Home Explore Help
Sign In
zhensolid
/
OperatorsKit
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: main
Branches Tags
OperatorsKit
/
KIT
/
EnumSysmon
/
enumsysmon.cna

enumsysmon.cna 1.1 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132 
  1. # author REDMED-X
    2. 

  2. 

  3. beacon_command_register(
    4. 

  4.     "enumsysmon", "Verify if Sysmon is running.",
    5. 

  5.     "INFO:\nVerify if Sysmon is running. This can be done by checking the registry or by enumerating Minifilter drivers and search for one that is associated with Sysmon.\n\nOPTIONS:\n[reg]: search the registry to check if Sysmon is present on the system and return the Sysmon service PID if active.\n[driver]: list all the Minifilter drivers on the system to check manually (requires elevated privileges).\n\n" .
    6. 

  6.     "USAGE:\nenumsysmon <reg | driver>\n\n");
    7. 

  7. 

  8. 

  9. alias enumsysmon {
    10. 

  10.     $bid = $1;
    11. 

  11.     $action = $2;
    12. 

  12. 

  13.     if ($action eq "reg" || $action eq "driver") {
    14. 

  14.     }
    15. 

  15.     else {
    16. 

  16.         berror($bid, "Please specify one of the following enumeration options: reg | driver\n");
    17. 

  17.         return;
    18. 

  18.     }
    19. 

  19. 

  20.     # Read in the right BOF file
    21. 

  21.     $handle = openf(script_resource("enumsysmon.o"));
    22. 

  22.     $data   = readb($handle, -1);
    23. 

  23.     closef($handle);
    24. 

  24. 

  25.     # Pack our arguments
    26. 

  26.     $arg_data  = bof_pack($bid, "z", $action);
    27. 

  27. 

  28.     blog($bid, "Tasked to find Sysmon..");
    29. 

  29.     beacon_inline_execute($bid, $data, "go", $arg_data);
    30. 

  30. }
    31. 

  31. 

  32.