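# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
# References:
# https://www.ultimatewindowssecurity.com/webinars/watch_get.aspx?Attach=1&Type=SlidesPDF&ID=1426
# https://community.softwaregrp.com/dcvta86296/attachments/dcvta86296/arcsight-discussions/24729/1/Protect2015-WindowsEventForwarding.pdf
# https://docs.microsoft.com/en-us/biztalk/technical-guides/settings-that-can-be-modified-to-improve-network-performance
#
# Configures a Windows Event Collector (WEC) host:
#   1. downloads Sysmon.exe and installs its event manifest (sysmon -m) so
#      forwarded Sysmon events render on the collector,
#   2. enables WinRM and raises its quota/timeout limits for a large number
#      of forwarding clients,
#   3. grows the ForwardedEvents log and makes wecsvc an auto-start,
#      stand-alone (type=own) service,
#   4. downloads a zip of subscription XML files and imports each with
#      `wecutil cs`,
#   5. tunes the EventLog-ForwardedEvents autologger and TcpTimedWaitDelay,
#      then runs `wecutil qc`.
#
# Parameters:
#   -SubscriptionsUrl  URL of a zip archive. The archive is expected to hold a
#                      top-level folder named after the zip (basename) that
#                      contains the subscription XML files.
#
# Every step writes machine-wide state (HKLM, services, WinRM), so the script
# has to run from an elevated PowerShell session.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$SubscriptionsUrl
)

# All downloads and the extracted subscription folder land here.
$StagingDir = 'C:\ProgramData'

#######################################
# Downloads a URL to a local path and stops the script if the file is missing
# afterwards (WebClient failures are non-terminating at script level, so the
# existence check is what actually aborts the run).
# Arguments: $Url - source URL; $Destination - local file path to write
#######################################
function Get-RemoteFile {
    param (
        [Parameter(Mandatory=$true)][string]$Url,
        [Parameter(Mandatory=$true)][string]$Destination
    )
    Write-Host "Downloading $(Split-Path $Url -Leaf) .."
    $wc = New-Object System.Net.WebClient
    try {
        $wc.DownloadFile($Url, $Destination)
    }
    finally {
        $wc.Dispose()
    }
    if (!(Test-Path $Destination)) {
        Write-Error "File $Destination does not exist" -ErrorAction Stop
    }
}

#######################################
# Starts a service and blocks until Get-Service reports it as Running.
# Replaces the three copies of the start/poll loop in the original script.
# Arguments: $Name - service name (WinRM, wecsvc)
#######################################
function Wait-ServiceRunning {
    param ([Parameter(Mandatory=$true)][string]$Name)
    $svc = Get-Service -Name $Name
    while ($svc.Status -ne 'Running') {
        Start-Service $Name
        Write-Host "$Name Service starting ($($svc.Status))"
        Start-Sleep -Seconds 5
        # Get-Service returns a snapshot; Refresh() re-reads the current state.
        $svc.Refresh()
    }
    Write-Host "$Name Service is now Running"
}

# Older Windows builds default WebClient to TLS 1.0, which the download hosts
# used here may refuse; opt in to TLS 1.2 without removing anything already enabled.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# ********* Install Sysmon Manifest ***********
$URL = 'https://live.sysinternals.com/Sysmon.exe'
# Surface name-resolution problems early, before the downloads below.
# raw.githubusercontent.com is presumably where -SubscriptionsUrl is hosted.
Resolve-DnsName live.sysinternals.com
Resolve-DnsName raw.githubusercontent.com
$OutputFile = Split-Path $URL -Leaf
$File = Join-Path $StagingDir $OutputFile
Get-RemoteFile -Url $URL -Destination $File
# The downloaded binary is executed next, so refuse anything that does not
# carry a valid Authenticode signature (a truncated or tampered download will
# not). Pinning the expected signer subject is left to the deployer.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    Write-Error "Authenticode check failed for $File ($($sig.Status))" -ErrorAction Stop
}
# Install Manifest
& $File -m

# ********* Setting WinRM Configs for WEC ***********
Write-Host 'Enabling WinRM..'
winrm quickconfig -q
winrm quickconfig -transport:http
Write-Host "Setting WinRM to start automatically.."
& sc.exe config WinRM start= auto
# Quotas raised for a collector serving many forwarders (see references above).
winrm set winrm/config '@{MaxEnvelopeSizekb="500"}'
winrm set winrm/config '@{MaxTimeoutms="60000"}'
winrm set winrm/config '@{MaxBatchItems="32000"}'
winrm set winrm/config/client '@{NetworkDelayms="5000"}'
winrm set winrm/config/service '@{MaxConcurrentOperations="4294967295"}'
winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="1500"}'
winrm set winrm/config/service '@{MaxConnections="500"}'
winrm set winrm/config/service '@{MaxPacketRetrievalTimeSeconds="120"}'
winrm set winrm/config/winrs '@{IdleTimeout="7200000"}'
winrm set winrm/config/winrs '@{MaxConcurrentUsers="10"}'
winrm set winrm/config/winrs '@{MaxShellRunTime="2147483647"}'
winrm set winrm/config/winrs '@{MaxProcessesPerShell="25"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
winrm set winrm/config/winrs '@{MaxShellsPerUser="30"}'
# NOTE(review): AllowUnencrypted plus Basic on both client and service allow
# WinRM to exchange cleartext Basic credentials over the HTTP listener on 5985.
# WEF source-initiated subscriptions authenticate with Kerberos and do not
# need these; they are only defensible on an isolated lab network. Set them
# to "false" (or drop the lines) when hardening this collector.
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/client '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port="5985"}'
Restart-Service WinRM
Wait-ServiceRunning -Name 'WinRM'

# ********** Updating ForwardedEvents log size *******
# 8589934592 bytes = 8 GiB maximum log size.
wevtutil sl ForwardedEvents /ms:8589934592

# ********** Starting WEC Service *************
Stop-Service wecsvc
Set-Service wecsvc -StartupType "Automatic"
# Stand-alone service instead of shared
# Powershell version of : sc config wecsvc type=own
$s = Get-WmiObject win32_service -Filter "Name='wecsvc'"
# Win32_Service.Change(DisplayName, PathName, ServiceType, ...); 16 = SERVICE_WIN32_OWN_PROCESS.
$change = $s.Change($null, $null, 16)
if ($change.ReturnValue -ne 0) {
    Write-Warning "Could not set wecsvc to type=own (Win32_Service.Change returned $($change.ReturnValue))"
}
Wait-ServiceRunning -Name 'wecsvc'

# ******** Importing WEF subscriptions *******
$OutputFile = Split-Path $SubscriptionsUrl -Leaf
$ZipFile = Join-Path $StagingDir $OutputFile
Get-RemoteFile -Url $SubscriptionsUrl -Destination $ZipFile
# Unzip file
Write-Host "Decompressing $ZipFile .."
$SubsFolder = Join-Path $StagingDir ((Get-Item $ZipFile).BaseName)
# -Force lets a re-run overwrite a folder left behind by a previous extraction.
Expand-Archive -Path $ZipFile -DestinationPath $StagingDir -Force
# Importing Subscriptions. Assumes the archive carries a top-level folder named
# after the zip file; anything else trips the error branch below.
if (Test-Path $SubsFolder) {
    Write-Host "Importing WEF Subscriptions.. "
    # -File skips sub-directories, which wecutil cs cannot consume anyway.
    Get-ChildItem $SubsFolder -File | ForEach-Object { wecutil cs $_.FullName }
}
else {
    Write-Error "File $ZipFile was not decompressed successfully" -ErrorAction Stop
}

# ********** Additional Tunning ***************
# ETW autologger buffers for the ForwardedEvents channel.
$AutologgerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-ForwardedEvents'
$AutologgerSettings = @{
    BufferSize     = 2048
    FlushTimer     = 0
    MaximumBuffers = 8192
    MinimumBuffers = 0
}
foreach ($name in $AutologgerSettings.Keys) {
    Set-ItemProperty -Path $AutologgerKey -Name $name -Type DWORD -Value $AutologgerSettings[$name]
}
# The TcpTimedWaitDelay value determines the length of time that a connection stays in the TIME_WAIT state when being closed.
# The original used non-ASCII dashes for the parameter names; -Force makes the
# call idempotent when the value already exists.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "TcpTimedWaitDelay" -PropertyType DWord -Value 30 -Force

# Configure Event Collector
& wecutil qc -quiet
Restart-Service wecsvc
Wait-ServiceRunning -Name 'wecsvc'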