Created
June 24, 2024 10:29
duzvik created this gist
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,18 @@ # Enable PowerShell Logging $regConfig = @" regKey,name,value,type "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging","EnableScriptBlockLogging",1,"DWORD" "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging","EnableScriptBlockInvocationLogging",1,"DWORD" "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging","EnableModuleLogging",1,"DWORD" "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames",*,*,"String" "@ Write-host "Setting up PowerShell registry settings.." $regConfig | ConvertFrom-Csv | ForEach-Object { if(!(Test-Path $_.regKey)){ Write-Host $_.regKey " does not exist.." New-Item $_.regKey -Force } Write-Host "Setting " $_.regKey New-ItemProperty -Path $_.regKey -Name $_.name -Value $_.value -PropertyType $_.type -force } This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
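Review bot: The script writes under HKLM but never requires elevation, so from an unelevated session `New-Item`/`New-ItemProperty` raise non-terminating errors and the loop keeps printing "Setting …" for every row as if the write had succeeded. Add `#Requires -RunAsAdministrator` at the top and pass `-ErrorAction Stop` to both cmdlets so a failed write aborts instead of leaving logging silently disabled. Transcription (`EnableTranscripting` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription`) is the one PowerShell logging source this table does not turn on; either add a comment on the here-string saying it is intentionally left out, or add a fourth row.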
@@ -0,0 +1,101 @@ [CmdletBinding()] param ( [Parameter(Mandatory=$true)] [ValidateSet("Winlogbeat","Nxlog")] [string]$ShipperAgent, [Parameter(Mandatory=$true)] [string]$ConfigUrl, [Parameter(Mandatory=$false)] [string]$DestinationIP ) if($ShipperAgent -eq "Winlogbeat") { $URL = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.14.1-windows-x86_64.zip" Resolve-DnsName artifacts.elastic.co } else { $Url = "https://nxlog.co/system/files/products/files/348/nxlog-ce-2.10.2150.msi" Resolve-DnsName nxlog.co } $OutputFile = Split-Path $URL -leaf $NewFile = "C:\ProgramData\$outputFile" # Download Installer write-Host "Downloading $OutputFile .." $wc = new-object System.Net.WebClient $wc.DownloadFile($Url, $NewFile) if (!(Test-Path $NewFile)){ Write-Error "File $NewFile does not exist" -ErrorAction Stop} if($ShipperAgent -eq "Winlogbeat") { # Unzip file write-Host "Decompressing $OutputFile .." $file = (Get-Item $NewFile).Basename expand-archive -path $NewFile -DestinationPath "C:\Program Files\" if (!(Test-Path "C:\Program Files\$file")){ Write-Error "$NewFile was not decompressed successfully" -ErrorAction Stop } # Renaming Folder & File write-Host "Renaming folder from C:\Program Files\$file to C:\Program Files\Winlogbeat .." Rename-Item "C:\Program Files\$file" "C:\Program Files\Winlogbeat" -Force # Backing up default Winlogbeat configuration write-Host "Renaming file from C:\Program Files\Winlogbeat\winlogbeat.yml to C:\Program Files\Winlogbeat\winlogbeat.backup .." Rename-Item "C:\Program Files\Winlogbeat\winlogbeat.yml" "C:\Program Files\Winlogbeat\winlogbeat.backup" -Force # Installing Winlogbeat Service write-Host "Installing Winlogbeat Service.." & "C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1" $shipperConfig = "C:\Program Files\Winlogbeat\winlogbeat.yml" $ServiceName = 'winlogbeat' } else { # Installing nxlog write-Host "Installing nxlog .." 
& c:\Windows\system32\msiexec /passive /qn /i $NewFile # Download nxlog Config write-Host "waiting for nxlog folder to exist .." while (!(Test-Path "C:\Program Files (x86)\nxlog")) { Start-Sleep 5 } # Renaming File write-Host "Renaming original nxlog config .." while (!(Test-Path "C:\Program Files (x86)\nxlog\conf\nxlog.conf")) { Start-Sleep 5 } Rename-Item "C:\Program Files (x86)\nxlog\conf\nxlog.conf" "C:\Program Files (x86)\nxlog\conf\nxlog.backup.conf" -Force $shipperConfig = "C:\Program Files (x86)\nxlog\conf\nxlog.conf" $ServiceName = 'nxlog' } # Download shipper config write-Host "Downloading shipper config.." $wc.DownloadFile($ConfigUrl, $shipperConfig) if (!(Test-Path $shipperConfig)){ Write-Error "File $shipperConfig does not exist" -ErrorAction Stop } # Updating Config IP ((Get-Content -path $shipperConfig -Raw) -replace 'IPADDRESS',$DestinationIP) | Set-Content -Path $shipperConfig # Installing Service $arrService = Get-Service -Name $ServiceName while ($arrService.Status -ne 'Running') { Start-Service $ServiceName write-host $arrService.status write-host "Service $ServiceName starting" Start-Sleep -seconds 5 $arrService.Refresh() if ($arrService.Status -eq 'Running') { Write-Host "Service $ServiceName is now Running" } } write-Host "$ServiceName is running.." This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
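Review bot: `$DestinationIP` is declared optional (`Mandatory=$false`) but is substituted unconditionally at `-replace 'IPADDRESS',$DestinationIP`, so omitting it writes an empty host into the shipper config (`hosts: [":9092"]` for the winlogbeat.yml in this gist) and the service-start `while` loop below, which has no attempt limit, then spins forever. Either make the parameter `[Parameter(Mandatory=$true)]` or guard with `if (-not $DestinationIP) { Write-Error "DestinationIP is required" -ErrorAction Stop }` before the replacement, and bound the loop with a retry counter. The installer zip/msi is executed straight after download with no integrity check; comparing `Get-FileHash -Algorithm SHA512` output against the vendor-published hash (supplied by the caller as an `<EXPECTED_HASH>` parameter) would close that gap. `write-host $arrService.status` inside the loop also runs before `$arrService.Refresh()`, so each iteration prints the previous iteration's status.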
@@ -0,0 +1,65 @@ # Author: Roberto Rodriguez (@Cyb3rWard0g) # License: GPL-3.0 # References: # https://medium.com/@cosmin.ciobanu/enhanced-endpoint-detection-using-sysmon-and-wef-3b65d491ff95 [CmdletBinding()] param ( [string]$SysmonConfigUrl = "https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/configs/sysmon/sysmon.xml" ) write-host "[+] Processing Sysmon Installation.." $URL = "https://download.sysinternals.com/files/Sysmon.zip" Resolve-DnsName download.sysinternals.com Resolve-DnsName github.com Resolve-DnsName raw.githubusercontent.com $OutputFile = Split-Path $Url -leaf $File = "C:\ProgramData\$OutputFile" # Download File write-Host "[+] Downloading $OutputFile .." $wc = new-object System.Net.WebClient $wc.DownloadFile($Url, $File) if (!(Test-Path $File)) { Write-Error "File $File does not exist" -ErrorAction Stop } # Decompress if it is zip file if ($File.ToLower().EndsWith(".zip")) { # Unzip file write-Host " [+] Decompressing $OutputFile .." $UnpackName = (Get-Item $File).Basename $SysmonFolder = "C:\ProgramData\$UnpackName" $SysmonBinary = "$SysmonFolder\Sysmon.exe" expand-archive -path $File -DestinationPath $SysmonFolder if (!(Test-Path $SysmonFolder)) { Write-Error "$File was not decompressed successfully" -ErrorAction Stop } } # Downloading Sysmon Configuration write-Host "[+] Downloading Sysmon config.." $SysmonFile = "C:\ProgramData\sysmon.xml" $wc.DownloadFile($SysmonConfigUrl, $SysmonFile) if (!(Test-Path $SysmonFile)) { Write-Error "File $SysmonFile does not exist" -ErrorAction Stop } # Installing Sysmon write-Host "[+] Installing Sysmon.." & $SysmonBinary -i C:\ProgramData\sysmon.xml -accepteula write-Host "[+] Setting Sysmon to start automatically.." 
& sc.exe config Sysmon start= auto # Setting Sysmon Channel Access permissions write-Host "[+] Setting up Channel Access permissions for Microsoft-Windows-Sysmon/Operational " wevtutil set-log Microsoft-Windows-Sysmon/Operational /ca:'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)' #New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational" -Name "ChannelAccess" -PropertyType String -Value "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)" -Force write-Host "[+] Restarting Sysmon .." Restart-Service -Name Sysmon -Force write-Host " [*] Verifying if Sysmon is running.." $s = Get-Service -Name Sysmon while ($s.Status -ne 'Running') { Start-Service Sysmon; Start-Sleep 3 } Start-Sleep 5 write-Host " [*] Sysmon is running.." This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,23 @@ winlogbeat.event_logs: - name: Application ignore_older: 240m - name: Security ignore_older: 240m - name: System ignore_older: 240m - name: Microsoft-windows-sysmon/operational ignore_older: 240m - name: Microsoft-windows-PowerShell/Operational ignore_older: 240m event_id: 4103, 4104 - name: Windows PowerShell event_id: 400,600 ignore_older: 240m - name: Microsoft-Windows-WMI-Activity/Operational event_id: 5857,5858,5859,5860,5861 output.kafka: hosts: ["IPADDRESS:9092"] topic: "winlogbeat" max_retries: 2 max_message_bytes: 1000000
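Review bot: The verification loop `while ($s.Status -ne 'Running') { Start-Service Sysmon; Start-Sleep 3 }` never refreshes `$s`, and a ServiceController caches `Status` until `Refresh()` is called, so if Sysmon is not yet running when `Get-Service` returns the loop spins forever even after the service starts; add `$s.Refresh()` inside the loop, as the companion shipper script does with `$arrService.Refresh()`. `$SysmonBinary` is only assigned inside the `.zip` branch, so any non-zip download would reach `& $SysmonBinary -i …` with an empty command; an `else { Write-Error "unexpected download format" -ErrorAction Stop }` would make that explicit. The default `$SysmonConfigUrl` tracks the `master` branch, so the set of events Sysmon records can change underneath a deployment without any change here; pinning to a tag or commit (`.../Blacksmith/<COMMIT_OR_TAG>/resources/configs/sysmon/sysmon.xml`) keeps the collection policy reproducible.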
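Review bot: The `output.kafka` block ships Security, Sysmon and PowerShell script-block events to `IPADDRESS:9092` with no transport security or authentication, so script contents and command lines cross the network in cleartext to whatever answers on that port. Beats' Kafka output supports TLS via `ssl.certificate_authorities`/`ssl.certificate`/`ssl.key` and SASL via `username`/`password`; at minimum add a comment above `hosts:` stating that the broker is expected to sit on an isolated collection network. `Microsoft-Windows-WMI-Activity/Operational` is also the only entry without `ignore_older`, so on first start it replays the whole channel while the others are bounded to 240m; add `ignore_older: 240m` there unless the full history is wanted.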