Core|Threat Agent collects security logs and sends them over syslog, making it easy to ship security-relevant Windows logs to a collector. It automatically installs Sysmon, sets the necessary registry keys and audit policies, reads the Sysmon events from the Windows event log and forwards them over syslog to the destination of your choice.
- installs Sysmon
- activates Windows logging (audit policies)
- collects Sysmon events from the Windows event log
- sends the Sysmon events to a syslog server
Usage (each step is a separate invocation):

```text
CoreThreatAgent.exe sysmon
CoreThreatAgent.exe auditpol
CoreThreatAgent.exe psaudit
CoreThreatAgent.exe runagent:(ip or hostname):(port):(proto)
```

Sample: `CoreThreatAgent.exe runagent:10.10.10.1:5555:UDP`
Releases: https://github.com/ipcis/CoreThreatAgent/releases
Still to do:
- hide the cmd dialog (background mode)
- run as admin / as a service
- other kinds of events: PowerShell, etc.
- threading
- file log
Python dependencies:

```text
python -m pip install pywin32
python -m pip install xmltodict
```
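As an added illustration of what the `runagent` step does with an event (example code, not the project's own): it parses the `runagent:(ip or hostname):(port):(proto)` argument, flattens a Sysmon event record into one RFC 5424 syslog line, and sends it over UDP or TCP. It uses only the standard library (`xml.etree` instead of `xmltodict`), and the Sysmon record is a constructed Event ID 1 sample, not captured from a real host.

```python
import socket
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FACILITY_LOCAL0, SEV_INFO = 16, 6  # syslog PRI = facility * 8 + severity

# Constructed Sysmon Event ID 1 (process create) record, not captured from a host.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <TimeCreated SystemTime="2024-01-01T12:00:00.000Z"/><Computer>host01</Computer></System>
  <EventData><Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="User">CORP\\alice</Data></EventData></Event>"""


def parse_target(arg):
    """Parse 'runagent:(ip or hostname):(port):(proto)' into (host, port, proto)."""
    cmd, host, port, proto = arg.split(":")
    if cmd != "runagent" or proto.upper() not in ("UDP", "TCP"):
        raise ValueError(f"bad runagent argument: {arg!r}")
    return host, int(port), proto.upper()


def event_to_syslog(xml_text):
    """Flatten one event into an RFC 5424 line; EventData becomes key="value" pairs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = system.findtext("e:EventID", namespaces=NS)
    computer = system.findtext("e:Computer", namespaces=NS)
    ts = system.find("e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # A newline inside a value would split one event into two syslog records.
    body = " ".join(f'{k}="{v.replace(chr(10), " ")}"' for k, v in data.items())
    pri = FACILITY_LOCAL0 * 8 + SEV_INFO
    return f"<{pri}>1 {ts} {computer} Sysmon - {event_id} - {body}"


def send_syslog(line, host, port, proto):
    """Send one line to the collector: one datagram for UDP, newline-framed for TCP."""
    payload = (line + "\n").encode("utf-8")
    if proto == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(payload, (host, port))
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        return len(payload)
```

`parse_target("runagent:10.10.10.1:5555:UDP")` yields the target from the sample above, and `send_syslog(event_to_syslog(SAMPLE_EVENT_XML), *that)` ships the record; a real agent would loop over events read with pywin32 instead of the constructed sample.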