Sysmon_Lab.ps1

<#
Meta
    Date: 2022 March 28th
    Updated: 2023 October 6th
    Authors: Dray Agha (Twitter @purp1ew0lf), Dipo Rodipe (Twitter @dipotwb)
    Company: Huntress Labs
    Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab. 
#>

################################################################################################################
#The section below contains the architecture detection code, kudos to Remko (twitter @RemkoWeijnen)

$source = @"
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.ComponentModel;

public static class WinApi
{
    public const ushort IMAGE_FILE_MACHINE_UNKNOWN = 0;
    public const ushort IMAGE_FILE_MACHINE_TARGET_HOST = 0x0001; // Useful for indicating we want to interact with the host and not a WoW guest.
    public const ushort IMAGE_FILE_MACHINE_I386 = 0x014c; // Intel 386.
    public const ushort IMAGE_FILE_MACHINE_R3000 = 0x0162; // MIPS little-endian, = 0x160 big-endian
    public const ushort IMAGE_FILE_MACHINE_R4000 = 0x0166; // MIPS little-endian
    public const ushort IMAGE_FILE_MACHINE_R10000 = 0x0168; // MIPS little-endian
    public const ushort IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x0169; // MIPS little-endian WCE v2
    public const ushort IMAGE_FILE_MACHINE_ALPHA = 0x0184; // Alpha_AXP
    public const ushort IMAGE_FILE_MACHINE_SH3 = 0x01a2; // SH3 little-endian
    public const ushort IMAGE_FILE_MACHINE_SH3DSP = 0x01a3;
    public const ushort IMAGE_FILE_MACHINE_SH3E = 0x01a4; // SH3E little-endian
    public const ushort IMAGE_FILE_MACHINE_SH4 = 0x01a6; // SH4 little-endian
    public const ushort IMAGE_FILE_MACHINE_SH5 = 0x01a8; // SH5
    public const ushort IMAGE_FILE_MACHINE_ARM = 0x01c0; // ARM Little-Endian
    public const ushort IMAGE_FILE_MACHINE_THUMB = 0x01c2; // ARM Thumb/Thumb-2 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_ARMNT = 0x01c4; // ARM Thumb-2 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_AM33 = 0x01d3;
    public const ushort IMAGE_FILE_MACHINE_POWERPC = 0x01F0; // IBM PowerPC Little-Endian
    public const ushort IMAGE_FILE_MACHINE_POWERPCFP = 0x01f1;
    public const ushort IMAGE_FILE_MACHINE_IA64 = 0x0200; // Intel 64
    public const ushort IMAGE_FILE_MACHINE_MIPS16 = 0x0266; // MIPS
    public const ushort IMAGE_FILE_MACHINE_ALPHA64 = 0x0284; // ALPHA64
    public const ushort IMAGE_FILE_MACHINE_MIPSFPU = 0x0366; // MIPS
    public const ushort IMAGE_FILE_MACHINE_MIPSFPU16 = 0x0466; // MIPS
    public const ushort IMAGE_FILE_MACHINE_AXP64 = IMAGE_FILE_MACHINE_ALPHA64;
    public const ushort IMAGE_FILE_MACHINE_TRICORE = 0x0520; // Infineon
    public const ushort IMAGE_FILE_MACHINE_CEF = 0x0CEF;
    public const ushort IMAGE_FILE_MACHINE_EBC = 0x0EBC; // EFI Byte Code
    public const ushort IMAGE_FILE_MACHINE_AMD64 = 0x8664; // AMD64 (K8)
    public const ushort IMAGE_FILE_MACHINE_M32R = 0x9041; // M32R little-endian
    public const ushort IMAGE_FILE_MACHINE_ARM64 = 0xAA64; // ARM64 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_CEE = 0xC0EE;

    public const UInt32 S_OK = 0;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern UInt32 IsWow64GuestMachineSupported(ushort WowGuestMachine, out bool MachineIsSupported);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool IsWow64Process2(IntPtr hProcess, out ushort pProcessMachine, out ushort pNativeMachine);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr GetCurrentProcess();

}
"@

Add-Type $source

################################################################################################################

function admin_check{
    if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
[Security.Principal.WindowsBuiltInRole] "Administrator")) {
        Write-Warning "Insufficient permissions. Run this Powershell script as Admin please"
        Break
    }
    # if we're all good, let's fire it off
    else {Install_various}
}

function install_various{

    #Ensure errors don't ruin anything for us
    $ErrorActionPreference = "SilentlyContinue"
    $progressPreference = 'silentlyContinue'

    # Create and work from specific directory
    new-item "C:\users\$env:USERNAME\Desktop\SysmonLab" -ItemType "directory"
    Set-Location "C:\users\$env:USERNAME\Desktop\SysmonLab"
    
    #Download sysmon stuff
    wget -UseBasicParsing https://download.sysinternals.com/files/Sysmon.zip -outfile "Sysmon.zip"
    Expand-archive "Sysmon.zip"  -DestinationPath .
    wget -UseBasicParsing https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml -outfile "sysmonconfig.xml"
    
    #If you want to swap the sysmon ruleset from Florian's to another's swap the address above
        # SwiftOnSecurity's : https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
        # Olaf's : https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml
        # Sophos apparently have one but it seems dedicated to malware analysis : https://support.sophos.com/support/s/article/KB-000038882?language=en_US
   
    #install sysmon's stuff
    
    [UInt16]$processMachine = 0;
    [UInt16]$nativeMachine = 0;
    [WinApi]::IsWow64Process2([WinApi]::GetCurrentProcess(), [ref]$processMachine, [ref]$nativeMachine);
    
    if ($nativeMachine -eq [WinApi]::IMAGE_FILE_MACHINE_AMD64) {
        .\Sysmon64.exe -i sysmonconfig.xml -accepteula
    }
    
    if ($nativeMachine -eq [WinApi]::IMAGE_FILE_MACHINE_ARM64) {
        .\Sysmon64a.exe -i sysmonconfig.xml -accepteula
    }
    #Ippsec's stuff
    wget -UseBasicParsing https://raw.githubusercontent.com/IppSec/PowerSiem/69a575e7dc55b6f91acd0094bd1afa5d251d347a/PowerSiem.ps1 -outfile "PowerSiem.ps1"

    #Clean up
    remove-item .\"sysmon.zip", .\"sysmon.exe", .\"eula.lnk", .\"Eula.txt"
}
#Execute main function in silence
Admin_Check | out-null

#Message
write-host "`n`nSysmon is " -nonewline; write-host (get-service sysmon*).status -ForegroundColor magenta
Write-host "`nRun " -nonewline; Write-Host "C:\users\$env:USERNAME\Desktop\SysmonLab\PowerSiem.ps1" -foregroundcolor Magenta -NoNewline; Write-host " and then detonate your malware to gather IoCs from Sysmon log`n"

exit

may I guess that this admin check may fail on localised windows installations? in german the group is called "Administratoren" ... maybe, maybe not.

may I guess that this admin check may fail on localised windows installations? in german the group is called "Administratoren" ... maybe, maybe not.

Probably will fail @MoppelMat, unfortunately my scripting skills are limited to English

You can use the requires keyword in your script to check that it is running as administrator:
#Requires -RunAsAdministrator

Hey @Purp1eW0lf , I made a fork of this gist and added the ability to detect and run the correct sysmon executable for the right processor architecture (of ARM or amd64 for Windows 10/11). Would love to get this merged in some form if it suits?

https://gist.github.com/Wither-Bane/91edd6f66006cfaf9fd9cfa16e6acba7

Hey @Purp1eW0lf , I made a fork of this gist and added the ability to detect and run the correct sysmon executable for the right processor architecture (of ARM or amd64 for Windows 10/11). Would love to get this merged in some form if it suits?

https://gist.github.com/Wither-Bane/91edd6f66006cfaf9fd9cfa16e6acba7

Updated my friend