From a9e3b3d5de530790c6dc457190787bd287b4e334 Mon Sep 17 00:00:00 2001 
From: Chris Long Date: Sat, 5 Dec 2020 09:16:42 -0800 Subject: [PATCH] Update Defender GPO, Update Splunk UF --- .../GPO/disable_windows_defender/manifest.xml | 1 - .../Backup.xml | 18 ------------------ .../DomainSysvol/GPO/Machine/registry.pol | Bin 368 -> 0 bytes .../bkupInfo.xml | 1 - .../Backup.xml | 18 ++++++++++++++++++ .../Machine/Preferences/Registry/Registry.xml | 3 +++ .../DomainSysvol/GPO/Machine/comment.cmtx | 0 .../DomainSysvol/GPO/Machine/registry.pol | Bin 0 -> 1560 bytes .../bkupInfo.xml | 1 + .../gpreport.xml | Bin 20188 -> 30544 bytes .../windows/Microsoft.PowerShell_profile.ps1 | 6 ++---- ...configure-disable-windows-defender-gpo.ps1 | 2 +- .../scripts/install-evtx-attack-samples.ps1 | 2 +- Vagrant/scripts/install-splunkuf.ps1 | 12 ++++++------ 14 files changed, 32 insertions(+), 32 deletions(-) delete mode 100755 Vagrant/resources/GPO/disable_windows_defender/manifest.xml delete mode 100755 Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/Backup.xml delete mode 100755 Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/registry.pol delete mode 100755 Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/bkupInfo.xml create mode 100644 Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/Backup.xml create mode 100644 Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml rename Vagrant/resources/GPO/disable_windows_defender/{{A1B5F23F-DC23-4225-98D0-22FD4EAF312C} => {F2150233-4B8F-4347-8D70-23D3984D9B78}}/DomainSysvol/GPO/Machine/comment.cmtx (100%) mode change 100755 => 100644 create mode 100644 Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/registry.pol create mode 100644 
Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/bkupInfo.xml rename Vagrant/resources/GPO/disable_windows_defender/{{A1B5F23F-DC23-4225-98D0-22FD4EAF312C} => {F2150233-4B8F-4347-8D70-23D3984D9B78}}/gpreport.xml (53%) mode change 100755 => 100644 diff --git a/Vagrant/resources/GPO/disable_windows_defender/manifest.xml b/Vagrant/resources/GPO/disable_windows_defender/manifest.xml deleted file mode 100755 index 2382df2a9..000000000 --- a/Vagrant/resources/GPO/disable_windows_defender/manifest.xml +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/Backup.xml b/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/Backup.xml deleted file mode 100755 index d5b772ce7..000000000 --- a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/Backup.xml +++ /dev/null @@ -1,18 +0,0 @@ - - 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ab 78 eb 1f 41 dd b6 6b 45 1f 31 0d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ab 78 eb 1f 41 dd b6 6b 45 1f 31 0d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ab 78 eb 1f 41 dd b6 6b 45 1f 31 0d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/registry.pol deleted file mode 100755 index 08a48aaaf6574e78b346646024e202b73aa36481..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 368 zcmcJK%?iRW5QIO$2k8s=1fB%1h0+QhjE7j$QqWY|KN K>}eNHmVTa diff --git a/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/Backup.xml b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/Backup.xml new file mode 100644 index 000000000..b376e3d03 --- /dev/null +++ b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/Backup.xml @@ -0,0 +1,18 @@ + + 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 8b 9d fe a6 56 fa 03 32 ec ac 2c 5e e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 8b 9d fe a6 56 fa 03 32 ec ac 2c 5e 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 8b 9d fe a6 56 fa 03 32 ec ac 2c 5e 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml new file mode 100644 index 000000000..2f2034cd8 --- /dev/null +++ b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml @@ -0,0 +1,3 @@ + + + diff --git a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/comment.cmtx b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/comment.cmtx old mode 100755 new mode 100644 similarity index 100% rename from Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/comment.cmtx rename to Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/comment.cmtx diff --git a/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/registry.pol new file mode 100644 index 0000000000000000000000000000000000000000..dc337571fea5bcefe55075112f965c3c4d264604 GIT binary patch literal 1560 zcmdUv-EM+F5QUFPAH)~%33_EiO?qK9V(f)@L2>}r$gp1J;KiqPq&KisOV&rwt^#aVyoNbW zk{-df?8SQLJf}W;B}k|bov!~gyNBBP@-XtCO7upw`ohKd5)ltjXD8 Vdw^kejc8E!r3&18c|EsdeFk?N6QlqD literal 0 HcmV?d00001 diff --git a/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/bkupInfo.xml b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/bkupInfo.xml new file mode 100644 index 000000000..6d0643d04 --- /dev/null 
+++ b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/bkupInfo.xml @@ -0,0 +1 @@ + 
diff --git a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/gpreport.xml b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/gpreport.xml old mode 100755 new mode 100644 similarity index 53% rename from Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/gpreport.xml rename to Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/gpreport.xml index 9a2740adc9809ca2e4aac7999bb31af012b13ee1..86dd38461ace4f136177648df1fafc5ea4d05275 GIT binary patch literal 30544 zcmeI5YfoE88pr4LO8XtGzS>Glz>p9iUMk0sG}6A!*lxi$_1*pd z=E-#CoHO=0CdSazvV7s3xjeUdZu89HfB)^cZ`?2L#2veq``I11b2o5D?#!LKf4Hw) z+ud;s`flmYsoT@_ece5EZ~Wa$ci|4*oLVib%{Ok{{nh=&b=+h3+-<3kjeDvQ*Yta! zzKr=+y)N8)U7OeIgMZ!8=aS|+)BJCAby2e}Xxw@CFZa}a=lYuatzbBDyB?bI$VU?y zdCucD5Olj9+k?_v!=XP>&pp9@CM?fHlMCSjwN8Y=V}Jcp7(dsQW8dkHXq&pk>?CSHOTNRHt)vxV-6Snh>@ZInf-Srfk7M>scZ2QT~ zcf`Xpad%hWK%PPsIaH5R$34>+C!*-O#yApPcin4^c_9A3{C(CBy57?L14#k$fK;6O zd1G%@U62S?>9M=??Rp++W z$E5lAcQrm3-4Sj}nsdoZ{i6G~pRqbxoQd_lCu*Mys|&3icsS4%{(i43=(;E`#=pK= zZAjluL%K}^r4X{Nw}fxsb97Erg{Q{Z6;Yur+!s6@pv0Uwyrgy9_HFL!*InQ5o?5Ny zwIZsuH3nLst$w^7YxE8GLhm(c!>(5S-!x;_J#an!=5t%0NZGC^b*S$Zea`89sI`HP zLDKg1p3~pxoqhdcOFonD2?__0^=Kr@miHM%Kg!ljj%020Z_qB;Hoef?BW!(Wv*;udR_75zcQ(#>0$TrCE#fz1F-}pYOF`V1?b+ zYTNbNVL|Kf;L{3cErP?Ya9a6vmvza?1a36Ps#-5z5pwjvRVg)T$gws-SC@78mVDV$ z;dy?8T0B@GtV*yfNaHl@3RYzDx+GW-qdd42>26pCpJ-ZmzSL@aCRn!Qd$9VSxmSv! 
zb``^%>l3dFcmq^Lh`AGGrF<_&4b#9S?+bi+QiMfX@;vE#Jz1ps?UA80rf5mK54=7Z z)JRj5nIc{tSs(NfQR+Z1i|+@zieJyzNb1eWSsIlzfwUQRH-}Gk-8>P6$zND3Fi;ds zuHZx**!4Vs{_C=?#FX#@-O#L0b*>$ac&Sl{)((bnzDPl{5o8^TeeQ zpmnDq2iUx4qFzf@;Dx@wm1f@-2Y2LWzLIy#y-n};a<#AD#Prc>wB#>t`BvNd{!TAi z_eZSvi08b&g2sz)1%ww z=Ac)ABM$|+vUGJ3J&s;W)*?S!SF!nfK}U@E?u5CvK6!De4GDZ_;c0dC482l`Pwa<|^lphRvPtSqH(9*Mnf0 z!)KsXaVqM{q8Ssk5L*3vw_X<36b0wNb`+{ni*5ysnNv&fM2z14c^VGoeyDO~0Luy#S0&#chQ z3Prge&z4+xf5*J!@p_hZPZ@&dcI3;pLYuNc>{|R?x|0kayHdmx{Cy(Nz;Mx>| zbPoYdFtb}R#vZN*Z@=A|%-#<>2u4xrUgnDM@W_E5`b}pAaY#R0D zEKJZx>;}$qn6{HPi`{0i+obB(t&$nPXjt7?v?I5{`mvu(w0Evr25OGT(o>r<%Vh>W zkq4Spmdq+k{ydc>GkZAN9-RX0cb0haP)iAsIGiu}yI_tZ|?TwTbDzP5EBA=P#bh>^@r6 zcA$2V76$dEDm&pxY@J5nYwjmeW3p$0sd-G#Fwg5u5^I9 zC^$AeJoi=o$f?Y(YV($Lea^$OsuNk98*S^&>FRsB3p_0^cbwG)*HqHFT31kkHgJX& zOwIVHcAWaqgV`RB$-2+Y+qB^SboCO!xo>kA!PaxGZ_hIPJFS zX@1w!gEQnSdfBPCd%ivQH`Jr6S5NnPHGHsjV!W^_m7;`gNk*x6LD!h(Xx4TZ-_!Z9 z5@*t8jE?0X-fxL^WR>F+7kZwmSeJpXL*CVzK^yPs3iLnrJTlq?DLVgBS1*$5Z`GD( zIl#?t-9JUeAKZ_k%?qusZT-cr(U1CzI`nNn-#fMb=-c;IY5Pd`Uy7o%eWjC4{UOSPyt#3vlzsEUuYZJ~$hVNl| zBDW^L|9vF*F)z-K=H~pTwVdN;U0;)?)DqUsiS^3sj{IE1+n0G!?N8sT4av0&G46Ur z5~yEJ^*v+8)+uH4v*qnuCj(c$rLDLs7G+Dg=w&PaEE4=g`h4V_DWw}dUHkefYwqC85<*D#lH!dhB&2ENIG&VZc)3_;Z1HUFk-MDVbYax}?{95E$M64715V*%F zEu@PoU(SB;yDXjG`}KvV7-#N_E9H^uX76bPW_{!5Cq^sJ6rw(O&)VYLQ#r1vu9gT@ zb%q>Fv3piF?>)j-^ib|_TQPZEQc^f6L(EQ;}zkD^`L*Yk_uUCO_r6)WrG zsAq2i_98SuALY9&V<}FP(|35w=RS&JwGq>{^_jEVE4ptIQPyPJ@=GGzw@F)?cgm`p zlU&;Kyr=;}3!$B3Od8?8eR`Fs6Ag+UHOaTU6DLK_bPd~Y{*LL})TU#Fux8{h;uF#$ zwtogK8hw|t2Avc=>$J|~_3HKGG)+x=6WGjjulYSyeOK1+SMyZA4BcDJ8xWtBEsFWI z!z{|xbnK=yeux{V?WgAQ2Tk!Nn#R5otrOEkfAyU(!uQ3Jm1A;jSdo5Jom!U54fRQ% z7Ham<^3Kc~G8Z3woS&Q3{25|I=C%_AW)qr4|ICPe<%zukTl40zG(?!e!VneVVe;gR z;73_Yi^J<9pDI0yo^8>_M86j7hGmL!eqNQT(c=#JnUuq1Nx+OJXM|V=yvemgpXg(8 z-{QM^?hnTHd%=kfqi7OrMr{#coi zW;7X3M~<&CsyTvYa81*fzA8jBe|Y8(r+K9`gBmqV>JOu<%)T68yCCGw9Rt(mZk9h-LeGT^Zo!^c|nB z!OOSo5uVu{Q9EJ+-;TxM=-0v93!h7>dhqa>{p7bAgIqS%8f2x+3uX@{%EITv${z0Y 
zwLSjqaG9@adDei{Pnz^WkFXv-p9b&?IZb7?7!wqAdb+DvwPZ~(3o!t8h823<7)C#* zyyjB8Q_U6jv2vN{u9w46JAi%RHOq*fCK>%|hA2n*$fx@K!@!~XmU%1G|72y@Lnm+W z!TZVYB#&WF%${On7X8m)C#rTgR6h)-5ZeBUUk_$yvCFpKYC8pCUx8c#`YUEsiuDVr zeIBl3>U34JQOH;f$Ed1-BVDj^bug6m46X3!S3Y8mRdwq`moR$cQnVaqe(yC6T! zYA86}W?pKf>uuI?tV=Qg)PjcpoU|_+W!0}=vZfXCS2OTSD-|l&TFoB>oBU*zEt{A)e|B^ zXilCzR6z&IHHG{-wDmYR2FWu|I6#di!p|?`n&(YRb>E{`w?$geiAbtg`!agYpG0ls z9=|BGjFQgNEEy3E8t>04P_X%vtJk}JTZ0Y5E3h4`aDJ*<8=d|iK4fmP)$2eJtT9jI zLPJLwI?`;mM-;D_XJ3C}?K)1j0c~;SNuO(DhAPe-{l^2e-#bxbM=P&P4Nj#zO{&(@ zSk&x%xkVa@@vL_G^WQeGlIyY+%!ap)736pNUmcOn80)6v#}SI-Z)$|#gN%2=@0noO z`ji300uWmiPYC8)g!!T8Fxrhv)t7?h-1ES)f_5q?#Xlc0j!)nEnf^GGh68q%Y~B4I DBOOu#G?24^5`4is}@aAhz6vn+rj zATbxPm<59ogCUUR%uqWyl396jfFsN1HB8eO6%D}#K(rVD6@>t`8#7ojm;z}lAU2tt z%;Jhwl_^l(7_7>W!D8}B7JGASW+7CW0v(_SR1dNXkpXY{jx$e|Q($wZAQ*u`3yLPo$s2iOCmRTHO}@a>viXLo3G3triDw|g zDRJTC7wX0i zOv?;~3_xSN^nnT(A%>ya!Zz6_Ob;lD%O->HdCUZDDgzk+wL@_-pNq+6fno<10QXbQ A5dZ)H diff --git a/Vagrant/resources/windows/Microsoft.PowerShell_profile.ps1 b/Vagrant/resources/windows/Microsoft.PowerShell_profile.ps1 index 0da238869..5d6b30db7 100644 --- a/Vagrant/resources/windows/Microsoft.PowerShell_profile.ps1 +++ b/Vagrant/resources/windows/Microsoft.PowerShell_profile.ps1 @@ -1,5 +1,3 @@ -Write-Host "Invoke-AtomicTest has been loaded." -Write-Host "Learn more about atomic tests here: https://git.io/Jed0L" -Write-Host "" Import-Module "C:\Tools\Atomic Red Team\atomic-red-team-master\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1" -$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Tools\Atomic Red Team\atomic-red-team-master\atomics"} \ No newline at end of file +$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Tools\Atomic Red Team\atomic-red-team-master\atomics"} +$env:Path += ";c:\Program Files\osquery" \ No newline at end of file 
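Review bot: The added `$env:Path += ";c:\Program Files\osquery"` runs on every profile load with no guard, so a child PowerShell session (which inherits the parent's PATH and runs the profile again) keeps appending a duplicate entry, and the directory is added whether or not osquery is actually installed on the host. Appending rather than prepending is the right call, since it keeps system binaries ahead of the lab tool directory on lookup. Suggest guarding it: `$osq = 'C:\Program Files\osquery'; if ((Test-Path $osq) -and (($env:Path -split ';') -notcontains $osq)) { $env:Path += ";$osq" }`. Dropping the three Write-Host banner lines is fine.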
diff --git a/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1 b/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1 index fd5cf8470..793974288 100644 --- a/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1 +++ b/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1 @@ -1,4 +1,4 @@ -# Purpose: Install the GPO that disables Windows Defender +# Purpose: Install the GPO that disables Windows Defender and AMSI Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to disable Windows Defender..." Import-GPO -BackupGpoName 'Disable Windows Defender' -Path "c:\vagrant\resources\GPO\disable_windows_defender" -TargetName 'Disable Windows Defender' -CreateIfNeeded diff --git a/Vagrant/scripts/install-evtx-attack-samples.ps1 b/Vagrant/scripts/install-evtx-attack-samples.ps1 index 71d987036..ef1734db1 100644 --- a/Vagrant/scripts/install-evtx-attack-samples.ps1 +++ b/Vagrant/scripts/install-evtx-attack-samples.ps1 @@ -67,7 +67,7 @@ sourcetype = preprocess-winevt' } Catch { Start-Sleep 10 Stop-Service -Name SplunkForwarder -Force - Start-Service -Name SplunkForwarder -Force + Start-Service -Name SplunkForwarder } Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk to query these samples." } diff --git a/Vagrant/scripts/install-splunkuf.ps1 b/Vagrant/scripts/install-splunkuf.ps1 index ed9f15f5b..10659e044 100755 --- a/Vagrant/scripts/install-splunkuf.ps1 +++ b/Vagrant/scripts/install-splunkuf.ps1 
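Review bot: The header comment now claims the GPO also disables AMSI, but the Import-GPO call below it is unchanged and still imports the 'Disable Windows Defender' backup, so the AMSI effect appears to come only from the new Machine/Preferences/Registry/Registry.xml item that this commit adds to the GPO backup; the script itself does not say so. Turning AMSI off domain-wide removes script-content scanning for Defender and any other AMSI consumer, which is a deliberate lab trade-off that should be written down next to the import so it is not mistaken for a detection gap later. Suggest: `# Purpose: Install the GPO that disables Windows Defender and AMSI (the AMSI switch is a GPP registry item inside the backup; this intentionally blinds AMSI-based scanning across the lab domain)`. The remainder of the script is outside this hunk.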
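Review bot: Dropping `-Force` fixes the retry (Start-Service has no such parameter, so the old line would have failed with a parameter-binding error inside the Catch), but the retry still never confirms the forwarder came back: a failed `Start-Service -Name SplunkForwarder` here is a non-terminating error, and execution falls through to the "Done!" message as if the samples were ingested. Make the second failure visible with `Start-Service -Name SplunkForwarder -ErrorAction Stop`, or follow it with `if ((Get-Service -Name SplunkForwarder).Status -ne 'Running') { throw 'SplunkForwarder did not restart' }`. The Try block this Catch belongs to begins outside the hunk.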
@@ -2,17 +2,17 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Splunk Universal Forwarder..." - $msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi" + $msiFile = $env:Temp + "\splunkforwarder-8.1.0.1-24fd52428b5a-x64-release.msi" Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing & Starting Splunk" [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls" - (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile) - Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait -} Else { + (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=8.1.0.1&product=universalforwarder&filename=splunkforwarder-8.1.0.1-24fd52428b5a-x64-release.msi&wget=true', $msiFile) + Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 AGREETOLICENSE=Yes SERVICESTARTTYPE=AUTO LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait +} +Else { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk is already installed. Moving on." } -If ((Get-Service -name splunkforwarder).Status -ne "Running") -{ +If ((Get-Service -name splunkforwarder).Status -ne "Running") { throw "Splunk forwarder service not running" } Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk installation complete!"
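Review bot: The new DownloadFile line still passes the MSI straight to msiexec with no integrity check; the build id in the filename (24fd52428b5a) is not a checksum, so a tampered, substituted or truncated download is installed silently with the administrative rights msiexec /quiet requires. Splunk publishes a hash for each Universal Forwarder release, so pin it in the script and compare with Get-FileHash before the Start-Process call, as sketched below. On the same path, the unchanged `[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"` line keeps TLS 1.0/1.1 enabled for this fetch; `[Net.SecurityProtocolType]::Tls12` alone should suffice for splunk.com and removes the downgrade surface. The hard-coded `SPLUNKPASSWORD=changeme` in the msiexec argument string is presumably the intended lab default, but it is visible in the process command line, which is worth a one-line comment.
```powershell
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=8.1.0.1&product=universalforwarder&filename=splunkforwarder-8.1.0.1-24fd52428b5a-x64-release.msi&wget=true', $msiFile)
    # Verify the installer before it runs elevated. Fill in the SHA-512 Splunk publishes for this exact build.
    $expectedSha512 = '<published SHA-512 of splunkforwarder-8.1.0.1-24fd52428b5a-x64-release.msi>'
    $actualSha512 = (Get-FileHash -Path $msiFile -Algorithm SHA512).Hash
    If ($actualSha512 -ne $expectedSha512) {
        Remove-Item -Path $msiFile -Force -ErrorAction SilentlyContinue
        throw "Splunk UF installer hash mismatch (got $actualSha512); refusing to install"
    }
    # … unchanged: Start-Process msiexec.exe … (SPLUNKPASSWORD=changeme is a lab default and is exposed on the command line)
```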