#
# deploy-wazuh-windows-agent-suite.ps1
# by Kevin Branch ([email protected])
# with contributions by Ken Fredericksen ([email protected])
#
# Deployment script for Wazuh agent and subagents (by default Sysmon and Osquery).
#
# The agent self-registration process is included, but it will be skipped if an existing working registration can be recycled.
#
# From command shell or PowerShell (Run as Administrator), run this script as follows:
# PowerShell.exe -ExecutionPolicy Bypass -File ./deploy-wazuh-windows-agent-suite.ps1 -WazuhMgr "10.20.30.40" -WazuhRegPass "theRegistrationPW"
#
# This script should work on Windows systems as old as Windows Server 2012 provided PowerShell 5.1 is present. Likely Powershell 5.0 would be OK.
#
# -WazuhVer Full version of Wazuh agent to install, like "3.12.2"
# -WazuhMgr IP or FQDN of the Wazuh manager for ongoing agent connections. Required.
# -WazuhRegMgr IP or FQDN of the Wazuh manager for agent registration connection (defaults to $WazuhMgr if not specified)
# -WazuhRegPass Password for registration with Wazuh manager (put in quotes). Required.
# -WazuhAgentName Name under which to register this agent in place of locally detected Windows host name
# -WazuhGroups Comma-separated list of Wazuh groups to make this agent a member of. No spaces. Put the whole list in quotes. Groups must already exist.
# -WazuhGroups cannot be omitted if using -SkipSysmon or -SkipOsquery.
# -WazuhSrc Static download path to fetch the Wazuh agent installer. Overrides -WazuhVer.
# -SysmonSrc Static download path to fetch Sysmon installer zip file.
# -SysmonDLuser Optional web credentials for downloading Sysmon from -SysmonSrc alternate source, used like "-SysmonDLuser myusername"
# -SysmonDLpass Optional web credentials for downloading Sysmon from -SysmonSrc alternate source, used like "-SysmonDLpass mypassword". Ignored if -SysmonDLuser skipped.
# -SysmonDLhash SHA256 hash of the Sysmon download file for validation. Required if -SysmonSrc is used.
# -SysmonConfSrc Static download path to fetch Sysmon configuration file.
# -SkipSysmon Do not install Sysmon. Completely remove it if present.
# -OsqueryVer Full version of Osquery to install, like "4.2.0"
# -OsquerySrc Static download path to fetch the Osquery agent installer. Overrides -OsqueryVer.
# -SkipOsquery Do not install Osquery. Completely remove it if present.
# -Local Expect all download files already to be present in current directory. Do not use any $...Src parameters with this.
#
# Script parameters. See the header comment for the full meaning of each option.
# Parameters are deliberately left untyped: the validation block that follows relies on an
# omitted parameter being $null (a [string] type would turn it into an empty string instead).
param ( $WazuhVer,                  # full Wazuh agent version, e.g. "3.12.2"; used to build the default $WazuhSrc
$WazuhMgr,                          # manager the agent keeps its ongoing connection to (required)
$WazuhRegMgr,                       # manager used for registration; defaults to $WazuhMgr below
$WazuhRegPass,                      # registration password passed to agent-auth.exe (required)
$WazuhAgentName = $env:computername, # name to register under; defaults to the local host name
$WazuhGroups = "#NOGROUP#",         # sentinel meaning "not specified"; replaced by "" and tracked via $SkippedGroups
$WazuhSrc,                          # explicit Wazuh MSI URL; overrides the version-derived default
$SysmonSrc,                         # alternate Sysmon.zip URL; requires $SysmonDLhash
$SysmonDLuser,                      # optional HTTP Basic user for the alternate Sysmon source
$SysmonDLpass,                      # optional HTTP Basic password; required when $SysmonDLuser is given
$SysmonDLhash,                      # SHA256 of Sysmon.zip; required when $SysmonSrc is given
$SysmonConfSrc = "https://raw.githubusercontent.com/branchnetconsulting/sysmon-config/master/sysmonconfig-export.xml", # Sysmon config seed
[switch]$SkipSysmon=$false,         # do not install Sysmon; remove it if present
$OsqueryVer,                        # full Osquery version, e.g. "4.2.0"; used to build the default $OsquerySrc
$OsquerySrc,                        # explicit Osquery MSI URL; overrides the version-derived default
[switch]$SkipOsquery=$false,        # do not install Osquery; remove it if present
[switch]$Local=$false               # expect all installer files in the current directory; no downloads
);
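# Validate required parameters and derive defaults. Every failed check prints a usage hint and
# exits 1 before anything on the host is touched.
if ($null -eq $WazuhMgr) {
    write-host "Must use '-WazuhMgr' to specify the FQDN or IP of the Wazuh manager to which the agent shall retain a connection."
    exit 1
}
if ($null -eq $WazuhRegPass) {
    write-host "Must use '-WazuhRegPass' to specify the password to use for agent registration."
    exit 1
}
if ($null -eq $WazuhVer) {
    write-host "Must use '-WazuhVer' to specify the target version of Wazuh agent, like 3.13.1."
    exit 1
}
# -OsqueryVer is only needed to build the default download URL, i.e. when Osquery is not skipped
# and no explicit -OsquerySrc was given.
if ( ($null -eq $OsqueryVer) -and ( $SkipOsquery -eq $false ) -and ( $null -eq $OsquerySrc ) ) {
    # Message corrected: it used to repeat the -WazuhRegPass text ("password to use for agent registration").
    write-host "Must use '-OsqueryVer' to specify the target version of Osquery to install, like 4.2.0."
    exit 1
}
# Default Sysmon source is Sysinternals. An alternate source must come with a SHA256 pin, because
# that pin is the only integrity check the downloaded zip gets.
if ($null -eq $SysmonSrc) {
    $SysmonSrc = "https://download.sysinternals.com/files/Sysmon.zip"
} elseif ( $null -eq $SysmonDLhash ) {
    write-host "When specifying -SysmonSrc, the -SysmonDLhash option must also be used to specify the SHA256 hash to verify the Sysmon installer."
    exit 1
}
# Optional HTTP Basic credentials for the alternate Sysmon source.
if ( $null -ne $SysmonDLuser ) {
    if ($null -eq $SysmonDLpass) {
        write-host "When specifying -SysmonDLuser, you must also specify -SysmonDLpass."
        exit 1
    }
    # Both values arrive on the command line, so they are visible in process listings and in any
    # command-line or transcript logging for the life of this script. ASCII encoding means non-ASCII
    # characters in the password would not be transmitted faithfully.
    $pair = "$($SysmonDLuser):$($SysmonDLpass)"
    $encodedCredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
    $headers = @{ Authorization = "Basic $encodedCredentials" }
}
if ($null -eq $WazuhRegMgr) {
    $WazuhRegMgr = $WazuhMgr
}
if ($null -eq $WazuhSrc) {
    $WazuhSrc = "https://packages.wazuh.com/3.x/windows/wazuh-agent-$WazuhVer-1.msi"
}
if ($null -eq $OsquerySrc) {
    $OsquerySrc = "https://pkg.osquery.io/windows/osquery-$OsqueryVer.msi"
}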
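# Refuse to run on PowerShell older than 5.0 (the header notes 5.x is needed; the script relies on
# Install-PackageProvider and Expand-Archive).
# The original test was `!($PSVersionTable.PSVersion.Major) -ge 5`, which negates the version number
# into a boolean before comparing, so it could never fire. Compare the major version directly.
if ( $PSVersionTable.PSVersion.Major -lt 5 ) {
    write-host "PowerShell 5.0 or higher is required by this script."
    exit 1
}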
# "#NOGROUP#" is the sentinel default meaning -WazuhGroups was not supplied. Remember that fact in
# $SkippedGroups (used later to decide whether existing group memberships may be kept) and blank
# the value so it can be concatenated with the standard groups.
$SkippedGroups = [bool]($WazuhGroups -eq "#NOGROUP#")
if ($SkippedGroups) {
    $WazuhGroups = ""
}
# Skipping a subagent changes the standard group set, so the caller must state the groups explicitly.
if ( $SkippedGroups -and (($SkipSysmon -eq $true) -or ($SkipOsquery -eq $true)) ) {
    write-host "-SkipSysmon and -SkipOsquery must always be accompanied with the use of -WazuhGroups."
    exit 1
}
# Blend standard/dynamic groups with custom groups.
# Order is fixed: windows, optional osquery, optional sysmon, org, then whatever the caller passed.
$standardGroups = @("windows", "windows-local")
if ( $SkipOsquery -eq $false ) {
    $standardGroups += @("osquery", "osquery-local")
}
if ( $SkipSysmon -eq $false ) {
    $standardGroups += @("sysmon", "sysmon-local")
}
$standardGroups += "org"
# Trailing commas are stripped so an empty custom list does not leave a dangling separator.
$WazuhGroups = (($standardGroups -join ",") + "," + $WazuhGroups).TrimEnd(",")
# If "-Local" option selected, confirm all required local files are present.
# In -Local mode none of these files is hash-checked (the -SysmonDLhash check only covers downloads),
# so their provenance must be assured by whatever staged them in the current directory.
if ( $Local -eq $true ) {
    $requiredLocalFiles = @("nuget.zip", "wazuh-agent.msi", "Sysmon.zip", "sysmonconfig.xml", "osquery.msi")
    foreach ($requiredFile in $requiredLocalFiles) {
        if ( -not (Test-Path -LiteralPath $requiredFile) ) {
            Write-Output "Option '-Local' specified but no '$requiredFile' file was found in current directory. Giving up and aborting the installation..."
            exit 1
        }
    }
}
# Set https protocol defaults to try stronger TLS first and allow all three forms of TLS.
# TLS 1.0/1.1 remain enabled only as a fallback for old hosts; where every download host still
# negotiates TLS 1.2 (the default package sources do), restricting this to Tls12 removes the
# downgrade surface for the installer downloads below.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls
# Take note if agent is already connected to a Wazuh manager and collect relevant data.
# If the agent is already connected to the same target manager, the agent name has not changed, and the agent group list is exactly the same,
# then the registration will be retained by backing up client.keys now and restoring it after reinstallation of the Wazuh agent, skipping self-registration.
$agentDir = "C:\Program Files (x86)\ossec-agent"
$stateLines = Get-Content "$agentDir\ossec-agent.state" -erroraction 'silentlycontinue'
$mergedLines = Get-Content "$agentDir\shared\merged.mg" -erroraction 'silentlycontinue'
$ALREADY_CONNECTED = $false
if ($stateLines -match "'connected'") {
    $ALREADY_CONNECTED = $true
    # client.keys holds the agent's registration key. The backup lives in the running user's %TEMP%
    # until it is restored after the reinstall.
    Write-Output "Agent currently connected, so saving client.keys to $env:TEMP\client.keys.bnc"
    # Second whitespace-separated field of client.keys is the registered agent name.
    $OLDNAME = (Get-Content "$agentDir\client.keys").Split(" ")[1]
    Remove-Item -Path "$env:TEMP\client.keys.bnc" -erroraction 'silentlycontinue' | out-null
    Copy-Item "$agentDir\client.keys" -Destination "$env:TEMP\client.keys.bnc"
    if ($mergedLines -match "Source\sfile:") {
        # Multi-group agent: merged.mg carries one "<!-- Source file: <group>/agent.conf -->" marker per group.
        $CURR_GROUPS = (Select-String -Path "$agentDir\shared\merged.mg" -Pattern "Source file:" |
            ForEach-Object { $_.Line.Replace("<!-- Source file: ", "").Replace("/agent.conf -->", "") }) -join ','
    } else {
        # If the agent is presently a member of only one agent group, then pull that group name into current group variable.
        $CURR_GROUPS = Select-String -Path "$agentDir\shared\merged.mg" -Pattern "#" |
            ForEach-Object { $_.Line.Replace("#", "") }
    }
}
# NuGet Dependency
# The NuGet package provider is needed so Uninstall-Package can remove the existing Wazuh agent and osquery MSIs later on.
$providerRoot = "C:\Program Files\PackageManagement\ProviderAssemblies"
if ( -not (Test-Path -LiteralPath "$providerRoot\nuget" -PathType Container) ) {
    Write-Output "Installing dependency (NuGet) to be able to uninstall other packages..."
    if ( $Local -eq $false ) {
        # NOTE(review): this changes the working directory for the rest of the script, so the installer
        # files downloaded later land in C:\ only on hosts where NuGet had to be fetched — confirm intended.
        Set-Location c:\
        $attempt = 0
        $success = $false
        do {
            try {
                Install-PackageProvider -Name NuGet -Force
                $success = $true
            } catch {
                # Up to six attempts, 10 seconds apart; abort after the sixth failure.
                if ($attempt -ge 5) {
                    Write-Output "Download attempt still failed. Giving up and aborting the installation..."
                    exit 1
                }
                Write-Output "Download attempt failed. Will retry 10 seconds."
                Start-sleep -Seconds 10
            }
            $attempt++
        } until ($success -or $attempt -eq 6)
    } else {
        # Offline: unpack the locally supplied provider assembly and load it.
        if ( -not (Test-Path -LiteralPath $providerRoot -PathType Container ) ) {
            New-Item -ItemType "directory" -Path $providerRoot
        }
        Microsoft.PowerShell.Archive\Expand-Archive "nuget.zip" -DestinationPath "$providerRoot\"
        Import-PackageProvider -Name NuGet
    }
}
#
# Wazuh Agent
#
# Download Wazuh Agent installer or confirm it is already locally present if "-Local" option specified.
if ( $Local -eq $false ) {
    # Download the correct version of the Wazuh installer MSI.
    # NOTE(review): the MSI is executed without any hash or Authenticode check, so its integrity rests
    # entirely on the TLS connection to $WazuhSrc; consider verifying the signature
    # (Get-AuthenticodeSignature) before installing.
    Write-Output "Downloading $WazuhSrc"
    $attempt = 0
    $success = $false
    do {
        try {
            Invoke-WebRequest -Uri $WazuhSrc -OutFile wazuh-agent.msi
            $success = $true
        } catch {
            if ($attempt -ge 5) {
                Write-Output "Download attempt still failed. Giving up and aborting the installation..."
                exit 1
            }
            Write-Output "Download attempt failed. Will retry 10 seconds."
            Start-sleep -Seconds 10
        }
        $attempt++
    } until ($success -or $attempt -eq 6)
}
# If Wazuh agent already installed, blow it away
if (Test-Path 'C:\Program Files (x86)\ossec-agent\ossec-agent.exe' -PathType leaf) {
    Write-Output "Uninstalling existing Wazuh Agent..."
    # Text-matches the formatted Get-Service listing (presumably the display-name column); fragile if
    # the column layout or service naming changes.
    if ( Get-Service | findstr -i " Wazuh " | findstr -i "Running" ) {
        Write-Output "Stopping current Wazuh Agent service..."
        net stop wazuh
    }
    Uninstall-Package -Name "Wazuh Agent" -erroraction 'silentlycontinue' | out-null
}
# Install Wazuh Agent and then remove the installer file
Write-Output "Installing Wazuh Agent"
# Quiet install. The installer's exit code is not checked here, so a failed install only surfaces
# later when client.keys or the service is missing.
Start-Process -FilePath wazuh-agent.msi -ArgumentList "/q" -Wait -WindowStyle 'Hidden'
if ( $Local -eq $false ) {
    Remove-Item .\wazuh-agent.msi
}
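# If we can safely skip self registration and just restore the backed up client.keys file, then do so. Otherwise, self-register.
# This should keep us from burning through so many agent ID numbers.
# Registration is skipped only when the agent was connected before the reinstall, the agent name is
# unchanged, and either -WazuhGroups was not given or the group list is exactly the same.
$SKIP_REG = $false
# $ALREADY_CONNECTED is assigned as a boolean above; compare it as one rather than against the
# string "yes" (which only worked because a non-empty string coerces to $true).
if ($ALREADY_CONNECTED -eq $true) {
    Write-Output "Agent is presently connected..."
    Write-Output "Current registered agent name is: $OLDNAME and new target name is: $WazuhAgentName"
    if ($WazuhAgentName -eq $OLDNAME) {
        Write-Output "Old and new agent registration names match."
        Write-Output "Current group memberships are: $CURR_GROUPS and new target group memberships are: $WazuhGroups"
        if ($SkippedGroups -eq $false) {
            if ($CURR_GROUPS -eq $WazuhGroups) {
                Write-Output "Old and new agent group memberships match. Will skip self-registration and restore client.keys backup instead."
                $SKIP_REG = $true
            } else {
                Write-Output "Current groups and new target groups do not match."
            }
        } else {
            Write-Output "Skipping group comparison."
            $SKIP_REG = $true
        }
    }
}
if ($SKIP_REG -eq $false) {
    # Register the agent with the manager (keep existing groups if agent connected and -WazuhGroups not specified)
    Write-Output "Registering Wazuh Agent with $WazuhRegMgr..."
    if ( ($SkippedGroups -eq $true) -and ( $ALREADY_CONNECTED -eq $true ) ) {
        $regGroups = $CURR_GROUPS
    } else {
        $regGroups = $WazuhGroups
    }
    # A stale client.keys would make agent-auth reuse it, so remove it before registering.
    Remove-Item 'C:\Program Files (x86)\ossec-agent\client.keys'
    # The registration password is passed as a command-line argument, so it is exposed to process
    # listings and command-line logging for the duration of agent-auth.exe.
    C:\Progra~2\ossec-agent\agent-auth.exe -m "$WazuhRegMgr" -P "$WazuhRegPass" -G "$regGroups" -A "$WazuhAgentName"
    # agent-auth writes client.keys on success; its absence is the failure signal.
    if ( -not (Test-Path 'C:\Program Files (x86)\ossec-agent\client.keys' -PathType leaf) ) {
        Write-Output "Wazuh Agent self-registration failed."
        exit 1
    }
} else {
    Copy-Item "$env:TEMP\client.keys.bnc" -Destination 'C:\Program Files (x86)\ossec-agent\client.keys'
}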
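# Detect Windows version for use in configprofile line of ossec.conf.
# Win32_OperatingSystem.BuildNumber is a string; cast it to [int] so the range clause below compares
# numerically. Without the cast, "9600" -gt 18362 is a string comparison ("9" sorts after "1") and
# every older build was also assigned "Win10or2019" by that clause, since a PowerShell switch runs
# every matching clause and the last assignment wins.
# Builds 14393 and 16299 appeared under both "Win2016" and "Win10or2019" in the original list; the
# later "Win10or2019" assignment was the effective one, so only that value is kept here.
# Adjust if Server 2016 (build 14393) should report "Win2016".
switch ([int](Get-CimInstance Win32_OperatingSystem).BuildNumber)
{
    6001 {$OS = "Win2008"}
    6002 {$OS = "Win2008"}
    6003 {$OS = "Win2008"}
    7600 {$OS = "Win2008, Win2008R2"}
    7601 {$OS = "Win2008, Win2008R2"}
    9200 {$OS = "Win2012"}
    9600 {$OS = "Win2012, Win2012R2"}
    10240 {$OS = "Win10or2019"}
    10586 {$OS = "Win10or2019"}
    14393 {$OS = "Win10or2019"}
    15063 {$OS = "Win10or2019"}
    16299 {$OS = "Win10or2019"}
    17134 {$OS = "Win10or2019"}
    17763 {$OS = "Win10or2019"}
    18362 {$OS = "Win10or2019"}
    18363 {$OS = "Win10or2019"}
    # Any newer build uses the same profile.
    {$_ -gt 18362} {$OS = "Win10or2019"}
    default { $OS = "WindowsUnknown"}
}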
Write-Output "Writing ossec.conf"
# Write the ossec.conf file. The manager address and the detected OS profile are the only
# host-specific values; the rest is fixed (TCP 1514, plain+json logging).
$ossecAgentDir = "C:/Progra~2/ossec-agent"
$ossecConf = @"
<ossec_config>
<client>
<server>
<address>$WazuhMgr</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>$OS</config-profile>
<notify_time>60</notify_time>
<time-reconnect>300</time-reconnect>
<auto_restart>yes</auto_restart>
</client>
<logging>
<log_format>plain,json</log_format>
</logging>
</ossec_config>
"@
$ossecConf | Out-File -FilePath "$ossecAgentDir/ossec.conf" -Encoding ASCII
# Write the local_internal_options.conf file
Write-Output "Writing local_internal_options.conf..."
# These settings enable execution of commands delivered through configuration pushed from the manager
# (the option names say as much). The manager's integrity therefore becomes this host's integrity:
# a compromised or rogue manager could run commands on every agent deployed this way. Drop any of
# the three that the deployment does not need.
$internalOptions = @"
logcollector.remote_commands=1
wazuh_command.remote_commands=1
sca.remote_commands=1
"@
$internalOptions | Out-File -FilePath "$ossecAgentDir/local_internal_options.conf" -Encoding ASCII
#
# Sysmon
#
$sysmonDir = "C:\Program Files (x86)\sysmon-wazuh"
# Create "C:\Program Files (x86)\sysmon-wazuh" directory if missing
if ( -not (Test-Path -LiteralPath $sysmonDir -PathType Container) ) {
    New-Item -Path "C:\Program Files (x86)\" -Name "sysmon-wazuh" -ItemType "directory" | out-null
}
# Download and unzip Sysmon.zip, or unzip it from local directory if "-Local" option specified.
# Sysmon must be acquired locally or via download even if "-SkipSysmon" was specified, so that we can use Sysmon.exe to uninstall Sysmon.
Remove-Item "C:\Progra~2\sysmon-wazuh\*" -Force
if ( $Local -eq $false ) {
    Write-Output "Downloading and unpacking Sysmon installer..."
    $sysmonZip = "$env:TEMP\Sysmon.zip"
    $attempt = 0
    $success = $false
    do {
        try {
            $request = @{ Uri = $SysmonSrc; OutFile = $sysmonZip }
            # -SysmonDLhash is mandatory whenever -SysmonSrc was given (enforced in the parameter checks),
            # so its presence marks the alternate source: only then are the optional Basic-auth headers
            # sent, never to the default Sysinternals URL. Without -SysmonDLuser, $headers is unset and
            # binds as $null, exactly as before.
            if ( $null -ne $SysmonDLhash ) {
                $request.Method = 'Get'
                $request.Headers = $headers
            }
            Invoke-WebRequest @request
            $success = $true
        } catch {
            if ($attempt -ge 5) {
                Write-Output "Download attempt still failed. Giving up and aborting the installation..."
                exit 1
            }
            Write-Output "Download attempt failed. Will retry 10 seconds."
            Start-sleep -Seconds 10
        }
        $attempt++
    } until ($success -or $attempt -eq 6)
    # If a hash was provided then calculate the hash of the downloaded Sysmon.zip and if the hashes don't match then fail.
    # The default Sysinternals download is not pinned (its hash changes with each Sysmon release),
    # so integrity there rests on TLS alone.
    if ( $null -ne $SysmonDLhash ) {
        $SysmonRealHash = (Get-FileHash $sysmonZip -Algorithm SHA256).Hash
        if ( $SysmonDLhash -ne $SysmonRealHash ) {
            Write-Output "The Sysmon verification hash does not match the downloaded $SysmonSrc."
            exit 1
        }
    }
    Microsoft.PowerShell.Archive\Expand-Archive $sysmonZip -DestinationPath $sysmonDir
    Remove-Item $sysmonZip -Force -erroraction 'silentlycontinue'
} else {
    Microsoft.PowerShell.Archive\Expand-Archive "Sysmon.zip" -DestinationPath "$sysmonDir\"
}
if ( $SkipSysmon -eq $false ) {
    $sysmonConfDest = "C:\Program Files (x86)\ossec-agent\shared\sysmonconfig.xml"
    # Download SwiftOnSecurity config file for Sysmon or confirm it is already locally present if "-Local" option specified.
    if ( $Local -eq $false ) {
        # Download the latest SwiftOnSecurity config file for Sysmon and write it to Wazuh agent shared directory.
        # This is only to seed it so that the install process works even if the official and perhaps localized file hasn't propagated down from Wazuh manager yet.
        # The file is fetched without an integrity check; whoever controls $SysmonConfSrc decides what
        # Sysmon records on this host until the manager's copy replaces it.
        Write-Output "Downloading $SysmonConfSrc as sysmonconfig.xml..."
        $attempt = 0
        $success = $false
        do {
            try {
                Invoke-WebRequest -Uri "$SysmonConfSrc" -OutFile $sysmonConfDest
                $success = $true
            } catch {
                # Unlike the other download loops, this one keeps retrying and only aborts once the loop ends.
                Write-Output "Next attempt in 10 seconds"
                Start-sleep -Seconds 10
            }
            $attempt++
        } until ($success -or $attempt -eq 6)
        if (-not $success) {
            exit 1
        }
    } else {
        Copy-Item "sysmonconfig.xml" -Destination "C:\Program Files (x86)\ossec-agent\shared\"
    }
}
#
# If Sysmon is present, attempt to remove it with the Sysmon.exe or Sysmon64.exe that it was actually installed with, moving the original installer to old-Sysmon.exe or old-Sysmon64.exe in c:\progra~2\sysmon-wazuh\
#
$sysmonDrv = "c:\windows\SysmonDrv.sys"
$sysmonPresent = (Test-Path $sysmonDrv -PathType leaf) -or (Test-Path c:\windows\Sysmon.exe -PathType leaf) -or (Test-Path c:\windows\Sysmon64.exe -PathType leaf)
if ( $sysmonPresent ) {
    Write-Output "Removing presently installed Sysmon..."
    # Try the 32-bit binary first, then the 64-bit one, each only while the driver is still registered.
    # The binary is moved out of c:\windows before running it (presumably so the uninstall does not
    # remove it from under us) and parked under sysmon-wazuh afterwards.
    foreach ($exe in @("Sysmon.exe", "Sysmon64.exe")) {
        if ( (Test-Path $sysmonDrv -PathType leaf) -and (Test-Path "c:\windows\$exe" -PathType leaf) ) {
            Move-Item -Path "c:\windows\$exe" -Destination "c:\$exe" -Force
            Start-Process -FilePath "C:\$exe" -ArgumentList "-u" -Wait -WindowStyle 'Hidden'
            if (Test-Path $sysmonDrv -PathType leaf) {
                # Plain -u left the driver behind; retry with force.
                Start-Process -FilePath "C:\$exe" -ArgumentList "-u", "force" -Wait -WindowStyle 'Hidden'
            }
            Move-Item -Path "c:\$exe" -Destination "c:\progra~2\sysmon-wazuh\old-$exe" -Force
        }
    }
    # Fall back to the freshly unpacked Sysmon.exe if the driver is still registered.
    $stagedSysmon = "C:\Progra~2\sysmon-wazuh\Sysmon.exe"
    if (Test-Path $sysmonDrv -PathType leaf) {
        Start-Process -FilePath $stagedSysmon -ArgumentList "-u" -Wait -WindowStyle 'Hidden'
    }
    if (Test-Path $sysmonDrv -PathType leaf) {
        Start-Process -FilePath $stagedSysmon -ArgumentList "-u", "force" -Wait -WindowStyle 'Hidden'
    }
    Write-Output "Waiting 10 more seconds to be sure Sysmon removal process is complete."
    Start-Sleep -Seconds 10
    if ( (Test-Path $sysmonDrv -PathType leaf) -or (Test-Path c:\windows\Sysmon.exe -PathType leaf) -or (Test-Path c:\windows\Sysmon64.exe -PathType leaf) ) {
        Write-Output "Removal of Sysmon failed."
        exit 1
    }
}
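if ( $SkipSysmon -eq $true ) {
    # -SkipSysmon: Sysmon was removed above; drop the staging directory as well.
    Remove-Item "C:\Program Files (x86)\sysmon-wazuh" -recurse -erroraction 'silentlycontinue'
} else {
    Write-Output "Installing Sysmon..."
    # The binary is chosen by the bitness of this PowerShell process, not of the OS: a 32-bit PowerShell
    # on 64-bit Windows installs Sysmon.exe. The config comes from the Wazuh shared directory seeded above.
    If ([Environment]::Is64BitProcess){
        Start-Process -FilePath C:\Progra~2\sysmon-wazuh\Sysmon64.exe -ArgumentList "-i","c:\progra~2\ossec-agent\shared\sysmonconfig.xml","-accepteula" -Wait -WindowStyle 'Hidden'
    }else{
        Start-Process -FilePath C:\Progra~2\sysmon-wazuh\Sysmon.exe -ArgumentList "-i","c:\progra~2\ossec-agent\shared\sysmonconfig.xml","-accepteula" -Wait -WindowStyle 'Hidden'
    }
    # Confirm Sysmon driver is actually loaded. This check only makes sense when Sysmon was just
    # installed: with -SkipSysmon the driver has been removed on purpose, and the previously
    # unconditional check aborted the whole run here with a misleading "Installation of Sysmon failed"
    # before osquery was handled and the Wazuh service restarted.
    if (-not ( fltmc | findstr -i SysmonDrv )) {
        Write-Output "Installation of Sysmon failed. Driver not loaded."
        exit 1
    }
}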
#
# osquery
#
$osquerydExe = "c:\Program Files\osquery\osqueryd\osqueryd.exe"
# Remove osquery if present (making sure wazuh agent is not running before blowing away osquery dir)
if (Test-Path $osquerydExe -PathType leaf) {
    Write-Output "Removing Osquery..."
    if ( Get-Service | findstr -i " Wazuh " | findstr -i "Running" ) {
        net stop wazuh
    }
    Uninstall-Package -Name "osquery" -erroraction 'silentlycontinue' | out-null
    Remove-Item "C:\Progra~1\osquery" -recurse -erroraction 'silentlycontinue'
}
if (Test-Path $osquerydExe -PathType leaf) {
    Write-Output "Failed to remove Osquery."
    exit 1
}
if ( $SkipOsquery -eq $false ) {
    # Download Osquery installer or confirm it is already locally present if "-Local" option specified.
    if ( $Local -eq $false ) {
        # Download the osquery MSI. As with the Wazuh MSI, no hash or signature check is performed
        # before the installer is executed; integrity rests on the TLS connection to $OsquerySrc.
        Write-Output "Downloading $OsquerySrc..."
        $attempt = 0
        $success = $false
        do {
            try {
                Invoke-WebRequest -Uri $OsquerySrc -OutFile osquery.msi
                $success = $true
            } catch {
                if ($attempt -ge 5) {
                    Write-Output "Download attempt still failed. Giving up and aborting the installation..."
                    exit 1
                }
                Write-Output "Download attempt failed. Will retry 10 seconds."
                Start-sleep -Seconds 10
            }
            $attempt++
        } until ($success -or $attempt -eq 6)
    }
    # Install osquery
    Write-Output "Installing Osquery..."
    Start-Process -FilePath osquery.msi -ArgumentList "/q" -Wait -WindowStyle 'Hidden'
    if ( $Local -eq $false ) {
        Remove-Item .\osquery.msi
    }
    # Remove the Windows service that the MSI installed which we do not want
    Write-Output "Removing the osquery Windows service so Wazuh agent can manage it instead..."
    Start-Process -FilePath C:\Progra~1\osquery\osqueryd\osqueryd.exe -ArgumentList "--uninstall" -Wait -WindowStyle 'Hidden'
}
#
# Last Wazuh Agent steps
#
# Start up the Wazuh agent service
Write-Output "Starting up the Wazuh agent..."
net start wazuh
# After 15 seconds confirm agent connected to manager
Write-Output "Pausing for 15 seconds to allow agent to connect to manager..."
Start-Sleep -Seconds 15
# NOTE(review): ossec.log is read in full, so a "Connected to the server" line left over from an
# earlier run (if the log survived the reinstall) would count as success — confirm the uninstall
# resets the log, or restrict the match to entries newer than the service start.
$agentLog = Get-Content "C:\Program Files (x86)\ossec-agent\ossec.log" -erroraction 'silentlycontinue'
if ($agentLog -match "Connected to the server " ) {
    Write-Output "This agent has successfully connected to the Wazuh manager!"
    exit 0
}
Write-Output "This agent FAILED to connect to the Wazuh manager."
exit 1