deruke

Keybase proof

I hereby claim:

• I am deruke on github.
• I am derekbanks (https://keybase.io/derekbanks) on keybase.
• I have a public key ASAOau90RIe9f3aw2svuIabRL7emSd9uVmtko-F05pmmWQo

To claim this, I am signing this object:

deruke

input {
       tcp {
              port => 3515
              codec => json
              }
      }
filter {
        mutate {
                 add_tag => "forwardedevtx"
               }

deruke

# define ROOT dir
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#<Extension _syslog>

deruke

if not exist "C:\windows\sysmon_config.xml" (
copy /z /y "\\lab.local\SYSVOL\lab.local\scripts\sysmon\sysmon_config.xml" "C:\windows\"
)
 
sc query "Sysmon" | Find "RUNNING"
If "%ERRORLEVEL%" EQU "1" (
goto startsysmon
)
:startsysmon
net start Sysmon

deruke

# capture windows events over JSON
# expects to be sent by the NXLOG package
# author: Joff Thyer, 2017
input {
    tcp {
        port   => 3515
        codec  => json
    }
}

deruke

@echo off

:install_nxlog
sc query "nxlog" | Find "RUNNING" >NUL
If NOT "%ERRORLEVEL%" EQU "1" (
  goto install_sysmon
)
echo Installing NXLOG
\\domain.local\SYSVOL\software\nxlog-ce-2.9.1716.msi /quiet
copy /z /y “\\domain.local\SYSVOL\software\nxlog.conf" "C:\Program Files (x86)\nxlog\conf" 

deruke

# define ROOT dir
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#<Extension _syslog>

deruke

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic