$hashdirectory=".\hashes\" $events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7,29} ForEach ($event in $events) { if ($event.id -eq 1){ # Process creation if ($event.Properties.Count -le 16){ $path=$event.Properties[3].Value # Full path of the file $hash=$event.Properties[11].Value # Hashes } ElseIf ($event.Properties.Count -le 17){ $path=$event.Properties[4].Value # Full path of the file $hash=$event.Properties[16].Value # Hashes } Else { $path=$event.Properties[4].Value # Full path of the file $hash=$event.Properties[17].Value # Hashes } } ElseIf ($event.id -eq 29){ # FileExecutableDetected $path=$event.Properties[6].Value # Full path of the file $hash=$event.Properties[7].Value # Hashes } Else{ # Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML $eventXML = [xml]$event.ToXml() If ($event.id -eq 6){ # Driver (.sys) load if ($event.Properties.Count -le 6){ $path=$eventXML.Event.EventData.Data[1]."#text" # Full path of the file $hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes $hash } Else{ $path=$eventXML.Event.EventData.Data[2]."#text" # Full path of the file $hash=$eventXML.Event.EventData.Data[3]."#text" # Hashes } } ElseIf ($event.id -eq 7){ # Image (.dll) load if ($event.Properties.Count -lt 14){ $path=$eventXML.Event.EventData.Data[4]."#text" # Full path of the file $hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes } Elseif ($event.Properties.Count -lt 15){ $path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file $hash=$eventXML.Event.EventData.Data[10]."#text" # Hashes } Else{ $path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file $hash=$eventXML.Event.EventData.Data[11]."#text" # Hashes } } Else{ Out-Host "Logic error 1, should not reach here..." Exit 1 } } # Multiple hashes may be logged, we want SHA256. Remove everything through "SHA256=" $SHA256= $hash -Replace "^.*SHA256=","" # Split the string on commas, grab field 0 $SHA256=$SHA256.Split(",")[0] if ($SHA256 -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings $hashfile="$hashdirectory\$SHA256" if (-not (Test-Path "$hashfile*")){ # Hash file doesn't exist (or any variants with extensions), create it $path | Set-Content $hashfile } } Else{ Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes" } }