Showing posts with label sysmon. Show all posts

Friday, February 5, 2021

AppLocker Block vs Sysmon Process Create

This folder is AppLocker blocked.

So I copied notepad.exe into it, renamed it, then tried to execute it, and as you can see AppLocker blocked me.

But Sysmon and Windows both generated process creation events (Event ID 1 and 4688 respectively).
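The practical consequence of the observation above is that a Sysmon Event ID 1 (or a 4688) on its own does not tell you whether the binary actually ran. The script below is an added example, not code from the original post: it labels each process-create record as blocked or ran by looking for a matching AppLocker Event ID 8004 ("was prevented from running", written to the Microsoft-Windows-AppLocker/EXE and DLL log) within a few seconds of it. The event records in the block are constructed sample data with only the fields the function needs, and the match is done on file name only because AppLocker records paths with variables such as %OSDRIVE%; that simplification, the five-second window, and the UserData/RuleAndFileData element path in the commented live query are assumptions to check against real events on your own host.

```powershell
# Added example, not code from the original post.
# Label Sysmon Event ID 1 records as "Blocked by AppLocker" or "Ran" by joining
# them to AppLocker Event ID 8004 records that fall within a short time window.

function Get-ProcessCreateVerdict {
    param(
        [Parameter(Mandatory)] [object[]] $SysmonProcessCreate, # objects with TimeCreated, Image, CommandLine
        [Parameter(Mandatory)] [object[]] $AppLockerBlocked,    # objects with TimeCreated, FilePath
        [int] $WindowSeconds = 5                                # assumed maximum gap between the two events
    )

    # AppLocker writes paths such as %OSDRIVE%\BLOCKED\NP.EXE, so index the block
    # events by file name only, case-insensitively (a simplification).
    $blockedByName = @{}
    foreach ($b in $AppLockerBlocked) {
        $name = [IO.Path]::GetFileName($b.FilePath).ToLowerInvariant()
        if (-not $blockedByName.ContainsKey($name)) { $blockedByName[$name] = @() }
        $blockedByName[$name] += $b.TimeCreated
    }

    foreach ($e in $SysmonProcessCreate) {
        $name    = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $blocked = $false
        if ($blockedByName.ContainsKey($name)) {
            foreach ($t in $blockedByName[$name]) {
                if ([math]::Abs(($t - $e.TimeCreated).TotalSeconds) -le $WindowSeconds) {
                    $blocked = $true
                    break
                }
            }
        }
        $verdict = if ($blocked) { 'Blocked by AppLocker' } else { 'Ran' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Image       = $e.Image
            CommandLine = $e.CommandLine
            Verdict     = $verdict
        }
    }
}

# Constructed sample records: a renamed notepad.exe launched from a blocked
# folder (one Sysmon event, one AppLocker 8004 a second later) and an allowed
# PowerShell launch with no 8004 at all.
$sysmon = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2021-02-05 10:00:00'; Image = 'C:\Blocked\np.exe'; CommandLine = '"C:\Blocked\np.exe"' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-02-05 10:00:07'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe' }
)
$applocker = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2021-02-05 10:00:01'; FilePath = '%OSDRIVE%\BLOCKED\NP.EXE' }
)

Get-ProcessCreateVerdict -SysmonProcessCreate $sysmon -AppLockerBlocked $applocker | Format-Table -AutoSize

# Live data (Windows, elevated): map real events onto the same field names.
# The EventData parsing for Sysmon is standard; the UserData/RuleAndFileData
# path for 8004 is from memory of the AppLocker schema and should be verified.
# $sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{}
#         foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; Image = $d.Image; CommandLine = $d.CommandLine }
#     }
# $applocker = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; FilePath = $x.Event.UserData.RuleAndFileData.FilePath }
#     }
```

With the sample data the first row comes out as "Blocked by AppLocker" and the second as "Ran". In a real pipeline the join key should be tightened (8004 carries a TargetProcessId that can be matched against the Sysmon ProcessId), but even the file-name join is enough to stop a blocked launch from being counted as execution.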




Wednesday, April 22, 2020

Query Sysmon Logs using PowerShell Get-WinEvent

Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 1 } |
    Select-Object Message |
    ForEach-Object {
        # The Sysmon message body is a block of "Key: Value" lines
        $lines = $_.Message.Split([Environment]::NewLine)
        ""   # blank line between events in the output
        foreach ($line in $lines) {
            # split on the first colon only; command lines and paths contain colons too
            $parts = $line.Split(':', 2)
            $key   = $parts[0]
            $value = $parts[1]
            if ($key -eq "CommandLine" -or $key -eq "ParentCommandLine") {
                "{0}={1}" -f $key, $value
            }
        }
    }


Sample output:

CommandLine= sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-update-git-for-windows" --quiet --gui
ParentCommandLine= git.exe update-git-for-windows --quiet --gui

CommandLine= git.exe update-git-for-windows --quiet --gui
ParentCommandLine= cmd\git.exe update-git-for-windows --quiet --gui

CommandLine= cmd\git.exe update-git-for-windows --quiet --gui
ParentCommandLine= "C:\Program Files\Git\git-bash.exe" --hide --no-needs-console --command=cmd\git.exe update-git-for-windows --quiet --gui

CommandLine= "C:\Program Files\Git\git-bash.exe" --hide --no-needs-console --command=cmd\git.exe update-git-for-windows --quiet --gui
ParentCommandLine= C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule
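Splitting the Message text works, but the message is rendered from the provider's message table and can change wording and layout; the EventData section of the event XML is what the fields are actually stored in and is what log pipelines key on. The block below is an added example, not code from the original post: it parses a Sysmon Event ID 1 record from its XML and returns the fields by their Data Name attributes. The XML in the block is a constructed sample built from the command lines in the output above (the Image and ParentImage paths in it are assumed values), and the commented line shows how to feed it live events via ToXml().

```powershell
# Added example, not code from the original post.
# Parse one Sysmon event's XML into a flat object keyed by the <Data Name="..."> attributes.

function ConvertFrom-SysmonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $x = [xml]$EventXml
        # EventID is a bare element for Sysmon; Security events carry a Qualifiers
        # attribute, in which case PowerShell hands back an element instead of a string.
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
        $fields = [ordered]@{ EventId = [int]$id }
        foreach ($d in $x.Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'   # Name attribute -> element text
        }
        [pscustomobject]$fields
    }
}

# Constructed sample: a Sysmon Event ID 1 for the git.exe launch shown in the
# post's output. Image/ParentImage paths are assumed; command lines are the post's.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>1</EventID>
    <TimeCreated SystemTime="2020-04-22T14:00:00.000Z" />
  </System>
  <EventData>
    <Data Name="Image">C:\Program Files\Git\cmd\git.exe</Data>
    <Data Name="CommandLine">cmd\git.exe update-git-for-windows --quiet --gui</Data>
    <Data Name="ParentImage">C:\Program Files\Git\git-bash.exe</Data>
    <Data Name="ParentCommandLine">"C:\Program Files\Git\git-bash.exe" --hide --no-needs-console --command=cmd\git.exe update-git-for-windows --quiet --gui</Data>
  </EventData>
</Event>
'@

$sampleXml | ConvertFrom-SysmonEventXml | Select-Object EventId, CommandLine, ParentCommandLine | Format-List

# Live use (Windows, elevated): same function, fed by the event's own XML.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-SysmonEventXml |
#     Select-Object CommandLine, ParentCommandLine
```

Because the function keys on the Data Name attributes rather than on message text, the same call also exposes Image, ParentImage, Hashes, User and every other field Sysmon records for the event, without the leading space that the colon split leaves on each value.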