|
https://gist.github.com/psrdrgz/f87e73c4a89c4968f4ac67bf99267cc4
Sysmon is a SysInternals tool from Microsoft which allows logging of things the computer does to the Event Log. It includes things like file writes/creates/reads, network access, process start/stop, etc. You can find it in the Event Viewer under: Applications and Services\Microsoft\Windows\Sysmon\Operational Here are some powershell commands to parse out useful information: Get all Sysmon events, this will take a few minutes, do this before using further commands to filter the data: $Sysmon = Get-WinEvent -filterhashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=1} See all fields available: $sysmon[0] | fl * Display all process creations with time: $sysmon | %{"$(([datetime]$_.properties[0].value).ToLocalTime()) $($_.Properties[3].Value)"} Display all process creations with command line: $sysmon | %{"$(([datetime]$_.properties[0].value).ToLocalTime()) $($_.Properties[4].Value)"} Display a sorted list of all .exe files executed, one per file: $sysmon | %{$_.Properties[3].Value}| sort -Unique Save all Radia commands ran to a file on your desktop: $sysmon | where { $_.Properties[3].Value -match "\\Agent\\" } | %{"$(([datetime]$_.properties[0].value).ToLocalTime()) $($_.Properties[4].Value)"} > "$($ENV:USERPROFILE)\Desktop\Radia.txt" Find more examples here: http://909research.com/windows-log-hunting-with-powershell/ Keywords: Sysinternals, System Monitor, Mark Russinovich |