
scusi revised this gist 6 months ago. Go to revision

No changes

ajpc500 revised this gist 4 years ago. Go to revision

No changes

ajpc500 revised this gist 4 years ago. Go to revision

1 file changed, 228 insertions

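--- a/log-forwarding-with-etw.ps1
+++ b/log-forwarding-with-etw.ps1
@@ -0,0 +1,228 @@
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$wc = New-Object System.Net.WebClient
+
+if (!(Test-Path "C:\Tools")) {
+New-Item -Path "C:\" -Name "Tools" -ItemType "directory"
+}
+
+# SYSMON
+# Download Sysmon
+$SysmonDirectory = "C:\Tools\Sysmon\"
+
+$SysmonLocalZip = "C:\Tools\Sysmon.zip"
+$SysmonURL = "https://download.sysinternals.com/files/Sysmon.zip"
+
+if (!(Test-Path $SysmonLocalZip)) {
+$wc.DownloadFile($SysmonURL, $SysmonLocalZip)
+Expand-Archive -LiteralPath $SysmonLocalZip -DestinationPath $SysmonDirectory
+}
+
+# Download Sysmon SwiftOnSecurity Config
+$SysmonLocalConfig = $SysmonDirectory + "sysmon-config.xml"
+$SysmonConfigURL = "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml"
+
+if (!(Test-Path $SysmonLocalConfig)) {
+$wc.DownloadFile($SysmonConfigURL, $SysmonLocalConfig)
+}
+
+# Execute Sysmon
+$ServiceName = 'Sysmon'
+$SysmonService = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
+
+if ($SysmonService.Status -ne 'Running')
+{
+$SysmonExe = $SysmonDirectory + "Sysmon.exe"
+& $SysmonExe -i $SysmonLocalConfig -accepteula
+}
+
+# SilkService
+$SilkServiceURL = "https://github.com/fireeye/SilkETW/releases/download/v0.8/SilkETW_SilkService_v8.zip"
+$SilkServiceLocalZip = "C:\Tools\SilkService.zip"
+$SilkServiceDirectory = "C:\Tools\SilkService"
+
+if (!(Test-Path $SilkServiceLocalZip)) {
+$wc.DownloadFile($SilkServiceURL, $SilkServiceLocalZip)
+Expand-Archive -LiteralPath $SilkServiceLocalZip -DestinationPath $SilkServiceDirectory
+}
+
+$DotNetInstaller = $SilkServiceDirectory + "\v8\Dependencies\dotNetFx45_Full_setup.exe"
+$vc2015Installer = $SilkServiceDirectory + "\v8\Dependencies\vc2015_redist.x86.exe"
+
+& $DotNetInstaller /SILENT
+& $vc2015Installer /SILENT
+
+$SilkServiceConfigLocation = $SilkServiceDirectory + "\v8\SilkService\SilkServiceConfig.xml"
+$SilkServiceConfig = @"
+<!--
+SilkService Config
+Author: Roberto Rodriguez (@Cyb3rWard0g)
+License: GPL-3.0
+Version: 0.0.1
+References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml
+-->
+<SilkServiceConfig>
+<!--
+Microsoft-Windows-LDAP-Client ETW Provider
+-->
+<ETWCollector>
+<Guid>859efb51-6985-480f-8094-77192b2a7407</Guid>
+<CollectorType>user</CollectorType>
+<ProviderName>099614a5-5dd7-4788-8bc9-e29f43db28fc</ProviderName>
+<UserKeywords>0x1</UserKeywords><!--Search-->
+<OutputType>eventlog</OutputType>
+</ETWCollector>
+<!--
+Microsoft-Windows-Crypto-DPAPI ETW Provider
+-->
+<ETWCollector>
+<Guid>df7461c7-7c11-4429-806f-a6ec34d08c0c</Guid>
+<CollectorType>user</CollectorType>
+<ProviderName>89fe8f40-cdce-464e-8217-15ef97d4c7c3</ProviderName>
+<UserKeywords>0xa</UserKeywords><!--ETW_TASK_MASTERKEY_OPERATION,ETW_TASK_CREDKEY_OPERATION-->
+<OutputType>eventlog</OutputType>
+</ETWCollector>
+<!--
+Microsoft-Windows-DNS-Client ETW Provider
+-->
+<ETWCollector>
+<Guid>c96e5920-f384-49b7-be43-2b408b4f0d75</Guid>
+<CollectorType>user</CollectorType>
+<ProviderName>1c95126e-7eea-49a9-a3fe-a378b03ddb4d</ProviderName>
+<OutputType>eventlog</OutputType>
+</ETWCollector>
+<!--
+Microsoft-Windows-DotNETRuntime ETW Provider
+-->
+<ETWCollector>
+<Guid>072e0373-213b-4e3d-881a-6430d6d9e369</Guid>
+<CollectorType>user</CollectorType>
+<ProviderName>e13c0d23-ccbc-4e12-931b-d9cc2eee27e4</ProviderName>
+<UserKeywords>0x2038</UserKeywords><!--Loader,Jit,NGen,Interop"-->
+<OutputType>eventlog</OutputType>
+</ETWCollector>
+<!--
+Microsoft-Windows-SMBServer ETW Provider
+-->
+<ETWCollector>
+<Guid>f7569862-691a-4a38-9f0e-e3ed815920ba</Guid>
+<CollectorType>user</CollectorType>
+<ProviderName>D48CE617-33A2-4BC3-A5C7-11AA4F29619E</ProviderName>
+<UserKeywords>0x9</UserKeywords><!--Request,Operational"-->
+<OutputType>eventlog</OutputType>
+</ETWCollector>
+<!--
+Microsoft-Windows-WMI-Activity ETW Provider
+-->
+<ETWCollector>
+<Guid>e58efae6-883b-4a05-95b5-ec2f697b2dc5</Guid>
+<CollectorType>user</CollectorType>
+<ProviderName>1418ef04-b0b4-4623-bf7e-d74ab47bbdaa</ProviderName>
+<OutputType>eventlog</OutputType>
+</ETWCollector>
+<!--
+Microsoft-Windows-TCPIP ETW Provider
+-->
+<ETWCollector>
+<Guid>e58efae6-883b-4aaa-95b5-ec2f697b2dc5</Guid>
+<CollectorType>user</CollectorType>
+<ProviderName>2F07E2EE-15DB-40F1-90EF-9D7BA282188A</ProviderName>
+<OutputType>eventlog</OutputType>
+</ETWCollector>
+<!--
+This is a kernel collector (ImageLoad)
+-->
+<ETWCollector>
+<Guid>870b50e1-04c2-43e4-82ac-817444a56364</Guid>
+<CollectorType>kernel</CollectorType>
+<KernelKeywords>ImageLoad</KernelKeywords>
+<FilterValue>Image/Load</FilterValue>
+<OutputType>eventlog</OutputType>
+</ETWCollector>
+</SilkServiceConfig>
+"@
+
+if (!(Test-Path $SilkServiceConfigLocation)) {
+Set-Content -Path $SilkServiceConfigLocation -Value $SilkServiceConfig
+}
+
+$SilkService = Get-Service -Name "SilkService" -ErrorAction SilentlyContinue
+
+if ($SilkService.Status -ne 'Running')
+{
+$params = @{
+Name = "SilkService"
+BinaryPathName = "C:\Tools\SilkService\v8\SilkService\SilkService.exe"
+DependsOn = "NetLogon"
+DisplayName = "SilkETW Service"
+StartupType = "Automatic"
+Description = "SilkService."
+}
+New-Service @params
+}
+
+
+# WINLOGBEAT
+# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_87.html
+
+# Download Winlogbeat
+
+$WinlogbeatDirectory = "C:\Tools\Winlogbeat\"
+$WinlogbeatLocalZip = "C:\Tools\Winlogbeat.zip"
+$WinlogbeatURL = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.6.2-windows-x86_64.zip"
+
+$WinlogbeatLocalConfigLocation = "C:\Program Files\Winlogbeat\winlogbeat-7.6.2-windows-x86_64\winlogbeat.yml"
+
+$WinlogbeatLocalConfig = @"
+#======================= Winlogbeat specific options ==========================
+winlogbeat.event_logs:
+- name: Application
+ignore_older: 30m
+- name: Security
+ignore_older: 30m
+- name: System
+ignore_older: 30m
+- name: Microsoft-windows-sysmon/operational
+ignore_older: 30m
+- name: Microsoft-windows-PowerShell/Operational
+ignore_older: 30m
+event_id: 4103, 4104
+- name: Windows PowerShell
+event_id: 400,600
+ignore_older: 30m
+- name: Microsoft-Windows-WMI-Activity/Operational
+event_id: 5857,5858,5859,5860,5861
+- name: SilkService-Log
+ignore_older: 72h
+
+#----------------------------- Kafka output --------------------------------
+output.kafka:
+hosts: ["<HELK-IP>:9092","<HELK-IP>:9093"]
+topic: "winlogbeat"
+############################# HELK Optimizing Latency ######################
+max_retries: 2
+max_message_bytes: 1000000
+"@
+
+if (!(Test-Path $WinlogbeatLocalZip)) {
+$wc.DownloadFile($WinlogbeatURL, $WinlogbeatLocalZip)
+Expand-Archive -LiteralPath $WinlogbeatLocalZip -DestinationPath $WinlogbeatDirectory
+
+Move-Item -Path $WinlogbeatDirectory.TrimEnd('/') -Destination "C:\Program Files\" -Force
+
+Push-Location "C:\Program Files\Winlogbeat\winlogbeat-7.6.2-windows-x86_64"
+
+# Install Winlogbeat service
+.\install-service-winlogbeat.ps1
+
+Pop-Location
+
+Remove-Item -Path $WinlogbeatLocalConfigLocation -Force
+
+Set-Content -Path $WinlogbeatLocalConfigLocation -Value $WinlogbeatLocalConfig
+
+$stringToFind = '\["<HELK-IP>:9092","<HELK-IP>:9093"\]'
+$stringToReplace = '["' + $env:HELK_IP + ':9092"]'
+((Get-Content -path $WinlogbeatLocalConfigLocation) -replace $stringToFind,$stringToReplace) | Set-Content -Path $WinlogbeatLocalConfigLocation
+
+Start-Service Winlogbeat
+}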
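Review bot: The `New-Service @params` call registers SilkService with a `BinaryPathName` under `C:\Tools`, which without `-Credential` runs as LocalSystem, while `C:\Tools` is created at the top of the file with whatever ACL it inherits from the drive root — on an unhardened root that includes Modify for Authenticated Users, so a standard user could replace `SilkService.exe` or edit `SilkServiceConfig.xml` and have it executed as SYSTEM at the next service start. Lock the directory down right after `New-Item`, e.g. `icacls "C:\Tools" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"`, or install the tooling under `$env:ProgramFiles` instead. The three archives and the two `/SILENT` installers are also expanded and executed straight after `DownloadFile` with no integrity check; for the version-pinned SilkETW and Winlogbeat downloads a `Get-FileHash` comparison against a known value (`<EXPECTED_SHA256>`) before `Expand-Archive` would close that gap. Finally, `$env:HELK_IP` is spliced into winlogbeat.yml unchecked, so an unset variable yields `hosts: [":9092"]` and a broken forwarder; guard it with `if (-not $env:HELK_IP) { throw 'HELK_IP is not set' }` before the `-replace`, and note that the Kafka output as written sends the Security, DPAPI and LDAP events in plaintext with no TLS or authentication configured.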