Crawl and hash SYSVOL on all DCs and ship to Splunk HEC
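<#
.SYNOPSIS
  GPO-inspector crawls SYSVOL on every domain controller of the current domain,
  hashes each file and ships the file metadata to a Splunk HTTP Event Collector
  (HEC), so that replication drift or tampering can be spotted by comparing DCs.

.DESCRIPTION
  For each DC (visited in random order) the script walks \\<dc>\sysvol and sends
  one HEC event per file: SHA256, NTFS timestamps/size, and the ACL owner, group
  and access entries. A file that cannot be read, or a DC whose SMB share is not
  reachable, is reported with a warning and skipped rather than aborting the run.

  2019-02-12 - Version 0.1
  author olamotte

.PARAMETER Debug
  Pick a single random DC and process only 3 files (smoke test).

.PARAMETER HecUri
  HEC event endpoint. Defaults to https://localhost:8088/services/collector/event

.PARAMETER HecToken
  HEC authentication token. Defaults to the SPLUNK_HEC_TOKEN environment variable
  so the secret does not live in the script; the run is refused when it is empty.

.PARAMETER SkipCertificateCheck
  Accept any TLS server certificate for the HEC connection (lab setups with a
  self-signed certificate). Off by default: the token travels as a bearer header,
  so an unvalidated connection would hand it to anyone in the network path.
  Uses the legacy ICertificatePolicy hook, which exists in Windows PowerShell only.
#>
param (
    [switch] $Debug = $false,
    [string] $HecUri = "https://localhost:8088/services/collector/event",
    [string] $HecToken = $env:SPLUNK_HEC_TOKEN,
    [switch] $SkipCertificateCheck = $false
)

if ($Debug) {
    Write-Host "Debug Mode enabled - processing only 3 files on a random domain controller of the current domain"
}

if ([string]::IsNullOrWhiteSpace($HecToken)) {
    throw "No HEC token configured: pass -HecToken or set the SPLUNK_HEC_TOKEN environment variable"
}

#BEGIN REGION HEC setup
# TLS 1.2 only. SSL3 / TLS 1.0 / TLS 1.1 are deprecated and must not be offered.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

if ($SkipCertificateCheck) {
    # Opt-in only (see .PARAMETER SkipCertificateCheck): this disables server
    # certificate validation process-wide, not just for the HEC call.
    Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
}

$headers = @{ Authorization = "Splunk $HecToken" }
#END REGION HEC setup

#defaults to the current AD domain (resolved once instead of per property)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$DomainName = $domain.Name
$DomainControllersToInspect = $domain.DomainControllers | Sort-Object { Get-Random }
if ($Debug) {
    # The list is already shuffled, so the first entry is a random DC.
    $DomainControllersToInspect = $DomainControllersToInspect | Select-Object -First 1
}

#######################################
# Build the HEC event for one SYSVOL file.
# Arguments: $File             - FileInfo produced by Get-ChildItem
#            $DomainController - DC hostname the file was read from
#            $Domain           - AD domain name
# Returns:   ordered dictionary with the fields shipped to Splunk
# Raises:    whatever Get-ItemProperty / Get-Acl / Get-FileHash throw (access
#            denied, file removed mid-crawl); the caller decides to skip the file.
#######################################
function Get-SysvolFileEvent {
    param (
        [Parameter(Mandatory)] $File,
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [string] $Domain
    )
    # -LiteralPath: SYSVOL paths may contain '[' or ']' which -Path would treat as a wildcard.
    # Select only the relevant properties so the collector receives a small, flat event.
    $ntfs = Get-ItemProperty -LiteralPath $File.FullName -ErrorAction Stop |
        Select-Object FullName, Extension, DirectoryName, Length, CreationTime, LastAccessTime, LastWriteTime
    $acl = Get-Acl -LiteralPath $File.FullName -ErrorAction Stop | Select-Object Owner, Group, AccessToString
    $sha256 = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction Stop).Hash

    # Timestamps are normalised to UTC, sortable ISO-8601 ("s") so DCs can be compared directly.
    return [ordered]@{
        Domain             = $Domain
        DomainController   = $DomainController
        File               = $File.FullName
        GCILastWriteTime   = $File.LastWriteTime.ToUniversalTime().ToString("s")
        GCICreationTime    = $File.CreationTime.ToUniversalTime().ToString("s")
        SHA256             = $sha256
        NTFSFullName       = $ntfs.FullName
        NTFSExtension      = $ntfs.Extension
        NTFSDirectory      = $ntfs.DirectoryName
        # Path relative to the share, i.e. the part that must be identical on every DC.
        NTFSReplicatedPath = ($ntfs.FullName -split "sysvol", 2)[1]
        NTFSLength         = $ntfs.Length
        NTFSLastWriteTime  = $ntfs.LastWriteTime.ToUniversalTime().ToString("s")
        NTFSCreationTime   = $ntfs.CreationTime.ToUniversalTime().ToString("s")
        NTFSLastAccessTime = $ntfs.LastAccessTime.ToUniversalTime().ToString("s")
        ACL_Owner          = $acl.Owner
        ACL_Group          = $acl.Group
        # One array element per ACE line (no empty entries between CR and LF).
        ACL_AccessToString = @($acl.AccessToString -split "`r?`n" | Where-Object { $_ -ne "" })
    }
}

#######################################
# POST one event to the HEC. A transport or HTTP error is reported as a warning
# so that a single failure does not stop the crawl.
# Arguments: $Payload - dictionary returned by Get-SysvolFileEvent
#            $Uri     - HEC event endpoint
#            $Headers - request headers (Authorization)
#######################################
function Send-HecEvent {
    param (
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Payload,
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [hashtable] $Headers
    )
    # Build the envelope as an object and let ConvertTo-Json do the escaping instead
    # of concatenating JSON fragments by hand. Depth 4 covers the nested ACE array.
    $body = [ordered]@{
        host       = $env:COMPUTERNAME
        sourcetype = "GPO-inspector"
        event      = $Payload
    } | ConvertTo-Json -Depth 4 -Compress

    try {
        $response = Invoke-WebRequest -Uri $Uri -Method POST -Body $body -Headers $Headers `
            -ContentType "application/json" -UseBasicParsing -ErrorAction Stop
        if ($response.StatusCode -ne 200) {
            Write-Warning "HEC returned HTTP $($response.StatusCode) for $($Payload.File)"
        }
    } catch {
        Write-Warning "Failed to send event for $($Payload.File) to $($Uri): $_"
    }
}

# Select-Object -First stops the upstream pipeline cleanly; a 'break' inside a
# ForEach-Object script block would terminate the whole script instead.
$maxFilesPerDC = if ($Debug) { 3 } else { [int]::MaxValue }

foreach ($dc in $DomainControllersToInspect) {
    $DCBeingProcessed = $dc.Name
    $DC_sysvol_path = "\\$DCBeingProcessed\sysvol"

    Write-Host "Checking connectivity to $DCBeingProcessed"
    # SYSVOL is read over SMB, so probe TCP 445 rather than ICMP only, and skip the DC
    # instead of letting Get-ChildItem fail on an unreachable share.
    if (-not (Test-NetConnection -ComputerName $DCBeingProcessed -CommonTCPPort SMB -InformationLevel Quiet)) {
        Write-Warning "Skipping $DCBeingProcessed - SMB (TCP 445) is not reachable"
        continue
    }

    Write-Host "Analyzing the contents of files in $($DC_sysvol_path)"
    Get-ChildItem -LiteralPath $DC_sysvol_path -Recurse -File |
        Select-Object -First $maxFilesPerDC |
        ForEach-Object {
            Write-Host "File: $($_.FullName)"
            try {
                $payload = Get-SysvolFileEvent -File $_ -DomainController $DCBeingProcessed -Domain $DomainName
            } catch {
                Write-Warning "Skipping $($_.FullName): $_"
                return   # 'return' skips to the next pipeline object inside ForEach-Object
            }
            #Send the data of each file to the HEC
            Send-HecEvent -Payload $payload -Uri $HecUri -Headers $headers
        }
}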