log-forwarding-with-etw.ps1
# Force TLS 1.2 on the .NET stack; the WebClient below is used for every download in this script.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wc = New-Object -TypeName System.Net.WebClient

# All tooling is staged under C:\Tools; create it on first run.
if (-not (Test-Path -Path "C:\Tools")) {
    New-Item -Path "C:\Tools" -ItemType Directory
}
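# SYSMON
# Download Sysmon
$SysmonDirectory = "C:\Tools\Sysmon\"
$SysmonLocalZip = "C:\Tools\Sysmon.zip"
$SysmonURL = "https://download.sysinternals.com/files/Sysmon.zip"
$SysmonExe = $SysmonDirectory + "Sysmon.exe"

# Download only when the zip is absent, but expand whenever the binary is missing, so an
# interrupted Expand-Archive on an earlier run is retried instead of being skipped forever
# (the original tied both steps to the zip's existence).
if (!(Test-Path $SysmonLocalZip)) {
    $wc.DownloadFile($SysmonURL, $SysmonLocalZip)
}
if (!(Test-Path $SysmonExe)) {
    Expand-Archive -LiteralPath $SysmonLocalZip -DestinationPath $SysmonDirectory -Force
}

# Download Sysmon SwiftOnSecurity Config
$SysmonLocalConfig = $SysmonDirectory + "sysmon-config.xml"
$SysmonConfigURL = "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml"
if (!(Test-Path $SysmonLocalConfig)) {
    $wc.DownloadFile($SysmonConfigURL, $SysmonLocalConfig)
}

# Execute Sysmon
$ServiceName = 'Sysmon'
$SysmonService = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $SysmonService) {
    # The download above is protected only by TLS transport; before executing the binary,
    # require a valid Authenticode signature so a tampered or truncated file is never run.
    $SysmonSignature = Get-AuthenticodeSignature -FilePath $SysmonExe
    if ($SysmonSignature.Status -ne 'Valid') {
        throw "Refusing to install Sysmon: signature status of '$SysmonExe' is '$($SysmonSignature.Status)'"
    }
    # Not installed yet: install with the downloaded config.
    & $SysmonExe -i $SysmonLocalConfig -accepteula
}
elseif ($SysmonService.Status -ne 'Running') {
    # Already installed but stopped: 'Sysmon.exe -i' fails on an existing install, so just start it.
    Start-Service -Name $ServiceName
}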
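# SilkService
$SilkServiceURL = "https://github.com/fireeye/SilkETW/releases/download/v0.8/SilkETW_SilkService_v8.zip"
$SilkServiceLocalZip = "C:\Tools\SilkService.zip"
$SilkServiceDirectory = "C:\Tools\SilkService"
# Single source of truth for the service binary; New-Service below reuses it instead of a
# second hard-coded copy of the path.
$SilkServiceExe = $SilkServiceDirectory + "\v8\SilkService\SilkService.exe"

# Download only when the zip is absent, but expand whenever the binary is missing, so an
# interrupted Expand-Archive on an earlier run is retried instead of being skipped forever.
if (!(Test-Path $SilkServiceLocalZip)) {
    $wc.DownloadFile($SilkServiceURL, $SilkServiceLocalZip)
}
if (!(Test-Path $SilkServiceExe)) {
    Expand-Archive -LiteralPath $SilkServiceLocalZip -DestinationPath $SilkServiceDirectory -Force
}

$DotNetInstaller = $SilkServiceDirectory + "\v8\Dependencies\dotNetFx45_Full_setup.exe"
$vc2015Installer = $SilkServiceDirectory + "\v8\Dependencies\vc2015_redist.x86.exe"

# Run the bundled dependency installers and WAIT for them. Invoking a GUI-subsystem
# installer with '&' returns immediately, so New-Service further down could register a
# service whose runtime is not installed yet. The installers ship inside the archive, so
# their absence means the expand step did not complete.
foreach ($installer in @($DotNetInstaller, $vc2015Installer)) {
    if (!(Test-Path $installer)) {
        throw "SilkService dependency installer not found: $installer"
    }
    Start-Process -FilePath $installer -ArgumentList '/SILENT' -Wait
}

$SilkServiceConfigLocation = $SilkServiceDirectory + "\v8\SilkService\SilkServiceConfig.xml"
# Collector definitions consumed by SilkService; written only if no config exists yet, so a
# locally edited config is never clobbered on re-run.
$SilkServiceConfig = @"
<!--
SilkService Config
Author: Roberto Rodriguez (@Cyb3rWard0g)
License: GPL-3.0
Version: 0.0.1
References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml
-->
<SilkServiceConfig>
<!--
Microsoft-Windows-LDAP-Client ETW Provider
-->
<ETWCollector>
<Guid>859efb51-6985-480f-8094-77192b2a7407</Guid>
<CollectorType>user</CollectorType>
<ProviderName>099614a5-5dd7-4788-8bc9-e29f43db28fc</ProviderName>
<UserKeywords>0x1</UserKeywords><!--Search-->
<OutputType>eventlog</OutputType>
</ETWCollector>
<!--
Microsoft-Windows-Crypto-DPAPI ETW Provider
-->
<ETWCollector>
<Guid>df7461c7-7c11-4429-806f-a6ec34d08c0c</Guid>
<CollectorType>user</CollectorType>
<ProviderName>89fe8f40-cdce-464e-8217-15ef97d4c7c3</ProviderName>
<UserKeywords>0xa</UserKeywords><!--ETW_TASK_MASTERKEY_OPERATION,ETW_TASK_CREDKEY_OPERATION-->
<OutputType>eventlog</OutputType>
</ETWCollector>
<!--
Microsoft-Windows-DNS-Client ETW Provider
-->
<ETWCollector>
<Guid>c96e5920-f384-49b7-be43-2b408b4f0d75</Guid>
<CollectorType>user</CollectorType>
<ProviderName>1c95126e-7eea-49a9-a3fe-a378b03ddb4d</ProviderName>
<OutputType>eventlog</OutputType>
</ETWCollector>
<!--
Microsoft-Windows-DotNETRuntime ETW Provider
-->
<ETWCollector>
<Guid>072e0373-213b-4e3d-881a-6430d6d9e369</Guid>
<CollectorType>user</CollectorType>
<ProviderName>e13c0d23-ccbc-4e12-931b-d9cc2eee27e4</ProviderName>
<UserKeywords>0x2038</UserKeywords><!--Loader,Jit,NGen,Interop"-->
<OutputType>eventlog</OutputType>
</ETWCollector>
<!--
Microsoft-Windows-SMBServer ETW Provider
-->
<ETWCollector>
<Guid>f7569862-691a-4a38-9f0e-e3ed815920ba</Guid>
<CollectorType>user</CollectorType>
<ProviderName>D48CE617-33A2-4BC3-A5C7-11AA4F29619E</ProviderName>
<UserKeywords>0x9</UserKeywords><!--Request,Operational"-->
<OutputType>eventlog</OutputType>
</ETWCollector>
<!--
Microsoft-Windows-WMI-Activity ETW Provider
-->
<ETWCollector>
<Guid>e58efae6-883b-4a05-95b5-ec2f697b2dc5</Guid>
<CollectorType>user</CollectorType>
<ProviderName>1418ef04-b0b4-4623-bf7e-d74ab47bbdaa</ProviderName>
<OutputType>eventlog</OutputType>
</ETWCollector>
<!--
Microsoft-Windows-TCPIP ETW Provider
-->
<ETWCollector>
<Guid>e58efae6-883b-4aaa-95b5-ec2f697b2dc5</Guid>
<CollectorType>user</CollectorType>
<ProviderName>2F07E2EE-15DB-40F1-90EF-9D7BA282188A</ProviderName>
<OutputType>eventlog</OutputType>
</ETWCollector>
<!--
This is a kernel collector (ImageLoad)
-->
<ETWCollector>
<Guid>870b50e1-04c2-43e4-82ac-817444a56364</Guid>
<CollectorType>kernel</CollectorType>
<KernelKeywords>ImageLoad</KernelKeywords>
<FilterValue>Image/Load</FilterValue>
<OutputType>eventlog</OutputType>
</ETWCollector>
</SilkServiceConfig>
"@
if (!(Test-Path $SilkServiceConfigLocation)) {
    Set-Content -Path $SilkServiceConfigLocation -Value $SilkServiceConfig
}

$SilkService = Get-Service -Name "SilkService" -ErrorAction SilentlyContinue
if ($null -eq $SilkService) {
    # Register the service, then start it right away so collection begins without a reboot
    # (StartupType Automatic alone only takes effect at the next boot).
    $params = @{
        Name = "SilkService"
        BinaryPathName = $SilkServiceExe
        DependsOn = "NetLogon"
        DisplayName = "SilkETW Service"
        StartupType = "Automatic"
        Description = "SilkService."
    }
    New-Service @params
    Start-Service -Name "SilkService"
}
elseif ($SilkService.Status -ne 'Running') {
    # Already registered but stopped: New-Service would fail on an existing name, so just start it.
    Start-Service -Name "SilkService"
}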
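# WINLOGBEAT
# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_87.html
# Download Winlogbeat
$WinlogbeatDirectory = "C:\Tools\Winlogbeat\"
$WinlogbeatLocalZip = "C:\Tools\Winlogbeat.zip"
$WinlogbeatURL = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.6.2-windows-x86_64.zip"
# Final install location after the Move-Item below; the config path is derived from it.
$WinlogbeatInstallDirectory = "C:\Program Files\Winlogbeat\winlogbeat-7.6.2-windows-x86_64"
$WinlogbeatLocalConfigLocation = $WinlogbeatInstallDirectory + "\winlogbeat.yml"

# winlogbeat.yml template. The "<HELK-IP>" placeholder in output.kafka.hosts is replaced
# with $env:HELK_IP before the file is written.
# NOTE(review): this YAML body is shown with no indentation here; winlogbeat.yml requires
# the per-log keys (ignore_older, event_id) to be indented under their "- name:" entry —
# confirm the indentation before relying on this template.
$WinlogbeatLocalConfig = @"
#======================= Winlogbeat specific options ==========================
winlogbeat.event_logs:
- name: Application
ignore_older: 30m
- name: Security
ignore_older: 30m
- name: System
ignore_older: 30m
- name: Microsoft-windows-sysmon/operational
ignore_older: 30m
- name: Microsoft-windows-PowerShell/Operational
ignore_older: 30m
event_id: 4103, 4104
- name: Windows PowerShell
event_id: 400,600
ignore_older: 30m
- name: Microsoft-Windows-WMI-Activity/Operational
event_id: 5857,5858,5859,5860,5861
- name: SilkService-Log
ignore_older: 72h
#----------------------------- Kafka output --------------------------------
output.kafka:
hosts: ["<HELK-IP>:9092","<HELK-IP>:9093"]
topic: "winlogbeat"
############################# HELK Optimizing Latency ######################
max_retries: 2
max_message_bytes: 1000000
"@

if (!(Test-Path $WinlogbeatLocalZip)) {
    # Without HELK_IP the hosts entry would be rendered as '[":9092"]' and Winlogbeat
    # would be started with an unusable output; fail before downloading anything.
    if ([string]::IsNullOrWhiteSpace($env:HELK_IP)) {
        throw "Environment variable HELK_IP must be set to the HELK Kafka broker address"
    }

    $wc.DownloadFile($WinlogbeatURL, $WinlogbeatLocalZip)
    Expand-Archive -LiteralPath $WinlogbeatLocalZip -DestinationPath $WinlogbeatDirectory

    # $WinlogbeatDirectory ends in a backslash; the original TrimEnd('/') removed nothing.
    Move-Item -Path $WinlogbeatDirectory.TrimEnd('\') -Destination "C:\Program Files\" -Force

    Push-Location $WinlogbeatInstallDirectory
    try {
        # Install Winlogbeat service (the script ships inside the downloaded archive and is
        # executed as-is; the only integrity guarantee on it is the TLS download).
        .\install-service-winlogbeat.ps1
    }
    finally {
        # Restore the caller's location even if the install script throws.
        Pop-Location
    }

    # Substitute the broker placeholder in memory with a literal (non-regex) replace and
    # overwrite the shipped winlogbeat.yml in a single write. Only the 9092 listener is
    # configured, as in the original script.
    $stringToFind = '["<HELK-IP>:9092","<HELK-IP>:9093"]'
    $stringToReplace = '["' + $env:HELK_IP + ':9092"]'
    Set-Content -Path $WinlogbeatLocalConfigLocation -Value $WinlogbeatLocalConfig.Replace($stringToFind, $stringToReplace)

    Start-Service Winlogbeat
}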