From 53ca340244ef7a12499411350a8ddacad0be0e2d Mon Sep 17 00:00:00 2001
From: Olaf Hartong
Date: Sun, 13 May 2018 11:42:02 +0200
Subject: [PATCH 1/3] update to 7.0.1

---
 Vagrant/scripts/install-splunkuf.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Vagrant/scripts/install-splunkuf.ps1 b/Vagrant/scripts/install-splunkuf.ps1
index 2eb7b77..1ffbaa7 100755
--- a/Vagrant/scripts/install-splunkuf.ps1
+++ b/Vagrant/scripts/install-splunkuf.ps1
@@ -2,10 +2,10 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
 Write-Host "Downloading Splunk"
- $msiFile = $env:Temp + "\splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi"
+ $msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
 Write-Host "Installing & Starting Splunk"
- (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi&wget=true', $msiFile)
+ (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
 Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 /quiet' -Wait
 } Else {
 Write-Host "Splunk is already installed. Moving on."

From f2545eef50116c40a339fd29cfdab40a47c37f91 Mon Sep 17 00:00:00 2001
From: Olaf Hartong
Date: Sun, 13 May 2018 11:42:27 +0200
Subject: [PATCH 2/3] added olafhartong sysmon-modular config

---
 Vagrant/scripts/install-sysinternals.ps1 | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
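Review bot: The version pinned on the added `$msiFile` and `DownloadFile` lines is 7.1.0 (`splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi`), while the subject of this patch says "update to 7.0.1"; one of the two should be corrected so the history matches what the lab actually installs. The new MSI is still written to `$env:Temp` and handed straight to msiexec with no integrity check, so a truncated or substituted download is installed as a service without anyone noticing. Since the file name already carries a release build id, a hash comparison against the checksum Splunk publishes alongside each download is cheap, e.g. `if ((Get-FileHash $msiFile -Algorithm SHA512).Hash -ne '<EXPECTED_SHA512>') { throw "Splunk UF checksum mismatch" }` placed before the Start-Process line (the expected value is a placeholder). The If/Else block this hunk edits closes outside the hunk, and the hunk header's line counts suggest trailing context lines were lost in this rendering.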
diff --git a/Vagrant/scripts/install-sysinternals.ps1 b/Vagrant/scripts/install-sysinternals.ps1
index 20379b4..48c6818 100755
--- a/Vagrant/scripts/install-sysinternals.ps1
+++ b/Vagrant/scripts/install-sysinternals.ps1
@@ -32,14 +32,8 @@ Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sy
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
 Copy-Item $sysmonPath $sysmonDir
-# Download SwiftOnSecurity's Sysmon config
-Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonConfigPath"
-
-# Convert Sysmon config schema from 3.30 to 4.0 per GitHub Issue #38
-(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
-
-# Convert Schema from 3.30 to 4.0 per GitHub Issue #38
-(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
+# Download Olaf Hartong's Sysmon config
+Invoke-WebRequest -Uri "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml" -Outfile "$sysmonConfigPath"
 # Startup Sysmon
 Write-Host "Starting Sysmon..."

From 9f2dada5d1df8d3d17e9c350fc04cd2ea4f2888f Mon Sep 17 00:00:00 2001
From: Olaf Hartong
Date: Sun, 13 May 2018 11:49:55 +0200
Subject: [PATCH 3/3] added compatible version

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4ac3018..bc8ed7b 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ OS | Vagrant | Packer | Provider
 ---|---------|--------|-----------
 OSX 10.12.4 | 1.9.3 | 1.0.0 | Virtualbox (5.1.14)
 OSX 10.12.6 | 2.0.1 | 1.1.2 | Virtualbox (5.1.30)
+OSX 10.13.4 | 2.0.1 | 1.2.3 | Virtualbox (5.2.6)
 OSX 10.12.4 | 1.9.2 | 1.0.0 | VMWare Fusion (8.5.6)
 OSX 10.12.5 | 1.9.3 | 1.0.0 | VMWare Fusion (8.5.8)
 OSX 10.12.6 | 2.0.1 | 1.1.3 | VMWare Fusion (8.5.9)
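Review bot: The added `Invoke-WebRequest` line fetches `sysmonconfig.xml` from the `master` branch of the sysmon-modular repository, so the rule set Sysmon is installed with changes whenever that branch moves, with no corresponding change in this repository and no way to reproduce an earlier lab build. Pinning the raw URL to a specific commit, e.g. `https://raw.githubusercontent.com/olafhartong/sysmon-modular/<COMMIT_SHA>/sysmonconfig.xml` (placeholder), keeps the detection configuration under version control here and makes a later config change an explicit, reviewable commit. The removed lines also drop the `schemaversion` rewrite from 3.30 to 4.00 together with the old config; if the new file's schema version ever disagrees with the Sysmon64.exe pulled from live.sysinternals.com in the context line above, the install at the "Starting Sysmon..." step below the hunk would fail, so a comment such as `# sysmon-modular config must match the schema of the Sysmon build downloaded above; re-check after either is updated` next to the download would record that assumption.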
@@ -240,7 +241,7 @@ Requests for tools and features will be reviewed on a case by case basis, but I
 ## Credits/Resources
 A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
-# Acknowledgements
+# Acknowledgements
 * [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
 * [Splunk](https://www.splunk.com)
 * [osquery](https://osquery.io)