Sysmon for Linux PowerShell Module

This article has been indexed from Shell is Only the Beginning

Sysmon has been a great tool for enhancing logging on Windows for many years, allowing well-organized teams to cover many gaps in their logs and even improve their ability to detect all kinds of attacks. Microsoft released a version of Sysmon for Linux to provide the same type of value to those defending Linux systems. Events are written to syslog as single-line XML blobs that can be ingested and parsed by SIEM products. To aid with extracting the Sysmon-specific events from syslog I wrote the SysmonLinux.Util module. The module can parse one or more syslog files, including the GZip archives produced by LogRotate on a Linux system, and allows searching for specific events that meet a given criteria. The module can also be used to generate filter rules from the objects returned by queries against the logs, greatly speeding up the creation and tuning of Sysmon configuration files.
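To make the log layout concrete, here is an added PowerShell example (my own illustration, not code from the SysmonLinux.Util module) that does the three things the module is described as doing: reads a plain or LogRotate-gzipped syslog file, turns each single-line Sysmon XML blob into a PowerShell object, and emits a ProcessCreate filter fragment from the matching objects. The two log lines, the host name lab01 and the function names Read-SyslogFile, ConvertFrom-SysmonSyslogLine and ConvertTo-SysmonImageRule are all constructed for this example and are not part of the module.

```powershell
# Added example: parse Sysmon for Linux syslog lines and build a filter fragment.
# The log lines below are constructed for illustration, not captured data.
$sampleLines = @(
    'Oct  5 12:00:01 lab01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><TimeCreated SystemTime="2021-10-05T12:00:01.000000000Z"/><Computer>lab01</Computer></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-05 12:00:01.000</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/curl</Data><Data Name="CommandLine">curl -s http://example.invalid/</Data><Data Name="User">carlos</Data><Data Name="ParentImage">/bin/bash</Data></EventData></Event>',
    'Oct  5 12:00:02 lab01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>11</EventID><TimeCreated SystemTime="2021-10-05T12:00:02.000000000Z"/><Computer>lab01</Computer></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-05 12:00:02.000</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/curl</Data><Data Name="TargetFilename">/tmp/output.bin</Data><Data Name="User">carlos</Data></EventData></Event>',
    'Oct  5 12:00:03 lab01 sshd[900]: Accepted publickey for carlos from 10.0.0.5 port 50000'
)

function Read-SyslogFile {
    # Hypothetical helper: yields lines from a syslog file, decompressing LogRotate .gz archives.
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -like '*.gz') {
        $fs     = [System.IO.File]::OpenRead($Path)
        $gz     = [System.IO.Compression.GZipStream]::new($fs, [System.IO.Compression.CompressionMode]::Decompress)
        $reader = [System.IO.StreamReader]::new($gz)
        try { while ($null -ne ($line = $reader.ReadLine())) { $line } }
        finally { $reader.Dispose(); $gz.Dispose(); $fs.Dispose() }
    } else {
        Get-Content -Path $Path
    }
}

function ConvertFrom-SysmonSyslogLine {
    # Hypothetical helper: converts one syslog line carrying a Sysmon XML event into an object.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Non-Sysmon lines (sshd, cron, ...) carry no <Event> element and are skipped.
        $idx = $Line.IndexOf('<Event>')
        if ($idx -lt 0) { return }
        try { [xml]$doc = $Line.Substring($idx) }
        catch { Write-Warning "Skipping unparsable line: $($_.Exception.Message)"; return }

        $props = [ordered]@{
            EventID  = [int]$doc.Event.System.EventID
            Computer = $doc.Event.System.Computer
        }
        # Flatten every <Data Name="..."> element into a property named after its Name attribute.
        foreach ($d in $doc.Event.EventData.Data) {
            $props[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]$props
    }
}

function ConvertTo-SysmonImageRule {
    # Hypothetical helper: builds a <ProcessCreate> filter fragment from the Image field of each object.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Event,
        [ValidateSet('include', 'exclude')][string]$OnMatch = 'exclude'
    )
    begin { $rules = [System.Collections.Generic.List[string]]::new() }
    process {
        # Escape the path so characters such as & or < cannot break the rule XML.
        $img = [System.Security.SecurityElement]::Escape($Event.Image)
        $rules.Add("    <Image condition=""is"">$img</Image>")
    }
    end {
        @"
<ProcessCreate onmatch="$OnMatch">
$($rules -join "`n")
</ProcessCreate>
"@
    }
}

# Usage: parse the constructed lines (for a real file: Read-SyslogFile /var/log/syslog.1.gz | ConvertFrom-SysmonSyslogLine)
$events = $sampleLines | ConvertFrom-SysmonSyslogLine

# Query: process creations (Event ID 1) launched from /usr/bin
$events | Where-Object { $_.EventID -eq 1 -and $_.Image -like '/usr/bin/*' } |
    Format-Table EventID, UtcTime, User, Image, CommandLine -AutoSize

# Turn the matching objects into an exclusion fragment for a Sysmon configuration file
$events | Where-Object EventID -eq 1 | ConvertTo-SysmonImageRule -OnMatch exclude
```

The fragment produced by ConvertTo-SysmonImageRule is only the ProcessCreate element; it still has to be placed inside a RuleGroup under EventFiltering in a full Sysmon configuration. Using GetAttribute('Name') rather than the adapted Name property avoids any ambiguity with the XmlElement's own Name member, and escaping the image path keeps a hostile file name found in the logs from injecting extra rule elements.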

Install

The recommended method for installing the module is to install it from the PowerShell Gallery, https://www.powershellgallery.com/packages/SysmonLinux.Util. The command to install the module is:

Install-Module -Name SysmonLinux.Util -Force

The module source code can also be downloaded from GitHub: https://github.com/darkoperator/SysmonLinux.Util/

Exploring the Module

Once the module is installed we can take a look at the functions it makes available with the Get-Command cmdlet in PowerShell.

PS /home/carlos> Get-Command -Module sysmonlinux.util

CommandType     Name                              Version    Source
-----------     ----                              -------    ------
Function        ConvertTo-SysmonRule              0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxConfigChange       0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxEvent              0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxFileCreate         0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxFileDelete

[...]