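# PSGumshoe.psd1 - module manifest for PSGumshoe.
#
# A manifest is a PowerShell data file: a single hashtable evaluated in restricted
# language mode. Every function this module should expose must be listed in
# FunctionsToExport by its exact name; an entry that does not match a function
# defined in the root module is silently not exported (or produces a warning
# at import time), so the names below must match character-for-character.
@{
    # NOTE(review): the e-mail portion of this string appears to be a scraper
    # redaction artefact ("[email protected]"), not the original value - verify
    # against the upstream repository before publishing.
    Author = "Carlos Perez ([email protected])"

    # Script module or binary module file associated with this manifest.
    RootModule = 'PSGumshoe.psm1'

    # Version number of this module.
    ModuleVersion = '2.0.4'

    # ID used to uniquely identify this module. Must stay stable across versions
    # so that Update-Module / Install-Module treat releases as the same module.
    GUID = '6f0aaa95-8bc2-43ef-b06c-440ba94a7e5d'

    # Description of the functionality provided by this module.
    Description = 'PowerShell module for data collection, incident response, hunting, and security analysis'

    # Functions to export from this module. For best performance, do not use
    # wildcards and do not delete the entry; use an empty array if there are no
    # functions to export. An explicit allow-list also prevents accidentally
    # exporting private helpers.
    FunctionsToExport = @(
        # Volatile information functions
        # NOTE(review): the two entries below are commented out with no stated
        # reason (deprecated? unfinished? intentionally withheld?). Document why,
        # or remove them, so the next maintainer does not re-enable them blindly.
        #'Get-InjectedThread',
        'Get-NamedPipe',
        'Measure-CharacterFrequency',
        'Measure-DamerauLevenshteinDistance',
        'Measure-VectorSimilarity',
        #'Stop-Thread',

        # Directory Service functions
        'Get-DSForest',
        'Get-DSDirectoryEntry',
        'Get-DSDirectorySearcher',
        'Get-DSComputer',
        'Get-DSDomain',
        'Get-DSGpo',
        'Get-DSUser',
        # FIX: trailing comma was missing here. Inside @( ) a newline also
        # separates elements, so it parsed, but every other entry is
        # comma-terminated; keep the list uniform to avoid a future merge that
        # joins two names onto one line and silently drops an export.
        'Get-DSGroup',
        'Get-DSReplicationAttribute',
        'Get-DSGroupMember',
        'Get-DSOU',
        'Get-DSTrust',
        'Get-DSObjectAcl',

        # Eventlog functions
        'Get-EventPsEngineState',
        'Get-EventPsScriptCommandExec',
        'Get-EventPsPipeline',
        'Get-EventPsIPC',
        'Get-EventPsScriptBlock',
        'Get-WinEventBaseXPathFilter',
        'Get-SysmonProcessAccess',
        'Get-SysmonConfigChange',
        'Get-SysmonConnectNamedPipe',
        'Get-SysmonCreateNamedPipe',
        'Get-SysmonCreateRemoteThreadEvent',
        'Get-SysmonDriverLoadEvent',
        'Get-SysmonFileCreateEvent',
        'Get-SysmonFileStreamHash',
        'Get-SysmonFileTime',
        'Get-SysmonFileDeleteDetectedEvent',
        'Get-SysmonImageLoadEvent',
        'Get-SysmonNetworkConnect',
        'Get-SysmonProcessCreateEvent',
        'Get-SysmonProcessTampering',
        'Get-SysmonProcessTerminateEvent',
        # FIX: this entry previously had a trailing space ('Get-SysmonRawAccessRead ').
        # Export matching is by exact string, so the function was not being
        # exported even though it is listed.
        'Get-SysmonRawAccessRead',
        'Get-SysmonRegistryKey',
        'Get-SysmonRegistryRename',
        'Get-SysmonRegistrySetValue',
        'Get-SysmonServiceStateChange',
        'Get-SysmonWmiBinding',
        'Get-SysmonWmiConsumer',
        'Get-SysmonWmiFilter',
        'Get-SysmonDNSQuery',
        'Get-SysmonProcessActivityEvent',
        'Get-SysmonClipboardChange',
        'Get-SysmonError',
        'Get-EventSystemLogon',
        'Get-EventSystemLogoff',
        'Get-EventTerminalLogon',
        'Get-EventTerminalLogoff',
        'Get-EventScheduledTaskStart',
        'Get-EventScheduledTaskProcess',
        'Get-EventScheduledTaskStop',
        'Get-EventScheduledTaskComplete',
        'Get-EventBitsTransferComplete',
        'Get-EventBitsTransferStart',
        'Get-SysmonAccessMask',
        'Get-SysmonRuleHash',
        'Get-SysmonFileBlockExecutable',
        'Get-SysmonFileBlockShredding',
        'ConvertTo-SysmonRule',
        'Get-EventProcessCreate',
        # NOTE(review): by its name this appears to be a destructive cmdlet that
        # clears event logs - confirm against the implementation. In an IR /
        # hunting module that is an evidence-destruction risk; its help should
        # say so explicitly and it should never be run on a host under
        # investigation before logs have been exported (see Export-WinEvent).
        'Clear-WinEvent',
        'Export-WinEvent',
        'Get-EventWmiQueryError',
        'Get-EventWmiProviderStart',
        'Get-EventWmiOperationFailure',
        'Get-EventWmiTemporaryEvent',
        'Get-EventWmiPermanentEvent',
        'Get-EventWmiObjectAccess',

        # CIM Functions
        'Get-CimLogonSession',
        'Get-CimProcessLogonSession',
        'Get-CimProcess',
        'Get-CimComputerInfo',
        'Get-CimDNSCache',
        'Get-CimNetLogon'
    )

    # Private data to pass to the module specified in RootModule/ModuleToProcess.
    # This may also contain a PSData hashtable with additional module metadata
    # used by PowerShell.
    PrivateData = @{
        PSData = @{
            # Tags applied to this module. These help with module discovery in online galleries.
            # Tags = @()

            # A URL to the license for this module.
            # LicenseUri = ''

            # A URL to the main website for this project.
            # NOTE(review): LicenseUri and ProjectUri are both unset. If this
            # module is ever published to a gallery, consumers have no
            # manifest-level way to tie the package back to its source
            # repository, which weakens provenance checks. Fill these in before
            # publishing.
            # ProjectUri = ''

            # A URL to an icon representing this module.
            # IconUri = ''

            # ReleaseNotes of this module
            # ReleaseNotes = ''
        } # End of PSData hashtable
    } # End of PrivateData hashtable

    # Default prefix for commands exported from this module.
    # Override the default prefix using Import-Module -Prefix.
    # DefaultCommandPrefix = 'Psg'
}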