |                 $ToolTip = @()
 98 |                 ForEach($eventdataprop in $EventData){
 99 |                     $PropValueClean = $eventdataprop."#text" -replace '"' -replace "`'"
100 |                     $ToolTip+="`'" + $eventdataprop.name + " : " + $PropValueClean + "`'"
101 |                 }
102 |                 $ToolTipString = $ToolTip -join ","
103 |                 $OutLine = "[{v:'" + $ProcessId."#text" + "', f:'" + $ProcessId."#text" + "<div>" + $UtcTime."#text" + "<br>" + $Image."#text" + "</div>'},'" + $ParentProcessId."#text" + "', tooltip(" + $ToolTipString +")]"
104 |                 $OutLine = $Outline -replace '\\','\\'
105 |                 $global:outputlines+=$Outline
106 |                 Return $ParentProcessId."#Text"}
107 |             }
108 |      }
109 |      $YaPPID = GetParentProcessPath($P)
110 |      While($YaPPID -ne 4){
111 |         $YaPPID = GetParentProcessPath($YaPPID)
112 |         }
113 |      $ChildProcessEvents = $events|Where-Object { ($_.TimeCreated -le $StopDate -and $_.TimeCreated -ge $StartDate)}|Sort-Object TimeCreated
114 |      
115 |      Function GetChildProcessEvents{
116 |         Param($PidPie)
117 |         ForEach($event in $ChildProcessEvents){
118 |             $eventxmldata = [xml]$event.toxml()
119 |             $EventData = $eventxmldata.Event.EventData.Data
120 |             $ToolTip = @()
121 |             ForEach($eventdataprop in $EventData){
122 |                 $PropValueClean = $eventdataprop."#text" -replace '"' -replace "`'"
123 |                 $ToolTip+="`'" + $eventdataprop.name + " : " + $PropValueClean + "`'"
124 |             }
125 |             $ToolTipString = $ToolTip -join ","
126 |             switch($event.id){
127 |                 1 {
128 |                     $UtcTime = $EventData | where {$_.name -eq "UtcTime"}
129 |                     $ProcessId = $EventData | where {$_.name -eq "ProcessId"}
130 |                     $Image = $EventData | where {$_.name -eq "Image"}
131 |                     $ParentProcessId = $EventData | where {$_.name -eq "ParentProcessId"}
132 |                     If($ParentProcessId."#Text" -eq $PidPie.ToString()){
133 |                     $OutLine = "[{v:'" + $ProcessId."#text" + "', f:'" + $ProcessId."#text" + "<div>" + $UtcTime."#text" + "<br>" + $Image."#text" + "</div>'},'" + $ParentProcessId."#text" + "', tooltip(" + $ToolTipString +")]"
134 |                     $OutLine = $Outline -replace '\\','\\'
135 |                     $global:outputlines+=$Outline
136 |                     }
137 |                 }
138 |                 2 {
139 |                     If($FA){
140 |                         $UtcTime = $EventData | where {$_.name -eq "UtcTime"}
141 |                         $ProcessId = $EventData | where {$_.name -eq "ProcessId"}
142 |                         $Image = $EventData | where {$_.name -eq "Image"}
143 |                         $TargetFileName = $EventData | where {$_.name -eq "TargetFileName"}
144 |                         $CreationUtcTime = $EventData | where {$_.name -eq "CreationUtcTime"}
145 |                         $PreviousCreationUtcTime = $EventData | where {$_.name -eq "PreviousCreationUtcTime"}
146 |                         If($ProcessId."#text"=$PidPie.ToString()){
147 |                             $OutLine = "[{v:'" + $TargetFileName."#text" + "', f:'" + $CreationUtcTime."#text" + "<div style="+ [char]34  + "background-color: blue; color:white"+ [char]34 + ">" + $TargetFileName."#text" + "</div>'},'" + $ProcessId."#text" + "', tooltip(" + $ToolTipString +")]"
148 |                             $OutLine = $Outline -replace '\\','\\'
149 |                             $global:outputlines+=$Outline
150 |                         }
151 |                     }              
152 |                 }     
153 |                 3 {
154 |                     If($NA){
155 |                         $UtcTime = $EventData | where {$_.name -eq "UtcTime"}
156 |                         $ProcessId = $EventData | where {$_.name -eq "ProcessId"}
157 |                         $DestinationIp = $EventData | where {$_.name -eq "DestinationIP"}
158 |                         $DestinationHostname = $EventData | where {$_.name -eq "DestinationHostname"}
159 |                         $DestinationPort = $EventData | where {$_.name -eq "DestinationPort"}
160 |                         $rand = Get-Random
161 |                         If($ProcessId."#text"=$PidPie.ToString()){
162 |                             $OutLine = "[{v:'" + $rand + $rand + "', f:'<div style="+ [char]34  + "background-color: green; color:white"+ [char]34 + "><div>" + $DestinationHostname."#text" + "</div><div>DST: " + $DestinationIp."#text" + ":" + $DestinationPort."#text" + "</div></div>'},'" + $ProcessId."#text" + "', tooltip(" + $ToolTipString +")]"
163 |                             $OutLine = $Outline -replace '\\','\\'
164 |                             $global:outputlines+=$Outline
165 |                         }
166 |                     }
167 |                 }
168 |                 
169 | 			}
170 | 		}
171 | 	}        
172 |     GetChildProcessEvents($P)
173 | } 
174 | else {
175 | 
176 |     $events = Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational  -ComputerName $ComputerName |Where-Object { ( $_.TimeCreated -gt $StartDate -and $_.TimeCreated -le $StopDate)}|Sort-Object TimeCreated
177 |     ForEach($event in $events){
178 |         $eventxmldata = [xml]$event.toxml()
179 |         $EventData = $eventxmldata.Event.EventData.Data
180 |         $ToolTip = @()
181 |         ForEach($eventdataprop in $EventData){
182 |             $PropValueClean = $eventdataprop."#text" -replace '"' -replace "`'"
183 |             $ToolTip+="`'" + $eventdataprop.name + " : " + $PropValueClean + "`'"
184 |             }
185 |         $ToolTipString = $ToolTip -join ","
186 |         switch($event.id)
187 |             {
188 |                 1 {
189 |                     $UtcTime = $EventData | where {$_.name -eq "UtcTime"}
190 |                     $ProcessId = $EventData | where {$_.name -eq "ProcessId"}
191 |                     $Image = $EventData | where {$_.name -eq "Image"}
192 |                     $ParentProcessId = $EventData | where {$_.name -eq "ParentProcessId"}
193 |                     $OutLine = "[{v:'" + $ProcessId."#text" + "', f:'" + $ProcessId."#text" + "<div>" + $UtcTime."#text" + "<br>" + $Image."#text" + "</div>'},'" + $ParentProcessId."#text" + "', tooltip(" + $ToolTipString +")]"
194 |                     $OutLine = $Outline -replace '\\','\\'
195 |                     $global:outputlines+=$Outline
196 |                     }
197 | 
198 |                    2 {
199 |                         If($FA){
200 |                             $UtcTime = $EventData | where {$_.name -eq "UtcTime"}
201 |                             $ProcessId = $EventData | where {$_.name -eq "ProcessId"}
202 |                             $Image = $EventData | where {$_.name -eq "Image"}
203 |                             $TargetFileName = $EventData | where {$_.name -eq "TargetFileName"}
204 |                             $CreationUtcTime = $EventData | where {$_.name -eq "CreationUtcTime"}
205 |                             $PreviousCreationUtcTime = $EventData | where {$_.name -eq "PreviousCreationUtcTime"}
206 |                             $OutLine = "[{v:'" + $TargetFileName."#text" + "', f:'" + $CreationUtcTime."#text" + "<div style="+ [char]34  + "background-color: blue; color:white"+ [char]34 + ">" + $TargetFileName."#text" + "</div>'},'" + $ProcessId."#text" + "', tooltip(" + $ToolTipString +")]"
207 |                             $OutLine = $Outline -replace '\\','\\'
208 |                             $global:outputlines+=$Outline
209 |                         }
210 |                     }
211 |                    3 {
212 |                         If($NA){ 
213 |                             $UtcTime = $EventData | where {$_.name -eq "UtcTime"}
214 |                             $ProcessId = $EventData | where {$_.name -eq "ProcessId"}
215 |                             $DestinationIp = $EventData | where {$_.name -eq "DestinationIP"}
216 |                             $DestinationHostname = $EventData | where {$_.name -eq "DestinationHostname"}
217 |                             $DestinationPort = $EventData | where {$_.name -eq "DestinationPort"}
218 |                             $rand = Get-Random
219 |                             $OutLine = "[{v:'" + $rand + $rand + "', f:'<div style="+ [char]34  + "background-color: green; color:white"+ [char]34 + "><div>" + $DestinationHostname."#text" + "</div><div>DST: " + $DestinationIp."#text" + ":" + $DestinationPort."#text" + "</div></div>'},'" + $ProcessId."#text" + "', tooltip(" + $ToolTipString +")]"
220 |                             $OutLine = $Outline -replace '\\','\\'
221 |                             $global:outputlines+=$Outline
222 |                         }
223 |                     }
224 |                 }
225 |             }
226 |     }
227 | ForEach($line in $global:outputlines){
228 |     If($global:outputlines.IndexOf($line) -eq $global:outputlines.GetUpperBound(0)){ $comma = " " } Else { $comma = ","}
229 |     $line + $comma | Add-Content $outfile 
230 |     }
231 | $footer = "]);
232 |  var chart = new google.visualization.OrgChart(document.getElementById('chart_div'));
233 |         chart.draw(data, {allowHtml:true,allowCollapse:true});
234 |       }
235 |     var options = {
236 |       // This line makes the entire category's tooltip active.
237 |     focusTarget: 'category',
238 |     // Use an HTML tooltip.
239 |     tooltip: { isHtml: true }
240 |     }
241 |     function tooltip() {
242 |     var thing =`"`";
243 |     for (var i = 0, j = arguments.length; i < j; i++){
244 |         thing = thing + `'\n`' + arguments[i];
245 |     }
246 |     return thing;
247 |     }
248 | 
249 |     </script>
250 |   </head>
251 | 
252 |   <body>
253 |     <div id=`'chart_div`'></div>
254 |   </body>
255 | </html>
256 | "
257 | $footer| Add-Content $outfile
258 | 


--------------------------------------------------------------------------------