/sysmon

A collection of useful PowerShell tools to collect, organize, and visualize Sysmon event data

Primary LanguagePowerShell

Sysmon Visualizaton and Tools (work in progress)

A collection of useful PowerShell tools to collect, organize, and visualize Sysmon event data. There's more background of what we're tring to accomplish in this blog post:https://www.varonis.com/blog/sysmon-and-threat-detection-exploring-the-sysmon-log/

To get going with this, you'll need to:

  1. Download Doug Finke's powershell alogithms: https://github.com/dfinke/powershell-algorithms

  2. Install GraphViz and PSGraph:

    #install GraphViz from Chocately

    Find-Package graphviz | Install-Package -ForceBootstrap

    #install module PSGraph

    Find-Module PSGraph | Install-Module

    #import module PSGraph

    Import-Module PSGraph

  3. And finally install and import the delicious PSQuickGraph wrapper:

    Install-Module -Name PSQuickGraph

    Import-Module PSQuickGraph

Then download the Sysmon module and PS scripts

  1. import-module sysmon
  2. . .\threat-graph.ps1 # build $g
  3. .\threat-graph-vi.ps1 # visualize!
  4. Try out threat_search.ps1 and other scripts in repository (random-rater, ..)