diff --git a/.gitignore b/.gitignore index 12f9c20..0435294 100755 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,5 @@ Packer/packer_cache/* Packer/packer_build.log Boxes/* .DS_Store +Terraform/*/*.tfstate +Terraform/*/.terraform diff --git a/README.md b/README.md index 4e6f706..9af12cf 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,6 @@ # Detection Lab +DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing. + CircleCI: [![CircleCI](https://circleci.com/gh/clong/DetectionLab/tree/master.svg?style=svg)](https://circleci.com/gh/clong/DetectionLab/tree/master) #### Donate to the project: @@ -221,7 +223,7 @@ Vagrant has been particularly flaky with VMWare and I encountered many issues wh $ docker stop $(docker ps -aq) $ service docker restart $ cd /home/vagrant/kolide-quickstart -$ docker-compose up -d +$ docker-compose start -d ``` --- 
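Review bot: `Terraform/*/*.tfstate` ignores only the live state file; Terraform also writes `terraform.tfstate.backup` beside it, which carries the same resource attributes (and whatever secrets they contain), and that file is not matched by the pattern added here. Widening it to `Terraform/*/*.tfstate*` covers both files in one line. If Terraform directories are ever nested deeper than one level, `Terraform/**/*.tfstate*` would be the more robust form, but the single-level pattern matches what the `.terraform` entry in the same hunk assumes.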
@@ -233,8 +235,14 @@ $ docker-compose up -d --- ## Contributing -Please do all of your development in a feature branch on your own fork of detectionlab. -Requests for tools and features will be reviewed on a case by case basis, but I will always accept fixes and improvements. +Please do all of your development in a feature branch on your own fork of DetectionLab. +Contribution guidelines can be found here: [CONTRIBUTING.md](./CONTRIBUTING.md) + +## In the Media +* [DetectionLab, Chris Long – Paul’s Security Weekly #593](https://securityweekly.com/2019/02/08/detectionlab-chris-long-pauls-security-weekly-593/) +* [TaoSecurity - Trying DetectionLab](https://taosecurity.blogspot.com/2019/01/trying-detectionlab.html) +* [Setting up Chris Long's DetectionLab](https://www.psattack.com/articles/20171218/setting-up-chris-longs-detectionlab/) +* [Detection Lab: Visibility & Introspection for Defenders](https://isc.sans.edu/forums/diary/Detection+Lab+Visibility+Introspection+for+Defenders/23135/) ## Credits/Resources A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment. @@ -257,3 +265,5 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer] * [Autoruns](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082) * [TA-microsoft-sysmon](https://github.com/splunk/TA-microsoft-sysmon) * [SwiftOnSecurity - Sysmon Config](https://github.com/SwiftOnSecurity/sysmon-config) +* [ThreatHunting](https://github.com/olafhartong/ThreatHunting) +* [sysmon-modular](https://github.com/olafhartong/sysmon-modular) 
diff --git a/Terraform/Method1/Method1.md b/Terraform/Method1/README.md similarity index 100% rename from Terraform/Method1/Method1.md rename to Terraform/Method1/README.md diff --git a/Terraform/Terraform.md b/Terraform/README.md similarity index 100% rename from Terraform/Terraform.md rename to Terraform/README.md diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 3be9cd3..69f0b2e 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -1,6 +1,7 @@ #! /bin/bash export DEBIAN_FRONTEND=noninteractive +sed -i 's/archive.ubuntu.com/us.archive.ubuntu.com/g' /etc/apt/sources.list install_mongo_db_apt_key() { # Install key and apt source for MongoDB diff --git a/Vagrant/resources/splunk_server/props.conf b/Vagrant/resources/splunk_server/props.conf index 8fc9895..199cb78 100644 --- a/Vagrant/resources/splunk_server/props.conf +++ b/Vagrant/resources/splunk_server/props.conf @@ -1,14 +1,14 @@ [source::WinEventLog:*] TRANSFORMS-host = wef_computername_as_host -[sourcetype::powershell_transcript] -TRANSFORMS-powershell_rename_host = powershell_rename_host - [powershell_transcript] -BREAK_ONLY_BEFORE = THISREGEXDOESNTEXIST +TRANSFORMS-powershell_rename_host = powershell_rename_host +SHOULD_LINEMERGE = false +LINE_BREAKER = ([\r\n]+)THISDOESNTEXIST DATETIME_CONFIG = NO_BINARY_CHECK = true TIME_FORMAT = %Y%m%d%H%M%S -TIME_PREFIX = Start\stime\:\s +TIME_PREFIX = Start time:\s category = Custom pulldown_type = true +TRUNCATE = 0 diff --git a/Vagrant/resources/splunk_server/transforms.conf b/Vagrant/resources/splunk_server/transforms.conf index 11c7c9e..6d0d43f 100644 --- a/Vagrant/resources/splunk_server/transforms.conf +++ b/Vagrant/resources/splunk_server/transforms.conf @@ -1,7 +1,7 @@ [powershell_rename_host] DEST_KEY = MetaData:Host SOURCE_KEY = MetaData:Source -REGEX = PowerShell_transcript\.([^\S]+)\. +REGEX = PowerShell_transcript\.([^\.]+)\. FORMAT = host::$1 [wef_computername_as_host] 
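Review bot: The `sed` expression added to `Vagrant/bootstrap.sh` matches `archive.ubuntu.com` anywhere in the line with unescaped dots, so it is not idempotent: a second run, or a sources.list that already points at `us.archive.ubuntu.com`, yields `us.us.archive.ubuntu.com` and every later `apt-get update` fails on an unresolvable mirror. Anchoring on the URL separator and escaping the dots avoids that: `sed -i 's#//archive\.ubuntu\.com#//us.archive.ubuntu.com#g' /etc/apt/sources.list`. The same unanchored expression is added to `ci/build_machine_bootstrap.sh` in this commit and needs the same change. Package authenticity is unaffected by the mirror switch either way, since apt still verifies the release signatures.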
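Review bot: `TRUNCATE = 0` at the end of the `[powershell_transcript]` stanza removes the per-event size limit entirely, and together with `SHOULD_LINEMERGE = false` and a `LINE_BREAKER` whose sentinel never matches, a whole transcript file becomes one event of unbounded size; a long interactive session or a looping script then produces events large enough to stall indexing. An explicit upper bound such as `TRUNCATE = 1000000` keeps the file-as-one-event behaviour for normal transcripts while capping the worst case. The never-matching sentinel also deserves a comment in the stanza, e.g. `# Sentinel never matches: each transcript file is indexed as a single event`, since `THISDOESNTEXIST` otherwise reads like a leftover.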
diff --git a/Vagrant/resources/windows/shutup10.cfg b/Vagrant/resources/windows/shutup10.cfg
new file mode 100755
index 0000000..80eabea
--- /dev/null
+++ b/Vagrant/resources/windows/shutup10.cfg
@@ -0,0 +1,128 @@
+############################################################################
+# This file was created with O&O ShutUp10 and can be imported onto another computer.
+#
+# Download the application at https://www.oo-software.com/en/shutup10
+# You can then import the file from within the program.
+#
+# Alternatively you can import it automatically over a command line. Simply use
+# the following parameter:
+# ooshutup10.exe
+
+# Selecting the Option /quiet ends the app right after the import and the user does not
+# get any feedback about the import.
+
+# We are always happy to answer any questions you may have!
+# (c) 2015-2018 O&O Software GmbH, Berlin. https://www.oo-software.com/
+############################################################################
+
+P001 +
+P002 +
+P003 +
+P004 +
+P005 +
+P006 +
+P008 +
+P017 +
+P026 +
+P027 +
+P028 +
+P009 +
+P010 +
+P015 +
+P016 -
+P007 +
+P025 +
+P023 +
+P012 +
+P013 +
+P019 +
+P020 +
+P011 +
+P018 +
+P021 +
+P022 +
+P014 +
+P029 +
+P030 +
+P031 +
+P032 +
+P024 -
+S001 +
+S002 +
+S003 +
+S004 +
+S005 +
+S008 +
+S009 +
+S010 +
+E001 +
+E002 +
+E003 +
+E007 +
+E010 +
+E009 +
+E004 +
+E005 +
+E006 -
+Y001 +
+Y002 +
+Y003 +
+Y004 +
+Y005 +
+Y006 +
+Y007 +
+C012 +
+C002 +
+C004 +
+C005 +
+C006 +
+C007 +
+C008 +
+C009 +
+C010 +
+C011 +
+L001 +
+L002 +
+L003 +
+L004 +
+L005 +
+L006 +
+L007 +
+L008 +
+U001 +
+U002 +
+U003 +
+U004 +
+W001 +
+W002 +
+W003 +
+W011 +
+W004 +
+W005 +
+W010 +
+W009 +
+W006 +
+W007 +
+W008 +
+M006 +
+M011 +
+M010 +
+O003 +
+O001 +
+S012 +
+S013 +
+S014 +
+S011 +
+K001 +
+K002 +
+K005 +
+M001 +
+M002 +
+M003 +
+M004 +
+M005 +
+M012 +
+M013 +
+M014 +
+M015 +
+N001 +
diff --git a/Vagrant/scripts/MakeWindows10GreatAgain.ps1 b/Vagrant/scripts/MakeWindows10GreatAgain.ps1 index 40ff47c..e4b0487 100644 --- a/Vagrant/scripts/MakeWindows10GreatAgain.ps1 +++ b/Vagrant/scripts/MakeWindows10GreatAgain.ps1 @@ -26,3 +26,15 @@ Write-Host "Disabling automatic screen turnoff in order to prevent screen lockin powercfg -change -monitor-timeout-ac 0 powercfg -change -standby-timeout-ac 0 powercfg -change -hibernate-timeout-ac 0 + +# Download and install ShutUp10 +Write-Host "Downloading ShutUp10..." +[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls" +$shutUp10DownloadUrl = "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe" +$shutUp10RepoPath = "C:\Users\vagrant\AppData\Local\Temp\OOSU10.exe" +if (-not (Test-Path $shutUp10RepoPath)) { + Invoke-WebRequest -Uri "$shutUp10DownloadUrl" -OutFile $shutUp10RepoPath + . $shutUp10RepoPath c:\vagrant\resources\windows\shutup10.cfg /quiet /force +} else { + Write-Host "ShutUp10 was already installed. Moving On." +} diff --git a/ci/README.md b/ci/README.md index 8a6dd62..06be005 100644 --- a/ci/README.md +++ b/ci/README.md @@ -74,12 +74,12 @@ The CircleCI worker will evaluate which files have been modified and set environ | v | +----------------+--------------+ Circle Worker | | packer_and_vagrant_changes.sh | -quries for | | vagrant_changes.sh | +queries for | | vagrant_changes.sh | build results | | packer_changes.sh | | +----------------+--------------+ | | | | - | | | + | | | | | | | | diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index e6eda45..8aae779 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -28,6 +28,8 @@ fi echo "Args: $ARGS" +sed -i 's/archive.ubuntu.com/us.archive.ubuntu.com/g' /etc/apt/sources.list + if [[ "$VAGRANT_ONLY" -eq 1 ]] && [[ "$PACKER_ONLY" -eq 1 ]]; then echo "Somehow this build is configured as both packer-only and vagrant-only. This means something has gone horribly wrong." exit 1 
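Review bot: The new block in `MakeWindows10GreatAgain.ps1` downloads `OOSU10.exe` from a third-party host and executes it straight away on the `. $shutUp10RepoPath ... /quiet /force` line with no integrity check, so whatever is served at that URL — or whatever is already sitting at `$shutUp10RepoPath` from an earlier run, since the `Test-Path` branch reuses it — runs with the provisioning user's privileges on every Windows box in the lab. Verifying the Authenticode signature before invoking it (and optionally pinning a known SHA-256 with `Get-FileHash`) makes a tampered or stale binary fail closed. The `SecurityProtocol` assignment a few lines earlier also re-enables TLS 1.0 and 1.1 for the whole session; `[Net.SecurityProtocolType]::Tls12` alone should be sufficient for a current HTTPS endpoint and avoids a downgrade. Invoking the executable with `&` rather than `.` is the conventional call operator and makes the intent clearer.
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# … unchanged: $shutUp10DownloadUrl / $shutUp10RepoPath assignments …
if (-not (Test-Path $shutUp10RepoPath)) {
  Invoke-WebRequest -Uri "$shutUp10DownloadUrl" -OutFile $shutUp10RepoPath
  # Fail closed on an unsigned or tampered download. To pin a vetted release as well,
  # compare (Get-FileHash -Algorithm SHA256 $shutUp10RepoPath).Hash against <EXPECTED_SHA256> (placeholder).
  $sig = Get-AuthenticodeSignature -FilePath $shutUp10RepoPath
  if ($sig.Status -ne 'Valid') {
    Remove-Item -Path $shutUp10RepoPath -Force
    throw "OOSU10.exe failed Authenticode verification ($($sig.Status)); refusing to run it."
  }
  & $shutUp10RepoPath c:\vagrant\resources\windows\shutup10.cfg /quiet /force
} else {
  Write-Host "ShutUp10 was already installed. Moving On."
}
```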
@@ -51,8 +53,8 @@ if [ "$PACKER_ONLY" -eq 0 ]; then # Install Vagrant mkdir /opt/vagrant cd /opt/vagrant || exit 1 - wget https://releases.hashicorp.com/vagrant/2.2.2/vagrant_2.2.2_x86_64.deb - dpkg -i vagrant_2.2.2_x86_64.deb + wget https://releases.hashicorp.com/vagrant/2.2.2/vagrant_2.2.3_x86_64.deb + dpkg -i vagrant_2.2.3_x86_64.deb vagrant plugin install vagrant-reload # Make the Vagrant instances headless
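Review bot: The bumped `wget` URL mixes versions: the directory is still `vagrant/2.2.2/` while the file is `vagrant_2.2.3_x86_64.deb`, so the download will fail and the following `dpkg -i vagrant_2.2.3_x86_64.deb` has no file to install; the path should be `https://releases.hashicorp.com/vagrant/2.2.3/vagrant_2.2.3_x86_64.deb`. Neither `wget` nor `dpkg` has its exit status checked, so the build carries on to `vagrant plugin install` on a missing or broken Vagrant; `wget ... || exit 1` and `dpkg -i ... || exit 1` would match the `cd /opt/vagrant || exit 1` style two lines above. HashiCorp publishes a `SHA256SUMS` file with each release, and checking the .deb against it before `dpkg -i` would make the install fail closed on a corrupted or substituted package. The enclosing `if [ "$PACKER_ONLY" -eq 0 ]` block starts and ends outside this hunk.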