Adding Olaf's Threat Hunting App. Fixes. Updates.

Vagrant/bootstrap.sh

@@ -84,8 +84,8 @@ install_splunk() {
     # Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
     dig @8.8.8.8 splunk.com
     # Download Splunk
-    wget --progress=bar:force -O splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.2&product=splunk&filename=splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb&wget=true'
-    dpkg -i splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb
+    wget --progress=bar:force -O splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.1&product=splunk&filename=splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb&wget=true'
+    dpkg -i splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb
     /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
     /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
@@ -94,9 +94,17 @@ install_splunk() {
     /opt/splunk/bin/splunk add index powershell -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index bro -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
+    /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_012.tgz -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_11.tgz  -auth 'admin:changeme'
+    # Add custom Macro definitions for ThreatHunting App
+    cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/local
+
     # Add a Splunk TCP input on port 9997
     echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
     # Add props.conf and transforms.conf
@@ -105,6 +113,7 @@ install_splunk() {
     cp /opt/splunk/etc/system/default/limits.conf /opt/splunk/etc/system/local/limits.conf
     # Bump the memtable limits to allow for the ASN lookup table
     sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
+
     # Skip Splunk Tour and Change Password Dialog
     touch /opt/splunk/etc/.ui_login
     # Enable SSL Login for Splunk

Vagrant/resources/fleet/server.crt

@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICnjCCAYYCCQD3m5L/nC/akjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr
-b2xpZGUwHhcNMTcxMTAxMjAxMDIxWhcNMTgxMTAxMjAxMDIxWjARMQ8wDQYDVQQD
-DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDahfD8pVJN
-KSdE+GoYIPsteyHvyQXXGcCIlrt+EFI5TXKBcHE8Vyyi1xw7hTpGKA3DGbLBf43E
-j26w7NS0hGhbJHwjx5EBujWhDskbH8GTzhQllVoYOOwuU85MWiISQOAWhaytIFYg
-6wnBaA0EtNEOeYPD1J5t1Bt4k9pwS+ATJxAag9BSesMdmU6Uz2zCxSavsDMGepiv
-kaOAzT4Bhy3aVhq56mNayLT2fCdmyEyKlou9gUzteY0dp010ZNfqyxgcsnhogUij
-6LaEsVzsxDRH7HFPtCeGBb8CjnnPhMbAU9nzhn+9EEtiIUvN0Dl0G/DmgziTpKgD
-EEmddbqEK6g9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBALVH183jm9WeKXd3Uhqn
-jyOZ8H4+RhaADm4rkABmVHUAIoqLQOfpnTuvcp/eiAAUBNaRk8B5T+yWosx+IP4u
-SUoRR949zdn5kd/BkoHE5rcJh169goJlKLtKGXkPyCRgcakXC/kDSZtWrIyw/vYu
-6WYjScDLiEDlgVQQuEdI3S5lDm9D0UMvCmiVsUyWYcTic2WgO9vaOErWS5UQMaPV
-crzxIJKxd1eK0++gdyiwWwakWBtHpDQnpjamfFBqltvXKdpY1cIVJsyXROlZ6xNk
-NqbzMLDLt/4zvGjG88zrpwqU2egigX2VkAgOMa8BEnnkvZMuCcgoYkCXbY3CXsts
-YOM=
+MIICnjCCAYYCCQCwK8/9PtNo1TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr
+b2xpZGUwHhcNMTgxMjExMDg0NjUxWhcNMjEwOTA2MDg0NjUxWjARMQ8wDQYDVQQD
+DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDO6RiMkjD1
+LJmcTR3oiUXrN4Kz+2KWCm3RrM6UanxhmVG12DrX1VPzsFkmzPdc74LKVUqPFJfV
+oAt3U2RQ4oPmMdS9yuvYz9NprbZ8Qe+Toue5reUqyDU9RQhoiYMuCvIdoOS35Zg4
+gHrP8fMkDNLSE3egqHNxtQ0lCTHiIOB3+Lr2MDiuSLP2WM+JLc7tt95Vg4zAU0VG
+38Q/SfET3OhCUIOu2OR/XlpqbKORRHqrc7/0wzuZGxSsw+bei8d/OOfKdvL3WhFd
+35F0OduEa0PGphKt0ePT6R2NtjtGg5GIQ3QhC222qAeYXLOOeNIS2RB42h6rr/Fr
+vXUl/Gj4HGxNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJu06ushu+H4gBzH65pR
+caBkH7OKbmOUxmVwkZMmHGaTWnHvUmvSNaR70466Sd25YHn1MyNmi3rI0h2LwUjU
+wEXoDbQRUpbKrF410L114D5g5lZ78eMRXN5ItzJluGVHOpdBWCJslpvoksW7ovPD
+awbD2hPNDIOAjVTXC3fgyEST+VSLripjhg6yhgZWVYRNgfcjDl3IG3AIg3Gpr7mu
+ClqTYP27vL4EYTIp+waYhYIc/CEI/lao7/X++5Gp2bJsMscFuSfJDJ3kLvbCebyL
+1GSnkKbtokUFqsDWnG9IoodHCSL/lj8fhTeXJZsi5Zky9yZC7BiIKmGn5/vcOTO6
+oDs=
 -----END CERTIFICATE-----

Vagrant/resources/fleet/server.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA2oXw/KVSTSknRPhqGCD7LXsh78kF1xnAiJa7fhBSOU1ygXBx
-PFcsotccO4U6RigNwxmywX+NxI9usOzUtIRoWyR8I8eRAbo1oQ7JGx/Bk84UJZVa
-GDjsLlPOTFoiEkDgFoWsrSBWIOsJwWgNBLTRDnmDw9SebdQbeJPacEvgEycQGoPQ
-UnrDHZlOlM9swsUmr7AzBnqYr5GjgM0+AYct2lYauepjWsi09nwnZshMipaLvYFM
-7XmNHadNdGTX6ssYHLJ4aIFIo+i2hLFc7MQ0R+xxT7QnhgW/Ao55z4TGwFPZ84Z/
-vRBLYiFLzdA5dBvw5oM4k6SoAxBJnXW6hCuoPQIDAQABAoIBAGaidD5lc5NUGeKV
-/laY3wBMjfLuarTNnpVInoUmK0hIrNhItJaPpyJQgC0gdO9Qjq4s2r1xKGfCqk2k
-3n5ulgkAyOGRMPUrvVaI+EGqF6RRLTs9u5QW4C8eI43O46PJHrbVT/X8cxeA7RMO
-yNaGCo6O2ilXKpYRAloOr5EAwhyb5OeNrxe/XkngzU2/Sy/XPqqa/gUZGReJzEW1
-/M/iJULNSo2smKftdzDkiSVxH4x5En3q/ri7EUs6NMJZ9V7mUI7LJABeDOBYNta6
-e43b9f6sVfoecFU71FmrXx6QUvUJATNUPEqCwQqp4LfmUrv/Rnty/d39ktQqkpkV
-u4CQ700CgYEA9c6WoE7sK+M4ySmnc08ol0RxoUX4gp9oHbIUe+8fN4al6uLawvc1
-zgPjsev9kMGsw9Ejm2ID+PcuyQirJcE+MkT6Jdj6S39hE0umnFfxytF8vssqVcrG
-bSWS3fLgQ+5k7/IbWFJiQxRW7Y/4qjlOqeHE9tAbPMUyH+viT6nu6w8CgYEA45W3
-fSHVrr72h7WettUwb/dJLSjIj7MbMcMGrq2bStwHkZikXr1tgBtxFBTiOoc2p1JK
-+bII0cilAyobp1wk6spOt501QeciYxnCgHBuenC4TDmzPdgwQvBOHQoMe8oS/ZBd
-SwGpuEBCfBnODnDrWNgAye9rxV1pAXwUTns45/MCgYEAqhLbs2WIEUGxS7ZvbuAp
-ZKhturlwHejvoARUGgA0aDXY3PFDjbyAVN/qDnQLSLpIsGAnM96Ygw18KIq/6GqR
-fzSso71CSTSEVVZ1nB1ZZgyWNGjcDOo1atWhjcH7m+T5n++zLeQqquEK2GpSEm1+
-WRqmLmOFRQHoEaAjQR2B+s8CgYBe5WvISpZuMgRcHBgdBpIW7dbedLYEbVt2iWq8
-5XjuYwbo5+wJ8RS6qTaid/7JBt58MG1A5sKUrwRXaHR1eY+PM2JVX8D4ROdqyS/4
-HGmEtoGyjxC1RfMBxm/b3ffMmjsG7e5ouz3IrUrLsnrgPKd1uUPC8AlRF50UWGej
-PfBBjwKBgDqk/kpJ7aYfJB/lB5F+v+V1YucNyCgxj6cQ/aiBxOq3pN7wi8/vra2K
-/cGiz4JWrSS3PeUmiu7eCsYbItxyi1yjNOcfI1/gJTjm8Mgoh7WT39a8IfPefsLD
-MpJ3ISw+VcV1Vcr8g7/LsZZNfRcTVEZbCWSdPH69KgdDn8vLU1O0
+MIIEowIBAAKCAQEAzukYjJIw9SyZnE0d6IlF6zeCs/tilgpt0azOlGp8YZlRtdg6
+19VT87BZJsz3XO+CylVKjxSX1aALd1NkUOKD5jHUvcrr2M/Taa22fEHvk6Lnua3l
+Ksg1PUUIaImDLgryHaDkt+WYOIB6z/HzJAzS0hN3oKhzcbUNJQkx4iDgd/i69jA4
+rkiz9ljPiS3O7bfeVYOMwFNFRt/EP0nxE9zoQlCDrtjkf15aamyjkUR6q3O/9MM7
+mRsUrMPm3ovHfzjnynby91oRXd+RdDnbhGtDxqYSrdHj0+kdjbY7RoORiEN0IQtt
+tqgHmFyzjnjSEtkQeNoeq6/xa711Jfxo+BxsTQIDAQABAoIBACil/G+pTLrtzyO4
+trZ3OWgzWJcZPM3zMI3voAniPZtC7p2F5FGAlGSccXdA7xuv5gbv6JzhU87hCT+g
+/2Uwiu8PPRcoJVtLwOHTAbW5kmJzr4h31DyqZmMqC7PVyBKkjdoqQKSsE1KOUxJF
+Gxoq9sPUlTzXuw5Mnk93Vfhxswd+WFaajrwnZWV+nWG436Y6QtrP241E5AS+SrPo
+CoaiXPNsvJjdGlF6yRYyUCYlZKQItPXjGgTI+TC3gfiZHwv6y86ylBHT5uObIDeu
+hvc1pVOf73vPLrpwvqmY/6y+RLzMqPByyuas/8V/RrZScDKgA0FQ1fL6IHxC6yim
+DFhL6cECgYEA8pTZ0VE2UdYuXTxvkiGsdgebkh3kxiy25PwjSzW18q7WThoZrErv
++ggzYY6DKLH430lbmVeDUl9yBasr8AeJMgI+lcxDkqUyUJiWJEQtW2pLVjcv3JHE
+0ixK5knzEEDsZUZa9DsCx3PVmylJw64qk+QnRjFXfxkTo+nWpbZrxTECgYEA2lsd
+tY0blBM9xpRHYu58C7muMLwm7hlgxpAlG7lFQAYr7XOghAx7r+sDoAzx0f7w5/mQ
+y2W9vKlJeaU0nzwohsSIt7/bU81+lx3MBtR2DEjsTRTF4zJ760HFf4raFZGEeiS4
+j2e5Z02lVXw+5J3m8DJkjxyNtIwPGHJEKiquAd0CgYB7baWOzaW36iTZJ+EVF7Eq
+tSBBLpizBRliVbCXmhKkErXUM4+QjOih7f5Gyz6NPFEHO8oxsceN6CaaH8hRb2Qt
+X9r8WVyghxGc1KbAeTgi5WjDy3y83CarUgIiPspAIOindy7cShJV7ehn9JAl0r6z
+VUlue7irYNUPd/HRi4o2YQKBgHrPXHpMDwLNf6U8qJngACyoFmyaplqsM136nKRn
+I6fK0NIQgmtCih57U+Kk5S1y8hPGrcV4R6rgm86rOFmHAFQsHakbY0RTA6wCuknt
+HSfzq9P+pv4N2tyKdYYylk4jNhtso9EkSYbsiNz3sHfsx4K5FQ3YxWqSi7r4KZZ9
+wriRAoGBAK6huxSeKGqwh/w/QNmdMQPgJU2nso4ZAQZ0hrvhq0frwMRzfrdVktCB
+KfxwCasNgyg7faVoAPlzAiraNkRnPHGRYqnXs2qX0rf3KU1VT6974dU2j8tOhBQ9
+qr+nDCPe9thRzkGZcRNIQllznWVo0iwi+yXew0jxBPLhxIMVbx1c
 -----END RSA PRIVATE KEY-----

Vagrant/resources/splunk_server/macros.conf

@@ -0,0 +1,71 @@
+[sysmon]
+definition = index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
+iseval = 0
+
+[windows-app]
+definition = index=wineventlog source="WinEventLog:Application"
+iseval = 0
+
+[powershell]
+definition = index=powershell OR (index=wineventlog source="WinEventLog:Windows PowerShell" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational")
+iseval = 0
+
+[windows-security]
+definition = index=wineventlog source="WinEventLog:Security"
+iseval = 0
+
+[pan_threat]
+definition = index=pan_logs sourcetype="pan:threat"
+iseval = 0
+
+[domain]
+definition = WINDOMAIN
+iseval = 0
+
+[windows]
+definition = index=wineventlog source="WinEventLog:System" OR source="WinEventLog:Security"
+iseval = 0
+
+[windows-system]
+definition = index=wineventlog source="WinEventLog:System"
+iseval = 0
+
+[no-domain]
+definition = "WINDOMAIN\\*"
+iseval = 0
+
+[process_create_whitelist]
+definition = search NOT [| inputlookup threathunting_process_create_whitelist.csv | fields mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line hash_sha256]
+iseval = 0
+
+[network_whitelist]
+definition = search NOT [| inputlookup threathunting_network_whitelist.csv | fields mitre_technique_id host_fqdn user_name dst_ip	dst_port src_ip process_path]
+iseval = 0
+
+[process_access_whitelist]
+definition = search NOT [| inputlookup threathunting_process_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path target_process_path process_granted_access]
+iseval = 0
+
+[image_load_whitelist]
+definition = search NOT [| inputlookup threathunting_image_load_whitelist.csv | fields mitre_technique_id host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signatureStatus]
+iseval = 0
+
+[file_access_whitelist]
+definition = search NOT [| inputlookup threathunting_file_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path file_path]
+iseval = 0
+
+[registry_whitelist]
+definition = search NOT [| inputlookup threathunting_registry_whitelist.csv | fields mitre_technique_id host_fqdn event_type process_path registry_key_path registry_key_details]
+iseval = 0
+
+[pipe_created_whitelist]
+definition = search NOT [| inputlookup threathunting_pipe_created_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
+iseval = 0
+
+[wmi_whitelist]
+definition = search NOT [| inputlookup threathunting_wmi_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
+iseval = 0
+
+[remote_thread_whitelist]
+definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
+iseval = 0

Vagrant/scripts/install-sysinternals.ps1

@@ -41,11 +41,12 @@ Write-Host "Downloading Tcpview.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Tcpview.exe', $tcpviewPath)
 Copy-Item $sysmonPath $sysmonDir
 
-# Download SwiftOnSecurity's Sysmon config
-Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
-(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
-# Alternative: Download Olaf Hartongs Sysmon config (more CPU intensive)
-# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml, "$sysmonConfigPath"
+# Download Olaf Hartongs Sysmon config
+Write-Host "Downloading Olaf Hartong's Sysmon config..."
+(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml', "$sysmonConfigPath")
+# Alternative: Download SwiftOnSecurity's Sysmon config
+# Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
+# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
 
 # Start Sysmon
 Write-Host "Starting Sysmon..."

Vagrant/scripts/join-domain.ps1

@@ -27,3 +27,10 @@ If ($hostname -eq "wef") {
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
+
+# Stop Windows Update
+Write-Host "Disabling Windows Updates and Windows Module Services"
+Set-Service wuauserv -StartupType Disabled
+Stop-Service wuauserv
+Set-Service TrustedInstaller -StartupType Disabled
+Stop-Service TrustedInstaller