matthew/DCO-SOGs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upload files to "3 DC/Agents"

Browse Source
This commit is contained in:
Matthew Iverson
2024-10-27 00:02:18 -04:00
parent a27290cd4a
commit e295772926
3 changed files with 208 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
3 DC/Agents/2b) push_agents_SOG.md Normal file
View File

@ -0,0 +1,128 @@
https://youtu.be/39iVugb9Y0c?si=Ob3HDfruGSvRYO5x&t=396
create a share in DC that everyone can access
put all files in DC directory
### Only for Splunk
```
splunkUF.msi
inputs.conf
```
### Only for Security Onion
```
winlogbeat.yml - https://github.com/elastic/beats/blob/main/winlogbeat/winlogbeat.yml
winlogbeat.msi
```
### Only for sysmon
```
sysmon.exe
sysmonconfig.xml
```
## splunk UF
```
group policy management
(Your Organizational Unit) > new gpo
name:Install Splunk Universal Forwarder
source starter gpo: none
(right click) edit
Computer policies > software setting > software installation
(right click) new
specify splunk msi from netlogon share
preferences > windows settings > files
(right click) new > file
action: replace
source file(s): \\dc\NETLOGON\splunkUF\inputs.conf
destination file: \ProgramData\splunkUF\inputs.conf
preferences > control panel setttings > services
new > service
startup: automatic
service name: splunkUF.msi
service action: start service
Recovery
first failure: restart the service
second failure: restart the service
subsequent failures: restart the service
restart service every 5 minutes
```
# Splunk UF config
```
GPO setup
new gpo
startup scripts
DeploySplunk.bat
```
# sysmon
```
group policy management
all workstations > new gpo
name:Install Sysmon
edit
policies > software setting > software installation
specify msi from netlogon share
preferences > windows settings > files
new > file
action: replace
source file(s): \\dc\NETLOGON\sysmon\sysmonconfig.xml
destination file: \ProgramData\sysmon\sysmonconfig.xml
preferences > control panel setttings > services
new > service
startup: automatic
service name: sysmon.exe
service action: start service
Recovery
first failure: restart the service
second failure: restart the service
subsequent failures: restart the service
restart service every 5 minutes
```
# Sysmon config
```
GPO setup
new gpo
startup scripts
DeploySysmon.bat
```
## Winlogbeat
```
group policy management
(Your Organizational Unit) > new gpo
name:Install Winlogbeat
source starter gpo: none
(right click) edit
Computer policies > software setting > software installation
(right click) new
specify splunk msi from netlogon share
preferences > windows settings > files
(right click) new > file
action: replace
source file(s): \\dc\NETLOGON\winlogbeat\winlogbeat.yml
destination file: \ProgramData\Elastic\winlogbeat\winlogbeat.yml
preferences > control panel setttings > services
new > service
startup: automatic
service name: Elastic winlogbeat-Oss 7.#.#
service action: start service
Recovery
first failure: restart the service
second failure: restart the service
subsequent failures: restart the service
restart service every 5 minutes
```
```
the scripts both install splunk and sysmon, dropping a "flag.txt" file to confirm it's been run. if the flag file is there (it's a startup script) it won't run the installer again (it would be redundant)
so if the flag file is there it won't run the installer
if it is not ran, the installer will run and drop the flag file
good for troubleshooting too IMO cuz you can delete the file and run it again if you have changes
```