PowerShell Module for parsing logs generated by Sysinternals Sysmon for Linux
darkoperator/SysmonLinux.Util
SysmonLinux.Util

Description

PowerShell module for parsing logs generated by Sysinternals Sysmon for Linux. The module parses one or more syslog files from a Linux system and lets you search for the events that match given criteria. It can also be used to generate Sysmon filter rules from the objects returned by those queries, which greatly speeds up the creation and tuning of Sysmon configuration files.

Install

The module is available from the PowerShell Gallery (https://www.powershellgallery.com/packages/SysmonLinux.Util/) and can be installed from PowerShell with the Install-Module cmdlet.

Install-Module -Name SysmonLinux.Util -Force -Verbose

Functions

The module provides the following functions:

  • ConvertTo-SysmonRule
  • Get-SysmonLinuxConfigChange
  • Get-SysmonLinuxEvent
  • Get-SysmonLinuxFileCreate
  • Get-SysmonLinuxFileDelete
  • Get-SysmonLinuxNetworkConnect
  • Get-SysmonLinuxProcessCreate
  • Get-SysmonLinuxProcessTerminate
  • Get-SysmonLinuxRawAccess
  • Get-SysmonLinuxState

The module allows for a general search across one or multiple event types by filtering for common fields like:

  • ProcessGUID
  • ParentProcessGUID
  • Image
  • User

This is done using the Get-SysmonLinuxEvent function.

PS />Get-SysmonLinuxEvent -EventType Any -ProcessGuid "{de9527a5-6a3f-616f-a52f-d98154560000}"
    
    EventId           : 1
    Version           : 5
    EventType         : ProcessCreate
    Computer          : ubuntu
    EventRecordID     : 35705
    RuleName          : -
    UtcTime           : 2021-10-20 01:00:47.600
    ProcessGuid       : {de9527a5-6a3f-616f-a52f-d98154560000}
    ProcessId         : 2356
    Image             : /usr/sbin/dumpe2fs
    FileVersion       : -
    Description       : -
    Product           : -
    Company           : -
    OriginalFileName  : -
    CommandLine       : dumpe2fs -h /dev/sda5
    CurrentDirectory  : /
    User              : root
    LogonGuid         : {de9527a5-0000-0000-0000-000000000000}
    LogonId           : 0
    TerminalSessionId : 4294967295
    IntegrityLevel    : no level
    Hashes            : -
    ParentProcessGuid : {00000000-0000-0000-0000-000000000000}
    ParentProcessId   : 874
    ParentImage       : -
    ParentCommandLine : -
    ParentUser        : -
    
    EventId       : 9
    Version       : 2
    EventType     : RawAccessRead
    Computer      : ubuntu
    EventRecordID : 35706
    RuleName      : -
    UtcTime       : 2021-10-20 01:00:47.619
    ProcessGuid   : {de9527a5-6a3f-616f-a52f-d98154560000}
    ProcessId     : 2356
    Image         : /usr/sbin/dumpe2fs
    Device        : /dev/sda5
    User          : root
    
    EventId       : 5
    Version       : 3
    EventType     : ProcessTerminate
    Computer      : ubuntu
    EventRecordID : 35707
    RuleName      : -
    UtcTime       : 2021-10-20 01:00:47.620
    ProcessGuid   : {de9527a5-6a3f-616f-a52f-d98154560000}
    ProcessId     : 2356
    Image         : /usr/sbin/dumpe2fs
    User          : root

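The query above pivots on a single ProcessGuid. In an investigation the next question is usually "what did this process and everything it spawned do?", which means joining ProcessCreate events (ProcessGuid and ParentProcessGuid) with every other event type (ProcessGuid only). The function below does that walk over the objects the module returns. It is an added example, not part of SysmonLinux.Util; it assumes the objects carry the field names shown in the output above and that `Get-SysmonLinuxEvent -EventType Any` can be piped into it without a -ProcessGuid filter. The sample events are constructed here so the block runs offline.

```powershell
# Added example (not part of SysmonLinux.Util): return every event produced by a
# root process and all of its descendants, annotated with a Depth column.
function Get-SysmonProcessTreeEvent {
    [CmdletBinding()]
    param(
        # Objects in the module's output layout, e.g. from Get-SysmonLinuxEvent -EventType Any
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$Event,
        [Parameter(Mandatory)] [string]$RootProcessGuid
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.AddRange($Event) }
    end {
        # Sysmon emits an all-zero ParentProcessGuid when the parent was not captured
        # (see the dumpe2fs event above); those edges cannot be followed.
        $nullGuid = '{00000000-0000-0000-0000-000000000000}'

        # Build parent GUID -> child GUIDs only from ProcessCreate (EventId 1).
        $children = @{}
        foreach ($e in ($all | Where-Object EventId -eq 1)) {
            if ($e.ParentProcessGuid -eq $nullGuid) { continue }
            if (-not $children.ContainsKey($e.ParentProcessGuid)) {
                $children[$e.ParentProcessGuid] = [System.Collections.Generic.List[string]]::new()
            }
            $children[$e.ParentProcessGuid].Add($e.ProcessGuid)
        }

        # Breadth-first walk from the root; $depth doubles as the "seen" set so a
        # malformed log with a repeated GUID cannot loop forever.
        $depth = @{}
        $depth[$RootProcessGuid] = 0
        $queue = [System.Collections.Generic.Queue[string]]::new()
        $queue.Enqueue($RootProcessGuid)
        while ($queue.Count -gt 0) {
            $g = $queue.Dequeue()
            if (-not $children.ContainsKey($g)) { continue }
            foreach ($c in $children[$g]) {
                if (-not $depth.ContainsKey($c)) {
                    $depth[$c] = $depth[$g] + 1
                    $queue.Enqueue($c)
                }
            }
        }

        # Every event type carries ProcessGuid, so this picks up RawAccessRead,
        # ProcessTerminate, NetworkConnect, etc. for the whole subtree.
        # UtcTime is 'yyyy-MM-dd HH:mm:ss.fff', so a string sort is chronological.
        $all |
            Where-Object { $depth.ContainsKey($_.ProcessGuid) } |
            Sort-Object UtcTime |
            ForEach-Object {
                $_ | Add-Member -NotePropertyName Depth -NotePropertyValue $depth[$_.ProcessGuid] -PassThru -Force
            }
    }
}

# Constructed sample in the module's field layout (not real log data): a dash shell
# that runs ping and id, plus an unrelated root dumpe2fs with a RawAccessRead.
$shell = '{de9527a5-5a43-616a-f537-ea5ba5550000}'
$sample = @(
    [pscustomobject]@{ EventId = 1; EventType = 'ProcessCreate'; UtcTime = '2021-10-16 04:51:10.000'
        ProcessGuid = $shell; ParentProcessGuid = '{00000000-0000-0000-0000-000000000000}'
        Image = '/usr/bin/dash'; CommandLine = '/usr/bin/sh'; User = 'carlos' }
    [pscustomobject]@{ EventId = 1; EventType = 'ProcessCreate'; UtcTime = '2021-10-16 04:51:15.156'
        ProcessGuid = '{de9527a5-5a43-616a-312b-c11c7a550000}'; ParentProcessGuid = $shell
        Image = '/usr/bin/ping'; CommandLine = 'ping 8.8.8.8 -c 2'; User = 'carlos' }
    [pscustomobject]@{ EventId = 5; EventType = 'ProcessTerminate'; UtcTime = '2021-10-16 04:51:16.200'
        ProcessGuid = '{de9527a5-5a43-616a-312b-c11c7a550000}'; Image = '/usr/bin/ping'; User = 'carlos' }
    [pscustomobject]@{ EventId = 1; EventType = 'ProcessCreate'; UtcTime = '2021-10-16 04:51:20.000'
        ProcessGuid = '{de9527a5-5a4c-616a-9a11-0c0d0e0f0000}'; ParentProcessGuid = $shell
        Image = '/usr/bin/id'; CommandLine = 'id'; User = 'carlos' }
    [pscustomobject]@{ EventId = 1; EventType = 'ProcessCreate'; UtcTime = '2021-10-20 01:00:47.600'
        ProcessGuid = '{de9527a5-6a3f-616f-a52f-d98154560000}'; ParentProcessGuid = '{00000000-0000-0000-0000-000000000000}'
        Image = '/usr/sbin/dumpe2fs'; CommandLine = 'dumpe2fs -h /dev/sda5'; User = 'root' }
    [pscustomobject]@{ EventId = 9; EventType = 'RawAccessRead'; UtcTime = '2021-10-20 01:00:47.619'
        ProcessGuid = '{de9527a5-6a3f-616f-a52f-d98154560000}'; Image = '/usr/sbin/dumpe2fs'; Device = '/dev/sda5'; User = 'root' }
)

# Only the shell subtree (4 events) is returned; the dumpe2fs events are unrelated.
$sample | Get-SysmonProcessTreeEvent -RootProcessGuid $shell |
    Format-Table Depth, EventType, UtcTime, Image, CommandLine, Device -AutoSize
```

Against real logs the same function is fed from the module, for example `ls syslog* | Get-SysmonLinuxEvent -EventType Any | Get-SysmonProcessTreeEvent -RootProcessGuid $shell`. Because the walk is keyed on ProcessGuid rather than ProcessId, PID reuse across a long log does not mix unrelated processes into the tree.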
Log files can be passed in via the pipeline. Some fields can be filtered by specifying one or more values, and * can be used as a wildcard.

PS /> ls syslog* | Get-SysmonLinuxProcessCreate -Image */ping,*/whoami,*/id

        EventId           : 1
        Version           : 5
        EventType         : ProcessCreate
        Computer          : ubuntu
        EventRecordID     : 7468
        RuleName          : -
        UtcTime           : 2021-10-16 04:51:15.156
        ProcessGuid       : {de9527a5-5a43-616a-312b-c11c7a550000}
        ProcessId         : 8455
        Image             : /usr/bin/ping
        FileVersion       : -
        Description       : -
        Product           : -
        Company           : -
        OriginalFileName  : -
        CommandLine       : ping 8.8.8.8 -c 2
        CurrentDirectory  : /home/carlos/Desktop
        User              : carlos
        LogonGuid         : {de9527a5-0000-0000-e803-000001000000}
        LogonId           : 1000
        TerminalSessionId : 3
        IntegrityLevel    : no level
        Hashes            : -
        ParentProcessGuid : {de9527a5-5a43-616a-f537-ea5ba5550000}
        ParentProcessId   : 8454
        ParentImage       : /usr/bin/dash
        ParentCommandLine : /usr/bin/sh
        ParentUser        : carlos

The resulting objects can be filtered further with PowerShell. With Select-Object they can be trimmed to only the fields of interest and then piped into ConvertTo-SysmonRule to build compound rules, either for detections or for excluding known behaviour. Keep exclusions compound: a rule that matches on Image alone is trivially bypassed by placing another binary at that path, whereas pairing Image with Device, ParentImage or User narrows the exclusion to the observed behaviour.

PS /home/carlos/Desktop> Get-SysmonLinuxRawAccess | select image,device -unique | ConvertTo-SysmonRule
<Rule groupRelation="and">
 <Image condition='is'>/usr/lib/systemd/systemd-logind</Image>
 <Device condition='is'>/dev/sda1</Device>
</Rule>
<Rule groupRelation="and">
 <Image condition='is'>/usr/lib/systemd/systemd-logind</Image>
 <Device condition='is'>/dev/sda</Device>
</Rule>
<Rule groupRelation="and">
 <Image condition='is'>/usr/sbin/dumpe2fs</Image>
 <Device condition='is'>/dev/sda5</Device>
</Rule>
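The one-liner above emits bare `<Rule>` elements; to deploy them they still need a threshold (not every tuple seen once deserves an exclusion) and the surrounding Sysmon config. The function below is an added example, not part of SysmonLinux.Util: it takes ProcessCreate objects in the module's output layout, keeps only the (Image, ParentImage, User) tuples that recur at least -MinCount times, and writes a complete exclusion config with XmlWriter so that command lines containing `<` or `&` are escaped correctly. The schemaversion value is an assumption and must match what your installed Sysmon for Linux build expects; the sample events are constructed here so the block runs offline.

```powershell
# Added example (not part of SysmonLinux.Util): build a complete Sysmon for Linux
# exclusion config from recurring (Image, ParentImage, User) tuples.
function New-SysmonExcludeConfig {
    [CmdletBinding()]
    param(
        # ProcessCreate objects, e.g. from Get-SysmonLinuxProcessCreate
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$Event,
        # Tuples seen fewer times than this are not excluded and stay visible.
        [int]$MinCount = 5,
        # Assumption: set this to the schema version your sysmon build reports.
        [string]$SchemaVersion = '4.81'
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.AddRange($Event) }
    end {
        # Compound key: a rule on Image alone is bypassed by dropping a binary at that path.
        $fields = 'Image', 'ParentImage', 'User'
        $noisy = $all |
            Group-Object -Property $fields |
            Where-Object Count -ge $MinCount |
            ForEach-Object { $_.Group[0] }

        $settings = [System.Xml.XmlWriterSettings]::new()
        $settings.Indent = $true
        $settings.OmitXmlDeclaration = $true
        $sb = [System.Text.StringBuilder]::new()
        $w = [System.Xml.XmlWriter]::Create($sb, $settings)

        $w.WriteStartElement('Sysmon'); $w.WriteAttributeString('schemaversion', $SchemaVersion)
        $w.WriteStartElement('EventFiltering')
        $w.WriteStartElement('RuleGroup'); $w.WriteAttributeString('groupRelation', 'or')
        $w.WriteStartElement('ProcessCreate'); $w.WriteAttributeString('onmatch', 'exclude')
        foreach ($e in $noisy) {
            # Same shape as ConvertTo-SysmonRule output: all fields must match (and).
            $w.WriteStartElement('Rule'); $w.WriteAttributeString('groupRelation', 'and')
            foreach ($f in $fields) {
                $w.WriteStartElement($f)
                $w.WriteAttributeString('condition', 'is')
                $w.WriteString([string]$e.$f)   # XmlWriter escapes <, > and & for us
                $w.WriteEndElement()
            }
            $w.WriteEndElement()
        }
        $w.WriteEndElement(); $w.WriteEndElement(); $w.WriteEndElement(); $w.WriteEndElement()
        $w.Flush(); $w.Close()
        $sb.ToString()
    }
}

# Constructed sample (not real log data): six identical cron-spawned shells (noise)
# and a single interactive ping (should stay visible).
$sample = @(
    1..6 | ForEach-Object {
        [pscustomobject]@{ Image = '/usr/bin/dash'; ParentImage = '/usr/sbin/cron'
            User = 'root'; CommandLine = '/bin/sh -c run-parts /etc/cron.hourly' }
    }
    [pscustomobject]@{ Image = '/usr/bin/ping'; ParentImage = '/usr/bin/dash'
        User = 'carlos'; CommandLine = 'ping 8.8.8.8 -c 2' }
)

# Emits one compound Rule for the cron/dash/root tuple and none for ping.
$sample | New-SysmonExcludeConfig -MinCount 5
```

Against real logs: `ls syslog* | Get-SysmonLinuxProcessCreate | New-SysmonExcludeConfig -MinCount 50 | Set-Content sysmon-exclude.xml`, then review the rules by hand before applying the file with `sysmon -c`, since anything excluded here will never be logged again on that host.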
