taylorwalton’s gists

taylorwalton / uninstall_wazuh_sysmon.ps1

Created May 17, 2023 12:20

	# Check if WazuhSvc is installed
	$wazuhStatus = Get-Service \| Where-Object { $_.Name -eq "WazuhSvc" }

	if ($wazuhStatus -ne $null) {
	Write-Output "Wazuh-Agent (WazuhSvc) is installed. Attempting to stop (if running) and uninstall..."

	# Stop the service if it's running
	if ($wazuhStatus.Status -eq 'Running') {
	Stop-Service -Name "WazuhSvc" -Force
	}

taylorwalton / packetbeat_install.sh

Last active October 20, 2023 12:17

	#!/bin/bash
	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	PACKETBEAT_YAML="https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/Packetbeat/packetbeat.yml"

	logger() {

	now=$(date +'%m/%d/%Y %H:%M:%S')
	case $1 in
	"-e")
	mtype="ERROR:"

taylorwalton / sysmon_install.ps1

Created October 22, 2022 13:34

	$sysinternals_repo = 'download.sysinternals.com'
	$sysinternals_downloadlink = 'https://download.sysinternals.com/files/SysinternalsSuite.zip'
	$sysinternals_folder = 'C:\Program Files\sysinternals'
	$sysinternals_zip = 'SysinternalsSuite.zip'
	$sysmonconfig_downloadlink = 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml'
	$sysmonconfig_file = 'sysmonconfig-export.xml'

	[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

	if (Test-Path -Path $sysinternals_folder) {

taylorwalton / advanced detection rules

Created October 13, 2022 14:21

curl -so ~/wazuh_socfortress_rules.sh https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/wazuh_socfortress_rules.sh && bash ~/wazuh_socfortress_rules.sh

taylorwalton / windows agent group

Created October 13, 2022 14:17

	<agent_config>
	<client_buffer>
	<!-- Agent buffer options -->
	<disabled>no</disabled>
	<queue_size>5000</queue_size>
	<events_per_second>500</events_per_second>
	</client_buffer>
	<!-- Policy monitoring -->
	<rootcheck>
	<disabled>no</disabled>

taylorwalton / linux agent group

Created October 13, 2022 14:15

	<agent_config>
	<client_buffer>
	<!-- Agent buffer options -->
	<disabled>no</disabled>
	<queue_size>5000</queue_size>
	<events_per_second>500</events_per_second>
	</client_buffer>
	<!-- Policy monitoring -->
	<rootcheck>
	<disabled>no</disabled>

taylorwalton / vuln_detection ossec.conf

Created October 13, 2022 14:04

	<vulnerability-detector>
	<enabled>yes</enabled>
	<interval>5m</interval>
	<min_full_scan_interval>6h</min_full_scan_interval>
	<run_on_start>yes</run_on_start>

	<!-- Ubuntu OS vulnerabilities -->
	<provider name="canonical">
	<enabled>yes</enabled>
	<os>trusty</os>

taylorwalton / fluent-bit.conf

Created October 13, 2022 13:37

	[SERVICE]
	flush 5
	daemon Off
	log_level info
	parsers_file parsers.conf
	plugins_file plugins.conf
	http_server Off
	http_listen 0.0.0.0
	http_port 2020
	storage.metrics on

taylorwalton / wazuh prerequisites

Created October 13, 2022 13:21

	apt-get install gnupg apt-transport-https
	curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \| gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
	echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \| tee -a /etc/apt/sources.list.d/wazuh.list
	apt-get update

taylorwalton / graylog_keystore

Created October 8, 2022 14:21

	mkdir /etc/graylog/server/certs
	cp -a /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts /etc/graylog/server/certs/cacerts
	keytool -importcert -keystore /etc/graylog/server/certs/cacerts -storepass changeit -alias root_ca -file /etc/graylog/server/certs/rootCA.crt

taylor_socfortress taylorwalton