This module is currently in an experimental state. This is the first PowerShell API I’ve written and while I’ve had great feedback working with @Lee_Holmes, I know it still needs work.
Please feel free to file issues if you have suggestions for improving the API.
Download
git clone https://github.com/zacbrown/PowerKrabsEtw.git
Examples
There are two main supported scenarios right now:
- Trace-KrabsEtwProcess – think of this as similar to ProcMon filtered on a specific process.
- This is not yet configurable. The data provided includes the following data sources:
- IPv4/IPv6 TCP send
- IPv4/IPv6 UDP send
- DNS lookups
- remote thread injections
- child process creation (via CreateProcess or similar direct means)
- WMI activity
- registry activity
- file activity
- PowerShell function execution
- DLL load activity
- This is not yet configurable. The data provided includes the following data sources:
- Create explicit providers, filters, and traces – this is a more flexible approach and best for experimentation.
powershell.exe -mta
1. Trace a process’s lifetime.
PS C:\dev\PowerKrabsEtw\PowerKrabsEtw\bin\x64\Debug> import-module .\PowerKrabsEtw PS C:\dev\PowerKrabsEtw\PowerKrabsEtw\bin\x64\Debug> $events = Trace-ProcessWithEtw -ProcessName powershell.exe PS C:\dev\PowerKrabsEtw\PowerKrabsEtw\bin\x64\Debug> $events | select -Unique EtwProviderName EtwProviderName ---------------Microsoft-Windows-Kernel-Registry
Microsoft-Windows-Kernel-Process
Microsoft-Windows-Kernel-File
Microsoft-Windows-PowerShell PS C:\dev\PowerKrabsEtw\PowerKrabsEtw\bin\x64\Debug> $events[0]EtwEventId : 7EtwTimestamp : 11/12/17 11:13:34 PM EtwProcessId : 4980 EtwThreadId : 904 EtwProviderName : Microsoft-Windows-Kernel-RegistryKeyObject : 18446603362009679696 Status : 3221225524InfoClass : 2 DataSize : 524 KeyName :
ValueName : 3c74afb9-8d82-44e3-b52c-365dbf48382a CapturedDataSize : 0 CapturedData :2.Setup a custom trace session for PowerShell events
PS C:\dev\PowerKrabsEtw\demo> Import-Module .\PowerKrabsEtw
>> $trace = New-EtwUserTrace >> $provider = New-EtwUserProvider -ProviderName "Microsoft-Windows-PowerShell"
>> $filter = New-EtwCallbackFilter -EventId 7937 >> Set-EtwCallbackFilter -UserProvider $provider -Filter $filter >> Set-EtwUserProvider -Trace $trace -Provider $provider >>>> Start-EtwUserTrace -Trace $trace | Where-Object { $_.CommandName -like "invoke-mimikatz" }EtwEventId : 7937 EtwTimestamp : 11/12/17 11:19:47 PMEtwProcessId : 5308 EtwThreadId : 2000 EtwProviderName : Microsoft-Windows-PowerShell HostProcess : c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -mta CommandName : invoke-mimikatz CommandType : Function UserName : ZACBROWNDDDC\zbrown UserData : Payload : Command invoke-mimikatz is Started.EtwEventId : 7937 EtwTimestamp : 11/12/17 11:19:47 PM EtwProcessId : 5308 EtwThreadId : 2000 EtwProviderName : Microsoft-Windows-PowerShell HostProcess : c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -mta CommandName : invoke-mimikatz CommandType : Function UserName : ZACBROWNDDDC\zbrown UserData : Payload : Command invoke-mimikatz is Stopped.
Source: https://github.com/zacbrown/
Also Read: How To Safeguard Your Phone Against Spyware
Hello, Viewers We offer timely analysis and in-person experiences that form the basis of our professional articles. Our editorial section is a reflection of the emerging technology trends. Our tagline “Fresh News of Technology and More” tries to address the same diversity. 
A5CDC40C9E
ReplyDeletekiralık hacker
hacker arıyorum
kiralık hacker
hacker arıyorum
belek
991B29C76F
ReplyDeletehacker arıyorum
hacker kiralama
tütün dünyası
-
-