From e2957729266e69e4cd202fa89cb6a5d58f067232 Mon Sep 17 00:00:00 2001 From: Matthew Iverson Date: Sun, 27 Oct 2024 00:02:18 -0400 Subject: [PATCH] Upload files to "3 DC/Agents" --- 3 DC/Agents/1) DCO_GPO_CUSTOMER.md | 16 ++++ 3 DC/Agents/2a) gpo deployment.md | 64 +++++++++++++++ 3 DC/Agents/2b) push_agents_SOG.md | 128 +++++++++++++++++++++++++++++ 3 files changed, 208 insertions(+) create mode 100644 3 DC/Agents/1) DCO_GPO_CUSTOMER.md create mode 100644 3 DC/Agents/2a) gpo deployment.md create mode 100644 3 DC/Agents/2b) push_agents_SOG.md diff --git a/3 DC/Agents/1) DCO_GPO_CUSTOMER.md b/3 DC/Agents/1) DCO_GPO_CUSTOMER.md new file mode 100644 index 0000000..fc7a9c1 --- /dev/null +++ b/3 DC/Agents/1) DCO_GPO_CUSTOMER.md @@ -0,0 +1,16 @@ +[sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) + +[sysmon config](https://github.com/olafhartong/sysmon-modular) + +[inputs for splunk](https://github.com/mdecrevoisier/Splunk-input-windows-baseline/blob/main/splunk-windows-input/win_input.conf) + +[splunk universal forwarder](https://www.splunk.com/en_us/download/universal-forwarder.html) + +[elastic agent](https://www.elastic.co/downloads/elastic-agent) + + +## Event Logs +- process tracking #enables CMD logging +- enable wmi +- enable powershell remoting +- [Audit Policy](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations) \ No newline at end of file diff --git a/3 DC/Agents/2a) gpo deployment.md b/3 DC/Agents/2a) gpo deployment.md new file mode 100644 index 0000000..17f5be2 --- /dev/null +++ b/3 DC/Agents/2a) gpo deployment.md 
@@ -0,0 +1,64 @@ +# Created by Ben + 1. Create a software deployment share on your DC + a. Create a folder on the desktop of your DC, name it software + i. Rclick > properties > sharing + ii. Click Share > share to authenticated users and administrators + iii. apply + b. Create a folder in the share for the splunk UF and drop necessary files + i. Rclick > New Folder > Rename: SplunkUF + ii. Drop files in the new SplunkUF folder + 1) inputs.conf + 2) DeploySplunk.bat + 3) SplunkUninstall.bat + 4) splunkuniversalforwarder.msi (rename the UF to this filename or the .bat files won't work) + + iii. Edit the DeploySplunk.bat file to match your infrastructure + 1) @echo off + SET FLAG=C:\SplunkFlag.txt + IF EXIST %FLAG% GOTO END + echo "SplunkUF Installed" > %FLAG% + msiexec.exe /i "\\DC01\Software\SplunkUF\splunkuniversalforwarder.msi" DEPLOYMENT_SERVER="192.168.5.20:8089" RECEIVING_INDEXER="192.168.5.20:9997" AGREETOLICENSE=Yes SERVICESTARTTYPE=AUTO LAUNCHSPLUNK=1 SPLUNKUSERNAME=splunk GENRANDOMPASSWORD=1 WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 PERFMON=network ENABLEADMON=1 /passive + copy "\\DC01\Software\SplunkUF\inputs.conf" "C:\Program Files\SplunkUniversalForwarder\etc\system\local\" + :END + + 2) The highlighted portions must be changed or else the file will not work. All filepaths must me changed to your share. all IP addresses must match your infrastructure. + + 2. Create an OU for the workstations you wish to add the UF to + a. open the Server Manager + i. Click Tools + 1) Click the Active Directory Computers and Users + a) rclick your ad (example doge.AD in this instance) + i) Create a new Organizational Unit (OU) for your splunk Deployment (example RedDev) + b) Open the computers tab to view the AD computers on your domain + i) select the computers you want to add to this OU and drag/drop them into the OU + + b. Open to Group Policy Management via the search bar + i. 
Navigate to your domain (doge.AD example) and view your OU (RedDev example) that you just created + 1) Rclick > Create a GPO in this domain and link it here… (example SUF Installer) + a) Rclick the new GPO and edit + i) Computer Configuration > Policies > Windows Settings > Scripts > Startup (these scripts must be in this order) + 1- Add > Name: [Full filepath to the share we made in step 1 (ex. \\DC01\Software\SplunkUF\SplunkUninstall.bat)] + 2- Add > Name: [Full filepath to the share we made in step 1 (ex. \\DC01\Software\SplunkUF\DeploySplunk.bat)] + + + c. run this command in cmd (administrator) + i. gpupdate /force + + d. restart the computers in your OU to apply the GPO + + + 3. OPTIONAL ******************** Sysmon install + a. In your share make a new folder called SYSMON + b. put sysmon.exe in the folder as well as the DeploySysmon.bat + @echo off + SET FLAG=C:\SysmonFlag.txt + IF EXIST %FLAG% GOTO END + echo "Sysmon Installed" > %FLAG% + \\DC01\Software\Sysmon\sysmon.exe -i -accepteula + + :END + + c. change the filepath to point to your share and the sysmon.exe file + d. follow step 2b. but create a SYSMON installer with it as well + e. follow step 2c. + diff --git a/3 DC/Agents/2b) push_agents_SOG.md b/3 DC/Agents/2b) push_agents_SOG.md new file mode 100644 index 0000000..40ae72d --- /dev/null +++ b/3 DC/Agents/2b) push_agents_SOG.md 
@@ -0,0 +1,128 @@ +https://youtu.be/39iVugb9Y0c?si=Ob3HDfruGSvRYO5x&t=396 + +create a share in DC that everyone can access + +put all files in DC directory + +### Only for Splunk +``` +splunkUF.msi +inputs.conf +``` + +### Only for Security Onion +``` +winlogbeat.yml - https://github.com/elastic/beats/blob/main/winlogbeat/winlogbeat.yml +winlogbeat.msi +``` + + +### Only for sysmon +``` +sysmon.exe +sysmonconfig.xml +``` + +## splunk UF +``` +group policy management +(Your Organizational Unit) > new gpo + name:Install Splunk Universal Forwarder + source starter gpo: none + (right click) edit + Computer policies > software setting > software installation + (right click) new + specify splunk msi from netlogon share + preferences > windows settings > files + (right click) new > file + action: replace + source file(s): \\dc\NETLOGON\splunkUF\inputs.conf + destination file: \ProgramData\splunkUF\inputs.conf + preferences > control panel setttings > services + new > service + startup: automatic + service name: splunkUF.msi + service action: start service + Recovery + first failure: restart the service + second failure: restart the service + subsequent failures: restart the service + restart service every 5 minutes +``` + +# Splunk UF config +``` +GPO setup + new gpo + startup scripts + DeploySplunk.bat +``` + + +# sysmon +``` +group policy management +all workstations > new gpo + name:Install Sysmon + edit + policies > software setting > software installation + specify msi from netlogon share + preferences > windows settings > files + new > file + action: replace + source file(s): \\dc\NETLOGON\sysmon\sysmonconfig.xml + destination file: \ProgramData\sysmon\sysmonconfig.xml + preferences > control panel setttings > services + new > service + startup: automatic + service name: sysmon.exe + service action: start service + Recovery + first failure: restart the service + second failure: restart the service + subsequent failures: restart the service + restart service every 5 
minutes +``` + +# Sysmon config +``` +GPO setup + new gpo + startup scripts + DeploySysmon.bat +``` + +## Winlogbeat +``` +group policy management +(Your Organizational Unit) > new gpo + name:Install Winlogbeat + source starter gpo: none + (right click) edit + Computer policies > software setting > software installation + (right click) new + specify splunk msi from netlogon share + preferences > windows settings > files + (right click) new > file + action: replace + source file(s): \\dc\NETLOGON\winlogbeat\winlogbeat.yml + destination file: \ProgramData\Elastic\winlogbeat\winlogbeat.yml + preferences > control panel setttings > services + new > service + startup: automatic + service name: Elastic winlogbeat-Oss 7.#.# + service action: start service + Recovery + first failure: restart the service + second failure: restart the service + subsequent failures: restart the service + restart service every 5 minutes +``` + + +``` +the scripts both install splunk and sysmon, dropping a "flag.txt" file to confirm it's been run. if the flag file is there (it's a startup script) it won't run the installer again (it would be redundant) +so if the flag file is there it won't run the installer +if it is not ran, the installer will run and drop the flag file +good for troubleshooting too IMO cuz you can delete the file and run it again if you have changes +``` \ No newline at end of file
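Review bot: In `1) DCO_GPO_CUSTOMER.md` the "Event Logs" checklist names goals without the settings that achieve them, so a reader cannot verify the configuration: "process tracking #enables CMD logging" only yields command lines when both Audit Process Creation (event 4688) and "Include command line in process creation events" are turned on, and "enable wmi" / "enable powershell remoting" are service-enablement items, not logging items (for PowerShell visibility the logging settings are script block and module logging). Suggest one line per item giving the policy path and the event IDs it produces, and add the missing trailing newline flagged by "\ No newline at end of file".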
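Review bot: In the `DeploySplunk.bat` listed under step 1.b.iii (and `DeploySysmon.bat` under step 3.b), the flag file is written before `msiexec.exe` / `sysmon.exe` runs and the exit code is never checked, so a failed install (share unreachable at boot, MSI error) still leaves `C:\SplunkFlag.txt` behind and the startup script never retries; move the `echo ... > %FLAG%` after the installer and guard it with `IF %ERRORLEVEL% NEQ 0 GOTO END`. Two further points in this hunk: step 1.a.ii shares the folder to "authenticated users and administrators", and because these startup scripts execute as SYSTEM on every machine in the OU, write access to that share must be restricted to administrators only (read for Domain Computers is enough); and step 1.b.iii.2 refers to "the highlighted portions", which do not exist in plain markdown, so the lines that must be edited (the `\\DC01\Software\...` paths and the `192.168.5.20` addresses) should be called out by name (also "must me changed" should read "must be changed"). `SplunkUninstall.bat` is referenced as the first startup script in 2.b.i but its contents are not in this patch.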
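Review bot: The "service name" values in the services preference items of `2b) push_agents_SOG.md` are file names, not Windows service names, so the GPO service preference will not match anything: `splunkUF.msi` should be `SplunkForwarder` (the Universal Forwarder's service name), `sysmon.exe` should be `Sysmon` (or `Sysmon64`, depending on which binary was installed), and `Elastic winlogbeat-Oss 7.#.#` is a placeholder that needs the actual installed name. The file-copy destinations also do not match where the agents read their configuration: the UF picks up `inputs.conf` from `etc\system\local` under its install directory (as the `copy` line in `2a) gpo deployment.md` does), not `\ProgramData\splunkUF\`, and Sysmon only loads `sysmonconfig.xml` when it is passed with `-i`/`-c`, so dropping it in `\ProgramData\sysmon\` has no effect on its own; both destination paths are also missing the drive letter. Minor: the Winlogbeat section still says "specify splunk msi from netlogon share" (copy-paste from the Splunk section), the share is `NETLOGON` here but `\\DC01\Software` in the companion file, and "setttings" appears three times.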