├── ELK-stackv5.x
│   ├── README.md
│   ├── ansible.cfg
│   ├── group_vars
│   │   ├── all
│   │   ├── elasticsearch
│   │   └── logstash
│   ├── hosts
│   ├── install_elk.sh
│   ├── roles
│   │   ├── elastic.yml
│   │   ├── elastic_cloud.yml
│   │   ├── elastic_data.yml
│   │   ├── elastic_data_cloud.yml
│   │   ├── elastic_master.yml
│   │   ├── elastic_master_cloud.yml
│   │   ├── kibana.yml
│   │   ├── kibana_security.yml
│   │   └── logstash.yml
│   ├── tasks
│   │   └── main.yml
│   └── vars
│       └── main.yml
├── ELK-stackv6.x
│   └── install_elk.sh
├── README.md
├── Sysmon-Deployment
│   ├── Eula.txt
│   ├── Sysmon.exe
│   ├── Sysmon64.exe
│   ├── Sysmon_deploy.ps1
│   ├── sysmon.conf
│   └── sysmon_config.xml
└── VirusTotal
    └── vtQuery.py

/ELK-stackv5.x/README.md:
--------------------------------------------------------------------------------
# ELK-stack Ansible

This repo is dedicated to installing the ELK stack with Ansible, which automates the whole installation process. It will be kept updated for all ELK-stack inventories.

`install_elk.sh` installs the ELK stack as a single-node cluster, or it can be used to build a multi-node cluster as well. This script is independent of the Ansible playbook.

The playbook also installs the required plugins. Copy all the files in the ansible folder and execute the playbook (the entry point in this tree is `tasks/main.yml`; no `fullstack_playbook.yml` is present). New plugins can be added in `vars/main.yml` as variables. The IP addresses need to be changed in the `hosts` file for a multi-node installation. Remember to change the heap size in `vars/main.yml`, otherwise the Elasticsearch service will not start because the memory lock fails.

Security note: `vars/main.yml` ships with AWS access keys and an nginx basic-auth entry whose password also appears in a task name; replace all of them before running the playbook and keep the replacements in `ansible-vault`. Elasticsearch and Kibana are installed without X-Pack, i.e. without authentication, so ports 9200, 9300 and 5601 must not be reachable from untrusted networks. The `kibana_security` role puts nginx with TLS and basic auth in front of Kibana.

The SSH disconnection issue has been taken care of by setting `ssh_args` (`ServerAliveInterval=20`) in `ansible.cfg`.
--------------------------------------------------------------------------------
/ELK-stackv5.x/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]

retry_files_enabled = False
# host_key_checking is left at its default (True): the first connection to a
# new node must be confirmed, which is the safe choice for a playbook that
# logs in as root.

[privilege_escalation]
# Empty because group_vars log in as root directly. A dedicated SSH user with
# `become = True` here would avoid root SSH logins altogether.

[paramiko_connection]

[ssh_connection]

# Keep-alive so long apt/plugin tasks do not drop the SSH session.
ssh_args = -o ServerAliveInterval=20

[selinux]

[colors]
--------------------------------------------------------------------------------
/ELK-stackv5.x/group_vars/all:
--------------------------------------------------------------------------------
---
# Direct root SSH login on every host. `ansible_ssh_user` is the pre-2.0
# spelling of `ansible_user`; a non-root user plus `become` is preferable.
ansible_ssh_user: root
--------------------------------------------------------------------------------
/ELK-stackv5.x/group_vars/elasticsearch:
--------------------------------------------------------------------------------
---
# NOTE(review): the inventory below defines elastic_all / elastic_master /
# elastic_data, not "elasticsearch", so this group file is never applied;
# group_vars/all already covers those hosts.
ansible_ssh_user: root
--------------------------------------------------------------------------------
/ELK-stackv5.x/group_vars/logstash:
--------------------------------------------------------------------------------
---
ansible_ssh_user: root
--------------------------------------------------------------------------------
/ELK-stackv5.x/hosts:
--------------------------------------------------------------------------------
# Lab addresses; change them for a multi-node install (see README).
# ES1 is a master-eligible node AND the Kibana host (see [kibana] below).
[elkstack]
ELK ansible_ssh_host=192.168.58.103

[elastic_all]
ES1 ansible_ssh_host=192.168.58.121
ES2 ansible_ssh_host=192.168.58.122
ES3 ansible_ssh_host=192.168.58.123
ES4 ansible_ssh_host=192.168.58.124
ES5 ansible_ssh_host=192.168.58.125
ES6 ansible_ssh_host=192.168.58.126

# Three masters: discovery.zen.minimum_master_nodes is set to 2 in the roles.
[elastic_master]
ES1 ansible_ssh_host=192.168.58.121
ES2 ansible_ssh_host=192.168.58.122
ES3 ansible_ssh_host=192.168.58.123

[elastic_data]
ES4 ansible_ssh_host=192.168.58.124
ES5 ansible_ssh_host=192.168.58.125
ES6 ansible_ssh_host=192.168.58.126

[logstash]
LS1 ansible_ssh_host=192.168.58.127
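LS2 ansible_ssh_host=192.168.58.128

[kibana]
ES1 ansible_ssh_host=192.168.58.121
--------------------------------------------------------------------------------
/ELK-stackv5.x/install_elk.sh:
--------------------------------------------------------------------------------
#!/bin/bash
##This script will install ELK-stack 5.x(latest) in Ubuntu 16.04.1
##This file is independent of the ansible playbook
##Author : Paranoid Ninja
##Email : paranoidninja@protonmail.com
##
##Security notes (review):
## - X-Pack, and with it any authentication, is NOT installed: whatever
##   Elasticsearch and Kibana listen on is open to everyone who can reach it.
##   es_http_host therefore defaults to loopback. Kibana is still bound to all
##   interfaces (see Kibana) and must be firewalled or proxied.
## - Packages come from the Elastic apt repo over HTTPS and are verified with
##   the Elastic signing key added below; nothing else is downloaded.
##Usage: $0 -e | -l | -k | -elk   (must run as root)

set -e

#Global Variables:
#install_xpack=true
install_geoip=true
install_translate=true
install_useragent=true
disable_swap=true
change_heap_size=true
min_heap_size="-Xms4g" #Change Minumum Heap Size as per requirement
max_heap_size="-Xmx4g" #Change Maximum Heap Size as per requirement
#Interface for the Elasticsearch REST API (port 9200). Kibana on the same box
#works with 127.0.0.1. For a multi-node install use the node's private IP;
#do not use 0.0.0.0 (the previous default) on a network you do not control.
es_http_host="127.0.0.1"
#Seconds to wait for Elasticsearch to answer after a restart.
es_start_timeout=60
elastic_repo_list="/etc/apt/sources.list.d/elastic-5.x.list"

#Print a yellow status line and reset the colour.
Info() {
    echo -e "`tput setaf 3`\n[+] $1\n`tput setaf 7`"
}

#Register the Elastic signing key and 5.x repo exactly once.
#The repo line used to be appended with `tee -a` by every component function,
#so a -elk run left three duplicate entries. apt-transport-https has to be
#installed before apt-get update can read an https:// source.
AddElasticRepo() {
    apt-get update && apt-get -y install apt-transport-https curl wget
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" > "$elastic_repo_list"
    apt-get update
}

#Poll the REST API until it answers or es_start_timeout seconds pass.
#Returns 1 on timeout so the caller can report it without tripping `set -e`
#(the old fixed `sleep 5` + `curl | grep` aborted the whole script whenever
#the node needed more than five seconds to come up).
WaitForElastic() {
    local waited=0
    until curl -s --fail "http://$es_http_host:9200/" > /dev/null 2>&1; do
        if [ "$waited" -ge "$es_start_timeout" ]; then
            return 1
        fi
        sleep 2
        waited=$((waited + 2))
    done
    return 0
}

Elastic() {
    Info "Installing Elasticsearch..."
    AddElasticRepo
    apt-get -y install elasticsearch git openjdk-8-jre
    service elasticsearch stop

    #Changing Network Hosts. Transport (9300) stays on loopback; http.host
    #overrides network.host for the REST API only.
    Info "Modifying Network Details..."
    sed -i "s/\#network.host: 192.168.0.1/network.host: 127.0.0.1/g" /etc/elasticsearch/elasticsearch.yml
    echo "http.host: $es_http_host" >> /etc/elasticsearch/elasticsearch.yml

    #Disabling Java Swap for Elasticsearch only
    if [ "$disable_swap" = true ]; then
        Info "Disabling JVM Swap..."
        sed -i "s/\#bootstrap.memory_lock: true/bootstrap.memory_lock: true/g" /etc/elasticsearch/elasticsearch.yml
        sed -i "s/\#LimitMEMLOCK=infinity/LimitMEMLOCK=infinity/g" /usr/lib/systemd/system/elasticsearch.service
        sed -i "s/\#MAX_LOCKED_MEMORY=unlimited/MAX_LOCKED_MEMORY=unlimited/g" /etc/default/elasticsearch
        #Only affects this shell; the two edits above are what the service sees.
        ulimit -l unlimited
    fi;

    #Changing Heap Size. Done before the first start so it applies at once
    #(previously it ran after the restart and only took effect on the next one).
    if [ "$change_heap_size" = true ]; then
        Info "Modifying Heap Size to $min_heap_size and $max_heap_size ..."
        sed -i "s/-Xms2g/$min_heap_size/g" /etc/elasticsearch/jvm.options
        sed -i "s/-Xmx2g/$max_heap_size/g" /etc/elasticsearch/jvm.options
    fi;

    #Updating Services. daemon-reload must precede the restart or the edited
    #unit (LimitMEMLOCK) is ignored; update-rc.d is redundant on systemd.
    #This now runs regardless of disable_swap, so the service is always
    #enabled and started.
    Info "Enabling Services on boot..."
    /bin/systemctl daemon-reload
    /bin/systemctl enable elasticsearch.service
    service elasticsearch restart
    Info "Waiting for Elastic Service to Start..."
    if WaitForElastic; then
        #mlockall:false here means the memory-lock settings did not take.
        curl -s "http://$es_http_host:9200/_nodes?filter_path=**.mlockall" || true
        echo
    else
        echo -e "`tput setaf 1`[-] Elasticsearch did not answer on $es_http_host:9200 within ${es_start_timeout}s (see: journalctl -u elasticsearch)`tput setaf 7`"
    fi

    #Install Xpack
    # if [ "$install_xpack" = true ]; then
    #     Info "Installing Xpack plugin..."
    #     /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack
    #     echo "xpack.security.enabled: false" >> /etc/elasticsearch/elasticsearch.yml
    # fi;

    #INSTALL CURATOR
}

Logstash() {
    Info "Installing Logstash..."
    AddElasticRepo
    apt-get -y install screen logstash git openjdk-8-jre
    #mkdir -p: a second run must not abort under set -e because the dir exists.
    mkdir -p /usr/share/logstash/config
    cp -r /etc/logstash/* /usr/share/logstash/config/

    #Installing PLugins
    # if [ "$install_xpack" = true ]; then
    #     Info "Installing Xpack plugin..."
    #     /usr/share/logstash/bin/logstash-plugin install x-pack
    # fi;
    if [ "$install_geoip" = true ]; then
        Info "Installing Geoip plugin..."
        /usr/share/logstash/bin/logstash-plugin install logstash-filter-geoip
    fi;
    if [ "$install_translate" = true ]; then
        Info "Installing Translate plugin..."
        /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate
    fi;
    if [ "$install_useragent" = true ]; then
        Info "Installing Useragent plugin..."
        /usr/share/logstash/bin/logstash-plugin install logstash-filter-useragent
    fi;
}

Kibana() {
    Info "Installing Kibana..."
    AddElasticRepo
    apt-get install -y kibana git openjdk-8-jre

    #Changing Network Hosts. Kibana has no authentication here and listens on
    #every interface; restrict 5601 with a firewall or front it with a proxy
    #(the Ansible kibana_security role does the latter).
    Info "Modifying Network Details..."
    sed -i 's/\#server.host: "localhost"/server.host: 0.0.0.0/g' /etc/kibana/kibana.yml

    #ADD KIBANA ELASTICSEARCH IP YAML FILE MODIFICATION (kibana currently uses
    #its default elasticsearch.url of http://localhost:9200, which matches
    #es_http_host=127.0.0.1 on a single box)

    #Updating Services
    Info "Enabling Services on boot..."
    /bin/systemctl daemon-reload
    /bin/systemctl enable kibana.service
    service kibana restart

    # if [ "$install_xpack" = true ]; then
    #     Info "Installing Xpack plugin..."
    #     /usr/share/kibana/bin/kibana-plugin install x-pack
    #     echo "xpack.security.enabled: false" >> /etc/elasticsearch/elasticsearch.yml
    # fi;
}

Help() {
    echo -e "\n`tput setaf 3`[-]Help: Please specify command line parameters:\n-e\tInstall Elasticsearch\n-l\tInstall Logstash\n-k\tInstall Kibana\n-elk\t Install Full Elkstack\n[-] eg:- `tput setaf 2`$0 -e\n`tput setaf 7`"
}

#Check root access. Exit non-zero so callers notice nothing was installed.
if [[ $UID != 0 ]]; then
    echo -e "\n`tput setaf 1`Your derp level is too high, I don't like you..!`tput setaf 7`\n"
    exit 1
fi

case "$1" in
    -e)   Elastic ;;
    -k)   Kibana ;;
    -l)   Logstash ;;
    -elk) Elastic; Logstash; Kibana ;;
    *)    Help ;;
esac
--------------------------------------------------------------------------------
/ELK-stackv5.x/roles/elastic.yml:
--------------------------------------------------------------------------------
---
# Installs Elasticsearch 5.x from the signed Elastic apt repo and applies the
# node-local settings (bind address, memory lock, heap). Cluster role settings
# come from elastic_master.yml / elastic_data.yml afterwards.
# Every lineinfile carries a regexp so a re-run with a different value replaces
# the existing line instead of appending a second, conflicting key.
- name: Checking whether https support for apt is installed
  apt:
    pkg: apt-transport-https
    update_cache: yes
    state: present

- name: Checking whether gpg signing key for elkstack is installed
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present

- name: Checking whether ELK-stack repo has been added
  apt_repository:
    repo: 'deb https://artifacts.elastic.co/packages/5.x/apt stable main'
    filename: 'elastic-5.x'
    update_cache: yes
    state: present

- name: Installing Elasticsearch
  apt:
    name:
      - elasticsearch
      - openjdk-8-jre
      - git
      - wget
      - curl
    state: present

- name: Stopping Elasticsearch Service and adding it on boot
  service:
    name: elasticsearch
    state: stopped
    enabled: yes

# gather_facts is off in tasks/main.yml, so the address is read with iproute2
# (present on Ubuntu 16.04) instead of ifconfig, whose output format differs
# between net-tools versions. The prefix is anchored so '192.' cannot match
# e.g. 10.192.x.x.
- name: Checking IP Address
  shell: "ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1 | grep '^{{ self_host_ip }}' | head -n1"
  register: elast_network_ip
  changed_when: false

# An empty network.host would make Elasticsearch bind to its default instead
# of the intended interface; stop here rather than write a broken config.
- name: Refusing to continue without a node address
  fail:
    msg: "No IPv4 address starting with {{ self_host_ip }} found on this host"
  when: elast_network_ip.stdout == ""

- name: Making network changes in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^network\.host:'
    line: 'network.host: {{ elast_network_ip.stdout }}'
    state: present

- name: Enabling memlock in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^bootstrap\.memory_lock:'
    line: 'bootstrap.memory_lock: true'
    state: present

- name: Removing all Comments
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^[#].*'
    state: absent

- name: Setting memlock to infinite in Elastic service file
  replace:
    dest: '/usr/lib/systemd/system/elasticsearch.service'
    regexp: '#LimitMEMLOCK=infinity'
    replace: 'LimitMEMLOCK=infinity'

# Replaces the commented default line instead of appending beside it.
# (The old "ulimit -l unlimited" shell task was dropped: it only changed the
# limit of that one shell and had no effect on the service.)
- name: Changing locked memory state in Elastic service file
  lineinfile:
    dest: '/etc/default/elasticsearch'
    regexp: '^#?MAX_LOCKED_MEMORY='
    line: 'MAX_LOCKED_MEMORY=unlimited'
    state: present

# [0-9]+[gm] also matches two-digit or megabyte heaps, which '[0-9]g' missed.
- name: Changing Java minimum heap size for Elastic in jvm.options to {{min_heap_size}}
  replace:
    dest: '/etc/elasticsearch/jvm.options'
    regexp: '-Xms[0-9]+[gm]'
    replace: '{{min_heap_size}}'

- name: Changing Java maximum heap size for Elastic in jvm.options to {{max_heap_size}}
  replace:
    dest: '/etc/elasticsearch/jvm.options'
    regexp: '-Xmx[0-9]+[gm]'
    replace: '{{max_heap_size}}'

# The unit is elasticsearch.service (see the replace task above); "elastic"
# names no unit on the host.
- name: Reload System Daemon to reread all config files
  systemd:
    name: elasticsearch
    daemon_reload: yes

- name: Starting Elasticsearch Service
  service:
    name: elasticsearch
    state: started
--------------------------------------------------------------------------------
/ELK-stackv5.x/roles/elastic_cloud.yml:
--------------------------------------------------------------------------------
---
# EC2 variant of elastic.yml: identical install, but network.host comes from
# the network_host variable (_ec2:privateIpv4_) instead of an interface scan.
- name: Checking whether https support for apt is installed
  apt:
    pkg: apt-transport-https
    update_cache: yes
    state: present

- name: Checking whether gpg signing key for elkstack is installed
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present

- name: Checking whether ELK-stack repo has been added
  apt_repository:
    repo: 'deb https://artifacts.elastic.co/packages/5.x/apt stable main'
    filename: 'elastic-5.x'
    update_cache: yes
    state: present

- name: Installing Elasticsearch
  apt:
    name:
      - elasticsearch
      - openjdk-8-jre
      - git
      - wget
      - curl
    state: present

- name: Stopping Elasticsearch Service and adding it on boot
  service:
    name: elasticsearch
    state: stopped
    enabled: yes

- name: Changing Network Host in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^network\.host:'
    line: '{{ network_host }}'
    state: present

- name: Enabling memlock in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^bootstrap\.memory_lock:'
    line: 'bootstrap.memory_lock: true'
    state: present

- name: Removing all Comments
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^[#].*'
    state: absent

- name: Setting memlock to infinite in Elastic service file
  replace:
    dest: '/usr/lib/systemd/system/elasticsearch.service'
    regexp: '#LimitMEMLOCK=infinity'
    replace: 'LimitMEMLOCK=infinity'

# The old "ulimit -l unlimited" shell task was dropped: it only affected that
# one shell. The two settings above are what the service actually sees.
- name: Changing locked memory state in Elastic service file
  lineinfile:
    dest: '/etc/default/elasticsearch'
    regexp: '^#?MAX_LOCKED_MEMORY='
    line: 'MAX_LOCKED_MEMORY=unlimited'
    state: present

- name: Changing Java minimum heap size for Elastic in jvm.options to- {{min_heap_size}}
  replace:
    dest: '/etc/elasticsearch/jvm.options'
    regexp: '-Xms[0-9]+[gm]'
    replace: '{{min_heap_size}}'

- name: Changing Java maximum heap size for Elastic in jvm.options to- {{max_heap_size}}
  replace: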
77 | dest: '/etc/elasticsearch/jvm.options' 78 | regexp: '-Xmx[0-9]g' 79 | replace: '{{max_heap_size}}' 80 | 81 | - name: Reload System Daemon to reread all config files 82 | systemd: 83 | name: elastic 84 | daemon_reload: yes 85 | 86 | - name: Starting Elasticsearch Service 87 | service: 88 | name: elasticsearch 89 | state: started 90 | -------------------------------------------------------------------------------- /ELK-stackv5.x/roles/elastic_data.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Adding Cluster Name 3 | lineinfile: 4 | dest: '/etc/elasticsearch/elasticsearch.yml' 5 | line: 'cluster.name: Anarchy' 6 | state: present 7 | 8 | - name: Changing Node Discoveries 9 | lineinfile: 10 | dest: '/etc/elasticsearch/elasticsearch.yml' 11 | line: '{{ discovery_hosts }}' 12 | state: present 13 | 14 | - name: Enabling Data node 15 | lineinfile: 16 | dest: '/etc/elasticsearch/elasticsearch.yml' 17 | line: 'node.data: true' 18 | state: present 19 | 20 | - name: Disabling Master node 21 | lineinfile: 22 | dest: '/etc/elasticsearch/elasticsearch.yml' 23 | line: 'node.master: false' 24 | state: present 25 | 26 | - name: Changing Minimum Master nodes 27 | lineinfile: 28 | dest: '/etc/elasticsearch/elasticsearch.yml' 29 | line: 'discovery.zen.minimum_master_nodes: 2' 30 | state: present 31 | 32 | - name: Removing all Comments 33 | lineinfile: 34 | dest: '/etc/elasticsearch/elasticsearch.yml' 35 | regexp: '^[#].*' 36 | state: absent 37 | 38 | - name: Stopping Elasticsearch Service 39 | service: 40 | name: elasticsearch 41 | state: stopped 42 | 43 | - name: Reload System Daemon to reread all config files 44 | systemd: 45 | name: elastic 46 | daemon_reload: yes 47 | 48 | - name: Starting Elasticsearch Service 49 | service: 50 | name: elasticsearch 51 | state: started 52 | 53 | -------------------------------------------------------------------------------- /ELK-stackv5.x/roles/elastic_data_cloud.yml: 
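--------------------------------------------------------------------------------
---
# Data-only node of the EC2 cluster; assumes roles/elastic_cloud.yml already
# installed Elasticsearch on this host. Every lineinfile carries a regexp so a
# re-run replaces the setting instead of appending a duplicate key.
- name: Checking Discovery plugin
  shell: "{{es_home}}/bin/elasticsearch-plugin list | grep 'discovery-ec2'"
  register: discovery_state
  failed_when: false
  changed_when: false

- name: Installing Discovery Plugin
  shell: "{{es_home}}/bin/elasticsearch-plugin install discovery-ec2"
  when: discovery_state.stdout == ""

- name: Changing Network Host in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^network\.host:'
    line: '{{ network_host }}'
    state: present

- name: Changing Network Bind host in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^network\.bind_host:'
    line: '{{ network_bind_host }}'
    state: present

- name: Changing Network Publish host in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^network\.publish_host:'
    line: '{{ network_publish_host }}'
    state: present

- name: Changing Discovery type in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^discovery\.type:'
    line: '{{ discovery_type }}'
    state: present

# SECURITY: these two tasks write a static AWS key pair into a plain-text
# config file on every node. Prefer an IAM instance role (discovery-ec2 can
# use instance credentials) and leave the key variables empty; if static keys
# are unavoidable they must come from ansible-vault. no_log keeps the secret
# out of playbook output and logs.
- name: Changing Cloud Access Key in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^cloud\.aws\.access_key:'
    line: '{{ cl_ac_key }}'
    state: present
  no_log: true

- name: Changing Cloud Secret Key in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^cloud\.aws\.secret_key:'
    line: '{{ cl_sc_key }}'
    state: present
  no_log: true

- name: Changing Cloud Region in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^cloud\.aws\.region:'
    line: '{{ cl_region }}'
    state: present

- name: Adding Cluster Name
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^cluster\.name:'
    line: 'cluster.name: Anarchy_cloud'
    state: present

# Static unicast list kept alongside EC2 discovery, as in the original; this
# task used to appear twice in the file.
- name: Changing Node Discoveries
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^discovery\.zen\.ping\.unicast\.hosts:'
    line: '{{ discovery_hosts }}'
    state: present

# Task names now match the values (they were previously labelled the other
# way round): this is a data node, not a master.
- name: Enabling Data node
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^node\.data:'
    line: 'node.data: true'
    state: present

- name: Disabling Master node
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^node\.master:'
    line: 'node.master: false'
    state: present

# Same split-brain guard the non-cloud data role and the cloud master role set.
- name: Changing Minimum Master nodes
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^discovery\.zen\.minimum_master_nodes:'
    line: 'discovery.zen.minimum_master_nodes: 2'
    state: present

- name: Removing all Comments
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^[#].*'
    state: absent

- name: Stopping Elasticsearch Service
  service:
    name: elasticsearch
    state: stopped

- name: Reload System Daemon to reread all config files
  systemd:
    name: elasticsearch
    daemon_reload: yes

- name: Starting Elasticsearch Service
  service:
    name: elasticsearch
    state: started
--------------------------------------------------------------------------------
/ELK-stackv5.x/roles/elastic_master.yml:
--------------------------------------------------------------------------------
---
# Turns a node already installed by roles/elastic.yml into a master-only node.
- name: Adding Cluster Name
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^cluster\.name:'
    line: 'cluster.name: Anarchy'
    state: present

- name: Changing Node Discoveries
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^discovery\.zen\.ping\.unicast\.hosts:'
    line: '{{ discovery_hosts }}'
    state: present

- name: Disabling Data node
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^node\.data:'
    line: 'node.data: false'
    state: present

- name: Enabling Master node
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^node\.master:'
    line: 'node.master: true'
    state: present

# 2 = (3 masters / 2) + 1 for the three-master inventory in hosts.
- name: Changing Minimum Master nodes
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^discovery\.zen\.minimum_master_nodes:'
    line: 'discovery.zen.minimum_master_nodes: 2'
    state: present

- name: Removing all Comments
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^[#].*'
    state: absent

- name: Stopping Elasticsearch Service
  service:
    name: elasticsearch
    state: stopped

- name: Reload System Daemon to reread all config files
  systemd:
    name: elasticsearch
    daemon_reload: yes

- name: Starting Elasticsearch Service
  service:
    name: elasticsearch
    state: started
--------------------------------------------------------------------------------
/ELK-stackv5.x/roles/elastic_master_cloud.yml:
--------------------------------------------------------------------------------
---
# Master-only node of the EC2 cluster; mirrors elastic_data_cloud.yml.
- name: Checking Discovery plugin
  shell: "{{es_home}}/bin/elasticsearch-plugin list | grep 'discovery-ec2'"
  register: discovery_state
  failed_when: false
  changed_when: false

- name: Installing Discovery Plugin
  shell: "{{es_home}}/bin/elasticsearch-plugin install discovery-ec2"
  when: discovery_state.stdout == ""

- name: Changing Network Host in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^network\.host:'
    line: '{{ network_host }}'
    state: present

- name: Changing Network Bind host in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^network\.bind_host:'
    line: '{{ network_bind_host }}'
    state: present

- name: Changing Network Publish host in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^network\.publish_host:'
    line: '{{ network_publish_host }}'
    state: present

- name: Changing Discovery type in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^discovery\.type:'
    line: '{{ discovery_type }}'
    state: present

# SECURITY: static AWS keys in a plain-text config; prefer an IAM instance
# role, otherwise source the values from ansible-vault. no_log keeps the
# secret out of playbook output.
- name: Changing Cloud Access Key in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^cloud\.aws\.access_key:'
    line: '{{ cl_ac_key }}'
    state: present
  no_log: true

- name: Changing Cloud Secret Key in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^cloud\.aws\.secret_key:'
    line: '{{ cl_sc_key }}'
    state: present
  no_log: true

- name: Changing Cloud Region in Elastic yaml file
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^cloud\.aws\.region:'
    line: '{{ cl_region }}'
    state: present

- name: Adding Cluster Name
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^cluster\.name:'
    line: 'cluster.name: Anarchy_cloud'
    state: present

- name: Changing Node Discoveries
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^discovery\.zen\.ping\.unicast\.hosts:'
    line: '{{ discovery_hosts }}'
    state: present

- name: Disabling Data node
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^node\.data:'
    line: 'node.data: false'
    state: present

- name: Enabling Master node
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^node\.master:'
    line: 'node.master: true'
    state: present

- name: Changing Minimum Master nodes
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^discovery\.zen\.minimum_master_nodes:'
    line: 'discovery.zen.minimum_master_nodes: 2'
    state: present

- name: Removing all Comments
  lineinfile:
    dest: '/etc/elasticsearch/elasticsearch.yml'
    regexp: '^[#].*'
    state: absent

- name: Stopping Elasticsearch Service
  service:
    name: elasticsearch
    state: stopped

- name: Reload System Daemon to reread all config files
  systemd:
    name: elasticsearch
    daemon_reload: yes

- name: Starting Elasticsearch Service
  service:
    name: elasticsearch
    state: started
--------------------------------------------------------------------------------
/ELK-stackv5.x/roles/kibana.yml:
--------------------------------------------------------------------------------
---
# Installs Kibana 5.x and points it at the Elasticsearch node on this host.
# Kibana has no authentication of its own here; it listens on all interfaces
# so that it is reachable, and kibana_security.yml is expected to put nginx
# (TLS + basic auth) in front of it and rebind it to loopback.
- name: Checking whether https support for apt is installed
  apt:
    pkg: apt-transport-https
    update_cache: yes
    state: present

- name: Checking whether gpg signing key for elkstack is installed
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present

- name: Checking whether ELK-stack repo has been added
  apt_repository:
    repo: 'deb https://artifacts.elastic.co/packages/5.x/apt stable main'
    filename: 'elastic-5.x'
    update_cache: yes
    state: present

- name: Installing Kibana
  apt:
    name:
      - kibana
      - openjdk-8-jre
      - git
      - wget
      - curl
    state: present

- name: Stopping Kibana Service and adding in on boot
  service:
    name: kibana
    state: stopped
    enabled: yes

- name: Changing Listening IP in Kibana yaml file
  replace:
    dest: '/etc/kibana/kibana.yml'
    regexp: '#server.host: "localhost"'
    replace: 'server.host: "0.0.0.0"'

# Same iproute2-based lookup as roles/elastic.yml (facts are not gathered);
# the prefix is anchored so '192.' cannot match a 10.192.x.x address.
- name: Checking IP Address
  shell: "ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1 | grep '^{{ self_host_ip }}' | head -n1"
  register: kibana_network_ip
  changed_when: false

- name: Refusing to continue without a node address
  fail:
    msg: "No IPv4 address starting with {{ self_host_ip }} found on this host"
  when: kibana_network_ip.stdout == ""

- name: Changing Elastic IP in Kibana yaml file
  replace:
    dest: '/etc/kibana/kibana.yml'
    regexp: '#elasticsearch.url: "http://localhost:9200"'
    replace: 'elasticsearch.url: "http://{{ kibana_network_ip.stdout }}:9200"'

# Reload before the start (the original reloaded afterwards, against a unit
# named "elastic" that does not exist).
- name: Reload System Daemon to reread all config files
  systemd:
    name: kibana
    daemon_reload: yes

- name: Starting Kibana Service
  service:
    name: kibana
    state: started
--------------------------------------------------------------------------------
/ELK-stackv5.x/roles/kibana_security.yml:
--------------------------------------------------------------------------------
---
# Puts nginx with TLS and HTTP basic auth in front of Kibana. For the auth to
# mean anything Kibana itself must not stay reachable on 5601 from other
# hosts, so this role rebinds it to 127.0.0.1 and proxies to that address
# (previously nginx proxied to the public IP and 5601 stayed open).
- name: Installing Nginx
  apt:
    name:
      - nginx
    state: present

# `creates` makes both openssl steps idempotent; without it every run minted a
# new key and certificate.
- name: Creating Nginx SSL Private Key
  command: openssl genrsa -out /etc/ssl/nginx_server.pem 2048
  args:
    creates: /etc/ssl/nginx_server.pem

# openssl writes the key with the process umask; make sure only root reads it.
- name: Restricting private key permissions
  file:
    path: /etc/ssl/nginx_server.pem
    owner: root
    group: root
    mode: '0600'

- name: Creating Nginx SSL Certificate
  command: openssl req -new -x509 -key /etc/ssl/nginx_server.pem -subj "/C={{ country_code}}/ST={{ state_full }}/L={{ locality_city }}/O={{ org_name }}/CN={{ server_fqdn }}" -out /etc/ssl/nginx_server.crt -days {{ valid_days }}
  args:
    creates: /etc/ssl/nginx_server.crt

# Empties the distro default site (which also removes its port-80 listener);
# the blockinfile task below rewrites the server block on every run.
- name: Removing Default Nginx Config file
  shell: echo '' > /etc/nginx/sites-available/default

- name: Creating Blank htpasswd file
  file:
    path: /etc/nginx/htpasswd.users
    state: touch
    owner: root
    group: www-data
    mode: '0640'

# The task name used to spell out the default password. Credentials belong in
# ansible-vault, never in task names or plain vars; no_log keeps the hash out
# of the playbook output.
- name: Adding Nginx basic-auth user from nginx_creds
  lineinfile:
    dest: '/etc/nginx/htpasswd.users'
    line: '{{ nginx_creds }}'
    state: present
  no_log: true

# Matches both the packaged '#server.host: "localhost"' and the
# 'server.host: "0.0.0.0"' written by kibana.yml.
- name: Binding Kibana to loopback so only the nginx proxy can reach it
  replace:
    dest: '/etc/kibana/kibana.yml'
    regexp: '^#?server\.host: .*$'
    replace: 'server.host: "127.0.0.1"'

- name: Enabling Nginx Proxy on 5601
  blockinfile:
    dest: '/etc/nginx/sites-available/default'
    block: |
      server {
          listen 443 ssl;
          server_name {{ server_fqdn }};
          ssl_certificate_key /etc/ssl/nginx_server.pem;
          ssl_certificate /etc/ssl/nginx_server.crt;
          # nginx on Ubuntu 16.04 still offers TLS 1.0/1.1 by default.
          ssl_protocols TLSv1.2;
          ssl_prefer_server_ciphers on;

          auth_basic "Restricted Access";
          auth_basic_user_file /etc/nginx/htpasswd.users;

          location / {
              proxy_pass http://127.0.0.1:5601;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection 'upgrade';
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto https;
              proxy_cache_bypass $http_upgrade;
          }
      }

- name: Starting nginx Service
  service:
    name: nginx
    state: restarted

- name: Starting Kibana Service
  service:
    name: kibana
    state: restarted

- name: Reload System Daemon to reread all config files
  systemd:
    daemon_reload: yes
--------------------------------------------------------------------------------
/ELK-stackv5.x/roles/logstash.yml:
--------------------------------------------------------------------------------
---
# Installs Logstash 5.x, sets its heap and installs the filter plugins.
# NOTE(review): the service is stopped here and never started again by this
# role, presumably because no pipeline config is deployed yet; start it once
# /etc/logstash/conf.d has a pipeline.
- name: Checking whether https support for apt is installed
  apt:
    pkg: apt-transport-https
    update_cache: yes
    state: present

- name: Checking whether gpg signing key for elkstack is installed
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present

- name: Checking whether ELK-stack repo has been added
  apt_repository:
    repo: 'deb https://artifacts.elastic.co/packages/5.x/apt stable main'
    filename: 'elastic-5.x'
    update_cache: yes
    state: present

- name: Installing Logstash
  apt:
    name:
      - logstash
      - openjdk-8-jre
      - git
      - wget
      - curl
    state: present

- name: Stopping Logstash Service
  service:
    name: logstash
    state: stopped

- name: Changing Java minimum heap size for Logstash in jvm.options to- {{min_heap_size}}
  replace:
    dest: '/etc/logstash/jvm.options'
    regexp: '-Xms[0-9]+[gm]'
    replace: '{{min_heap_size}}'

- name: Changing Java maximum heap size for Logstash in jvm.options to- {{max_heap_size}}
  replace:
    dest: '/etc/logstash/jvm.options'
    regexp: '-Xmx[0-9]+[gm]'
    replace: '{{max_heap_size}}'

- name: Reload System Daemon to reread all config files
  systemd:
    name: logstash
    daemon_reload: yes

# grep exits 1 when the plugin is absent; that is the "install it" signal,
# not a failure.
- name: Checking Useragent plugin
  shell: "{{ls_home}}/bin/logstash-plugin list | grep useragent"
  register: useragent_state
  failed_when: false
  changed_when: false

- name: Installing Useragent Plugin
  shell: "{{ls_home}}/bin/logstash-plugin install logstash-filter-useragent"
  when: useragent_state.stdout == ""

- name: Checking GeoIp plugin
  shell: "{{ls_home}}/bin/logstash-plugin list | grep geoip"
  register: geoip_state
  failed_when: false
  changed_when: false

- name: Installing GeoIp Plugin
  shell: "{{ls_home}}/bin/logstash-plugin install logstash-filter-geoip"
  when: geoip_state.stdout == ""

- name: Checking Translate plugin
  shell: "{{ls_home}}/bin/logstash-plugin list | grep translate"
  register: translate_state
  failed_when: false
  changed_when: false

- name: Installing Translate Plugin
  shell: "{{ls_home}}/bin/logstash-plugin install logstash-filter-translate"
  when: translate_state.stdout == ""
--------------------------------------------------------------------------------
/ELK-stackv5.x/tasks/main.yml:
--------------------------------------------------------------------------------
#This file should not be edited. This file contains execution of roles based on
#the boolean value of the variables in vars/main.yml
#
# Each play loads vars/main.yml and runs one role file when its *_install flag
# is true. `include` is the task include of Ansible < 2.4; on newer releases
# the same lines should read `include_tasks`.
---
# Single-box install: Elasticsearch, Logstash, Kibana and the nginx front end
# all on the [elkstack] host.
- hosts: elkstack
  gather_facts: false
  tasks:
    - name: Including variables
      include_vars:
        file: '../vars/main.yml'

    - include: ../roles/elastic.yml
      when: elkstack_install

    - include: ../roles/logstash.yml
      when: elkstack_install

    - include: ../roles/kibana.yml
      when: elkstack_install

    - include: ../roles/kibana_security.yml
      when: elkstack_install

- hosts: elastic_all
  gather_facts: false
  tasks:
    - name: Including variables
      include_vars:
        file: '../vars/main.yml'

    - name: Checking whether Elasticsearch is required
      include: ../roles/elastic.yml
      when: elastic_all_install

- hosts: elastic_all
  gather_facts: false
  tasks:
    - name: Including variables
      include_vars:
        file: '../vars/main.yml'

    - name: Checking whether Elasticsearch is required
      include: ../roles/elastic_cloud.yml
      when: elastic_cloud_install

- hosts: elastic_master
  gather_facts: false
  tasks:
    - name: Including variables
      include_vars:
        file: '../vars/main.yml'

    - name: Checking whether Elasticsearch Master Nodes are required
      include: ../roles/elastic_master.yml
      when: elastic_master_install

- hosts: elastic_master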
gather_facts: false 58 | tasks: 59 | - name: Including variables 60 | include_vars: 61 | file: '../vars/main.yml' 62 | 63 | - name: Checking whether Elasticsearch Cloud Master Nodes are required 64 | include: ../roles/elastic_master_cloud.yml 65 | when: elastic_master_cloud_install 66 | 67 | - hosts: elastic_data 68 | gather_facts: false 69 | tasks: 70 | - name: Including variables 71 | include_vars: 72 | file: '../vars/main.yml' 73 | 74 | - name: Checking whether Elasticsearch Data Nodes are required 75 | include: ../roles/elastic_data.yml 76 | when: elastic_data_install 77 | 78 | - hosts: elastic_data 79 | gather_facts: false 80 | tasks: 81 | - name: Including variables 82 | include_vars: 83 | file: '../vars/main.yml' 84 | 85 | - name: Checking whether Elasticsearch Cloud Data Nodes are required 86 | include: ../roles/elastic_data_cloud.yml 87 | when: elastic_data_cloud_install 88 | 89 | - hosts: logstash 90 | gather_facts: false 91 | tasks: 92 | - name: Including variables 93 | include_vars: 94 | file: '../vars/main.yml' 95 | 96 | - name: Checking whether Logstash Node is required 97 | include: ../roles/logstash.yml 98 | when: logstash_install 99 | 100 | - hosts: kibana 101 | gather_facts: false 102 | tasks: 103 | - name: Including variables 104 | include_vars: 105 | file: '../vars/main.yml' 106 | 107 | - name: Checking whether Kibana Service is required 108 | include: ../roles/kibana.yml 109 | when: kibana_install 110 | 111 | - name: Checking whether Kibana Security needs to be installed 112 | include: ../roles/kibana_security.yml 113 | when: kibana_security_install 114 | -------------------------------------------------------------------------------- /ELK-stackv5.x/vars/main.yml: -------------------------------------------------------------------------------- 1 | #This file contains all the necessary things that need to be installed. 2 | #The value needs to be a boolean value as to what should be installed and what should be ignored. 
3 | ---
# Role switches: each flag gates one `include` in tasks/main.yml. In this
# checked-in copy only the two Kibana roles are enabled.
4 | elkstack_install: false
5 |
6 | elastic_all_install: false
7 |
8 | elastic_cloud_install: false
9 |
10 | elastic_master_install: false
11 |
12 | elastic_master_cloud_install: false
13 |
14 | elastic_data_install: false
15 |
16 | elastic_data_cloud_install: false
17 |
18 | logstash_install: false
19 |
20 | kibana_install: true
21 |
22 | kibana_security_install: true
23 |
# Package install prefixes; ls_home is what the logstash role prepends to
# bin/logstash-plugin when checking and installing plugins.
24 | es_home: '/usr/share/elasticsearch'
25 |
26 | kb_home: '/usr/share/kibana'
27 |
28 | ls_home: '/usr/share/logstash'
29 |
# Whole JVM flags, not bare sizes: the logstash role's replace tasks swap them in
# for a single-digit-gigabyte -Xms/-Xmx line in jvm.options (regexp -Xms[0-9]g),
# so a shipped value such as -Xms16g or -Xms512m would not be matched there.
30 | min_heap_size: '-Xms1g'
31 |
32 | max_heap_size: '-Xmx1g'
33 |
# From here on each value is a complete `key: value` elasticsearch.yml line
# (presumably written verbatim by the elastic roles, which are not shown here).
34 | discovery_hosts: 'discovery.zen.ping.unicast.hosts: ["192.168.58.121", "192.168.58.122", "192.168.58.123", "192.168.58.124", "192.168.58.125", "192.168.58.126" ]'
35 |
# NOTE(review): '192.' reads like an unfinished placeholder rather than an
# address; check how the elastic roles consume self_host_ip before relying on it.
36 | self_host_ip: '192.'
37 |
38 | #cloud config
39 |
# SECURITY: the two values below are a literal AWS access key id and secret key
# committed to the repository. Treat them as compromised: rotate the key in IAM,
# purge it from git history, and supply the replacement through an ansible-vault
# file or an environment lookup at run time rather than a plaintext vars file.
# (EC2 discovery can also use an instance profile, which needs no static key.)
40 | cl_ac_key: 'cloud.aws.access_key: AKIAIVII7RDQGYQT4KIQ'
41 |
42 | cl_sc_key: 'cloud.aws.secret_key: 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'
43 |
44 | cl_region: 'cloud.aws.region: us-east-1'
45 |
# EC2 variant: bind and publish on the instance's private IPv4 and discover
# peers through the EC2 API instead of the static unicast list above.
46 | network_host: 'network.host: [ "_ec2:privateIpv4_", "_local_" ]'
47 |
48 | network_bind_host: 'network.bind_host: _ec2:privateIpv4_'
49 |
50 | network_publish_host: 'network.publish_host: _ec2:privateIpv4_'
51 |
52 | discovery_type: 'discovery.type: ec2'
53 |
54 |
55 | #Nginx Certificate Start
56 |
# Subject fields for the certificate the kibana_security role creates
# (presumably self-signed; the role is not shown here). server_fqdn is most
# likely the CN, so 'Kibana' only matches what browsers expect if that is the
# name users actually type; valid_days is ten years.
57 | country_code: 'IN'
58 | state_full: 'Maharashtra'
59 | locality_city: 'Mumbai'
60 | org_name: 'Network Intelligence'
61 | server_fqdn: 'Kibana'
62 | valid_days: '3650'
63 |
64 | #Nginx Certificate End
65 |
66 | #Nginx Username and password
# htpasswd entry for the reverse proxy ($apr1$ = Apache MD5-crypt). A committed
# password hash is still a secret: keep it in ansible-vault, and prefer bcrypt
# over apr1 when generating a new one.
67 | nginx_creds: 'kibanaAdmin:$apr1$Z5ERJ1.y$YF31NBdA6Q6UhOr.53ggR1'
68 | -------------------------------------------------------------------------------- /ELK-stackv6.x/install_elk.sh: --------------------------------------------------------------------------------
1 | #!/bin/bash
2 | ##This script will install ELK-stack 6.x(latest) in Ubuntu 16.04.1
3 | ##This file is independent of the ansible playbook
4 | ##Author : Paranoid Ninja
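##Email : paranoidninja@protonmail.com
##
## Usage (as root): install_elk.sh -e | -l | -k | -elk
##
## Installs Elasticsearch, Logstash and/or Kibana 6.x from the Elastic apt
## repository on Ubuntu 16.04, writes a minimal elasticsearch.yml bound to $EIP,
## optionally enables memory locking and adjusts the JVM heap, and enables the
## services at boot.
##
## SECURITY: nothing below configures authentication or TLS. Elasticsearch
## answers on $EIP:9200 and Kibana on $KIBANA_HOST:5601 to anyone who can reach
## those addresses, so keep them on a trusted segment or put a host firewall /
## authenticating reverse proxy in front before loading real data.

set -e

#Global Variables:
disable_swap=true
change_heap_size=true
min_heap_size="-Xms2g" #Change Minimum Heap Size as per requirement
max_heap_size="-Xmx2g" #Change Maximum Heap Size as per requirement
EIP="192.168.1.10"      #Address Elasticsearch binds to (also used for the mlockall check)
KIBANA_HOST="0.0.0.0"   #Address Kibana binds to; 0.0.0.0 means every interface

ES_KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"
ES_REPO="deb https://artifacts.elastic.co/packages/6.x/apt stable main"
ES_REPO_FILE="/etc/apt/sources.list.d/elastic-6.x.list"
ES_CONF="/etc/elasticsearch/elasticsearch.yml"
ES_JVM="/etc/elasticsearch/jvm.options"
ES_DROPIN_DIR="/etc/systemd/system/elasticsearch.service.d"

# Print a yellow "[+] <msg>..." status line and reset the terminal colour.
Say() {
  echo -e "$(tput setaf 3)\n[+] $1...\n$(tput setaf 7)"
}

# Import the Elastic signing key, write the 6.x repo entry and refresh apt.
# The list file is written, not appended, so calling this once per component
# (as -elk does) does not accumulate duplicate "deb ..." lines.
AddElasticRepo() {
  # apt-key is deprecated on newer releases but is what Ubuntu 16.04 ships.
  wget -qO - "$ES_KEY_URL" | apt-key add -
  echo "$ES_REPO" > "$ES_REPO_FILE"
  apt-get update
}

Elastic() {
  # Drop any older elastic-* list (e.g. a 5.x entry) before adding 6.x.
  rm -rf /etc/apt/sources.list.d/elastic-*
  Say "Installing Elasticsearch"
  AddElasticRepo
  apt-get -y install elasticsearch apt-transport-https curl git wget openjdk-8-jre
  service elasticsearch stop

  #Changing Network Hosts
  Say "Modifying Network Details"
  # The packaged elasticsearch.yml is replaced wholesale by this minimal config.
  cat > "$ES_CONF" <<EOF
cluster.name: ThreatHunting
node.name: ATH-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.host: $EIP
network.host: $EIP
http.port: 9200
EOF

  #Disabling Java Swap for Elasticsearch only
  if [ "$disable_swap" = true ]; then
    Say "Disabling JVM Swap"
    echo "bootstrap.memory_lock: true" >> "$ES_CONF"
    # The drop-in directory is not created by the package; appending to
    # override.conf without it failed and, under set -e, aborted the script.
    mkdir -p "$ES_DROPIN_DIR"
    printf '[Service]\nLimitMEMLOCK=infinity\n' > "$ES_DROPIN_DIR/override.conf"
    grep -qs '^MAX_LOCKED_MEMORY=unlimited' /etc/default/elasticsearch \
      || echo "MAX_LOCKED_MEMORY=unlimited" >> /etc/default/elasticsearch
    ulimit -l unlimited
  fi

  #Changing Heap Size
  if [ "$change_heap_size" = true ]; then
    Say "Modifying Heap Size to $min_heap_size and $max_heap_size "
    # Match whatever -Xms/-Xmx value the package shipped. The original only
    # replaced the literal -Xms2g/-Xmx2g and silently did nothing otherwise;
    # the 5.x Ansible role uses the same -Xms[0-9]g style of pattern.
    sed -i -E "s/^-Xms[0-9]+[gGmM]$/$min_heap_size/" "$ES_JVM"
    sed -i -E "s/^-Xmx[0-9]+[gGmM]$/$max_heap_size/" "$ES_JVM"
  fi

  #Updating Services
  # Done after all config edits, and regardless of disable_swap (the original
  # only enabled the unit inside the memory-lock branch).
  Say "Enabling Services on boot"
  update-rc.d elasticsearch defaults 95 10
  /bin/systemctl daemon-reload
  /bin/systemctl enable elasticsearch.service
  /bin/systemctl start elasticsearch.service

  if [ "$disable_swap" = true ]; then
    Say "Waiting for Elastic Service to Start"
    # The original queried the node 5 s after stopping it and never starting it,
    # so the check could not succeed and (curl | grep under set -e) aborted the
    # run. Poll for up to two minutes and report, but never abort, on timeout.
    mlock_url="http://$EIP:9200/_nodes?filter_path=**.mlockall"
    for _ in $(seq 1 24); do
      if curl -s "$mlock_url" | grep -q mlockall; then
        curl -s "$mlock_url"; echo
        break
      fi
      sleep 5
    done
  fi
}

Logstash() {
  echo -e "\n[+] Installing Logstash...\n"
  AddElasticRepo
  apt-get -y install screen logstash apt-transport-https curl git wget openjdk-8-jre
}

Kibana() {
  Say "Installing Kibana"
  AddElasticRepo
  apt-get install -y kibana apt-transport-https curl git wget openjdk-8-jre

  #Changing Network Hosts
  Say "Modifying Network Details"
  # Uncomment and set server.host. With KIBANA_HOST=0.0.0.0 the UI is reachable
  # on every interface and nothing here puts authentication in front of it.
  sed -i "s/^#server.host: \"localhost\"/server.host: $KIBANA_HOST/" /etc/kibana/kibana.yml

  #Updating Services
  Say "Enabling Services on boot"
  update-rc.d kibana defaults 95 10
  /bin/systemctl daemon-reload
  /bin/systemctl enable kibana.service
  service kibana restart
}

Help() {
  echo -e "\n`tput setaf 3`[-] Help: Please specify command line parameters:\n-e\tInstall Elasticsearch\n-l\tInstall Logstash\n-k\tInstall Kibana\n-elk\t Install Full Elkstack\n[-] eg:- `tput setaf 2`$0 -e\n`tput setaf 3`[!] Also, don't forget to modify the Elastic IP as EIP in script`tput setaf 7`"
}

#Check root access
# Everything above writes under /etc and drives apt, so refuse early and
# exit non-zero (the original printed the message and exited 0).
if [[ $EUID -ne 0 ]]; then
  echo -e "\n`tput setaf 1`Your derp level is too high, I don't like you..!`tput setaf 7`\n"
  exit 1
fi

case "$1" in
  -e)   Elastic ;;
  -k)   Kibana ;;
  -l)   Logstash ;;
  -elk) Elastic; Logstash; Kibana ;;
  *)    Help; exit 1 ;;
esac

-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Threat-Hunting 2 | This repo is dedicated to all my tricks, tweaks and modules for testing and hunting threats. This repo contains multiple directories which are in their own, different modules required for threat hunting. This repo will be updated as and when new changes are made. 3 | 4 | # ELK-stack Ansible 5 | 6 | This sub-repo is whole dedicated to the installation of ELK-stack using ansible which automates the whole installation process. This repo will be kept updated for whole elkstack inventories. 7 | 8 | The install_elk.sh installs elkstack either as a single-node cluster or it can be used to install multi-node cluster as well. This file is independent of the whole ansible playbook. 9 | 10 | The playbook will also install the required plugins. You need to copy all the files in the ansible folder and execute the fullstack_playbook.yml file. 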
New plugins can be inserted in the vars/main.yml file as variables. The IP Address needs to be changed in the hosts file for multi node cluster installation. Remember to change the heap size in the vars/main.yml else the elastic service will not work due to incorrect memory lock. 11 | 12 | SSH disconnection issue has been taken care of by modifying the ansible.cfg file. 13 | 14 | # VirusTotal 15 | 16 | This sub-repo contains a python file that queries VirusTotal with all the SHA1 hashes found in the Elasticsearch database and reports back the infection result 17 | 18 | # Sysmon-Deployment 19 | 20 | This sub-repo contains the deployment of Sysmon via powershell and winrm on multiple sets of machine for analysis. The Sysmon Config file is a modified version from Swift On Security. 21 | -------------------------------------------------------------------------------- /Sysmon-Deployment/Eula.txt: -------------------------------------------------------------------------------- 1 | Sysinternals Software License Terms 2 | These license terms are an agreement between Sysinternals (a wholly owned subsidiary of Microsoft Corporation) and you. Please read them. They apply to the software you are downloading from technet.microsoft.com/sysinternals, which includes the media on which you received it, if any. The terms also apply to any Sysinternals 3 | * updates, 4 | * supplements, 5 | * Internet-based services, 6 | * and support services 7 | for this software, unless other terms accompany those items. If so, those terms apply. 8 | BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE. 9 | If you comply with these license terms, you have the rights below. 10 | 11 | Installation and User Rights 12 | 13 | You may install and use any number of copies of the software on your devices. 14 | 15 | Scope of License 16 | 17 | The software is licensed, not sold. This agreement only gives you some rights to use the software. 
Sysinternals reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not 18 | * work around any technical limitations in the software; 19 | * reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation; 20 | * make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation; 21 | * publish the software for others to copy; 22 | * rent, lease or lend the software; 23 | * transfer the software or this agreement to any third party; or 24 | * use the software for commercial software hosting services. 25 | 26 | Sensitive Information 27 | 28 | Please be aware that, similar to other debug tools that capture “process state” information, files saved by Sysinternals tools may include personally identifiable or other sensitive information (such as usernames, passwords, paths to files accessed, and paths to registry accessed). By using this software, you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Microsoft or any other party through your use of the software. 29 | 30 | Documentation 31 | 32 | Any person that has valid access to your computer or internal network may copy and use the documentation for your internal, reference purposes. 33 | 34 | Export Restrictions 35 | 36 | The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting . 
37 | 38 | Support Services 39 | 40 | Because this software is "as is," we may not provide support services for it. 41 | 42 | Entire Agreement 43 | 44 | This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the software and support services. 45 | 46 | Applicable Law 47 | 48 | United States . If you acquired the software in the United States , Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort. 49 | Outside the United States . If you acquired the software in any other country, the laws of that country apply. 50 | 51 | Legal Effect 52 | 53 | This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the software. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so. 54 | 55 | Disclaimer of Warranty 56 | 57 | The software is licensed "as-is." You bear the risk of using it. Sysinternals gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, sysinternals excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement. 58 | 59 | Limitation on and Exclusion of Remedies and Damages 60 | 61 | You can recover from sysinternals and its suppliers only direct damages up to U.S. $5.00. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages. 
62 | This limitation applies to 63 | * anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and 64 | * claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law. 65 | 66 | It also applies even if Sysinternals knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. 67 | Please note: As this software is distributed in Quebec , Canada , some of the clauses in this agreement are provided below in French. 68 | Remarque : Ce logiciel étant distribué au Québec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français. 69 | EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Sysinternals n'accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d'adéquation à un usage particulier et d'absence de contrefaçon sont exclues. 70 | LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Sysinternals et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices. 
71 | Cette limitation concerne : 72 | tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers ; et 73 | les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d'une autre faute dans la limite autorisée par la loi en vigueur. 74 | Elle s'applique également, même si Sysinternals connaissait ou devrait connaître l'éventualité d'un tel dommage. Si votre pays n'autorise pas l'exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l'exclusion ci-dessus ne s'appliquera pas à votre égard. 75 | EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d'autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas. 
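76 | -------------------------------------------------------------------------------- /Sysmon-Deployment/Sysmon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paranoidninja/Threat-Hunting/6c0d7219cee9e63a89b6c7d045bad5b34a397235/Sysmon-Deployment/Sysmon.exe -------------------------------------------------------------------------------- /Sysmon-Deployment/Sysmon64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paranoidninja/Threat-Hunting/6c0d7219cee9e63a89b6c7d045bad5b34a397235/Sysmon-Deployment/Sysmon64.exe -------------------------------------------------------------------------------- /Sysmon-Deployment/Sysmon_deploy.ps1: --------------------------------------------------------------------------------
##Author : Paranoid Ninja
##Email : paranoidninja@protonmail.com
##Desc : Simple Powershell Script to deploy Sysmon via winrm. Change the shared folder path in SourceFolder and add all computer names in the CompName Variable text file/path
##
## Per target: copy the Sysmon package (Sysmon64.exe + sysmon_config.xml) to the
## C$ admin share, then install the service over WinRM from that same directory.
## Runs with the caller's credentials, which need local admin on every target.

# Share that holds Sysmon64.exe and sysmon_config.xml.
$SourceFolder = "\\VBOXSVR\shared_box\Sysmon_testing\"
# One computer name per line.
$CompName = Get-Content "C:\Users\Administrator\Desktop\machine.txt"
# Where the package lands on each target, as the target sees it and as seen
# through the admin share. The copy and the install command both derive from
# these, so they can no longer drift apart (the original copied to C$\sysmon
# but ran the installer from C:\Sysmon_testing).
$RemoteDir = 'C:\sysmon'
$RemoteShare = 'C$\sysmon'

foreach ($computer in $CompName)
{
    $target = $computer.Trim()
    if (-not $target) { continue }   # skip blank lines in machine.txt

    # The original built this from $CompName (the whole list), not the loop variable.
    $DestinationFolder = "\\$target\$RemoteShare"

    if (!(Test-Path -Path $DestinationFolder))
    {
        New-Item $DestinationFolder -Type Directory | Out-Null
    }

    robocopy $SourceFolder $DestinationFolder
    # robocopy exit codes 0-7 are success variants; 8 and above mean something
    # failed to copy, so don't try to install from an incomplete directory.
    if ($LASTEXITCODE -ge 8)
    {
        Write-Warning "Copy to $target failed (robocopy exit $LASTEXITCODE); skipping install."
        continue
    }

    Invoke-Command -ComputerName $target -ArgumentList $RemoteDir -ScriptBlock {
        param($dir)
        & cmd /c "$dir\Sysmon64.exe -i $dir\sysmon_config.xml -accepteula"
    }

    #Use the below command to uninstall the service in all the computers

    #Invoke-Command -ComputerName $computer -ScriptBlock { & cmd /c "C:\sysmon\Sysmon64.exe -u"}
}
-------------------------------------------------------------------------------- /Sysmon-Deployment/sysmon.conf: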
--------------------------------------------------------------------------------
1 | ##Author : Paranoid Ninja
2 | ##Email : paranoidninja@protonmail.com
3 | ##Desc : Sysmon Logstash Configuration File
#
# Pipeline: Beats listener on 5044 -> filter that derives executable, port and
# hash fields from Sysmon event_data -> Elasticsearch (daily logstash-sysmon-*
# index) plus a rubydebug copy of every event on stdout.
4 |
5 | input {
6 | beats {
# Plain (non-TLS, unauthenticated) Beats listener: anything that can reach
# 5044 can inject events into the index.
7 | port => 5044
8 | }
9 | }
10 |
11 |
12 | filter {
13 |
14 | #Extracting the exact executable out of the full Image Path
15 |
# NOTE(review): `"Image: " not in [message]` excludes any message containing
# the substring `Image: `, which in Sysmon's text rendering covers the
# `Image: `, `TargetImage: ` and `ParentImage: ` lines as well. If so, the
# TargetImage branch below is unreachable and only ImageLoaded-style messages
# pass; confirm against real events before relying on `executable`.
16 | if "Image" in [message] and "Image: System" not in [message] and "Image: " not in [message] {
17 | if "ImageLoaded: " in [message] {
18 | grok {
# Greedy `.*` consumes up to the last backslash, so `executable` is the bare
# file name (here: the loaded DLL/driver, not the loading process).
19 | match => [ "[event_data][ImageLoaded]", ".*\\%{GREEDYDATA:executable}" ]
20 | }
21 | }
22 | if "TargetImage" in [message] {
23 | grok {
24 | match => [ "[event_data][TargetImage]", ".*\\%{GREEDYDATA:executable}" ]
25 | }
26 | grok {
27 | match => [ "[event_data][SourceImage]", ".*\\%{GREEDYDATA:injected_executable}" ]
28 | }
29 | grok {
# `\.` matches the first dot, so for "a.b.exe" file_format becomes "b.exe".
30 | match => [ "injected_executable", "\.%{GREEDYDATA:file_format}"]
31 | }
32 | }
33 | else {
34 | grok {
35 | match => [ "[event_data][Image]", ".*\\%{GREEDYDATA:executable}" ]
36 | }
37 | }
38 | grok {
39 | match => [ "executable", "\.%{GREEDYDATA:file_format}"]
40 | }
41 | }
42 |
43 | #Mapping Ip Addresses to proper Keywords
44 |
45 | if "DestinationIp" in [message] {
46 | mutate {
47 | add_field => {
48 | "src_port" => "%{[event_data][SourcePort]}"
49 | "dst_port" => "%{[event_data][DestinationPort]}"
50 | "src_addr" => "%{[event_data][SourceIp]}"
51 | "dst_addr" => "%{[event_data][DestinationIp]}"
52 | }
# NOTE(review): within one mutate block `convert` runs before the common
# `add_field` option, so src_port/dst_port do not exist yet when these two
# converts execute and the fields are left as strings. Moving the converts into
# a second `mutate { }` after this one would fix it; confirm against the mutate
# ordering documented for the Logstash version in use.
53 | convert => ["src_port","integer"]
54 | convert => ["dst_port","integer"]
55 | remove_field => [ "[event_data][SourcePort]", "[event_data][DestinationPort]" ]
56 | }
57 | }
58 |
59 | #Removing 'SHA1=' from the event_data.Hashes field
60 |
61 | if "Hashes" in [message] {
62 | grok {
# Splits "SHA1=...,SHA256=..." into SHA1hash / SHA256hash. This only matches
# when Sysmon emits SHA1 first and SHA256 second; the shipped sysmon_config.xml
# appears to list md5,sha256 (tags were stripped in this copy), in which case
# no SHA1= prefix exists and every event is tagged _grokparsefailure. Confirm
# the HashAlgorithms setting, since the VirusTotal lookup keys on SHA1.
63 | match => [ "[event_data][Hashes]", "SHA1=%{DATA:SHA1hash},SHA256=%{WORD:SHA256hash}" ]
64 | }
65 | }
66 |
67 | #Remove this commented part during the final analysis stage
68 | #Removing unnecessary fields
69 |
# Runs last, after every `in [message]` test above has already been evaluated.
70 | mutate {
71 |
remove_field => [ "[event_data][Hashes]", "message", "beat" ]
72 | }
73 | }
74 |
75 |
76 | output {
77 | elasticsearch {
# Plain HTTP with no credentials; acceptable only on a trusted network segment.
78 | hosts => "192.168.58.103:9200"
79 | index => "logstash-sysmon-%{+YYYY.MM.dd}"
80 | }
# Debug aid: echoes every event (full Sysmon payload) to Logstash's stdout/log.
# Remove once the pipeline is verified.
81 | stdout {
82 | codec => rubydebug
83 | }
84 | }
85 | -------------------------------------------------------------------------------- /Sysmon-Deployment/sysmon_config.xml: -------------------------------------------------------------------------------- 1 | 22 | 23 | 24 | md5,sha256 25 | 26 | 27 | 28 | 29 | 30 | 33 | 34 | C:\Windows\system32\DllHost.exe /Processid 35 | C:\Windows\system32\SearchIndexer.exe /Embedding 36 | C:\Windows\System32\CompatTelRunner.exe 37 | C:\Windows\System32\MusNotification.exe 38 | C:\Windows\System32\MusNotificationUx.exe 39 | C:\Windows\System32\audiodg.exe 40 | C:\Windows\System32\conhost.exe 41 | C:\Windows\System32\powercfg.exe 42 | C:\Windows\System32\wbem\WmiApSrv.exe 43 | C:\Windows\System32\wermgr.exe 44 | C:\Windows\SysWOW64\wermgr.exe 45 | C:\Windows\system32\sppsvc.exe 46 | AppContainer 47 | %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows 48 | C:\Windows\system32\SearchIndexer.exe 49 | 50 | C:\Program Files\Windows Defender 51 | C:\Windows\System32\MpSigStub.exe 52 | C:\Windows\SoftwareDistribution\Download\Install\AM_Base 53 | C:\Windows\SoftwareDistribution\Download\Install\AM_Delta 54 | C:\Windows\SoftwareDistribution\Download\Install\AM_Engine 55 | 56 | C:\Windows\System32\svchost.exe -k appmodel 57 | C:\Windows\System32\svchost.exe -k dcomLaunch 58 | C:\Windows\System32\svchost.exe -k defragsvc 59 | C:\Windows\System32\svchost.exe -k imgsvc 60 | C:\Windows\System32\svchost.exe -k localServiceAndNoImpersonation 61 | C:\Windows\System32\svchost.exe -k localServiceNetworkRestricted 62 | C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted 63 | C:\Windows\System32\svchost.exe -k netsvcs 64 | C:\Windows\System32\svchost.exe -k networkServiceNetworkRestricted 65 | 
C:\Windows\System32\svchost.exe -k rPCSS 66 | C:\Windows\System32\svchost.exe -k swprv 67 | C:\Windows\System32\svchost.exe -k unistackSvcGroup 68 | C:\Windows\System32\svchost.exe -k utcsvc 69 | C:\Windows\System32\svchost.exe -k wbioSvcGroup 70 | C:\Windows\System32\svchost.exe -k wsappx 71 | C:\Windows\system32\svchost.exe -k networkService 72 | C:\windows\System32\svchost.exe -k werSvcGroup 73 | C:\Windows\System32\svchost.exe -k netsvcs 74 | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted 75 | 76 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 77 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 78 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 79 | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 80 | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 81 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe 82 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 83 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe 84 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 85 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe 86 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe 87 | 88 | C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE 89 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 90 | 91 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe 92 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 93 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe 94 | 95 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type= 96 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type= 97 | C:\Program Files (x86)\Google\Update\ 98 | C:\Program Files (x86)\Google\Update\ 99 | 100 | "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel 101 | 
"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel 102 | 103 | AcroRd32.exe" /CR 104 | AcroRd32.exe" --channel= 105 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe 106 | C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe 107 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 108 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe 109 | 110 | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe 111 | 112 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe 113 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe 114 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe 115 | 116 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe 117 | C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe 118 | C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe 119 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe 120 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe 121 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe 122 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe 123 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe 124 | 125 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe 126 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe 127 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe 128 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe 129 | 130 | "C:\Program Files\DellTPad\ApMsgFwd.exe" -s{ 131 | C:\Program Files\NVIDIA Corporation\ 132 | C:\Program Files\Realtek\ 133 | C:\Program Files\DellTPad\HidMonitorSvc.exe 134 | C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe 135 | 136 | C:\Program Files 
(x86)\Dropbox\Update\DropboxUpdate.exe 137 | C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe 138 | 139 | C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe 140 | 141 | 142 | 143 | 144 | 145 | C:\Users 146 | 147 | 148 | OneDrive.exe 149 | setup 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | C:\Users 160 | C:\ProgramData 161 | C:\Windows\Temp 162 | 163 | at.exe 164 | certutil.exe 165 | cmd.exe 166 | cscript.exe 167 | java.exe 168 | mshta.exe 169 | msiexec.exe 170 | net.exe 171 | notepad.exe 172 | powershell.exe 173 | qwinsta.exe 174 | reg.exe 175 | regsvr32.exe 176 | rundll32.exe 177 | sc.exe 178 | wmic.exe 179 | wscript.exe 180 | 181 | psexec.exe 182 | psexesvc.exe 183 | vnc.exe 184 | vncviewer.exe 185 | vncservice.exe 186 | winexesvc.exe 187 | \AA_v 188 | 189 | omniinet.exe 190 | hpsmhd.exe 191 | 192 | tor.exe 193 | 194 | 22 195 | 23 196 | 25 197 | 3389 198 | 5800 199 | 5900 200 | 201 | 1080 202 | 3128 203 | 8080 204 | 205 | 1723 206 | 4500 207 | 9001 208 | 9030 209 | 210 | 211 | OneDrive.exe 212 | Spotify.exe 213 | AppData\Roaming\Dropbox\bin\Dropbox.exe 214 | 215 | OneDriveStandaloneUpdater.exe 216 | microsoft.com 217 | microsoft.com.akadns.net 218 | microsoft.com.nsatc.net 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | C:\Users 230 | 231 | 232 | 233 | 234 | 235 | 237 | microsoft 238 | windows 239 | Intel 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 253 | C:\Windows\System32\wbem\WmiPrvSE.exe 254 | C:\Windows\System32\svchost.exe 255 | C:\Windows\System32\wininit.exe 256 | C:\Windows\System32\csrss.exe 257 | C:\Windows\System32\services.exe 258 | C:\Windows\System32\winlogon.exe 259 | C:\Windows\System32\audiodg.exe 260 | C:\windows\system32\kernel32.dll 261 | Google\Chrome\Application\chrome.exe 262 | 263 | 264 | 265 | 266 | 267 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | \Start Menu 283 | \Startup 284 | \Content.Outlook\ 285 | \Downloads\ 286 | 
.application 287 | .appref-ms 288 | .bat 289 | .cmd 290 | .cmdline 291 | .docm 292 | .exe 293 | .hta 294 | .pptm 295 | .ps1 296 | .sys 297 | .vbs 298 | .xlsm 299 | C:\Users\Default 300 | C:\Windows\System32\Drivers 301 | C:\Windows\SysWOW64\Drivers 302 | C:\Windows\System32\GroupPolicy\Machine\Scripts 303 | C:\Windows\System32\GroupPolicy\User\Scripts 304 | C:\Windows\System32\Tasks 305 | C:\Windows\System32\Wbem 306 | C:\Windows\SysWOW64\Wbem 307 | C:\Windows\System32\WindowsPowerShell 308 | C:\Windows\SysWOW64\WindowsPowerShell 309 | C:\Windows\Tasks\ 310 | 311 | 312 | 313 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe 314 | 315 | C:\Windows\System32\smss.exe 316 | C:\Windows\system32\CompatTelRunner.exe 317 | \\?\C:\Windows\system32\wbem\WMIADAP.EXE 318 | C:\Windows\System32\DriverStore\Temp\ 319 | C:\Windows\System32\wbem\Performance\ 320 | WRITABLE.TST 321 | 322 | C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\ 323 | C:\WINDOWS\winsxs\amd64_microsoft-windows 324 | 325 | C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe 326 | 327 | C:\Windows\system32\igfxCUIService.exe 328 | 329 | 330 | 331 | 332 | 333 | 334 | 335 | 336 | 337 | 338 | 339 | 340 | 341 | 342 | 343 | 344 | 345 | \CurrentVersion\Run 346 | \Group Policy\Scripts 347 | \Windows\System\Scripts 348 | \Policies\Explorer\Run 349 | \ServiceDll 350 | \ImagePath 351 | \Start 352 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ 353 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\ 354 | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 355 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute 356 | 357 | \Explorer\FileExts\ 358 | \shell\install\command\ 359 | \shell\open\command\ 360 | \shell\open\ddeexec\ 361 | 362 | \InprocServer32\(Default) 363 | 364 | \Classes\*\ 365 | \Classes\AllFilesystemObjects\ 366 | \Classes\Directory\ 367 | \Classes\Drive\ 368 | \Classes\Folder\ 369 | 
\ContextMenuHandlers\ 370 | \CurrentVersion\Shell 371 | HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks 372 | HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad 373 | 374 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ 375 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\ 376 | 377 | HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram 378 | 379 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ 380 | 381 | HKLM\SYSTEM\CurrentControlSet\Services\WinSock\ 382 | \ProxyServer 383 | 384 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider 385 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ 386 | HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders 387 | 388 | HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ 389 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles 390 | 391 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ 392 | HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ 393 | 394 | \Microsoft\Office\Outlook\Addins\ 395 | 396 | \Internet Explorer\Toolbar\ 397 | \Internet Explorer\Extensions\ 398 | \Browser Helper Objects\ 399 | 400 | {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ 401 | 402 | \UrlUpdateInfo 403 | \InstallSource 404 | 405 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 406 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy 407 | 408 | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 409 | 410 | HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled 411 | HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify 412 | HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring 413 | HKLM\SOFTWARE\Microsoft\Security 
Center\FirewallDisableNotify 414 | HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride 415 | HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify 416 | HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify 417 | 418 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware 419 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus 420 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring 421 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection 422 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable 423 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting 424 | 425 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ 426 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ 427 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\ 428 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ 429 | HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\ 430 | HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\ 431 | \FriendlyName 432 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) 433 | 434 | 435 | 436 | 437 | Office\root\integration\integrator.exe 438 | C:\WINDOWS\system32\backgroundTaskHost.exe 439 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 440 | C:\Program Files\Windows Defender\MsMpEng.exe 441 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe 442 | 443 | Toolbar\WebBrowser 444 | Toolbar\WebBrowser\ITBar7Height 445 | Toolbar\ShellBrowser\ITBar7Layout 446 | Internet Explorer\Toolbar\Locked 447 | ShellBrowser 448 | \CurrentVersion\Run 449 | \CurrentVersion\RunOnce 450 | \CurrentVersion\App Paths 451 | \CurrentVersion\Image File Execution Options 452 | \CurrentVersion\Shell Extensions\Cached 453 | \CurrentVersion\Shell Extensions\Approved 454 | 
}\PreviousPolicyAreas 455 | \Control\WMI\Autologger\ 456 | HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start 457 | \Lsa\OfflineJoin\CurrentValue 458 | \Components\TrustedInstaller\Events 459 | \Components\TrustedInstaller 460 | \Components\Wlansvc 461 | \Components\Wlansvc\Events 462 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ 463 | \Directory\shellex 464 | \Directory\shellex\DragDropHandlers 465 | \Drive\shellex 466 | \Drive\shellex\DragDropHandlers 467 | _Classes\AppX 468 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ 469 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe 470 | 471 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit 472 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy 473 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System 474 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache 475 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains 476 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit 477 | 478 | \services\clr_optimization_v2.0.50727_32\Start 479 | \services\clr_optimization_v2.0.50727_64\Start 480 | \services\clr_optimization_v4.0.30319_32\Start 481 | \services\clr_optimization_v4.0.30319_64\Start 482 | \services\DeviceAssociationService\Start 483 | \services\BITS\Start 484 | \services\TrustedInstaller\Start 485 | \services\tunnel\Start 486 | \services\UsoSvc\Start 487 | 488 | \OpenWithProgids 489 | \OpenWithList 490 | \UserChoice 491 | \UserChoice\ProgId 492 | \UserChoice\Hash 493 | \OpenWithList\MRUList 494 | } 0xFFFF 495 | 496 | C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe 497 | C:\Program Files (x86)\Webroot\WRSA.exe 498 | 499 | 500 | 501 | 502 | 503 | 507 | Content.Outlook 508 | Downloads 509 | Temp\7z 510 | .bat 511 | .cmd 512 | .hta 513 | .lnk 514 | .ps1 515 | .ps2 516 | .reg 517 | .vb 518 | .vbe 519 | .vbs 520 | 521 | 522 | 523 | 524 | 525 | 526 | 527 | 528 | 529 | 530 | 531 | 532 
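#!/usr/bin/env python
# File: /VirusTotal/vtQuery.py

##Author : Paranoid Ninja
##Email : paranoidninja@protonmail.com
##Descr : Scans a given input file or a single hash, scans it on virustotal and writes the hit count in a output file

import requests
import argparse
import os
import time

# VirusTotal v2 file-report endpoint used by the original script.
VT_REPORT_URL = 'https://www.virustotal.com/vtapi/v2/file/report'

# The public v2 API is rate limited; the original pauses 15 s between lookups.
REQUEST_DELAY_SECONDS = 15

# Seconds to wait for the HTTP round trip. requests has no default timeout,
# so without one a stalled connection would hang the whole batch forever.
HTTP_TIMEOUT_SECONDS = 30

# Name of the environment variable consulted when -k/--key is not given
# (this script's own name, chosen here so the key need not appear on the
# command line where it is visible in process listings and shell history).
API_KEY_ENV_VAR = 'VT_API_KEY'


def filecheck(filepath):
    """argparse ``type`` callback: return *filepath* if it is an existing file.

    Raises:
        argparse.ArgumentTypeError: when no regular file exists at *filepath*,
            so argparse reports a usage error instead of the callback calling
            exit() (which the original did, swallowing any other exception).
    """
    if os.path.isfile(filepath):
        return filepath
    raise argparse.ArgumentTypeError("There is no file at:" + filepath)


def _write_header(output, text):
    """Create (or truncate) the report file at *output* and write *text*."""
    with open(output, 'w') as report:
        report.write(text)


def _append_line(output, text):
    """Append *text* plus a newline to the report file at *output*."""
    with open(output, 'a') as report:
        report.write(text)
        report.write('\n')


def _read_hashes(path):
    """Return the non-blank, whitespace-trimmed lines of the input file.

    Blank lines are dropped: the original queried them as an empty resource,
    which only burned a request against the rate limit.
    """
    with open(path) as source:
        return [line.strip() for line in source if line.strip()]


def main():
    """Parse the command line and query VirusTotal for one hash or a file of hashes."""
    parser = argparse.ArgumentParser(description="[+] This tool queries hashes against Virus Total database.")
    parser.add_argument('-i', '--input', type=filecheck, required=False, help='Enter the full path of input file to be scanned ')
    parser.add_argument('-o', '--output', required=True, help='Enter the full path of the output file ')
    parser.add_argument('-H', '--hash', required=False, help='Insert single hash to be scanned')
    parser.add_argument('-k', '--key', required=False, default=os.environ.get(API_KEY_ENV_VAR),
                        help='Enter the VirusTotal API key (or set ' + API_KEY_ENV_VAR + ')')
    args = parser.parse_args()

    # -k used to be required; it is still mandatory, but may now come from the
    # environment instead of the command line.
    if not args.key:
        parser.error('a VirusTotal API key is required: pass -k/--key or set ' + API_KEY_ENV_VAR)

    #Run for a single hash + key
    if args.hash:
        _write_header(args.output, 'Below is the identified malicious file.\n\n')
        VT_Request(args.key, args.hash.strip(), args.output)
    #Run for an input file + key
    elif args.input:
        _write_header(args.output, 'Below are the identified malicious files.\n\n')
        for index, resource in enumerate(_read_hashes(args.input)):
            # Space out requests to respect the public-API rate limit; no pause
            # before the first lookup (the original also slept after the last one).
            if index:
                time.sleep(REQUEST_DELAY_SECONDS)
            VT_Request(args.key, resource, args.output)
    else:
        # The original silently did nothing and left an untouched output file.
        parser.error('one of -H/--hash or -i/--input is required')


def VT_Request(key, hash, output):
    """Look up one file *hash* on VirusTotal and append the verdict to *output*.

    Args:
        key: VirusTotal API key.
        hash: the v2 ``resource`` value (an MD5/SHA-1/SHA-256 of the file).
            The parameter keeps its original name for callers; the body uses
            ``resource`` to avoid shadowing the builtin.
        output: path of the report file; one line is appended per lookup
            that produced a definite answer.

    Never raises for a failed lookup: network errors, non-200 replies and
    unparsable bodies are printed and the lookup is skipped, so one bad
    request does not abort a whole batch.
    """
    resource = hash
    params = {'apikey': key, 'resource': resource}
    try:
        reply = requests.get(VT_REPORT_URL, params=params, timeout=HTTP_TIMEOUT_SECONDS)
    except requests.RequestException as err:
        print(resource + ' could not be searched. Please try again later. (' + str(err) + ')')
        return

    # Per the v2 API: 204 = request rate exceeded, 403 = key rejected. Both
    # come with an empty body, so calling .json() on them raised in the original.
    if reply.status_code != 200:
        print(resource + ' could not be searched. Please try again later. (HTTP '
              + str(reply.status_code) + ')')
        return

    try:
        json_response = reply.json()
    except ValueError:
        print(resource + ' could not be searched. Please try again later. (invalid response body)')
        return
    #print json_response

    # Missing key -> None, which falls through to the "try again" branch
    # instead of the TypeError that int(None) raised in the original.
    response = json_response.get('response_code')
    if response == 0:
        print(resource + ' is not in Virus Total')
        _append_line(output, resource + ' is not in Virus Total')
    elif response == 1:
        # 'positives' is absent for some records; treat that as no detections.
        positives = int(json_response.get('positives') or 0)
        if positives == 0:
            print(resource + ' is not malicious')
            _append_line(output, resource + ' is not malicious')
        else:
            print(resource + ' is malicious')
            _append_line(output, resource + ' is malicious. Hit Count:' + str(positives))
    else:
        # Covers -2 (still queued for analysis) and anything unexpected.
        print(resource + ' could not be searched. Please try again later.')


# execute the program
if __name__ == '__main__':
    main()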