Analyzing sysmon events with graph

Hello colleagues, this is the example I promised in answer to this tweet. I used this sysmon config (https://github.com/SwiftOnSecurity/sysmon-config) to capture activities happening on my system. Unfortunately it did not capture a lot of network-related activity; perhaps I need to change it to extend the network-level filters. On the other hand it captured a lot of process-level activity, so in this example I'd like to try to graph process creation events.
So the first thing to do in this case is to create a graph object:

$g = New-Graph -Type BidirectionalGraph

Now we can fill the graph with data straight from the event log. It may take a few seconds until all events have been processed:

# Sysmon event ID 1 = process creation. In the Sysmon schema this post was
# written against, Properties[3] is Image and Properties[-2] is ParentImage;
# newer Sysmon versions prepend a RuleName field and shift the indexes, so
# check them against your own events before trusting the graph.
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | ? {$_.Id -eq 1} |
    % { if ($_.Properties[3]) {Add-Edge -From $_.Properties[-2].Value -To $_.Properties[3].Value -Graph $g}} |
    Out-Null

And then we just display the graph:

Show-GraphLayout -Graph $g

This is what the result looks like:
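The three steps above as one complete script, added here as an example and not part of the original post. It assumes the same module that provides New-Graph, Add-Edge and Show-GraphLayout, and the same Sysmon log name. Instead of relying on positional indexes it reads the event fields by name from the event XML (the helper Get-SysmonEventData is my own), so the parent-child edges stay correct when a newer Sysmon version inserts fields into event ID 1, and it tallies which parent images spawn the most children, which is the first thing a defender wants from such a graph.

```powershell
# Added example, not the original post's code. Assumes the PSQuickGraph-style
# cmdlets New-Graph / Add-Edge / Show-GraphLayout are available and that Sysmon
# writes to Microsoft-Windows-Sysmon/Operational.

# Helper (assumption, not part of the original): return the EventData fields of
# a Sysmon event as a hashtable keyed by field name. Looking fields up by name
# keeps the script working when Sysmon adds fields (e.g. RuleName) to event ID 1
# and shifts the positional indexes used in the post.
function Get-SysmonEventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

# Step 1: the graph object, exactly as in the post.
$g = New-Graph -Type BidirectionalGraph

# ParentImage -> number of process-creation events it produced.
$childCount = @{}

# Step 2: fill the graph. Filtering on Id in the FilterHashtable lets the event
# log do the filtering instead of pulling every Sysmon event into PowerShell.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
    ForEach-Object {
        $e = Get-SysmonEventData -Event $_
        # Skip events that lack either endpoint rather than adding a dangling edge.
        if (-not $e['ParentImage'] -or -not $e['Image']) { return }
        Add-Edge -From $e['ParentImage'] -To $e['Image'] -Graph $g | Out-Null
        $childCount[$e['ParentImage']] += 1
    }

# Parents with the largest fan-out are where triage usually starts: a browser,
# mail client or Office application near the top of this list deserves a look
# at which children it spawned.
$childCount.GetEnumerator() |
    Sort-Object Value -Descending |
    Select-Object -First 10 |
    Format-Table Name, Value -AutoSize

# Step 3: display the graph.
Show-GraphLayout -Graph $g
```

Reading the log needs the same rights the post's one-liner needs (administrative rights or membership in Event Log Readers); the -ErrorAction Stop makes a missing log or access failure stop the script instead of silently producing an empty graph.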
