
Install-BluGenieHarvester

SYNOPSIS

Install-BluGenieHarvester will copy and install the Windows Event Harvester (WinLogBeat)

SYNTAX

Install-BluGenieHarvester [[-Source] <String>] [[-Destination] <String>] [[-ForceCopy]] [[-Walkthrough]] [[-ReturnObject]] [[-OutUnEscapedJSON]] [[-ComputerName] <String>] [[-Install]] [[-Uninstall]] 
[[-Path] <String>] [[-ForceInstall]] [[-CopyOnly]] [<CommonParameters>]

DESCRIPTION

Install-BluGenieHarvester will copy and install the Windows Event Harvester (WinLogBeat)

EXAMPLES

EXAMPLE 1

Install-BluGenieHarvester
This will copy the Harvester Source to the remote system's destination and install the Harvester service.

EXAMPLE 2

Install-BluGenieHarvester -ForceCopy -ForceInstall
This will copy the Harvester Source to the remote system's destination and install the Harvester service.
If the files and service already exist, ForceCopy will overwrite the current files and ForceInstall will
remove and reinstall the Harvester service.

EXAMPLE 3

Install-BluGenieHarvester -Source C:\NewSource -Destination 'C:\Program Files\NewDest'
This will copy the Harvester Source to the remote system's destination and install the Harvester service.
The Source and Destination can be changed. The default values are below.

Source:       $ToolsDirectory\Blubin\WinlogBeat
Destination:  C:\Program Files\WinlogBeat623

EXAMPLE 4

Install-BluGenieHarvester -Uninstall
This will remove all the source files for the Harvester and uninstall the service.

EXAMPLE 5

Install-BluGenieHarvester -ReturnObject
This will copy the Harvester Source to the remote system's destination, install the Harvester service,
and return just the Object content.

Note:  The default output is a HashTable

EXAMPLE 6

Install-BluGenieHarvester -OutUnEscapedJSON
This will copy the Harvester Source to the remote system's destination, install the Harvester service,
and return the data in a beautified JSON format.
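The following is an added example, not part of the BluGenie project or this page: it runs the install with the documented switches and then independently verifies the deployed binary (presence, Authenticode status, SHA256) and its service before the Harvester's data is relied on. It assumes it runs on the endpoint with local administrator rights; because the page does not document the service name, the service is located by its binary path, and the helper name Test-HarvesterDeployment is made up here.

```powershell
# Added example (not BluGenie project code). Assumes local admin on the endpoint.
function Test-HarvesterDeployment {
    [CmdletBinding()]
    param(
        # Default mirrors the -Path default documented for Install-BluGenieHarvester
        [string]$Path = ('{0}\WinlogBeat623\winlogbeat.exe' -f $env:ProgramFiles)
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    # Authenticode status: 'Valid' means the signing chain verifies on this host
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # The service name is not documented, so match on the service's binary path
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$Path*" } |
        Select-Object -First 1

    [pscustomobject]@{
        Path         = $Path
        Present      = $true
        Signature    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        SHA256       = $hash
        ServiceName  = $svc.Name
        ServiceState = $svc.State
        StartMode    = $svc.StartMode
    }
}

# Default action is Install; -ReturnObject gives an object instead of a HashTable
$installResult = Install-BluGenieHarvester -ReturnObject
$check = Test-HarvesterDeployment

# Re-copy and re-register the service only when verification shows a problem
if (-not $check.Present -or $check.ServiceState -ne 'Running') {
    Install-BluGenieHarvester -ForceCopy -ForceInstall
    $check = Test-HarvesterDeployment
}

$check | Format-List
```

Record the returned SHA256 and Signer alongside the install result so a later run of the same check can detect a replaced or tampered harvester binary.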

PARAMETERS

Source

-Source <String>
   The Source path to the items you want to send
   
   The default is set to $ToolsDirectory\Blubin\WinlogBeat
   
   <Type>String</Type>
   
   Required?                    false
   Position?                    1
   Default value                $('{0}\Blubin\WinlogBeat\*.*' -f $ToolsDirectory)
   Accept pipeline input?       false
   Accept wildcard characters?  false

Destination

-Destination <String>
   The Destination path
   
   The default is set to 'C:\Program Files\WinlogBeat623'
   
   <Type>String</Type>
   
   Required?                    false
   Position?                    2
   Default value                $('{0}\WinlogBeat623' -f $env:ProgramFiles)
   Accept pipeline input?       false
   Accept wildcard characters?  false

ForceCopy

-ForceCopy [<SwitchParameter>]
   Forces the file or directory creation or overwrite
   
   <Type>SwitchParameter</Type>
   
   Required?                    false
   Position?                    3
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

Walkthrough

-Walkthrough [<SwitchParameter>]
   An automated process to walk through the current function and all the parameters
   
   <Type>SwitchParameter</Type>
   
   Required?                    false
   Position?                    4
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ReturnObject

-ReturnObject [<SwitchParameter>]
   Return information as an Object.
   By default the data is returned as a Hash Table
   
   <Type>SwitchParameter</Type>
   
   Required?                    false
   Position?                    5
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

OutUnEscapedJSON

-OutUnEscapedJSON [<SwitchParameter>]
   Removes unescaped characters from the JSON return.
   This will beautify the JSON and clean up the formatting.
   
   <Type>SwitchParameter</Type>
   
   Required?                    false
   Position?                    6
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ComputerName

-ComputerName <String>
   Remote computer name
   
   <Type>String</Type>
   
   Required?                    false
   Position?                    7
   Default value
   Accept pipeline input?       false
   Accept wildcard characters?  false

Install

-Install [<SwitchParameter>]
   Install the Harvester (this is the default action when no other action switch is given)
   
   <Type>SwitchParameter</Type>
   
   Required?                    false
   Position?                    8
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

Uninstall

-Uninstall [<SwitchParameter>]
   Uninstall the Harvester
   
   <Type>SwitchParameter</Type>
   
   Required?                    false
   Position?                    9
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

Path

-Path <String>
   The Install path and file name for the Harvester
   
   The default is set to 'C:\Program Files\WinlogBeat623\winlogbeat.exe'
   
   <Type>String</Type>
   
   Required?                    false
   Position?                    10
   Default value                $('{0}\WinlogBeat623\winlogbeat.exe' -f $env:ProgramFiles)
   Accept pipeline input?       false
   Accept wildcard characters?  false

ForceInstall

-ForceInstall [<SwitchParameter>]
   Overwrite the current installation and remove and reinstall the service.
   
   <Type>SwitchParameter</Type>
   
   Required?                    false
   Position?                    11
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

CopyOnly

-CopyOnly [<SwitchParameter>]
   Copies the files to the remote system but does not perform an installation
   
   <Type>SwitchParameter</Type>
   
   Required?                    false
   Position?                    12
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Last updated 3 years ago