├── README.md ├── Endpoint-HELK-Winlog-Sysmon-Atomic ├── images │ ├── test.txt │ ├── Invoke-Test2.png │ ├── Invoke-mimi.png │ ├── Listing-Details.png │ ├── import-install.png │ ├── Install-Complete.png │ ├── Installing-NuGet.png │ ├── Starting-Install.png │ ├── Second-Script-UserPrompt.png │ ├── Invoke-AtomicRedTeam-Installed.png │ ├── HELK-Endpoint-Sysmon-Logs-Shipping.png │ └── HELK-Endpoint-Setup-Winlogbeat-Sysmon.png ├── ReadMe.md └── HELK-Endpoint-Atomic-Setup.ps1 └── Endpoints ├── Logs-2.png ├── EndPoint-Config.png ├── ReadMe.md ├── winlogbeat.yml └── Endpoint-HELK-Setup.ps1 /README.md: -------------------------------------------------------------------------------- 1 | # HomeLab -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/test.txt: -------------------------------------------------------------------------------- 1 | Hi 2 | -------------------------------------------------------------------------------- /Endpoints/Logs-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoints/Logs-2.png -------------------------------------------------------------------------------- /Endpoints/EndPoint-Config.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoints/EndPoint-Config.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/Invoke-Test2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/Invoke-Test2.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/Invoke-mimi.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/Invoke-mimi.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/Listing-Details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/Listing-Details.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/import-install.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/import-install.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/Install-Complete.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/Install-Complete.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/Installing-NuGet.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/Installing-NuGet.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/Starting-Install.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/Starting-Install.png -------------------------------------------------------------------------------- 
/Endpoint-HELK-Winlog-Sysmon-Atomic/images/Second-Script-UserPrompt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/Second-Script-UserPrompt.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/Invoke-AtomicRedTeam-Installed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/Invoke-AtomicRedTeam-Installed.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/HELK-Endpoint-Sysmon-Logs-Shipping.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/HELK-Endpoint-Sysmon-Logs-Shipping.png -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/images/HELK-Endpoint-Setup-Winlogbeat-Sysmon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ValcanK/HomeLab/HEAD/Endpoint-HELK-Winlog-Sysmon-Atomic/images/HELK-Endpoint-Setup-Winlogbeat-Sysmon.png -------------------------------------------------------------------------------- /Endpoints/ReadMe.md: -------------------------------------------------------------------------------- 1 | # Info: 2 | This script is designed to help you quickly start sending Windows and Sysmon event logs to HELK. 
3 | 4 | Usage: 5 | - Run PowerShell as admin 6 | - Allow unsigned scripts to run for this session only (e.g. `powershell -ExecutionPolicy Bypass`); the script downloads and executes binaries and config files from the internet, so run it only on a lab endpoint 7 | - Execute the script 8 | ```.\Endpoint-HELK-Setup.ps1``` 9 | 10 | Example of what you'll see: 11 | 12 | ![Endpoint Setup](/Endpoints/EndPoint-Config.png "Example") 13 | 14 | Logs flowing to Kibana: 15 | 16 | ![Logs](/Endpoints/Logs-2.png "Logs") 17 | -------------------------------------------------------------------------------- /Endpoints/winlogbeat.yml: -------------------------------------------------------------------------------- 1 | ###################### Winlogbeat Configuration Example ######################### 2 | # Winlogbeat 6, 7, and 8 are currently supported! 3 | # You can download the latest stable version of winlogbeat here: 4 | # https://www.elastic.co/downloads/beats/winlogbeat 5 | 6 | # For simplicity/brevity we have only enabled the options necessary for sending Windows logs to HELK. 7 | # Please visit the Elastic documentation for the complete details of each option and full reference config: 8 | # https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-reference-yml.html 9 | setup.template.name: "winlogbeat" 10 | setup.template.pattern: "winlogbeat-*" 11 | #-------------------------- Windows Logs To Collect ----------------------------- 12 | winlogbeat.event_logs: 13 | - name: Application 14 | ignore_older: 30m 15 | - name: Security 16 | ignore_older: 30m 17 | - name: System 18 | ignore_older: 30m 19 | - name: Microsoft-windows-sysmon/operational 20 | ignore_older: 30m 21 | - name: Microsoft-windows-PowerShell/Operational 22 | ignore_older: 30m 23 | event_id: 4103, 4104 24 | - name: Windows PowerShell 25 | event_id: 400,600 26 | ignore_older: 30m 27 | - name: Microsoft-Windows-WMI-Activity/Operational 28 | event_id: 5857,5858,5859,5860,5861 29 | 30 | #----------------------------- Kafka output -------------------------------- 31 | output.kafka: 32 | # initial brokers for reading cluster metadata. NOTE: no TLS or SASL is configured on this output, so event logs (including the Security log) travel to Kafka in cleartext - acceptable only on an isolated lab network. 33 | # Place your HELK IP(s) here (keep the port). 
34 | # Put the HELK IP in front of each port below, e.g. "10.0.0.5:9092" (the endpoint setup scripts prompt for this value and write it in). If you only have one Kafka instance (default for HELK) then remove the 2nd entry that has port 9093 35 | hosts: [":9092",":9093"] 36 | topic: "winlogbeat" 37 | ############################# HELK Optimizing Latency ###################### 38 | max_retries: 2 39 | max_message_bytes: 1000000 40 | -------------------------------------------------------------------------------- /Endpoint-HELK-Winlog-Sysmon-Atomic/ReadMe.md: -------------------------------------------------------------------------------- 1 | # The HELK Endpoint + Atomic Script 2 | This script was created to help you automate the process of setting up a Windows endpoint when using HELK or an ELK stack. 3 | 4 | ## Usage: 5 | - Disable Windows Defender, and do this only on an isolated, disposable lab VM (the Atomic Red Team prerequisites include offensive tools that will trigger detections, and the script executes code pulled straight from GitHub with `IEX (IWR ...)`, so never run it on a production host). 6 | - Run PowerShell as Admin 7 | - Allow unsigned scripts to run for this session only, e.g. ```powershell -ExecutionPolicy Bypass``` (rather than changing the machine-wide execution policy) 8 | - Execute the script: ```.\HELK-Endpoint-Atomic-Setup.ps1``` 9 | 10 | ## Here's what it does: 11 | 1. Downloads winlogbeat from elastic. 12 | 2. Downloads a modified version of Cyb3rWard0g's winlogbeat.yml (feel free to point this to another yml file if needed). 13 | 3. Will prompt you for the HELK IP. 14 | 4. Downloads Sysmon, the config from SwiftOnSecurity, and installs Sysmon. 15 | 5. Restarts the services. 16 | 6. Starts shipping logs to your HELK/ELK stack. 17 | 7. 
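<#
.SYNOPSIS
    Sets up a Windows endpoint to ship Windows event logs and Sysmon telemetry to HELK.

.DESCRIPTION
    Author: https://twitter.com/Valcan_K
    Made to automate endpoint setup for Cyb3rWard0g's HELK
    (https://github.com/Cyb3rWard0g/HELK, https://twitter.com/cyb3rward0g).

    Before building/executing this script I used the 1st option when installing HELK:
    "1. KAFKA + KSQL + ELK + NGNIX"

    What this script does:
      1. Downloads winlogbeat from Elastic and checks that winlogbeat.exe carries a valid
         Authenticode signature before it is executed.
      2. Downloads a modified version of Cyb3rWard0g's winlogbeat.yml (change $WinlogbeatConfigUrl
         below to point at another yml file if needed).
      3. Downloads Sysmon and Cyb3rWard0g's Sysmon config, checks that sysmon.exe is
         Microsoft-signed, and installs Sysmon with that config (or updates the config on re-runs).
      4. Prompts you for the HELK IP and writes it into the Kafka hosts line of winlogbeat.yml.
      5. Installs and (re)starts the winlogbeat service.
      6. After a few moments logs should be showing up in Kibana (you may have to set up the
         winlogbeat index, but they will show up in the default log-endpoint* index).

    Security notes:
      - Run from an elevated PowerShell on a LAB endpoint only, with a per-session execution
        policy bypass rather than a machine-wide change.
      - Downloads use HTTPS and both executables must have a valid signature before they run.
        The YAML/XML configs are not signed; read them, or pin their URLs to a commit you have
        reviewed, before pointing this script at them.
      - The Kafka output in the downloaded winlogbeat.yml has no TLS/SASL configured, so events
        leave this host in cleartext.

.EXAMPLE
    .\Endpoint-HELK-Setup.ps1
    You will be prompted for the HELKIP after files are downloaded and installed.
#>

# Abort on the first failed download/cmdlet instead of carrying on with a half-installed endpoint.
$ErrorActionPreference = 'Stop'
# Windows PowerShell 5.1 can default to TLS 1.0/1.1, which elastic.co and GitHub reject.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Change these to pin a different winlogbeat release or to use your own config files.
$WinlogbeatVersion   = '7.11.0'
$WinlogbeatUrl       = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-$WinlogbeatVersion-windows-x86_64.zip"
$WinlogbeatConfigUrl = 'https://raw.githubusercontent.com/ValcanK/HomeLab/main/Endpoints/winlogbeat.yml'
$SysmonUrl           = 'https://download.sysinternals.com/files/Sysmon.zip'
$SysmonConfigUrl     = 'https://gist.githubusercontent.com/Cyb3rWard0g/136481552d8845e52962534d1a4b8664/raw/9a5011cd7609040fad446ff9970a379fd27cb2cf/StartLogging.xml'

$DownloadDir   = Join-Path $env:USERPROFILE 'Downloads'
$WinlogbeatDir = 'C:\Program Files\winlogbeat'
$SysmonDir     = 'C:\Program Files\Sysmon'
$WinlogbeatYml = Join-Path $WinlogbeatDir 'winlogbeat.yml'

function Assert-SignedBinary {
    <#
    .SYNOPSIS
        Throws unless a downloaded executable carries a valid Authenticode signature from the expected publisher.
    .PARAMETER Path
        Path of the .exe to check.
    .PARAMETER Publisher
        Substring that must appear in the signer certificate's Subject (e.g. 'Microsoft').
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Publisher
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike "*$Publisher*") {
        throw "Refusing to run '$Path': signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'."
    }
}

function Config-Change {
    <#
    .SYNOPSIS
        Prompts for the HELK IP (the Mandatory parameter is left unbound on purpose) and runs the winlogbeat install.
    .PARAMETER HELKIP
        IP address or hostname of the HELK system. Only letters, digits, dots and dashes are
        accepted, so the value is safe to splice into the regex replacement in winlog-Install.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $True, Position = 0)]
        [ValidatePattern('^[A-Za-z0-9.\-]+$')]
        [string]$HELKIP
    )
    Try {
        winlog-Install -HELKIP $HELKIP
    }
    Catch {
        # Surface the real error rather than a bare "Failed", then stop the script.
        Write-Error "winlogbeat setup failed: $_"
        throw
    }
}

function Download-Files {
    <#
    .SYNOPSIS
        Downloads and unpacks winlogbeat and Sysmon into Program Files, then continues with Sysmon-Function.
    #>
    hostname
    Write-Host "Starting Winlog Download"
    $winlogZip = Join-Path $DownloadDir 'winlogbeat.zip'
    Invoke-WebRequest -Uri $WinlogbeatUrl -OutFile $winlogZip -UseBasicParsing
    Write-Host "Extracting Winlog files to 'C:\Program Files\'"
    if (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue) {
        # Re-run: the running service locks winlogbeat.exe, so stop it before replacing the folder.
        Stop-Service -Name winlogbeat
    }
    if (Test-Path -LiteralPath $WinlogbeatDir) {
        # Rename-Item below would fail if the destination folder already exists.
        Remove-Item -LiteralPath $WinlogbeatDir -Recurse -Force
    }
    Expand-Archive -LiteralPath $winlogZip -DestinationPath 'C:\Program Files\' -Force
    Rename-Item -LiteralPath "C:\Program Files\winlogbeat-$WinlogbeatVersion-windows-x86_64" -NewName 'winlogbeat'
    # Elastic signs its Windows binaries; do not run an unsigned/tampered download.
    Assert-SignedBinary -Path (Join-Path $WinlogbeatDir 'winlogbeat.exe') -Publisher 'Elastic'
    Write-Host "Downloading a version of Cyb3rWard0g's winlogbeat.yml config from my repo."
    # If you want to use a different winlogbeat.yml file, change $WinlogbeatConfigUrl at the top.
    Invoke-WebRequest -Uri $WinlogbeatConfigUrl -OutFile $WinlogbeatYml -UseBasicParsing
    Write-Host "Starting Sysmon download"
    $sysmonZip = Join-Path $DownloadDir 'Sysmon.zip'
    Invoke-WebRequest -Uri $SysmonUrl -OutFile $sysmonZip -UseBasicParsing
    Write-Host "Extracting Sysmon files to 'C:\Program Files\Sysmon'"
    Expand-Archive -LiteralPath $sysmonZip -DestinationPath $SysmonDir -Force
    Sysmon-Function
}

function Sysmon-Function {
    <#
    .SYNOPSIS
        Verifies sysmon.exe is Microsoft-signed, fetches the config and installs (or reconfigures) Sysmon, then continues to Config-Change.
    #>
    $sysmonExe = Join-Path $SysmonDir 'sysmon.exe'
    $sysmonCfg = Join-Path $SysmonDir 'StartLogging.xml'
    Assert-SignedBinary -Path $sysmonExe -Publisher 'Microsoft'
    Write-Host "Downloading Cyb3rWard0g's Sysmon config file"
    Invoke-WebRequest -Uri $SysmonConfigUrl -OutFile $sysmonCfg -UseBasicParsing
    Write-Host "Setting up Sysmon"
    if (Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue) {
        # Re-run: -i would fail on an installed service; just push the new configuration.
        & $sysmonExe -c $sysmonCfg
    }
    else {
        # Install directly with the config so the driver never runs with the default ruleset;
        # the end state is the same as install-then-"-c config", which this script used to do.
        & $sysmonExe -accepteula -i $sysmonCfg
    }
    if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }
    # Print the active configuration so the operator can confirm the ruleset took effect.
    & $sysmonExe -c
    Write-Host "Setting up Winlogbeat, you will be prompted for the HELK IP"
    Config-Change
}

function winlog-Install {
    <#
    .SYNOPSIS
        Installs the winlogbeat service, writes the HELK address into winlogbeat.yml and (re)starts shipping.
    .PARAMETER HELKIP
        Address spliced into every quoted "<host>:<port>" entry of the Kafka hosts line.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$HELKIP
    )
    Push-Location $WinlogbeatDir
    try {
        .\install-service-winlogbeat.ps1
        # The downloaded yml carries bare ":9092"/":9093" (or placeholder) host entries. The previous
        # `-replace '', $HELKIP` matched the empty string, which would inject the IP between every
        # character of the file; target the quoted "host:port" strings instead and keep the port.
        $yml = Get-Content -Path $WinlogbeatYml -Raw
        $yml = $yml -replace '"[^":]*(:\d{4,5})"', ('"' + $HELKIP + '$1"')
        Set-Content -Path $WinlogbeatYml -Value $yml
        .\winlogbeat.exe config test -c .\winlogbeat.yml -e
        if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed validation (exit code $LASTEXITCODE)" }
        .\winlogbeat.exe setup -e
        Restart-Service winlogbeat
    }
    finally {
        # Never leave the caller's shell parked inside Program Files.
        Pop-Location
    }
}

Download-Files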
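<#
.SYNOPSIS
    Sets up a Windows endpoint to ship logs to HELK and installs Atomic Red Team for detection testing.

.DESCRIPTION
    Author: https://twitter.com/Valcan_K
    Made to automate endpoint setup for Cyb3rWard0g's HELK
    (https://github.com/Cyb3rWard0g/HELK, https://twitter.com/cyb3rward0g).
    Uses SwiftOnSecurity's Sysmon config
    (https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml,
    https://twitter.com/SwiftOnSecurity).
    Also installs "Invoke-AtomicRedTeam" and the Atomic tests from Red Canary:
      Invoke-atomicredteam:  https://github.com/redcanaryco/invoke-atomicredteam
      Atomic Red Team Tests: https://github.com/redcanaryco/atomic-red-team
      Red Canary:            https://twitter.com/redcanary

    Before building/executing this script I used the 1st option when installing HELK:
    "1. KAFKA + KSQL + ELK + NGNIX"

    What this script does:
      1. Downloads winlogbeat from Elastic and checks that winlogbeat.exe carries a valid
         Authenticode signature before it is executed.
      2. Downloads a modified version of Cyb3rWard0g's winlogbeat.yml (change $WinlogbeatConfigUrl
         below to point at another yml file if needed).
      3. Downloads Sysmon and SwiftOnSecurity's config, checks that sysmon.exe is Microsoft-signed,
         and installs Sysmon with that config (or updates the config on re-runs).
      4. Prompts you for the HELK IP and writes it into the Kafka hosts line of winlogbeat.yml.
      5. Installs and (re)starts the winlogbeat service; logs should be shipping to HELK at this point.
      6. Installs Atomic Red Team and the prerequisites for every atomic.

    Security notes:
      - LAB VMs only. Step 6 executes a script fetched from the invoke-atomicredteam master branch
        (remote code execution by design) and downloads offensive tooling that AV will flag.
      - Run from an elevated PowerShell with a per-session execution policy bypass, not a
        machine-wide change.
      - Downloads use HTTPS and both executables must have a valid signature before they run;
        the YAML/XML configs and the Atomic installer are not verified beyond TLS, so pin their
        URLs to reviewed commits if this ever leaves the lab.

.EXAMPLE
    .\HELK-Endpoint-Atomic-Setup.ps1
    You will be prompted for the HELKIP after files are downloaded and installed.
#>

# Abort on the first failed download/cmdlet instead of carrying on with a half-installed endpoint.
$ErrorActionPreference = 'Stop'
# Windows PowerShell 5.1 can default to TLS 1.0/1.1, which elastic.co and GitHub reject.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Change these to pin a different winlogbeat release or to use your own config files.
$WinlogbeatVersion   = '7.11.0'
$WinlogbeatUrl       = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-$WinlogbeatVersion-windows-x86_64.zip"
$WinlogbeatConfigUrl = 'https://raw.githubusercontent.com/ValcanK/HomeLab/main/Endpoints/winlogbeat.yml'
$SysmonUrl           = 'https://download.sysinternals.com/files/Sysmon.zip'
$SysmonConfigUrl     = 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'
$AtomicInstallerUrl  = 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1'

$DownloadDir   = Join-Path $env:USERPROFILE 'Downloads'
$WinlogbeatDir = 'C:\Program Files\winlogbeat'
$SysmonDir     = 'C:\Program Files\Sysmon'
$WinlogbeatYml = Join-Path $WinlogbeatDir 'winlogbeat.yml'

function Assert-SignedBinary {
    <#
    .SYNOPSIS
        Throws unless a downloaded executable carries a valid Authenticode signature from the expected publisher.
    .PARAMETER Path
        Path of the .exe to check.
    .PARAMETER Publisher
        Substring that must appear in the signer certificate's Subject (e.g. 'Microsoft').
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Publisher
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike "*$Publisher*") {
        throw "Refusing to run '$Path': signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'."
    }
}

function Config-Change {
    <#
    .SYNOPSIS
        Prompts for the HELK IP (the Mandatory parameter is left unbound on purpose) and runs the winlogbeat install.
    .PARAMETER HELKIP
        IP address or hostname of the HELK system. Only letters, digits, dots and dashes are
        accepted, so the value is safe to splice into the regex replacement in winlog-Install.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $True, Position = 0)]
        [ValidatePattern('^[A-Za-z0-9.\-]+$')]
        [string]$HELKIP
    )
    Try {
        winlog-Install -HELKIP $HELKIP
    }
    Catch {
        # Surface the real error rather than a bare "Failed", then stop the script.
        Write-Error "winlogbeat/Atomic setup failed: $_"
        throw
    }
}

function Download-Files {
    <#
    .SYNOPSIS
        Downloads and unpacks winlogbeat and Sysmon into Program Files, then continues with Sysmon-Function.
    #>
    hostname
    Write-Host "Starting Winlog Download"
    $winlogZip = Join-Path $DownloadDir 'winlogbeat.zip'
    Invoke-WebRequest -Uri $WinlogbeatUrl -OutFile $winlogZip -UseBasicParsing
    Write-Host "Extracting Winlog files to 'C:\Program Files\'"
    if (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue) {
        # Re-run: the running service locks winlogbeat.exe, so stop it before replacing the folder.
        Stop-Service -Name winlogbeat
    }
    if (Test-Path -LiteralPath $WinlogbeatDir) {
        # Rename-Item below would fail if the destination folder already exists.
        Remove-Item -LiteralPath $WinlogbeatDir -Recurse -Force
    }
    Expand-Archive -LiteralPath $winlogZip -DestinationPath 'C:\Program Files\' -Force
    Rename-Item -LiteralPath "C:\Program Files\winlogbeat-$WinlogbeatVersion-windows-x86_64" -NewName 'winlogbeat'
    # Elastic signs its Windows binaries; do not run an unsigned/tampered download.
    Assert-SignedBinary -Path (Join-Path $WinlogbeatDir 'winlogbeat.exe') -Publisher 'Elastic'
    Write-Host "Downloading a version of Cyb3rWard0g's winlogbeat.yml config from my repo."
    # If you want to use a different winlogbeat.yml file, change $WinlogbeatConfigUrl at the top.
    Invoke-WebRequest -Uri $WinlogbeatConfigUrl -OutFile $WinlogbeatYml -UseBasicParsing
    Write-Host "Starting Sysmon download"
    $sysmonZip = Join-Path $DownloadDir 'Sysmon.zip'
    Invoke-WebRequest -Uri $SysmonUrl -OutFile $sysmonZip -UseBasicParsing
    Write-Host "Extracting Sysmon files to 'C:\Program Files\Sysmon'"
    Expand-Archive -LiteralPath $sysmonZip -DestinationPath $SysmonDir -Force
    Sysmon-Function
}

function Sysmon-Function {
    <#
    .SYNOPSIS
        Verifies sysmon.exe is Microsoft-signed, fetches SwiftOnSecurity's config and installs (or reconfigures) Sysmon, then continues to Config-Change.
    #>
    $sysmonExe = Join-Path $SysmonDir 'sysmon.exe'
    $sysmonCfg = Join-Path $SysmonDir 'sysmonconfig-export.xml'
    Assert-SignedBinary -Path $sysmonExe -Publisher 'Microsoft'
    Write-Host "Downloading SwiftOnSecurity's Sysmon config file"
    Invoke-WebRequest -Uri $SysmonConfigUrl -OutFile $sysmonCfg -UseBasicParsing
    Write-Host "Setting up Sysmon"
    if (Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue) {
        # Re-run: -i would fail on an installed service; just push the new configuration.
        & $sysmonExe -c $sysmonCfg
    }
    else {
        # Install directly with the config so the driver never runs with the default ruleset;
        # the end state is the same as install-then-"-c config", which this script used to do.
        & $sysmonExe -accepteula -i $sysmonCfg
    }
    if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }
    # Print the active configuration so the operator can confirm the ruleset took effect.
    & $sysmonExe -c
    Write-Host "Setting up Winlogbeat, you will be prompted for the HELK IP"
    Config-Change
}

function winlog-Install {
    <#
    .SYNOPSIS
        Installs the winlogbeat service, writes the HELK address into winlogbeat.yml, (re)starts shipping, then installs Atomic Red Team.
    .PARAMETER HELKIP
        Address spliced into every quoted "<host>:<port>" entry of the Kafka hosts line.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$HELKIP
    )
    Push-Location $WinlogbeatDir
    try {
        .\install-service-winlogbeat.ps1
        # The downloaded yml carries bare ":9092"/":9093" (or placeholder) host entries. The previous
        # `-replace '', $HELKIP` matched the empty string, which would inject the IP between every
        # character of the file; target the quoted "host:port" strings instead and keep the port.
        $yml = Get-Content -Path $WinlogbeatYml -Raw
        $yml = $yml -replace '"[^":]*(:\d{4,5})"', ('"' + $HELKIP + '$1"')
        Set-Content -Path $WinlogbeatYml -Value $yml
        .\winlogbeat.exe config test -c .\winlogbeat.yml -e
        if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed validation (exit code $LASTEXITCODE)" }
        .\winlogbeat.exe setup -e
        Restart-Service winlogbeat
    }
    finally {
        # Never leave the caller's shell parked inside Program Files.
        Pop-Location
    }
    InstallAtomic
}

function InstallAtomic {
    <#
    .SYNOPSIS
        Installs NuGet, Invoke-AtomicRedTeam and the atomics, then fetches every test's prerequisites and lists them.
    #>
    # Prereq installation for "All" routinely reports individual failures; keep the original
    # best-effort behaviour here instead of the script-wide 'Stop' preference.
    $ErrorActionPreference = 'Continue'
    Push-Location (Join-Path $env:USERPROFILE 'Documents')
    try {
        Write-Host "Installing NuGet"
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
        Write-Host "Downloading invoke-atomic and installing atomic tests."
        # SECURITY: this executes whatever is currently on the repo's master branch (remote code
        # execution by design). Outside a disposable lab VM, pin $AtomicInstallerUrl to a reviewed
        # commit or download and read the installer before running it.
        IEX (IWR $AtomicInstallerUrl -UseBasicParsing); Install-AtomicRedTeam -getAtomics -Force
        Write-Host "Importing the Invoke-Atomic Module"
        Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
        Write-Host "Installing Prereqs for the Atomic Tests... this will take a few minutes."
        # Pulls down the tooling every atomic needs, including offensive binaries AV will flag.
        Invoke-AtomicTest All -GetPrereqs
        Write-Host "Listing details for each Atomic test."
        Invoke-AtomicTest All -ShowDetailsBrief
        Write-Host "Invoke-AtomicTest and the Atomics have been installed."
        Write-Host "To execute tests, simply use 'Invoke-AtomicTest T####' or refer to: https://github.com/redcanaryco/invoke-atomicredteam/wiki/Execute-Atomic-Tests-(Local)"
    }
    finally {
        Pop-Location
    }
}

Download-Files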