Uproot ~ a Host Based Intrusion Detection System (HIDS) for leveraging WMI Permanent Event Subscriptions.
Uproot is a Host Based Intrusion Detection System (HIDS) that leverages Permanent Windows Management Instrumentation (WMI) Event Subscriptions to detect malicious activity on a network. For more details on WMI Event Subscriptions please see the WMIEventing Module.
For best results, it is recommended to use Uproot’s AS_GenericHTTP consumer and an Uproot Listening Post to forward events via syslog to a log aggregator such as Splunk.
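The following is an added example, not code from the Uproot project, showing what a permanent WMI event subscription looks like when registered from PowerShell. A permanent subscription has three parts that live in the root\subscription namespace: an __EventFilter (the WQL query selecting events), an event consumer (what to do with each event) and a __FilterToConsumerBinding that joins them. This example uses the built-in LogFileEventConsumer so that process creations are appended to a local log file, and it includes an audit function that lists every binding currently registered on the host, which is also how a defender spots subscriptions they did not create. The names and the log path are assumptions chosen for the example; Uproot's own AS_GenericHTTP consumer is not used here.

```powershell
# Added example (not part of Uproot): register a permanent WMI subscription
# that logs every new process, then audit all subscriptions on the host.
$Namespace = 'root\subscription'
$FilterName   = 'Example_ProcessCreate'                 # assumed name
$ConsumerName = 'Example_ProcessCreateLog'              # assumed name
$LogPath      = 'C:\ProgramData\example-wmi-events.log' # assumed path

# 1. Filter: poll for Win32_Process creations every 5 seconds (intrinsic event).
$Filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
    Name           = $FilterName
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
                     "WHERE TargetInstance ISA 'Win32_Process'"
}

# 2. Consumer: the standard LogFileEventConsumer writes one line per event.
#    %TargetInstance.X% placeholders are expanded from the event by WMI.
$Consumer = Set-WmiInstance -Namespace $Namespace -Class LogFileEventConsumer -Arguments @{
    Name     = $ConsumerName
    Filename = $LogPath
    Text     = 'New process %TargetInstance.Name% PID=%TargetInstance.ProcessId% ' +
               'Parent=%TargetInstance.ParentProcessId% Cmd=%TargetInstance.CommandLine%'
}

# 3. Binding: ties the filter to the consumer; this is what makes it "permanent"
#    (it survives reboots because it is stored in the WMI repository).
Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $Filter
    Consumer = $Consumer
} | Out-Null

function Get-PermanentSubscription {
    # Lists every filter-to-consumer binding with the resolved filter query and
    # consumer class. Run this on any host to review what is registered.
    Get-WmiObject -Namespace 'root\subscription' -Class __FilterToConsumerBinding |
        ForEach-Object {
            $filter   = [wmi]$_.Filter
            $consumer = [wmi]$_.Consumer
            [pscustomobject]@{
                FilterName    = $filter.Name
                Query         = $filter.Query
                ConsumerClass = $consumer.__CLASS
                ConsumerName  = $consumer.Name
            }
        }
}

function Remove-PermanentSubscription {
    # Removes the binding first, then the filter and consumer it referenced.
    param([Parameter(Mandatory)][string]$FilterName,
          [Parameter(Mandatory)][string]$ConsumerName)
    Get-WmiObject -Namespace 'root\subscription' -Class __FilterToConsumerBinding |
        Where-Object { ([wmi]$_.Filter).Name -eq $FilterName } |
        Remove-WmiObject
    Get-WmiObject -Namespace 'root\subscription' -Class __EventFilter -Filter "Name='$FilterName'" |
        Remove-WmiObject
    Get-WmiObject -Namespace 'root\subscription' -Class LogFileEventConsumer -Filter "Name='$ConsumerName'" |
        Remove-WmiObject
}

Get-PermanentSubscription | Format-Table -AutoSize
# Clean up the example subscription when done:
# Remove-PermanentSubscription -FilterName $FilterName -ConsumerName $ConsumerName
```

Registering into root\subscription requires an elevated session. The legacy Get-WmiObject/Set-WmiInstance cmdlets are used rather than the CIM cmdlets so the example also works on the PowerShell v2 controllers the note below mentions; on PowerShell v3 and later, New-CimInstance with [Ref] properties for the binding is the equivalent.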
Note: Uproot was designed for a controller running PowerShell v3 or later. The module can be used with PowerShell v2, but a great deal of functionality will be missing. On the endpoint side, Microsoft has shipped WMI with Windows since Windows NT 4.0 and Windows 95, so Uproot can monitor Windows endpoints from Windows NT 4.0 onward.
Latest change 9/24/2015:
+ Updated WMIEventing Tests;
Uproot Listening Post :
The Uproot project includes a service executable that can be used as a Listening Post (LP), a point in the network that aggregates events and forwards them on. The Listening Post receives HTTP POST requests, converts the received data to Syslog, and forwards the data to any specified location (e.g. Splunk).
You can have multiple Listening Posts throughout your network to allow for load distribution, or to work with firewall restrictions.
Below is a list of Cmdlets to install/configure an Uproot Listening Post:
Get-UprootLP - Lists Uproot Listening Posts on a local or remote computer.
New-UprootLP - Creates a new Uproot Listening Post on a local or remote computer.
Remove-UprootLP - Removes the Uproot Listening Post from a local or remote computer.
Restart-UprootLP - Restarts the Uproot Listening Post on a local or remote computer with a new configuration.
Start-UprootLP - Starts the Uproot Listening Post on a local or remote computer.
Stop-UprootLP - Stops the Uproot Listening Post on a local or remote computer.
NOTE: To avoid creating a privilege escalation vulnerability, we recommend that you move uprootd.exe to C:\Windows\system32\ before using New-UprootLP
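The note above does not spell out the condition it is guarding against; the added check below (not part of Uproot) assumes it is the usual one for a service binary: if uprootd.exe sits in a directory where standard users can write, a low-privileged account could replace the file that the service later runs with higher privileges. The function inspects the ACLs of the binary and its directory and reports any Allow entry that grants write, modify or full control to a low-privileged well-known group, returning $true only when no such entry exists. The list of low-privileged identities and the sample path are assumptions.

```powershell
# Added example (not part of Uproot): verify that a service binary and its
# directory are not writable by low-privileged groups before registering it.
function Test-ServiceBinaryLocation {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $dir  = if ($item.PSIsContainer) { $item.FullName } else { $item.DirectoryName }

    # Well-known identities that should never hold write access here (assumed list).
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    # Any of these rights allows the file to be replaced or the directory to be repopulated.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    $findings = foreach ($target in @($dir, $item.FullName) | Select-Object -Unique) {
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band ([int]$writeMask)) -ne 0) {
                [pscustomobject]@{
                    Path     = $target
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }

    if ($findings) {
        Write-Warning "Low-privileged write access found for $Path"
        $findings | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    return $true
}

# Usage: check the recommended location before running New-UprootLP.
# Test-ServiceBinaryLocation -Path 'C:\Windows\system32\uprootd.exe'
```

Run the check against the location you intend to install from, not only against C:\Windows\system32; a copy left in a download folder is exactly the case the note warns about.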
1. (new-object Net.WebClient).DownloadString("http://psget.net/GetPsGet.ps1") | iex
2. Set-ExecutionPolicy RemoteSigned
3. install-module PsUrl
4. install-module -ModuleUrl https://github.com/Invoke-IR/Uproot/archive/master.zip
5. Import-Module Uproot
6. Get-Command -Module Uproot
Source : https://github.com/Invoke-IR