# Download URLs; filled in below once the OS architecture has been detected.
urls = []
# Not referenced anywhere else in this file; kept so the name stays defined.
ipaddr = "localhost"  # ipaddr
import ctypes
import re
import time
import socket
import _winreg
import platform
import shutil
import ssl
import urllib2
import getpass
import zipfile
import shutil
import os
import glob
from subprocess import PIPE,Popen
import ctypes
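class disable_file_system_redirection:
    """Context manager that switches off WOW64 file-system redirection.

    Used further down around the powershell.exe invocations. The two kernel32
    entry points are resolved when the class is created, so importing this
    module on a non-Windows interpreter fails with AttributeError (there is no
    ctypes.windll) exactly as the original did.

    ``__enter__`` now returns the manager itself so ``with ... as x`` binds
    something instead of None; callers that ignore the value are unaffected.
    ``__exit__`` returns None and therefore never suppresses an exception
    raised inside the with-body.
    """
    _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
    _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

    def __enter__(self):
        # old_value receives the previous redirection state and must be passed
        # back untouched to the revert call.
        # NOTE(review): the Win32 out-parameter is a PVOID; c_long only matches
        # its width in a 32-bit process (the only case where redirection
        # applies) — confirm that is the intended deployment.
        self.old_value = ctypes.c_long()
        self.success = self._disable(ctypes.byref(self.old_value))
        return self

    def __exit__(self, exc_type, exc_value, exc_tb):
        # Revert only if the disable call reported success, otherwise the
        # old_value buffer holds nothing meaningful.
        if self.success:
            self._revert(self.old_value)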
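start = time.time()  # not read anywhere below; kept for compatibility
# wmic presumably prints a header line followed by the value, so the last
# token is the architecture string. Indexing an empty list used to die with a
# bare IndexError when wmic produced no output (it is deprecated and may be
# missing); fail with a readable message instead.
_wmic_tokens = os.popen("wmic os get osarchitecture").read().split()
if not _wmic_tokens:
    raise RuntimeError("could not determine OS architecture: no output from wmic")
os_arch = _wmic_tokens[-1]
# Pick the matching winlogbeat archive. Anything that is not 32-bit is treated
# as 64-bit here, as before.
# NOTE: no hash or signature for the archive is recorded, so its integrity
# rests entirely on the TLS connection made in Download().
if "32" in os_arch:
    url32 = "https://script-downloads.comodo.com/sysmon_winlogbeat/winlogbeat/winlogbeat-7.14.0-windows-x86.zip"
    urls.append(url32)
else:
    url64 = "https://script-downloads.comodo.com/sysmon_winlogbeat/winlogbeat/winlogbeat-7.14.0-windows-x86_64.zip"
    urls.append(url64)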
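def Download(src_path, URL, fp):
    """Fetch URL and stream the response body to the file fp.

    Args:
        src_path: directory that must exist before fp is opened; created with
            os.makedirs when missing.
        URL: address to fetch. A fixed User-Agent header is sent, as before.
        fp: destination file path (the caller places it inside src_path).

    Returns:
        fp, unchanged, for the caller's convenience.

    Raises:
        urllib2.URLError / urllib2.HTTPError on network or HTTP failure;
        OSError / IOError if the directory or file cannot be created.
    """
    request = urllib2.Request(URL, headers={'User-Agent': "Magic Browser"})
    try:
        # Verify the server certificate against the system trust store. The
        # original built ssl.SSLContext(ssl.PROTOCOL_TLSv1), whose verify_mode
        # defaults to CERT_NONE, so the installer archive was fetched without
        # any certificate validation.
        context = ssl.create_default_context()
        parsed = urllib2.urlopen(request, context=context)
    except (AttributeError, TypeError):
        # Python < 2.7.9: no create_default_context and urlopen has no
        # `context` keyword; on those interpreters urlopen does not verify
        # certificates at all, so consider upgrading.
        parsed = urllib2.urlopen(request)
    if not os.path.exists(src_path):
        os.makedirs(src_path)
    try:
        with open(fp, 'wb') as f:
            while True:
                chunk = parsed.read(100 * 1000 * 1000)
                if not chunk:
                    break
                f.write(chunk)
    finally:
        # The response object was previously never closed.
        parsed.close()
    return fp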

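def filezip(Excutable_path, dest_path):
    """Extract the ZIP archive at Excutable_path into dest_path.

    Every member name is checked before extraction so an archive containing an
    absolute path or ``..`` components cannot place files outside dest_path.
    Recent Python versions already sanitise such names in extractall, but an
    explicit check fails loudly instead of silently relocating the member; the
    archive comes from the network and is not otherwise verified.

    Args:
        Excutable_path: path of the .zip file to open.
        dest_path: directory the archive is extracted into.

    Raises:
        ValueError: if a member would resolve outside dest_path.
        zipfile.BadZipfile: if the file is not a valid ZIP archive.
    """
    base = os.path.realpath(dest_path)
    with zipfile.ZipFile(Excutable_path, "r") as zip_ref:
        for member in zip_ref.namelist():
            target = os.path.realpath(os.path.join(base, member))
            # Compare with a trailing separator so "base2" is not accepted.
            if target != base and not target.startswith(base + os.sep):
                raise ValueError("unsafe path in archive: %r" % member)
        zip_ref.extractall(dest_path)
        print('file unzipped to ' + dest_path)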

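def permissions(dirpath):
    """Set mode 0o777 on every directory and file below dirpath.

    dirpath itself is not touched, as in the original. A dirpath that is not a
    directory is ignored. A chmod failure on one entry (typically a file held
    open by another process) is reported and the walk continues, instead of
    abandoning every remaining entry at the first error.

    On Windows os.chmod only clears or sets the read-only attribute, which is
    all this installer needs before it overwrites winlogbeat.yml.

    Args:
        dirpath: root directory to process.
    """
    mode = 0o777
    if not os.path.isdir(dirpath):
        return
    for root, dirs, files in os.walk(dirpath, topdown=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            try:
                os.chmod(path, mode)
            except (OSError, IOError):
                # The original message had a %s that never received a value.
                print("File being Used %s" % path)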

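# Staging directory for the downloaded archive; the extracted tree lands in
# the same place (Folder and dest_path used to be computed twice).
# NOTE(review): %ProgramData% is writable by standard users by default and the
# install script is later executed from this tree while elevated — confirm
# the directory's ACLs, or use a location only administrators can write.
Folder = os.environ['programdata'] + r"\extraction_file"
if not os.path.exists(Folder):
    os.mkdir(Folder)
dest_path = Folder
for i, url in enumerate(urls):
    # Archives are numbered (0_l.zip, 1_l.zip, ...) in case several are queued.
    fp = os.path.join(Folder, "%d_l.zip" % i)
    Excutable_path = Download(Folder, url, fp)
    print("Downloaded succesfully to " + Excutable_path)
    filezip(Excutable_path, dest_path)

permissions(dest_path)
# The install step below runs the service script relative to the extracted tree.
os.chdir(dest_path)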

############################################YAML_File################################################################
# winlogbeat.yml contents written for the 64-bit install (see the bottom of the
# file). The `#` lines inside the string are YAML comments, not Python ones.
# NOTE(review): the whole document is indented four spaces, which YAML accepts
# as long as it is uniform; but because `#output.logstash:` is commented out,
# the `hosts: ["localhost:5044"]` entry beneath it appears to nest under the
# live `output.elasticsearch:` key, so events would go to Elasticsearch on the
# Logstash port — confirm which output is intended. That output has no TLS or
# credentials configured, which is only acceptable while it stays on
# localhost. The `ipaddr` variable at the top of the file is not substituted
# into this text, and the text is identical to winlogbeat_yaml_file_32 apart
# from trailing blank lines.
winlogbeat_yaml_file_64="""
    ###################### Winlogbeat Configuration Example ########################

    # This file is an example configuration file highlighting only the most common
    # options. The winlogbeat.reference.yml file from the same directory contains
    # all the supported options with more comments. You can use it as a reference.
    #
    # You can find the full configuration reference here:
    # https://www.elastic.co/guide/en/beats/winlogbeat/index.html

    # ======================== Winlogbeat specific options =========================

    # event_logs specifies a list of event logs to monitor as well as any
    # accompanying options. The YAML data type of event_logs is a list of
    # dictionaries.
    #
    # The supported keys are name (required), tags, fields, fields_under_root,
    # forwarded, ignore_older, level, event_id, provider, and include_xml. Please
    # visit the documentation for the complete details of each option.
    # https://go.es.io/WinlogbeatConfig

    winlogbeat.event_logs:
      - name: Application
        ignore_older: 72h

      - name: System

      - name: Security
        processors:
          - script:
              lang: javascript
              id: security
              file: ${path.home}/module/security/config/winlogbeat-security.js

      - name: Microsoft-Windows-Sysmon/Operational
        processors:
          - script:
              lang: javascript
              id: sysmon
              file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

      - name: Windows PowerShell
        event_id: 400, 403, 600, 800
        processors:
          - script:
              lang: javascript
              id: powershell
              file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

      - name: Microsoft-Windows-PowerShell/Operational
        event_id: 4103, 4104, 4105, 4106
        processors:
          - script:
              lang: javascript
              id: powershell
              file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

      - name: ForwardedEvents
        tags: [forwarded]
        processors:
          - script:
              when.equals.winlog.channel: Security
              lang: javascript
              id: security
              file: ${path.home}/module/security/config/winlogbeat-security.js
          - script:
              when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
              lang: javascript
              id: sysmon
              file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
          - script:
              when.equals.winlog.channel: Windows PowerShell
              lang: javascript
              id: powershell
              file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
          - script:
              when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
              lang: javascript
              id: powershell
              file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

    # ====================== Elasticsearch template settings =======================

    setup.template.settings:
      index.number_of_shards: 1
      #index.codec: best_compression
      #_source.enabled: false


    # ================================== General ===================================

    # The name of the shipper that publishes the network data. It can be used to group
    # all the transactions sent by a single shipper in the web interface.
    #name:

    # The tags of the shipper are included in their own field with each
    # transaction published.
    #tags: ["service-X", "web-tier"]

    # Optional fields that you can specify to add additional information to the
    # output.
    #fields:
    #  env: staging

    # ================================= Dashboards =================================
    # These settings control loading the sample dashboards to the Kibana index. Loading
    # the dashboards is disabled by default and can be enabled either by setting the
    # options here or by using the `setup` command.
    #setup.dashboards.enabled: false

    # The URL from where to download the dashboards archive. By default this URL
    # has a value which is computed based on the Beat name and version. For released
    # versions, this URL points to the dashboard archive on the artifacts.elastic.co
    # website.
    #setup.dashboards.url:

    # =================================== Kibana ===================================

    # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
    # This requires a Kibana endpoint configuration.
    setup.kibana:

      # Kibana Host
      # Scheme and port can be left out and will be set to the default (http and 5601)
      # In case you specify and additional path, the scheme is required: http://localhost:5601/path
      # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
      #host: "localhost:5601"

      # Kibana Space ID
      # ID of the Kibana Space into which the dashboards should be loaded. By default,
      # the Default Space will be used.
      #space.id:

    # =============================== Elastic Cloud ================================

    # These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

    # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
    # `setup.kibana.host` options.
    # You can find the `cloud.id` in the Elastic Cloud web UI.
    #cloud.id:

    # The cloud.auth setting overwrites the `output.elasticsearch.username` and
    # `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
    #cloud.auth:

    # ================================== Outputs ===================================

    # Configure what output to use when sending the data collected by the beat.

    # ---------------------------- Elasticsearch Output ----------------------------
    output.elasticsearch:
      # Array of hosts to connect to.
      #hosts: ["localhost:9200"]

      # Protocol - either `http` (default) or `https`.
      #protocol: "https"

      # Authentication credentials - either API key or username/password.
      #api_key: "id:api_key"
      #username: "elastic"
      #password: "changeme"

    # ------------------------------ Logstash Output -------------------------------
    #output.logstash:
      # The Logstash hosts
      hosts: ["localhost:5044"]

      # Optional SSL. By default is off.
      # List of root certificates for HTTPS server verifications
      #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

      # Certificate for SSL client authentication
      #ssl.certificate: "/etc/pki/client/cert.pem"

      # Client Certificate Key
      #ssl.key: "/etc/pki/client/cert.key"

    # ================================= Processors =================================
    processors:
      - add_host_metadata:
          when.not.contains.tags: forwarded
      - add_cloud_metadata: ~

    # ================================== Logging ===================================

    # Sets log level. The default log level is info.
    # Available log levels are: error, warning, info, debug
    #logging.level: debug

    # At debug level, you can selectively enable logging only for some components.
    # To enable all selectors use ["*"]. Examples of other selectors are "beat",
    # "publisher", "service".
    #logging.selectors: ["*"]

    # ============================= X-Pack Monitoring ==============================
    # Winlogbeat can export internal metrics to a central Elasticsearch monitoring
    # cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
    # reporting is disabled by default.

    # Set to true to enable the monitoring reporter.
    #monitoring.enabled: false

    # Sets the UUID of the Elasticsearch cluster under which monitoring data for this
    # Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
    # is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
    #monitoring.cluster_uuid:

    # Uncomment to send the metrics to Elasticsearch. Most settings from the
    # Elasticsearch output are accepted here as well.
    # Note that the settings should point to your Elasticsearch *monitoring* cluster.
    # Any setting that is not set is automatically inherited from the Elasticsearch
    # output configuration, so if you have the Elasticsearch output configured such
    # that it is pointing to your Elasticsearch monitoring cluster, you can simply
    # uncomment the following line.
    #monitoring.elasticsearch:

    # ============================== Instrumentation ===============================

    # Instrumentation support for the winlogbeat.
    #instrumentation:
        # Set to true to enable instrumentation of winlogbeat.
        #enabled: false

        # Environment in which winlogbeat is running on (eg: staging, production, etc.)
        #environment: ""

        # APM Server hosts to report instrumentation results to.
        #hosts:
        #  - http://localhost:8200

        # API Key for the APM Server(s).
        # If api_key is set then secret_token will be ignored.
        #api_key:

        # Secret token for the APM Server(s).
        #secret_token:


    # ================================= Migration ==================================

    # This allows to enable 6.7 migration aliases
    #migration.6_to_7.enabled: true


    """

# winlogbeat.yml contents written for the 32-bit install (see the bottom of the
# file). The `#` lines inside the string are YAML comments, not Python ones.
# NOTE(review): the whole document is indented four spaces, which YAML accepts
# as long as it is uniform; but because `#output.logstash:` is commented out,
# the `hosts: ["localhost:5044"]` entry beneath it appears to nest under the
# live `output.elasticsearch:` key, so events would go to Elasticsearch on the
# Logstash port — confirm which output is intended. That output has no TLS or
# credentials configured, which is only acceptable while it stays on
# localhost. The `ipaddr` variable at the top of the file is not substituted
# into this text, and the text is identical to winlogbeat_yaml_file_64 apart
# from trailing blank lines.
winlogbeat_yaml_file_32="""
    ###################### Winlogbeat Configuration Example ########################

    # This file is an example configuration file highlighting only the most common
    # options. The winlogbeat.reference.yml file from the same directory contains
    # all the supported options with more comments. You can use it as a reference.
    #
    # You can find the full configuration reference here:
    # https://www.elastic.co/guide/en/beats/winlogbeat/index.html

    # ======================== Winlogbeat specific options =========================

    # event_logs specifies a list of event logs to monitor as well as any
    # accompanying options. The YAML data type of event_logs is a list of
    # dictionaries.
    #
    # The supported keys are name (required), tags, fields, fields_under_root,
    # forwarded, ignore_older, level, event_id, provider, and include_xml. Please
    # visit the documentation for the complete details of each option.
    # https://go.es.io/WinlogbeatConfig

    winlogbeat.event_logs:
      - name: Application
        ignore_older: 72h

      - name: System

      - name: Security
        processors:
          - script:
              lang: javascript
              id: security
              file: ${path.home}/module/security/config/winlogbeat-security.js

      - name: Microsoft-Windows-Sysmon/Operational
        processors:
          - script:
              lang: javascript
              id: sysmon
              file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

      - name: Windows PowerShell
        event_id: 400, 403, 600, 800
        processors:
          - script:
              lang: javascript
              id: powershell
              file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

      - name: Microsoft-Windows-PowerShell/Operational
        event_id: 4103, 4104, 4105, 4106
        processors:
          - script:
              lang: javascript
              id: powershell
              file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

      - name: ForwardedEvents
        tags: [forwarded]
        processors:
          - script:
              when.equals.winlog.channel: Security
              lang: javascript
              id: security
              file: ${path.home}/module/security/config/winlogbeat-security.js
          - script:
              when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
              lang: javascript
              id: sysmon
              file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
          - script:
              when.equals.winlog.channel: Windows PowerShell
              lang: javascript
              id: powershell
              file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
          - script:
              when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
              lang: javascript
              id: powershell
              file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

    # ====================== Elasticsearch template settings =======================

    setup.template.settings:
      index.number_of_shards: 1
      #index.codec: best_compression
      #_source.enabled: false


    # ================================== General ===================================

    # The name of the shipper that publishes the network data. It can be used to group
    # all the transactions sent by a single shipper in the web interface.
    #name:

    # The tags of the shipper are included in their own field with each
    # transaction published.
    #tags: ["service-X", "web-tier"]

    # Optional fields that you can specify to add additional information to the
    # output.
    #fields:
    #  env: staging

    # ================================= Dashboards =================================
    # These settings control loading the sample dashboards to the Kibana index. Loading
    # the dashboards is disabled by default and can be enabled either by setting the
    # options here or by using the `setup` command.
    #setup.dashboards.enabled: false

    # The URL from where to download the dashboards archive. By default this URL
    # has a value which is computed based on the Beat name and version. For released
    # versions, this URL points to the dashboard archive on the artifacts.elastic.co
    # website.
    #setup.dashboards.url:

    # =================================== Kibana ===================================

    # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
    # This requires a Kibana endpoint configuration.
    setup.kibana:

      # Kibana Host
      # Scheme and port can be left out and will be set to the default (http and 5601)
      # In case you specify and additional path, the scheme is required: http://localhost:5601/path
      # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
      #host: "localhost:5601"

      # Kibana Space ID
      # ID of the Kibana Space into which the dashboards should be loaded. By default,
      # the Default Space will be used.
      #space.id:

    # =============================== Elastic Cloud ================================

    # These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

    # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
    # `setup.kibana.host` options.
    # You can find the `cloud.id` in the Elastic Cloud web UI.
    #cloud.id:

    # The cloud.auth setting overwrites the `output.elasticsearch.username` and
    # `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
    #cloud.auth:

    # ================================== Outputs ===================================

    # Configure what output to use when sending the data collected by the beat.

    # ---------------------------- Elasticsearch Output ----------------------------
    output.elasticsearch:
      # Array of hosts to connect to.
      #hosts: ["localhost:9200"]

      # Protocol - either `http` (default) or `https`.
      #protocol: "https"

      # Authentication credentials - either API key or username/password.
      #api_key: "id:api_key"
      #username: "elastic"
      #password: "changeme"

    # ------------------------------ Logstash Output -------------------------------
    #output.logstash:
      # The Logstash hosts
      hosts: ["localhost:5044"]

      # Optional SSL. By default is off.
      # List of root certificates for HTTPS server verifications
      #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

      # Certificate for SSL client authentication
      #ssl.certificate: "/etc/pki/client/cert.pem"

      # Client Certificate Key
      #ssl.key: "/etc/pki/client/cert.key"

    # ================================= Processors =================================
    processors:
      - add_host_metadata:
          when.not.contains.tags: forwarded
      - add_cloud_metadata: ~

    # ================================== Logging ===================================

    # Sets log level. The default log level is info.
    # Available log levels are: error, warning, info, debug
    #logging.level: debug

    # At debug level, you can selectively enable logging only for some components.
    # To enable all selectors use ["*"]. Examples of other selectors are "beat",
    # "publisher", "service".
    #logging.selectors: ["*"]

    # ============================= X-Pack Monitoring ==============================
    # Winlogbeat can export internal metrics to a central Elasticsearch monitoring
    # cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
    # reporting is disabled by default.

    # Set to true to enable the monitoring reporter.
    #monitoring.enabled: false

    # Sets the UUID of the Elasticsearch cluster under which monitoring data for this
    # Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
    # is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
    #monitoring.cluster_uuid:

    # Uncomment to send the metrics to Elasticsearch. Most settings from the
    # Elasticsearch output are accepted here as well.
    # Note that the settings should point to your Elasticsearch *monitoring* cluster.
    # Any setting that is not set is automatically inherited from the Elasticsearch
    # output configuration, so if you have the Elasticsearch output configured such
    # that it is pointing to your Elasticsearch monitoring cluster, you can simply
    # uncomment the following line.
    #monitoring.elasticsearch:

    # ============================== Instrumentation ===============================

    # Instrumentation support for the winlogbeat.
    #instrumentation:
        # Set to true to enable instrumentation of winlogbeat.
        #enabled: false

        # Environment in which winlogbeat is running on (eg: staging, production, etc.)
        #environment: ""

        # APM Server hosts to report instrumentation results to.
        #hosts:
        #  - http://localhost:8200

        # API Key for the APM Server(s).
        # If api_key is set then secret_token will be ignored.
        #api_key:

        # Secret token for the APM Server(s).
        #secret_token:


    # ================================= Migration ==================================

    # This allows to enable 6.7 migration aliases
    #migration.6_to_7.enabled: true



    """

############################################Yaml_file_creation_complete##############################################

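# Command run from the extracted winlogbeat directory: register the service,
# set it to start automatically, then start it. The value is byte-identical to
# the original; a raw literal just avoids a backslash warning on newer Pythons.
# NOTE(review): cmd.exe does not treat single quotes as quoting, so each
# powershell.exe receives `'-Exec ...'` etc. as its arguments; if powershell.exe
# evaluates that quoted text as a string expression the step prints the string
# and exits 0 without registering anything. Verify on a test host that the
# service really exists afterwards; a plain `-ExecutionPolicy Bypass -File
# .\install-service-winlogbeat.ps1` form would remove the ambiguity.
_INSTALL_CMD = r"""powershell.exe '-Exec bypass -File .\install-service-winlogbeat.ps1' && powershell.exe 'Set-Service -Name "winlogbeat" -StartupType automatic' && powershell.exe 'Start-Service  -Name "winlogbeat"'"""


def _extracted_dir(root):
    """Return the first directory below root, i.e. the unzipped winlogbeat tree.

    os.walk yields root itself first, so index 1 is its first subdirectory —
    exactly what the original ``[...][1]`` selected. A missing subdirectory
    now raises a readable error instead of a bare IndexError.
    """
    walked = [dirpath for dirpath, _, _ in os.walk(root)]
    if len(walked) < 2:
        raise RuntimeError("no extracted winlogbeat directory under %s" % root)
    return walked[1]


def _install_winlogbeat(directory, yaml_text):
    """Write winlogbeat.yml into directory and register/start the service.

    The 32-bit and 64-bit branches used to carry two identical copies of this
    code; only the template differs.

    Args:
        directory: extracted winlogbeat folder holding
            install-service-winlogbeat.ps1; becomes the working directory.
        yaml_text: full contents for winlogbeat.yml.
    """
    os.chdir(directory)
    print("Configuring yaml file...")
    permissions(directory)
    with open(directory + "\\winlogbeat.yml", "w") as f:
        f.write(yaml_text)
    with disable_file_system_redirection():
        # NOTE(review): this persistently changes the machine-wide execution
        # policy, and its output is never read, so it may still be running when
        # the next command starts. The install line already passes -Exec
        # bypass, so the policy change is probably redundant; if it is kept,
        # `-Scope Process` would avoid leaving a weaker policy on the host.
        os.popen('powershell "Set-ExecutionPolicy RemoteSigned"')
        proc = Popen(_INSTALL_CMD, stdout=PIPE, stderr=PIPE, shell=True)
    out, err = proc.communicate()
    if err:
        print(err)
    else:
        print(out)
    if proc.returncode == 0:
        print("winlogbeat Installed Successfully")
    else:
        print("Failed to install winlogbeat returncode %s" % (proc.returncode))


if "32" in os_arch:
    _install_winlogbeat(_extracted_dir(dest_path), winlogbeat_yaml_file_32)
elif "64" in os_arch:
    # The 64-bit build gets the 64-bit template (the two texts are currently
    # the same apart from trailing blank lines, but keep them paired).
    _install_winlogbeat(_extracted_dir(dest_path), winlogbeat_yaml_file_64)
else:
    # Previously this case fell through silently after the download step.
    print("Unsupported OS architecture: %s" % os_arch)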