Wow! It’s been fairly some time since I’ve blogged. I’ve been engaged on CIPP, and the CyberDrainCTF not too long ago ended so all my time simply disappeared making an attempt to stability these two. Not that that’s over for a bit I’ve a while to show about PowerShell once more.
This time we’re going to make use of PowerShell to setup transferring your logs to a centralized logging engine. This might be Graylog, ELK, and so on, but it surely may be your exterior SIEM/SOC product that you just’re working. Storing your logs in a central location may help a lot with troubleshooting, safety points, or auditability and accountability, so let’s get began.
We’ve three separate scripts accessible proper now, as a result of there’s 3 completely different choices; all scripts are fairly easy and straight ahead and largely meant for instance on how you could possibly do that, not how it is best to. I’m utilizing some neighborhood examples in these scripts;
- NXLog config generated by Poshim by Blumira
- Winlogbeat config by jhochwald, however with edits because it’s now not maintained for newer variations
- Sysmon config by Olaf Hartong
First we set up Sysmon, which permits us to observe extra info within the occasion log and has talents to seek out stuff you wouldn’t usually discover. After we set up sysmon we get the selection to deploy both NXLog, or WinLogBeat. It is a case of private choice.
Deploying Sysmon
Sysmon is the simplest within the equation; we obtain Sysmon, obtain the configuration, and arrange the right bitness model. As all the time I like to recommend to host these information your self someplace.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
Invoke-WebRequest "https://uncooked.githubusercontent.com/olafhartong/sysmon-modular/grasp/sysmonconfig.xml" -OutFile sysmonlatest.xml -UseBasicParsing
Invoke-WebRequest "https://obtain.sysinternals.com/information/Sysmon.zip" -OutFile "sysmon.zip" -UseBasicParsing
Increase-Archive "sysmon.zip" -Pressure
if ([Environment]::Is64BitOperatingSystem) {
Copy-Merchandise ".sysmon64.exe" "C:windowssystem32sysmon64.exe"
Begin-Course of "C:Windowssystem32Sysmon64.exe" -ArgumentList "-accepteula -i sysmonlatest.xml"
Begin-Course of "C:Windowssystem32Sysmon64.exe" -ArgumentList "-accepteula -c sysmonlatest.xml"
}
else {
Copy-Merchandise ".sysmon.exe" "C:windowssystem32sysmon.exe"
Begin-Course of "C:Windowssystem32Sysmon.exe" -ArgumentList "-accepteula -i sysmonlatest.xml"
Begin-Course of "C:Windowssystem32Sysmon.exe" -ArgumentList "-accepteula -c sysmonlatest.xml"
}
|
Now that we’ve setup setup Sysmon, let’s transfer on to organising NxLog
Setup NxLog
NxLog is among the instruments that really ships the logs someplace, within the case of our instance we’ll setup a uncooked TCP connection to our goal host. We’ve used Poshim to generate a primary configuration that picks up most typical occasions, together with our model new setup of Sysmon.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
$LoggingServer = "1.1.1.1"
$LoggingServerPort = "514"
Invoke-WebRequest "https://nxlog.co/system/information/merchandise/information/348/nxlog-ce-3.0.2272.msi" -OutFile 'nxlog-ce-3.0.2272.msi' -UseBasicParsing
Invoke-WebRequest "https://cyberdrain.com/wp-content/uploads/2022/03/nxlog.conf" -OutFile ".nxlog.conf" -UseBasicParsing
#Script makes use of elements of Blumira's Poshim, with permission.
Begin-Course of -FilePath "msiexec.exe" -ArgumentList @("/i nxlog-ce-3.0.2272", "/qn") -Wait
$logList = @(
"Home windows PowerShell"
"System"
"Safety"
"Utility"
"Setup"
"Operational"
"Community Isolation Operational"
"Microsoft-Home windows-WinRM/Operational"
"Microsoft-Home windows-WindowsUpdateClient/Operational"
"Microsoft-Home windows-Home windows Defender/WHC"
"Microsoft-Home windows-Home windows Defender/Operational"
"Microsoft-Home windows-Person Profile Service/Operational"
"Microsoft-Home windows-TerminalServices-RDPClient/Operational"
"Microsoft-Home windows-TaskScheduler/Operational"
"Microsoft-Home windows-Sysmon/Operational"
"Microsoft-Home windows-PrintService/Operational"
"Microsoft-Home windows-PrintService/Admin"
"Microsoft-Home windows-PowerShell/Operational"
"Microsoft-Home windows-PowerShell/Admin"
"Microsoft-Home windows-NTLM/Operational"
"Microsoft-Home windows-NetworkProfile/Operational"
"Microsoft-Home windows-LSA/Operational"
"Microsoft-Home windows-Kernel-PnP/Configuration"
"Microsoft-Home windows-GroupPolicy/Operational"
"Microsoft-Home windows-CodeIntegrity/Operational"
"Microsoft-Home windows-CertificateServicesClient-Lifecycle-System/Operational"
"Microsoft-Home windows-CAPI2/Operational"
"Microsoft-Home windows-Bits-Consumer/Operational"
"Microsoft-Home windows-AppLocker/Packaged app-Execution"
"Microsoft-Home windows-AppLocker/Packaged app-Deployment"
"Microsoft-Home windows-AppLocker/MSI and Script"
"Microsoft-Home windows-AppLocker/EXE and DLL"
"Microsoft-Home windows-Utility-Expertise/Steps-Recorder"
"Microsoft-Home windows-Utility-Expertise/Program-Telemetry"
"Microsoft-Home windows-Utility-Expertise/Program-Stock"
"Microsoft-Home windows-Utility-Expertise/Program-Compatibility-Troubleshooter"
"Microsoft-Home windows-Utility-Expertise/Program-Compatibility-Assistant"
"Microsoft-Home windows-Hyper-V-Hypervisor-Operational"
"Microsoft-Home windows-Hyper-V-Hypervisor-Admin"
"Microsoft-Home windows-SMBServer/Safety"
"Microsoft-Home windows-SMBServer/Operational"
"Microsoft-Home windows-SMBServer/Connectivity"
"Microsoft-Home windows-SMBServer/Audit"
"Microsoft-Home windows-WinHttp/Operational"
"Microsoft-Home windows-WinHTTP-NDF/Diagnostic"
"Microsoft-Home windows-RRAS/Operational"
)
Write-Host "Enabling Home windows Firewall Logging for each allowed and blocked makes an attempt"
Set-NetFirewallProfile -LogFileName %SystemRoot%System32LogFilesFirewallpfirewall.log -LogMaxSizeKilobytes 4096 -LogBlocked True -LogAllowed true -LogIgnored False
Write-Host "Checking record of obtainable occasion logs, and enabling them with 64MB Round dimension."
$Logs = $LogList | ForEach-Object {
$logSource = Get-WinEvent -ListLog $_
if (!$logSource.IsEnabled) {
$logSource.MaximumSizeInBytes = 64MB
$logSource.LogMode = "Round"
$logSource.isEnabled = $true
$logSource.SaveChanges()
}
}
Write-Host "Setting NXLog config to $($LoggingServer) on port $($LoggingServerPort)"
(Get-Content material '.nxlog.conf') -Change 'A.B.C.D', $LoggingServer -replace "SIEMPORT", $LoggingServerPort | Set-Content material '.nxlog.conf'
Write-Host "Copying NXLog config to new location"
Copy-Merchandise -Path '.nxlog.conf' -Vacation spot "C:Program Recordsdata (x86)nxlogconfnxlog.conf" -Pressure
Restart-Service -Identify "nxlog"
|
NxLog is cool, however some instruments work higher with Beats, such because the ELK stack. Beats are log collectors that course of information in a particular manner. For our subsequent instance, we’ll use WinLogBeat.
Setup WinLogbeat
For WinLogBeat it’s the identical strategy we took because the NxLog configuration; the distinction being we’ve got extra output sorts as choices.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
$LoggingServer = "1.1.1.1"
$LoggingServerPort = "514"
$OutputType = "logstash" #allowed: logstash, kafka, redis, elasticsearch
Increase-Archive winlogbeat.zip -Pressure
Invoke-WebRequest "https://cyberdrain.com/wp-content/uploads/2022/03/winlogbeat.zip" -OutFile ".winlogbeat.zip" -UseBasicParsing
Write-Host "Enabling Home windows Firewall Logging for each allowed and blocked makes an attempt"
Set-NetFirewallProfile -LogFileName %SystemRoot%System32LogFilesFirewallpfirewall.log -LogMaxSizeKilobytes 4096 -LogBlocked True -LogAllowed true -LogIgnored False
Write-Host "Putting in Winlogbeat Service"
Increase-Archive -Path WinLogBeat.zip -DestinationPath "$($PROGRAMDATA)" -Pressure
# Create the brand new service.
New-Service -Identify winlogbeat-drmm ` -DisplayName Winlogbeat-drmm`
-BinaryPathName "`"C:Programdatawinlogbeatwinlogbeat.exe`" --environment=windows_service -c `"C:Programdatawinlogbeatwinlogbeat.yml`" --path.house `"C:Programdatawinlogbeat`" --path.information `"$PROGRAMDATAwinlogbeat`" --path.logs `"$PROGRAMDATAwinlogbeatlogs`" -E logging.information.redirect_stderr=true"
# Try to set the service to delayed begin utilizing sc config.
Attempt {
Begin-Course of -FilePath sc.exe -ArgumentList 'config winlogbeat begin= delayed-auto'
}
Catch {
Write-Host "An error occured setting the service to delayed begin."
}
Write-Host "Setting WinLogBeat config to $($LoggingServer) on port $($LoggingServerPort)"
(Get-Content material 'C:Programdatawinlogbeatwinlogbeat.yml') -Change 'A.B.C.D', "$($LoggingServer):$LoggingServerPort" -replace "outputtype", $OutputType | Set-Content material 'C:Programdatawinlogbeatwinlogbeat.yml'
Write-Host "Beginning WinLogBeat"
& C:Programdatawinlogbeatwinlogbeat.exe check config -c C:Programdatawinlogbeatwinlogbeat.yml -e
Begin-Service 'winlogbeat-drmm'
|
And that’s it! WinlogBeat is now configured and sending logs to your output service.
These are simply examples on how you could possibly configure log delivery, I’d advise anybody to ship their logs to a central location for all the explanations talked about above; even in the event you’re not tremendous safety targeted this could assist you in attending to the following degree. Whenever you set this up, you also needs to begin monitoring the providers concerned like Sysmon, Nxlog, or Winlogbeat.
As all the time, Blissful PowerShelling. 🙂
