Add ShutUp10, Upgrade Vagrant, Issue 12

.gitignore

@@ -4,3 +4,5 @@ Packer/packer_cache/*
 Packer/packer_build.log
 Boxes/*
 .DS_Store
+Terraform/*/*.tfstate
+Terraform/*/.terraform

README.md

@@ -1,4 +1,6 @@
 # Detection Lab
+DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing.
+
 CircleCI: [![CircleCI](https://circleci.com/gh/clong/DetectionLab/tree/master.svg?style=svg)](https://circleci.com/gh/clong/DetectionLab/tree/master)
 
 #### Donate to the project:
@@ -221,7 +223,7 @@ Vagrant has been particularly flaky with VMWare and I encountered many issues wh
 $ docker stop $(docker ps -aq)
 $ service docker restart
 $ cd /home/vagrant/kolide-quickstart
-$ docker-compose up -d
+$ docker-compose start -d
 ```
 
 ---
@@ -233,8 +235,14 @@ $ docker-compose up -d
 ---
 
 ## Contributing
-Please do all of your development in a feature branch on your own fork of detectionlab.
-Requests for tools and features will be reviewed on a case by case basis, but I will always accept fixes and improvements.
+Please do all of your development in a feature branch on your own fork of DetectionLab.
+Contribution guidelines can be found here: [CONTRIBUTING.md](./CONTRIBUTING.md)
+
+## In the Media
+* [DetectionLab, Chris Long – Paul’s Security Weekly #593](https://securityweekly.com/2019/02/08/detectionlab-chris-long-pauls-security-weekly-593/)
+* [TaoSecurity - Trying DetectionLab](https://taosecurity.blogspot.com/2019/01/trying-detectionlab.html)
+* [Setting up Chris Long's DetectionLab](https://www.psattack.com/articles/20171218/setting-up-chris-longs-detectionlab/)
+* [Detection Lab: Visibility & Introspection for Defenders](https://isc.sans.edu/forums/diary/Detection+Lab+Visibility+Introspection+for+Defenders/23135/)
 
 ## Credits/Resources
 A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
@@ -257,3 +265,5 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer]
 * [Autoruns](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082)
 * [TA-microsoft-sysmon](https://github.com/splunk/TA-microsoft-sysmon)
 * [SwiftOnSecurity - Sysmon Config](https://github.com/SwiftOnSecurity/sysmon-config)
+* [ThreatHunting](https://github.com/olafhartong/ThreatHunting)
+* [sysmon-modular](https://github.com/olafhartong/sysmon-modular)

Vagrant/bootstrap.sh

@@ -1,6 +1,7 @@
 #! /bin/bash
 
 export DEBIAN_FRONTEND=noninteractive
+sed -i 's/archive.ubuntu.com/us.archive.ubuntu.com/g' /etc/apt/sources.list
 
 install_mongo_db_apt_key() {
   # Install key and apt source for MongoDB

Vagrant/resources/splunk_server/props.conf

@@ -1,14 +1,14 @@
 [source::WinEventLog:*]
 TRANSFORMS-host = wef_computername_as_host
 
-[sourcetype::powershell_transcript]
-TRANSFORMS-powershell_rename_host = powershell_rename_host
-
 [powershell_transcript]
-BREAK_ONLY_BEFORE = THISREGEXDOESNTEXIST
+TRANSFORMS-powershell_rename_host = powershell_rename_host
+SHOULD_LINEMERGE = false
+LINE_BREAKER = ([\r\n]+)THISDOESNTEXIST
 DATETIME_CONFIG =
 NO_BINARY_CHECK = true
 TIME_FORMAT = %Y%m%d%H%M%S
-TIME_PREFIX = Start\stime\:\s
+TIME_PREFIX = Start time:\s
 category = Custom
 pulldown_type = true
+TRUNCATE = 0

Vagrant/resources/splunk_server/transforms.conf

@@ -1,7 +1,7 @@
 [powershell_rename_host]
 DEST_KEY = MetaData:Host
 SOURCE_KEY = MetaData:Source
-REGEX = PowerShell_transcript\.([^\S]+)\.
+REGEX = PowerShell_transcript\.([^\.]+)\.
 FORMAT = host::$1
 
 [wef_computername_as_host]

Vagrant/resources/windows/shutup10.cfg

@@ -0,0 +1,128 @@
+############################################################################
+# This file was created with O&O ShutUp10 and can be imported onto another computer. 
+#
+# Download the application at https://www.oo-software.com/en/shutup10
+# You can then import the file from within the program. 
+#
+# Alternatively you can import it automatically over a command line. Simply use
+# the following parameter: 
+# ooshutup10.exe <path to file>
+# 
+# Selecting the Option /quiet ends the app right after the import and the user does not 
+# get any feedback about the import.
+#
+# We are always happy to answer any questions you may have!
+# (c) 2015-2018 O&O Software GmbH, Berlin. https://www.oo-software.com/
+############################################################################
+
+P001	+
+P002	+
+P003	+
+P004	+
+P005	+
+P006	+
+P008	+
+P017	+
+P026	+
+P027	+
+P028	+
+P009	+
+P010	+
+P015	+
+P016	-
+P007	+
+P025	+
+P023	+
+P012	+
+P013	+
+P019	+
+P020	+
+P011	+
+P018	+
+P021	+
+P022	+
+P014	+
+P029	+
+P030	+
+P031	+
+P032	+
+P024	-
+S001	+
+S002	+
+S003	+
+S004	+
+S005	+
+S008	+
+S009	+
+S010	+
+E001	+
+E002	+
+E003	+
+E007	+
+E010	+
+E009	+
+E004	+
+E005	+
+E006	-
+Y001	+
+Y002	+
+Y003	+
+Y004	+
+Y005	+
+Y006	+
+Y007	+
+C012	+
+C002	+
+C004	+
+C005	+
+C006	+
+C007	+
+C008	+
+C009	+
+C010	+
+C011	+
+L001	+
+L002	+
+L003	+
+L004	+
+L005	+
+L006	+
+L007	+
+L008	+
+U001	+
+U002	+
+U003	+
+U004	+
+W001	+
+W002	+
+W003	+
+W011	+
+W004	+
+W005	+
+W010	+
+W009	+
+W006	+
+W007	+
+W008	+
+M006	+
+M011	+
+M010	+
+O003	+
+O001	+
+S012	+
+S013	+
+S014	+
+S011	+
+K001	+
+K002	+
+K005	+
+M001	+
+M002	+
+M003	+
+M004	+
+M005	+
+M012	+
+M013	+
+M014	+
+M015	+
+N001	+

Vagrant/scripts/MakeWindows10GreatAgain.ps1

@@ -26,3 +26,15 @@ Write-Host "Disabling automatic screen turnoff in order to prevent screen lockin
 powercfg -change -monitor-timeout-ac 0
 powercfg -change -standby-timeout-ac 0
 powercfg -change -hibernate-timeout-ac 0
+
+# Download and install ShutUp10
+Write-Host "Downloading ShutUp10..."
+[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
+$shutUp10DownloadUrl = "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
+$shutUp10RepoPath = "C:\Users\vagrant\AppData\Local\Temp\OOSU10.exe"
+if (-not (Test-Path $shutUp10RepoPath)) {
+  Invoke-WebRequest -Uri "$shutUp10DownloadUrl" -OutFile $shutUp10RepoPath
+  . $shutUp10RepoPath c:\vagrant\resources\windows\shutup10.cfg /quiet /force
+} else {
+  Write-Host "ShutUp10 was already installed. Moving On."
+}

ci/README.md

@@ -74,12 +74,12 @@ The CircleCI worker will evaluate which files have been modified and set environ
               |                                     v
               |                    +----------------+--------------+
 Circle Worker |                    | packer_and_vagrant_changes.sh |
-quries for    |                    | vagrant_changes.sh            |
+queries for    |                   | vagrant_changes.sh            |
 build results |                    | packer_changes.sh             |        
               |                    +----------------+--------------+             
               |                                     |
               |                                     |
-              |          |                          |
+              |                                     |
               |                                     |
               |                                     |
               |                                     |

ci/build_machine_bootstrap.sh

@@ -28,6 +28,8 @@ fi
 
 echo "Args: $ARGS"
 
+sed -i 's/archive.ubuntu.com/us.archive.ubuntu.com/g' /etc/apt/sources.list
+
 if [[ "$VAGRANT_ONLY" -eq 1 ]] && [[ "$PACKER_ONLY" -eq 1 ]]; then
   echo "Somehow this build is configured as both packer-only and vagrant-only. This means something has gone horribly wrong."
   exit 1
@@ -51,8 +53,8 @@ if [ "$PACKER_ONLY" -eq 0 ]; then
   # Install Vagrant
   mkdir /opt/vagrant
   cd /opt/vagrant || exit 1
-  wget https://releases.hashicorp.com/vagrant/2.2.2/vagrant_2.2.2_x86_64.deb
-  dpkg -i vagrant_2.2.2_x86_64.deb
+  wget https://releases.hashicorp.com/vagrant/2.2.2/vagrant_2.2.3_x86_64.deb
+  dpkg -i vagrant_2.2.3_x86_64.deb
   vagrant plugin install vagrant-reload
 
   # Make the Vagrant instances headless