GOALS of batch script

- upload splunkUF, sysmon, elastic agent
- rename sysmon ->
- add config to sysmon
- every hour send back report to DC of differences from baseline
    - processes, services, net connections, compare all to a baseline
- monitor that 3 agents are all still on the box




## create sysmon exclude list of baseline applications
install-module psgumshoe
Y
A 

get-sysmonfiletime | select image -unique | convertTo-sysmonrule

## grab these rules and put them into sysmon.xml

# put this inside of <EventFiltering>
<RuleGroup name="User Created" groupRelation="or">
      <FileCreateTime onmatch="exclude">
                            # if a area ia version add the ; for where the numbers will change
        <Image condition='contains all'>C:\Users\User\AppData\Local\Discord\app-;\Discord.exe</Image>
        <Image condition='is'>C:\Users\User\AppData\Local\Programs\signal-desktop\Signal.exe</Image>
      </FileCreateTime>

# Go to directory where sysmon is stored

.sysmon.exe -c sysmon.xml



### network conn (8)

# query net conn
get-sysmonnetworkconnect | out-gridview
get-sysmonnetworkconnect | select image,destinationport -unique | convertTo-SysmonRule


## Template network connection
<RuleGroup name="" gropuRelation="or">
  <NetworkConnect onmatch="include">
    <DestinationPort name="C2 Channels" condition="contains any">53;123;80;443</DestinationPort>
    <DestinationPort name="Directory Ports" condition="contains any">88;389;636;3268;3269</DestinationPort>
    <DestinationPort name="Management Ports" condition="contains any">21;22;23;135;138;139;445;3389;5985;5986;8089</DestinationPort>
  </NetworkConnect>
</RuleGroup>



### Drivers loaded (9)
Get-SysmonDriverLoadEvent

### Process Access (10)
# one process logs when it acceses another