Upload files to "3 DC/Agents"

This commit is contained in:
2024-10-27 00:02:18 -04:00
parent a27290cd4a
commit e295772926
3 changed files with 208 additions and 0 deletions

View File

@ -0,0 +1,16 @@
[sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)
[sysmon config](https://github.com/olafhartong/sysmon-modular)
[inputs for splunk](https://github.com/mdecrevoisier/Splunk-input-windows-baseline/blob/main/splunk-windows-input/win_input.conf)
[splunk universal forwarder](https://www.splunk.com/en_us/download/universal-forwarder.html)
[elastic agent](https://www.elastic.co/downloads/elastic-agent)
## Event Logs
- process tracking #enables CMD logging
- enable wmi
- enable powershell remoting
- [Audit Policy](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations)
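Review bot: "process tracking #enables CMD logging" overstates what that audit setting gives you. Audit Process Creation (event 4688) records the new process, but the command line is only included when the separate policy "Include command line in process creation events" (Administrative Templates > System > Audit Process Creation) is also enabled, so list that as its own item. Please also clarify "enable powershell remoting": remoting turns on WinRM and is an administration feature rather than a logging setting, whereas PowerShell Script Block Logging and Module Logging are what feed the event logs this heading is about.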

View File

@ -0,0 +1,64 @@
# Created by Ben
1. Create a software deployment share on your DC
a. Create a folder on the desktop of your DC, name it software
i. Rclick > properties > sharing
ii. Click Share > share to authenticated users and administrators
iii. apply
b. Create a folder in the share for the splunk UF and drop necessary files
i. Rclick > New Folder > Rename: SplunkUF
ii. Drop files in the new SplunkUF folder
1) inputs.conf
2) DeploySplunk.bat
3) SplunkUninstall.bat
4) splunkuniversalforwarder.msi (rename the UF to this filename or the .bat files won't work)
iii. Edit the DeploySplunk.bat file to match your infrastructure
1) @echo off
SET FLAG=C:\SplunkFlag.txt
IF EXIST %FLAG% GOTO END
echo "SplunkUF Installed" > %FLAG%
msiexec.exe /i "\\DC01\Software\SplunkUF\splunkuniversalforwarder.msi" DEPLOYMENT_SERVER="192.168.5.20:8089" RECEIVING_INDEXER="192.168.5.20:9997" AGREETOLICENSE=Yes SERVICESTARTTYPE=AUTO LAUNCHSPLUNK=1 SPLUNKUSERNAME=splunk GENRANDOMPASSWORD=1 WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 PERFMON=network ENABLEADMON=1 /passive
copy "\\DC01\Software\SplunkUF\inputs.conf" "C:\Program Files\SplunkUniversalForwarder\etc\system\local\"
:END
2) The highlighted portions must be changed or else the file will not work. All filepaths must me changed to your share. all IP addresses must match your infrastructure.
2. Create an OU for the workstations you wish to add the UF to
a. open the Server Manager
i. Click Tools
1) Click the Active Directory Computers and Users
a) rclick your ad (example doge.AD in this instance)
i) Create a new Organizational Unit (OU) for your splunk Deployment (example RedDev)
b) Open the computers tab to view the AD computers on your domain
i) select the computers you want to add to this OU and drag/drop them into the OU
b. Open to Group Policy Management via the search bar
i. Navigate to your domain (doge.AD example) and view your OU (RedDev example) that you just created
1) Rclick > Create a GPO in this domain and link it here… (example SUF Installer)
a) Rclick the new GPO and edit
i) Computer Configuration > Policies > Windows Settings > Scripts > Startup (these scripts must be in this order)
1- Add > Name: [Full filepath to the share we made in step 1 (ex. \\DC01\Software\SplunkUF\SplunkUninstall.bat)]
2- Add > Name: [Full filepath to the share we made in step 1 (ex. \\DC01\Software\SplunkUF\DeploySplunk.bat)]
c. run this command in cmd (administrator)
i. gpupdate /force
d. restart the computers in your OU to apply the GPO
3. OPTIONAL ******************** Sysmon install
a. In your share make a new folder called SYSMON
b. put sysmon.exe in the folder as well as the DeploySysmon.bat
@echo off
SET FLAG=C:\SysmonFlag.txt
IF EXIST %FLAG% GOTO END
echo "Sysmon Installed" > %FLAG%
\\DC01\Software\Sysmon\sysmon.exe -i -accepteula
:END
c. change the filepath to point to your share and the sysmon.exe file
d. follow step 2b. but create a SYSMON installer with it as well
e. follow step 2c.
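Review bot: step 1.a.ii shares the folder to Authenticated Users, but the .bat and .msi files in it run as SYSTEM on every machine in the OU at startup, so anyone who can write to that share controls what runs; grant Authenticated Users (or Domain Computers) Read only and keep Write for administrators, at both the share and NTFS level. In DeploySplunk.bat the flag is written before msiexec runs, so a failed install still leaves C:\SplunkFlag.txt and the script never retries; move `echo "SplunkUF Installed" > %FLAG%` after the msiexec line and guard it with `IF %ERRORLEVEL% NEQ 0 GOTO END` (same ordering applies to DeploySysmon.bat). Note also that the inputs.conf copied into etc\system\local is not read until the SplunkForwarder service restarts, and the install with LAUNCHSPLUNK=1 has already started it.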

View File

@ -0,0 +1,128 @@
https://youtu.be/39iVugb9Y0c?si=Ob3HDfruGSvRYO5x&t=396
create a share in DC that everyone can access
put all files in DC directory
### Only for Splunk
```
splunkUF.msi
inputs.conf
```
### Only for Security Onion
```
winlogbeat.yml - https://github.com/elastic/beats/blob/main/winlogbeat/winlogbeat.yml
winlogbeat.msi
```
### Only for sysmon
```
sysmon.exe
sysmonconfig.xml
```
## splunk UF
```
group policy management
(Your Organizational Unit) > new gpo
name:Install Splunk Universal Forwarder
source starter gpo: none
(right click) edit
Computer policies > software setting > software installation
(right click) new
specify splunk msi from netlogon share
preferences > windows settings > files
(right click) new > file
action: replace
source file(s): \\dc\NETLOGON\splunkUF\inputs.conf
destination file: \ProgramData\splunkUF\inputs.conf
preferences > control panel setttings > services
new > service
startup: automatic
service name: splunkUF.msi
service action: start service
Recovery
first failure: restart the service
second failure: restart the service
subsequent failures: restart the service
restart service every 5 minutes
```
# Splunk UF config
```
GPO setup
new gpo
startup scripts
DeploySplunk.bat
```
# sysmon
```
group policy management
all workstations > new gpo
name:Install Sysmon
edit
policies > software setting > software installation
specify msi from netlogon share
preferences > windows settings > files
new > file
action: replace
source file(s): \\dc\NETLOGON\sysmon\sysmonconfig.xml
destination file: \ProgramData\sysmon\sysmonconfig.xml
preferences > control panel setttings > services
new > service
startup: automatic
service name: sysmon.exe
service action: start service
Recovery
first failure: restart the service
second failure: restart the service
subsequent failures: restart the service
restart service every 5 minutes
```
# Sysmon config
```
GPO setup
new gpo
startup scripts
DeploySysmon.bat
```
## Winlogbeat
```
group policy management
(Your Organizational Unit) > new gpo
name:Install Winlogbeat
source starter gpo: none
(right click) edit
Computer policies > software setting > software installation
(right click) new
specify splunk msi from netlogon share
preferences > windows settings > files
(right click) new > file
action: replace
source file(s): \\dc\NETLOGON\winlogbeat\winlogbeat.yml
destination file: \ProgramData\Elastic\winlogbeat\winlogbeat.yml
preferences > control panel setttings > services
new > service
startup: automatic
service name: Elastic winlogbeat-Oss 7.#.#
service action: start service
Recovery
first failure: restart the service
second failure: restart the service
subsequent failures: restart the service
restart service every 5 minutes
```
```
the scripts both install splunk and sysmon, dropping a "flag.txt" file to confirm it's been run. if the flag file is there (it's a startup script) it won't run the installer again (it would be redundant)
so if the flag file is there it won't run the installer
if it is not ran, the installer will run and drop the flag file
good for troubleshooting too IMO cuz you can delete the file and run it again if you have changes
```
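Review bot: the "service name" values in the Services preference items are not service names, so the items have nothing to act on: the Splunk UF service is SplunkForwarder (not splunkUF.msi), Sysmon's is Sysmon (Sysmon64 when installed from the 64-bit binary), and the winlogbeat entry should be the exact installed service name rather than the "7.#.#" placeholder. The sysmon section says "specify msi from netlogon share" but its file list only has sysmon.exe, which is not an MSI and cannot be deployed through Software Installation; that path only works via the DeploySysmon.bat startup script, and that script should pass the sysmonconfig.xml with -i so the file copied to \ProgramData\sysmon is actually applied. In the Winlogbeat section "specify splunk msi" reads like a copy-paste leftover for winlogbeat.msi, and the Splunk inputs.conf destination \ProgramData\splunkUF\ is not a location the forwarder reads; use etc\system\local under the install directory as the deploy guide in the previous file does.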