<#
Meta
Date: 2022 March 28th
Updated: 2023 October 6th
Authors: Dray Agha (Twitter @purp1ew0lf), Dipo Rodipe (Twitter @dipotwb)
Company: Huntress Labs
Purpose: Automate setting up Sysmon and pulling Ippsec's Sysmon IoC streamliner. Great for a malware lab.
#>
################################################################################################################
# The section below contains the architecture detection code, kudos to Remko (twitter @RemkoWeijnen)
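$source = @"
using System;
using System.Runtime.InteropServices;

/// <summary>
/// Thin P/Invoke surface over kernel32's WOW64 machine-type queries. install_various uses it to pick the
/// Sysmon build that matches the native CPU architecture rather than the bitness of the PowerShell host.
/// The IMAGE_FILE_MACHINE_* values are the PE machine-type constants from winnt.h.
/// </summary>
public static class WinApi
{
    public const ushort IMAGE_FILE_MACHINE_UNKNOWN = 0;
    public const ushort IMAGE_FILE_MACHINE_TARGET_HOST = 0x0001; // Useful for indicating we want to interact with the host and not a WoW guest.
    public const ushort IMAGE_FILE_MACHINE_I386 = 0x014c; // Intel 386.
    public const ushort IMAGE_FILE_MACHINE_R3000 = 0x0162; // MIPS little-endian, = 0x160 big-endian
    public const ushort IMAGE_FILE_MACHINE_R4000 = 0x0166; // MIPS little-endian
    public const ushort IMAGE_FILE_MACHINE_R10000 = 0x0168; // MIPS little-endian
    public const ushort IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x0169; // MIPS little-endian WCE v2
    public const ushort IMAGE_FILE_MACHINE_ALPHA = 0x0184; // Alpha_AXP
    public const ushort IMAGE_FILE_MACHINE_SH3 = 0x01a2; // SH3 little-endian
    public const ushort IMAGE_FILE_MACHINE_SH3DSP = 0x01a3;
    public const ushort IMAGE_FILE_MACHINE_SH3E = 0x01a4; // SH3E little-endian
    public const ushort IMAGE_FILE_MACHINE_SH4 = 0x01a6; // SH4 little-endian
    public const ushort IMAGE_FILE_MACHINE_SH5 = 0x01a8; // SH5
    public const ushort IMAGE_FILE_MACHINE_ARM = 0x01c0; // ARM Little-Endian
    public const ushort IMAGE_FILE_MACHINE_THUMB = 0x01c2; // ARM Thumb/Thumb-2 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_ARMNT = 0x01c4; // ARM Thumb-2 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_AM33 = 0x01d3;
    public const ushort IMAGE_FILE_MACHINE_POWERPC = 0x01F0; // IBM PowerPC Little-Endian
    public const ushort IMAGE_FILE_MACHINE_POWERPCFP = 0x01f1;
    public const ushort IMAGE_FILE_MACHINE_IA64 = 0x0200; // Intel 64
    public const ushort IMAGE_FILE_MACHINE_MIPS16 = 0x0266; // MIPS
    public const ushort IMAGE_FILE_MACHINE_ALPHA64 = 0x0284; // ALPHA64
    public const ushort IMAGE_FILE_MACHINE_MIPSFPU = 0x0366; // MIPS
    public const ushort IMAGE_FILE_MACHINE_MIPSFPU16 = 0x0466; // MIPS
    public const ushort IMAGE_FILE_MACHINE_AXP64 = IMAGE_FILE_MACHINE_ALPHA64;
    public const ushort IMAGE_FILE_MACHINE_TRICORE = 0x0520; // Infineon
    public const ushort IMAGE_FILE_MACHINE_CEF = 0x0CEF;
    public const ushort IMAGE_FILE_MACHINE_EBC = 0x0EBC; // EFI Byte Code
    public const ushort IMAGE_FILE_MACHINE_AMD64 = 0x8664; // AMD64 (K8)
    public const ushort IMAGE_FILE_MACHINE_M32R = 0x9041; // M32R little-endian
    public const ushort IMAGE_FILE_MACHINE_ARM64 = 0xAA64; // ARM64 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_CEE = 0xC0EE;
    public const UInt32 S_OK = 0;

    /// <summary>
    /// Reports whether this host can run WOW64 guests of the given machine type. Not used by the script;
    /// kept so existing callers of the type keep compiling.
    /// </summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern UInt32 IsWow64GuestMachineSupported(ushort WowGuestMachine, out bool MachineIsSupported);

    /// <summary>
    /// Fills pProcessMachine with the WOW64 guest machine type (IMAGE_FILE_MACHINE_UNKNOWN when the process is
    /// not running under WOW64) and pNativeMachine with the host's native machine type. Documented as available
    /// from Windows 10 1511 / Server 2016; on older hosts the call throws EntryPointNotFoundException, so callers
    /// should be ready for pNativeMachine to stay at its initial value.
    /// </summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool IsWow64Process2(IntPtr hProcess, out ushort pProcessMachine, out ushort pNativeMachine);

    /// <summary>Returns the pseudo-handle for the current process; it does not need to be closed.</summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr GetCurrentProcess();
}
"@
# Add-Type cannot redefine a type that already exists in the session (re-running the script in the same
# console would error), so only compile the source when WinApi is not yet loaded.
if (-not ('WinApi' -as [type])) {
    Add-Type -TypeDefinition $source
}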
################################################################################################################
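function admin_check{
    <#
    .SYNOPSIS
    Refuses to continue unless the current session is elevated; otherwise hands off to install_various.
    .NOTES
    Sysmon installs a service and a kernel driver, so a non-elevated run would fail part-way with errors
    suppressed. A non-elevated run now ends the script with exit code 1; the original bare `Break` relied on
    break-outside-a-loop unwinding to stop the script, which is implicit and gives no exit status to callers.
    Produces no output of its own.
    #>
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) {
        Write-Warning "Insufficient permissions. Run this Powershell script as Admin please"
        exit 1
    }
    # if we're all good, let's fire it off
    Install_various
}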
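function install_various{
    <#
    .SYNOPSIS
    Downloads Sysmon and a community ruleset, installs the Sysmon build that matches the native CPU
    architecture, and fetches Ippsec's PowerSiem into Desktop\SysmonLab.
    .NOTES
    Expected to be called from admin_check (elevated). Errors are suppressed on purpose (best effort), so
    every download is checked with Test-Path before it is used, and the Sysmon binary's Authenticode
    signature is checked before it is allowed to install a kernel driver. Outputs nothing; problems are
    reported with Write-Warning. Side effects: files under the lab directory and the Sysmon service.
    #>
    #Ensure errors don't ruin anything for us
    $ErrorActionPreference = "SilentlyContinue"
    $progressPreference = 'silentlyContinue'
    # Windows PowerShell on older hosts negotiates TLS 1.0 by default and the download hosts reject it;
    # add TLS 1.2 without removing whatever is already enabled.
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    # Create and work from specific directory. $env:USERPROFILE rather than "C:\users\$env:USERNAME" so a
    # profile on another drive or a renamed profile folder still works; -Force makes re-runs idempotent.
    $labDir = Join-Path $env:USERPROFILE "Desktop\SysmonLab"
    New-Item $labDir -ItemType "directory" -Force | Out-Null
    Set-Location $labDir
    #Download sysmon stuff (Invoke-WebRequest spelled out: the wget alias does not exist in PowerShell 7)
    Invoke-WebRequest -UseBasicParsing https://download.sysinternals.com/files/Sysmon.zip -OutFile "Sysmon.zip"
    if (Test-Path "Sysmon.zip") {
        Expand-Archive "Sysmon.zip" -DestinationPath . -Force
    } else {
        Write-Warning "Sysmon.zip did not download (connectivity/proxy?); Sysmon will not be installed."
    }
    Invoke-WebRequest -UseBasicParsing https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml -OutFile "sysmonconfig.xml"
    #If you want to swap the sysmon ruleset from Florian's to another's swap the address above
    # SwiftOnSecurity's : https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
    # Olaf's : https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml
    # Sophos apparently have one but it seems dedicated to malware analysis : https://support.sophos.com/support/s/article/KB-000038882?language=en_US
    # The ruleset is fetched from the branch head, unlike PowerSiem below which is pinned to a commit, so the
    # rules can change between runs; pin it to a reviewed commit if every lab build must use the same rules.
    #install sysmon's stuff: choose by the *native* machine type, not by the PowerShell host's bitness
    $sysmonExe = $null
    [UInt16]$processMachine = 0
    [UInt16]$nativeMachine = 0
    try {
        # IsWow64Process2 is only exported on Windows 10 1511+ / Server 2016+; elsewhere the call throws and
        # $nativeMachine stays 0, which the original script silently treated as "install nothing".
        [void][WinApi]::IsWow64Process2([WinApi]::GetCurrentProcess(), [ref]$processMachine, [ref]$nativeMachine)
    } catch {
        $nativeMachine = 0
    }
    if ($nativeMachine -eq [WinApi]::IMAGE_FILE_MACHINE_UNKNOWN) {
        # Fallback: PROCESSOR_ARCHITEW6432 is only set when a 32-bit host runs on a 64-bit OS
        $arch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }
        if ($arch -eq 'AMD64') { $nativeMachine = [WinApi]::IMAGE_FILE_MACHINE_AMD64 }
        elseif ($arch -eq 'ARM64') { $nativeMachine = [WinApi]::IMAGE_FILE_MACHINE_ARM64 }
        elseif ($arch -eq 'x86') { $nativeMachine = [WinApi]::IMAGE_FILE_MACHINE_I386 }
    }
    if ($nativeMachine -eq [WinApi]::IMAGE_FILE_MACHINE_AMD64) { $sysmonExe = 'Sysmon64.exe' }
    elseif ($nativeMachine -eq [WinApi]::IMAGE_FILE_MACHINE_ARM64) { $sysmonExe = 'Sysmon64a.exe' }
    elseif ($nativeMachine -eq [WinApi]::IMAGE_FILE_MACHINE_I386) { $sysmonExe = 'Sysmon.exe' }   # 32-bit Windows uses the plain Sysmon.exe build
    if (-not $sysmonExe) {
        Write-Warning "Unrecognised native machine type $nativeMachine (PROCESSOR_ARCHITECTURE=$env:PROCESSOR_ARCHITECTURE); Sysmon not installed."
    } elseif (-not (Test-Path ".\$sysmonExe") -or -not (Test-Path ".\sysmonconfig.xml")) {
        Write-Warning "$sysmonExe or sysmonconfig.xml is missing from $labDir; Sysmon not installed."
    } else {
        # Sysmon loads a kernel driver: only run a binary whose Authenticode signature checks out, which is
        # exactly what a substituted or corrupted download would fail.
        $sig = Get-AuthenticodeSignature ".\$sysmonExe"
        if ($sig.Status -eq 'Valid') {
            & ".\$sysmonExe" -i sysmonconfig.xml -accepteula
        } else {
            Write-Warning "$sysmonExe signature status is '$($sig.Status)'; refusing to install it."
        }
    }
    #Ippsec's stuff (pinned to a specific commit, so what lands here is reviewable)
    Invoke-WebRequest -UseBasicParsing https://raw.githubusercontent.com/IppSec/PowerSiem/69a575e7dc55b6f91acd0094bd1afa5d251d347a/PowerSiem.ps1 -OutFile "PowerSiem.ps1"
    if (-not (Test-Path "PowerSiem.ps1")) {
        Write-Warning "PowerSiem.ps1 did not download."
    }
    #Clean up: the archive and EULA files always; the 32-bit Sysmon.exe too unless it is the build just installed
    $leftovers = @(".\sysmon.zip", ".\eula.lnk", ".\Eula.txt")
    if ($sysmonExe -ne 'Sysmon.exe') {
        $leftovers += ".\sysmon.exe"
    }
    Remove-Item $leftovers -ErrorAction SilentlyContinue
}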
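#Execute main function in silence
Admin_Check | Out-Null
#Message: say "not installed" explicitly instead of printing an empty status when no sysmon* service exists
$sysmonService = Get-Service sysmon* -ErrorAction SilentlyContinue | Select-Object -First 1
$sysmonState = if ($sysmonService) { $sysmonService.Status } else { 'not installed (no sysmon* service found)' }
Write-Host "`n`nSysmon is " -NoNewline; Write-Host $sysmonState -ForegroundColor Magenta
# Same location install_various writes to: the user's profile rather than an assumed C:\users\<name>
$powerSiemPath = Join-Path $env:USERPROFILE "Desktop\SysmonLab\PowerSiem.ps1"
Write-Host "`nRun " -NoNewline; Write-Host $powerSiemPath -ForegroundColor Magenta -NoNewline; Write-Host " and then detonate your malware to gather IoCs from Sysmon log`n"
exit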
Hey @Purp1eW0lf , I made a fork of this gist and added the ability to detect and run the correct sysmon executable for the right processor architecture (of ARM or amd64 for Windows 10/11). Would love to get this merged in some form if it suits?
https://gist.github.com/Wither-Bane/91edd6f66006cfaf9fd9cfa16e6acba7
Updated my friend