PowerShell function that generates a Sysmon configuration (audit rules, block rules, or both) from the SHA256 hashes published in the LOLDrivers drivers.json feed.
#Author: Jonathan Johnson (@jsecurity101)
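function New-DriverConfig {
<#
.SYNOPSIS
Generates a Sysmon configuration that audits and/or blocks known vulnerable or malicious drivers listed by LOLDrivers.
.DESCRIPTION
Downloads https://www.loldrivers.io/api/drivers.json, collects the SHA256 of every entry in each
driver's KnownVulnerableSamples list, and writes a Sysmon XML config (schemaversion 4.90) to -ConfigPath:
  -Audit : DriverLoad and FileExecutableDetected include rule groups (observe only).
  -Block : FileBlockExecutable include rule group (Sysmon prevents the file from being written).
The switches may be combined. At least one must be given; otherwise the function throws instead of
silently writing a config with no rules.

The feed is untrusted input: only values that are exactly 64 hex characters are emitted, so a
malformed or hostile entry cannot inject XML into the Sysmon configuration. Hashes are lowercased
and de-duplicated. The feed's integrity rests on TLS to loldrivers.io - there is no signature to
verify - so review the output before loading it with `sysmon -c <path>`.
.PARAMETER Block
Emit the FileBlockExecutable rule group.
.PARAMETER Audit
Emit the DriverLoad and FileExecutableDetected rule groups.
.PARAMETER ConfigPath
Destination file. Defaults to Driver.xml in the current directory and is overwritten if it exists.
.EXAMPLE
New-DriverConfig -Block
Creates driver block config in the current directory
.EXAMPLE
New-DriverConfig -Audit
Creates driver audit config in the current directory
.EXAMPLE
New-DriverConfig -Audit -ConfigPath C:\Driver.xml
Creates driver audit config in the C:\ directory
.EXAMPLE
New-DriverConfig -Audit -Block -Verbose
Creates a config with both audit and block rule groups and reports how many hashes were used
#>
    [CmdletBinding()]
    param (
        [Parameter()]
        [Switch]
        $Block,
        [Parameter()]
        [Switch]
        $Audit,
        [Parameter()]
        [string]
        $ConfigPath = "$PWD\Driver.xml"
    )

    # Refuse to produce an empty <EventFiltering> block; that is never what the caller wants.
    if (-not ($Audit -or $Block)) {
        throw 'Specify -Audit, -Block, or both; otherwise the generated config would contain no rules.'
    }

    # Fetch and parse before touching the output file so a failed download cannot leave a truncated config behind.
    $feedUri = 'https://www.loldrivers.io/api/drivers.json'
    try {
        $drivers = (Invoke-WebRequest -Uri $feedUri -UseBasicParsing -ErrorAction Stop).Content | ConvertFrom-Json
    }
    catch {
        throw "Failed to download or parse $feedUri : $_"
    }

    # Property access on ConvertFrom-Json output is case-insensitive, so the feed's casing of
    # KnownVulnerableSamples / SHA256 does not matter and the raw JSON need not be lowercased.
    $hashes = @(
        $drivers |
            ForEach-Object { $_.KnownVulnerableSamples } |
            ForEach-Object { $_.SHA256 } |
            Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
            ForEach-Object { $_.Trim().ToLowerInvariant() } |
            # Accept only a genuine SHA256. Anything else is either a feed error or an attempt to
            # smuggle markup into the XML we are about to write.
            Where-Object { $_ -match '^[0-9a-f]{64}$' } |
            Sort-Object -Unique
    )
    if ($hashes.Count -eq 0) {
        throw "No valid SHA256 values found in $feedUri; refusing to write an empty config."
    }
    Write-Verbose "Using $($hashes.Count) unique SHA256 hashes from $feedUri"

    # condition="contains": Sysmon's Hashes field is "SHA256=...,IMPHASH=..." when several
    # algorithms are configured, so an exact match on "SHA256=<hash>" would miss.
    $hashLines = $hashes | ForEach-Object { "      <Hashes condition=`"contains`">SHA256=$_</Hashes>" }

    $xml = New-Object System.Collections.Generic.List[string]
    $xml.Add('<Sysmon schemaversion="4.90">')
    $xml.Add('  <EventFiltering>')

    if ($Audit) {
        # Audit 1: a listed driver was actually loaded (event 6).
        $xml.Add('    <RuleGroup name="Potential Vulnerable or Malicious Driver Load" groupRelation="or">')
        $xml.Add('      <DriverLoad onmatch="include">')
        $xml.AddRange([string[]]$hashLines)
        $xml.Add('      </DriverLoad>')
        $xml.Add('    </RuleGroup>')

        # Audit 2: a listed driver file landed on disk (event 29), whether or not it was loaded.
        $xml.Add('    <RuleGroup name="Potential Vulnerable or Malicious Driver File Detected" groupRelation="or">')
        $xml.Add('      <FileExecutableDetected onmatch="include">')
        $xml.AddRange([string[]]$hashLines)
        $xml.Add('      </FileExecutableDetected>')
        $xml.Add('    </RuleGroup>')
    }

    if ($Block) {
        # Block: Sysmon deletes/prevents the write of a matching executable (event 27).
        $xml.Add('    <RuleGroup name="Potential Vulnerable or Malicious Driver File Block" groupRelation="or">')
        $xml.Add('      <FileBlockExecutable onmatch="include">')
        $xml.AddRange([string[]]$hashLines)
        $xml.Add('      </FileBlockExecutable>')
        $xml.Add('    </RuleGroup>')
    }

    $xml.Add('  </EventFiltering>')
    $xml.Add('</Sysmon>')

    # Single write so the file is either complete or absent.
    Set-Content -Path $ConfigPath -Value $xml
}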