Below is the script I have been working on to install Sysmon through Group Policy, so you do not have to install it on each workstation or server by hand. I hope to make a few more modifications around updating the .xml file, or create a separate script for that. The guide for this should be coming over the next week or two and will tie into our WEF (Windows Event Forwarding) deployment guide. From there we will export the logs from our WEF server to Splunk for easier manipulation of the data. To use the script, just replace <<DOMAIN>> with your domain/file location.
@echo off
REM Sysmon GPO startup script; replace <<DOMAIN>> with your domain / file location.
IF NOT EXIST "C:\sysmon" (mkdir "C:\sysmon" & copy /v "\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon\sysmonconfig-export.xml" "C:\sysmon\sysmonconfig-export.xml")
REM sysmon64.exe installs itself as %SystemRoot%\Sysmon64.exe and registers the service as Sysmon64, so check for that name.
IF EXIST "C:\Windows\Sysmon64.exe" GOTO StartService
:Install
"\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon\sysmon64.exe" -accepteula -i C:\sysmon\sysmonconfig-export.xml
:StartService
net start Sysmon64
EXIT /B 0
The following is a list of helpful user agent strings that I have found useful for blocking bogus requests to your website. Even on an obscure site, you will see these rules block a few thousand attempts every day. The one I see most often is Jorgee. These are vulnerability scanners that still send their default user agent. They are most likely looking for low-hanging fruit, but it is nice to block them anyway. Below is my Wordfence user agent block list, one entry per line, using the equals sign (=) as the delimiter between the pattern and its description. I will be updating this post when I find more, and the new ones will be added at the end.
*Jorgee* = Vulnerability Scanner
*Nikto* = Vulnerability Scanner
*ZmEu* = Vulnerability Scanner
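As an added example (not from the original post and not Wordfence's own code), the following Python applies rules in the same `*pattern* = description` form to constructed access-log lines, so you can count how many requests a rule would have blocked before adding it to Wordfence. It assumes `*` is the only wildcard and that user agents are compared case-insensitively.

```python
import re
from collections import Counter

# Wordfence-style block rules in the "*pattern* = description" form used above.
BLOCK_RULES = """\
*Jorgee* = Vulnerability Scanner
*Nikto* = Vulnerability Scanner
*ZmEu* = Vulnerability Scanner
"""
# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2017:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
192.0.2.11 - - [10/Oct/2017:13:55:37 +0000] "HEAD /phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
192.0.2.12 - - [10/Oct/2017:13:55:38 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
192.0.2.13 - - [10/Oct/2017:13:55:39 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "ZmEu"
not a log line at all
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_rules(text):
    """Compile '*glob* = description' lines; '*' is the only wildcard, the rest is literal.
    Case-insensitive comparison is an assumption, not a documented Wordfence behaviour."""
    rules = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        pattern, _, desc = line.partition("=")
        regex = ".*".join(re.escape(part) for part in pattern.strip().split("*"))
        rules.append((pattern.strip(), re.compile(rf"^{regex}$", re.IGNORECASE), desc.strip()))
    return rules

def classify_log(log_text, rules):
    """Return the blocked requests as (ip, request, ua, description) and a tally per rule."""
    hits, tally = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: not combined log format
        for pattern, regex, desc in rules:
            if regex.match(m["ua"]):
                hits.append((m["ip"], m["request"], m["ua"], desc))
                tally[pattern] += 1
                break  # first matching rule wins, as a block list would
    return hits, tally

if __name__ == "__main__":
    for ip, request, ua, desc in classify_log(SAMPLE_LOG, parse_rules(BLOCK_RULES))[0]:
        print(f"{ip} blocked ({desc}): {request} UA={ua!r}")
```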
Here are some helpful nmap scans for SQL (MySQL), SMTP, SMB, and FTP. These can give you ideas by helping to enumerate the target system. Just replace 192.0.2.0/24 with the target address or range. If a single host is targeted, the --open option can be removed.
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 192.0.2.0/24 -p 3306 --open
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 192.0.2.0/24 --open
nmap -p 139,445 --script smb-v* --script-args=unsafe=1 192.0.2.0/24 --open
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 192.0.2.0/24 --open