21 changes: 12 additions & 9 deletions agent/install-sysmon-beats.ps1
Expand Up @@ -74,8 +74,11 @@ if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdenti
if (-not (Test-Path "$Env:programfiles\Sysmon" -PathType Container)) {
Invoke-WebRequest -OutFile Sysmon.zip https://download.sysinternals.com/files/Sysmon.zip
Expand-Archive .\Sysmon.zip
rm .\Sysmon.zip
mv .\Sysmon\ "$Env:programfiles"
remove-item .\Sysmon.zip
new-item -path "$Env:ProgramFiles\Sysmon" -ItemType Directory
$SysmonFiles = Get-ChildItem .\Sysmon
foreach ($file in $SysmonFiles){copy-item -path ".\Sysmon\$file" -Destination "$Env:programfiles\Sysmon"}
remove-item .\Sysmon -Recurse
}

echo @"
Expand Down Expand Up @@ -157,8 +160,12 @@ echo @"
if (-not (Test-Path "$Env:programfiles\winlogbeat*" -PathType Container)) {
Invoke-WebRequest -OutFile WinLogBeat.zip https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.5.2-windows-x86_64.zip
Expand-Archive .\WinLogBeat.zip
rm .\WinLogBeat.zip
mv .\WinLogBeat\winlogbeat* "$Env:programfiles"
remove-item .\WinLogBeat.zip
$winlogbeatName = Get-ChildItem -path .\WinlogBeat | where-object name -like winlogbeat*
new-item -path "$Env:ProgramFiles\$($winlogbeatName.Name)" -ItemType Directory
$WinlogBeatFiles = Get-ChildItem ".\WinLogBeat\$winlogbeatName"
foreach ($file in $WinlogBeatFiles){copy-item -path ".\WinLogBeat\$($winlogbeatName.Name)\$file" -Destination "$Env:ProgramFiles\$($winlogbeatName.Name)" -Recurse}
remove-item .\WinLogBeat -Recurse
}

cd "$Env:programfiles\winlogbeat*\"
Expand All @@ -174,10 +181,6 @@ if($ESPassword) {
.\winlogbeat.exe --path.data "C:\ProgramData\winlogbeat" keystore add ES_PASSWORD
}

# Set ACL's of the $Env:ProgramData\winlogbeat folder to be the same as $Env:ProgramFiles\winlogbeat* (the main install path)
# This helps ensure that "normal" users aren't able to access the $Env:ProgramData\winlogbeat folder
Get-ACL -Path "$Env:ProgramFiles\winlogbeat*" | Set-ACL -Path "$Env:ProgramData\winlogbeat"

rm .\winlogbeat.yml
echo @"
winlogbeat.event_logs:
Expand All @@ -204,5 +207,5 @@ output.elasticsearch:
enabled: true
verification_mode: none
"@ > winlogbeat.yml
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
PowerShell.exe -ExecutionPolicy UnRestricted -File "$Env:ProgramFiles\$($winlogbeatName.Name)\install-service-winlogbeat.ps1"
Start-Service winlogbeat
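Review bot: `$winlogbeatName`, which the new last hunk uses in `"$Env:ProgramFiles\$($winlogbeatName.Name)\install-service-winlogbeat.ps1"`, is only assigned inside the `if (-not (Test-Path "$Env:programfiles\winlogbeat*" -PathType Container))` block, so on a host where winlogbeat is already present the variable is unset and the installer path collapses to `$Env:ProgramFiles\\install-service-winlogbeat.ps1`, whereas the old relative `.\install-service-winlogbeat.ps1` worked in both cases because of the preceding `cd "$Env:programfiles\winlogbeat*\"`. Resolve the install directory once outside the conditional, e.g. `$winlogbeatName = Get-ChildItem -Path $Env:ProgramFiles | Where-Object Name -like winlogbeat*` just before that `cd` line, and reuse it for the installer path. The removed `Get-ACL ... | Set-ACL -Path "$Env:ProgramData\winlogbeat"` lines were the only thing restricting the ProgramData folder that `keystore add ES_PASSWORD` writes into, so the stored credential now keeps whatever ACL the folder inherits by default; if the wildcard lookup was the reason for dropping them, the resolved name can stand in: `Get-ACL -Path "$Env:ProgramFiles\$($winlogbeatName.Name)" | Set-ACL -Path "$Env:ProgramData\winlogbeat"`. Separately, `Get-ChildItem ".\WinLogBeat\$winlogbeatName"` interpolates the DirectoryInfo object directly while the neighbouring lines use `$($winlogbeatName.Name)`; on PowerShell 7 the object's string form appears to be its full path, so that line would build a wrong path — use `.Name` there as well.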