Reference Architecture
1) Generation & Collection of Logs
From the system designated as the Collector, logs are generated with the following batch file; list.txt contains the hostnames of the target systems:

```bat
for /f %%a in (list.txt) do (
    psexec -accepteula \\%%a -c autorunsc.exe -accepteula -a * -s -m -t -h -ct * > Logs\%%a.csv
)
```

This batch file loops through each hostname in list.txt, using psexec to connect remotely and run autorunsc. It saves the results under a local folder called Logs. Each resulting CSV is named after the hostname of the target system (as specified in list.txt).
The following is a rundown of the flags in use:
- -a * --> List all autostart entry types
- -h --> Show file hashes
- -m --> Hide Microsoft entries (verified)
- -s --> Verify digital signatures
- -t --> Show timestamps in normalized UTC (YYYYMMDD-HHMMSS) format
- -ct --> Output to CSV, tab-delimited
- * (trailing argument) --> Scan all user profiles on the system
2) Normalization for Security Onion
A PowerShell script normalizes the per-host logs and appends them to a single file, ar-normalized.log. The PowerShell script can be found here: https://github.com/defensivedepth/Pertinax/tree/master/normalize
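As an added illustration of what the normalization step has to do (this is not the project's PowerShell normalizer, and it makes no claim about that script's output format), the following Python reads one per-host Logs\<hostname>.csv dump produced by the step 1 batch file, flattens each autorunsc row into a single line, and tags entries whose signer failed the -s signature check. The host name is taken from the file name, as in step 1. Assumptions, marked in the code: the sample dump is constructed, its column names are an assumed autorunsc header (the code reads whatever header row it is given), and captured autorunsc output may be UTF-16LE with a BOM, so both that and UTF-8 are accepted.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of autorunsc -ct (tab-delimited) output for host WS01.
# Column names are an assumption; normalize() reads the header row it is
# given, so a different real autorunsc header still works. A verified third
# party entry and an unsigned per-user Run entry are included.
SAMPLE_WS01 = (
    "Time\tEntry Location\tEntry\tEnabled\tCategory\tProfile\tDescription\t"
    "Signer\tCompany\tImage Path\tVersion\tLaunch String\tMD5\tSHA-1\tSHA-256\n"
    "20240101-120000\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\t"
    "Updater\tenabled\tLogon\tSystem-wide\tExample Updater\t(Verified) Example Corp\t"
    "Example Corp\tc:\\program files\\example\\updater.exe\t1.0.0.0\t"
    "\"C:\\Program Files\\Example\\updater.exe\" /silent\t"
    + "0" * 32 + "\t" + "1" * 40 + "\t" + "2" * 64 + "\n"
    "20240101-120000\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\t"
    "helper\tenabled\tLogon\tWS01\\alice\t\t(Not verified)\t\t"
    "c:\\users\\alice\\appdata\\roaming\\helper.exe\t\t"
    "C:\\Users\\alice\\AppData\\Roaming\\helper.exe\t"
    + "a" * 32 + "\t" + "b" * 40 + "\t" + "c" * 64 + "\n"
)


def decode_autorunsc(raw: bytes) -> str:
    """Decode a captured Logs\\<hostname>.csv. Redirected console output may be
    UTF-16LE with a BOM (assumption), so that and UTF-8 (with or without BOM)
    are both accepted."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def is_unverified(signer: str) -> bool:
    """True unless autorunsc's -s check labelled the signer '(Verified) ...'."""
    return not signer.startswith("(Verified)")


def normalize(hostname: str, text: str) -> list:
    """Flatten one host's tab-delimited autorunsc dump into dict records.
    Header names become lowercase keys ('Image Path' -> 'image_path',
    'SHA-1' -> 'sha1'); the host name comes from the caller (the file name)."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    records = []
    for row in reader:
        rec = {"host": hostname}
        for col, val in row.items():
            if col is None:  # cells beyond the header row: ignore
                continue
            key = col.strip().lower().replace(" ", "_").replace("-", "")
            rec[key] = (val or "").strip()
        rec["unverified"] = is_unverified(rec.get("signer", ""))
        records.append(rec)
    return records


def _esc(value) -> str:
    # Keep each record on one physical line: OSSEC's syslog reader is line-oriented.
    return (str(value).replace('"', '\\"')
            .replace("\t", " ").replace("\r", " ").replace("\n", " "))


def to_log_line(rec: dict, collected_at: str) -> str:
    """Render one record as a syslog-style line: timestamp, host, tag, then
    key="value" pairs that a downstream OSSEC/ELSA parser can split on."""
    fields = " ".join(f'{k}="{_esc(v)}"' for k, v in rec.items() if k != "host")
    return f"{collected_at} {rec['host']} autoruns: {fields}"


def normalize_file(hostname: str, raw: bytes, collected_at: str = "") -> list:
    """Whole pipeline for one Logs\\<hostname>.csv: decode, flatten, render."""
    stamp = collected_at or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [to_log_line(r, stamp) for r in normalize(hostname, decode_autorunsc(raw))]


if __name__ == "__main__":
    # Simulate a UTF-16 capture of the constructed sample and print the lines
    # that would be appended to ar-normalized.log.
    for line in normalize_file("WS01", SAMPLE_WS01.encode("utf-16"), "2024-01-01T12:05:00Z"):
        print(line)
```

Whatever the final line layout, the two properties that matter for the next step are that every autorunsc entry becomes exactly one line (the OSSEC localfile below uses the line-oriented syslog reader) and that the host name survives, since autorunsc itself does not record which machine it ran on. The unverified flag is a cheap first cut for triage: with -m hiding verified Microsoft entries, anything left whose signer is not "(Verified)" deserves a look.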
3) Importation into Security Onion
The OSSEC agent on the Collector system has been set to read the normalized log file, with the following configuration:

```xml
<localfile>
  <location>C:\Workspace\Logs\ar-normalized.log</location>
  <log_format>syslog</log_format>
</localfile>
```
The following parsers are being used for OSSEC & ELSA:
ELSA: https://github.com/defensivedepth/Pertinax/tree/master/parsers/elsa
OSSEC: https://github.com/defensivedepth/Pertinax/tree/master/parsers/ossec