From fd981e8b49c80d8ef3f533f895c9a27e21f964e2 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Tue, 7 Sep 2021 07:54:20 -0400 Subject: [PATCH 01/26] Set up CI with Azure Pipelines [skip ci] --- azure-pipelines.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 azure-pipelines.yml diff --git a/azure-pipelines.yml b/azure-pipelines.yml new file mode 100644 index 00000000..27a798ad --- /dev/null +++ b/azure-pipelines.yml @@ -0,0 +1,19 @@ +# Starter pipeline +# Start with a minimal pipeline that you can customize to build and deploy your code. +# Add steps that build, run tests, deploy, and more: +# https://aka.ms/yaml + +trigger: +- master + +pool: + vmImage: ubuntu-latest + +steps: +- script: echo Hello, world! + displayName: 'Run a one-line script' + +- script: | + echo Add other tasks to build, test, and deploy your project. + echo See https://aka.ms/yaml + displayName: 'Run a multi-line script' From 50002595c5c5dafafaf727616666e5198d870fbd Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Tue, 7 Sep 2021 09:20:18 -0400 Subject: [PATCH 02/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 27a798ad..364e494c 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -6,8 +6,8 @@ trigger: - master -pool: - vmImage: ubuntu-latest +#pool: +# vmImage: ubuntu-latest steps: - script: echo Hello, world! From 76a7e0f98e5eb485b6efd3c3681f2b76e2354ded Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Tue, 7 Sep 2021 09:28:30 -0400 Subject: [PATCH 03/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 364e494c..0cf4037b 100644 
--- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -6,8 +6,8 @@ trigger: - master -#pool: -# vmImage: ubuntu-latest +pool: + vmImage: windows-2019 steps: - script: echo Hello, world! From 00a9e45a0f01221a96246754cf76b72f88dee034 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 12:38:16 -0400 Subject: [PATCH 04/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 0cf4037b..2188bbd1 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -17,3 +17,27 @@ steps: echo Add other tasks to build, test, and deploy your project. echo See https://aka.ms/yaml displayName: 'Run a multi-line script' + +- task: PowerShell@2 + inputs: + targetType: 'inline' + script: | + Write-Host "downloading sysmon..." + $sysmonDir = "C:\Sysmon" + + If (!(test-path $sysmonDir)) { + New-Item -ItemType Directory -Force -Path $sysmonDir} Else { + Write-Host "Sysmon directory exists. Exiting" + exit + } + + $sysmonPath = "C:\Sysmon\Sysmon.exe" + $sysmonConfigPath = "D:\a\1\s\sysmonconfig.xml" + + [Net.ServicePointManager::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + + (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe', $sysmonPath) + failOnStderr: true + + + From b73485542442cd1ccc8b0951eae829bf86efad0f Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 12:44:41 -0400 Subject: [PATCH 05/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 2188bbd1..b95e65b1 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml 
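Review bot: The download step writes Sysmon.exe to C:\Sysmon with no integrity check before the later install step runs it as a service and driver, so a swapped or truncated download would be installed without complaint; after the DownloadFile call add `$sig = Get-AuthenticodeSignature -FilePath $sysmonPath` and `if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') { throw "Sysmon.exe signature check failed: $($sig.Status)" }` (or compare `Get-FileHash` against a pinned value). The bare `exit` in the Else branch returns 0, so an already-present directory lets the task pass without downloading anything and the install step fails later with a less obvious error; `exit 1` or `throw` would surface it here. `$sysmonConfigPath` is assigned but not used in this hunk and hard-codes the agent checkout path D:\a\1\s, which `$(Build.SourcesDirectory)` names without depending on the hosted agent's layout.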
@@ -34,7 +34,7 @@ steps: $sysmonPath = "C:\Sysmon\Sysmon.exe" $sysmonConfigPath = "D:\a\1\s\sysmonconfig.xml" - [Net.ServicePointManager::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe', $sysmonPath) failOnStderr: true From e89a8fd92057d73ddd72dd4163052f21c378fd80 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 12:53:29 -0400 Subject: [PATCH 06/26] Update azure-pipelines.yml for Azure Pipelines installation --- azure-pipelines.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index b95e65b1..adf8f3da 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -18,7 +18,7 @@ steps: echo See https://aka.ms/yaml displayName: 'Run a multi-line script' -- task: PowerShell@2 +- task: PowerShell@2 Download Sysmon inputs: targetType: 'inline' script: | @@ -40,4 +40,19 @@ steps: failOnStderr: true +- task: PowerShell@2 Install Sysmon + inputs: + targetType: 'inline' + script: | + $sysmonDir= "C:\Sysmon" + + Write-Host "Installing Sysmon" + Start-Process -FilePath "$sysmonDir\Sysmon.exe" -ArgumentList "-accepteula -i" + + Write-Host "verify that sysmon service is running..." + Start-Sleep 5 + If ((Get-Service -name Sysmon).Status -ne "Running") { + throw "The sysmon service did NOT start" + } + failOnStderr: true From 796b8fe7262d20385f27092c91ffb53b1b51aa17 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 12:54:15 -0400 Subject: [PATCH 07/26] Update azure-pipelines.yml for Azure Pipelines installation --- azure-pipelines.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index adf8f3da..2270050e 100644 --- a/azure-pipelines.yml 
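Review bot: The install step launches Sysmon.exe with Start-Process and no -Wait, then sleeps five seconds and checks the service, so a slow or failed install is detected only through the service check and the installer's exit code is never inspected. Replace the Start-Process line with `$p = Start-Process -FilePath "$sysmonDir\Sysmon.exe" -ArgumentList "-accepteula -i" -Wait -PassThru -NoNewWindow` and add `if ($p.ExitCode -ne 0) { throw "Sysmon install exited with $($p.ExitCode)" }`, which also makes the Start-Sleep unnecessary. Installing with `-i` and no configuration file leaves Sysmon on its default configuration until the later `-c` step runs; passing the config path to `-i` in this step would remove that window.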
+++ b/azure-pipelines.yml @@ -18,7 +18,7 @@ steps: echo See https://aka.ms/yaml displayName: 'Run a multi-line script' -- task: PowerShell@2 Download Sysmon +- task: PowerShell@2.1 inputs: targetType: 'inline' script: | @@ -40,7 +40,7 @@ steps: failOnStderr: true -- task: PowerShell@2 Install Sysmon +- task: PowerShell@2.1 inputs: targetType: 'inline' script: | From 547b11e039bfb7f92ff676ecb776cfd974f120d9 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 12:54:48 -0400 Subject: [PATCH 08/26] Update azure-pipelines.yml for Azure Pipelines installation --- azure-pipelines.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 2270050e..571c4745 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -18,7 +18,7 @@ steps: echo See https://aka.ms/yaml displayName: 'Run a multi-line script' -- task: PowerShell@2.1 +- task: PowerShell@2.1.1 inputs: targetType: 'inline' script: | @@ -40,7 +40,7 @@ steps: failOnStderr: true -- task: PowerShell@2.1 +- task: PowerShell@2.1.1 inputs: targetType: 'inline' script: | From 13312e0aa415638ce6b3a01e4e2d6addb6ae1143 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 12:55:37 -0400 Subject: [PATCH 09/26] Update azure-pipelines.yml for Azure Pipelines installation --- azure-pipelines.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 571c4745..a10b1b14 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -18,7 +18,7 @@ steps: echo See https://aka.ms/yaml displayName: 'Run a multi-line script' -- task: PowerShell@2.1.1 +- task: PowerShell@2 inputs: targetType: 'inline' script: | @@ -40,7 +40,7 @@ steps: failOnStderr: true -- task: PowerShell@2.1.1 +- task: PowerShell@2 inputs: targetType: 'inline' script: | 
From 08af290405e6ec658d25d093c3ac5881768f07e5 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 13:01:57 -0400 Subject: [PATCH 10/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index a10b1b14..fb01cbdd 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -56,3 +56,14 @@ steps: } failOnStderr: true +- task: PowerShell@2 + inputs: + targetType: 'inline' + script: | + $sysmonConfigPath = D:\a\1\s\sysmonconfig-export.xml + + Write-Host "Loading sysmon config" + $sysmon = C:\Sysmon\Sysmon.exe -c $sysmonConfigPath + $sysmon + if($sysmon -like '*Configuration updated.*') {Write-Host "all good!"} else {throw "ERROR"} + failOnStderr: true \ No newline at end of file From b6ce8f69192ae86c8e7c50c50ac5caa2333d170d Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 13:06:47 -0400 Subject: [PATCH 11/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index fb01cbdd..8a60bbb2 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -60,7 +60,7 @@ steps: inputs: targetType: 'inline' script: | - $sysmonConfigPath = D:\a\1\s\sysmonconfig-export.xml + $sysmonConfigPath = "D:\a\1\s\sysmonconfig-export.xml" Write-Host "Loading sysmon config" $sysmon = C:\Sysmon\Sysmon.exe -c $sysmonConfigPath From b563eaea922297ddf9097d88bed8a66c5d9e86c2 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 13:14:31 -0400 Subject: [PATCH 12/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 8a60bbb2..f5ea926b 100644 
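Review bot: The config-load step hard-codes the checkout path `D:\a\1\s\sysmonconfig-export.xml`, which is an implementation detail of the hosted agent rather than a stable contract; `"$(Build.SourcesDirectory)\sysmonconfig-export.xml"` refers to the same directory without depending on it. The success check relies only on the text `Configuration updated.` appearing in captured stdout, which is fragile across Sysmon versions; checking `$LASTEXITCODE -ne 0` immediately after the Sysmon.exe call is the sturdier signal and can be combined with the string match. The same hard-coded path appears in the download step's `$sysmonConfigPath` earlier in the file, outside this hunk.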
--- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -65,5 +65,5 @@ steps: Write-Host "Loading sysmon config" $sysmon = C:\Sysmon\Sysmon.exe -c $sysmonConfigPath $sysmon - if($sysmon -like '*Configuration updated.*') {Write-Host "all good!"} else {throw "ERROR"} + if($sysmon -like '*Configuration updated.*') {Write-Host "all good!"} failOnStderr: true \ No newline at end of file From 667c78dddfedcc1a8fbdba95d4c4939e1daaf1c6 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 14:55:52 -0400 Subject: [PATCH 13/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index f5ea926b..8afacb66 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -64,6 +64,6 @@ steps: Write-Host "Loading sysmon config" $sysmon = C:\Sysmon\Sysmon.exe -c $sysmonConfigPath - $sysmon - if($sysmon -like '*Configuration updated.*') {Write-Host "all good!"} + $sysmon 2> $null + if($sysmon -like '*Configuration updated.*') {Write-Host "all good!"} else {throw "Error loading sysmon config to sysmon"} failOnStderr: true \ No newline at end of file From 97ac4c0f01a69027d8863d5bec826a8ba2b18768 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 15:26:00 -0400 Subject: [PATCH 14/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 8afacb66..6616f64d 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml 
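Review bot: `$sysmon 2> $null` does not silence Sysmon's stderr, because Sysmon.exe already ran on the previous line; this statement only re-emits the captured stdout and the redirection applies to that output. To capture and control the process's own stderr, merge it at the call site, `$sysmon = & C:\Sysmon\Sysmon.exe -c $sysmonConfigPath 2>&1`, and drop the `$sysmon 2> $null` line. With stderr folded into `$sysmon`, the `failOnStderr: false` that commit 14 adds to the same task becomes unnecessary, and the task would again fail on unexpected errors instead of depending solely on the string match.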
@@ -65,5 +65,5 @@ steps: Write-Host "Loading sysmon config" $sysmon = C:\Sysmon\Sysmon.exe -c $sysmonConfigPath $sysmon 2> $null - if($sysmon -like '*Configuration updated.*') {Write-Host "all good!"} else {throw "Error loading sysmon config to sysmon"} - failOnStderr: true \ No newline at end of file + if($sysmon -like '*Configuration updatedx.*') {Write-Host "all good!"} else {throw "Error loading sysmon config to sysmon"} + failOnStderr: false \ No newline at end of file From d24d9641b023610343658db68113c90e5cd7bd1d Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 15:34:39 -0400 Subject: [PATCH 15/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 6616f64d..1a47986b 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -65,5 +65,5 @@ steps: Write-Host "Loading sysmon config" $sysmon = C:\Sysmon\Sysmon.exe -c $sysmonConfigPath $sysmon 2> $null - if($sysmon -like '*Configuration updatedx.*') {Write-Host "all good!"} else {throw "Error loading sysmon config to sysmon"} + if($sysmon -like '*Configuration updated.*') {Write-Host "all good!"} else {throw "Error loading sysmon config to sysmon"} failOnStderr: false \ No newline at end of file From f30a03b7cfad923beefa8f4dbd73f1542507e6e0 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 15:39:54 -0400 Subject: [PATCH 16/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 1a47986b..9647fcf1 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml 
@@ -9,15 +9,6 @@ trigger: pool: vmImage: windows-2019 -steps: -- script: echo Hello, world! - displayName: 'Run a one-line script' - -- script: | - echo Add other tasks to build, test, and deploy your project. - echo See https://aka.ms/yaml - displayName: 'Run a multi-line script' - - task: PowerShell@2 inputs: targetType: 'inline' @@ -38,7 +29,6 @@ steps: (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe', $sysmonPath) failOnStderr: true - - task: PowerShell@2 inputs: From 30150bf07142ee627513cdeb47786baff9041488 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 15:40:37 -0400 Subject: [PATCH 17/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 9647fcf1..95e250a1 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -9,6 +9,7 @@ trigger: pool: vmImage: windows-2019 +steps: - task: PowerShell@2 inputs: targetType: 'inline' @@ -29,6 +30,7 @@ pool: (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe', $sysmonPath) failOnStderr: true + - task: PowerShell@2 inputs: From 40b093f12f9860f7ea78444d9b3198ff5ab034a2 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Fri, 10 Sep 2021 16:20:55 -0400 Subject: [PATCH 18/26] Update sysmonconfig-export.xml --- sysmonconfig-export.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index f4acf26c..2b5b6f7e 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -1,4 +1,5 @@  - \ No newline at end of file + From 86f7612f8bd38acdf33732626282641c7bbdd9b5 Mon Sep 17 00:00:00 2001 
From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Mon, 13 Sep 2021 08:45:00 -0400 Subject: [PATCH 19/26] Update azure-pipelines.yml fir defaults for rest of install --- azure-pipelines.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 95e250a1..559519fe 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -58,4 +58,11 @@ steps: $sysmon = C:\Sysmon\Sysmon.exe -c $sysmonConfigPath $sysmon 2> $null if($sysmon -like '*Configuration updated.*') {Write-Host "all good!"} else {throw "Error loading sysmon config to sysmon"} - failOnStderr: false \ No newline at end of file + failOnStderr: false + + + +- task: PowerShell@2 + inputs: + targetType: 'inline' + script: 'powershell -exec bypass; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true' \ No newline at end of file From d1009ff0c11e5fc2b62bb97689ef87c6ae1fd7f4 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Mon, 13 Sep 2021 08:58:06 -0400 Subject: [PATCH 20/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 559519fe..ff2563eb 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -60,9 +60,9 @@ steps: if($sysmon -like '*Configuration updated.*') {Write-Host "all good!"} else {throw "Error loading sysmon config to sysmon"} failOnStderr: false - - - task: PowerShell@2 inputs: targetType: 'inline' - script: 'powershell -exec bypass; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true' \ No newline at end of file + script: | + Install-PackageProvider -Name Nuget -MinimumVersion 2.8.5.201 -Force + Set-MpPreference -DisableRealtimeMonitoring $true \ No newline at end of file 
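Review bot: `Set-MpPreference -DisableRealtimeMonitoring $true` switches off Defender for the whole agent with no comment on why or on what it costs; a comment such as `# Defender real-time scanning would presumably quarantine the Atomic Red Team content fetched in the next step` would record the intent, if that is the reason. Disabling real-time monitoring also removes Defender's own detections from the agent, which matters if the Sysmon event comparison later in the pipeline is meant to reflect a default Windows host. Since the job runs on an ephemeral hosted image the blast radius is confined to this run, but the narrower option is an `Add-MpPreference -ExclusionPath` for the atomics directory rather than a global disable.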
From 5535540cec1a83bb6a01b1803f574bcac87f2568 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Mon, 13 Sep 2021 09:08:29 -0400 Subject: [PATCH 21/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index ff2563eb..fc8c2c64 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -8,6 +8,7 @@ trigger: pool: vmImage: windows-2019 + demands: Limit -quals DisAbleParallel steps: - task: PowerShell@2 From 58ca17c1dddd7b8f757eaadd3ab3139d885eedd5 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Mon, 13 Sep 2021 09:08:46 -0400 Subject: [PATCH 22/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index fc8c2c64..b4c37dea 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -8,7 +8,7 @@ trigger: pool: vmImage: windows-2019 - demands: Limit -quals DisAbleParallel + demands: Limit -equals DisAbleParallel steps: - task: PowerShell@2 From e092e5a7da5a770d27ebaa1a17284ff7d770e53b Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Mon, 13 Sep 2021 09:39:29 -0400 Subject: [PATCH 23/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 48 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index b4c37dea..065be4c6 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml 
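Review bot: `demands: Limit -equals DisAbleParallel` declares that an agent must advertise a capability named `Limit`, which does not limit how many jobs run concurrently; this commit only corrects the operator spelling that commit 21 introduced, so the underlying intent is still unmet. On a Microsoft-hosted pool (`vmImage: windows-2019` here) a demand on a custom capability cannot be satisfied, so if it is honoured the job waits for an agent that never appears; this is inferred from the pool type and worth confirming against a run. If the goal is to prevent concurrent runs of the pipeline, that belongs in a `dependsOn` chain or an environment check with an exclusive lock rather than in pool demands, and a comment stating what `DisAbleParallel` is meant to achieve would help the next reader either way.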
@@ -66,4 +66,50 @@ steps: targetType: 'inline' script: | Install-PackageProvider -Name Nuget -MinimumVersion 2.8.5.201 -Force - Set-MpPreference -DisableRealtimeMonitoring $true \ No newline at end of file + Set-MpPreference -DisableRealtimeMonitoring $true + + +- task: PowerShell@2 + inputs: + targetType: 'inline' + script: | + # install ART; installing the atomics takes a long while + IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); + Install-AtomicRedTeam -getAtomics -Force + + +- task: PowerShell@2 + inputs: + targetType: 'inline' + script: | + # Clear all sysmon events before invoking ART + + $evtsession = [System.Diagnostics.Eventing.Reader.EventLogSession]::New("localhost") + $evtsession.ClearLog("Microsoft-Windows-Sysmon/Operational") + + +- task: PowerShell@2 + inputs: + targetType: 'inline' + script: | + # then first pull out the windows events at the time + + get-winevent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";} | format-table -wrap | Out-File -FilePath .\beforeTest + +- task: AzurePowerShell@5 + inputs: + ScriptType: 'InlineScript' + Inline: | + # Run specific ART tests + Invoke-AtomicTest T1218.010 -TestNumbers 1,2 + +- task: PowerShell@2 + inputs: + targetType: 'inline' + script: | + # pull events after the ART test(s); then diff + + + get-winevent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";} | format-table -wrap | Out-File -FilePath .\afterTest + compare-object (get-content .\beforeTest) (get-content .\afterTest)| Out-File -FilePath atomicT1218.010_sysmonResults + From 525e285a2d099b4e44a60e4daee6b3d6c7a27e45 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Mon, 13 Sep 2021 09:40:21 -0400 Subject: [PATCH 24/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
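Review bot: The ART install step fetches `install-atomicredteam.ps1` from the `master` branch and passes it straight to `IEX`, so whatever that URL serves at run time executes with the agent's administrator rights with no pinning or integrity check; download it to a file, compare `Get-FileHash` against a pinned value, and only then dot-source it, as sketched below. Nothing in this hunk publishes `atomicT1218.010_sysmonResults`, so unless a publish task exists outside this view the comparison output is discarded with the hosted agent. Diffing `format-table -wrap` text before and after the test is fragile, since wrapping and truncation depend on console width; recording the newest `RecordId` before the test and filtering `Get-WinEvent` on `RecordId` greater than that afterwards would yield the new events directly.
```yaml
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      # install ART; pin the installer to a tag or commit and verify it before running it
      $installerUrl = 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/<PINNED_TAG_OR_COMMIT>/install-atomicredteam.ps1'
      $installer = Join-Path $env:TEMP 'install-atomicredteam.ps1'
      Invoke-WebRequest -Uri $installerUrl -OutFile $installer -UseBasicParsing
      $actual = (Get-FileHash -Algorithm SHA256 -Path $installer).Hash
      if ($actual -ne '<PINNED_SHA256_OF_INSTALLER>') { throw "install-atomicredteam.ps1 hash mismatch: $actual" }
      . $installer
      Install-AtomicRedTeam -getAtomics -Force
# … unchanged: clear-log, before/after event capture and compare steps …
```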
diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 065be4c6..af28f91e 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -96,7 +96,8 @@ steps: get-winevent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";} | format-table -wrap | Out-File -FilePath .\beforeTest -- task: AzurePowerShell@5 + +- task: PowerShell@2 inputs: ScriptType: 'InlineScript' Inline: | From dc2bba783a42169f0d204709200321a9f9e23716 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Mon, 13 Sep 2021 09:41:59 -0400 Subject: [PATCH 25/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index af28f91e..46a039ad 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -99,8 +99,8 @@ steps: - task: PowerShell@2 inputs: - ScriptType: 'InlineScript' - Inline: | + targetType: 'inline' + script: | # Run specific ART tests Invoke-AtomicTest T1218.010 -TestNumbers 1,2 @@ -110,7 +110,6 @@ steps: script: | # pull events after the ART test(s); then diff - get-winevent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";} | format-table -wrap | Out-File -FilePath .\afterTest compare-object (get-content .\beforeTest) (get-content .\afterTest)| Out-File -FilePath atomicT1218.010_sysmonResults From f8853e173d625ffbdd4001d545b835854e9456b6 Mon Sep 17 00:00:00 2001 From: w09rkerbee <85173984+w09rkerbee@users.noreply.github.com> Date: Mon, 13 Sep 2021 22:59:15 -0400 Subject: [PATCH 26/26] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 46a039ad..4470fd74 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml 
@@ -113,3 +113,4 @@ steps: get-winevent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational";} | format-table -wrap | Out-File -FilePath .\afterTest compare-object (get-content .\beforeTest) (get-content .\afterTest)| Out-File -FilePath atomicT1218.010_sysmonResults + \ No newline at end of file