diff --git a/Packer/scripts/compact.bat b/Packer/scripts/compact.bat index d67c864..4ab6261 100755 --- a/Packer/scripts/compact.bat +++ b/Packer/scripts/compact.bat @@ -1,39 +1,32 @@ -if "%PACKER_BUILDER_TYPE:~0,6%"=="hyperv" ( - echo "Skip compact steps in Hyper-V build." - goto :eof +if not exist "C:\Windows\Temp\7z1900-x64.msi" ( + powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://www.7-zip.org/a/7z1900-x64.msi', 'C:\Windows\Temp\7z1900-x64.msi')" nul 2>&1 rmdir /S /Q C:\Windows\SoftwareDistribution\Download mkdir C:\Windows\SoftwareDistribution\Download net start wuauserv -if "%PACKER_BUILDER_TYPE%" neq "hyperv-iso" ( - cmd /c C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe --optimize --repeat C: - - cmd /c %SystemRoot%\System32\reg.exe ADD HKCU\Software\Sysinternals\SDelete /v EulaAccepted /t REG_DWORD /d 1 /f - cmd /c C:\Windows\Temp\sdelete.exe -q -z C: -) +cmd /c C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe --optimize --repeat C: +cmd /c %SystemRoot%\System32\reg.exe ADD HKCU\Software\Sysinternals\SDelete /v EulaAccepted /t REG_DWORD /d 1 /f +cmd /c C:\Windows\Temp\sdelete.exe -q -z C: diff --git a/Packer/scripts/vm-guest-tools.bat b/Packer/scripts/vm-guest-tools.bat index 1dc65d7..cacb016 100755 --- a/Packer/scripts/vm-guest-tools.bat +++ b/Packer/scripts/vm-guest-tools.bat 
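Review bot: The 7-Zip installer fetched by the new first lines is written to C:\Windows\Temp and then used without any integrity check; the middle of this hunk is garbled in this view so the msiexec call is not visible, but nothing visible pins a hash or verifies the package's signature. A one-line guard after the download, e.g. `powershell -Command "if ((Get-AuthenticodeSignature 'C:\Windows\Temp\7z1900-x64.msi').Status -ne 'Valid') { exit 1 }" || exit /b 1`, would fail the build on a tampered or truncated download instead of installing it. Separately, both PACKER_BUILDER_TYPE guards are removed, so udefrag and sdelete now run on Hyper-V builds that the old code deliberately skipped; if that is intended, a REM line stating why would stop the next reader from re-adding the guard.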
@@ -1,67 +1,51 @@ -if not exist "C:\Windows\Temp\7z920-x64.msi" ( - powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'https://astuteinternet.dl.sourceforge.net/project/sevenzip/7-Zip/9.20/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi'" NUL -IF ERRORLEVEL 1060 cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\" -sc query vmtools > NUL -IF ERRORLEVEL 1060 ECHO "Unable to install VMware Tools." & exit /b 1 - -rd /Q "C:\Windows\Temp\vmware-tools.tar" -rd /Q "C:\Windows\Temp\windows.iso" +del /Q "C:\Windows\Temp\vmware-tools.tar" +del /Q "C:\Windows\Temp\windows.iso" rd /S /Q "C:\Windows\Temp\VMware" goto :done :virtualbox if exist "C:\Users\vagrant\VBoxGuestAdditions.iso" ( - move /Y C:\Users\vagrant\VBoxGuestAdditions.iso C:\Windows\Temp + move /Y C:\Users\vagrant\VBoxGuestAdditions.iso C:\Windows\Temp ) if not exist "C:\Windows\Temp\VBoxGuestAdditions.iso" ( - powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.2.16/VBoxGuestAdditions_5.2.16.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" /dev/null; then # If which returns a non-zero return code, try to re-install the package @@ -53,9 +53,9 @@ fix_eth1_static_ip() { ifup eth1 ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1) if [ "$ETH1_IP" == "192.168.38.105" ]; then - echo "The static IP has been fixed and set to 192.168.38.105" + echo "[$(date +%H:%M:%S)]: The static IP has been fixed and set to 192.168.38.105" else - echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs." + echo "[$(date +%H:%M:%S)]: Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs." exit 1 fi fi 
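Review bot: The `[$(date +%H:%M:%S)]:` prefix is written out by hand in both new echo lines here and again in the install_golang, install_splunk, install_fleet, download_palantir_osquery_config, install_bro, install_suricata and test_suricata_prerequisites hunks that follow, so the format lives in roughly twenty places and will drift the first time one of them is edited. A single helper defined near the top of the script, `log() { printf '[%s]: %s\n' "$(date +%H:%M:%S)" "$*"; }`, lets each call become `log "The static IP has been fixed and set to 192.168.38.105"` and keeps the prefix in one place. fix_eth1_static_ip starts outside the hunk.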
@@ -63,37 +63,37 @@ fix_eth1_static_ip() { install_golang() { if ! which go > /dev/null; then - echo "Installing Golang v.1.12..." + echo "[$(date +%H:%M:%S)]: Installing Golang v.1.12..." cd /home/vagrant || exit wget --progress=bar:force https://dl.google.com/go/go1.12.linux-amd64.tar.gz tar -C /usr/local -xzf go1.12.linux-amd64.tar.gz mkdir /root/go else - echo "Golang seems to be installed already. Skipping." + echo "[$(date +%H:%M:%S)]: Golang seems to be installed already. Skipping." fi } install_splunk() { # Check if Splunk is already installed if [ -f "/opt/splunk/bin/splunk" ]; then - echo "Splunk is already installed" + echo "[$(date +%H:%M:%S)]: Splunk is already installed" else - echo "Installing Splunk..." + echo "[$(date +%H:%M:%S)]: Installing Splunk..." # Get download.splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below dig @8.8.8.8 download.splunk.com > /dev/null dig @8.8.8.8 splunk.com > /dev/null mkdir splunk # Try to resolve the latest version of Splunk by parsing the HTML on the downloads page - echo "Attempting to autoresolve the latest version of Splunk..." + echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..." LATEST_SPLUNK=$(curl https://www.splunk.com/en_us/download/splunk-enterprise.html | grep -i deb | grep -Eo "data-link=\"................................................................................................................................" | cut -d '"' -f 2) # Sanity check what was returned from the auto-parse attempt if [[ "$(echo $LATEST_SPLUNK | grep -c "^https:")" -eq 1 ]] && [[ "$(echo $LATEST_SPLUNK | grep -c "\.deb$")" -eq 1 ]]; then - echo "The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK" - echo "Attempting to download..." + echo "[$(date +%H:%M:%S)]: The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK" + echo "[$(date +%H:%M:%S)]: Attempting to download..." 
wget --progress=bar:force -P splunk/ "$LATEST_SPLUNK"
 else
- echo "Unable to auto-resolve the latest Splunk version. Falling back to hardcoded URL..."
+ echo "[$(date +%H:%M:%S)]: Unable to auto-resolve the latest Splunk version. Falling back to hardcoded URL..."
 # Download Hardcoded Splunk
 wget --progress=bar:force -O splunk/splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.6&product=splunk&filename=splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb&wget=true'
 fi
@@ -129,11 +129,11 @@ install_splunk() {
 sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
 # Skip Splunk Tour and Change Password Dialog
- echo "Disabling the Splunk tour prompt..."
+ echo "[$(date +%H:%M:%S)]: Disabling the Splunk tour prompt..."
 touch /opt/splunk/etc/.ui_login
 mkdir /opt/splunk/etc/users/admin/search/local
 echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/users/admin/search/local/ui-tour.conf
-
+
 # Enable SSL Login for Splunk
 echo -e "[settings]\nenableSplunkWebSSL = true" > /opt/splunk/etc/system/local/web.conf
 # Reboot Splunk to make changes take effect
@@ -147,9 +147,9 @@ install_splunk() {
 install_fleet() {
 # Install Fleet
 if [ -f "/home/vagrant/kolide-quickstart" ]; then
- echo "Fleet is already installed"
+ echo "[$(date +%H:%M:%S)]: Fleet is already installed"
 else
- echo "Installing Fleet..."
+ echo "[$(date +%H:%M:%S)]: Installing Fleet..."
 echo -e "\n127.0.0.1 kolide" >> /etc/hosts
 echo -e "\n127.0.0.1 logger" >> /etc/hosts
 git clone https://github.com/kolide/kolide-quickstart.git
@@ -168,10 +168,10 @@ install_fleet() {
 download_palantir_osquery_config() {
 if [ -f /home/vagrant/osquery-configuration ]; then
- echo "osquery configs have already been downloaded"
+ echo "[$(date +%H:%M:%S)]: osquery configs have already been downloaded"
 else
 # Import Palantir osquery configs into Fleet
- echo "Downloading Palantir configs..."
+ echo "[$(date +%H:%M:%S)]: Downloading Palantir osquery configs..."
 git clone https://github.com/palantir/osquery-configuration.git
 fi
 }
@@ -198,6 +198,7 @@ import_osquery_config_into_fleet() {
 }
 install_bro() {
+ echo "[$(date +%H:%M:%S)]: Installing Bro..."
 # Environment variables
 NODECFG=/opt/bro/etc/node.cfg
 SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
@@ -279,7 +280,7 @@ install_bro() {
 install_suricata() {
 # Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts
-
+ echo "[$(date +%H:%M:%S)]: Installing Suricata..."
 # Install yq to maniuplate the suricata.yaml inline
 /usr/local/go/bin/go get -u github.com/mikefarah/yq
@@ -344,7 +345,7 @@ install_suricata() {
 test_suricata_prerequisites() {
 for package in suricata crudini
 do
- echo "[TEST] Validating that $package is correctly installed..."
+ echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
 # Loop through each package using dpkg
 if ! dpkg -S $package > /dev/null; then
 # If which returns a non-zero return code, try to re-install the package
@@ -361,7 +362,7 @@ test_suricata_prerequisites() {
 done
 # One-off support for packages which aren't installed via dpkg
- echo "[TEST] Validating that yq is correctly installed..."
+ echo "[$(date +%H:%M:%S)]: [TEST] Validating that yq is correctly installed..."
 # Check if the binary exists
 if ! [ -f /root/go/bin/yq ]; then
 # If it doesn't exist, try to re-install the package
diff --git a/Vagrant/scripts/MakeWindows10GreatAgain.ps1 b/Vagrant/scripts/MakeWindows10GreatAgain.ps1
index e4b0487..e2c5db2 100644
--- a/Vagrant/scripts/MakeWindows10GreatAgain.ps1
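Review bot: The "already been downloaded" branch this hunk re-labels is guarded by `if [ -f /home/vagrant/osquery-configuration ]`, but the else branch populates that path with `git clone`, which creates a directory, so the `-f` (regular file) test is false on every run and the clone is re-attempted instead of the new message ever printing; `-d` matches what the clone produces, assuming the clone lands in /home/vagrant, which the hunk does not show. The change is `if [ -d /home/vagrant/osquery-configuration ]; then`. The same `-f` test guards install_fleet's "Fleet is already installed" branch in the earlier hunk against the kolide-quickstart clone.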
+++ b/Vagrant/scripts/MakeWindows10GreatAgain.ps1
@@ -1,20 +1,20 @@
 # Import the registry keys
-Write-Host "Making Windows 10 Great again"
-Write-Host "Importing registry keys..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Making Windows 10 Great again"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing registry keys..."
 regedit /s a:\MakeWindows10GreatAgain.reg
 # Remove OneDrive from the System
-Write-Host "Removing OneDrive..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing OneDrive..."
 $onedrive = Get-Process onedrive -ErrorAction SilentlyContinue
 if ($onedrive) { taskkill /f /im OneDrive.exe }
 c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
-Write-Host "Running Update-Help..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Running Update-Help..."
 Update-Help -Force -ErrorAction SilentlyContinue
-Write-Host "Removing Microsoft Store and Edge shortcuts from the taskbar..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing Microsoft Store and Edge shortcuts from the taskbar..."
 $appname = "Microsoft Edge"
 ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
 $appname = "Microsoft Store"
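Review bot: The prefix `$('[{0:HH:mm}]' -f (Get-Date))` is pasted into every Write-Host in this hunk and into each of the other .ps1 hunks in this commit, and its format (`[HH:mm]`, no seconds, no trailing colon) differs from the `[HH:MM:SS]:` prefix the bootstrap.sh hunks add, so the Windows and Linux halves of a build log will not line up when read together. A small function each script defines or dot-sources, `function Write-Log { param([string]$Message) Write-Host ("[{0:HH:mm:ss}] {1}" -f (Get-Date), $Message) }`, keeps the format in one place and call sites become `Write-Log "Making Windows 10 Great again"`.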
@@ -22,13 +22,13 @@ $appname = "Microsoft Store"
 $appname = "Mail"
 ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
-Write-Host "Disabling automatic screen turnoff in order to prevent screen locking..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling automatic screen turnoff in order to prevent screen locking..."
 powercfg -change -monitor-timeout-ac 0
 powercfg -change -standby-timeout-ac 0
 powercfg -change -hibernate-timeout-ac 0
 # Download and install ShutUp10
-Write-Host "Downloading ShutUp10..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading ShutUp10..."
 [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
 $shutUp10DownloadUrl = "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
 $shutUp10RepoPath = "C:\Users\vagrant\AppData\Local\Temp\OOSU10.exe"
diff --git a/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1 b/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1
index 5708127..fa0ac69 100644
--- a/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1
+++ b/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1
@@ -1,5 +1,5 @@
 # Purpose: Installs the GPOs for the custom WinEventLog auditing policy.
-Write-Host "Configuring auditing policy GPOS..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Configuring auditing policy GPOs..."
 $GPOName = 'Domain Controllers Enhanced Auditing Policy'
 $OU = "ou=Domain Controllers,dc=windomain,dc=local"
 Write-Host "Importing $GPOName..."
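Review bot: The last context line of the configure-AuditingPolicyGPOs.ps1 hunk, `Write-Host "Importing $GPOName..."` for the Domain Controllers GPO, is left without the timestamp prefix, while the identical lines for the Servers and Workstations GPOs in the next two hunks of that file receive it, so one of the three import messages will look different in the log. The same gap shows in install-choco-extras.ps1, where `Write-Host "Installing Chocolatey"` and `Write-Host "Installing Chocolatey extras..."` stay unprefixed beside the two lines that are changed. Change it to `Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing $GPOName..."`.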
@@ -17,7 +17,7 @@ else
 }
 $GPOName = 'Servers Enhanced Auditing Policy'
 $OU = "ou=Servers,dc=windomain,dc=local"
-Write-Host "Importing $GPOName..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing $GPOName..."
 Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
 $gpLinks = $null
 $gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
@@ -32,8 +32,8 @@ else
 }
 $GPOName = 'Workstations Enhanced Auditing Policy'
-$OU = "ou=Workstations,dc=windomain,dc=local"
-Write-Host "Importing $GPOName..."
+$OU = "ou=Workstations,dc=windomain,dc=local"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing $GPOName..."
 Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
 $gpLinks = $null
 $gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
@@ -46,4 +46,3 @@ else
 {
 Write-Host "GpLink $GPOName already linked on $OU. Moving On."
 }
-
diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1
index cf078d6..8b8022d 100644
--- a/Vagrant/scripts/configure-ou.ps1
+++ b/Vagrant/scripts/configure-ou.ps1
@@ -1,6 +1,6 @@
 # Purpose: Sets up the Server and Workstations OUs
-Write-Host "Checking AD services status..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking AD services status..."
 $svcs = "adws","dns","kdc","netlogon"
 Get-Service -name $svcs -ComputerName localhost | Select Machinename,Name,Status
@@ -11,8 +11,8 @@ Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.102 d
 ping /n 1 dc.windomain.local
 ping /n 1 windomain.local
-Write-Host "Creating Server and Workstation OUs..."
-Write-Host "Creating Servers OU..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Servers OU..."
 if (!([ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")))
 {
@@ -23,7 +23,7 @@ else
 Write-Host "Servers OU already exists. Moving On."
 }
-Write-Host "Creating Workstations OU"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU"
 if (!([ADSI]::Exists("LDAP://OU=Workstations,DC=windomain,DC=local")))
 {
 New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
diff --git a/Vagrant/scripts/configure-powershelllogging.ps1 b/Vagrant/scripts/configure-powershelllogging.ps1
index 213c323..f4a47d2 100755
--- a/Vagrant/scripts/configure-powershelllogging.ps1
+++ b/Vagrant/scripts/configure-powershelllogging.ps1
@@ -1,5 +1,5 @@
 # Purpose: Install the GPO that specifies the WEF collector
-Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
 Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded
 $OU = "ou=Workstations,dc=windomain,dc=local"
 $gPLinks = $null
diff --git a/Vagrant/scripts/configure-pslogstranscriptsshare.ps1 b/Vagrant/scripts/configure-pslogstranscriptsshare.ps1
index e76da63..6a83d46 100755
--- a/Vagrant/scripts/configure-pslogstranscriptsshare.ps1
+++ b/Vagrant/scripts/configure-pslogstranscriptsshare.ps1
@@ -1,6 +1,6 @@
 # Purpose: Configure an SMB share for Powershell transcription logs to be written to
 # Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
-Write-Host "Configuring the Powershell Transcripts Share"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Configuring the Powershell Transcripts Share"
 If (-not (Test-Path c:\pslogs))
 {
 md c:\pslogs
diff --git a/Vagrant/scripts/configure-rdp-user-gpo.ps1 b/Vagrant/scripts/configure-rdp-user-gpo.ps1
index 19a1452..bb28168 100644
--- a/Vagrant/scripts/configure-rdp-user-gpo.ps1
+++ b/Vagrant/scripts/configure-rdp-user-gpo.ps1
@@ -1,5 +1,5 @@
 # Purpose: Install the GPO that allows windomain\vagrant to RDP
-Write-Host "Importing the GPO to allow windomain/vagrant to RDP..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to allow windomain/vagrant to RDP..."
 Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded
 $OU = "ou=Workstations,dc=windomain,dc=local"
diff --git a/Vagrant/scripts/configure-wef-gpo.ps1 b/Vagrant/scripts/configure-wef-gpo.ps1
index c04cde8..f7d1486 100644
--- a/Vagrant/scripts/configure-wef-gpo.ps1
+++ b/Vagrant/scripts/configure-wef-gpo.ps1
@@ -1,9 +1,10 @@
 # Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger
-Write-Host "Importing the GPO to specify the WEF collector"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to specify the WEF collector"
 $GPOName = 'Windows Event Forwarding Server'
 Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
 $gpLinks = $null
 $OU = "OU=Servers,dc=windomain,dc=local"
+
 $gPLinks = Get-ADOrganizationalUnit -Server "dc.windomain.local" -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
 $GPO = Get-GPO -Name $GPOName
 If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
@@ -33,7 +34,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
 Write-Host "GpLink $GPOName already linked on $OU. Moving On."
 }
-Write-Host "Importing the GPO to modify ACLs on Custom Event Channels"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to modify ACLs on Custom Event Channels"
 $GPOName = 'Custom Event Channel Permissions'
 Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
diff --git a/Vagrant/scripts/create-domain.ps1 b/Vagrant/scripts/create-domain.ps1
index 33b8170..0cef2c3 100644
--- a/Vagrant/scripts/create-domain.ps1
+++ b/Vagrant/scripts/create-domain.ps1
@@ -8,11 +8,11 @@ $domain= "windomain.local"
 if ((gwmi win32_computersystem).partofdomain -eq $false) {
- Write-Host 'Installing RSAT tools'
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing RSAT tools"
 Import-Module ServerManager
 Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
- Write-Host 'Creating domain controller'
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating domain controller..."
 # Disable password complexity policy
 secedit /export /cfg C:\secpol.cfg
 (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
@@ -48,13 +48,13 @@ if ((gwmi win32_computersystem).partofdomain -eq $false) {
 $newDNSServers = "127.0.0.1", "8.8.8.8", "4.4.4.4"
 $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -And ($_.IPAddress).StartsWith($subnet) }
 if ($adapters) {
- Write-Host Setting DNS
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting DNS"
 $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
 }
- Write-Host "Setting timezone to UTC"
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC"
 c:\windows\system32\tzutil.exe /s "UTC"
-
- Write-Host "Excluding NAT interface from DNS"
+
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Excluding NAT interface from DNS"
 $nics=Get-WmiObject "Win32_NetworkAdapterConfiguration where IPEnabled='TRUE'" |? { $_.IPAddress[0] -ilike "172.25.*" }
 $dnslistenip=$nics.IPAddress
 $dnslistenip
@@ -74,11 +74,11 @@ if ((gwmi win32_computersystem).partofdomain -eq $false) {
 foreach($RR in $RRs) {
 if ( (Select-Object -InputObject $RR HostName,RecordType -ExpandProperty RecordData).IPv4Address -ilike "10.*")
- {
+ {
 Remove-DnsServerResourceRecord -ZoneName $domain -RRType A -Name "@" -RecordData $RR.RecordData.IPv4Address -Confirm
 }
 }
 Restart-Service DNS
-
+
 }
diff --git a/Vagrant/scripts/download_palantir_osquery.ps1 b/Vagrant/scripts/download_palantir_osquery.ps1
index a699c63..d20c7dd 100644
--- a/Vagrant/scripts/download_palantir_osquery.ps1
+++ b/Vagrant/scripts/download_palantir_osquery.ps1
@@ -1,6 +1,6 @@
 # Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
 # The items from this config file are used later in install-osquery.ps1
-Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading and unzipping the Palantir osquery Repo from Github..."
 $osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
 if (-not (Test-Path $osqueryRepoPath))
@@ -14,4 +14,4 @@ else
 {
 Write-Host "$osqueryRepoPath already exists. Moving On."
 }
-Write-Host "Palantir osquery config download complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir osquery config download complete!"
diff --git a/Vagrant/scripts/download_palantir_wef.ps1 b/Vagrant/scripts/download_palantir_wef.ps1
index 14dade2..a5a3c3c 100644
--- a/Vagrant/scripts/download_palantir_wef.ps1
+++ b/Vagrant/scripts/download_palantir_wef.ps1
@@ -1,6 +1,6 @@
 # Purpose: Downloads and unzips a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
-Write-Host "Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github..."
 $wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip'
@@ -15,4 +15,4 @@ else
 {
 Write-Host "$wefRepoPath already exists. Moving On."
 }
-Write-Host "Palantir WEF download complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir WEF download complete!"
diff --git a/Vagrant/scripts/fix-second-network.ps1 b/Vagrant/scripts/fix-second-network.ps1
index a032d15..4c199cc 100755
--- a/Vagrant/scripts/fix-second-network.ps1
+++ b/Vagrant/scripts/fix-second-network.ps1
@@ -5,6 +5,7 @@ if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
 Write-Host "Nothing to do for other providers than VMware."
 exit 0
 }
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date))"
 Write-Host "Setting IP address and DNS information for the Ethernet1 interface"
 Write-Host "If this step times out, it's because vagrant is connecting to the VM on the wrong interface"
 Write-Host "See https://github.com/clong/DetectionLab/issues/114 for more information"
diff --git a/Vagrant/scripts/install-autorunstowineventlog.ps1 b/Vagrant/scripts/install-autorunstowineventlog.ps1
index c93bc52..693331c 100644
--- a/Vagrant/scripts/install-autorunstowineventlog.ps1
+++ b/Vagrant/scripts/install-autorunstowineventlog.ps1
@@ -1,6 +1,6 @@
 # Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 # TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk
-Write-Host "Installing AutorunsToWinEventLog..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing AutorunsToWinEventLog..."
 If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null) { . c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1
diff --git a/Vagrant/scripts/install-bginfo.ps1 b/Vagrant/scripts/install-bginfo.ps1
index 589c1b0..bb127d3 100755
--- a/Vagrant/scripts/install-bginfo.ps1
+++ b/Vagrant/scripts/install-bginfo.ps1
@@ -1,5 +1,6 @@
 # Installs BGInfo on the host for easy identification
 # Source: https://github.com/StefanScherer/adfs2
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing BGInfo..."
 if (!(Test-Path 'c:\Program Files\sysinternals')) {
 New-Item -Path 'c:\Program Files\sysinternals' -type directory -Force -ErrorAction SilentlyContinue
 }
diff --git a/Vagrant/scripts/install-choco-extras.ps1 b/Vagrant/scripts/install-choco-extras.ps1
index a5d8bbd..5fd4cd3 100644
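Review bot: The added line `Write-Host "$('[{0:HH:mm}]' -f (Get-Date))"` in fix-second-network.ps1 prints a bare timestamp on a line of its own, unlike every other hunk in this commit, which prefixes the timestamp to a message; the following `Write-Host "Setting IP address and DNS information for the Ethernet1 interface"` is the line it belongs to. Drop the added line and change the next one to `Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting IP address and DNS information for the Ethernet1 interface"`.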
--- a/Vagrant/scripts/install-choco-extras.ps1
+++ b/Vagrant/scripts/install-choco-extras.ps1
@@ -1,6 +1,6 @@
 # Purpose: Install additional packages from Chocolatey.
-Write-Host "Installing additional Choco packages..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing additional Choco packages..."
 If (-not (Test-Path "C:\ProgramData\chocolatey")) { Write-Host "Installing Chocolatey"
@@ -13,4 +13,4 @@ Write-Host "Installing Chocolatey extras..."
 choco install -y --limit-output --no-progress wireshark
 choco install -y --limit-output --no-progress winpcap
-Write-Host "Choco addons complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Choco addons complete!"
diff --git a/Vagrant/scripts/install-inputsconf.ps1 b/Vagrant/scripts/install-inputsconf.ps1
index 2dcd282..b061168 100755
--- a/Vagrant/scripts/install-inputsconf.ps1
+++ b/Vagrant/scripts/install-inputsconf.ps1
@@ -1,6 +1,6 @@
 # Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts
-Write-Host "Setting up Splunk Inputs for Sysmon & osquery"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting up Splunk Inputs for Sysmon & osquery"
 $inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
 $currentContent = get-content $inputsPath
@@ -8,22 +8,22 @@ $targetContent = get-content c:\vagrant\resources\splunk_forwarder\inputs.conf if ($currentContent -ne $targetContent) { - Write-Host "Stopping the Splunk forwarder" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Stopping the Splunk forwarder" try { Stop-Service splunkforwarder -ErrorAction Stop } catch { - Write-Host "Failed to stop SplunkForwarder. Trying again..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Failed to stop SplunkForwarder. Trying again..." Set-Location "C:\Program Files\SplunkUniversalForwarder\bin" & ".\splunk.exe" "stop" } - Write-Host "Deleting the default configuration" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Deleting the default configuration" Remove-Item $inputsPath - Write-Host "Copying over the custom configuration" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Copying over the custom configuration" Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath - Write-Host "Starting the Splunk forwarder" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting the Splunk forwarder" Start-Service splunkforwarder } else @@ -34,4 +34,4 @@ If ((Get-Service -name splunkforwarder).Status -ne "Running") { throw "splunkforwarder service was not running." } -Write-Host "Splunk forwarder installation complete!" +Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk forwarder installation complete!" diff --git a/Vagrant/scripts/install-microsoft-ata.ps1 b/Vagrant/scripts/install-microsoft-ata.ps1 index 426972f..a3f1bcc 100644 --- a/Vagrant/scripts/install-microsoft-ata.ps1 +++ b/Vagrant/scripts/install-microsoft-ata.ps1 @@ -28,7 +28,7 @@ public static class SSLValidator { if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center")) { $download = $false - if (-not (Test-Path "$env:temp\$title.iso")) + if (-not (Test-Path "$env:temp\$title.iso")) { Write-Host "$title.iso doesn't exist yet, downloading..." $download = $true 
@@ -40,13 +40,13 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center { Write-Host "$title.iso exists, but has wrong hash, downloading..." $download = $true - } + } } if ($download -eq $true) { Write-Host "Downloading $title..." Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso" - $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash + $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash If (-not ($actualHash -eq $fileHash)) { throw "$title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash" @@ -59,19 +59,19 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center $Install $Mount | Dismount-DiskImage -Confirm:$false $body = get-content "C:\vagrant\resources\microsoft_ata\microsoft-ata-config.json" - + $req = [System.Net.WebRequest]::CreateHttp("https://wef") - try + try { $req.GetResponse() } - catch + catch { # we don't care about errors here, we just want to get the cert ;) } $ThumbPrint = $req.ServicePoint.Certificate.GetCertHashString() $body = $body -replace "{{THUMBPRINT}}", $ThumbPrint - + Invoke-RestMethod -uri https://localhost/api/management/systemProfiles/center -body $body -Method Post -UseBasicParsing -UseDefaultCredentials -ContentType "application/json" } @@ -79,9 +79,9 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center Start-Sleep -Seconds 60 Invoke-Command -computername dc -Credential (new-object pscredential("windomain\vagrant",(ConvertTo-SecureString -AsPlainText -Force -String "vagrant"))) -ScriptBlock { - - Write-Host "[$env:computername] Installing ATA Lightweight gateway..." - + + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Installing ATA Lightweight gateway..." + # Enable web requests to endpoints with invalid SSL certs (like self-signed certs) if (-not("SSLValidator" -as [type])) { add-type -TypeDefinition @" 
@@ -89,13 +89,13 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\ using System.Net; using System.Net.Security; using System.Security.Cryptography.X509Certificates; - + public static class SSLValidator { public static bool ReturnTrue(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; } - + public static RemoteCertificateValidationCallback GetDelegate() { return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue); } @@ -103,7 +103,7 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\ "@ } [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() - + If (-not (Test-Path "$env:temp\gatewaysetup.zip")) { Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant"))) @@ -115,10 +115,10 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\ } if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics")) { - Set-Location "$env:temp\gatewaysetup" + Set-Location "$env:temp\gatewaysetup" Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`"" } - else + else { Write-Host "[$env:computername] ATA Gateway already installed. Moving On." } @@ -144,4 +144,4 @@ Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways If ((Get-Service -name "ATACenter").Status -ne "Running") { throw "MS ATA service was not running." -} \ No newline at end of file +} diff --git a/Vagrant/scripts/install-osquery.ps1 b/Vagrant/scripts/install-osquery.ps1 index 522749b..bc63efb 100755 
--- a/Vagrant/scripts/install-osquery.ps1
+++ b/Vagrant/scripts/install-osquery.ps1
@@ -2,7 +2,7 @@
 # Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
 # If you would like to have osquery run without TLS & Fleet, uncomment line 15 and comment lines 21-30.
-Write-Host "Installing osquery"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing osquery..."
 $packsDir = "c:\programdata\osquery\packs"
 choco install -y --limit-output --no-progress osquery | Out-String # Apparently Out-String makes the process wait
 $service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'"
diff --git a/Vagrant/scripts/install-redteam.ps1 b/Vagrant/scripts/install-redteam.ps1
index d214c0a..fcd2efe 100644
--- a/Vagrant/scripts/install-redteam.ps1
+++ b/Vagrant/scripts/install-redteam.ps1
@@ -1,11 +1,11 @@
 # Purpose: Installs Mimikatz and Powersploit into c:\Tools\Mimikatz. Used to install redteam related tooling.
-Write-Host "Installing Red Team Tooling..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Red Team Tooling..."
 # Windows Defender should be disabled already by O&O ShutUp10
 # Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
-Write-Host "Determining latest release of Mimikatz..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Mimikatz..."
 # GitHub requires TLS 1.2 as of 2/27
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
@@ -22,7 +22,7 @@ else
 }
 # Download and unzip a copy of PowerSploit
-Write-Host "Downloading Powersploit..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Powersploit..."
 # GitHub requires TLS 1.2 as of 2/27
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/dev.zip"
@@ -36,7 +36,7 @@ if (-not (Test-Path $powersploitRepoPath)) {
 }
 # Download and unzip a copy of Atomic Red Team
-Write-Host "Downloading Atomic Red Team..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Atomic Red Team..."
 # GitHub requires TLS 1.2 as of 2/27
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $atomicRedTeamDownloadUrl = "https://github.com/redcanaryco/atomic-red-team/archive/master.zip"
@@ -48,4 +48,4 @@ if (-not (Test-Path $atomicRedTeamRepoPath)) {
 Write-Host "Atomic Red Team was already installed. Moving On."
 }
-Write-Host "Red Team tooling installation complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Red Team tooling installation complete!"
diff --git a/Vagrant/scripts/install-splunkuf.ps1 b/Vagrant/scripts/install-splunkuf.ps1
index ea291e4..6c0cbe5 100755
--- a/Vagrant/scripts/install-splunkuf.ps1
+++ b/Vagrant/scripts/install-splunkuf.ps1
@@ -4,7 +4,7 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"))
 Write-Host "Downloading Splunk Universal Forwarder"
 $msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
- Write-Host "Installing & Starting Splunk"
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing & Starting Splunk"
 (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
 Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
 } Else {
@@ -14,4 +14,4 @@ If ((Get-Service -name splunkforwarder).Status -ne "Running") {
 throw "Splunk forwarder service not running"
 }
-Write-Host "Splunk installation complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk installation complete!"
diff --git a/Vagrant/scripts/install-sysinternals.ps1 b/Vagrant/scripts/install-sysinternals.ps1
index 6d9df52..0ffa5de 100755
--- a/Vagrant/scripts/install-sysinternals.ps1
+++ b/Vagrant/scripts/install-sysinternals.ps1
@@ -1,5 +1,6 @@
 # Purpose: Installs a handful of SysInternals tools on the host into c:\Tools\Sysinternals
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing SysInternals Tooling..."
 $sysinternalsDir = "C:\Tools\Sysinternals"
 $sysmonDir = "C:\ProgramData\Sysmon"
 If(!(test-path $sysinternalsDir)) {
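Review bot: The changed `Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing & Starting Splunk"` is emitted before the `(New-Object System.Net.WebClient).DownloadFile(...)` call on the following line, so its stamp marks the start of the download, not of the install, while the preceding `Write-Host "Downloading Splunk Universal Forwarder"` — the step whose duration a reader most wants to see — was left unstamped. Stamping the download message and moving the install message to just before the `Start-Process -FilePath "c:\windows\system32\msiexec.exe" ...` line would make the two stamps bracket the download time. This is the only hunk in the file where a message and the action it announces are separated by another long-running step.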
@@ -27,31 +28,31 @@ $sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
 # Microsoft likes TLSv1.2 as well
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Write-Host "Downloading Autoruns64.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Autoruns64.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Autoruns64.exe', $autorunsPath)
-Write-Host "Downloading Procmon.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Procmon.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Procmon.exe', $procmonPath)
-Write-Host "Downloading PsExec64.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading PsExec64.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/PsExec64.exe', $psexecPath)
-Write-Host "Downloading procexp64.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading procexp64.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/procexp64.exe', $procexpPath)
-Write-Host "Downloading Sysmon64.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Sysmon64.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe', $sysmonPath)
-Write-Host "Downloading Tcpview.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Tcpview.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Tcpview.exe', $tcpviewPath)
 Copy-Item $sysmonPath $sysmonDir
 # Download Olaf Hartongs Sysmon config
-Write-Host "Downloading Olaf Hartong's Sysmon config..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Olaf Hartong's Sysmon config..."
(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml', "$sysmonConfigPath")
 # Alternative: Download SwiftOnSecurity's Sysmon config
 # Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
 # (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
 # Start Sysmon
-Write-Host "Starting Sysmon..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting Sysmon..."
 Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
-Write-Host "Verifying that the Sysmon service is running..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Verifying that the Sysmon service is running..."
 Start-Sleep 5 # Give the service time to start
 If ((Get-Service -name Sysmon64).Status -ne "Running") {
diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1
index c185d48..fd24a52 100755
--- a/Vagrant/scripts/install-utilities.ps1
+++ b/Vagrant/scripts/install-utilities.ps1
@@ -7,7 +7,7 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) {
 Write-Host "Chocolatey is already installed."
 }
-Write-Host "Installing utilities..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing utilities..."
 If ($(hostname) -eq "win10") {
 # Because the Windows10 start menu sucks
 choco install -y --limit-output --no-progress classic-shell -installArgs ADDLOCAL=ClassicStartMenu
diff --git a/Vagrant/scripts/install-wefsubscriptions.ps1 b/Vagrant/scripts/install-wefsubscriptions.ps1
index 45f6251..7d74e2f 100644
--- a/Vagrant/scripts/install-wefsubscriptions.ps1
+++ b/Vagrant/scripts/install-wefsubscriptions.ps1
@@ -1,31 +1,31 @@
 # Purpose: Imports the custom Windows Event Channel and XML subscriptions on the WEF host
 # Note: This only needs to be installed on the WEF server
-Write-Host "Installing WEF Subscriptions..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing WEF Subscriptions..."
-Write-Host "Copying Custom Event Channels DLL..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Copying Custom Event Channels DLL..."
 if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll")) {
 Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll "$env:windir\system32"
 Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man "$env:windir\system32"
- Write-Host "Installing Custom Event Channels Manifest..."
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Custom Event Channels Manifest..."
 wevtutil im "c:\windows\system32\CustomEventChannels.man"
 Write-Host "Resizing Channels to 4GB..."
 $xml = wevtutil el | select-string -pattern "WEC"
 foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
- Write-Host "Starting the Windows Event Collector Service..."
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting the Windows Event Collector Service..."
 net start wecsvc
- Write-Host "Creating custom event subscriptions..."
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating custom event subscriptions..."
 cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
 cmd /c "for /r %i in (*.xml) do wecutil cs %i"
- Write-Host "Enabling custom event subscriptions..."
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Enabling custom event subscriptions..."
 cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
- Write-Host "Enabling WecUtil Quick Config..."
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Enabling WecUtil Quick Config..."
 wecutil qc /q:true
 } else
diff --git a/Vagrant/scripts/install-windows_ta.ps1 b/Vagrant/scripts/install-windows_ta.ps1
index fead3ea..bcf5d3f 100755
--- a/Vagrant/scripts/install-windows_ta.ps1
+++ b/Vagrant/scripts/install-windows_ta.ps1
@@ -1,7 +1,7 @@
 # Purpose: Installs the Windows Splunk Technial Add-On
 # Note: This only needs to be installed on the WEF server
-Write-Host "Installing the Windows TA for Splunk"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing the Windows TA for Splunk"
 If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
 Write-Host "Windows TA is already installed. Moving on."
@@ -11,7 +11,7 @@ If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_wind
 # Install Windows TA (this only needs to be done on the WEF server)
 $windowstaPath = "C:\vagrant\resources\splunk_forwarder\splunk-add-on-for-microsoft-windows_500.tgz"
 $inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
-Write-Host "Installing the Windows TA"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing the Windows TA"
 Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" -ArgumentList "install app $windowstaPath -auth admin:changeme" -NoNewWindow
 # Create local directory
@@ -19,10 +19,10 @@ New-Item -ItemType Directory -Force -Path "C:\Program Files\SplunkUniversalForwa
 Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath
 # Add a check here to make sure the TA was installed correctly
-Write-Host "Sleeping for 15 seconds"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Sleeping for 15 seconds"
 start-sleep -s 15
 If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
- Write-Host "Windows TA installed successfully."
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows TA installed successfully."
 } Else {
 Write-Host "Something went wrong during installation."
 exit 1
diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1
index 304ace3..70579e4 100755
--- a/Vagrant/scripts/join-domain.ps1
+++ b/Vagrant/scripts/join-domain.ps1
@@ -1,14 +1,14 @@
 # Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
 # Source: https://github.com/StefanScherer/adfs2
-Write-Host 'Join the domain'
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain..."
-Write-Host "First, set DNS to DC to join the domain"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the domain..."
 $newDNSServers = "192.168.38.102"
 $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
 $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
-Write-Host "Now join the domain"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..."
 $hostname = $(hostname)
 $user = "windomain.local\vagrant"
 $pass = ConvertTo-SecureString "vagrant" -AsPlainText -Force
diff --git a/Vagrant/scripts/provision.ps1 b/Vagrant/scripts/provision.ps1
index d27b93d..f5cb1c6 100644
--- a/Vagrant/scripts/provision.ps1
+++ b/Vagrant/scripts/provision.ps1
@@ -4,21 +4,21 @@
 $box = Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -Name "ComputerName"
 $box = $box.ComputerName.ToString().ToLower()
-Write-Host "Setting timezone to UTC"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC..."
 c:\windows\system32\tzutil.exe /s "UTC"
 if ($env:COMPUTERNAME -imatch 'vagrant') {
- Write-Host 'Hostname is still the original one, skip provisioning for reboot'
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hostname is still the original one, skip provisioning for reboot..."
- Write-Host 'Installing bginfo...'
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing bginfo..."
 . c:\vagrant\scripts\install-bginfo.ps1
 Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
 } elseif ((gwmi win32_computersystem).partofdomain -eq $false) {
- Write-Host -fore red "Current domain is set to 'workgroup'. Time to join the domain!"
+ Write-Host -fore red "$('[{0:HH:mm}]' -f (Get-Date)) Current domain is set to 'workgroup'. Time to join the domain!"
 if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
 Write-Host 'Install bginfo'
@@ -39,12 +39,12 @@ if ($env:COMPUTERNAME -imatch 'vagrant') {
 } else {
- Write-Host -fore green "I am domain joined!"
+ Write-Host -fore green "$('[{0:HH:mm}]' -f (Get-Date)) I am domain joined!"
 if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
 Write-Host 'Install bginfo'
 . c:\vagrant\scripts\install-bginfo.ps1
 }
- Write-Host 'Provisioning after joining domain...'
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Provisioning after joining domain..."
 }
diff --git a/img/DetectionLab.png b/img/DetectionLab.png
new file mode 100644
index 0000000..10fb7af
Binary files /dev/null and b/img/DetectionLab.png differ
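Review bot: The stamp in `Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC..."` is evaluated before `c:\windows\system32\tzutil.exe /s "UTC"` runs on the next line, so that one message is printed in whatever zone the base box booted with while every later stamp in this run is UTC; when the provisioning output is lined up against event logs, the first line will appear shifted by the box's original UTC offset. Either emit that message after the tzutil call or make the stamp zone-independent, e.g. `Write-Host "$('[{0:HH:mm:ss}]' -f (Get-Date).ToUniversalTime()) Setting timezone to UTC..."`. In both this hunk and the -39,12 hunk `Write-Host 'Install bginfo'` and the `Write-Host -fore red 'Hint: vagrant reload' $box '--provision'` line were left without the prefix, so this script's output will alternate between stamped and unstamped lines.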