This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
## Script developed by Jimmy Maple - Splunk Professional Services | |
## This script was designed to allow for quick deployment of THP, ulimit | |
## and Splunk user accounts for Splunk infrastructure. It was developed | |
## using RHEL 7 as the Splunk host. There may be issues using other | |
## Linux OS for this and should be altered and tested if necessary | |
## particularly using the find command for the THP changes and any | |
## additional commands for user and group creation. Confirm the | |
## commands before proceeding. There is some flexibility when it comes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[WinEventLog://Security] | |
disabled = 0 | |
start_from = oldest | |
current_only = 0 | |
evt_resolve_ad_obj = 1 | |
checkpointInterval = 5 | |
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" | |
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" | |
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)" | |
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# Decode a base64 and compressed Powershell script. | |
# | |
# | |
# | |
# | |
$input = Read-Host -Prompt 'Base64 Text' | |
$decoded = $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream($(New-Object IO.MemoryStream(,$([Convert]::FromBase64String($input)))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd(); | |
Write-Host "----- Decoded -----" |