Emphasizes automation in Sysinternals auditing.
This PowerShell script automates the process of auditing system activities using Sysinternals tools, specifically Sysmon, Process Monitor, and Autoruns. It captures logs of system events and processes, saving them in designated directories for further analysis.
- Windows operating system
- Sysinternals Suite installed (available from Microsoft's Sysinternals site)
- Administrative privileges to run the script
- Setup: Defines paths for logs, Sysinternals tools, and configuration files.
- Logging: Creates a log directory if it doesn't exist.
- Sysmon: Installs and starts Sysmon for monitoring system events.
- Process Monitor: Starts Process Monitor to capture process activities.
- Autoruns: Executes Autoruns to capture startup entries and outputs them to a CSV file.
- Running Processes: Captures a list of currently running processes using tasklist.
- Sysmon Logs: Exports Sysmon event logs to both EVTX and CSV formats.
- Cleanup: Uninstalls Sysmon upon completion of the audit.
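The steps above, written out as one runnable script. This is an added example, not the repository's own Sysinternals_Audit_Automation.ps1; it assumes the Sysinternals Suite is extracted to C:\Tools\SysinternalsSuite (the $ToolDir parameter), that sysmonconfig.xml sits next to the script, and it adds two checks the feature list does not mention: it skips the Sysmon install and uninstall when a Sysmon64 service already exists, so an existing deployment is not torn down, and it bounds the Process Monitor capture to a fixed number of seconds.

```powershell
#Requires -RunAsAdministrator
# Added example, not the project's script. Paths below are assumptions.
param(
    [string]$ToolDir       = 'C:\Tools\SysinternalsSuite',              # assumed Suite location
    [string]$LogDir        = 'C:\SysinternalsAuditLogs',
    [string]$SysmonConfig  = (Join-Path $PSScriptRoot 'sysmonconfig.xml'),
    [int]$CaptureSeconds   = 60                                          # Procmon recording window
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Setup / Logging: create the log directory if it does not exist.
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

$sysmon   = Join-Path $ToolDir 'Sysmon64.exe'
$procmon  = Join-Path $ToolDir 'Procmon64.exe'
$autoruns = Join-Path $ToolDir 'autorunsc64.exe'
foreach ($exe in $sysmon, $procmon, $autoruns) {
    if (-not (Test-Path $exe)) { throw "Missing Sysinternals tool: $exe" }
}

# Sysmon: install with the config only if no Sysmon64 service is present, so a host
# that already ships Sysmon keeps its existing telemetry untouched.
$sysmonAlreadyInstalled = [bool](Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue)
if (-not $sysmonAlreadyInstalled) {
    & $sysmon -accepteula -i $SysmonConfig | Out-Null
}

# Process Monitor: headless capture to a backing file, terminated after $CaptureSeconds.
$pml = Join-Path $LogDir "ProcmonLog-$stamp.PML"
Start-Process -FilePath $procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$pml`""
Start-Sleep -Seconds $CaptureSeconds
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait

# Autoruns: every startup entry as CSV, with file hashes (-h) and signature checks (-s).
$autorunsCsv = Join-Path $LogDir "AutorunsLog-$stamp.csv"
& $autoruns -accepteula -nobanner -a * -c -h -s | Out-File -FilePath $autorunsCsv -Encoding utf8

# Running processes: verbose tasklist output.
$procList = Join-Path $LogDir "ProcExpLog-$stamp.txt"
tasklist /v | Out-File -FilePath $procList -Encoding utf8

# Sysmon logs: export the operational channel to EVTX (wevtutil) and to CSV (Get-WinEvent).
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
wevtutil epl $sysmonLog (Join-Path $LogDir "SysmonLog-$stamp.evtx")
Get-WinEvent -LogName $sysmonLog -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Export-Csv -Path (Join-Path $LogDir "SysmonLog-$stamp.csv") -NoTypeInformation

# Cleanup: uninstall Sysmon only if this run installed it.
if (-not $sysmonAlreadyInstalled) { & $sysmon -u | Out-Null }

Write-Host "Audit artifacts written to $LogDir"
```

Two things to keep in mind when running it: a freshly installed Sysmon only has events from the moment of installation, so the EVTX/CSV export covers the capture window rather than history, and the Sysmon64 service name applies when the 64-bit binary is used; if you install from Sysmon.exe, adjust the Get-Service check to match.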
- Open PowerShell as an administrator.
- Navigate to the directory where the script is saved.
- Run the script:
.\Sysinternals_Audit_Automation.ps1
The script generates the following log files in the C:\SysinternalsAuditLogs directory:
- ProcmonLog-YYYYMMDD-HHMMSS.PML: Process Monitor log file.
- AutorunsLog-YYYYMMDD-HHMMSS.csv: Autoruns output of startup entries.
- ProcExpLog-YYYYMMDD-HHMMSS.txt: List of running processes.
Ensure that Sysmon is configured appropriately by editing the sysmonconfig.xml file as needed. The script may take some time to run, depending on system performance and log sizes.
Feel free to modify any section to fit your specific needs or preferences!