Use PowerShell to analyze Sysmon events
Hello colleagues, this is the example I promised in answer to this tweet. I used this Sysmon config to capture activity on my system. Unfortunately it did not capture many network-related activities; perhaps I need to extend its network-level filters. On the other hand it captured a lot of process-level activity, so in this example I'd like to try to graph process creation events.
So the first thing to do in this case is create a graph object
$g = New-Graph -Type BidirectionalGraph
And now we can fill in the graph with data straight from the event log. Event ID 1 is process creation; filtering on it inside the query is much faster than piping every Sysmon event through Where-Object. It may still take a few seconds until all events are processed
# Properties[3] is Image and Properties[-2] is ParentImage in the Sysmon schema this
# was captured with; newer schemas add fields (RuleName, ParentUser) that shift these
# positions, so check the indices against your Sysmon version.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
    ForEach-Object {
        # an EventProperty object is always truthy, so test the .Value, not the property
        if ($_.Properties[3].Value -and $_.Properties[-2].Value) {
            Add-Edge -From $_.Properties[-2].Value -To $_.Properties[3].Value -Graph $g
        }
    } | Out-Null
And then we just display the graph
Show-GraphLayout -Graph $g
This is what it looks like
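The same pipeline as an added example that is not from the original post: it reads the EventData fields by name from the event XML instead of by position, so it keeps working when a Sysmon update shifts the Properties indices; it de-duplicates repeated parent/child pairs; and it can optionally keep one vertex per process instance instead of one per image path. It assumes that New-Graph, Add-Edge and Show-GraphLayout are the PSQuickGraph cmdlets (the post does not name the module), and it runs on a few constructed event records so it can be tried without Sysmon installed; the commented-out lines at the end show how to feed it from the live log.

```powershell
# Added example, not the post's own code. Assumes New-Graph / Add-Edge /
# Show-GraphLayout are the PSQuickGraph cmdlets (Import-Module PSQuickGraph).

function ConvertFrom-SysmonEventData {
    # Read every <Data Name="..."> element of one Sysmon event into a hashtable
    # keyed by field name, so no positional Properties[n] indices are needed.
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    $fields = @{}
    foreach ($d in $x.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    $fields
}

function Add-SysmonProcessTree {
    # Adds one parent->child edge per process-creation event to $Graph.
    # Default: one vertex per image path (as in the post). -PerInstance: one vertex
    # per "name [pid]"; PIDs are reused over time, so ProcessGuid is the truly unique key.
    param(
        [Parameter(Mandatory)]$Graph,
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [switch]$PerInstance
    )
    begin { $seen = [System.Collections.Generic.HashSet[string]]::new(); $added = 0 }
    process {
        $f = ConvertFrom-SysmonEventData -EventXml $EventXml
        if (-not $f['Image'] -or -not $f['ParentImage']) { return }  # no usable endpoints
        if ($PerInstance) {
            $from = '{0} [{1}]' -f (Split-Path -Leaf $f['ParentImage']), $f['ParentProcessId']
            $to   = '{0} [{1}]' -f (Split-Path -Leaf $f['Image']),       $f['ProcessId']
        } else {
            $from = $f['ParentImage']
            $to   = $f['Image']
        }
        if ($seen.Add("$from -> $to")) {   # skip edges already in the graph
            Add-Edge -From $from -To $to -Graph $Graph | Out-Null
            $added++
        }
    }
    end { $added }   # number of distinct edges added
}

# Constructed sample records (not real captures) in the shape returned by
# (Get-WinEvent ...).ToXml(); only the fields used above are filled in.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="ProcessId">{3}</Data>
    <Data Name="Image">{2}</Data>
    <Data Name="ParentProcessId">{1}</Data>
    <Data Name="ParentImage">{0}</Data>
    <Data Name="ParentUser">DESKTOP\user</Data>
  </EventData>
</Event>
'@
$samples = @(
    @('C:\Windows\explorer.exe',     1234, 'C:\Windows\System32\cmd.exe',    5678),
    @('C:\Windows\System32\cmd.exe', 5678, 'C:\Windows\System32\whoami.exe', 5700),
    @('C:\Windows\System32\cmd.exe', 5678, 'C:\Windows\System32\whoami.exe', 5712),
    @('C:\Windows\explorer.exe',     1234, 'C:\Windows\System32\cmd.exe',    5900)
) | ForEach-Object { $template -f $_ }

$g = New-Graph -Type BidirectionalGraph
$n = $samples | Add-SysmonProcessTree -Graph $g
"$n distinct edges keyed by image path"

$g2 = New-Graph -Type BidirectionalGraph
$n2 = $samples | Add-SysmonProcessTree -Graph $g2 -PerInstance
"$n2 distinct edges keyed by process instance"
Show-GraphLayout -Graph $g2

# Against the live log (needs Sysmon and read access to the channel):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
#     ForEach-Object { $_.ToXml() } | Add-SysmonProcessTree -Graph $g -PerInstance
```

Keying vertices by image path, as the post does, keeps the picture small but merges every cmd.exe into one node, which hides which instance spawned what; -PerInstance keeps them apart at the cost of a busier layout, and on a long-running system you would switch the label to ProcessGuid to avoid PID reuse collisions.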