Created
June 30, 2022 01:29
PowerShell script that checks Sysmon process-creation events (Event ID 1) from the last hour for events whose details mention Invoke-Command, such as launchers run by PowerShell Empire and other fileless malware. Because the match runs against the plain-text event message, a launcher that passes Invoke-Command through -EncodedCommand is not caught, and legitimate use of PowerShell remoting will match as well, so treat a hit as a trigger for review rather than a verdict.
# Sysmon Event ID 1 (process creation) events from the last hour whose details mention Invoke-Command.
# -ErrorAction SilentlyContinue suppresses the "No events were found" error Get-WinEvent raises when nothing matches;
# @() makes .Count reliable whether zero, one or many events come back.
$result = @(Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; StartTime=(Get-Date).AddHours(-1); EndTime=(Get-Date); ID=1} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match "Invoke-Command" })
if ($result.Count -gt 0) {
    # PUT YOUR SCRIPT ACTION HERE WHEN DETECTED IN THE LAST HOUR
}
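The following is an added example, not code from the gist above. It makes the same check more precise in two ways the one-liner cannot: it reads the Sysmon fields (CommandLine, Image, ParentImage are Sysmon's own field names) instead of regex-matching the whole Message string, and it base64-decodes a -EncodedCommand argument so that an Invoke-Command hidden inside an encoded launcher is still found. The function names Get-SysmonEventData and Test-InvokeCommandLaunch, and the sample event record, are mine; the sample is constructed for illustration and trimmed to three fields.

```powershell
# Added example, not part of the original gist. Checks one Sysmon Event ID 1 record
# by field and also decodes -EncodedCommand arguments, which a match against the
# plain-text Message cannot see.

function Get-SysmonEventData {
    # Flatten the <Data Name="X">value</Data> entries into a hashtable keyed by Name
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = [string]$d.'#text' }
    return $fields
}

function Test-InvokeCommandLaunch {
    param([Parameter(Mandatory)][string]$EventXml)
    $f    = Get-SysmonEventData -EventXml $EventXml
    $cmd  = $f['CommandLine']
    $hits = @()

    if ($cmd -match 'Invoke-Command') { $hits += 'CommandLine contains Invoke-Command' }

    # powershell.exe accepts -e/-ec/-enc/-EncodedCommand with base64 of a UTF-16LE string;
    # Empire's default launcher uses this form, so decode it before searching.
    if ($cmd -match '\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            if ($decoded -match 'Invoke-Command') { $hits += 'Encoded payload contains Invoke-Command' }
        } catch { $hits += 'Undecodable -EncodedCommand argument' }
    }

    [pscustomobject]@{
        Image       = $f['Image']
        ParentImage = $f['ParentImage']
        CommandLine = $cmd
        Suspicious  = ($hits.Count -gt 0)
        Reasons     = $hits
    }
}

# --- Constructed sample event (assumed shape of a Sysmon ID 1 record, trimmed to three fields) ---
$payload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Invoke-Command -ScriptBlock { whoami }'))
$sample  = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell -noP -sta -w 1 -enc $payload</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
"@

# The plain-text match would miss this record; the decoded check flags it.
Test-InvokeCommandLaunch -EventXml $sample | Format-List

# --- Live usage: last hour of Sysmon process-creation events, suspicious ones only ---
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { Test-InvokeCommandLaunch -EventXml $_.ToXml() } |
    Where-Object Suspicious
```

Returning ParentImage alongside the command line is deliberate: Invoke-Command launched from an administrator's console is routine, while the same string spawned under an Office application or a service host is the case worth acting on, and that distinction is what the one-hour count in the original cannot make.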