Skip to content

stahler/Sysmon_PowerShell

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
README.md
README.md
 
 
Sysmon.pptx
Sysmon.pptx
 
 
Sysmon_Base.xml
Sysmon_Base.xml
 
 
sysmon.ps1
sysmon.ps1
 
 
sysmonconfig-export.xml
sysmonconfig-export.xml
 
 

Repository files navigation

Sysmon-PowerShell

This project demonstrates basic Sysmon usage, the various events associated with sysmon and how to invoke them.

Event ID Description
1 Process Creation
2 A process changed a file creation time
3 Network connection
4 Sysmon service state changed
5 Process terminated
6 Driver loaded
7 Image loaded
8 CreateRemoteThread
9 RawAccessRead
10 ProcessAccess
11 FileCreate
12 RegistryEvent (Object create and delete)
13 RegistryEvent (Value Set)
14 RegistryEvent (Key and Value Rename)
15 FileCreateStreamHash
16 Sysmon configuration change
17 PipeEvent (Pipe Created)
18 PipeEvent (Pipe Connected)
19 WmiEvent (WmiEventFilter activity detected)
20 WmiEvent (WmiEventConsumer activity detected)
21 WmiEvent (WmiEventConsumerToFilter activity detected)

PowerShell is used to walk through the various event invocations.

Relevent Links

About

Sysmon demo with PowerShell examples

Topics

powershell sysmon

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Languages