diff --git a/ESXi/README.md b/ESXi/README.md index 2fe6151..ca916a0 100644 --- a/ESXi/README.md +++ b/ESXi/README.md @@ -47,6 +47,21 @@ These commands can be run in parallel from three separate terminal sessions. If you run into any issues along the way, please open an issue on Github and I'll do my best to find a solution. +## Configuring Windows 10 with WSL as a Provisioning Host + +Note: Run the following commands as a root user or with sudo + +1. In Windows 10 install WSL (version 1 or 2) +2. Install Ubuntu 18.04 app from the Microsoft Store +3. Update repositories and upgrade the distro: apt update && upgrade +4. Ensure you will install the most recent Ansible version: apt-add-repository --yes --update ppa:ansible/ansible +5. Install the following packages: apt install python python-pip ansible unzip sshpass libffi-dev libssl-dev +6. Install PyWinRM using: pip install pywinrm +7. Install Terraform and Packer by downloading the 64-bit Linux binaries and moving them to /usr/local/bin +8. Install VMWare OVF tool by downloading 64-bit Linux binary from my.vmware.com and running it with "--eulas-agreed" option +9. Download the Linux binary for the Terraform ESXi Provider from https://github.com/josenk/terraform-provider-esxi/releases and move it to /usr/local/bin +10. From "DetectionLab/ESXi/ansible" directory, run: "ansible --version" and ensure that the config file used is "DetectionLab/ESXi/ansible/ansible.cfg". If not, implement the Ansible "world-writtable directory" fix by going to running: "chmod o-w ." from "DetectionLab/ESXi/ansible" directory. + ## Future work required * It probably makes sense to abstract all of the logic in `bootstrap.sh` into individual Ansible tasks * There's a lot of areas to make reliability improvements diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml index e141330..0650158 100644 --- a/ESXi/ansible/roles/logger/tasks/main.yml +++ b/ESXi/ansible/roles/logger/tasks/main.yml 
@@ -217,7 +217,7 @@ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme' - /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_143.tgz -auth 'admin:changeme' + /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_144.tgz -auth 'admin:changeme' ## Fix a bug with the ThreatHunting App (https://github.com/olafhartong/ThreatHunting/pull/57) mv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmonevencodes.csv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmoneventcodes.csv @@ -404,7 +404,9 @@ LATEST_VELOCIRAPTOR_LINUX_URL=$(curl -sL https://github.com/Velocidex/velociraptor/releases/latest | grep 'linux-amd64' | grep -Eo "/(?[^\"]+)" | grep amd | sed 's#^#https://github.com#g') echo "[$(date +%H:%M:%S)]: The URL for the latest release was extracted as $LATEST_VELOCIRAPTOR_LINUX_URL" echo "[$(date +%H:%M:%S)]: Attempting to download..." - wget -P /opt/velociraptor --progress=bar:force "$LATEST_VELOCIRAPTOR_LINUX_URL" + #wget -P /opt/velociraptor --progress=bar:force "$LATEST_VELOCIRAPTOR_LINUX_URL" + # Harcoding until the release after v0.4.7 + wget -P /opt/velociraptor --progress=bar:force "https://github.com/Velocidex/velociraptor/releases/download/v0.4.7/velociraptor-v0.4.7-1-linux-amd64" if [ "$(file /opt/velociraptor/velociraptor*linux-amd64 | grep -c 'ELF 64-bit LSB executable')" -eq 1 ]; then echo "[$(date +%H:%M:%S)]: Velociraptor successfully downloaded!" else diff --git a/ESXi/main.tf b/ESXi/main.tf index 1b0d673..442c586 100644 --- a/ESXi/main.tf +++ b/ESXi/main.tf 
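Review bot: The hard-coded Velociraptor download on the new `wget` line fetches an executable with no integrity check; the `file … | grep -c 'ELF 64-bit LSB executable'` test on the following line only confirms the format, not that the bytes are the published release. Now that the version is pinned to v0.4.7 the asset's checksum can be pinned as well in one line after the download, `echo "<SHA256_OF_RELEASE_ASSET>  /opt/velociraptor/velociraptor-v0.4.7-1-linux-amd64" | sha256sum -c - || exit 1` (placeholder hash, to be taken from the release page). The same hard-coded download is added to `install_velociraptor` in Vagrant/bootstrap.sh and needs the same check. The `LATEST_VELOCIRAPTOR_LINUX_URL` `curl` pipeline above still runs and logs a URL that is no longer used, so it should be dropped or commented out together with the old `wget`. The enclosing shell block starts and ends outside the hunk.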
@@ -30,8 +30,8 @@ resource "esxi_guest" "logger" { provisioner "remote-exec" { inline = [ - "sudo ifconfig up eth1 || echo 'eth1 up'", - "sudo ifconfig up eth2 || echo 'eth2 up'", + "sudo ifconfig eth1 up || echo 'eth1 up'", + "sudo ifconfig eth2 up || echo 'eth2 up'", "sudo route add default gw 192.168.76.1 || echo 'route exists'" ] diff --git a/README.md b/README.md index 4f4da35..5a1fc87 100644 --- a/README.md +++ b/README.md @@ -111,3 +111,30 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer] * [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) * [Hunting for Beacons](http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html) * [BadBlood](https://github.com/davidprowe/BadBlood) + +# DetectionLab Sponsors +#### Lated updated: 8/8/2020 +I would like to extend thanks to the following sponsors for funding DetectionLab development. If you are interested in becoming a sponsor, please visit the [sponsors page](https://github.com/sponsors/clong). + +### Diamond Sponsors: +* [Veramine](https://github.com/veramine) +* [Thinkst](https://github.com/ThinkstAppliedResearch) + +### Premium Sponsors: +* [CyDefUnicorn](https://github.com/CyDefUnicorn) +* [dlee35](https://github.com/dlee35) +* [chrissanders](https://github.com/chrissanders) +* [punchdrunktux](https://github.com/punchdrunktux) +* [jaredhaight](https://github.com/jaredhaight) +* [iamfuntime](https://github.com/iamfuntime) +* +1 private sponsor + +### Standard Sponsors: +* [dtonomy](https://github.com/dtonomy) +* [braimee](https://github.com/braimee) +* [iLoC0dez](https://github.com/iLoC0dez) +* [defensivedepth](https://github.com/defensivedepth) +* [elreydetoda](https://github.com/elreydetoda) +* [kafkaesqu3](https://github.com/kafkaesqu3) +* [anthonysecurity](https://github.com/anthonysecurity) +* +2 private sponsors \ No newline at end of file diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 2b61768..3601edb 100644 --- a/Vagrant/Vagrantfile 
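Review bot: The `|| echo 'eth1 up'` fallback on the two corrected `ifconfig` lines turns a failed interface bring-up into success, so a guest without eth1/eth2 would still proceed to the `route add` and later provisioning with a misleading "up" message. Bringing an already-up interface up is itself idempotent, so the fallback is not needed for re-runs; `"sudo ifconfig eth1 up"` and `"sudo ifconfig eth2 up"` without the `|| echo` let the remote-exec provisioner fail where the problem is. If the guest image has `iproute2`, `"sudo ip link set dev eth1 up"` is the non-deprecated form. The `esxi_guest.logger` resource starts and ends outside the hunk.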
+++ b/Vagrant/Vagrantfile @@ -188,7 +188,7 @@ Vagrant.configure("2") do |config| cfg.winrm.retry_limit = 20 cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102" - cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: true, args: "-ip 192.168.38.104 -dns 8.8.8.8 -gateway 192.168.38.1" + cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 8.8.8.8 -gateway 192.168.38.1" cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "reload" diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 96efbb9..1039269 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh 
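Review bot: The change to `privileged: false` for `fix-second-network.ps1` is not explained, and the script is passed `-ip`, `-dns` and `-gateway`, so it presumably reconfigures the guest adapter, which on Windows normally needs an administrative token. Whether that still works unelevated depends on the WinRM user being a local Administrator and on how Vagrant's non-elevated session handles UAC, so it is worth confirming on a fresh `vagrant up` that the second NIC is actually configured. A short comment above the provisioner recording why elevation was dropped, e.g. `# runs unelevated: <reason>`, would keep the next reader from reverting it. The other two provisioners in the hunk already use `privileged: false`, so the change is at least consistent. The enclosing `vm.define` block starts and ends outside the hunk.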
@@ -163,12 +163,7 @@ install_splunk() { /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme' - /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_143.tgz -auth 'admin:changeme' - - ## Fix a bug with the ThreatHunting App (https://github.com/olafhartong/ThreatHunting/pull/57) - mv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmonevencodes.csv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmoneventcodes.csv - sed -i 's/= sysmoneventcode /= sysmoneventcodes.csv /g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf - sed -i 's/sysmoneventcode.csv/sysmoneventcodes.csv/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf + /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_144.tgz -auth 'admin:changeme' # Install the Maxmind license key for the ASNgen App if [ -n "$MAXMIND_LICENSE" ]; then 
@@ -177,8 +172,17 @@ install_splunk() { sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf fi + # Replace the props.conf for Sysmon TA and Windows TA + # Removed all the 'rename = xmlwineventlog' directives + # I know youre not supposed to modify files in "default", + # but for some reason adding them to "local" wasnt working + cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf + cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf + # Add custom Macro definitions for ThreatHunting App cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf + # Fix props.conf in ThreatHunting App + sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf # Fix Windows TA macros mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local 
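Review bot: The new `sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g'` is not idempotent: its pattern is a prefix of its own replacement, so a second run of install_splunk rewrites the value to `ComputerNameName`. Anchoring the match fixes that, `sed -i 's/^EVAL-host_fqdn = Computer$/EVAL-host_fqdn = ComputerName/' /opt/splunk/etc/apps/ThreatHunting/default/props.conf` (assuming the line ends there; `Computer\b` also works with GNU sed). The two `cp` lines overwrite the TAs' `default/props.conf`, which the comment acknowledges, but it should also say that a TA upgrade silently restores the vendor file, e.g. `# NOTE: a TA upgrade overwrites this again; re-run or move the overrides to local/`. Neither `cp` checks that the target app directory exists, so a failed TA install above surfaces here instead of at its cause. install_splunk starts and ends outside the hunk.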
@@ -398,7 +402,9 @@ install_velociraptor() { LATEST_VELOCIRAPTOR_LINUX_URL=$(curl -sL https://github.com/Velocidex/velociraptor/releases/latest | grep 'linux-amd64' | grep -Eo "/(?[^\"]+)" | grep amd | sed 's#^#https://github.com#g') echo "[$(date +%H:%M:%S)]: The URL for the latest release was extracted as $LATEST_VELOCIRAPTOR_LINUX_URL" echo "[$(date +%H:%M:%S)]: Attempting to download..." - wget -P /opt/velociraptor --progress=bar:force "$LATEST_VELOCIRAPTOR_LINUX_URL" + #wget -P /opt/velociraptor --progress=bar:force "$LATEST_VELOCIRAPTOR_LINUX_URL" + # Harcoding until the release after v0.4.7 + wget -P /opt/velociraptor --progress=bar:force "https://github.com/Velocidex/velociraptor/releases/download/v0.4.7/velociraptor-v0.4.7-1-linux-amd64" if [ "$(file /opt/velociraptor/velociraptor*linux-amd64 | grep -c 'ELF 64-bit LSB executable')" -eq 1 ]; then echo "[$(date +%H:%M:%S)]: Velociraptor successfully downloaded!" else diff --git a/Vagrant/resources/splunk_forwarder/wef_inputs.conf b/Vagrant/resources/splunk_forwarder/wef_inputs.conf index 7690af9..0b6c195 100755 --- a/Vagrant/resources/splunk_forwarder/wef_inputs.conf +++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf @@ -323,7 +323,7 @@ current_only = 0 checkpointInterval = 5 [WinEventLog://WEC6-Sysmon] -sourcetype = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" +sourcetype = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational source = WinEventLog:Sysmon index=sysmon disabled = 0 diff --git a/Vagrant/resources/splunk_server/sysmon_ta_props.conf b/Vagrant/resources/splunk_server/sysmon_ta_props.conf new file mode 100644 index 0000000..0175611 --- /dev/null +++ b/Vagrant/resources/splunk_server/sysmon_ta_props.conf 
@@ -0,0 +1,67 @@
+##Below fields extractions have been moved from [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+#SEDCMD-pwd_rule1 = s/ -pw ([^\s\<])+/ -pw ***MASK***/g
+REPORT-sysmon = sysmon-eventid,sysmon-version,sysmon-level,sysmon-task,sysmon-opcode,sysmon-keywords,sysmon-created,sysmon-record,sysmon-correlation,sysmon-channel,sysmon-computer,sysmon-sid,sysmon-data,sysmon-md5,sysmon-sha1,sysmon-sha256,sysmon-imphash,sysmon-hashes,sysmon-filename,sysmon-registry,sysmon-dns-record-data,sysmon-dns-ip-data
+
+FIELDALIAS-src_ip = SourceIp AS src_ip
+FIELDALIAS-src_host = SourceHostname AS src_host
+EVAL-src = if(isnotnull(SourceHostname),SourceHostname,SourceIp)
+FIELDALIAS-src_port = SourcePort AS src_port
+FIELDALIAS-app = Image AS app
+FIELDALIAS-dest_ip = DestinationIp AS dest_ip
+FIELDALIAS-dest_host = DestinationHostname AS dest_host
+EVAL-dest = case(EventCode=="3" AND isnotnull(DestinationHostname),DestinationHostname,EventCode=="3",DestinationIp,EventCode=="1" OR EventCode == "11" OR EventCode == "12" OR EventCode == "13" OR EventCode == "14", Computer)
+FIELDALIAS-dest_port = DestinationPort AS dest_port
+EVAL-direction = if(Initiated=="true","outbound","inbound")
+FIELDALIAS-dvc = Computer AS dvc
+FIELDALIAS-transport = Protocol AS transport
+EVAL-protocol = if(Initiated=="true",DestinationPortName,SourcePortName)
+FIELDALIAS-session_id = ProcessGuid AS session_id
+EVAL-vendor_product = "Microsoft Sysmon"
+FIELDALIAS-cmdline = CommandLine AS cmdline
+
+#Common fieldnames for Registry, Process, FileSystem Node in Endpoint Datamodel
+EVAL-action = case(EventCode=="1","allowed",EventCode=="12" AND EventType=="CreateKey","created",EventCode=="12" AND (EventType=="DeleteKey" OR EventType=="DeleteValue") ,"deleted",EventCode=="13" AND EventType=="SetValue","modified",EventCode=="11" AND EventDescription=="File Created","created")
+
+#Ports Node
+EVAL-creation_time = case(EventCode=="3",UtcTime)
+EVAL-state = case(EventCode=="3", "listening")
+
+#Processes Node
+EVAL-parent_process_exec = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18", replace(ParentImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
+FIELDALIAS-parent_process_id = ParentProcessId AS parent_process_id
+FIELDALIAS-parent_process_guid = ParentProcessGuid AS parent_process_guid
+FIELDALIAS-parent_process_path = ParentImage AS parent_process_path
+FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory
+EVAL-process_exec = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18" OR EventCode="22", replace(Image,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(SourceImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
+FIELDALIAS-process_hash = Hashes AS process_hash
+FIELDALIAS-process_guid = ProcessGuid AS process_guid
+FIELDALIAS-process_id = ProcessId AS process_id
+FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level
+FIELDALIAS-process_path = Image AS process_path
+FIELDALIAS-user_id = UserID AS user_id
+REPORT-user_for_sysmon = User_as_user
+FIELDALIAS-parent_process = ParentCommandLine AS parent_process
+EVAL-parent_process_name = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18", replace(ParentImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
+FIELDALIAS-process = CommandLine AS process
+EVAL-process_name = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18" OR EventCode="22", replace(Image,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(SourceImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
+
+#Filesystem Node
+FIELDALIAS-file_path = TargetFilename AS file_path
+FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time
+
+#Fields for ChangeAnalysis DM (old field names)
+EVAL-object_category = case(EventCode=="11" OR EventCode=="2", "file", EventCode=="12" OR EventCode=="13" OR EventCode="14", "registry", EventCode=="19" OR EventCode=="20" OR EventCode="21", "wmi")
+EVAL-object_path = case(EventCode=="12" OR EventCode=="13", TargetObject, EventCode=="14", NewName)
+LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
+FIELDALIAS-signature_id = EventCode AS signature_id
+FIELDALIAS-eventid = EventCode AS EventID
+
+#Registry Node
+EVAL-registry_path = case(EventCode=="12" OR EventCode=="13" OR EventCode=="14", TargetObject)
+EVAL-registry_value_name = case(EventCode=="13", Details)
+EVAL-registry_key_name = case(EventCode=="12" OR EventCode=="13" OR EventCode=="14",replace(TargetObject,".+\\\\",""))
+
+#DNS Node
+FIELDALIAS-query = QueryName AS query
+FIELDALIAS-replycode = QueryStatus AS reply_code_id
\ No newline at end of file
diff --git a/Vagrant/resources/splunk_server/threathunting_143.tgz b/Vagrant/resources/splunk_server/threathunting_143.tgz
deleted file mode 100644
index 304e163..0000000
Binary files a/Vagrant/resources/splunk_server/threathunting_143.tgz and /dev/null differ
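Review bot: The commented-out `#SEDCMD-pwd_rule1` at the top of the stanza leaves the `-pw` command-line masking disabled, so any credential passed that way in a Sysmon process-creation event is indexed and searchable in clear text. For a detection lab that is very likely deliberate, since full command lines are what the detections need, but it deserves a one-line comment so it is not "fixed" later, e.g. `# masking left disabled on purpose: lab data, full command lines wanted`. Separately, `EVAL-process_exec`, `EVAL-process_name` and `EVAL-object_category` mix `EventCode="22"`, `EventCode="14"` and `EventCode="21"` (single `=`) with `==` everywhere else; Splunk eval appears to accept both as a comparison, but the mix reads like a typo and should be normalised to `==`. The file also ends without a trailing newline.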
diff --git a/Vagrant/resources/splunk_server/threathunting_144.tgz b/Vagrant/resources/splunk_server/threathunting_144.tgz
new file mode 100644
index 0000000..c2035c0
Binary files /dev/null and b/Vagrant/resources/splunk_server/threathunting_144.tgz differ
diff --git a/Vagrant/resources/splunk_server/windows_ta_props.conf b/Vagrant/resources/splunk_server/windows_ta_props.conf
new file mode 100644
index 0000000..7a66913
--- /dev/null
+++ b/Vagrant/resources/splunk_server/windows_ta_props.conf
@@ -0,0 +1,1495 @@ +# Copyright (C) 2019 Splunk Inc. All Rights Reserved. +# DO NOT EDIT THIS FILE! +# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. +# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default +# into ../local and edit there. +# +########################### +## Active Directory +########################### + +[ActiveDirectory] +LOOKUP-user_account_control_property = user_account_control_property userAccountControl OUTPUT userAccountPropertyFlag + + +########################### +## DHCP +########################### + +[DhcpSrvLog] +SHOULD_LINEMERGE = false +EVENT_BREAKER_ENABLE = true +TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers +REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp +LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature +FIELDALIAS-windows-dhcp = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" +EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":"))) +EVAL-dest = coalesce(nt_host, ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":")))) + +########################### +## Splunk Windows Event Log +########################### + +## Host override for WinEventLog events collected using WEF +[host::WinEventLogForwardHost] +TRANSFORMS-change_host_for_windows_wef = WinEventHostOverride +TRANSFORMS-change_xml_host_for_windows_wef = WinEventXmlHostOverride + +## consistent sourcetypes for common extractions XmlWinEventLog or WinEventLog +## format source using sourcetype value, so we know whether its XML or not +## this stanza will ensure the new extractions are backwards compatible; we will know what to do regardless of what source/sourcetype +## the mod input sets and 
new sources will be accommodated as well +[(?::){0}WinEventLog:*] +TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype + +[(?::){0}XmlWinEventLog:*] +TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype + + +## Fields common to all WinEventLogs +[WinEventLog] +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows + +## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + +[XmlWinEventLog] +KV_MODE = none +REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block +REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data + +REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber +REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode +REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status + +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result 
+FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows + +## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + + +##Below fields extractions have been moved from [source::WinEventLog:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] 
and [source::*:System] +## windows system sub-sourcetyping +[source::WinEventLog:System] +TRANSFORMS-force_source_system_ias_for_wineventlog = force_source_system_ias_for_wineventlog + +REPORT-bestmatch_for_windows_system = ComputerName_as_dest +REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update +REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2 +REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog +LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status +REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user +FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +# Legacy field aliases to support ES 2.0.2, Winfra +FIELDALIAS-package_for_windows = signature_id AS package +FIELDALIAS-package_title_for_windows = signature AS package_title + + +## Below Extractions are for XmlWinEventLog:System and have been kept for backward compatibility +# Extractions to add fields used by generic system extraction +REPORT-signature_message_from_xml = updatelist_from_user_data +REPORT-signature_from_xml = updatetitle_from_user_data +FIELDALIAS-updateTitle_as_signature = updateTitle AS signature + +FIELDALIAS-Status_as_Error_Code = Status AS Error_Code +EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code) +# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status +# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status + 
+REPORT-bestmatch_for_windows_system_xml = Computer_as_dest + + +## Below Extractions are for WinEventLog:System:IAS and have been kept for backward compatibility +REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias + +EVAL-app = if(SourceName="IAS","ias",null()) + + +##### Explanation for SEDCMD Extractions ##### +## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing + + +##### SEDCMD Extractions ##### +#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g + +## Apply the following properties to all WinEventLog events +## In addition to WinEventLog properties located in $SPLUNK_HOME/etc/system/default/props.conf +[source::(WMI:WinEventLog|WinEventLog)...] + +## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence +REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv +REPORT-MESSAGE = + +########################### +## Windows XML Event Log +########################### +##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] 
+[source::XmlWinEventLog:System] + +# Extractions to add fields used by generic system extraction +REPORT-signature_message_from_xml = updatelist_from_user_data +REPORT-signature_from_xml = updatetitle_from_user_data +FIELDALIAS-updateTitle_as_signature = updateTitle AS signature + +FIELDALIAS-Status_as_Error_Code = Status AS Error_Code +EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code) +# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status +# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status + + +REPORT-bestmatch_for_windows_system_xml = Computer_as_dest +REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update +REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2 +REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog +LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status +REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user +EVAL-body = coalesce('signature_message','Message') + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +# Legacy field aliases to support ES 2.0.2, Winfra +FIELDALIAS-package_title_for_windows = signature AS package_title +FIELDALIAS-package_for_windows = signature_id AS package + +##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:Security], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] 
+[source::XmlWinEventLog:Security] + +## privilege +REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege + +# Extractions to add fields used by generic security extraction +REPORT-Source_Port_from_xml = IpPort_as_Source_Port +REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type +REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name +REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type +REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID +REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain +REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain +REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name +REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name +REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation + +FIELDALIAS-Status_as_Error_Code = Status AS Error_Code +FIELDALIAS-Target_User_Name_as_Group_Name = TargetUserName AS Group_Name +FIELDALIAS-Target_Domain_as_Group_Domain = TargetDomainName AS Group_Domain +EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code) +# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status +# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status + +## action, status +## Override action to allow audit log changes to correspond to Change Analysis data model +LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category +LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status 
+LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
+
+## auditing
+FIELDALIAS-object_for_windows_security = sourcetype AS object
+
+## privilege
+REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
+REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
+LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
+
+FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
+REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+FIELDALIAS-body_for_windows_security = Message AS body
+FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status
+EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
+
+## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
+LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
+LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
+LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
+LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
+LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
+
+## Set the following fields based on order of operations
+REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
+REPORT-dest_for_windows_security = Target_Server_Name_as_dest,Computer_as_dest
+REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
+REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
+REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
+REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
+REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
+REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
+REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
+REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
+EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name)
+REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
+REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
+REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
+REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
+REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
+LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
+EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
+
+LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
+
+##Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
+LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
+
+EXTRACT-dest_port_for_windows_security_from_xml = (?[^<]+)<\/Data>
+EXTRACT-object_attrs_for_windows_security_from_xml = (?[^<]+)<\/Data>
+EXTRACT-1IpAddress_for_windows_security_from_xml =\(?!\:\:1)(?!127\.0\.0\.1)(?[^\<]+)\<\/Data\>
+EXTRACT-process_for_windows_security_from_xml = (?[^<]+)<\/Data>
+EXTRACT-process_id_for_windows_security_from_xml = \S+).*?(?:(?:\r*\n){2})
+EXTRACT-object_attrs_for_windows_security = Rule Name:\s+(?[^$]+)$
+EXTRACT-process_for_windows_security = (?s)Application Information:.*?Process Name:\s+(?\S+).*?(?:(?:\r*\n){2})
+EXTRACT-0process_id_for_windows_security = (?s)Application Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2})
+EXTRACT-process_id_for_windows_security = (?s)Process Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2})
+EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Security ID:\s*(?.*)\\(?[^(?:\n|\r)]+)
+
+## Below Extractions are for XmlWinEventLog:Security and have been kept for backward compatibility
+## privilege
+REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege
+
+# Extractions to add fields used by generic security extraction
+REPORT-Source_Port_from_xml = IpPort_as_Source_Port
+REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
+REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
+REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
+REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
+REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
+REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
+REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
+REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
+REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
+
+FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
+EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)
+# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
+# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
+LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
+
+
+REPORT-dest_for_windows_xml_security = Target_Server_Name_as_dest,Computer_as_dest
+
+EXTRACT-dest_port_for_windows_security_from_xml = (?[^<]+)<\/Data>
+EXTRACT-object_attrs_for_windows_security_from_xml = (?[^<]+)<\/Data>
+EXTRACT-1IpAddress_for_windows_security_from_xml =\(?!\:\:1)(?!127\.0\.0\.1)(?[^\<]+)\<\/Data\>
+EXTRACT-process_for_windows_security_from_xml = (?[^<]+)<\/Data>
+EXTRACT-process_id_for_windows_security_from_xml = 0<\/Data> to <\/Data> in XmlWinEventLog:Security
+## cleanxmlsrcip: This will replace all values like ::1<\/Data> or 127.0.0.1<\/Data> to <\/Data> in XmlWinEventLog:Security
+
+
+##### SEDCMD Extractions #####
+#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
+#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
+#SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
+#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
+#SEDCMD-remove_ffff = s/::ffff://g
+#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
+#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
+#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
+
+## For XmlWinEventLog:Security
+#SEDCMD-cleanxmlsrcport = s/0<\/Data>/<\/Data>/
+#SEDCMD-cleanxmlsrcip = s/(\:\:1|127\.0\.0\.1)<\/Data>/<\/Data>/
+
+
+## IAS (Currently WinEventLog Support Only)
+[source::WinEventLog:System:IAS]
+REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
+
+EVAL-app = "ias"
+
+
+[source::WinEventLog:ForwardedEvents]
+##### Explanation for SEDCMD Extractions #####
+## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues
+## cleanxmlsrcport: This will replace all values like 0<\/Data> to <\/Data> in XmlWinEventLog:Security
+## cleanxmlsrcip: This will replace all values like ::1<\/Data> or 127.0.0.1<\/Data> to <\/Data> in XmlWinEventLog:Security
+## clean_rendering_info_block: This will eliminate the entire extra block from all the events that indexes when using WEF before indexing
+
+
+##### SEDCMD Extractions #####
+#SEDCMD-remove_ffff = s/::ffff://g
+#SEDCMD-cleansrcipxml = s/(\:\:1|127\.0\.0\.1)<\/Data>/<\/Data>/
+#SEDCMD-cleansrcportxml=s/0<\/Data>/<\/Data>/
+#SEDCMD-clean_rendering_info_block = s/(?s)(.*)<\/RenderingInfo>//
+
+
+###### WindowsUpdateLog ######
+[source::...WindowsUpdate.Log]
+sourcetype = WindowsUpdateLog
+
+[WindowsUpdateLog]
+SHOULD_LINEMERGE = false
+EVENT_BREAKER_ENABLE = true
+FIELDALIAS-dest_for_windowsupdatelog = host AS dest
+REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
+REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
+REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
+REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
+LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+FIELDALIAS-process_id_for_windowsupdatelog = pid as process_id
+
+# Legacy field aliases to support ES 2.0.2, Winfra
+FIELDALIAS-package_for_windows = signature_id AS package
+FIELDALIAS-package_title_for_windows = signature AS package_title
+
+#####################
+## Endpoint Changes
+#####################
+## fs_notification endpoint changes
+## Required fields: action,dest,object,object_category,object_path,status,user
+## Optional fields: object_id,object_attrs,user_type,msg,data,severity
+[fs_notification]
+REPORT-object_object_path_for_fs_notification = object_object_path_for_fs_notification
+REPORT-vendor_object_category_for_fs_notification = vendor_object_category_for_fs_notification
+
+FIELDALIAS-vendor_action_for_fs_notification = action AS vendor_action
+FIELDALIAS-dest_for_fs_notification = host AS dest
+FIELDALIAS-user_for_fs_notification = uid AS user
+FIELDALIAS-object_attrs_for_fs_notification = chgs AS object_attrs
+
+# Field aliases for conformance to Change_Analysis::Filesystem_Changes object
+FIELDALIAS-file_acl_for_fs_notification = mode AS file_acl
+FIELDALIAS-file_hash_for_fs_notification = hash AS file_hash
+EVAL-file_modify_time = strptime(modtime, "%a %b %d %H:%M:%S %Y")
+FIELDALIAS-file_name_for_fs_notification = object AS file_name
+FIELDALIAS-file_path_for_fs_notification = object_path AS file_path
+FIELDALIAS-file_size_for_fs_notification = size AS file_size
+
+# Legacy change_type lookup to support ES 2.0.2
+LOOKUP-change_type_for_fs_notification = fs_notification_change_type_lookup sourcetype OUTPUTNEW change_type
+LOOKUP-action_for_fs_notification = endpoint_change_vendor_action_lookup vendor_action OUTPUT action
+LOOKUP-object_category_for_fs_notification = endpoint_change_object_category_lookup object AS vendor_object_category OUTPUT object_category
+# Any fs_notification event indicates a successful change; vendor_status in the lookup is overloaded to accommodate this.
+LOOKUP-object_status_for_fs_notification = endpoint_change_status_lookup vendor_status AS sourcetype OUTPUTNEW status
+
+[WinRegistry]
+
+## Registry Extractions
+
+## registry_path, registry_key_name, registry_value_name
+REPORT-registry_path_parser = registry_key_for_WinRegistry,registry_key-registry_value_for_WinRegistry
+REPORT-registry_value_data = registry_value_data_for_WinRegistry
+FIELDALIAS-registry_value_type = data_type AS registry_value_type
+
+## Endpoint Change Extractions
+## Required fields: action,dest,object,object_category,object_path,status,user
+## Optional fields: object_id,object_attrs,user_type,msg,data,severity
+FIELDALIAS-vendor_action_for_WinRegistry = registry_type AS vendor_action
+LOOKUP-action_for_WinRegistry = endpoint_change_vendor_action_lookup vendor_action OUTPUT action
+FIELDALIAS-dest_for_WinRegistry = host AS dest
+REPORT-object_for_WinRegistry = object_as_registry_key_for_WinRegistry,object_as_registry_value_for_WinRegistry
+LOOKUP-object_category_for_WinRegistry = endpoint_change_object_category_lookup object as sourcetype OUTPUT object_category
+REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry
+LOOKUP-status_for_WinRegistry = endpoint_change_status_lookup vendor_status OUTPUT status
+REPORT-user_for_WinRegistry = user_for_WinRegistry
+LOOKUP-user_type_for_WinRegistry = endpoint_change_user_type_lookup sourcetype OUTPUT user_type
+
+
+#####################
+## Splunk Perfmon/WMI
+#####################
+
+## Apply the following properties to all WMI events
+[source::WMI...]
+## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
+REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
+REPORT-MESSAGE =
+
+[wmi]
+LINE_BREAKER = ([\r\n]---splunk-wmi-end-of-event---[\r\n]+)
+## Override default TRANSFORMS-FIELDS with TRANSFORMS-0FIELDS to force alphanumeric precedence
+## Override default wmi-host, wmi-source, wmi-sourcetype with the following transforms to strip "WinEventLog"
+TRANSFORMS-0FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype
+TRANSFORMS-FIELDS =
+
+###### ComputerSystem ######
+[WMI:ComputerSystem]
+FIELDALIAS-mem_for_wmi_computersystem = TotalPhysicalMemory AS mem
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+
+[Perfmon:Processor]
+EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
+EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
+FIELDALIAS-cpu_instance = instance AS cpu_instance
+EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:Processor]
+FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent
+EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null())
+FIELDALIAS-cpu_instance = instance AS cpu_instance
+FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:Network_Interface]
+EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
+EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
+EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
+EVAL-packets = if(counter=="Packets/sec",Value,null())
+EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
+EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
+EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
+EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:Network_Interface]
+FIELDALIAS-bytes = Bytes_Total/sec as bytes
+FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in
+FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out
+FIELDALIAS-packets = Packets/sec as packets
+FIELDALIAS-packets_in = Packets_Received/sec as packets_in
+FIELDALIAS-packets_out = Packets_Sent/sec as packets_out
+FIELDALIAS-thruput = Bytes_Total/sec as thruput
+FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:DFS_Replicated_Folders]
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[Perfmon:NTDS]
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[Perfmon:DNS]
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[Perfmon:CPU]
+EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
+EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
+FIELDALIAS-cpu_instance = instance AS cpu_instance
+EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:CPU]
+FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent
+EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null())
+FIELDALIAS-cpu_instance = instance AS cpu_instance
+FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:System]
+EVAL-wait_threads_count = if(counter=="Processor Queue Length",Value,null())
+EVAL-system_threads_count = if(counter=="Threads",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:System]
+FIELDALIAS-wait_threads_count = Processor_Queue_Length as wait_threads_count
+FIELDALIAS-system_threads_count = Threads as system_threads_count
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:ProcessorInformation]
+SEDCMD-instance_replace_for_perfmon_processorInformation = y/,/_/
+EVAL-cpu_load_mhz = if(counter=="Processor Frequency" AND instance=="_Total",Value,null())
+EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:ProcessorInformation]
+EVAL-cpu_load_mhz = if(instance=="_Total", 'Processor_Frequency', null())
+EVAL-cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null())
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[WMI:CPUTime]
+REPORT-report_field_extract_wmi_cputime_anomalous = field_extract_wmi_cputime_anomalous
+
+FIELDALIAS-cpu_load_percent = PercentProcessorTime AS cpu_load_percent
+FIELDALIAS-cpu_user_percent = PercentUserTime AS cpu_user_percent
+FIELDALIAS-cpu_instance = Name AS cpu_instance
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Disk ######
+[Perfmon:LogicalDisk]
+EVAL-mount = if(instance=="_Total", null(), instance)
+# Keeping this field in ms
+EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())
+EVAL-read_latency = if(counter=="Avg. Disk sec/Read",Value,null())
+EVAL-write_latency = if(counter=="Avg. Disk sec/Write",Value,null())
+EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
+EVAL-read_ops = if(counter=="Disk Reads/sec",Value,null())
+EVAL-write_ops = if(counter=="Disk Writes/sec",Value,null())
+EVAL-total_ops = if(counter=="Disk Transfers/sec",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:LogicalDisk]
+EVAL-mount = if(instance=="_Total", null(), instance)
+# Keeping this field in ms
+EVAL-latency = 'Avg._Disk_sec/Transfer' * 1000
+FIELDALIAS-read_latency = Avg._Disk_sec/Read as read_latency
+FIELDALIAS-write_latency = Avg._Disk_sec/Write as write_latency
+FIELDALIAS-storage_free_percent = %_Free_Space as storage_free_percent
+FIELDALIAS-read_ops = Disk_Reads/sec as read_ops
+FIELDALIAS-write_ops = Disk_Writes/sec as write_ops
+FIELDALIAS-total_ops = Disk_Transfers/sec as total_ops
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:PhysicalDisk]
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:PhysicalDisk]
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[WMI:FreeDiskSpace]
+REPORT-report_field_extract_wmi_freediskspace_anomalous = field_extract_wmi_freediskspace_anomalous
+
+FIELDALIAS-mount_for_wmi_freediskspace = Name AS mount
+EVAL-storage = if(isnotnull(FreeMBytes) AND isnotnull(PercentFreeSpace),(FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)),null())
+EVAL-storage_free = if(isnotnull(FreeMegabytes),FreeMegabytes*1048576,null())
+FIELDALIAS-storage_free_percent = PercentFreeSpace AS storage_free_percent
+EVAL-storage_used = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace),((FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)))-FreeMegabytes,null())
+EVAL-storage_used_percent = if(isnotnull(PercentFreeSpace),100-PercentFreeSpace,null())
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+
+[WMI:LogicalDisk]
+FIELDALIAS-for_wmi_latency = AvgDisksecPerTransfer AS latency
+FIELDALIAS-for_wmi_read_latency = AvgDisksecPerRead AS read_latency
+FIELDALIAS-for_wmi_write_latency = AvgDisksecPerWrite AS write_latency
+FIELDALIAS-for_wmi_read_ops = DiskReadsPersec AS read_ops
+FIELDALIAS-for_wmi_write_ops = DiskWritesPersec AS write_ops
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+[WMI:LocalPhysicalDisk]
+REPORT-report_field_extract_name = field_extract_wmi_localphysicaldisk_name
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Network ######
+[WMI:LocalNetwork]
+FIELDALIAS-bytestotalpersec_as_thruput = BytesTotalPersec AS thruput
+FIELDALIAS-currentbandwidth_as_thruput_max = CurrentBandwidth AS thruput_max
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Process ######
+[Perfmon:Process]
+EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
+EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
+EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:Process]
+EVAL-process_name = if(instance!="_Total" AND instance!="Idle", instance,null())
+EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle", '%_Processor_Time', null())
+EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+###### Installed Apps ######
+[Script:InstalledApps]
+SHOULD_LINEMERGE = false
+TRUNCATE = 0
+LINE_BREAKER = ([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{1,2}:\d{2}:\d{2}.\d{3}
+
+KV_MODE = none
+
+REPORT-AuthorizedCDFPrefix_for_win_installed_apps = AuthorizedCDFPrefix_for_win_installed_apps
+REPORT-Comments_for_win_installed_apps = Comments_for_win_installed_apps
+REPORT-Contact_for_win_installed_apps = Contact_for_win_installed_apps
+REPORT-DisplayVersion_for_win_installed_apps = DisplayVersion_for_win_installed_apps
+REPORT-HelpLink_for_win_installed_apps = HelpLink_for_win_installed_apps
+REPORT-HelpTelephone_for_win_installed_apps = HelpTelephone_for_win_installed_apps
+REPORT-InstallDate_for_win_installed_apps = InstallDate_for_win_installed_apps
+REPORT-InstallLocation_for_win_installed_apps = InstallLocation_for_win_installed_apps
+REPORT-InstallSource_for_win_installed_apps = InstallSource_for_win_installed_apps
+REPORT-ModifyPath_for_win_installed_apps = ModifyPath_for_win_installed_apps
+REPORT-NoModify_for_win_installed_apps = NoModify_for_win_installed_apps
+REPORT-NoRepair_for_win_installed_apps = NoRepair_for_win_installed_apps
+REPORT-Publisher_for_win_installed_apps = Publisher_for_win_installed_apps
+REPORT-Readme_for_win_installed_apps = Readme_for_win_installed_apps
+REPORT-Size_for_win_installed_apps = Size_for_win_installed_apps
+REPORT-EstimatedSize_for_win_installed_apps = EstimatedSize_for_win_installed_apps
+REPORT-UninstallString_for_win_installed_apps = UninstallString_for_win_installed_apps
+REPORT-URLInfoAbout_for_win_installed_apps = URLInfoAbout_for_win_installed_apps
+REPORT-URLUpdateInfo_for_win_installed_apps = URLUpdateInfo_for_win_installed_apps
+REPORT-VersionMajor_for_win_installed_apps = VersionMajor_for_win_installed_apps
+REPORT-VersionMinor_for_win_installed_apps = VersionMinor_for_win_installed_apps
+REPORT-WindowsInstaller_for_win_installed_apps = WindowsInstaller_for_win_installed_apps
+REPORT-Version_for_win_installed_apps = Version_for_win_installed_apps
+REPORT-Language_for_win_installed_apps = Language_for_win_installed_apps
+REPORT-DisplayName_for_win_installed_apps = DisplayName_for_win_installed_apps
+
+###### Installed Updates ######
+[WMI:InstalledUpdates]
+REPORT-00Description_for_installedupdates = Description_for_installedupdates
+FIELDALIAS-signature_id_for_installedupdates = HotFixID AS signature_id
+EVAL-signature = case(isnotnull(Description) AND isnotnull(HotFixID),Description." (".HotFixID.")",isnotnull(Description),Description,isnotnull(HotFixID),HotFixID,1=1,null())
+LOOKUP-status_for_installedupdates = windows_update_status_lookup sourcetype OUTPUTNEW status
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Listening Ports ######
+[Script:ListeningPorts]
+SHOULD_LINEMERGE = false
+
+KV_MODE = None
+REPORT-0dest_ip_for_listeningports = dest_ip_for_listeningports
+REPORT-1kv_for_listeningports = kv_for_listeningports
+FIELDALIAS-dest_for_listeningports = dest_ip AS dest
+FIELDALIAS-process_id_for_listeningports = pid AS process_id
+
+###### Local Processes ######
+[WMI:LocalProcesses]
+REPORT-rep_field_extract_wmi_localprocesses_anomalous = field_extract_wmi_localprocesses_anomalous
+
+FIELDALIAS-cpu_load_percent_for_wmi_localprocesses = PercentProcessorTime AS cpu_load_percent
+FIELDALIAS-mem_used_for_wmi_localprocesses = PrivateBytes AS UsedBytes
+FIELDALIAS-process_for_wmi_localprocesses = Name AS app,Name AS process
+FIELDALIAS-process_id_for_wmi_localprocesses = IDProcess AS process_id
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Memory ######
+## Used memory unavailable in Perfmon Memory object and WMI Win32_PerfFormattedData_PerfOS_Memory
+## Total memory available in WMI:ComputerSystem
+[Perfmon:Memory]
+EVAL-mem_committed = if(counter=="Committed Bytes",Value,null())
+EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
+EVAL-swap_free = if(counter=="Pool Nonpaged Bytes",Value,null())
+EVAL-swap_used = if(counter=="Pool Paged Bytes",Value,null())
+EVAL-mem_page_ops = if(counter=="Pages/sec",Value,null())
+EVAL-mem_page_in = if(counter=="Pages Input/sec",Value,null())
+EVAL-mem_page_out = if(counter=="Pages Output/sec",Value,null())
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:Memory]
+FIELDALIAS-mem_committed = Committed_Bytes as mem_committed
+FIELDALIAS-mem_free = Available_MBytes as mem_free
+FIELDALIAS-swap_free = Pool_Nonpaged_Bytes as swap_free
+FIELDALIAS-swap_used = Pool_Paged_Bytes as swap_used
+FIELDALIAS-mem_page_ops = Pages/sec as mem_page_ops
+EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+FIELDALIAS-windows_mem_free = Available_MBytes as windows_mem_free
+
+FIELDALIAS-mem_page_in = Pages_Input/sec as mem_page_in
+FIELDALIAS-mem_page_out = Pages_Output/sec as mem_page_out
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:Network]
+EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
+EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
+EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
+EVAL-packets = if(counter=="Packets/sec",Value,null())
+EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
+EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
+EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
+EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:Network]
+FIELDALIAS-bytes = Bytes_Total/sec as bytes
+FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in
+FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out
+FIELDALIAS-packets = Packets/sec as packets
+FIELDALIAS-packets_in = Packets_Received/sec as packets_in
+FIELDALIAS-packets_out = Packets_Sent/sec as packets_out
+FIELDALIAS-thruput = Bytes_Total/sec as thruput
+FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[WMI:Memory]
+REPORT-report_field_extract_wmi_memory_anomalous = field_extract_wmi_memory_anomalous
+
+FIELDALIAS-mem_committed_for_wmi_memory = CommittedBytes AS mem_committed
+FIELDALIAS-swap_free = PoolNonpagedBytes AS swap_free
+FIELDALIAS-swap_used = PoolPagedBytes AS swap_used
+EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
+FIELDALIAS-mem_page_in = PagesInputPersec AS mem_page_in
+FIELDALIAS-mem_page_out = PagesOutputPersec AS mem_page_out
+FIELDALIAS-mem_page_ops = PagesPersec AS mem_page_ops
+
+
+EVAL-mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Service ######
+[WMI:Service]
+REPORT-report_field_extract_wmi_service_state_anomalous = field_extract_wmi_service_state_anomalous
+REPORT-report_field_extract_wmi_service_state_full = field_extract_wmi_service_caption_description_pathname
+
+FIELDALIAS-file_path_for_wmi_service = PathName AS file_path
+FIELDALIAS-service_for_wmi_service = Name AS app,Name AS service
+FIELDALIAS-start_mode_for_wmi_service = StartMode AS start_mode
+FIELDALIAS-status_for_wmi_service = State AS status
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Time Configuration ######
+[Script:TimesyncConfiguration]
+DATETIME_CONFIG = CURRENT
+LINE_BREAKER = ([\r\n]+)Current time:
+
+KV_MODE = None
+
+REPORT-Current_time_for_win_timesync_configuration = Current_time_for_win_timesync
+REPORT-EventLogFlags_for_win_timesync_configuration = EventLogFlags_for_win_timesync_configuration
+REPORT-AnnounceFlags_for_win_timesync_configuration = AnnounceFlags_for_win_timesync_configuration
+REPORT-TimeJumpAuditOffset_for_win_timesync_configuration = TimeJumpAuditOffset_for_win_timesync_configuration
+REPORT-MinPollInterval_for_win_timesync_configuration = MinPollInterval_for_win_timesync_configuration
+REPORT-MaxPollInterval_for_win_timesync_configuration = MaxPollInterval_for_win_timesync_configuration
+REPORT-MaxNegPhaseCorrection_for_win_timesync_configuration = MaxNegPhaseCorrection_for_win_timesync_configuration
+REPORT-MaxPosPhaseCorrection_for_win_timesync_configuration = MaxPosPhaseCorrection_for_win_timesync_configuration
+REPORT-MaxAllowedPhaseOffset_for_win_timesync_configuration = MaxAllowedPhaseOffset_for_win_timesync_configuration
+REPORT-FrequencyCorrectRate_for_win_timesync_configuration = FrequencyCorrectRate_for_win_timesync_configuration
+REPORT-PollAdjustFactor_for_win_timesync_configuration = PollAdjustFactor_for_win_timesync_configuration
+REPORT-LargePhaseOffset_for_win_timesync_configuration = LargePhaseOffset_for_win_timesync_configuration
+REPORT-SpikeWatchPeriod_for_win_timesync_configuration = SpikeWatchPeriod_for_win_timesync_configuration
+REPORT-LocalClockDispersion_for_win_timesync_configuration = LocalClockDispersion_for_win_timesync_configuration
+REPORT-HoldPeriod_for_win_timesync_configuration = HoldPeriod_for_win_timesync_configuration
+REPORT-PhaseCorrectRate_for_win_timesync_configuration = PhaseCorrectRate_for_win_timesync_configuration
+REPORT-UpdateInterval_for_win_timesync_configuration = UpdateInterval_for_win_timesync_configuration
+REPORT-FileLogName_for_win_timesync_configuration = FileLogName_for_win_timesync_configuration
+REPORT-FileLogEntries_for_win_timesync_configuration = FileLogEntries_for_win_timesync_configuration
+REPORT-FileLogSize_for_win_timesync_configuration = FileLogSize_for_win_timesync_configuration
+REPORT-FileLogFlags_for_win_timesync_configuration = FileLogFlags_for_win_timesync_configuration
+REPORT-Time_zone_for_win_timesync_configuration = Time_zone_for_win_timesync
+
+###### Time Synchronization ######
+[Script:TimesyncStatus]
+DATETIME_CONFIG = CURRENT
+LINE_BREAKER = ([\r\n]+)Current time:
+
+KV_MODE = None
+
+REPORT-Current_time_for_win_timesync_status = Current_time_for_win_timesync
+REPORT-Leap_Indicator_for_win_timesync_status = Leap_Indicator_for_win_timesync_status
+REPORT-Stratum_for_win_timesync_status = Stratum_for_win_timesync_status
+REPORT-Precision_for_win_timesync_status = Precision_for_win_timesync_status
+REPORT-Root_Delay_for_win_timesync_status = Root_Delay_for_win_timesync_status
+REPORT-Root_Dispersion_for_win_timesync_status = Root_Dispersion_for_win_timesync_status
+REPORT-ReferenceId_for_win_timesync_status = ReferenceId_for_win_timesync_status
+REPORT-Last_Successful_Sync_Time_for_win_timesync_status = Last_Successful_Sync_Time_for_win_timesync_status
+REPORT-Source_for_win_timesync_status = Source_for_win_timesync_status
+REPORT-Poll_Interval_for_win_timesync_status = Poll_Interval_for_win_timesync_status +REPORT-Phase_Offset_for_win_timesync_status = Phase_Offset_for_win_timesync_status +REPORT-ClockRate_for_win_timesync_status = ClockRate_for_win_timesync_status +REPORT-State_Machine_for_win_timesync_status = State_Machine_for_win_timesync_status +REPORT-Time_Source_Flags_for_win_timesync_status = Time_Source_Flags_for_win_timesync_status +REPORT-Server_Role_for_win_timesync_status = Server_Role_for_win_timesync_status +REPORT-Last_Sync_Error_for_win_timesync_status = Last_Sync_Error_for_win_timesync_status +REPORT-Time_since_Last_Good_Sync_Time_for_win_timesync_status = Time_since_Last_Good_Sync_Time_for_win_timesync_status +REPORT-Time_zone_for_win_timesync_status = Time_zone_for_win_timesync + +LOOKUP-action_for_win_timesync_status = windows_timesync_action_lookup Last_Sync_Error OUTPUT windows_action, windows_action AS action +EVAL-last_sync_time = strptime(Last_Successful_Sync_Time, "%m/%d/%Y %I:%M:%S %p") +###### Uptime ###### +[WMI:Uptime] +REPORT-report_field_extract_wmi_uptime_anomalous = field_extract_wmi_uptime_anomalous + +FIELDALIAS-uptime_for_wmi_uptime = SystemUpTime AS uptime + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +TRANSFORMS-_value_for_wmi_uptime_metrics_store = value_for_wmi_uptime_metrics_store +TRANSFORMS-metric_name_for_wmi_uptime_metrics_store = metric_name_for_wmi_uptime_metrics_store +EVAL-metric_type = "gauge" + +###### User Accounts ###### +[WMI:UserAccounts] +REPORT-report_field_extract_description = field_extract_wmi_useraccounts_caption_description_name +FIELDALIAS-dest_nt_domain_for_wmi_useraccounts = Domain AS dest_nt_domain +FIELDALIAS-status_for_wmi_useraccounts = Status AS status +FIELDALIAS-user_for_wmi_useraccounts = Name AS user +FIELDALIAS-user_id_for_wmi_useraccounts = SID AS user_id +LOOKUP-action_for_wmi_user_account_status = 
wmi_user_account_status_lookup status OUTPUTNEW enabled +FIELDALIAS-description_for_wmi_user_account_status = Description AS description + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +###### Version ###### +[WMI:Version] +REPORT-0Caption_for_wmi_version = Caption_for_wmi_version +LOOKUP-range_for_wmi_version = wmi_version_range_lookup sourcetype OUTPUTNEW range +FIELDALIAS-os_name_for_wmi_version = Caption AS os_name,Caption AS family +FIELDALIAS-os_version_for_wmi_version = Version AS kernel_release,Version AS os_release,Version AS version +EVAL-os = if(isnotnull(Caption) AND isnotnull(Version),Caption." ".Version,null()) +FIELDALIAS-description = Caption as description + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +###### Scheduled Jobs ###### +[WMI:ScheduledJobs] +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-src_for_wmi = host AS src + +###### Host Inventory ###### +[WinHostMon] +EVAL-mem_free_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), FreePhysicalMemoryKB/TotalPhysicalMemoryKB * 100)), null()) +EVAL-mem_used = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024)), null()) +EVAL-mem_used_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/TotalPhysicalMemoryKB * 100)), null()) +EVAL-os = if(Type=="OperatingSystem", OS, null()) +EVAL-family = if(Type=="Processor", Architecture, null()) +EVAL-version = if(Type=="OperatingSystem", Version, null()) +EVAL-cpu_cores = if(Type=="Processor", NumberOfCores, null()) +EVAL-cpu_count = if(Type=="Processor", NumberOfProcessors, null()) +EVAL-cpu_mhz = 
if(Type=="Processor", ClockSpeedMHz, null()) +EVAL-mem = if(Type=="OperatingSystem", TotalPhysicalMemoryKB/1024, null()) +EVAL-vendor_product = if(Type=="OperatingSystem", OS, null()) +EVAL-mount = if (Type=="Disk", Name, null()) +EVAL-storage = if (Type=="Disk", TotalSpaceKB/1024, null()) +EVAL-storage_free = if (Type=="Disk", FreeSpaceKB/1024, null()) +EVAL-storage_used = if (Type=="Disk", (TotalSpaceKB-FreeSpaceKB)/1024, null()) +EVAL-storage_free_percent = if (Type=="Disk", (FreeSpaceKB*100)/TotalSpaceKB, null()) +EVAL-storage_used_percent = if (Type=="Disk", ((TotalSpaceKB-FreeSpaceKB)*100)/TotalSpaceKB, null()) +EVAL-status = case(Type=="OperatingSystem", Status, Type=="Service", State, 1=1, null()) +EVAL-serial = if(Type=="OperatingSystem", SerialNumber, null()) +EVAL-description = if(Type=="Processor", Name, null()) +EVAL-mem_free = if(Type=="OperatingSystem",if(isNull(FreePhysicalMemoryKB), null(), (FreePhysicalMemoryKB)/1024), null()) +EVAL-cpu_architecture = if(Type=="Processor", Architecture, null()) +REPORT-System_Type_for_WinHostMon_computer = System_Type_for_WinHostMon_computer +REPORT-Processor_Id_for_WinHostMon_processor = Processor_Id_for_WinHostMon_processor +REPORT-Path_for_WinHostMon_service = Path_for_WinHostMon_service + +FIELDALIAS-dest_for_winhostmon = host as dest +EXTRACT-process_for_winhostmon = Type=Process.*?Name="(?[^"}}\{\{]+)" +EXTRACT-service_for_winhostmon = DisplayName="(?[^"}}\{\{]+)" +EVAL-start_mode = lower(StartMode) + + +####WMI:WinEventLog#### +##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:System] +[WMI:WinEventLog:System] +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id 
+LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows + +## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + +FIELDALIAS-pid_for_wmi = IDProcess AS pid + +REPORT-bestmatch_for_windows_system = ComputerName_as_dest +REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update +REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2 +REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog +LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status +REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body + +# Legacy field aliases to support ES 2.0.2, Winfra +FIELDALIAS-package_for_windows = signature_id AS package +FIELDALIAS-package_title_for_windows = signature AS package_title + + +##### Explanation for SEDCMD Extractions ##### +## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting 
from "This event is generated..." before indexing + + +##### SEDCMD Extractions ##### +#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g + +##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:Security] +[WMI:WinEventLog:Security] +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result,CategoryString as ta_windows_security_CategoryString +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows +EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Account Name:\s*(?.*)(?:\n|\r).*Account Domain:\s*(?[^(?:\n|\r)]+) + +## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" ) +LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject + +## Default lookup for EventCode->signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid + +## action, status +## Override action to allow audit log changes to correspond to Change Analysis data model +LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category +LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status +LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status + +## auditing +FIELDALIAS-object_for_windows_security = sourcetype AS object + +## privilege +REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security +REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security +LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege + +FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port +REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +FIELDALIAS-body_for_windows_security = Message AS body +FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status +EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", 
upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure") + +## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type +LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app +LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app +LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app +LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app +LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app + +## Set the following fields based on order of operations +REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id +REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest +REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain +REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host +REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src +REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip +REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain +REPORT-src_nt_host_for_windows_security = 
Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host +REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user +REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user +EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name) +REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id +REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn +REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain +REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4 +REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6 +LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass +EVAL-dest_nt_domain = nullif(dest_nt_domain,"-") + + +##### Explanation for SEDCMD Extractions ##### +## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:" +## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:" +## cleansrcip: This will replace all values like 
"Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:" +## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:" +## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues +## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the infomation text at the end of event starting from "Certificate information is..." before indexing +## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the infomation text at the end of event starting from "Token Elevation Type indicates..." before indexing +## clean_info_text_from_winsecurity_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing + + +##### SEDCMD Extractions ##### +#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g +#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g +#SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/ +#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/ +#SEDCMD-remove_ffff = s/::ffff://g +#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g +#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g +#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g + +##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...] 
+[WMI:WinEventLog:Application] +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows + + +## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + +FIELDALIAS-dest_for_wmi = ComputerName AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid + + +###### Backward Compatibility ###### + +## Perfmon Disk Space +# "Perfmon:FreeDiskSpace" sourcetype is created from perfmon.conf. +# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated. +# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0. 
+[Perfmon:FreeDiskSpace] +FIELDALIAS-mount_for_perfmon_freediskspace = instance AS mount +EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null()) +EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null()) +EVAL-storage_free_percent = if(counter=="% Free Space",Value,null()) + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +EVAL-windows_storage_free_percent = if(counter=="% Free Space",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +## Perfmon CPUTime +# "Perfmon:CPUTime" sourcetype is created from perfmon.conf. +# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated. +# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less 4.8.0. +[Perfmon:CPUTime] +EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null()) +EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null()) +EVAL-cpu_user_percent = if(counter=="% User Time",Value,null()) +EVAL-cpu_interrupts = if(counter=="Interrupts/sec",Value,null()) + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + + +## Perfmon LocalNetwork +# "Perfmon:LocalNetwork" sourcetype is created from perfmon.conf. +# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated. +# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0. 
+[Perfmon:LocalNetwork] +EVAL-thruput = if(counter=="Bytes Total/sec",Value,null()) +EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +## Below two stanzas have been kept for backward compatibility for already indexed events before Splunk Addon For Microsoft Windows 5.0.0. +## Stanzas are exactly similar to [WinEventLog] and [XmlWinEventLog] respectively. +## These will be deprecated in future +[wineventlog] +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows + +## Default lookup for EventCode->signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + + +[xmlwineventlog] +KV_MODE = none +REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block +REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data + +REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber +REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode +REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status + +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows + +## Default lookup for EventCode->signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + + +## Scripted input for collecting local ip config +[Script:NetworkConfiguration] +SHOULD_LINEMERGE = false +LINE_BREAKER = ([\r\n]+)(Configuration for interface ) +KV_MODE = none +TRUNCATE = 0 + +EXTRACT-netshaddressif=Configuration for interface \"(?[^\"]+) +EXTRACT-netshaddressdhcp=DHCP enabled\:\s+(?(Yes|No)) +EXTRACT-netshaddressip=IP Address\:\s+(?[\d\.]+) +EXTRACT-netshaddresscidr=Subnet Prefix\:\s+(?[^\s]+) +EXTRACT-netshaddressmask=mask (?[^\)]+) +EXTRACT-netshaddressgw=Gateway\:\s+(?[\d\.]+) +EXTRACT-netshaddressmetric=InterfaceMetric\:\s+(?\d+) + + +###### Extractions moved from TA-AD ###### +[MSAD:NT6:Health] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false + +[MSAD:NT6:SiteInfo] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false +REPORT-extractions = MSAD-SiteInfo-AdjacentSites, MSAD-SiteInfo-Sites, MSAD-SiteInfo-SiteLinks, MSAD-SiteInfo-Subnets + +[MSAD:NT6:Replication] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false + +[MSAD:NT6:Netlogon] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false +LINE_BREAKER = ([\r\n]+(?=\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[)) +EXTRACT-subnetaffinity = \s(?[^:]+): (?NO_CLIENT_SITE): (?[^\s]+) (?[0-9A-Fa-f:\.]+) + +[MSAD:SubnetAffinity] +EXTRACT-subnetaffinity = (?\w+): NO_CLIENT_SITE: (?\w+) (?[0-9\.]+) + + +###### Extractions moved from TA-DNS ###### +[MSAD:NT6:DNS-Zone-Information] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false + +[MSAD:NT6:DNS-Health] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false +TRUNCATE = 0 +REPORT-mvcheck = 
DNSHealth_ServerAddress_MV, DNSHealth_ListenAddress_MV, DNSHealth_Forwarder_MV, DNSHealth_LogIPFilterList_MV + +[MSAD:NT6:DNS] +KV_MODE = none +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false +EXTRACT-threadid = (?[0-9A-Fa-f]+)\s+(?PACKET) +EXTRACT-protocol = (?[0-9A-Fa-f]*) (?UDP|TCP) (?\w+) (?[0-9A-Fa-f\.\:]+)\s+ +EXTRACT-opcode = (?[ R]) (?.) \[(?[0-9A-Fa-f]+) (?....) (?[^\]]+)\] +EXTRACT-question1 = \] (?\w+)\s+(?.*) +EXTRACT-question2 = \] (?[^\s]*)$ +FIELDALIAS-query = questionname AS query +FIELDALIAS-reply_code = response AS reply_code +FIELDALIAS-transaction_id = packetid AS transaction_id +FIELDALIAS-transport = protocol AS transport +FIELDALIAS-vendor_query_type = opcode AS vendor_query_type +REPORT_KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_RecvdIP,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class +LOOKUP-dns_action_lookup = dns_action_lookup vendor_dns_action OUTPUT action +LOOKUP-dns_vendor_lookup = dns_vendor_lookup sourcetype OUTPUT vendor,product,app +LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class \ No newline at end of file diff --git a/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1 b/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1 index fa0ac69..e3254d5 100644 --- a/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1 +++ b/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1 @@ -2,7 +2,7 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Configuring auditing policy GPOs..." $GPOName = 'Domain Controllers Enhanced Auditing Policy' $OU = "ou=Domain Controllers,dc=windomain,dc=local" -Write-Host "Importing $GPOName..." +Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing $GPOName..." Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded $gpLinks = $null $gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions 
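Review bot: The timestamp prefix `$('[{0:HH:mm}]' -f (Get-Date))` is pasted verbatim into the new Write-Host line of this hunk and again in the -13, -28 and -44 hunks of this file, as well as in configure-disable-windows-defender-gpo.ps1 and configure-ou.ps1, so the log format now lives in a dozen places that have to be kept in step by hand. A one-line helper near the top of each script, `function Write-Log ($Message) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $Message" }`, called as `Write-Log "Importing $GPOName..."`, keeps the format in one place and makes the call sites easier to read. The two context lines already using the prefix inline could be moved to the helper in the same pass.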
@@ -13,7 +13,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "GpLink $GPOName already linked on $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) GpLink $GPOName already linked on $OU. Moving On." } $GPOName = 'Servers Enhanced Auditing Policy' $OU = "ou=Servers,dc=windomain,dc=local" @@ -28,7 +28,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "GpLink $GPOName already linked on $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) GpLink $GPOName already linked on $OU. Moving On." } $GPOName = 'Workstations Enhanced Auditing Policy' @@ -44,5 +44,5 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "GpLink $GPOName already linked on $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) GpLink $GPOName already linked on $OU. Moving On." } diff --git a/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1 b/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1 index bcd8348..fd5cf84 100644 --- a/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1 +++ b/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1 @@ -12,7 +12,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "Disable Windows Defender GPO was already linked at $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disable Windows Defender GPO was already linked at $OU. Moving On." } $OU = "ou=Servers,dc=windomain,dc=local" $gPLinks = $null @@ -24,6 +24,6 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "Disable Windows Defender GPO was already linked at $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disable Windows Defender GPO was already linked at $OU. Moving On." } gpupdate /force diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1 index 6d6f869..41a1c12 100644 --- a/Vagrant/scripts/configure-ou.ps1 
+++ b/Vagrant/scripts/configure-ou.ps1 @@ -10,7 +10,7 @@ while ($servers_ou_created -ne 1) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU..." try { Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null - Write-Host "Servers OU already exists. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Servers OU already exists. Moving On." $servers_ou_created = 1 } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { @@ -19,11 +19,11 @@ while ($servers_ou_created -ne 1) { $servers_ou_created = 1 } catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { - Write-Host "Unable to reach Active Directory. Sleeping for 5 and trying again..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Unable to reach Active Directory. Sleeping for 5 and trying again..." Start-Sleep 5 } catch { - Write-Host "Something went wrong attempting to reach AD or create the OU." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong attempting to reach AD or create the OU." } } @@ -33,7 +33,7 @@ while ($workstations_ou_created -ne 1) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU..." try { Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null - Write-Host "Workstations OU already exists. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Workstations OU already exists. Moving On." $workstations_ou_created = 1 } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { 
@@ -42,11 +42,11 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU..." $workstations_ou_created = 1 } catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { - Write-Host "Unable to reach Active Directory. Sleeping for 5 and trying again..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Unable to reach Active Directory. Sleeping for 5 and trying again..." Start-Sleep 5 } catch { - Write-Host "Something went wrong attempting to reach AD or create the OU." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong attempting to reach AD or create the OU." } } diff --git a/Vagrant/scripts/configure-powershelllogging.ps1 b/Vagrant/scripts/configure-powershelllogging.ps1 index f4a47d2..ed7580e 100755 --- a/Vagrant/scripts/configure-powershelllogging.ps1 +++ b/Vagrant/scripts/configure-powershelllogging.ps1 @@ -11,7 +11,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "Powershell Logging was already linked at $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Powershell Logging was already linked at $OU. Moving On." } $OU = "ou=Servers,dc=windomain,dc=local" $gPLinks = $null @@ -23,7 +23,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "Powershell Logging was already linked at $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Powershell Logging was already linked at $OU. Moving On." } $OU = "ou=Domain Controllers,dc=windomain,dc=local" $gPLinks = $null @@ -34,6 +34,6 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "Powershell Logging was already linked at $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Powershell Logging was already linked at $OU. Moving On." } gpupdate /force diff --git a/Vagrant/scripts/configure-rdp-user-gpo.ps1 b/Vagrant/scripts/configure-rdp-user-gpo.ps1 index bb28168..1fbea02 100644 --- a/Vagrant/scripts/configure-rdp-user-gpo.ps1 
+++ b/Vagrant/scripts/configure-rdp-user-gpo.ps1 @@ -12,7 +12,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "Allow Domain Users RDP GPO was already linked at $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Allow Domain Users RDP GPO was already linked at $OU. Moving On." } $OU = "ou=Servers,dc=windomain,dc=local" $gPLinks = $null @@ -24,6 +24,6 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "Allow Domain Users RDP GPO was already linked at $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Allow Domain Users RDP GPO was already linked at $OU. Moving On." } gpupdate /force diff --git a/Vagrant/scripts/configure-wef-gpo.ps1 b/Vagrant/scripts/configure-wef-gpo.ps1 index f7d1486..72ac12a 100644 --- a/Vagrant/scripts/configure-wef-gpo.ps1 +++ b/Vagrant/scripts/configure-wef-gpo.ps1 @@ -11,7 +11,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) { New-GPLink -Name $GPOName -Target $OU -Enforced yes } else { - Write-Host "GpLink $GPOName already linked on $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) GpLink $GPOName already linked on $OU. Moving On." } $OU = "ou=Domain Controllers,dc=windomain,dc=local" $gpLinks = $null @@ -21,7 +21,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) { New-GPLink -Name $GPOName -Target $OU -Enforced yes } else { - Write-Host "GpLink $GPOName already linked on $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) GpLink $GPOName already linked on $OU. Moving On." } $OU = "ou=Workstations,dc=windomain,dc=local" $gpLinks = $null 
@@ -31,7 +31,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) { New-GPLink -Name $GPOName -Target $OU -Enforced yes } else { - Write-Host "GpLink $GPOName already linked on $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) GpLink $GPOName already linked on $OU. Moving On." } Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to modify ACLs on Custom Event Channels" @@ -48,7 +48,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "GpLink $GPOName already linked on $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) GpLink $GPOName already linked on $OU. Moving On." } $OU = "ou=Domain Controllers,dc=windomain,dc=local" $gPLinks = Get-ADOrganizationalUnit -Server "dc.windomain.local" -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions @@ -59,7 +59,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "GpLink $GPOName already linked on $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) GpLink $GPOName already linked on $OU. Moving On." } $OU = "ou=Workstations,dc=windomain,dc=local" $gPLinks = Get-ADOrganizationalUnit -Server "dc.windomain.local" -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions @@ -70,7 +70,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path) } else { - Write-Host "GpLink $GPOName already linked on $OU. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) GpLink $GPOName already linked on $OU. Moving On." } gpupdate /force diff --git a/Vagrant/scripts/create-domain.ps1 b/Vagrant/scripts/create-domain.ps1 index 01220c7..7256732 100644 --- a/Vagrant/scripts/create-domain.ps1 +++ b/Vagrant/scripts/create-domain.ps1 
@@ -63,24 +63,29 @@ if ((gwmi win32_computersystem).partofdomain -eq $false) { dnscmd /ResetListenAddresses $dnslistenip $nics=Get-WmiObject "Win32_NetworkAdapterConfiguration where IPEnabled='TRUE'" |? { $_.IPAddress[0] -ilike "10.*" } - foreach($nic in $nics) - { + foreach($nic in $nics) { $nic.DomainDNSRegistrationEnabled = $false $nic.SetDynamicDNSRegistration($false) |Out-Null - } - - - #Get-DnsServerResourceRecord -ZoneName $domain -type 1 -Name "@" |Select-Object HostName,RecordType -ExpandProperty RecordData |Where-Object {$_.IPv4Address -ilike "10.*"}|Remove-DnsServerResourceRecord - $RRs= Get-DnsServerResourceRecord -ZoneName $domain -type 1 -Name "@" - - foreach($RR in $RRs) - { - if ( (Select-Object -InputObject $RR HostName,RecordType -ExpandProperty RecordData).IPv4Address -ilike "10.*") - { - Remove-DnsServerResourceRecord -ZoneName $domain -RRType A -Name "@" -RecordData $RR.RecordData.IPv4Address -Confirm } - } + $RRs= Get-DnsServerResourceRecord -ZoneName $domain -type 1 -Name "@" + foreach($RR in $RRs) { + if ( (Select-Object -InputObject $RR HostName,RecordType -ExpandProperty RecordData).IPv4Address -ilike "10.*") { + Remove-DnsServerResourceRecord -ZoneName $domain -RRType A -Name "@" -RecordData $RR.RecordData.IPv4Address -Confirm + } + } Restart-Service DNS - +} + +# Uninstall Windows Defender +If ((Get-Service -Name WinDefend -ErrorAction SilentlyContinue).status -eq 'Running') { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Uninstalling Windows Defender..." + Try { + Uninstall-WindowsFeature Windows-Defender -ErrorAction Stop + Uninstall-WindowsFeature Windows-Defender-Features -ErrorAction Stop + } + Catch { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) We'll try again during install-red-team.ps1" + } } diff --git a/Vagrant/scripts/download_palantir_wef.ps1 b/Vagrant/scripts/download_palantir_wef.ps1 index a5a3c3c..3744cf2 100644 
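Review bot: The new Catch block at the end of this hunk discards the exception, so a failed `Uninstall-WindowsFeature` leaves no record of why it failed, and its message points at `install-red-team.ps1`, which does not match the `install-redteam.ps1` script name used elsewhere in this diff; log the cause with `Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully: $($_.Exception.Message)"`. Uninstall-WindowsFeature also returns a result object that reports whether a reboot is still needed, which the Try block throws away — capturing it (`$result = Uninstall-WindowsFeature Windows-Defender-Features -ErrorAction Stop`) and printing `$result.RestartNeeded` would tell the operator whether Defender is really gone before the next provisioning step runs. Separately, the re-indented `Remove-DnsServerResourceRecord ... -Confirm` line on the new side keeps an interactive confirmation prompt, which in a non-interactive provisioning session presumably errors or stalls instead of deleting the record; `-Confirm:$false` is the unattended form. The `if ((gwmi win32_computersystem).partofdomain -eq $false)` block that this hunk closes starts outside the hunk.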
--- a/Vagrant/scripts/download_palantir_wef.ps1 +++ b/Vagrant/scripts/download_palantir_wef.ps1 @@ -13,6 +13,6 @@ If (-not (Test-Path $wefRepoPath)) } else { - Write-Host "$wefRepoPath already exists. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $wefRepoPath already exists. Moving On." } Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir WEF download complete!" diff --git a/Vagrant/scripts/fix-second-network.ps1 b/Vagrant/scripts/fix-second-network.ps1 index d38f7fe..79126df 100755 --- a/Vagrant/scripts/fix-second-network.ps1 +++ b/Vagrant/scripts/fix-second-network.ps1 
@@ -1,32 +1,34 @@ # Source: https://github.com/StefanScherer/adfs2 param ([String] $ip, [String] $dns, [String] $gateway) +Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Running fix-second-network.ps1..." + if ( (Get-NetAdapter | Select-Object -First 1 | Select-Object -ExpandProperty InterfaceDescription).Contains('Red Hat VirtIO')) { - Write-Host "Setting Network Configuration for LibVirt interface" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting Network Configuration for LibVirt interface" $subnet = $ip -replace "\.\d+$", "" $name = (Get-NetIPAddress -AddressFamily IPv4 ` | Where-Object -FilterScript { ($_.IPAddress).StartsWith("$subnet") } ` ).InterfaceAlias if ($name) { - Write-Host "Set IP address to $ip of interface $name" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Set IP address to $ip of interface $name" & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$gateway" if ($dns) { - Write-Host "Set DNS server address to $dns of interface $name" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Set DNS server address to $dns of interface $name" & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1 } } else { Write-Error "Could not find a interface with subnet $subnet.xx" } - exit 0 +} Else { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) No VirtIO adapters, moving on..." } if (! (Test-Path 'C:\Program Files\VMware\VMware Tools') ) { - Write-Host "Nothing to do for other providers than VMware." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) VMware Tools not found, no need to continue. Exiting." exit 0 } - Write-Host "$('[{0:HH:mm}]' -f (Get-Date))" Write-Host "Setting IP address and DNS information for the Ethernet1 interface" Write-Host "If this step times out, it's because vagrant is connecting to the VM on the wrong interface" 
@@ -42,12 +44,12 @@ if (!$name) { ).InterfaceAlias } if ($name) { - Write-Host "Set IP address to $ip of interface $name" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Set IP address to $ip of interface $name" & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1" if ($dns) { - Write-Host "Set DNS server address to $dns of interface $name" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Set DNS server address to $dns of interface $name" & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1 } } else { - Write-Error "Could not find a interface with subnet $subnet.xx" + Write-Error "$('[{0:HH:mm}]' -f (Get-Date)) Could not find a interface with subnet $subnet.xx" } diff --git a/Vagrant/scripts/fix-windows-expiration.ps1 b/Vagrant/scripts/fix-windows-expiration.ps1 index f5247b2..7810d40 100644 --- a/Vagrant/scripts/fix-windows-expiration.ps1 +++ b/Vagrant/scripts/fix-windows-expiration.ps1 @@ -20,7 +20,7 @@ Elseif ($regex.Matches.Value -eq "0xC004FC07") { Try { cscript c:\windows\system32\slmgr.vbs /rearm } Catch { - Write-Host "Something went wrong trying to re-arm the image..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong trying to re-arm the image..." } } @@ -48,7 +48,7 @@ If ($days_left -as [int] -lt 30) { Try { cscript c:\windows\system32\slmgr.vbs /rearm } Catch { - Write-Host "Something went wrong trying to re-arm the image..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong trying to re-arm the image..." } } } diff --git a/Vagrant/scripts/install-autorunstowineventlog.ps1 b/Vagrant/scripts/install-autorunstowineventlog.ps1 index fd36469..e11d332 100644 --- a/Vagrant/scripts/install-autorunstowineventlog.ps1 +++ b/Vagrant/scripts/install-autorunstowineventlog.ps1 
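Review bot: The VirtIO failure path still reports success: after `Write-Error "Could not find a interface with subnet $subnet.xx"` the restructured block falls through to the VMware Tools check, which on a libvirt guest prints "not found" and runs `exit 0`, so the provisioner sees a clean run with an unconfigured second interface (the removed unconditional `exit 0` had the same effect, so the commit does not fix it). Adding `exit 1` directly after that `Write-Error`, and after the matching one in the VMware branch in the second hunk, makes the misconfiguration visible — unless the caller already treats PowerShell's error stream as fatal, which I cannot tell from here. The interface lookup for the VMware branch sits between the two hunks and is outside this view.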
@@ -4,7 +4,7 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing AutorunsToWinEventLog..." If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null) { . c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1 - Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am" Start-ScheduledTask -TaskName "AutorunsToWinEventLog" # https://mcpmag.com/articles/2018/03/16/wait-action-function-powershell.aspx # Wait 30 seconds for the scheduled task to enter the "Running" state @@ -12,7 +12,7 @@ If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null) $timer = [Diagnostics.Stopwatch]::StartNew() while (($timer.Elapsed.TotalSeconds -lt $Timeout) -and ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog").State -ne "Running")) { Start-Sleep -Seconds 3 - Write-Host "Still waiting for scheduled task to start after "$timer.Elapsed.Seconds" seconds..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Still waiting for scheduled task to start after "$timer.Elapsed.Seconds" seconds..." } $timer.Stop() $Tsk = Get-ScheduledTask -TaskName "AutorunsToWinEventLog" @@ -23,5 +23,5 @@ If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null) } else { - Write-Host "AutorunsToWinEventLog already installed. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) AutorunsToWinEventLog already installed. Moving On." } diff --git a/Vagrant/scripts/install-choco-extras.ps1 b/Vagrant/scripts/install-choco-extras.ps1 index cbc14fe..4912c21 100644 --- a/Vagrant/scripts/install-choco-extras.ps1 +++ b/Vagrant/scripts/install-choco-extras.ps1 
@@ -3,13 +3,13 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing additional Choco packages..." If (-not (Test-Path "C:\ProgramData\chocolatey")) { - Write-Host "Installing Chocolatey" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey" iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) } else { - Write-Host "Chocolatey is already installed." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Chocolatey is already installed." } -Write-Host "Installing Chocolatey extras..." +Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey extras..." choco install -y --limit-output --no-progress wireshark winpcap Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Choco addons complete!" diff --git a/Vagrant/scripts/install-inputsconf.ps1 b/Vagrant/scripts/install-inputsconf.ps1 deleted file mode 100755 index b061168..0000000 --- a/Vagrant/scripts/install-inputsconf.ps1 +++ /dev/null 
@@ -1,37 +0,0 @@ -# Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts - -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting up Splunk Inputs for Sysmon & osquery" - -$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf" -$currentContent = get-content $inputsPath -$targetContent = get-content c:\vagrant\resources\splunk_forwarder\inputs.conf - -if ($currentContent -ne $targetContent) -{ - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Stopping the Splunk forwarder" - try { - Stop-Service splunkforwarder -ErrorAction Stop - } catch { - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Failed to stop SplunkForwarder. Trying again..." - Set-Location "C:\Program Files\SplunkUniversalForwarder\bin" - & ".\splunk.exe" "stop" - } - - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Deleting the default configuration" - Remove-Item $inputsPath - - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Copying over the custom configuration" - Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath - - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting the Splunk forwarder" - Start-Service splunkforwarder -} -else -{ - Write-Host "Splunk forwarder already configured. Moving on." -} -If ((Get-Service -name splunkforwarder).Status -ne "Running") -{ - throw "splunkforwarder service was not running." -} -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk forwarder installation complete!" diff --git a/Vagrant/scripts/install-microsoft-ata.ps1 b/Vagrant/scripts/install-microsoft-ata.ps1 index ffae058..022fb15 100644 --- a/Vagrant/scripts/install-microsoft-ata.ps1 +++ b/Vagrant/scripts/install-microsoft-ata.ps1 
@@ -61,7 +61,7 @@ If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center } $Mount = Mount-DiskImage -ImagePath "$env:temp\$title.iso" -StorageType ISO -Access ReadOnly -PassThru $Volume = $Mount | Get-Volume - Write-Host "Installing $title" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing $title" $Install = Start-Process -Wait -FilePath ($Volume.DriveLetter + ":\Microsoft ATA Center Setup.exe") -ArgumentList "/q --LicenseAccepted NetFrameworkCommandLineArguments=`"/q`" --EnableMicrosoftUpdate" -PassThru $Install $Mount | Dismount-DiskImage -Confirm:$false @@ -110,7 +110,7 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\ [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() If (-not (Test-Path "$env:temp\gatewaysetup.zip")) { - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Downloading Microsoft ATA now..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Downloading ATA Lightweight Gateway from WEF now..." Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant", (convertto-securestring -AsPlainText -Force -String "vagrant"))) Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force } diff --git a/Vagrant/scripts/install-osquery.ps1 b/Vagrant/scripts/install-osquery.ps1 index e151c81..fcf7cfe 100755 --- a/Vagrant/scripts/install-osquery.ps1 +++ b/Vagrant/scripts/install-osquery.ps1 
@@ -5,7 +5,7 @@ $flagfile = "c:\Program Files\osquery\osquery.flags" choco install -y --limit-output --no-progress osquery | Out-String # Apparently Out-String makes the process wait $service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'" If (-not ($service)) { - Write-Host "Setting osquery to run as a service" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting osquery to run as a service" New-Service -Name "osqueryd" -BinaryPathName "C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=`"C:\Program Files\osquery\osquery.flags`"" # Download the flags file from the Palantir osquery-configuration Github @@ -38,7 +38,7 @@ If (-not ($service)) { Start-Service osqueryd } else { - Write-Host "osquery is already installed. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) osquery is already installed. Moving On." } If ((Get-Service -name osqueryd).Status -ne "Running") { diff --git a/Vagrant/scripts/install-redteam.ps1 b/Vagrant/scripts/install-redteam.ps1 index ed3865d..b5df981 100644 --- a/Vagrant/scripts/install-redteam.ps1 +++ b/Vagrant/scripts/install-redteam.ps1 
@@ -11,13 +11,22 @@ If ($hostname -eq "win10") { Set-MpPreference -DisableRealtimeMonitoring $true } -# Windows Defender should be disabled already by the GPO, sometimes it doesnt work +# Windows Defender should be disabled by the GPO or uninstalled already, but we'll keep this just in case If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).status -eq 'Running') { # Uninstalling Windows Defender (https://github.com/StefanScherer/packer-windows/issues/201) - Uninstall-WindowsFeature Windows-Defender - Uninstall-WindowsFeature Windows-Defender-Features + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Uninstalling Windows Defender..." + Try { + Uninstall-WindowsFeature Windows-Defender -ErrorAction Stop + Uninstall-WindowsFeature Windows-Defender-Features -ErrorAction Stop + } + Catch { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) We'll try again during install-red-team.ps1" + } +} +Else { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender has already been disabled or uninstalled." } - # Purpose: Downloads and unzips a copy of the latest Mimikatz trunk Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Mimikatz..." # GitHub requires TLS 1.2 as of 2/27 @@ -30,7 +39,7 @@ if (-not (Test-Path $mimikatzRepoPath)) { Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force } else { - Write-Host "Mimikatz was already installed. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Mimikatz was already installed. Moving On." } # Download and unzip a copy of PowerSploit 
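Review bot: The new Catch message promises `We'll try again during install-red-team.ps1`, but this file is install-redteam.ps1 (per the diff header), so there is no later retry, and the exception itself is discarded. The rest of this script goes on to download Mimikatz and PowerSploit, which a still-active Defender will presumably quarantine, so the failure should be logged with its cause and should probably stop the run: `Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully: $($_.Exception.Message)"` followed by `exit 1`. The new Else branch prints "Windows Defender has already been disabled or uninstalled" whenever WinDefend is not in the Running state, which on a non-win10 host whose service is merely stopped overstates what was checked; if the ServerManager module is available there, `(Get-WindowsFeature Windows-Defender).Installed` would distinguish the two cases.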
@@ -45,7 +54,7 @@ if (-not (Test-Path $powersploitRepoPath)) { Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force } else { - Write-Host "PowerSploit was already installed. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) PowerSploit was already installed. Moving On." } # Download and unzip a copy of Atomic Red Team @@ -59,7 +68,7 @@ if (-not (Test-Path $atomicRedTeamRepoPath)) { Expand-Archive -path "$atomicRedTeamRepoPath" -destinationpath 'c:\Tools\Atomic Red Team' -Force } else { - Write-Host "Atomic Red Team was already installed. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Atomic Red Team was already installed. Moving On." } # Download and unzip a copy of BadBlood @@ -76,7 +85,7 @@ if (-not (Test-Path $badbloodRepoPath)) { ((Get-Content -path $invokeBadBloodPath -Raw) -replace '1000..5000','500..1500') | Set-Content -Path $invokeBadBloodPath } else { - Write-Host "BadBlood was already installed. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) BadBlood was already installed. Moving On." } Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Red Team tooling installation complete!" diff --git a/Vagrant/scripts/install-splunkuf.ps1 b/Vagrant/scripts/install-splunkuf.ps1 index 0e76820..ed9f15f 100755 --- a/Vagrant/scripts/install-splunkuf.ps1 +++ b/Vagrant/scripts/install-splunkuf.ps1 @@ -1,7 +1,7 @@ # Purpose: Installs a Splunk Universal Forwader on the host If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) { - Write-Host "Downloading Splunk Universal Forwarder" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Splunk Universal Forwarder..." $msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi" Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing & Starting Splunk" 
@@ -9,7 +9,7 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile) Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait } Else { - Write-Host "Splunk is already installed. Moving on." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk is already installed. Moving on." } If ((Get-Service -name splunkforwarder).Status -ne "Running") { diff --git a/Vagrant/scripts/install-sysinternals.ps1 b/Vagrant/scripts/install-sysinternals.ps1 index a761de1..79dab0f 100755 --- a/Vagrant/scripts/install-sysinternals.ps1 +++ b/Vagrant/scripts/install-sysinternals.ps1 @@ -1,4 +1,5 @@ # Purpose: Installs a handful of SysInternals tools on the host into c:\Tools\Sysinternals +# Also installs Sysmon and Olaf Harton's Sysmon config Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing SysInternals Tooling..." $sysinternalsDir = "C:\Tools\Sysinternals" @@ -6,14 +7,14 @@ $sysmonDir = "C:\ProgramData\Sysmon" If(!(test-path $sysinternalsDir)) { New-Item -ItemType Directory -Force -Path $sysinternalsDir } Else { - Write-Host "Tools directory exists. Exiting." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Tools directory exists, no need to re-install. Exiting." exit } If(!(test-path $sysmonDir)) { New-Item -ItemType Directory -Force -Path $sysmonDir } Else { - Write-Host "Sysmon directory exists. Exiting." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Sysmon directory exists, no need to re-install. Exiting." exit } 
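Review bot: The two existence checks in the second install-sysinternals.ps1 hunk exit in sequence, so when `C:\Tools\Sysinternals` already exists the script exits before it ever looks at `C:\ProgramData\Sysmon` — a run that created the tools directory and then failed part-way leaves Sysmon never installed on re-provision, while the new message claims `no need to re-install`. Testing for the artefact the script actually produces (for example the Sysmon service, or the downloaded binaries inside each directory) rather than the bare directory would make the idempotency check match what the message asserts; the download and install steps are below the hunk and outside this view. Minor: the new header comment spells the config author's name `Olaf Harton's`; the name is Olaf Hartong.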
diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1 index 930bf85..5859699 100755 --- a/Vagrant/scripts/install-utilities.ps1 +++ b/Vagrant/scripts/install-utilities.ps1 @@ -2,10 +2,10 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Write-Host "Installing Chocolatey" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey" iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) } else { - Write-Host "Chocolatey is already installed." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Chocolatey is already installed." } Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing utilities..." @@ -17,4 +17,4 @@ If ($(hostname) -eq "win10") { } choco install -y --limit-output --no-progress NotepadPlusPlus GoogleChrome WinRar -Write-Host "Utilties installation complete!" +Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Utilties installation complete!" diff --git a/Vagrant/scripts/install-velociraptor.ps1 b/Vagrant/scripts/install-velociraptor.ps1 index 2e71b76..22aca9c 100644 --- a/Vagrant/scripts/install-velociraptor.ps1 +++ b/Vagrant/scripts/install-velociraptor.ps1 
@@ -13,7 +13,9 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Velocir # GitHub requires TLS 1.2 as of 2/27 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $tag = (Invoke-WebRequest "https://api.github.com/repos/Velocidex/velociraptor/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name -$velociraptorDownloadUrl = "https://github.com/Velocidex/velociraptor/releases/download/$tag/velociraptor-$tag-windows-amd64.msi" +# Workaround hardcoded URL until this issue gets fixed: https://github.com/Velocidex/velociraptor/issues/528 +$velociraptorDownloadUrl = "https://github.com/Velocidex/velociraptor/releases/download/v0.4.7/velociraptor-v0.4.7-1-windows-amd64.msi" +#$velociraptorDownloadUrl = "https://github.com/Velocidex/velociraptor/releases/download/$tag/velociraptor-$tag-windows-amd64.msi" $velociraptorMSIPath = 'C:\Users\vagrant\AppData\Local\Temp\velociraptor.msi' $velociraptorLogFile = 'c:\Users\vagrant\AppData\Local\Temp\velociraptor_install.log' If (-not (Test-Path $velociraptorLogFile)) { @@ -25,7 +27,7 @@ If (-not (Test-Path $velociraptorLogFile)) { Restart-Service Velociraptor Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Velociraptor successfully installed!" } Else { - Write-Host "Velociraptor was already installed. Moving On." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Velociraptor was already installed. Moving On." } If ((Get-Service -name Velociraptor).Status -ne "Running") { diff --git a/Vagrant/scripts/install-wefsubscriptions.ps1 b/Vagrant/scripts/install-wefsubscriptions.ps1 index 7d74e2f..b56766b 100644 --- a/Vagrant/scripts/install-wefsubscriptions.ps1 +++ b/Vagrant/scripts/install-wefsubscriptions.ps1 
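Review bot: Pinning the MSI to v0.4.7 is the right moment to pin its integrity too — the file is fetched from GitHub and, judging by the second hunk, installed as a service with no hash check, so a compromised release asset or an interposed download gets code execution as SYSTEM on every provisioned host. Record the release's SHA256 next to the pinned URL and compare it before installing, e.g. `if ((Get-FileHash $velociraptorMSIPath -Algorithm SHA256).Hash -ne $velociraptorMSISha256) { throw "velociraptor.msi hash mismatch" }`; the msiexec call sits between the two hunks, outside this view. Also, the `$tag = (Invoke-WebRequest "https://api.github.com/repos/Velocidex/velociraptor/releases" ...)` line still makes a live API request whose result is now used only by the commented-out URL, so provisioning can fail on GitHub rate limits or offline hosts for nothing; comment it out alongside the old URL or guard it.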
@@ -11,7 +11,7 @@ if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll")) Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Custom Event Channels Manifest..." wevtutil im "c:\windows\system32\CustomEventChannels.man" - Write-Host "Resizing Channels to 4GB..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Resizing Channels to 4GB..." $xml = wevtutil el | select-string -pattern "WEC" foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 } @@ -30,7 +30,7 @@ if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll")) } else { - Write-Host "WEF Subscriptions are already installed, moving on..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) WEF Subscriptions are already installed, moving on..." if ((Get-Service -Name wecsvc).Status -ne "Running") { net start wecsvc diff --git a/Vagrant/scripts/install-windows_ta.ps1 b/Vagrant/scripts/install-windows_ta.ps1 index baf74b9..0493d1a 100755 --- a/Vagrant/scripts/install-windows_ta.ps1 +++ b/Vagrant/scripts/install-windows_ta.ps1 @@ -3,9 +3,9 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing the Windows TA for Splunk" -If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") { - Write-Host "Windows TA is already installed. Moving on." - Exit +If (Test-Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows TA is already installed. Moving on." + Exit 0 } # Install Windows TA (this only needs to be done on the WEF server) 
@@ -16,14 +16,14 @@ Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bin\splunk.ex
 # Create local directory
 New-Item -ItemType Directory -Force -Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local"
-Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath
+Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath -Force
 # Add a check here to make sure the TA was installed correctly
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Sleeping for 15 seconds"
-start-sleep -s 15
-If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
+Start-Sleep -s 15
+If (Test-Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows TA installed successfully."
 } Else {
- Write-Host "Something went wrong during installation."
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong during installation."
 exit 1
 }
diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1
index 3e36631..30822b8 100755
--- a/Vagrant/scripts/join-domain.ps1
+++ b/Vagrant/scripts/join-domain.ps1
@@ -19,7 +19,7 @@ $DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
 If ($hostname -eq "wef") {
 Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru
 } ElseIf ($hostname -eq "win10") {
- Write-Host "Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'" #debug
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'" #debug
 Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local"
 } Else {
 Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru
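Review bot: The retouched `Start-Sleep -s 15` followed by a single `Test-Path` keeps the success check timing-dependent: a slow extraction hits the `exit 1` branch while the install is still in progress, and a fast one wastes the full 15 seconds. A bounded poll keeps the same If/Else and removes the guess, e.g. `$deadline = (Get-Date).AddSeconds(60)` then `while (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") -and (Get-Date) -lt $deadline) { Start-Sleep -s 2 }`. The added `-Force` on `Copy-Item` now silently overwrites an existing wef_inputs.conf, which is presumably intended for re-provisioning and deserves a one-line comment saying so. The `Start-Process` that launches the install is visible only in the hunk header, so the rest of that flow is outside this hunk.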
@@ -30,8 +30,24 @@ Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
 # Stop Windows Update
-Write-Host "Disabling Windows Updates and Windows Module Services"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling Windows Updates and Windows Module Services"
 Set-Service wuauserv -StartupType Disabled
 Stop-Service wuauserv
 Set-Service TrustedInstaller -StartupType Disabled
 Stop-Service TrustedInstaller
+
+
+ # Uninstall Windows Defender from WEF
+ # This command isn't supported on WIN10
+ If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).status -eq 'Running') {
+ # Uninstalling Windows Defender (https://github.com/StefanScherer/packer-windows/issues/201)
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Uninstalling Windows Defender..."
+ Try {
+ Uninstall-WindowsFeature Windows-Defender -ErrorAction Stop
+ Uninstall-WindowsFeature Windows-Defender-Features -ErrorAction Stop
+ } Catch {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully..."
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) We'll try again during install-red-team.ps1"
+ }
+}
\ No newline at end of file
diff --git a/Vagrant/scripts/provision.ps1 b/Vagrant/scripts/provision.ps1
index c631b8b..db8a277 100644
--- a/Vagrant/scripts/provision.ps1
+++ b/Vagrant/scripts/provision.ps1
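Review bot: The new guard `(Get-Service -Name WinDefend -ErrorAction SilentlyContinue).status -eq 'Running'` tests whether the service is running, not whether the feature is installed, so a Defender that is installed but stopped on the WEF host is skipped here and the later retry the Catch message refers to becomes the only path that removes it. Gating on the feature matches the comment's intent: `If ($hostname -ne "win10" -And (Get-WindowsFeature -Name Windows-Defender).Installed) {`. The Catch branch swallows the exception detail; adding `Write-Host $_` there would make a failed uninstall diagnosable from the provisioning log instead of a bare "did not uninstall successfully". The file now ends without a trailing newline (`\ No newline at end of file`), which is worth restoring while this block is being touched.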
@@ -13,7 +13,7 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking if Windows evaluation is exp
 # Ping DetectionLab server for usage statistics
 curl -userAgent "DetectionLab-$box" "https://detectionlab.network/$box" -UseBasicParsing | out-null
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disable IPv6 on all network adatpers..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling IPv6 on all network adatpers..."
 Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6}
 Get-NetAdapterBinding -ComponentID ms_tcpip6
 # https://support.microsoft.com/en-gb/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users
@@ -26,14 +26,12 @@ if ($env:COMPUTERNAME -imatch 'vagrant') {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing bginfo..."
 . c:\vagrant\scripts\install-bginfo.ps1
- Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
-
 } elseif ((gwmi win32_computersystem).partofdomain -eq $false) {
- Write-Host -fore red "$('[{0:HH:mm}]' -f (Get-Date)) Current domain is set to 'workgroup'. Time to join the domain!"
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Current domain is set to 'workgroup'. Time to join the domain!"
 if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
- Write-Host 'Install bginfo'
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing bginfo..."
 . c:\vagrant\scripts\install-bginfo.ps1
 # Set background to be "fitted" instead of "tiled"
 Set-ItemProperty 'HKCU:\Control Panel\Desktop' -Name TileWallpaper -Value '0'
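Review bot: The reworded message on the first hunk's new line still carries the typo `adatpers`; since the line is being rewritten anyway, make it `Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling IPv6 on all network adapters..."`. The second hunk drops the `-fore red` highlighting from the "Time to join the domain!" message along with the reload hint, which reads as intentional but is not mentioned anywhere; a short commit-message or comment note would save the next reader from wondering whether the colour was lost by accident. The enclosing `if ($env:COMPUTERNAME -imatch 'vagrant')` block starts before this hunk and continues past it.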
@@ -48,13 +46,10 @@ if ($env:COMPUTERNAME -imatch 'vagrant') {
 . c:\vagrant\scripts\join-domain.ps1
 }
 } else {
- Write-Host -fore green "$('[{0:HH:mm}]' -f (Get-Date)) I am domain joined!"
-
 if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
- Write-Host 'Installing bginfo...'
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing bginfo..."
 . c:\vagrant\scripts\install-bginfo.ps1
 }
- Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Provisioning after joining domain..."
 }
diff --git a/ci/manual_machine_bootstrap_vmware.sh b/ci/manual_machine_bootstrap_vmware.sh
index 741b87d..ed5ceec 100644
--- a/ci/manual_machine_bootstrap_vmware.sh
+++ b/ci/manual_machine_bootstrap_vmware.sh
@@ -10,7 +10,7 @@ sed -i 's#http://archive.ubuntu.com#http://us.archive.ubuntu.com#g' /etc/apt/sou
 # Install VMWare Workstation 15
 apt-get update
-apt-get install -y linux-headers-"$(uname -r)" build-essential unzip git ufw apache2 python-pip ubuntu-desktop python-pip
+apt-get install -y linux-headers-"$(uname -r)" build-essential unzip git ufw apache2 python-pip ubuntu-desktop python-pip libxtst6
 pip install awscli --upgrade --user
 cp /root/.local/bin/aws /usr/local/bin/aws && chmod +x /usr/local/bin/aws
diff --git a/img/badblood.png b/img/badblood.png
new file mode 100644
index 0000000..e96ae30
Binary files /dev/null and b/img/badblood.png differ
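Review bot: The new `apt-get install` line in the ci/manual_machine_bootstrap_vmware.sh hunk still lists `python-pip` twice (once after `apache2` and again just before the added `libxtst6`); apt tolerates the duplicate, but it reads like a merge leftover and the line is being edited anyway, so `apt-get install -y linux-headers-"$(uname -r)" build-essential unzip git ufw apache2 python-pip ubuntu-desktop libxtst6` is the cleaner form. A one-word comment on why `libxtst6` is needed (presumably a runtime dependency of the VMware Workstation installer the comment above refers to) would also help, since nothing else on the line hints at it. The provision.ps1 hunk earlier on this line only removes status messages and raises nothing.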