duzvik · June 21, 2019 12:51
diff --git a/evtx-import-to-elk.ps1 b/evtx-import-to-elk.ps1
 #Requirements:
 #1) choco install git.install

 $evtx_samples_path = "C:\EVTX-ATTACK-SAMPLES"
 $winlogbeat_url = "https://storage.googleapis.com/beats-ci-artifacts/snapshots/winlogbeat/winlogbeat-oss-8.0.0-SNAPSHOT-windows-x86_64.zip"
 $winlogbeat_path = "C:\winlogbeat-8.0.0-SNAPSHOT-windows-x86_64"

 #get evtx repo
 if (-not (Test-Path $evtx_samples_path)) {
   Git clone  https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git $evtx_samples_path

 } else {
    Write-Host "Skipping download of EVTX-ATTACK-SAMPLES, directory already exists"
 }

 #get winlogbeat with evtx support
 if (-not (Test-Path $winlogbeat_path)) {
   (New-Object System.Net.WebClient).DownloadFile($winlogbeat_url, "$env:TEMP\winlogbeat.zip")
   Expand-Archive "$env:TEMP\winlogbeat.zip" -DestinationPath "C:\" -Force
 } else {
    Write-Host "Skipping download winlogbeat, directory already exists"
 }

 #create winlobeat config
 $config = @"
 winlogbeat.event_logs:
  - name: `${EVTX_FILE}
    no_more_events: stop

 winlogbeat.shutdown_timeout: 30s
 fields:
  label: `${CODE}

 output.logstash:
  hosts: ["LOGSTASH_IP_HERE:443"]
 "@

 Set-Content "$winlogbeat_path\winlogbeat-evtx.yml" $config


 Write-Host "Found following tactics:"
 Get-ChildItem -Path $evtx_samples_path -Directory |
 Foreach-Object {
     $tactic = $_;
 
     Get-ChildItem -Path "$evtx_samples_path\$tactic" -File -Filter "*.evtx" | 
     Foreach-Object {
        $fileName = $_
        #clean-up read position of winlogbeat
        Remove-Item -Path "$winlogbeat_path\data\.winlogbeat.yml"

        $cmd  = "$winlogbeat_path\winlogbeat.exe -e -c $winlogbeat_path\winlogbeat-evtx.yml -E CODE='$tactic-$fileName' -E EVTX_FILE='$evtx_samples_path\$tactic\$fileName'"
        Write-Host $cmd
        Invoke-Expression $cmd
        
        sleep 5
     }
 }
	#Requirements:
	#1) choco install git.install

	$evtx_samples_path = "C:\EVTX-ATTACK-SAMPLES"
	$winlogbeat_url = "https://storage.googleapis.com/beats-ci-artifacts/snapshots/winlogbeat/winlogbeat-oss-8.0.0-SNAPSHOT-windows-x86_64.zip"
	$winlogbeat_path = "C:\winlogbeat-8.0.0-SNAPSHOT-windows-x86_64"

	#get evtx repo
	if (-not (Test-Path $evtx_samples_path)) {
	Git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git $evtx_samples_path

	} else {
	Write-Host "Skipping download of EVTX-ATTACK-SAMPLES, directory already exists"
	}

	#get winlogbeat with evtx support
	if (-not (Test-Path $winlogbeat_path)) {
	(New-Object System.Net.WebClient).DownloadFile($winlogbeat_url, "$env:TEMP\winlogbeat.zip")
	Expand-Archive "$env:TEMP\winlogbeat.zip" -DestinationPath "C:\" -Force
	} else {
	Write-Host "Skipping download winlogbeat, directory already exists"
	}

	#create winlobeat config
	$config = @"
	winlogbeat.event_logs:
	- name: `${EVTX_FILE}
	no_more_events: stop

	winlogbeat.shutdown_timeout: 30s
	fields:
	label: `${CODE}

	output.logstash:
	hosts: ["LOGSTASH_IP_HERE:443"]
	"@

	Set-Content "$winlogbeat_path\winlogbeat-evtx.yml" $config


	Write-Host "Found following tactics:"
	Get-ChildItem -Path $evtx_samples_path -Directory \|
	Foreach-Object {
	$tactic = $_;

	Get-ChildItem -Path "$evtx_samples_path\$tactic" -File -Filter "*.evtx" \|
	Foreach-Object {
	$fileName = $_
	#clean-up read position of winlogbeat
	Remove-Item -Path "$winlogbeat_path\data\.winlogbeat.yml"

	$cmd = "$winlogbeat_path\winlogbeat.exe -e -c $winlogbeat_path\winlogbeat-evtx.yml -E CODE='$tactic-$fileName' -E EVTX_FILE='$evtx_samples_path\$tactic\$fileName'"
	Write-Host $cmd
	Invoke-Expression $cmd

	sleep 5
	}
	}