Many Splunk fixes, add sponsors list to README

2020-08-06 23:50:10 -07:00
parent ec4c5d1483
commit 34889a8bb6
4 changed files with 1598 additions and 5 deletions
--- a/README.md
+++ b/README.md
@@ -111,3 +111,30 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer]
 * [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
 * [Hunting for Beacons](http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html)
 * [BadBlood](https://github.com/davidprowe/BadBlood)
+
+# DetectionLab Sponsors
+#### Lated updated: 8/8/2020
+I would like to extend thanks to the following sponsors for funding DetectionLab development. If you are interested in becoming a sponsor, please visit the [sponsors page](https://github.com/sponsors/clong).
+
+### Diamond Sponsors:
+* [Veramine](https://github.com/veramine)
+* [Thinkst](https://github.com/ThinkstAppliedResearch)
+
+### Premium Sponsors:
+* [CyDefUnicorn](https://github.com/CyDefUnicorn)
+* [dlee35](https://github.com/dlee35)
+* [chrissanders](https://github.com/chrissanders)
+* [punchdrunktux](https://github.com/punchdrunktux)
+* [jaredhaight](https://github.com/jaredhaight)
+* [iamfuntime](https://github.com/iamfuntime)
+* +1 private sponsor
+
+### Standard Sponsors:
+* [dtonomy](https://github.com/dtonomy)
+* [braimee](https://github.com/braimee)
+* [iLoC0dez](https://github.com/iLoC0dez)
+* [defensivedepth](https://github.com/defensivedepth)
+* [elreydetoda](https://github.com/elreydetoda)
+* [kafkaesqu3](https://github.com/kafkaesqu3)
+* [anthonysecurity](https://github.com/anthonysecurity)
+* +2 private sponsors
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -165,11 +165,6 @@ install_splunk() {
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_144.tgz -auth 'admin:changeme'

-    ## Fix a bug with the ThreatHunting App (https://github.com/olafhartong/ThreatHunting/pull/57)
-    mv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmonevencodes.csv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmoneventcodes.csv
-    sed -i 's/= sysmoneventcode /= sysmoneventcodes.csv /g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
-    sed -i 's/sysmoneventcode.csv/sysmoneventcodes.csv/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
-
    # Install the Maxmind license key for the ASNgen App
    if [ -n "$MAXMIND_LICENSE" ]; then
      mkdir /opt/splunk/etc/apps/TA-asngen/local
@@ -177,8 +172,17 @@ install_splunk() {
      sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
    fi

+    # Replace the props.conf for Sysmon TA and Windows TA
+    # Removed all the 'rename = xmlwineventlog' directives
+    # I know youre not supposed to modify files in "default",
+    # but for some reason adding them to "local" wasnt working
+    cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf
+    cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf
+
    # Add custom Macro definitions for ThreatHunting App
    cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
+    # Fix props.conf in ThreatHunting App
+    sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
    # Fix Windows TA macros
    mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
    cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local
--- a/Vagrant/resources/splunk_server/sysmon_ta_props.conf
+++ b/Vagrant/resources/splunk_server/sysmon_ta_props.conf
@@ -0,0 +1,67 @@
+##Below fields extractions have been moved from [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+#SEDCMD-pwd_rule1 = s/ -pw ([^\s\<])+/ -pw ***MASK***/g
+REPORT-sysmon = sysmon-eventid,sysmon-version,sysmon-level,sysmon-task,sysmon-opcode,sysmon-keywords,sysmon-created,sysmon-record,sysmon-correlation,sysmon-channel,sysmon-computer,sysmon-sid,sysmon-data,sysmon-md5,sysmon-sha1,sysmon-sha256,sysmon-imphash,sysmon-hashes,sysmon-filename,sysmon-registry,sysmon-dns-record-data,sysmon-dns-ip-data
+
+FIELDALIAS-src_ip = SourceIp AS src_ip
+FIELDALIAS-src_host = SourceHostname AS src_host
+EVAL-src = if(isnotnull(SourceHostname),SourceHostname,SourceIp)
+FIELDALIAS-src_port = SourcePort AS src_port
+FIELDALIAS-app = Image AS app
+FIELDALIAS-dest_ip = DestinationIp AS dest_ip
+FIELDALIAS-dest_host = DestinationHostname AS dest_host
+EVAL-dest = case(EventCode=="3" AND isnotnull(DestinationHostname),DestinationHostname,EventCode=="3",DestinationIp,EventCode=="1" OR EventCode == "11" OR EventCode == "12" OR EventCode == "13" OR EventCode == "14", Computer)
+FIELDALIAS-dest_port = DestinationPort AS dest_port
+EVAL-direction = if(Initiated=="true","outbound","inbound")
+FIELDALIAS-dvc = Computer AS dvc
+FIELDALIAS-transport = Protocol AS transport
+EVAL-protocol = if(Initiated=="true",DestinationPortName,SourcePortName)
+FIELDALIAS-session_id = ProcessGuid AS session_id
+EVAL-vendor_product = "Microsoft Sysmon"
+FIELDALIAS-cmdline = CommandLine AS cmdline
+
+#Common fieldnames for Registry, Process, FileSystem Node in Endpoint Datamodel
+EVAL-action = case(EventCode=="1","allowed",EventCode=="12" AND EventType=="CreateKey","created",EventCode=="12" AND (EventType=="DeleteKey" OR EventType=="DeleteValue") ,"deleted",EventCode=="13" AND EventType=="SetValue","modified",EventCode=="11" AND EventDescription=="File Created","created")
+
+#Ports Node
+EVAL-creation_time = case(EventCode=="3",UtcTime)
+EVAL-state = case(EventCode=="3", "listening")
+
+#Processes Node
+EVAL-parent_process_exec = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18", replace(ParentImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
+FIELDALIAS-parent_process_id = ParentProcessId AS parent_process_id
+FIELDALIAS-parent_process_guid = ParentProcessGuid AS parent_process_guid
+FIELDALIAS-parent_process_path = ParentImage AS parent_process_path
+FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory
+EVAL-process_exec = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18" OR EventCode="22", replace(Image,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(SourceImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
+FIELDALIAS-process_hash = Hashes AS process_hash
+FIELDALIAS-process_guid = ProcessGuid AS process_guid
+FIELDALIAS-process_id = ProcessId AS process_id
+FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level
+FIELDALIAS-process_path = Image AS process_path
+FIELDALIAS-user_id = UserID AS user_id
+REPORT-user_for_sysmon = User_as_user
+FIELDALIAS-parent_process = ParentCommandLine AS parent_process
+EVAL-parent_process_name = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18", replace(ParentImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
+FIELDALIAS-process = CommandLine AS process
+EVAL-process_name = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18" OR EventCode="22", replace(Image,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(SourceImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
+
+#Filesystem Node
+FIELDALIAS-file_path = TargetFilename AS file_path
+FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time
+
+#Fields for ChangeAnalysis DM (old field names)
+EVAL-object_category = case(EventCode=="11" OR EventCode=="2", "file", EventCode=="12" OR EventCode=="13" OR EventCode="14", "registry", EventCode=="19" OR EventCode=="20" OR EventCode="21", "wmi")
+EVAL-object_path = case(EventCode=="12" OR EventCode=="13", TargetObject, EventCode=="14", NewName)
+LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
+FIELDALIAS-signature_id = EventCode AS signature_id
+FIELDALIAS-eventid = EventCode AS EventID
+
+#Registry Node
+EVAL-registry_path = case(EventCode=="12" OR EventCode=="13" OR EventCode=="14", TargetObject)
+EVAL-registry_value_name = case(EventCode=="13", Details)
+EVAL-registry_key_name = case(EventCode=="12" OR EventCode=="13" OR EventCode=="14",replace(TargetObject,".+\\\\",""))
+
+#DNS Node
+FIELDALIAS-query = QueryName AS query
+FIELDALIAS-replycode = QueryStatus AS reply_code_id
--- a/Vagrant/resources/splunk_server/windows_ta_props.conf
+++ b/Vagrant/resources/splunk_server/windows_ta_props.conf