From 9c428057aca59f5d6406037647cbd183bb69037b Mon Sep 17 00:00:00 2001
From: Noah H <36604349+mon0pixel@users.noreply.github.com>
Date: Fri, 5 Aug 2022 09:42:48 -0500
Subject: [PATCH 1/6] Update Sysmon Install To Prevent Insecure ACLs

When the .zip file was being copied over to the C:\Program Files directory it was carrying a ACL rule allowing modify access to the folder for the NT AUTHORITY\Authenticated Users group. By doing it this way the only ACLs placed on the C:\Program Files\Sysmon directory will be the ones inherited by C:\Program Files.
---
 agent/install-sysmon-beats.ps1 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/agent/install-sysmon-beats.ps1 b/agent/install-sysmon-beats.ps1
index 6122e5e..064bfad 100644
--- a/agent/install-sysmon-beats.ps1
+++ b/agent/install-sysmon-beats.ps1
@@ -74,8 +74,11 @@ if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdenti
 if (-not (Test-Path "$Env:programfiles\Sysmon" -PathType Container)) {
 Invoke-WebRequest -OutFile Sysmon.zip https://download.sysinternals.com/files/Sysmon.zip
 Expand-Archive .\Sysmon.zip
- rm .\Sysmon.zip
- mv .\Sysmon\ "$Env:programfiles"
+ remove-item .\Sysmon.zip
+ new-item -path "$Env:ProgramFiles\Sysmon" -ItemType Directory
+ $SysmonFiles = Get-ChildItem .\Sysmon
+ foreach ($file in $SysmonFiles){copy-item -path "./Sysmon/$file" -Destination "$Env:programfiles\Sysmon"}
+ remove-item .\Sysmon -Recurse
 }

 echo @"

From b70361b69fca4f148d0b89d5827d1f4685c2564f Mon Sep 17 00:00:00 2001
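Review bot: The new copy loop still stages the extracted binaries in the current working directory between `Expand-Archive .\Sysmon.zip` and `copy-item`, so the ACL problem the commit describes is only half addressed: if the script is run from a location other users can write to (the same situation that produced the Authenticated Users ACE), a standard user can swap the files during that window and they are then copied into Program Files and, presumably, installed as a service by the rest of the script. Creating the destination first and downloading/extracting straight into it removes the staging step, the per-file loop and the dependence on how `"$file"` stringifies, and everything written there inherits the Program Files ACL. Without `-ErrorAction Stop`, a failed download or extraction also leaves an empty `$Env:ProgramFiles\Sysmon` that the `Test-Path` guard on the first line treats as an install on the next run, so I would fail hard on those steps. The zip is fetched over HTTPS but not otherwise verified; that is pre-existing context, not part of this hunk.
```powershell
if (-not (Test-Path "$Env:programfiles\Sysmon" -PathType Container)) {
  $sysmonDir = "$Env:ProgramFiles\Sysmon"
  # Create the destination first so the download and the extracted files inherit the
  # Program Files ACL and nothing is staged in a (possibly user-writable) working directory.
  New-Item -Path $sysmonDir -ItemType Directory -ErrorAction Stop | Out-Null
  Invoke-WebRequest -OutFile "$sysmonDir\Sysmon.zip" https://download.sysinternals.com/files/Sysmon.zip -ErrorAction Stop
  Expand-Archive -Path "$sysmonDir\Sysmon.zip" -DestinationPath $sysmonDir -ErrorAction Stop
  Remove-Item "$sysmonDir\Sysmon.zip"
}
```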
From: Noah H <36604349+mon0pixel@users.noreply.github.com>
Date: Fri, 5 Aug 2022 09:59:18 -0500
Subject: [PATCH 2/6] Update WinlogBeat Install To Prevent Insecure ACLs

When the .zip file was being copied over to the C:\Program Files directory it was carrying a ACL rule allowing modify access to the folder for the NT AUTHORITY\Authenticated Users group. By doing it this way the only ACLs placed on the C:\Program Files\winlogbeat* directory will be the ones inherited by C:\Program Files.
---
 agent/install-sysmon-beats.ps1 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/agent/install-sysmon-beats.ps1 b/agent/install-sysmon-beats.ps1
index 064bfad..d7dc109 100644
--- a/agent/install-sysmon-beats.ps1
+++ b/agent/install-sysmon-beats.ps1
@@ -160,8 +160,12 @@ echo @"
 if (-not (Test-Path "$Env:programfiles\winlogbeat*" -PathType Container)) {
 Invoke-WebRequest -OutFile WinLogBeat.zip https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.5.2-windows-x86_64.zip
 Expand-Archive .\WinLogBeat.zip
- rm .\WinLogBeat.zip
- mv .\WinLogBeat\winlogbeat* "$Env:programfiles"
+ remove-item .\WinLogBeat.zip
+ $winlogbeatName = Get-ChildItem | where-object name -like winlogbeat*
+ new-item -path "$Env:ProgramFiles\$($winlogbeatName.Name)" -ItemType Directory
+ $WinlogBeatFiles = Get-ChildItem .\$winlogbeatName
+ foreach ($file in $WinlogBeatFiles){copy-item -path ".\$($winlogbeatName.Name)\$file" -Destination "$Env:ProgramFiles\$($winlogbeatName.Name)"}
+ remove-item .\$winlogbeatName -Recurse
 }

 cd "$Env:programfiles\winlogbeat*\"

From 43cd554275808371d444a813deedc11a2bf258be Mon Sep 17 00:00:00 2001
From: Noah H <36604349+mon0pixel@users.noreply.github.com>
Date: Fri, 5 Aug 2022 10:00:11 -0500
Subject: [PATCH 3/6] fixed slashes

---
 agent/install-sysmon-beats.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/agent/install-sysmon-beats.ps1 b/agent/install-sysmon-beats.ps1
index d7dc109..8aacf7e 100644
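Review bot: Nothing checks that `$winlogbeatName` resolved to exactly one directory before it is spliced into paths: `Get-ChildItem | where-object name -like winlogbeat*` runs in the working directory and `-like` is case-insensitive, so here it matches the `WinLogBeat` container that `Expand-Archive` just created rather than the versioned directory inside it, and an empty result would turn `"$Env:ProgramFiles\$($winlogbeatName.Name)"` into the Program Files root and `Get-ChildItem .\$winlogbeatName` into a listing of the working directory, which the loop would then, as far as I can tell, copy into Program Files. A later patch in this series narrows the search to `-path .\WinlogBeat`, which removes the self-match but not the empty or multiple-match case. I would add a guard right after the assignment: `if (@($winlogbeatName).Count -ne 1) { throw "expected exactly one winlogbeat-* directory in the archive" }`. The hunk also mixes `$winlogbeatName.Name` with bare `$winlogbeatName` in path strings; using `.Name` consistently avoids depending on how a DirectoryInfo stringifies.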
--- a/agent/install-sysmon-beats.ps1
+++ b/agent/install-sysmon-beats.ps1
@@ -77,7 +77,7 @@ if (-not (Test-Path "$Env:programfiles\Sysmon" -PathType Container)) {
 remove-item .\Sysmon.zip
 new-item -path "$Env:ProgramFiles\Sysmon" -ItemType Directory
 $SysmonFiles = Get-ChildItem .\Sysmon
- foreach ($file in $SysmonFiles){copy-item -path "./Sysmon/$file" -Destination "$Env:programfiles\Sysmon"}
+ foreach ($file in $SysmonFiles){copy-item -path ".\Sysmon\$file" -Destination "$Env:programfiles\Sysmon"}
 remove-item .\Sysmon -Recurse
 }

From 9f674c3b649ca5651cea09f9bd1402a697b1f79b Mon Sep 17 00:00:00 2001
From: Noah H <36604349+mon0pixel@users.noreply.github.com>
Date: Fri, 5 Aug 2022 10:36:04 -0500
Subject: [PATCH 4/6] fix file paths related to winlogbeat install

---
 agent/install-sysmon-beats.ps1 | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/agent/install-sysmon-beats.ps1 b/agent/install-sysmon-beats.ps1
index 8aacf7e..f5e3cb2 100644
--- a/agent/install-sysmon-beats.ps1
+++ b/agent/install-sysmon-beats.ps1
@@ -161,11 +161,11 @@ if (-not (Test-Path "$Env:programfiles\winlogbeat*" -PathType Container)) {
 Invoke-WebRequest -OutFile WinLogBeat.zip https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.5.2-windows-x86_64.zip
 Expand-Archive .\WinLogBeat.zip
 remove-item .\WinLogBeat.zip
- $winlogbeatName = Get-ChildItem | where-object name -like winlogbeat*
+ $winlogbeatName = Get-ChildItem -path .\WinlogBeat | where-object name -like winlogbeat*
 new-item -path "$Env:ProgramFiles\$($winlogbeatName.Name)" -ItemType Directory
- $WinlogBeatFiles = Get-ChildItem .\$winlogbeatName
- foreach ($file in $WinlogBeatFiles){copy-item -path ".\$($winlogbeatName.Name)\$file" -Destination "$Env:ProgramFiles\$($winlogbeatName.Name)"}
- remove-item .\$winlogbeatName -Recurse
+ $WinlogBeatFiles = Get-ChildItem ".\WinLogBeat\$winlogbeatName"
+ foreach ($file in $WinlogBeatFiles){copy-item -path ".\WinLogBeat\$($winlogbeatName.Name)\$file" -Destination "$Env:ProgramFiles\$($winlogbeatName.Name)"}
+ remove-item .\WinLogBeat -Recurse
 }

 cd "$Env:programfiles\winlogbeat*\"
@@ -211,5 +211,5 @@ output.elasticsearch:
 enabled: true
 verification_mode: none
 "@ > winlogbeat.yml
-PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
+PowerShell.exe -ExecutionPolicy UnRestricted -File "$Env:ProgramFiles\$($winlogbeatName.Name)\install-service-winlogbeat.ps1"
 Start-Service winlogbeat

From 85a6b4c09305d7c279135a2164c3fcd8b374ffba Mon Sep 17 00:00:00 2001
From: Noah H <36604349+mon0pixel@users.noreply.github.com>
Date: Fri, 5 Aug 2022 11:01:33 -0500
Subject: [PATCH 5/6] remove old ACL controls as they were not working.

---
 agent/install-sysmon-beats.ps1 | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/agent/install-sysmon-beats.ps1 b/agent/install-sysmon-beats.ps1
index f5e3cb2..99da954 100644
--- a/agent/install-sysmon-beats.ps1
+++ b/agent/install-sysmon-beats.ps1
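Review bot: `$WinlogBeatFiles = Get-ChildItem ".\WinLogBeat\$winlogbeatName"` interpolates the DirectoryInfo object itself while the surrounding lines use `$($winlogbeatName.Name)`; I believe whether `"$winlogbeatName"` yields the bare name or the full path depends on the PowerShell/.NET version and on which cmdlet produced the object, and if it is the full path the `.\WinLogBeat\C:\...` lookup raises a non-terminating error, the loop copies nothing, and `remove-item .\WinLogBeat -Recurse` then deletes the only extracted copy. I would use `.Name` on that line too: `$WinlogBeatFiles = Get-ChildItem ".\WinLogBeat\$($winlogbeatName.Name)"`. The same applies to `"$file"` inside the loop, where `$file.Name` is unambiguous.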
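Review bot: The new `-File "$Env:ProgramFiles\$($winlogbeatName.Name)\install-service-winlogbeat.ps1"` only works on a first install: `$winlogbeatName` is assigned inside the `if (-not (Test-Path "$Env:programfiles\winlogbeat*"))` block in the previous hunk, so when the directory already exists the variable is unset and the path collapses to `C:\Program Files\\install-service-winlogbeat.ps1`, where no such file exists, whereas the old relative `.\install-service-winlogbeat.ps1` worked because of the `cd "$Env:programfiles\winlogbeat*\"` that precedes this code. Build the path from the current location instead: `PowerShell.exe -ExecutionPolicy UnRestricted -File (Join-Path (Get-Location) 'install-service-winlogbeat.ps1')`. Separately, the `verification_mode: none` context line above disables TLS certificate verification for the Elasticsearch output; if that is intentional for this deployment, a comment saying why would stop it being "fixed" blindly later.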
@@ -181,10 +181,6 @@ if($ESPassword) {
 .\winlogbeat.exe --path.data "C:\ProgramData\winlogbeat" keystore add ES_PASSWORD
 }

-# Set ACL's of the $Env:ProgramData\winlogbeat folder to be the same as $Env:ProgramFiles\winlogbeat* (the main install path)
-# This helps ensure that "normal" users aren't able to access the $Env:ProgramData\winlogbeat folder
-Get-ACL -Path "$Env:ProgramFiles\winlogbeat*" | Set-ACL -Path "$Env:ProgramData\winlogbeat"
-
 rm .\winlogbeat.yml
 echo @"
 winlogbeat.event_logs:

From a5e30a8d22d157a7ccb56d6a7789b8ca82758610 Mon Sep 17 00:00:00 2001
From: Noah H <36604349+mon0pixel@users.noreply.github.com>
Date: Fri, 5 Aug 2022 11:21:41 -0500
Subject: [PATCH 6/6] Added -recuse option to copy files in subdirectories

---
 agent/install-sysmon-beats.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/agent/install-sysmon-beats.ps1 b/agent/install-sysmon-beats.ps1
index 99da954..fad24e5 100644
--- a/agent/install-sysmon-beats.ps1
+++ b/agent/install-sysmon-beats.ps1
@@ -164,7 +164,7 @@ if (-not (Test-Path "$Env:programfiles\winlogbeat*" -PathType Container)) {
 $winlogbeatName = Get-ChildItem -path .\WinlogBeat | where-object name -like winlogbeat*
 new-item -path "$Env:ProgramFiles\$($winlogbeatName.Name)" -ItemType Directory
 $WinlogBeatFiles = Get-ChildItem ".\WinLogBeat\$winlogbeatName"
- foreach ($file in $WinlogBeatFiles){copy-item -path ".\WinLogBeat\$($winlogbeatName.Name)\$file" -Destination "$Env:ProgramFiles\$($winlogbeatName.Name)"}
+ foreach ($file in $WinlogBeatFiles){copy-item -path ".\WinLogBeat\$($winlogbeatName.Name)\$file" -Destination "$Env:ProgramFiles\$($winlogbeatName.Name)" -Recurse}
 remove-item .\WinLogBeat -Recurse
 }
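Review bot: Dropping the `Get-ACL ... | Set-ACL -Path "$Env:ProgramData\winlogbeat"` step removes the only protection on the directory that holds the keystore (`keystore add ES_PASSWORD` two lines above writes into `C:\ProgramData\winlogbeat`), leaving it with whatever it inherits from ProgramData, which by default, as far as I recall, gives Users read access and create rights; the Beats keystore relies on filesystem permissions rather than a secret local users lack, so a standard user could plausibly read the Elasticsearch password. The commit message says the old approach "was not working", which is believable since after the earlier patches the Program Files directory carries only inherited ACEs and `Set-Acl` does not transplant those, but the control should be replaced rather than deleted. Creating the data directory and granting it explicitly before the keystore is written does what the removed comment intended: `New-Item -Path "$Env:ProgramData\winlogbeat" -ItemType Directory -Force | Out-Null` followed by `icacls "$Env:ProgramData\winlogbeat" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"`. The enclosing `if($ESPassword)` block starts above the hunk.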
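Review bot: The added `-Recurse` makes the loop copy subdirectories, but the whole per-item loop can be a single call that also drops the `"$file"` string conversion: `copy-item -path ".\WinLogBeat\$($winlogbeatName.Name)\*" -Destination "$Env:ProgramFiles\$($winlogbeatName.Name)" -Recurse`. The current form builds each source path by interpolating a FileInfo/DirectoryInfo, which I believe stringifies as the bare name in Windows PowerShell but can be the full path in newer PowerShell for objects from Get-ChildItem, so the loop is version-sensitive where the wildcard form is not. Either way I would add `-ErrorAction Stop` to the copy so a failure does not fall through to `remove-item .\WinLogBeat -Recurse`, which deletes the only extracted copy and leaves a half-populated directory that the `Test-Path "$Env:programfiles\winlogbeat*"` guard then treats as installed.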