├── .gitignore
├── LICENSE
├── README.md
├── ansible
├── README.md
├── ansible.cfg
├── playbooks
│ ├── splunk_server.yml
│ └── windows_dc.yml
├── roles
│ ├── common
│ │ ├── defaults
│ │ │ └── main.yml
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── meta
│ │ │ └── main.yml
│ │ └── tasks
│ │ │ ├── chocolatey-components.yml
│ │ │ ├── main.yml
│ │ │ ├── windows-components.yml
│ │ │ └── windows-disable-defender.yml
│ ├── search_head
│ │ ├── README.md
│ │ ├── files
│ │ │ └── opt
│ │ │ │ └── splunk
│ │ │ │ └── etc
│ │ │ │ └── system
│ │ │ │ └── local
│ │ │ │ └── inputs.conf
│ │ ├── handlers
│ │ │ └── main.yml
│ │ └── tasks
│ │ │ ├── inputs.yml
│ │ │ ├── install_cim_app.yml
│ │ │ ├── install_es_app.yml
│ │ │ ├── install_escu_app.yml
│ │ │ ├── install_stream_app.yml
│ │ │ ├── install_sysmon_ta.yml
│ │ │ ├── install_windows_ta.yml
│ │ │ ├── main.yml
│ │ │ └── splunk.yml
│ ├── sysmon
│ │ ├── defaults
│ │ │ └── main.yml
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── meta
│ │ │ └── main.yml
│ │ ├── tasks
│ │ │ ├── main.yml
│ │ │ ├── windows-logging-registry.yml
│ │ │ └── windows-sysmon.yml
│ │ └── templates
│ │ │ ├── SysmonConfig-Neo23x0-server.xml.j2
│ │ │ ├── SysmonConfig-Neo23x0-workstations.xml.j2
│ │ │ ├── SysmonConfig-TSwift.xml.j2
│ │ │ ├── SysmonConfig-Verbose.xml.j2
│ │ │ ├── SysmonConfig-moti.xml.j2
│ │ │ └── SysmonConfig.xml.j2
│ ├── universal_forwarder
│ │ ├── defaults
│ │ │ └── main.yml
│ │ ├── files
│ │ │ ├── inputs.conf
│ │ │ └── main.yml
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── tasks
│ │ │ ├── install_splunk_stream.yml
│ │ │ ├── install_splunk_sysmon_ta.yml
│ │ │ ├── install_splunk_uf.yml
│ │ │ ├── install_splunk_windows_ta.yml
│ │ │ └── main.yaml
│ │ └── templates
│ │ │ └── inputs.conf.j2
│ ├── windows_dns_server
│ │ ├── defaults
│ │ │ └── main.yml
│ │ ├── handlers
│ │ │ └── main.yml
│ │ └── tasks
│ │ │ ├── features.yml
│ │ │ ├── main.yaml
│ │ │ └── reboot.yml
│ └── windows_domain_controller
│ │ ├── defaults
│ │ └── main.yml
│ │ ├── handlers
│ │ └── main.yml
│ │ └── tasks
│ │ ├── create.yml
│ │ ├── main.yaml
│ │ └── reboot.yml
└── vars
│ └── vars.yml
├── images
└── diagram.png
├── splunk_server
└── Vagrantfile
└── windows_dc_2016
└── Vagrantfile
/.gitignore:
--------------------------------------------------------------------------------
1 | # Byte-compiled / optimized / DLL files
2 | __pycache__/
3 | *.py[cod]
4 | *$py.class
5 |
6 | # C extensions
7 | *.so
8 |
9 | # Distribution / packaging
10 | .Python
11 | build/
12 | develop-eggs/
13 | dist/
14 | downloads/
15 | eggs/
16 | .eggs/
17 | lib/
18 | lib64/
19 | parts/
20 | sdist/
21 | var/
22 | wheels/
23 | *.egg-info/
24 | .installed.cfg
25 | *.egg
26 | MANIFEST
27 |
28 | # PyInstaller
29 | # Usually these files are written by a python script from a template
30 | # before PyInstaller builds the exe, so as to inject date/other infos into it.
31 | *.manifest
32 | *.spec
33 |
34 | # Installer logs
35 | pip-log.txt
36 | pip-delete-this-directory.txt
37 |
38 | # Unit test / coverage reports
39 | htmlcov/
40 | .tox/
41 | .coverage
42 | .coverage.*
43 | .cache
44 | nosetests.xml
45 | coverage.xml
46 | *.cover
47 | .hypothesis/
48 | .pytest_cache/
49 |
50 | # Translations
51 | *.mo
52 | *.pot
53 |
54 | # Django stuff:
55 | *.log
56 | local_settings.py
57 | db.sqlite3
58 |
59 | # Flask stuff:
60 | instance/
61 | .webassets-cache
62 |
63 | # Scrapy stuff:
64 | .scrapy
65 |
66 | # Sphinx documentation
67 | docs/_build/
68 |
69 | # PyBuilder
70 | target/
71 |
72 | # Jupyter Notebook
73 | .ipynb_checkpoints
74 |
75 | # pyenv
76 | .python-version
77 |
78 | # celery beat schedule file
79 | celerybeat-schedule
80 |
81 | # SageMath parsed files
82 | *.sage.py
83 |
84 | # Environments
85 | .env
86 | .venv
87 | env/
88 | venv/
89 | ENV/
90 | env.bak/
91 | venv.bak/
92 |
93 | # Spyder project settings
94 | .spyderproject
95 | .spyproject
96 |
97 | # Rope project settings
98 | .ropeproject
99 |
100 | # mkdocs documentation
101 | /site
102 |
103 | # mypy
104 | .mypy_cache/
105 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Building a Windows Domain Controller
2 | A example repo that show how to build a windows 2016 domain controller for attack analsys using Vagrant and Ansible
3 |
4 | # Getting Started
5 | ##### 1. Bring up a windows domain controller
6 |
7 | ```
8 | cd windows_dc_2016
9 | vagrant up
10 | ```
11 |
12 | ##### 2. Bring up a Splunk instance
13 |
14 | ```
15 | cd ../splunk_server
16 | vagrant up
17 | ```
18 |
19 |
20 | # Logical Diagram
21 |
22 | 
23 |
24 | # Troubleshooting
25 |
26 | #### ssh into the splunk_server
27 | To log into the splunk_server box manually:
28 |
29 | ```
30 | cd splunk_server
31 | vagrant ssh splunk_server
32 | ```
--------------------------------------------------------------------------------
/ansible/README.md:
--------------------------------------------------------------------------------
1 | ### Getting Started
2 | * set variables edit `vars/vars.yml`
3 |
--------------------------------------------------------------------------------
/ansible/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | roles_path = roles
3 | retry_files_enabled = False # Do not create them
4 | deprecation_warnings=False
5 |
--------------------------------------------------------------------------------
/ansible/playbooks/splunk_server.yml:
--------------------------------------------------------------------------------
1 | - hosts: splunk-server
2 | gather_facts: False
3 | pre_tasks:
4 | - name: Install python for Ansible
5 | raw: test -e /usr/bin/python || (sudo apt -y update && sudo apt install -y python-minimal)
6 | changed_when: False
7 | - setup: # aka gather_facts
8 | become: true
9 | roles:
10 | - common
11 | - search_head
12 | vars_files:
13 | - ../vars/vars.yml
14 |
--------------------------------------------------------------------------------
/ansible/playbooks/windows_dc.yml:
--------------------------------------------------------------------------------
1 | - hosts: dc
2 | gather_facts: True
3 | roles:
4 | - common
5 | - windows_dns_server
6 | - windows_domain_controller
7 | - universal_forwarder
8 | - sysmon
9 | vars_files:
10 | - ../vars/vars.yml
11 |
--------------------------------------------------------------------------------
/ansible/roles/common/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 |
--------------------------------------------------------------------------------
/ansible/roles/common/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
--------------------------------------------------------------------------------
/ansible/roles/common/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | galaxy_info:
3 | role_name: install_misc_software
4 | author: Russ Nolen rnolen@splunk.com
5 | description: Install some basic software
6 | license: BSD
7 | min_ansible_version: 2.4
8 | platforms:
9 | - name: Windows
10 | versions:
11 | - 2012R2
12 | - Win10
13 | galaxy_tags:
14 | - system
15 | - security
16 | dependencies: []
17 |
--------------------------------------------------------------------------------
/ansible/roles/common/tasks/chocolatey-components.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Install Chocolately via Powershell
3 | win_shell: "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))"
4 | - name: Install notepadplusplus
5 | win_chocolatey:
6 | name: notepadplusplus
--------------------------------------------------------------------------------
/ansible/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # need to wrap an if statement around this one
3 | # make it windows specific
4 | - include: windows-disable-defender.yml
5 | when: ansible_distribution is search ('Microsoft')
6 |
--------------------------------------------------------------------------------
/ansible/roles/common/tasks/windows-components.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Install the Visual C++ Redistributable
3 | win_package:
4 | path: "https://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x64.exe"
5 | product_id: '{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}'
6 | arguments: /install /passive /norestart
7 |
--------------------------------------------------------------------------------
/ansible/roles/common/tasks/windows-disable-defender.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | - name: Disable Windows Defender
4 | win_regedit:
5 | key: "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
6 | value: DisableRealTimeMonitoring
7 | datatype: dword
8 | data: 1
9 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | ========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | -------------------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/files/opt/splunk/etc/system/local/inputs.conf:
--------------------------------------------------------------------------------
1 | [default]
2 | host = splunk-server
3 |
4 | [splunktcp://9997]
5 | disabled = 0
6 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: restart splunk
2 | service: name=Splunkd state=restarted
3 | become: yes
4 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/tasks/inputs.yml:
--------------------------------------------------------------------------------
1 | - name: copy inputs.conf
2 | tags:
3 | - install
4 | - security
5 | copy: src=opt/splunk/etc/system/local/inputs.conf dest=/opt/splunk/etc/system/local owner=splunk group=splunk mode=755
6 | notify: restart splunk
7 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/tasks/install_cim_app.yml:
--------------------------------------------------------------------------------
1 | - name: Check we have downloaded splunk cim app
2 | stat:
3 | path: /tmp/cim_app.tgz
4 | register: cim_app
5 |
6 | - name: Download cim app
7 | get_url:
8 | url: "{{ splunk_cim_app }}"
9 | dest: /tmp/cim_app.tgz
10 | owner: splunk
11 | group: splunk
12 | when: cim_app.stat.exists == False
13 |
14 | - name: install cim app
15 | unarchive:
16 | src: /tmp/cim_app.tgz
17 | dest: /opt/splunk/etc/apps
18 | remote_src: yes
19 | notify: restart splunk
20 | become: yes
21 | become_user: splunk
22 | when: cim_app.stat.exists == False
23 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/tasks/install_es_app.yml:
--------------------------------------------------------------------------------
1 | - name: Check we have downloaded splunk es app
2 | stat:
3 | path: /tmp/es_app.tgz
4 | register: es_app
5 |
6 | - name: Download es app
7 | get_url:
8 | url: "{{ splunk_es_app }}"
9 | dest: /tmp/es_app.tgz
10 | owner: splunk
11 | group: splunk
12 | notify: restart splunk
13 | when: es_app.stat.exists == False
14 |
15 | - name: Install es app via REST
16 | uri:
17 | url: "https://127.0.0.1:8089/services/apps/local"
18 | method: POST
19 | user: "admin"
20 | password: "{{ splunk_pass }}"
21 | validate_certs: false
22 | body: "name=/tmp/es_app.tgz&update=true&filename=true"
23 | headers:
24 | Content-Type: "application/x-www-form-urlencoded"
25 | status_code: [ 200, 201 ]
26 | timeout: 30
27 | when: es_app.stat.exists == False
28 | notify: restart splunk
29 |
30 | - name: Run es post-install setup
31 | command: "/opt/splunk/bin/splunk search '| essinstall' -auth admin:{{ splunk_pass }}"
32 | become: yes
33 | become_user: splunk
34 | when: es_app.stat.exists == False
35 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/tasks/install_escu_app.yml:
--------------------------------------------------------------------------------
1 | - name: Check we have downloaded splunk escu app
2 | stat:
3 | path: /tmp/escu_app.tgz
4 | register: escu_app
5 |
6 | - name: Download escu app
7 | get_url:
8 | url: "{{ splunk_escu_app }}"
9 | dest: /tmp/escu_app.tgz
10 | owner: splunk
11 | group: splunk
12 | notify: restart splunk
13 | when: escu_app.stat.exists == False
14 |
15 | - name: Install escu app via REST
16 | uri:
17 | url: "https://127.0.0.1:8089/services/apps/local"
18 | method: POST
19 | user: "admin"
20 | password: "{{ splunk_pass }}"
21 | validate_certs: false
22 | body: "name=/tmp/escu_app.tgz&update=true&filename=true"
23 | headers:
24 | Content-Type: "application/x-www-form-urlencoded"
25 | status_code: [ 200, 201 ]
26 | timeout: 30
27 | when: escu_app.stat.exists == False
28 | notify: restart splunk
29 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/tasks/install_stream_app.yml:
--------------------------------------------------------------------------------
1 | - name: Check we have downloaded splunk stream app
2 | stat:
3 | path: /tmp/stream_app.tgz
4 | register: stream_app
5 |
6 | - name: Download stream app
7 | get_url:
8 | url: "{{ splunk_stream_app }}"
9 | dest: /tmp/stream_app.tgz
10 | owner: splunk
11 | group: splunk
12 | notify: restart splunk
13 | when: stream_app.stat.exists == False
14 |
15 | - name: Install stream app via REST
16 | uri:
17 | url: "https://127.0.0.1:8089/services/apps/local"
18 | method: POST
19 | user: "admin"
20 | password: "{{ splunk_pass }}"
21 | validate_certs: false
22 | body: "name=/tmp/stream_app.tgz&update=true&filename=true"
23 | headers:
24 | Content-Type: "application/x-www-form-urlencoded"
25 | status_code: [ 200, 201 ]
26 | timeout: 300
27 | when: stream_app.stat.exists == False
28 | notify: restart splunk
29 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/tasks/install_sysmon_ta.yml:
--------------------------------------------------------------------------------
1 | - name: Check we have downloaded splunk sysmon ta
2 | stat:
3 | path: /tmp/sysmon_ta.tgz
4 | register: sysmon_ta
5 |
6 | - name: Download sysmon ta
7 | get_url:
8 | url: "{{ splunk_sysmon_ta }}"
9 | dest: /tmp/sysmon_ta.tgz
10 | owner: splunk
11 | group: splunk
12 | notify: restart splunk
13 | when: sysmon_ta.stat.exists == False
14 |
15 | - name: Install sysmon app via REST
16 | uri:
17 | url: "https://127.0.0.1:8089/services/apps/local"
18 | method: POST
19 | user: "admin"
20 | password: "{{ splunk_pass }}"
21 | validate_certs: false
22 | body: "name=/tmp/sysmon_ta.tgz&update=true&filename=true"
23 | headers:
24 | Content-Type: "application/x-www-form-urlencoded"
25 | status_code: [ 200, 201 ]
26 | timeout: 30
27 | when: sysmon_ta.stat.exists == False
28 | notify: restart splunk
29 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/tasks/install_windows_ta.yml:
--------------------------------------------------------------------------------
1 | - name: Check we have downloaded splunk windows ta
2 | stat:
3 | path: /tmp/windows_ta.tgz
4 | register: windows_ta
5 |
6 | - name: Download windows ta
7 | get_url:
8 | url: "{{ splunk_windows_ta }}"
9 | dest: /tmp/windows_ta.tgz
10 | owner: splunk
11 | group: splunk
12 | notify: restart splunk
13 | when: windows_ta.stat.exists == False
14 |
15 | - name: Install windows app via REST
16 | uri:
17 | url: "https://127.0.0.1:8089/services/apps/local"
18 | method: POST
19 | user: "admin"
20 | password: "{{ splunk_pass }}"
21 | validate_certs: false
22 | body: "name=/tmp/windows_ta.tgz&update=true&filename=true"
23 | headers:
24 | Content-Type: "application/x-www-form-urlencoded"
25 | status_code: [ 200, 201 ]
26 | timeout: 30
27 | when: windows_ta.stat.exists == False
28 | notify: restart splunk
29 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # This playbook contains common tasks in this role
3 |
4 | - include: splunk.yml
5 | - include: inputs.yml
6 | - include: install_escu_app.yml
7 | - include: install_windows_ta.yml
8 | - include: install_sysmon_ta.yml
9 | when: sysmon is defined
10 | - include: install_es_app.yml
11 | when: enterprise_security is defined
12 | - include: install_stream_app.yml
13 | when: stream is defined
14 | - name: Finished
15 | debug: msg="Access your freshly configure splunk instance at http://localhost:8000 with username admin and password {{ splunk_pass }}"
16 |
--------------------------------------------------------------------------------
/ansible/roles/search_head/tasks/splunk.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # This playbook install the apps required in a server
3 |
4 | - name: add splunk group
5 | tags:
6 | - install
7 | - security
8 | group: name=splunk state=present
9 |
10 | - name: add splunk user
11 | tags:
12 | - install
13 | - security
14 | user: name=splunk comment="Splunk service user" shell=/usr/sbin/nologin groups=splunk createhome=yes
15 |
16 | - name: make /opt writetable by splunk
17 | tags:
18 | - install
19 | file: path=/opt mode=777
20 |
21 | - name: checking if splunk is install
22 | tags: install
23 | stat: path=/opt/splunk
24 | register: splunk_path
25 |
26 | - name: is splunk installed?
27 | tags: install
28 | debug: msg='splunk is already installed under /opt/splunk'
29 | when: splunk_path.stat.exists
30 |
31 | - name: Download Splunk
32 | get_url:
33 | url: "{{ splunk_binary_url }}"
34 | dest: /opt/
35 | when: splunk_path.stat.exists == false
36 |
37 | - name: install splunk binary
38 | tags:
39 | - install
40 | unarchive: remote_src=yes src=/opt/{{splunk_binary}} dest=/opt/ owner=splunk group=splunk creates=yes
41 | become: yes
42 | become_user: splunk
43 | when: splunk_path.stat.exists == false
44 |
45 | - name: accept license and start splunk
46 | tags:
47 | - install
48 | shell: /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd {{splunk_pass}}
49 | become: yes
50 | become_user: splunk
51 | when: splunk_path.stat.exists == false
52 |
53 | - name: enable boot-start
54 | tags:
55 | - install
56 | shell: /opt/splunk/bin/splunk enable boot-start -user splunk
57 | when: splunk_path.stat.exists == false
58 |
59 | - name: restart splunk
60 | service:
61 | name: Splunkd
62 | state: restarted
63 | when: splunk_path.stat.exists == false
64 |
65 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/defaults/main.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josehelps/building-a-windows-dc/7c914ed5005bc18ec545de7cb22d495c85d914be/ansible/roles/sysmon/defaults/main.yml
--------------------------------------------------------------------------------
/ansible/roles/sysmon/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: restart splunk
2 | win_command: C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe restart
3 |
4 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | galaxy_info:
3 | role_name: win_sysmon
4 | author: Russ Nolen ported from juju4
5 | description: setup Sysmon on Windows system
6 | license: BSD
7 | min_ansible_version: 2.4
8 | platforms:
9 | - name: Windows
10 | versions:
11 | - 2012R2
12 | - Win10
13 | galaxy_tags:
14 | - system
15 | - security
16 | dependencies: []
17 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | - name: Create ansible directories
4 | win_file:
5 | path: "{{ item }}"
6 | state: directory
7 | with_items:
8 | - "{{ win_temp_dir }}"
9 | - "{{ win_log_dir }}"
10 |
11 | - include: windows-sysmon.yml
12 | - include: windows-logging-registry.yml
13 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/tasks/windows-logging-registry.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | - name: WINEVT Channels Event Log Enabled
4 | win_regedit:
5 | key: "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\{{ item }}"
6 | value: Enabled
7 | datatype: dword
8 | data: 1
9 | with_items: "{{ win_sysmon_eventlog_channels }}"
10 |
11 | - debug: var=win_eventlog_maxsize
12 | - name: WINEVT Channels Event Log size review
13 | win_regedit:
14 | key: "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\{{ item }}"
15 | value: MaxSize
16 | datatype: dword
17 | data: "{{ win_eventlog_maxsize }}"
18 | with_items: "{{ win_sysmon_eventlog_channels }}"
19 |
20 | - name: WINEVT Channels Event Log retention review
21 | win_regedit:
22 | key: "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\{{ item }}"
23 | value: Retention
24 | datatype: dword
25 | data: "{{ win_eventlog_retention }}"
26 | with_items: "{{ win_sysmon_eventlog_channels }}"
27 |
28 | - name: Check Sysmon Logs channel registry entry
29 | win_reg_stat:
30 | path: "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\{{ item }}"
31 | with_items: "{{ win_sysmon_eventlog_channels }}"
32 | register: logreg
33 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/tasks/windows-sysmon.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | - block:
4 | - name: check if sysmon archive is present
5 | win_stat: path="{{ win_temp_dir }}\\{{ win_sysmon_url | basename }}"
6 | register: sysmondl
7 | - name: download sysmon
8 | win_get_url:
9 | url: "{{ win_sysmon_url }}"
10 | dest: "{{ win_temp_dir }}\\{{ win_sysmon_url | basename }}"
11 | when: not sysmondl.stat.exists
12 | - name: unzip sysmon
13 | win_unzip:
14 | src: "{{ win_temp_dir }}\\{{ win_sysmon_url | basename }}"
15 | dest: "{{ win_temp_dir }}\\sysmon"
16 | creates: "{{ win_temp_dir }}\\sysmon\\sysmon.exe"
17 | - set_fact:
18 | sysmon_path: "{{ win_temp_dir }}\\sysmon\\sysmon64.exe"
19 | - debug:
20 | msg: '{{ sysmon_path }}'
21 | when: win_sysmon_direct
22 |
23 | - block:
24 | - name: install sysmon with chocolatey
25 | win_chocolatey:
26 | name: sysmon
27 | state: present
28 | ignore_checksums: yes
29 | ## FIXME!
30 | #install_args: "--checksum {{ win_sysmon_sha256 }}"
31 | - set_fact:
32 | sysmon_path: "c:\\ProgramData\\chocolatey\\lib\\sysmon\\tools\\sysmon"
33 | when: not win_sysmon_direct
34 |
35 | - block:
36 | - name: Copy Sysmon template
37 | win_template:
38 | src: "{{ win_sysmon_template }}.j2"
39 | dest: "{{ win_temp_dir }}\\{{ win_sysmon_template }}"
40 | - debug:
41 | msg: '"{{ sysmon_path }}" -n -accepteula -i "{{ win_temp_dir }}\\{{ win_sysmon_template }}"'
42 | - name: install sysmon with defined config
43 | win_command: '"{{ sysmon_path }}" -n -accepteula -i "{{ win_temp_dir }}\\{{ win_sysmon_template }}"'
44 | ignore_errors: true
45 | notify: restart machine
46 | when: win_sysmon_template != ''
47 |
48 | - block:
49 | - name: install sysmon
50 | win_command: "{{ sysmon_path }} -i -n -accepteula"
51 | ignore_errors: true
52 | notify: restart machine
53 | when: win_sysmon_template == ''
54 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-server.xml.j2:
--------------------------------------------------------------------------------
1 | {{ ansible_managed | comment('xml') }}
2 |
15 |
16 |
17 | MD5,SHA1,SHA256,IMPHASH
18 |
19 |
20 |
21 |
22 | microsoft
23 | windows
24 |
25 |
26 |
27 | splunk
28 | btool.exe
29 | SnareCore
30 | nxlog
31 | Microsoft Monitoring Agent\Agent\MonitoringHost.exe
32 | ClearMyTracksByProcess
33 |
34 |
35 |
36 | lsass.exe
37 | winlogon.exe
38 | svchost.exe
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 | Windows\CurrentVersion\Run
49 | Windows\CurrentVersion\Image File Execution Options
50 | CurrentControlSet\Services
51 | Microsoft\Windows NT\CurrentVersion\Winlogon
52 | Microsoft\Windows\CurrentVersion\Policies\Explorer
53 | Microsoft\Windows\CurrentVersion\RunOnce
54 | System\CurrentControlSet\Services\Tcpip\parameters
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 | 80
63 | 443
64 | 8080
65 | 3389
66 | cmd.exe
67 | PsExe
68 | winexe
69 | powershell
70 | cscript
71 | mstsc
72 | RTS2App
73 | RTS3App
74 | wmic
75 |
76 |
77 |
78 |
79 |
80 | lsass.exe
81 |
82 |
83 | wmiprvse.exe
84 | GoogleUpdate.exe
85 | LTSVC.exe
86 | taskmgr.exe
87 | VBoxService.exe # Virtual Box
88 | vmtoolsd.exe
89 | taskmgr.exe
90 | \Citrix\System32\wfshell.exe #Citrix process in C:\Program Files (x86)\Citrix\System32\wfshell.exe
91 | C:\Windows\System32\lsm.exe # System process under C:\Windows\System32\lsm.exe
92 | Microsoft.Identity.AadConnect.Health.AadSync.Host.exe # Microsoft Azure AD Connect Health Sync Agent
93 | C:\Program Files (x86)\Symantec\Symantec Endpoint Protection # Symantec
94 |
95 |
99 |
100 |
101 | verclsid.exe
102 | svchost.exe
103 |
104 |
106 |
107 | 0x1F0FFF
108 | 0x1F1FFF
109 | 0x1F2FFF
110 | 0x1F3FFF
111 |
112 | 0x1FFFFF
113 | unknown
114 |
115 |
116 |
117 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-workstations.xml.j2:
--------------------------------------------------------------------------------
1 | {{ ansible_managed | comment('xml') }}
2 |
16 |
17 |
18 | MD5,SHA1,SHA256,IMPHASH
19 |
20 |
21 |
22 |
23 | microsoft
24 | windows
25 |
26 |
27 |
28 | System
29 |
30 |
31 |
32 | WmiPrvSE.exe
33 | FireSvc.exe
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 | Windows\CurrentVersion\Run
44 | Windows\CurrentVersion\Image File Execution Options
45 | CurrentControlSet\Services
46 | Microsoft\Windows NT\CurrentVersion\Winlogon
47 | Microsoft\Windows\CurrentVersion\Policies\Explorer
48 | Microsoft\Windows\CurrentVersion\RunOnce
49 | System\CurrentControlSet\Services\Tcpip\parameters
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 | chrome.exe
58 | iexplore.exe
59 | firefox.exe
60 | 8080
61 |
62 |
65 |
66 |
67 |
68 |
69 |
87 |
88 |
89 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/templates/SysmonConfig-TSwift.xml.j2:
--------------------------------------------------------------------------------
1 | {{ ansible_managed | comment('xml') }}
2 |
55 |
56 |
57 |
58 | md5,sha256
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
73 |
74 |
75 |
76 |
77 | C:\Windows\system32\DllHost.exe /Processid
78 | C:\Windows\system32\SearchIndexer.exe /Embedding
79 | C:\Windows\system32\CompatTelRunner.exe
80 | C:\Windows\system32\audiodg.exe
81 | C:\Windows\system32\conhost.exe
82 | C:\Windows\system32\musNotification.exe
83 | C:\Windows\system32\musNotificationUx.exe
84 | C:\Windows\system32\powercfg.exe
85 | C:\Windows\system32\sndVol.exe
86 | C:\Windows\system32\sppsvc.exe
87 | C:\Windows\system32\wbem\WmiApSrv.exe
88 | C:\Windows\System32\plasrv.exe
89 | C:\Windows\System32\wifitask.exe
90 | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
91 | C:\Windows\System32\TokenBrokerCookies.exe
92 | C:\windows\system32\wermgr.exe -queuereporting
93 | C:\windows\system32\wermgr.exe -queuereporting
94 | "C:\Windows\system32\wermgr.exe" "-queuereporting_svc"
95 | C:\WINDOWS\system32\wermgr.exe -upload
96 | \SystemRoot\System32\smss.exe
97 | \??\C:\WINDOWS\system32\autochk.exe *
98 | AppContainer
99 | %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
100 | C:\Windows\system32\SearchIndexer.exe
101 | C:\Windows\system32\mobsync.exe
102 | C:\Windows\system32\wbem\wmiprvse.exe -Embedding
103 | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
104 | C:\Windows\system32\SppExtComObj.Exe
105 | C:\Windows\system32\PrintIsolationHost.exe
106 |
107 | C:\Program Files\Windows Defender
108 | C:\Windows\system32\MpSigStub.exe
109 | C:\Windows\SoftwareDistribution\Download\Install\AM_
110 |
111 |
112 | C:\Windows\system32\svchost.exe -k appmodel -s StateRepository
113 | C:\Windows\system32\svchost.exe -k appmodel
114 | C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc
115 | C:\Windows\system32\svchost.exe -k camera -s FrameServer
116 | C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM
117 | C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
118 | C:\Windows\system32\svchost.exe -k defragsvc
119 | C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc
120 | C:\Windows\system32\svchost.exe -k imgsvc
121 | C:\Windows\system32\svchost.exe -k localService -s EventSystem
122 | C:\Windows\system32\svchost.exe -k localService -s bthserv
123 | C:\Windows\system32\svchost.exe -k localService -s nsi
124 | C:\Windows\system32\svchost.exe -k localService -s w32Time
125 | C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation
126 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp
127 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog
128 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc
129 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc
130 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted
131 | C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc
132 | C:\Windows\system32\svchost.exe -k localServiceNoNetwork
133 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum
134 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc
135 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService
136 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService
137 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService
138 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService
139 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService
140 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum
141 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost
142 | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
143 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
144 | C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
145 | C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc
146 | C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC
147 | C:\Windows\system32\svchost.exe -k netsvcs -s BITS
148 | C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc
149 | C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
150 | C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc
151 | C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc
152 | C:\Windows\system32\svchost.exe -k netsvcs -s SENS
153 | C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv
154 | C:\Windows\system32\svchost.exe -k netsvcs -s Themes
155 | C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
156 | C:\Windows\system32\svchost.exe -k netsvcs
157 | C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc
158 | C:\Windows\system32\svchost.exe -k networkService -s Dnscache
159 | C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation
160 | C:\Windows\system32\svchost.exe -k networkService -s NlaSvc
161 | C:\Windows\system32\svchost.exe -k networkService -s TermService
162 | C:\Windows\system32\svchost.exe -k networkService
163 | C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted
164 | C:\Windows\system32\svchost.exe -k rPCSS
165 | C:\Windows\system32\svchost.exe -k secsvcs
166 | C:\Windows\system32\svchost.exe -k swprv
167 | C:\Windows\system32\svchost.exe -k unistackSvcGroup
168 | C:\Windows\system32\svchost.exe -k utcsvc
169 | C:\Windows\system32\svchost.exe -k wbioSvcGroup
170 | C:\Windows\system32\svchost.exe -k werSvcGroup
171 | C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC
172 | C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc
173 | C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC
174 | C:\Windows\system32\svchost.exe -k wsappx
175 | C:\Windows\system32\svchost.exe -k netsvcs
176 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
177 |
178 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
179 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
180 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
181 | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
182 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
183 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
184 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
185 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
186 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
187 |
188 | C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE
189 | C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
190 | C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE
191 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
192 | C:\Program Files\Microsoft Office\Office16\msoia.exe
193 | C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe
194 |
195 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
196 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
197 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
198 |
199 | C:\Program Files\Windows Media Player\wmpnscfg.exe
200 |
201 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
202 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
203 | C:\Program Files (x86)\Google\Update\
204 | C:\Program Files (x86)\Google\Update\
205 |
206 | "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel
207 | "C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel
208 |
209 | AcroRd32.exe" /CR
210 | AcroRd32.exe" --channel=
211 | C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
212 |
213 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
214 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
215 |
216 | C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe
217 | C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe
218 |
219 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
220 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
221 |
222 | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
223 |
224 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
225 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
226 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
227 |
228 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
229 | C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
230 | C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
231 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe
232 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
233 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
234 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
235 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
236 |
237 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
238 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
239 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
240 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
241 |
242 | C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
243 |
244 |
245 | "C:\Program Files\DellTPad\ApMsgFwd.exe" -s{
246 | C:\Windows\system32\igfxsrvc.exe -Embedding
247 | C:\Program Files\DellTPad\HidMonitorSvc.exe
248 | C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
249 |
250 | C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
251 | C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
252 |
253 | C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
254 | C:\Program Files\Dell\SupportAssist\pcdrcui.exe
255 | C:\Program Files\Dell\SupportAssist\koala.exe
256 | "-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16"
257 |
258 |
259 |
260 |
261 |
262 |
263 |
264 | C:\Users
265 |
266 |
267 |
268 | OneDrive.exe
269 | C:\Windows\system32\backgroundTaskHost.exe
270 | setup
271 | install
272 | Update\
273 | redist.exe
274 | msiexec.exe
275 | TrustedInstaller.exe
276 |
277 |
278 |
279 |
280 |
281 |
282 |
283 |
284 |
285 |
286 |
287 |
288 |
289 |
290 | C:\Users
291 | C:\ProgramData
292 | C:\Windows\Temp
293 |
294 | at.exe
295 | certutil.exe
296 | cmd.exe
297 | cmstp.exe
298 | cscript.exe
299 | driverquery.exe
300 | dsquery.exe
301 | hh.exe
302 | infDefaultInstall.exe
303 | java.exe
304 | javaw.exe
305 | javaws.exe
306 | mmc.exe
307 | msbuild.exe
308 | mshta.exe
309 | msiexec.exe
310 | nbtstat.exe
311 | net.exe
312 | net1.exe
313 | notepad.exe
314 | nslookup.exe
315 | powershell.exe
316 | qprocess.exe
317 | qwinsta.exe
318 | qwinsta.exe
319 | reg.exe
320 | regsvcs.exe
321 | regsvr32.exe
322 | rundll32.exe
323 | rwinsta.exe
324 | sc.exe
325 | schtasks.exe
326 | taskkill.exe
327 | tasklist.exe
328 | wmic.exe
329 | wscript.exe
330 |
331 | nc.exe
332 | ncat.exe
333 | psexec.exe
334 | psexesvc.exe
335 | tor.exe
336 | vnc.exe
337 | vncservice.exe
338 | vncviewer.exe
339 | winexesvc.exe
340 | nmap.exe
341 | psinfo.exe
342 |
343 | 22
344 | 23
345 | 25
346 | 142
347 | 3389
348 | 5800
349 | 5900
350 |
351 | 1080
352 | 3128
353 | 8080
354 |
355 | 1723
356 | 4500
357 | 9001
358 | 9030
359 |
360 |
361 |
362 |
363 | Spotify.exe
364 | AppData\Roaming\Dropbox\bin\Dropbox.exe
365 | g2ax_comm_expert.exe
366 | g2mcomm.exe
367 |
368 | OneDrive.exe
369 | OneDriveStandaloneUpdater.exe
370 | AppData\Local\Microsoft\Teams\current\Teams.exe
371 | microsoft.com
372 | microsoft.com.akadns.net
373 | microsoft.com.nsatc.net
374 |
375 |
376 |
377 |
378 |
379 |
380 |
381 |
382 |
383 |
384 |
385 |
386 | C:\Users
387 |
388 |
389 |
390 |
391 |
392 |
393 |
396 |
397 |
398 |
399 |
400 | microsoft
401 | windows
402 | Intel
403 |
404 |
405 |
406 |
407 |
408 |
409 |
410 |
411 |
412 |
413 |
414 |
416 |
417 |
418 |
419 |
420 | C:\Windows\system32\wbem\WmiPrvSE.exe
421 | C:\Windows\system32\svchost.exe
422 | C:\Windows\system32\wininit.exe
423 | C:\Windows\system32\csrss.exe
424 | C:\Windows\system32\services.exe
425 | C:\Windows\system32\winlogon.exe
426 | C:\Windows\system32\audiodg.exe
427 | C:\Windows\system32\kernel32.dll
428 | Google\Chrome\Application\chrome.exe
429 | C:\Program Files (x86)\Webroot\WRSA.exe
430 |
431 |
432 |
433 |
434 |
435 |
438 |
439 |
440 |
441 |
442 |
443 |
444 |
445 |
446 |
447 |
448 |
449 |
450 |
451 |
452 |
453 |
454 |
455 |
456 |
457 |
458 |
459 |
460 | \Start Menu
461 | \Startup\
462 | \Content.Outlook\
463 | \Downloads\
464 | .application
465 | .appref-ms
466 | .bat
467 | .chm
468 | .cmd
469 | .cmdline
470 | .docm
471 | .exe
472 | .jar
473 | .jnlp
474 | .jse
475 | .hta
476 | .pptm
477 | .ps1
478 | .sys
479 | .scr
480 | .vbe
481 | .vbs
482 | .xlsm
483 | proj
484 | .sln
485 | C:\Users\Default
486 | C:\Windows\system32\Drivers
487 | C:\Windows\SysWOW64\Drivers
488 | C:\Windows\system32\GroupPolicy\Machine\Scripts
489 | C:\Windows\system32\GroupPolicy\User\Scripts
490 | C:\Windows\system32\Wbem
491 | C:\Windows\SysWOW64\Wbem
492 | C:\Windows\system32\WindowsPowerShell
493 | C:\Windows\SysWOW64\WindowsPowerShell
494 | C:\Windows\Tasks\
495 | C:\Windows\system32\Tasks
496 |
497 | C:\Windows\AppPatch\Custom
498 | VirtualStore
499 |
500 | .xls
501 | .ppt
502 | .rft
503 |
504 |
505 |
506 |
507 | C:\Program Files (x86)\EMET 5.5\EMET_Service.exe
508 |
509 | C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask
510 |
511 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
512 |
513 | C:\Windows\system32\smss.exe
514 | C:\Windows\system32\CompatTelRunner.exe
515 | \\?\C:\Windows\system32\wbem\WMIADAP.EXE
516 | C:\Windows\system32\mobsync.exe
517 | C:\Windows\system32\DriverStore\Temp\
518 | C:\Windows\system32\wbem\Performance\
519 | WRITABLE.TST
520 | C:\Windows\Installer\
521 |
522 | C:\$WINDOWS.~BT\Sources\
523 | C:\Windows\winsxs\amd64_microsoft-windows
524 |
525 | C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
526 |
527 | C:\Windows\system32\igfxCUIService.exe
528 |
529 | C:\Windows\System32\Tasks\Adobe Acrobat Update Task
530 | C:\Windows\System32\Tasks\Adobe Flash Player Updater
531 |
532 |
533 |
534 |
535 |
536 |
537 |
538 |
539 |
540 |
541 |
542 |
543 |
544 |
545 |
546 |
547 |
548 |
549 |
550 |
551 |
552 |
553 |
554 |
555 |
556 |
557 |
558 | CurrentVersion\Run
559 | Policies\Explorer\Run
560 | Group Policy\Scripts
561 | Windows\System\Scripts
562 | CurrentVersion\Windows\Load
563 | CurrentVersion\Windows\Run
564 | CurrentVersion\Winlogon\Shell
565 | CurrentVersion\Winlogon\System
566 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
567 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
568 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
569 | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
570 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
571 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
572 | UserInitMprLogonScript
573 |
574 | \ServiceDll
575 | \ServiceManifest
576 | \ImagePath
577 | \Start
578 |
579 | shell\open\command\
580 | shell\open\ddeexec\
581 | shell\install\command\
582 | Explorer\FileExts\
583 | {86C86720-42A0-1069-A2E8-08002B30309D}
584 | exefile
585 |
586 | \InprocServer32\(Default)
587 |
588 | \Hidden
589 | \ShowSuperHidden
590 | \HideFileExt
591 |
592 | Classes\*\
593 | Classes\AllFilesystemObjects\
594 | Classes\Directory\
595 | Classes\Drive\
596 | Classes\Folder\
597 | ContextMenuHandlers\
598 | CurrentVersion\Shell
599 | HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
600 | HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad
601 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers
602 |
603 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
604 |
605 | HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
606 |
607 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
608 |
609 | HKLM\SYSTEM\CurrentControlSet\Services\WinSock\
610 | \ProxyServer
611 |
612 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
613 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
614 | HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
615 | HKLM\SOFTWARE\Microsoft\Netsh
616 |
617 | HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\
618 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
619 | \EnableFirewall
620 | \DoNotAllowExceptions
621 | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
622 | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
623 |
624 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
625 | HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
626 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\
627 |
628 | Microsoft\Office\Outlook\Addins\
629 | Office Test\
630 | Security\Trusted Documents\TrustRecords
631 |
632 | Internet Explorer\Toolbar\
633 | Internet Explorer\Extensions\
634 | Browser Helper Objects\
635 | \DisableSecuritySettingsCheck
636 | \3\1206
637 | \3\2500
638 | \3\1809
639 |
640 | {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\
641 |
642 | \UrlUpdateInfo
643 | \InstallSource
644 |
645 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
646 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
647 |
648 | HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled
649 | HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
650 | HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
651 | HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring
652 | HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
653 | HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
654 | HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
655 | HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
656 | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
657 |
658 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
659 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
660 | VirtualStore
661 |
662 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
663 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\
664 | HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\
665 | HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\
666 | \FriendlyName
667 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
668 | HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
669 |
670 |
671 |
672 |
673 |
674 | Office\root\integration\integrator.exe
675 | C:\Windows\system32\backgroundTaskHost.exe
676 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
677 | C:\Program Files\Windows Defender\MsMpEng.exe
678 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
679 | C:\Program Files (x86)\EMET 5.5\EMET_Service.exe
680 |
681 | Toolbar\WebBrowser
682 | Toolbar\WebBrowser\ITBar7Height
683 | Toolbar\WebBrowser\ITBar7Layout
684 | Toolbar\ShellBrowser\ITBar7Layout
685 | Internet Explorer\Toolbar\Locked
686 | Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}
687 | ShellBrowser
688 | \CurrentVersion\Run
689 | \CurrentVersion\RunOnce
690 | \CurrentVersion\App Paths
691 | \CurrentVersion\Image File Execution Options
692 | \CurrentVersion\Shell Extensions\Cached
693 | \CurrentVersion\Shell Extensions\Approved
694 | }\PreviousPolicyAreas
695 | \Control\WMI\Autologger\
696 | HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
697 | \Lsa\OfflineJoin\CurrentValue
698 | \Components\TrustedInstaller\Events
699 | \Components\TrustedInstaller
700 | \Components\Wlansvc
701 | \Components\Wlansvc\Events
702 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
703 | \Directory\shellex
704 | \Directory\shellex\DragDropHandlers
705 | \Drive\shellex
706 | \Drive\shellex\DragDropHandlers
707 | _Classes\AppX
708 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
709 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
710 | C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
711 |
712 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
713 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
714 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
715 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid
716 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
717 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
718 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
719 |
720 | \services\bits\Start
721 | \services\clr_optimization_v2.0.50727_32\Start
722 | \services\clr_optimization_v2.0.50727_64\Start
723 | \services\clr_optimization_v4.0.30319_32\Start
724 | \services\clr_optimization_v4.0.30319_64\Start
725 | \services\deviceAssociationService\Start
726 | \services\fhsvc\Start
727 | \services\nal\Start
728 | \services\trustedInstaller\Start
729 | \services\tunnel\Start
730 | \services\usoSvc\Start
731 |
732 | \OpenWithProgids
733 | \OpenWithList
734 | \UserChoice
735 | \UserChoice\ProgId
736 | \UserChoice\Hash
737 | \OpenWithList\MRUList
738 | } 0xFFFF
739 |
740 | HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups
741 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts
742 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup
743 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0
744 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder
745 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID
746 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID
747 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell
748 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime
749 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown
750 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0
751 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder
752 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID
753 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID
754 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell
755 | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime
756 | \safer\codeidentifiers\0\HASHES\{
757 |
758 | C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
759 | HKCR\VLC.
760 | HKCR\iTunes.
761 |
762 |
763 |
764 |
765 |
769 |
770 |
771 |
772 |
773 | Downloads
774 | Temp\7z
775 | Startup
776 | .bat
777 | .cmd
778 | .hta
779 | .lnk
780 | .ps1
781 | .ps2
782 | .reg
783 | .jse
784 | .vb
785 | .vbe
786 | .vbs
787 |
788 |
789 |
790 |
791 |
792 |
793 |
794 |
795 |
796 |
797 |
798 |
799 |
800 |
801 |
802 |
803 |
804 |
805 |
806 |
807 |
808 |
809 |
810 |
811 |
812 |
813 |
814 |
815 |
816 |
817 |
818 |
819 |
820 |
821 |
822 |
823 |
826 |
827 |
828 |
829 |
830 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/templates/SysmonConfig-Verbose.xml.j2:
--------------------------------------------------------------------------------
1 | {{ ansible_managed | comment('xml') }}
2 |
5 |
6 |
7 |
8 | *
9 |
10 |
11 |
12 | splunk
13 | btool.exe
14 | SnareCore
15 | nxlog
16 | winlogbeat
17 | Microsoft Monitoring Agent\Agent\MonitoringHost.exe
18 | C:\Program Files\NVIDIA Corporation\Display\
19 | C:\Program Files\Dell\SupportAssist\pcdrcui.exe
20 | C:\Program Files\Dell\SupportAssist\koala.exe
21 | C:\Program Files\Windows Defender
22 | C:\Windows\System32\audiodg.exe
23 | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
24 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
25 | \Sysmon.exe
26 | C:\WIndows\System32\poqexec.exe /noreboot /transaction
27 |
28 |
29 |
30 |
31 |
32 | C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE
33 | Spotify.exe
34 | OneDrive.exe
35 | AppData\Roaming\Dashlane\Dashlane.exe
36 | AppData\Roaming\Dashlane\DashlanePlugin.exe
37 | winlogbeat.exe
38 | C:\Windows\System32\spoolsv.exe
39 | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
40 | C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
41 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
42 | C:\Windows\System32\CompatTelRunner.exe
43 | C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
44 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
45 | C:\Windows\System32\mmc.exe
46 | C:\Program Files\Microsoft VS Code\Code.exe
47 |
48 |
49 |
50 |
51 |
52 | microsoft
53 | windows
54 | VMware
55 | Intel
56 |
57 |
58 |
59 | chrome.exe
60 | vmtoolsd.exe
61 | Sysmon.exe
62 | mmc.exe
63 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
64 | C:\Windows\System32\taskeng.exe
65 | C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
66 | C:\Program Files\Windows Defender\NisSrv.exe
67 | C:\Program Files\Windows Defender\MsMpEng.exe
68 |
69 |
70 |
71 |
72 |
73 | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
74 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
75 | \Sysmon.exe
76 |
77 |
78 |
79 | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
80 | C:\Windows\system32\taskeng.exe
81 | C:\Windows\system32\lsass.exe
82 | Sysmon.exe
83 | GoogleUpdate.exe
84 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
85 | C:\Program Files\Windows Defender\MsMpEng.exe
86 | C:\Program Files\Microsoft VS Code\Code.exe
87 | C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
88 | C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
89 | C:\Windows\system32\mmc.exe
90 | C:\Program Files\Microsoft VS Code\Code.exe
91 | C:\Windows\system32\sihost.exe
92 | C:\Program Files\Windows Defender\MsMpEng.exe
93 | c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe
94 | C:\Windows\system32\ApplicationFrameHost.exe
95 | C:\Windows\System32\taskhostw.exe
96 | C:\Windows\System32\RuntimeBroker.exe
97 |
98 |
99 |
100 | SearchIndexer.exe
101 | winlogbeat.exe
102 | C:\Windows\system32\mmc.exe
103 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
104 | C:\Program Files\Microsoft VS Code\Code.exe
105 |
106 |
107 |
108 | C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
109 | C:\Windows\system32\mmc.exe
110 | C:\Windows\system32\taskeng.exe
111 | C:\Windows\System32\svchost.exe
112 | C:\Windows\system32\lsass.exe
113 | C:\Windows\Sysmon.exe
114 | GoogleUpdate.exe
115 | C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
116 | C:\Program Files\Windows Defender\NisSrv.exe
117 | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData
118 | LanguageList
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/templates/SysmonConfig-moti.xml.j2:
--------------------------------------------------------------------------------
1 | {{ ansible_managed | comment('xml') }}
2 |
14 |
15 | SHA256,IMPHASH
16 |
17 |
18 |
19 | \Startup\
20 |
21 |
22 |
23 | Software\Microsoft\Windows\CurrentVersion\Run
24 | CurrentControlSet\Control\Session Manager\BootExecute
25 | Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
26 | Software\Microsoft\Windows\CurrentVersion\RunServices
27 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
28 | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
29 | Software\Microsoft\Windows NT\CurrentVersion\Winlogon
30 | SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
31 | Software\Microsoft\Windows\CurrentVersion\RunOnce
32 | Software\Microsoft\Windows\CurrentVersion\RunOnceEx
33 | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
34 | Software\Microsoft\Windows NT\CurrentVersion\Windows\load
35 | Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
36 | SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
37 |
38 | System\CurrentControlSet\Control\Lsa\Security Packages
39 |
40 |
41 |
42 | False
43 |
44 |
45 | C:\Windows\assembly\NativeImages
46 |
47 |
48 | Microsoft Windows
49 | Microsoft Corporation
50 | NVIDIA Corporation
51 |
52 |
53 |
54 | C:\Windows\system32\lsass.exe
55 | C:\Windows\system32\winlogon.exe
56 | C:\Windows\system32\svchost.exe
57 | "C:\Program Files\Google\Chrome\Application\chrome.exe"
58 | "C:\Program Files\Internet Explorer\iexplore.exe"
59 | "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
60 |
61 |
62 |
63 | c:\Program Files\Windows Defender\MsMpEng.exe
64 | Program Files\Windows Defender\MsMpEng.exe
65 |
66 |
67 |
68 | System
69 | C:\Windows\CCM\CcmExec.exe
70 | C:\Windows\System32\svchost.exe
71 | C:\Program Files\Windows Defender\MsMpEng.exe
72 | C:\Windows\System32\SrTasks.exe
73 | C:\Windows\System32\MRT.exe
74 | C:\Windows\System32\SearchIndexer.exe
75 | C:\Windows\System32\winlogon.exe
76 | C:\Windows\System32\smss.exe
77 | C:\Windows\System32\autochk.exe
78 | C:\Windows\System32\CompatTelRunner.exe
79 | C:\Windows\System32\DeviceCensus.exe
80 | C:\Windows\System32\wininit.exe
81 | C:\Windows\System32\VSSVC.exe
82 | C:\Windows\System32\bcdedit.exe
83 | C:\Windows\System32\WinSAT.exe
84 | C:\Windows\SysWOW64\msiexec.exe
85 | C:\Windows\explorer.exe
86 | C:\Windows\System32\DiskSnapshot.exe
87 |
88 |
89 |
90 |
91 | C:\Windows\system32\lsass.exe
92 | C:\Windows\system32\winlogon.exe
93 | "C:\Program Files\Google\Chrome\Application\chrome.exe"
94 | "C:\Program Files\Internet Explorer\iexplore.exe"
95 | "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
96 |
97 |
98 |
99 | c:\windows\system32\svchost.exe
100 | C:\WINDOWS\system32\wbem\wmiprvse.exe
101 | C:\WINDOWS\System32\perfmon.exe
102 | C:\WINDOWS\system32\LogonUI.exe
103 | C:\WINDOWS\system32\MRT.exe
104 | C:\Windows\System32\MsiExec.exe
105 | C:\windows\CCM\CcmExec.exe
106 | C:\WINDOWS\system32\taskmgr.exe
107 | C:\WINDOWS\system32\lsass.exe
108 | C:\WINDOWS\system32\services.exe
109 | C:\WINDOWS\system32\wininit.exe
110 | C:\WINDOWS\system32\csrss.exe
111 | C:\WINDOWS\System32\smss.exe
112 | C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
113 | C:\Windows\syswow64\MsiExec.exe
114 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
115 | Program Files\Windows Defender\MsMpEng.exe
116 |
117 |
118 |
119 | AppContainer
120 |
121 | C:\Windows\System32\audiodg.exe
122 | System32\backgroundTaskHost.exe
123 | System32\BackgroundTransferHost.exe
124 | System32\dllhost.exe
125 | System32\smartscreen.exe
126 | System32\SearchFilterHost.exe
127 | System32\audiodg.exe
128 | System32\conhost.exe
129 | System32\SearchProtocolHost.exe
130 | SysWOW64\msiexec.exe
131 | system32\msiexec.exe
132 | microsoft shared\ClickToRun\OfficeClickToRun.exe
133 | System32\consent.exe
134 | System32\LogonUI.exe
135 | System32\taskhostw.exe
136 | System32\LockAppHost.exe
137 | Chrome\Application\chrome.exe
138 | Internet Explorer\iexplorer.exe
139 | Mozilla Firefox\firefox.exe
140 |
141 |
142 |
143 | C:\Windows\System32\RuntimeBroker.exe
144 | c:\windows\system32\svchost.exe
145 | C:\WINDOWS\system32\MpSigStub.exe
146 | C:\WINDOWS\System32\LogonUI.exe
147 | C:\WINDOWS\ImmersiveControlPanel\SystemSettings.exe
148 | C:\WINDOWS\system32\SettingSyncHost.exe
149 | C:\WINDOWS\explorer.exe
150 | C:\WINDOWS\system32\mmc.exe
151 | C:\windows\CCM\CcmExec.exe
152 | C:\WINDOWS\system32\msiexec.exe
153 | C:\WINDOWS\system32\taskmgr.exe
154 | WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
155 | WINDOWS\system32\backgroundTaskHost.exe
156 | Mozilla Firefox\firefox.exe
157 | Google\Chrome\Application\chrome.exe
158 |
159 |
160 |
161 |
162 |
163 | C:\Users
164 | C:\ProgramData
165 | powershell.exe
166 | cmd.exe
167 | wmic.exe
168 | cscript.exe
169 | wscript.exe
170 | rundll32.exe
171 |
172 |
173 | chrome.exe
174 | iexplore.exe
175 | firefox.exe
176 | outlook.exe
177 | Skype.exe
178 | lync.exe
179 | GoogleUpdate.exe
180 | qbittorrent.exe
181 | OfficeClickToRun.exe
182 | Windows\SystemApps\Microsoft.Windows.Cortana
183 | OneDrive.exe
184 | Windows\System32\svchost.exe
185 | System32\backgroundTaskHost.exe
186 | Skype\Browser\SkypeBrowserHost.exe
187 | Free Download Manager\fdm.exe
188 | 172.
189 | 10.
190 | 192.
191 | 0.0.0.0
192 |
193 |
194 |
195 |
--------------------------------------------------------------------------------
/ansible/roles/sysmon/templates/SysmonConfig.xml.j2:
--------------------------------------------------------------------------------
1 | {{ ansible_managed | comment('xml') }}
2 |
9 |
10 | *
11 |
12 |
13 |
14 | microsoft
15 | windows
16 |
17 |
18 |
19 |
20 |
21 |
22 | chrome.exe
23 | iexplore.exe
24 | firefox.exe
25 | OUTLOOK.EXE
26 | Skype.exe
27 | lync.exe
28 | *internal domain servers
29 | proxy port
30 | proxy port
31 |
32 |
33 | 80
34 | 443
35 |
36 |
37 |
38 |
39 | C:\Windows
40 | C:\Users
41 | C:\temp
42 |
43 |
48 |
49 |
50 |
51 | 224.0.0.252
52 |
53 | .255
54 |
55 |
56 |
57 |
58 |
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/defaults/main.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josehelps/building-a-windows-dc/7c914ed5005bc18ec545de7cb22d495c85d914be/ansible/roles/universal_forwarder/defaults/main.yml
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/files/inputs.conf:
--------------------------------------------------------------------------------
1 | [WinEventLog://Microsoft-Windows-Sysmon/Operational]
2 | index = sysmon
3 | disabled = false
4 | renderXml = true
5 |
6 | [monitor://c:\programdata\osquery\log\osqueryd.results.log]
7 | index = osquery
8 | disabled = false
9 | sourcetype = osquery:json
10 |
11 | [monitor://c:\programdata\osquery\log\osqueryd.snapshots.log]
12 | index = osquery
13 | disabled = false
14 | sourcetype = osquery:json
15 |
16 | [monitor://c:\programdata\osquery\log\osqueryd.INFO.*]
17 | index = osquery-status
18 | disabled = false
19 | sourcetype = osquery-info:syslog
20 |
21 | [monitor://c:\programdata\osquery\log\osqueryd.WARNING.*]
22 | index = osquery-status
23 | disabled = false
24 | sourcetype = osquery-warn:syslog
25 |
26 | [monitor://c:\programdata\osquery\log\osqueryd.ERROR.*]
27 | index = osquery-status
28 | disabled = false
29 | sourcetype = osquery-error:syslog
30 |
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/files/main.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josehelps/building-a-windows-dc/7c914ed5005bc18ec545de7cb22d495c85d914be/ansible/roles/universal_forwarder/files/main.yml
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: restart splunk
2 | win_service:
3 | name: SplunkForwarder
4 | state: restarted
5 |
6 | - name: restart machine
7 | win_reboot:
8 |
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/tasks/install_splunk_stream.yml:
--------------------------------------------------------------------------------
1 | - name: Check we have downloaded stream
2 | win_stat:
3 | path: C:\splunk-stream.zip
4 | register: stream_zip
5 |
6 | - name: Download Splunk Stream
7 | win_get_url:
8 | url: "{{ splunk_stream_zip }}"
9 | dest: C:\splunk-stream.zip
10 | when: stream_zip.stat.exists == False
11 |
12 | - name: Check we have unzip streams
13 | win_stat:
14 | path: "C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\splunk_app_stream"
15 | register: stream_app
16 |
17 | - name: Unzip Stream App
18 | win_unzip:
19 | src: C:\splunk-stream.zip
20 | dest: "C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\"
21 | when: stream_app.stat.exists == False
22 |
23 | - name: Copy Stream Config File
24 | win_template:
25 | src: inputs.conf.j2
26 | dest: "C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_stream\\local\\inputs.conf"
27 |
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/tasks/install_splunk_sysmon_ta.yml:
--------------------------------------------------------------------------------
1 | - name: Download Sysmon TA
2 | win_get_url:
3 | url: "{{ splunk_sysmon_ta }}"
4 | dest: C:\sysmon-ta.tgz
5 |
6 | - name: Add powershell module PSCX required by Ansible's win_unzip
7 | win_psmodule:
8 | name: Pscx
9 | state: present
10 | allow_clobber: True
11 |
12 | - name: untar Sysmon TA
13 | win_unzip:
14 | src: C:\sysmon-ta.tgz
15 | dest: C:\Program Files\SplunkUniversalForwarder\etc\apps\
16 |
17 | - name: Install Sysmon TA
18 | win_unzip:
19 | src: C:\Program Files\SplunkUniversalForwarder\etc\apps\sysmon-ta.tar
20 | dest: C:\Program Files\SplunkUniversalForwarder\etc\apps\
21 | delete_archive: yes
22 | notify: restart machine
23 |
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/tasks/install_splunk_uf.yml:
--------------------------------------------------------------------------------
1 | - name: Download Splunk UF
2 | win_get_url:
3 | url: "{{ splunk_uf_msi }}"
4 | dest: C:\splunkuf.msi
5 |
6 | - name: Install Splunk_UF MSI
7 | win_package:
8 | path: C:\splunkuf.msi
9 | arguments: 'WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 SPLUNKPASSWORD=changeme RECEIVING_INDEXER="{{ splunk_uf_indexer_ip }}:9997" AGREETOLICENSE=YES /quiet'
10 |
11 | - name: Start Splunk
12 | win_service:
13 | name: SplunkForwarder
14 | state: started
15 |
16 |
17 |
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/tasks/install_splunk_windows_ta.yml:
--------------------------------------------------------------------------------
1 | - name: Download windows TA
2 | win_get_url:
3 | url: "{{ splunk_windows_ta }}"
4 | dest: C:\windows-ta.tgz
5 |
6 | - name: Add powershell module PSCX required by Ansible's win_unzip
7 | win_psmodule:
8 | name: Pscx
9 | state: present
10 | allow_clobber: True
11 |
12 | - name: untar windows TA
13 | win_unzip:
14 | src: C:\windows-ta.tgz
15 | dest: C:\Program Files\SplunkUniversalForwarder\etc\apps\
16 |
17 | - name: Install windows TA
18 | win_unzip:
19 | src: C:\Program Files\SplunkUniversalForwarder\etc\apps\windows-ta.tar
20 | dest: C:\Program Files\SplunkUniversalForwarder\etc\apps\
21 | delete_archive: yes
22 | notify: restart machine
23 |
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/tasks/main.yaml:
--------------------------------------------------------------------------------
1 | - include: install_splunk_uf.yml
2 | - include: install_splunk_windows_ta.yml
3 | - include: install_splunk_sysmon_ta.yml
4 | when: sysmon is defined
5 | - include: install_splunk_stream.yml
6 | when: stream is defined
7 |
--------------------------------------------------------------------------------
/ansible/roles/universal_forwarder/templates/inputs.conf.j2:
--------------------------------------------------------------------------------
1 | [streamfwd://streamfwd]
2 | splunk_stream_app_location = https://{{ splunk_uf_indexer_ip }}:8000/en-us/custom/splunk_app_stream/
3 | stream_forwarder_id =
4 | disabled = 0
5 |
--------------------------------------------------------------------------------
/ansible/roles/windows_dns_server/defaults/main.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josehelps/building-a-windows-dc/7c914ed5005bc18ec545de7cb22d495c85d914be/ansible/roles/windows_dns_server/defaults/main.yml
--------------------------------------------------------------------------------
/ansible/roles/windows_dns_server/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: restart splunk
2 | win_service:
3 | name: SplunkForwarder
4 | state: restarted
5 |
6 | - name: restart machine
7 | win_reboot:
8 |
--------------------------------------------------------------------------------
/ansible/roles/windows_dns_server/tasks/features.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: features | Installing Windows DNS Server
3 | win_feature:
4 | name: DNS
5 | state: present
6 | include_management_tools: yes
7 | include_sub_features: yes
8 | register: _windows_dns_server
9 |
--------------------------------------------------------------------------------
/ansible/roles/windows_dns_server/tasks/main.yaml:
--------------------------------------------------------------------------------
1 | - include: features.yml
2 | - include: reboot.yml
3 |
--------------------------------------------------------------------------------
/ansible/roles/windows_dns_server/tasks/reboot.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: reboot | Rebooting Server
3 | win_reboot:
4 | reboot_timeout_sec: 3600
5 | when: >
6 | _windows_dns_server['restart_needed'] is defined and
7 | _windows_dns_server['restart_needed']
8 |
--------------------------------------------------------------------------------
/ansible/roles/windows_domain_controller/defaults/main.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josehelps/building-a-windows-dc/7c914ed5005bc18ec545de7cb22d495c85d914be/ansible/roles/windows_domain_controller/defaults/main.yml
--------------------------------------------------------------------------------
/ansible/roles/windows_domain_controller/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: restart splunk
2 | win_service:
3 | name: SplunkForwarder
4 | state: restarted
5 |
6 | - name: restart machine
7 | win_reboot:
8 |
--------------------------------------------------------------------------------
/ansible/roles/windows_domain_controller/tasks/create.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # tasks file for ansible-windows-domain-controller
3 | #
4 |
5 |
6 | - name: set local admin password
7 | win_user:
8 | name: Administrator
9 | password: "{{ windows_domain_controller_info['domain_admin_password'] }}"
10 | state: present
11 |
12 | - name: features | Installing RSAT AD Admin Center
13 | win_feature:
14 | name: RSAT-AD-AdminCenter
15 | state: present
16 |
17 | - name: features | Installing AD Domain Services
18 | win_feature:
19 | name: AD-Domain-Services
20 | include_management_tools: yes
21 | include_sub_features: yes
22 | state: present
23 |
24 | - name: Creating a windows domain
25 | win_domain:
26 | dns_domain_name: "{{ windows_domain_controller_info['dns_domain_name'] }}"
27 | safe_mode_password: "{{ windows_domain_controller_info['safe_mode_password'] }}"
28 |
29 | - name: Setting DNS Servers
30 | win_dns_client:
31 | adapter_names: "*"
32 | ipv4_addresses: "10.0.0.5"
33 |
34 | - name: Managing Domain Controller Membership
35 | win_domain_controller:
36 | dns_domain_name: "{{ windows_domain_controller_info['dns_domain_name'] }}"
37 | domain_admin_user: "{{ windows_domain_controller_info['domain_admin_user'] }}"
38 | domain_admin_password: "{{ windows_domain_controller_info['domain_admin_password'] }}"
39 | safe_mode_password: "{{ windows_domain_controller_info['safe_mode_password'] }}"
40 | state: "{{ windows_domain_controller_info['state'] }}"
41 | register: _windows_domain_controller
42 |
--------------------------------------------------------------------------------
/ansible/roles/windows_domain_controller/tasks/main.yaml:
--------------------------------------------------------------------------------
1 | - include: create.yml
2 | - include: reboot.yml
3 |
--------------------------------------------------------------------------------
/ansible/roles/windows_domain_controller/tasks/reboot.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: reboot | Rebooting Server
3 | win_reboot:
4 | reboot_timeout_sec: 3600
5 | shutdown_timeout_sec: 3600
6 | when: >
7 | _windows_domain_controller['reboot_required'] is defined and
8 | _windows_domain_controller['reboot_required']
9 |
--------------------------------------------------------------------------------
/ansible/vars/vars.yml:
--------------------------------------------------------------------------------
1 | ## Variables for Splunk Search Head
2 | splunk_binary_url: http://www.splunkresearch.com/splunk-7.2.6-c0bf0f679ce9-Linux-x86_64.tgz
3 | splunk_binary: splunk-7.2.6-c0bf0f679ce9-Linux-x86_64.tgz
4 | splunk_pass: changeme
5 |
6 | # Apps
7 | sysmon: true
8 | stream: true
9 | enterprise_security: true
10 |
11 | # Apps binaries
12 | splunk_stream_app: http://www.splunkresearch.com/splunk-stream_713.tgz
13 | splunk_escu_app: http://www.splunkresearch.com/splunk-es-content-update_1037.tgz
14 | splunk_es_app: http://www.splunkresearch.com/splunk-enterprise-security_530.spl
15 |
16 | ## Variables for Splunk Universal Forwarders
17 | splunk_uf_indexer_ip: 10.0.0.10
18 | splunk_uf_msi: http://www.splunkresearch.com/splunkforwarder-7.2.5-088f49762779-x64-release.msi
19 |
20 | # Universal Forwarder deploy binaries
21 | splunk_sysmon_ta: http://www.splunkresearch.com/add-on-for-microsoft-sysmon_800.tgz
22 | splunk_stream_zip: http://www.splunkresearch.com/Splunk_TA_stream.zip
23 | splunk_windows_ta: http://www.splunkresearch.com/splunk-add-on-for-microsoft-windows_600.tgz
24 |
25 | #Variables for Sysmon
26 | win_temp_dir: 'c:\Program Files\ansible'
27 | win_log_dir: 'c:\ProgramData\ansible\log'
28 |
29 | win_sysmon: true
30 | ## as sysmon link is updated and hash change, chocolatey install can fails
31 | ## ansible win_get_url currently does not support checksum option
32 | win_sysmon_direct: true
33 | win_sysmon_url: 'https://download.sysinternals.com/files/Sysmon.zip'
34 | win_sysmon_sha256: '848c3323324e8fa849024f87a2764f8575513463f339690056664861f99e4c5f'
35 | win_sysmon_template: SysmonConfig-Verbose.xml
36 |
37 | win_eventlog_maxsize: 315801600
38 | win_eventlog_retention: 0
39 | win_sysmon_eventlog_channels:
40 | - Microsoft-Windows-Sysmon/Operational
41 |
42 | # Domain Controller
43 | windows_domain_controller_info:
44 | dns_domain_name: splunkresearch.local
45 | domain_admin_password: a31557c9-4d4f
46 | domain_admin_user: administrator@splunkresearch.local
47 | safe_mode_password: a31557c9-4d4f
48 | state: domain_controller
49 |
--------------------------------------------------------------------------------
/images/diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josehelps/building-a-windows-dc/7c914ed5005bc18ec545de7cb22d495c85d914be/images/diagram.png
--------------------------------------------------------------------------------
/splunk_server/Vagrantfile:
--------------------------------------------------------------------------------
1 | VM_NAME= "splunk-server-#{SecureRandom.hex(2)}"
2 | Vagrant.configure("2") do |config|
3 | config.vm.define "splunk-server" do |config|
4 | config.vm.box = "generic/ubuntu1804"
5 | config.vm.hostname = "#{VM_NAME}"
6 | config.vm.boot_timeout = 600
7 | config.vm.network "forwarded_port", guest: 8000, host: 8000, protocol: "tcp"
8 | config.vm.network :private_network, ip: "10.0.0.10"
9 |
10 | config.vm.provision "ansible" do |ansible|
11 | ansible.playbook = "../ansible/playbooks/splunk_server.yml"
12 | ansible.config_file = "../ansible/ansible.cfg"
13 | ansible.compatibility_mode = "2.0"
14 | end
15 |
16 | config.vm.provider "virtualbox" do |vb, override|
17 | vb.gui = true
18 | vb.name = "#{VM_NAME}"
19 | vb.customize ["modifyvm", :id, "--memory", 6000]
20 | vb.customize ["modifyvm", :id, "--cpus", 4]
21 | end
22 | end
23 | end
24 |
--------------------------------------------------------------------------------
/windows_dc_2016/Vagrantfile:
--------------------------------------------------------------------------------
1 | VM_NAME= "windows-2016-dc-#{SecureRandom.hex(2)}"
2 | Vagrant.configure("2") do |config|
3 | config.vm.define "dc" do |config|
4 | config.vm.box = "d1vious/windows2016"
5 | config.vm.hostname = "#{VM_NAME}"
6 | config.vm.boot_timeout = 600
7 | config.winrm.transport = :plaintext
8 | config.vm.communicator = "winrm"
9 | config.winrm.basic_auth_only = true
10 | config.winrm.timeout = 300
11 | config.winrm.retry_limit = 20
12 | config.vm.network "forwarded_port", guest: 5985, host: 5985
13 | config.vm.network :private_network, ip: "10.0.0.5", gateway: "10.0.0.1"
14 |
15 | config.vm.provision "ansible" do |ansible|
16 | ansible.playbook = "../ansible/playbooks/windows_dc.yml"
17 | ansible.config_file = "../ansible/ansible.cfg"
18 | ansible.compatibility_mode = "2.0"
19 | end
20 |
21 |
22 | config.vm.provider "virtualbox" do |vb, override|
23 | vb.gui = true
24 | vb.name = "#{VM_NAME}"
25 | vb.default_nic_type = "82545EM"
26 | vb.customize ["modifyvm", :id, "--memory", 3072]
27 | vb.customize ["modifyvm", :id, "--cpus", 2]
28 | vb.customize ["modifyvm", :id, "--vram", "32"]
29 | vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
30 | vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
31 | end
32 | end
33 | end
34 |
--------------------------------------------------------------------------------