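# Builds a parent/child process graph from Sysmon process-creation events so the
# process hierarchy can be walked as a weighted graph.
#
# Requires Doug Finke's PowerShell graph algorithms (Graph.ps1, GraphVertex.ps1,
# GraphEdge.ps1 — download them into the current directory) and a get-sysmonlogs
# function that emits objects carrying OriginalFileName, Image, ProcessId,
# ParentProcessId, CommandLine, ParentImage and User.
#
# Script-level results left for the caller:
#   $g         - the Graph (vertices keyed by executable name, see below)
#   $Vertices  - hashtable  [string]PID -> GraphVertex, one entry per process
#
# NOTE(review): every field used here is read from the observed process — the
# OriginalFileName comes from the binary's own version resource and the command
# line from whoever started it — so vertex keys reflect what a binary *claims*
# to be. Those values are only ever used as hashtable keys and property values
# here, never expanded as code or as a wildcard pattern.
. .\Graph.ps1
. .\GraphVertex.ps1
. .\GraphEdge.ps1

#######################################
# Returns the file-name component of a Windows path ("C:\x\y.exe" -> "y.exe").
# Arguments: $Path - full path; a path without '\' is returned unchanged and
#            $null yields "" (the [string] cast turns null into an empty string)
# Outputs:   the leaf name, never $null
#######################################
function Get-LeafName([string]$Path) {
  return $Path.Substring($Path.LastIndexOf('\') + 1)
}

#######################################
# Converts one Sysmon event into the plain object stored on a graph vertex.
# Arguments: $Event - one record from get-sysmonlogs
# Outputs:   a psobject with Key, Pid, PPid, Weight, Cluster, EdgeCnt, Visited,
#            Cline, PKey and User note properties (Weight/EdgeCnt/Visited start
#            at 0 and Cluster at "" for later graph passes)
#######################################
function ConvertTo-ProcessRecord($Event) {
  $originalName = [string]$Event.OriginalFileName
  # Sysmon reports "?" when the binary carries no OriginalFileName; fall back to
  # the image's file name so the vertex still gets a usable, non-null key.
  if ([string]::IsNullOrEmpty($originalName) -or $originalName -eq '?') {
    $key = Get-LeafName $Event.Image
  } else {
    $key = $originalName
  }

  # Prefix the command line with the executable name when it is not already part
  # of it. The original test `!$_.CommandLine -contains ...` negated the command
  # line first and compared whole elements, so the prefix was never applied.
  # IndexOf (not -like) is used so that wildcard characters in the command line
  # or file name are not interpreted as a pattern.
  $commandLine = [string]$Event.CommandLine
  if ($commandLine.IndexOf($key, [System.StringComparison]::OrdinalIgnoreCase) -lt 0) {
    $commandLine = "$key $commandLine"
  }

  return New-Object -TypeName psobject -Property @{
    Key     = $key
    Pid     = $Event.ProcessId
    PPid    = $Event.ParentProcessId
    Weight  = 0
    Cluster = ''
    EdgeCnt = 0
    Visited = 0
    Cline   = $commandLine
    PKey    = Get-LeafName $Event.ParentImage
    User    = $Event.User
  }
}

#######################################
# Adds, or re-weights, the edge between a process vertex and its parent's vertex.
# Globals:   $g (read; edges added through AddEdge)
# Arguments: $Record - the psobject held in a GraphVertex's .value
# Returns:   nothing; silently skips records whose vertices are not in the graph
# NOTE(review): $g.vertices is assumed to be indexed by the record Key, which is
# how the lookups were written originally — confirm against Graph.ps1's addVertex.
#######################################
function Add-ParentEdge($Record) {
  $start = $g.vertices[$Record.Key]
  $end = $g.vertices[$Record.PKey]
  # A process whose parent never appeared in the log has nothing to connect to;
  # skip it instead of creating an edge whose far end is $null.
  if ($null -eq $start -or $null -eq $end) {
    return
  }
  $edge = $start.findEdge($end)
  if ($null -eq $edge) {
    $g.AddEdge((New-Object GraphEdge $start, $end, 1)) | Out-Null
  } else {
    # A parent/child pair seen again accumulates weight rather than a second edge.
    $edge.weight = $edge.weight + 1
  }
}

# NOTE(review): the constructor argument (1) is carried over unchanged; its
# meaning is defined in Graph.ps1.
$g = New-Object Graph 1
$Vertices = @{}  # [string]PID -> GraphVertex; one entry per process instance

get-sysmonlogs | ForEach-Object {
  $record = ConvertTo-ProcessRecord $_
  $vertex = New-Object GraphVertex $record
  $g.addVertex($vertex) | Out-Null
  # The PID is stringified for both lookup and insert so they agree whatever
  # type ProcessId arrives as (the original looked up a string key but inserted
  # the raw value, so duplicates were never detected). First event for a PID wins.
  $pidKey = [string]$_.ProcessId
  if (-not $Vertices.ContainsKey($pidKey)) {
    $Vertices[$pidKey] = $vertex
  }
}

# Edges are derived from the per-process table rather than from $g.vertices.Keys:
# those keys are executable names, which the original then used to index the
# PID-keyed table. Walking every process instance also lets a parent/child pair
# observed N times become one edge of weight N.
foreach ($vertex in $Vertices.Values) {
  Add-ParentEdge $vertex.value
}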