GOALS of batch script
- upload splunkUF, sysmon, elastic agent
- rename sysmon ->
- add config to sysmon
- every hour, send a report of differences from the baseline back to the DC
- processes, services, net connections, compare all to a baseline
- monitor that 3 agents are all still on the box
## create sysmon exclude list of baseline applications
install-module psgumshoe
Y
A
get-sysmonfiletime | select image -unique | convertTo-sysmonrule
## grab these rules and put them into sysmon.xml
# put this inside of <EventFiltering>
<RuleGroup name="User Created" groupRelation="or">
<FileCreateTime onmatch="exclude">
# if a path segment is a version number, put a ; where the digits will change (the rule is split on ;)
<Image condition='contains all'>C:\Users\User\AppData\Local\Discord\app-;\Discord.exe</Image>
<Image condition='is'>C:\Users\User\AppData\Local\Programs\signal-desktop\Signal.exe</Image>
</FileCreateTime>
</RuleGroup>
# Go to directory where sysmon is stored
.\sysmon.exe -c sysmon.xml
### network conn (8)
# query net conn
get-sysmonnetworkconnect | out-gridview
get-sysmonnetworkconnect | select image,destinationport -unique | convertTo-SysmonRule
## Template network connection
# note: "contains any" on DestinationPort is a substring match (e.g. 80 also matches 8080, 22 also matches 5222); use an exact-match condition if precise ports are intended
<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="include">
<DestinationPort name="C2 Channels" condition="contains any">53;123;80;443</DestinationPort>
<DestinationPort name="Directory Ports" condition="contains any">88;389;636;3268;3269</DestinationPort>
<DestinationPort name="Management Ports" condition="contains any">21;22;23;135;138;139;445;3389;5985;5986;8089</DestinationPort>
</NetworkConnect>
</RuleGroup>
### Drivers loaded (9)
Get-SysmonDriverLoadEvent
### Process Access (10)
# logs when one process accesses another