Home / .NET / CLI

PowerShell Module for parsing logs generated by Sysinternals Sysmon for Linux

SysmonLinux.Util Description PowerShell Module for parsing logs generated by Sysinternals Sysmon for Linux. The module can parse one or more Syslog fi
Information
Category: .NET / CLI
Watchers: 1
Star: 25
Fork: 1
Last update: Oct 22, 2021
Resource links
https://github.com/darkoperator/SysmonLinux.Util

SysmonLinux.Util

Description

PowerShell Module for parsing logs generated by Sysinternals Sysmon for Linux. The module can parse one or more Syslog files from a Linux system and allow for the search of specific events that meet a given criteria. The module can be use also for aiding in the generation of filter rules based on the resulting objects of queries performed against the logs, greatly speeding the creation and tunning of Sysmon configuration files.

Install

The module is available from the PowerShell Gallery https://www.powershellgallery.com/packages/SysmonLinux.Util/ from PowerShell it can be installed using the Install-Module cmdlet.

Install-Module -Name SysmonLinux.Util -Force -Verbose

Functions

The module provides the following functions:

  • ConvertTo-SysmonRule
  • Get-SysmonLinuxConfigChange
  • Get-SysmonLinuxEvent
  • Get-SysmonLinuxFileCreate
  • Get-SysmonLinuxFileDelete
  • Get-SysmonLinuxNetworkConnect
  • Get-SysmonLinuxProcessCreate
  • Get-SysmonLinuxProcessTerminate
  • Get-SysmonLinuxRawAccess
  • Get-SysmonLinuxState

The module allows for a general search across one or multiple event types by filtering for common fields like:

  • ProcessGUID
  • ParentProcessGUID
  • Image
  • User

This is done using the Get-SysmonLinuxEvent function.

PS />Get-SysmonLinuxEvent -EventType Any -ProcessGuid "{de9527a5-6a3f-616f-a52f-d98154560000}"
    
    EventId           : 1
    Version           : 5
    EventType         : ProcessCreate
    Computer          : ubuntu
    EventRecordID     : 35705
    RuleName          : -
    UtcTime           : 2021-10-20 01:00:47.600
    ProcessGuid       : {de9527a5-6a3f-616f-a52f-d98154560000}
    ProcessId         : 2356
    Image             : /usr/sbin/dumpe2fs
    FileVersion       : -
    Description       : -
    Product           : -
    Company           : -
    OriginalFileName  : -
    CommandLine       : dumpe2fs -h /dev/sda5
    CurrentDirectory  : /
    User              : root
    LogonGuid         : {de9527a5-0000-0000-0000-000000000000}
    LogonId           : 0
    TerminalSessionId : 4294967295
    IntegrityLevel    : no level
    Hashes            : -
    ParentProcessGuid : {00000000-0000-0000-0000-000000000000}
    ParentProcessId   : 874
    ParentImage       : -
    ParentCommandLine : -
    ParentUser        : -
    
    EventId       : 9
    Version       : 2
    EventType     : RawAccessRead
    Computer      : ubuntu
    EventRecordID : 35706
    RuleName      : -
    UtcTime       : 2021-10-20 01:00:47.619
    ProcessGuid   : {de9527a5-6a3f-616f-a52f-d98154560000}
    ProcessId     : 2356
    Image         : /usr/sbin/dumpe2fs
    Device        : /dev/sda5
    User          : root
    
    EventId       : 5
    Version       : 3
    EventType     : ProcessTerminate
    Computer      : ubuntu
    EventRecordID : 35707
    RuleName      : -
    UtcTime       : 2021-10-20 01:00:47.620
    ProcessGuid   : {de9527a5-6a3f-616f-a52f-d98154560000}
    ProcessId     : 2356
    Image         : /usr/sbin/dumpe2fs
    User          : root

Log files can be specified via the pipeline and filtering for some fileds is possible by specifying one or more values, the use of * as a wildcard is also possible.

PS /> ls syslog* | Get-SysmonLinuxProcessCreate -Image */ping,*/whoami,*/id

        EventId           : 1
        Version           : 5
        EventType         : ProcessCreate
        Computer          : ubuntu
        EventRecordID     : 7468
        RuleName          : -
        UtcTime           : 2021-10-16 04:51:15.156
        ProcessGuid       : {de9527a5-5a43-616a-312b-c11c7a550000}
        ProcessId         : 8455
        Image             : /usr/bin/ping
        FileVersion       : -
        Description       : -
        Product           : -
        Company           : -
        OriginalFileName  : -
        CommandLine       : ping 8.8.8.8 -c 2
        CurrentDirectory  : /home/carlos/Desktop
        User              : carlos
        LogonGuid         : {de9527a5-0000-0000-e803-000001000000}
        LogonId           : 1000
        TerminalSessionId : 3
        IntegrityLevel    : no level
        Hashes            : -
        ParentProcessGuid : {de9527a5-5a43-616a-f537-ea5ba5550000}
        ParentProcessId   : 8454
        ParentImage       : /usr/bin/dash
        ParentCommandLine : /usr/bin/sh
        ParentUser        : carlos

Resulting objects can be further filtered using PowerShell and leveraging the Select-Object cmdlet they can be trimmed to only those fields of interest and later fed via the pipeline in to ConvertTo-SysmonRule to build compund rules for detections or for exclusion of known behaviour.

PS /home/carlos/Desktop> Get-SysmonLinuxRawAccess | select image,device -unique | ConvertTo-SysmonRule
<Rule groupRelation="and">
 <Image condition='is'>/usr/lib/systemd/systemd-logind</Image>
 <Device condition='is'>/dev/sda1</Device>
</Rule>
<Rule groupRelation="and">
 <Image condition='is'>/usr/lib/systemd/systemd-logind</Image>
 <Device condition='is'>/dev/sda</Device>
</Rule>
<Rule groupRelation="and">
 <Image condition='is'>/usr/sbin/dumpe2fs</Image>
 <Device condition='is'>/dev/sda5</Device>
</Rule>

v0.0.3(Mar 19, 2022)

  • Adds support for working with Gzip files created by logrotate
  • Fixed some of the regular expressions when filtering.

Contents

    Lt0 sysmon A B/S mode system monitor for Linux. You can remotely watch the usage of your system resources via web browser everywhere.
    berzniz realtime logging for now - https://logs.now.sh
    mattifestation Sysmon Tools for PowerShell
    Sysinternals Procmon is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows
    Sysinternals A Linux version of the ProcDump Sysinternals tool
    vector-sec AWS PowerShell Python Lambda, or PSPy for short, is a simple Python 2.7 AWS Lambda function designed to execute the PowerShell binary and marshal input/output to PowerShell.
    apex Send your AWS CloudWatch Logs to Apex Logs.
    ScarredMonk Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.
    jantari This PowerShell module lets you create very simple but clickable menus in the PowerShell console.
    EvotecIT PowerShell Generated Status Page
    Sysinternals The Linux port of the Sysinternals Sysmon tool.
    JackBister Logsuck is a program that makes it easier for you to deal with your logs.
    securesean Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon
    ironmansoftware PowerShell Explorer shows information about the PowerShell environment on your machine.
    lucky-luk3 Grafiki is a Django project about Sysmon and graphs, for the time being.
    microsoft Anything Sysmon related from the MSTIC R&D team
    palantir A lightweight platform monitoring tool for Java VMs
    nohwnd Script, ScriptBlock and module performance profiler for PowerShell 5, and PowerShell 7.
    mikebattista Integrate Linux commands into Windows with PowerShell and the Windows Subsystem for Linux (WSL).
    tomstryhn Powershell Module to help manage ADObject ownership in Active Directory
    attakercyebr I have logs fresh victims from this country [ US , DE , BR , AR , NL , MY , IL , CZ , CA , TR , ...etc ] Count : 2600 logs victims device
    Share this repo

    Related Repos


    CLI
    26
    grpc-curl is a command line tool for interacting with gRPC servers
    xoofx grpc-curl grpc-curl is a command line tool for interacting with gRPC servers. This tool is the .NET equivalent of the popular gRPCurl written in Golan
     
    CLI
    6
    This package helps you to make colorful console apps
    Ramin-Guliyev MakeUp Make your console app looks much more pretty 😉 * Introduction This package helps you to make colorful console apps with the best solution. Cur
     
    CLI
    279
    PowerShell Module for Docker
    Microsoft THIS MODULE HAS BEEN DEPRECATED Please note that due to low usage this module is no longer being actively maintained. It is recommended to use either
     
    CLI
    50
    How to spoof the command line when spawning a new process from C#.
    plackyhacker Command Line Spoofer An example of using C# to inject a meterpreter shell, whilst spoofing the command line. The command line is stored in the Process
     
    CLI
    3
    fakys really bad Powershell Northstar Server Watcher
    RomeoCantCode PSNorthstarWatcher faky's really bad Powershell Northstar Server Watcher. Use at own risk. It is very minimalistic and a dev would probably cry when h
     
    CLI
    5
    2D game framework for use with the Pode PowerShell web server
    Badgerati Pode.Game This is still a work in progress, until v1.0.0 expect possible breaking changes in some releases. 💝 A lot of my free time, evenings, and we
     
    CLI
    3
    This is for patching against Log4Shell in Windows via Powershell
    SkeletonMan03 Patch Against Log4Shell This is for patching against Log4Shell in Windows via Powershell What it does This searches your entire computer for jar files
     
    CLI
    8
    log4j PowerShell Checker
    crypt0jan CHAPTER8 - log4j PowerShell Checker CVE-2021-44228 Perform a scan of a single host (using Powershell) to see if it's vulnerable for the above-mentione
     
    CLI
    3
    Customize windows PowerShell using oh-my-posh module and make a simple, elegant and eye ca...
    aminbabu Customize Your Windows Terminal - Like A Pro No more default windows terminal! Let's customize our windows terminal like a pro using oh-my-posh a prom
     
    CLI
    66
    Load any Beacon Object File using Powershell!
    airbus-cert Invoke-Bof Load any Beacon Object File using Powershell! > $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/airbus-cert/Invoke-Bof/raw/main/tes
     
    CLI
    3
    PowerBruteLogon (Ported version of WinBruteLogon in pure PowerShell)
    DarkCoderSc PowerBruteLogon PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell Notice that this version is slower than WinBruteLogon but has
     
    CLI
    6
    Tools for naturally defining PowerShell dynamic parameters
    wethreetrees ✨ Dynamic ✨ Working with dynamic parameters in PowerShell has never been easy. The Dynamic module will change that forever. In the past, developers we
     
    CLI
    3
    turbinando o powershell
    nathanramorim oh-my-zsh no powershell Sabiam que tem jeito de personalizar o PowerShell similiar a quando utilizamos o oh-my-zsh? Eu nem sabia. Eu curto bastante um
     
    CLI
    3
    PowerShell Module for Advanced Registry Functionality
    jborean93 AdvReg Various cmdlets that expose more advanced functions of the Windows Registry. Documentation Documentation for this module and details on the cmd
     
    CLI
    10
    Demo to create abp module and convert it into microservice.
    antosubash Add a new Module and convert it to a microservice in ABP In this post we will see how to create a modular abp application and convert it to microservi