How To Mine The Sysmon Event Log For File Hash Information Using PowerShell
In this video Stuart shows how to extract file hash information from the Sysinternals Sysmon event log using Windows PowerShell. One of the data sets Sysmon collects covers process creation events (Event ID 1), including the full path of the executable that was launched and the hash(es) computed over it, using whichever algorithms the Sysmon configuration specifies. This information is useful in a number of scenarios: digital forensics, checking executables against services such as VirusTotal, building application whitelists, or simply documenting your IT environment. The video assumes that Sysmon is already installed on your target device(s) and that process creation events are being collected. Because the Sysmon operational log is not readable from a standard user context, you must run the PowerShell session elevated.
Prerequisites: Sysmon installed and logging process creation events, and an elevated PowerShell session on the device being queried.
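The following script is an added example and is not code from the video. It reads Sysmon process creation events (Event ID 1) from the standard Sysmon channel, flattens the event XML into one object per process start, and splits the `Hashes` field (which Sysmon writes as `ALG=HEX,ALG=HEX,...`) into separate columns so the output can be exported or fed to a lookup service. The function name, parameter names and output column names are my own choices; the channel name and the `Hashes` field format are what Sysmon produces by default.

```powershell
# Added example: mine Sysmon process-creation events for image path and hashes.
# Requires an elevated session; the Sysmon channel is not readable otherwise.
#Requires -RunAsAdministrator

function Get-SysmonProcessHashes {
    [CmdletBinding()]
    param(
        # Newest events are returned first; raise or remove the cap for a full sweep.
        [int]$MaxEvents = 1000,
        # Channel created by the Sysmon installer; override if you forward to another log.
        [string]$LogName = 'Microsoft-Windows-Sysmon/Operational'
    )

    # Event ID 1 = process creation. FilterHashtable is evaluated by the event log
    # service, so this is far cheaper than piping everything through Where-Object.
    $filter = @{ LogName = $LogName; Id = 1 }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml = [xml]$_.ToXml()

            # EventData is a list of <Data Name="...">value</Data> elements.
            # GetAttribute is used rather than .Name to avoid the XmlElement.Name
            # property (the element name "Data") shadowing the attribute.
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }

            # Hashes looks like "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."; which
            # algorithms appear depends on the HashAlgorithms setting in the Sysmon config.
            $hashes = @{}
            if ($data['Hashes']) {
                foreach ($pair in ($data['Hashes'] -split ',')) {
                    $alg, $val = $pair -split '=', 2
                    if ($alg -and $val) { $hashes[$alg.Trim()] = $val.Trim() }
                }
            }

            [pscustomobject]@{
                UtcTime   = $data['UtcTime']
                Image     = $data['Image']
                ProcessId = $data['ProcessId']
                User      = $data['User']
                MD5       = $hashes['MD5']
                SHA1      = $hashes['SHA1']
                SHA256    = $hashes['SHA256']
                IMPHASH   = $hashes['IMPHASH']
            }
        }
}

# Usage: one row per distinct executable/hash pair, ready for a VirusTotal lookup
# or a whitelist baseline. Rows without a SHA256 (config did not enable it) are dropped.
Get-SysmonProcessHashes -MaxEvents 5000 |
    Where-Object SHA256 |
    Sort-Object Image, SHA256 -Unique |
    Export-Csv -Path "$env:TEMP\sysmon-hashes.csv" -NoTypeInformation
```

If `Get-WinEvent` reports that no events match, check that the Sysmon configuration actually enables process creation logging and that the session is elevated; a non-elevated session typically fails with an access-denied error on this channel rather than returning an empty result. The same image can legitimately appear with different hashes after a software update, which is why the usage line deduplicates on the image path and hash together rather than on the path alone.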