Emlin Charly EatMoreChicken
codingWithJimmy / thp.sh
Last active November 29, 2022 09:30
Script used to disable THP and configure ulimits for Splunk Enterprise as recommended by Splunk
#!/bin/bash
## Script developed by Jimmy Maple - Splunk Professional Services
## This script was designed to allow for quick deployment of THP, ulimit
## and Splunk user account settings for Splunk infrastructure. It was developed
## using RHEL 7 as the Splunk host. There may be issues using other
## Linux OSes for this; the script should be altered and tested if necessary,
## particularly the find command used for the THP changes and any
## additional commands for user and group creation. Confirm the
## commands before proceeding. There is some flexibility when it comes
automine / inputs.conf
Last active September 7, 2023 11:18
Nice Windows event blacklisting
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
idiom / psdecode.ps1
Created April 24, 2017 18:15
Script to decode a Base64 Encoded and Compressed PowerShell script
#
# Decode a Base64-encoded and Deflate-compressed PowerShell script.
#
# Read the Base64 text from the prompt. The variable is named $b64 rather than
# $input because $input is a PowerShell automatic variable that should not be assigned.
$b64 = Read-Host -Prompt 'Base64 Text'
# Base64 -> raw bytes -> MemoryStream -> DeflateStream (decompress) -> text
$decoded = $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream($(New-Object IO.MemoryStream(,$([Convert]::FromBase64String($b64)))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
Write-Host "----- Decoded -----"