Upload files to "3 DC/Agents/Sysmon"

3 DC/Agents/Sysmon/DeploySysmon.bat

@@ -0,0 +1,7 @@
+@echo off
+SET FLAG=~\Documents\SysmonFlag.txt
+IF EXIST %FLAG% GOTO END
+echo "Sysmon Installed" > %FLAG%
+\\DC01\Software\SplunkUF\sysmon.exe -i -accepteula
+
+:END

3 DC/Agents/Sysmon/sysmon setup

@@ -0,0 +1,59 @@
+
+GOALS of batch script
+
+- upload splunkUF, sysmon, elastic agent
+- rename sysmon ->
+- add config to sysmon
+- every hour send back report to DC of differences from baseline
+    - processes, services, net connections, compare all to a baseline
+- monitor that 3 agents are all still on the box
+
+
+
+
+## create sysmon exclude list of baseline applications
+install-module psgumshoe
+Y
+A 
+
+get-sysmonfiletime | select image -unique | convertTo-sysmonrule
+
+## grab these rules and put them into sysmon.xml
+
+# put this inside of <EventFiltering>
+<RuleGroup name="User Created" groupRelation="or">
+      <FileCreateTime onmatch="exclude">
+                            # if a area ia version add the ; for where the numbers will change
+        <Image condition='contains all'>C:\Users\User\AppData\Local\Discord\app-;\Discord.exe</Image>
+        <Image condition='is'>C:\Users\User\AppData\Local\Programs\signal-desktop\Signal.exe</Image>
+      </FileCreateTime>
+
+# Go to directory where sysmon is stored
+
+.sysmon.exe -c sysmon.xml
+
+
+
+### network conn (8)
+
+# query net conn
+get-sysmonnetworkconnect | out-gridview
+get-sysmonnetworkconnect | select image,destinationport -unique | convertTo-SysmonRule
+
+
+## Template network connection
+<RuleGroup name="" gropuRelation="or">
+  <NetworkConnect onmatch="include">
+    <DestinationPort name="C2 Channels" condition="contains any">53;123;80;443</DestinationPort>
+    <DestinationPort name="Directory Ports" condition="contains any">88;389;636;3268;3269</DestinationPort>
+    <DestinationPort name="Management Ports" condition="contains any">21;22;23;135;138;139;445;3389;5985;5986;8089</DestinationPort>
+  </NetworkConnect>
+</RuleGroup>
+
+
+
+### Drivers loaded (9)
+Get-SysmonDriverLoadEvent
+
+### Process Access (10)
+# one process logs when it acceses another

3 DC/Agents/Sysmon/sysmonChecker.ps1

@@ -0,0 +1,37 @@
+# https://www.jamesgibbins.com/posts/sysmon-install/
+
+$log_file = 'sysmon-checks.log'
+
+$items = @(
+    "C:\Windows\Sysmon64.exe",
+    "C:\Windows\SysmonDrv.sys",
+    "HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64",
+    "HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv",
+    "HKLM:\SYSTEM\ControlSet001\Services\Sysmon64",
+    "HKLM:\SYSTEM\ControlSet001\Services\SysmonDrv",
+    "HKLM:\SYSTEM\ControlSet002\Services\Sysmon64",
+    "HKLM:\SYSTEM\ControlSet002\Services\SysmonDrv",
+    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational",
+    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+    "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational"
+)
+
+
+$services = @(
+    "Sysmon64",
+    "SysmonDrv"
+)
+
+foreach ( $i in $items ) {
+    If ( Test-Path $i ) {
+        $result = 'O'
+    } Else {
+        $result = 'X'
+    }
+    Write-Output "$result : $i".ToString() | Out-File -Filepath $log_file -Append -NoClobber -Encoding UTF8
+}
+
+foreach ( $s in $services ) {
+    $status = (Get-Service $s -ErrorAction SilentlyContinue).Status
+    Write-Output "$status : $s".ToString() | Out-File -Filepath $log_file -Append -NoClobber -Encoding UTF8
+}

3 DC/Agents/Sysmon/sysmonREADME.md

@@ -0,0 +1,19 @@
+# Windows
+
+### rename files to hide sysmon drivers
+
+## Example: `sysmon.exe -c sysmonconfig.xml -i <driver name>`
+```
+move.exe sysmon HPFilter.exe
+move sysmonconfig.xml HPFilterconfig.xml
+```
+## Move both to C:\Program Files\HPFilter
+
+```
+HPFilter.exe -c HPFilterconfig.xml -i HPFilt -accepteula
+```
+
+# Linux
+```
+https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.md
+```