Adding timestamps to scripts, Vagrantfile_prebuilt, logo
This commit is contained in:
Chris Long
@@ -1,14 +1,10 @@
|
||||
if "%PACKER_BUILDER_TYPE:~0,6%"=="hyperv" (
|
||||
echo "Skip compact steps in Hyper-V build."
|
||||
goto :eof
|
||||
if not exist "C:\Windows\Temp\7z1900-x64.msi" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://www.7-zip.org/a/7z1900-x64.msi', 'C:\Windows\Temp\7z1900-x64.msi')" <NUL
|
||||
)
|
||||
if not exist "C:\Windows\Temp\7z920-x64.msi" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
|
||||
)
|
||||
msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
|
||||
msiexec /qb /i C:\Windows\Temp\7z1900-x64.msi
|
||||
|
||||
if not exist "C:\Windows\Temp\ultradefrag.zip" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/project/ultradefrag/stable-release/6.1.0/ultradefrag-portable-6.1.0.bin.amd64.zip', 'C:\Windows\Temp\ultradefrag.zip')" <NUL
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://downloads.sourceforge.net/project/ultradefrag/stable-release/6.1.0/ultradefrag-portable-6.1.0.bin.amd64.zip', 'C:\Windows\Temp\ultradefrag.zip')" <NUL
|
||||
)
|
||||
|
||||
if not exist "C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe" (
|
||||
@@ -16,7 +12,7 @@ if not exist "C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe" (
|
||||
)
|
||||
|
||||
if not exist "C:\Windows\Temp\SDelete.zip" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.sysinternals.com/files/SDelete.zip', 'C:\Windows\Temp\SDelete.zip')" <NUL
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://download.sysinternals.com/files/SDelete.zip', 'C:\Windows\Temp\SDelete.zip')" <NUL
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://vagrantboxes.blob.core.windows.net/box/sdelete/v1.6.1/sdelete.exe', 'C:\Windows\Temp\sdelete.exe')" <NUL
|
||||
)
|
||||
|
||||
@@ -24,16 +20,13 @@ if not exist "C:\Windows\Temp\sdelete.exe" (
|
||||
cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\SDelete.zip -oC:\Windows\Temp"
|
||||
)
|
||||
|
||||
msiexec /qb /x C:\Windows\Temp\7z920-x64.msi
|
||||
msiexec /qb /x C:\Windows\Temp\7z1900-x64.msi
|
||||
|
||||
net stop wuauserv
|
||||
net stop wuauserv 1> nul 2>&1
|
||||
rmdir /S /Q C:\Windows\SoftwareDistribution\Download
|
||||
mkdir C:\Windows\SoftwareDistribution\Download
|
||||
net start wuauserv
|
||||
|
||||
if "%PACKER_BUILDER_TYPE%" neq "hyperv-iso" (
|
||||
cmd /c C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe --optimize --repeat C:
|
||||
|
||||
cmd /c %SystemRoot%\System32\reg.exe ADD HKCU\Software\Sysinternals\SDelete /v EulaAccepted /t REG_DWORD /d 1 /f
|
||||
cmd /c C:\Windows\Temp\sdelete.exe -q -z C:
|
||||
)
|
||||
|
||||
@@ -1,14 +1,13 @@
|
||||
if not exist "C:\Windows\Temp\7z920-x64.msi" (
|
||||
powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'https://astuteinternet.dl.sourceforge.net/project/sevenzip/7-Zip/9.20/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi'" <NUL
|
||||
if not exist "C:\Windows\Temp\7z1900-x64.msi" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://www.7-zip.org/a/7z1900-x64.msi', 'C:\Windows\Temp\7z1900-x64.msi')" <NUL
|
||||
)
|
||||
if not exist "C:\Windows\Temp\7z920-x64.msi" (
|
||||
powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'http://www.7-zip.org/a/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi')" <NUL
|
||||
if not exist "C:\Windows\Temp\7z1900-x64.msi" (
|
||||
powershell -Command "Start-Sleep 5 ; (New-Object System.Net.WebClient).DownloadFile('https://www.7-zip.org/a/7z1900-x64.msi', 'C:\Windows\Temp\7z1900-x64.msi')" <NUL
|
||||
)
|
||||
msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
|
||||
msiexec /qb /i C:\Windows\Temp\7z1900-x64.msi
|
||||
|
||||
if "%PACKER_BUILDER_TYPE%" equ "vmware-iso" goto :vmware
|
||||
if "%PACKER_BUILDER_TYPE%" equ "virtualbox-iso" goto :virtualbox
|
||||
if "%PACKER_BUILDER_TYPE%" equ "parallels-iso" goto :parallels
|
||||
goto :done
|
||||
|
||||
:vmware
|
||||
@@ -18,7 +17,7 @@ if exist "C:\Users\vagrant\windows.iso" (
|
||||
)
|
||||
|
||||
if not exist "C:\Windows\Temp\windows.iso" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://softwareupdate.vmware.com/cds/vmw-desktop/ws/14.1.3/9474260/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://softwareupdate.vmware.com/cds/vmw-desktop/ws/15.0.4/12990004/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL
|
||||
cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\vmware-tools.tar -oC:\Windows\Temp"
|
||||
FOR /r "C:\Windows\Temp" %%a in (VMware-tools-windows-*.iso) DO REN "%%~a" "windows.iso"
|
||||
rd /S /Q "C:\Program Files (x86)\VMWare"
|
||||
@@ -27,13 +26,8 @@ if not exist "C:\Windows\Temp\windows.iso" (
|
||||
cmd /c ""C:\Program Files\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare"
|
||||
cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
|
||||
|
||||
sc query vmtools > NUL
|
||||
IF ERRORLEVEL 1060 cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
|
||||
sc query vmtools > NUL
|
||||
IF ERRORLEVEL 1060 ECHO "Unable to install VMware Tools." & exit /b 1
|
||||
|
||||
rd /Q "C:\Windows\Temp\vmware-tools.tar"
|
||||
rd /Q "C:\Windows\Temp\windows.iso"
|
||||
del /Q "C:\Windows\Temp\vmware-tools.tar"
|
||||
del /Q "C:\Windows\Temp\windows.iso"
|
||||
rd /S /Q "C:\Windows\Temp\VMware"
|
||||
goto :done
|
||||
|
||||
@@ -44,24 +38,14 @@ if exist "C:\Users\vagrant\VBoxGuestAdditions.iso" (
|
||||
)
|
||||
|
||||
if not exist "C:\Windows\Temp\VBoxGuestAdditions.iso" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.2.16/VBoxGuestAdditions_5.2.16.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://download.virtualbox.org/virtualbox/5.2.26/VBoxGuestAdditions_5.2.26.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
|
||||
)
|
||||
|
||||
cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\VBoxGuestAdditions.iso -oC:\Windows\Temp\virtualbox"
|
||||
certutil -addstore -f "TrustedPublisher" C:\Windows\Temp\virtualbox\cert\vbox-sha256-r3.cer
|
||||
certutil -addstore -f "TrustedPublisher" C:\Windows\Temp\virtualbox\cert\vbox-sha256.cer
|
||||
certutil -addstore -f "TrustedPublisher" C:\Windows\Temp\virtualbox\cert\vbox-sha1.cer
|
||||
cmd /c for %%i in (C:\Windows\Temp\virtualbox\cert\vbox*.cer) do C:\Windows\Temp\virtualbox\cert\VBoxCertUtil add-trusted-publisher %%i --root %%i
|
||||
cmd /c C:\Windows\Temp\virtualbox\VBoxWindowsAdditions.exe /S
|
||||
rd /S /Q "C:\Windows\Temp\virtualbox"
|
||||
goto :done
|
||||
|
||||
:parallels
|
||||
if exist "C:\Users\vagrant\prl-tools-win.iso" (
|
||||
move /Y C:\Users\vagrant\prl-tools-win.iso C:\Windows\Temp
|
||||
cmd /C "C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\prl-tools-win.iso -oC:\Windows\Temp\parallels
|
||||
cmd /C C:\Windows\Temp\parallels\PTAgent.exe /install_silent
|
||||
rd /S /Q "C:\Windows\Temp\parallels"
|
||||
)
|
||||
|
||||
:done
|
||||
msiexec /qb /x C:\Windows\Temp\7z920-x64.msi
|
||||
msiexec /qb /x C:\Windows\Temp\7z1900-x64.msi
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
|
||||
# Detection Lab
|
||||
DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing.
|
||||
|
||||
|
||||
120
Vagrant/Vagrantfile_Prebuilt
Normal file
120
Vagrant/Vagrantfile_Prebuilt
Normal file
@@ -0,0 +1,120 @@
|
||||
Vagrant.configure("2") do |config|
|
||||
|
||||
config.vm.define "logger" do |cfg|
|
||||
cfg.vm.box = "bento/ubuntu-16.04"
|
||||
cfg.vm.hostname = "logger"
|
||||
config.vm.provision :shell, path: "bootstrap.sh"
|
||||
cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
v.vmx["displayname"] = "logger"
|
||||
v.memory = 4096
|
||||
v.cpus = 2
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.name = "logger"
|
||||
vb.customize ["modifyvm", :id, "--memory", 4096]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 2]
|
||||
vb.customize ["modifyvm", :id, "--vram", "32"]
|
||||
vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
|
||||
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
|
||||
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
|
||||
end
|
||||
end
|
||||
|
||||
config.vm.define "dc" do |cfg|
|
||||
cfg.vm.box = "detectionlab/dc-prebuilt"
|
||||
cfg.vm.hostname = "dc"
|
||||
cfg.vm.boot_timeout = 600
|
||||
cfg.winrm.transport = :plaintext
|
||||
cfg.vm.communicator = "winrm"
|
||||
cfg.winrm.basic_auth_only = true
|
||||
cfg.winrm.timeout = 300
|
||||
cfg.winrm.retry_limit = 20
|
||||
cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1"
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
v.vmx["displayname"] = "dc.windomain.local"
|
||||
v.memory = 3072
|
||||
v.cpus = 2
|
||||
v.gui = true
|
||||
v.enable_vmrun_ip_lookup = false
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.name = "dc.windomain.local"
|
||||
vb.default_nic_type = "82545EM"
|
||||
vb.customize ["modifyvm", :id, "--memory", 3072]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 2]
|
||||
vb.customize ["modifyvm", :id, "--vram", "32"]
|
||||
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
|
||||
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
|
||||
end
|
||||
end
|
||||
|
||||
config.vm.define "wef" do |cfg|
|
||||
cfg.vm.box = "detectionlab/wef-prebuilt"
|
||||
cfg.vm.hostname = "wef"
|
||||
cfg.vm.boot_timeout = 600
|
||||
cfg.vm.communicator = "winrm"
|
||||
cfg.winrm.basic_auth_only = true
|
||||
cfg.winrm.timeout = 300
|
||||
cfg.winrm.retry_limit = 20
|
||||
cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
v.vmx["displayname"] = "wef.windomain.local"
|
||||
v.memory = 2048
|
||||
v.cpus = 2
|
||||
v.gui = true
|
||||
v.enable_vmrun_ip_lookup = false
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.name = "wef.windomain.local"
|
||||
vb.default_nic_type = "82545EM"
|
||||
vb.customize ["modifyvm", :id, "--memory", 2048]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 2]
|
||||
vb.customize ["modifyvm", :id, "--vram", "32"]
|
||||
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
|
||||
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
|
||||
end
|
||||
end
|
||||
|
||||
config.vm.define "win10" do |cfg|
|
||||
cfg.vm.box = "detectionlab/win10-prebuilt"
|
||||
cfg.vm.hostname = "win10"
|
||||
cfg.vm.boot_timeout = 600
|
||||
cfg.vm.communicator = "winrm"
|
||||
cfg.winrm.basic_auth_only = true
|
||||
cfg.winrm.timeout = 300
|
||||
cfg.winrm.retry_limit = 20
|
||||
cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
v.vmx["displayname"] = "win10.windomain.local"
|
||||
v.vmx["gui.fullscreenatpoweron"] = "FALSE"
|
||||
v.vmx["gui.viewModeAtPowerOn"] = "windowed"
|
||||
v.memory = 2048
|
||||
v.cpus = 1
|
||||
v.gui = true
|
||||
v.enable_vmrun_ip_lookup = false
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.name = "win10.windomain.local"
|
||||
vb.default_nic_type = "82545EM"
|
||||
vb.customize ["modifyvm", :id, "--memory", 2048]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 1]
|
||||
vb.customize ["modifyvm", :id, "--vram", "32"]
|
||||
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
|
||||
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -9,17 +9,17 @@ apt_install_prerequisites() {
|
||||
# Add repository for apt-fast
|
||||
add-apt-repository -y ppa:apt-fast/stable
|
||||
# Install prerequisites and useful tools
|
||||
echo "Running apt-get update..."
|
||||
echo "[$(date +%H:%M:%S)]: Running apt-get update..."
|
||||
apt-get -qq update
|
||||
apt-get -qq install -y apt-fast
|
||||
echo "Running apt-fast install..."
|
||||
echo "[$(date +%H:%M:%S)]: Running apt-fast install..."
|
||||
apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip
|
||||
}
|
||||
|
||||
test_prerequisites() {
|
||||
for package in jq whois build-essential git docker docker-compose unzip
|
||||
do
|
||||
echo "[TEST] Validating that $package is correctly installed..."
|
||||
echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
|
||||
# Loop through each package using dpkg
|
||||
if ! dpkg -S $package > /dev/null; then
|
||||
# If which returns a non-zero return code, try to re-install the package
|
||||
@@ -53,9 +53,9 @@ fix_eth1_static_ip() {
|
||||
ifup eth1
|
||||
ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
|
||||
if [ "$ETH1_IP" == "192.168.38.105" ]; then
|
||||
echo "The static IP has been fixed and set to 192.168.38.105"
|
||||
echo "[$(date +%H:%M:%S)]: The static IP has been fixed and set to 192.168.38.105"
|
||||
else
|
||||
echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
|
||||
echo "[$(date +%H:%M:%S)]: Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
@@ -63,37 +63,37 @@ fix_eth1_static_ip() {
|
||||
|
||||
install_golang() {
|
||||
if ! which go > /dev/null; then
|
||||
echo "Installing Golang v.1.12..."
|
||||
echo "[$(date +%H:%M:%S)]: Installing Golang v.1.12..."
|
||||
cd /home/vagrant || exit
|
||||
wget --progress=bar:force https://dl.google.com/go/go1.12.linux-amd64.tar.gz
|
||||
tar -C /usr/local -xzf go1.12.linux-amd64.tar.gz
|
||||
mkdir /root/go
|
||||
else
|
||||
echo "Golang seems to be installed already. Skipping."
|
||||
echo "[$(date +%H:%M:%S)]: Golang seems to be installed already. Skipping."
|
||||
fi
|
||||
}
|
||||
|
||||
install_splunk() {
|
||||
# Check if Splunk is already installed
|
||||
if [ -f "/opt/splunk/bin/splunk" ]; then
|
||||
echo "Splunk is already installed"
|
||||
echo "[$(date +%H:%M:%S)]: Splunk is already installed"
|
||||
else
|
||||
echo "Installing Splunk..."
|
||||
echo "[$(date +%H:%M:%S)]: Installing Splunk..."
|
||||
# Get download.splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
|
||||
dig @8.8.8.8 download.splunk.com > /dev/null
|
||||
dig @8.8.8.8 splunk.com > /dev/null
|
||||
mkdir splunk
|
||||
|
||||
# Try to resolve the latest version of Splunk by parsing the HTML on the downloads page
|
||||
echo "Attempting to autoresolve the latest version of Splunk..."
|
||||
echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..."
|
||||
LATEST_SPLUNK=$(curl https://www.splunk.com/en_us/download/splunk-enterprise.html | grep -i deb | grep -Eo "data-link=\"................................................................................................................................" | cut -d '"' -f 2)
|
||||
# Sanity check what was returned from the auto-parse attempt
|
||||
if [[ "$(echo $LATEST_SPLUNK | grep -c "^https:")" -eq 1 ]] && [[ "$(echo $LATEST_SPLUNK | grep -c "\.deb$")" -eq 1 ]]; then
|
||||
echo "The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK"
|
||||
echo "Attempting to download..."
|
||||
echo "[$(date +%H:%M:%S)]: The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK"
|
||||
echo "[$(date +%H:%M:%S)]: Attempting to download..."
|
||||
wget --progress=bar:force -P splunk/ "$LATEST_SPLUNK"
|
||||
else
|
||||
echo "Unable to auto-resolve the latest Splunk version. Falling back to hardcoded URL..."
|
||||
echo "[$(date +%H:%M:%S)]: Unable to auto-resolve the latest Splunk version. Falling back to hardcoded URL..."
|
||||
# Download Hardcoded Splunk
|
||||
wget --progress=bar:force -O splunk/splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.6&product=splunk&filename=splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb&wget=true'
|
||||
fi
|
||||
@@ -129,7 +129,7 @@ install_splunk() {
|
||||
sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
|
||||
|
||||
# Skip Splunk Tour and Change Password Dialog
|
||||
echo "Disabling the Splunk tour prompt..."
|
||||
echo "[$(date +%H:%M:%S)]: Disabling the Splunk tour prompt..."
|
||||
touch /opt/splunk/etc/.ui_login
|
||||
mkdir /opt/splunk/etc/users/admin/search/local
|
||||
echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/users/admin/search/local/ui-tour.conf
|
||||
@@ -147,9 +147,9 @@ install_splunk() {
|
||||
install_fleet() {
|
||||
# Install Fleet
|
||||
if [ -f "/home/vagrant/kolide-quickstart" ]; then
|
||||
echo "Fleet is already installed"
|
||||
echo "[$(date +%H:%M:%S)]: Fleet is already installed"
|
||||
else
|
||||
echo "Installing Fleet..."
|
||||
echo "[$(date +%H:%M:%S)]: Installing Fleet..."
|
||||
echo -e "\n127.0.0.1 kolide" >> /etc/hosts
|
||||
echo -e "\n127.0.0.1 logger" >> /etc/hosts
|
||||
git clone https://github.com/kolide/kolide-quickstart.git
|
||||
@@ -168,10 +168,10 @@ install_fleet() {
|
||||
|
||||
download_palantir_osquery_config() {
|
||||
if [ -f /home/vagrant/osquery-configuration ]; then
|
||||
echo "osquery configs have already been downloaded"
|
||||
echo "[$(date +%H:%M:%S)]: osquery configs have already been downloaded"
|
||||
else
|
||||
# Import Palantir osquery configs into Fleet
|
||||
echo "Downloading Palantir configs..."
|
||||
echo "[$(date +%H:%M:%S)]: Downloading Palantir osquery configs..."
|
||||
git clone https://github.com/palantir/osquery-configuration.git
|
||||
fi
|
||||
}
|
||||
@@ -198,6 +198,7 @@ import_osquery_config_into_fleet() {
|
||||
}
|
||||
|
||||
install_bro() {
|
||||
echo "[$(date +%H:%M:%S)]: Installing Bro..."
|
||||
# Environment variables
|
||||
NODECFG=/opt/bro/etc/node.cfg
|
||||
SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
|
||||
@@ -279,7 +280,7 @@ install_bro() {
|
||||
|
||||
install_suricata() {
|
||||
# Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts
|
||||
|
||||
echo "[$(date +%H:%M:%S)]: Installing Suricata..."
|
||||
# Install yq to maniuplate the suricata.yaml inline
|
||||
/usr/local/go/bin/go get -u github.com/mikefarah/yq
|
||||
|
||||
@@ -344,7 +345,7 @@ install_suricata() {
|
||||
test_suricata_prerequisites() {
|
||||
for package in suricata crudini
|
||||
do
|
||||
echo "[TEST] Validating that $package is correctly installed..."
|
||||
echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
|
||||
# Loop through each package using dpkg
|
||||
if ! dpkg -S $package > /dev/null; then
|
||||
# If which returns a non-zero return code, try to re-install the package
|
||||
@@ -361,7 +362,7 @@ test_suricata_prerequisites() {
|
||||
done
|
||||
|
||||
# One-off support for packages which aren't installed via dpkg
|
||||
echo "[TEST] Validating that yq is correctly installed..."
|
||||
echo "[$(date +%H:%M:%S)]: [TEST] Validating that yq is correctly installed..."
|
||||
# Check if the binary exists
|
||||
if ! [ -f /root/go/bin/yq ]; then
|
||||
# If it doesn't exist, try to re-install the package
|
||||
|
||||
@@ -1,20 +1,20 @@
|
||||
# Import the registry keys
|
||||
Write-Host "Making Windows 10 Great again"
|
||||
Write-Host "Importing registry keys..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Making Windows 10 Great again"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing registry keys..."
|
||||
regedit /s a:\MakeWindows10GreatAgain.reg
|
||||
|
||||
# Remove OneDrive from the System
|
||||
Write-Host "Removing OneDrive..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing OneDrive..."
|
||||
$onedrive = Get-Process onedrive -ErrorAction SilentlyContinue
|
||||
if ($onedrive) {
|
||||
taskkill /f /im OneDrive.exe
|
||||
}
|
||||
c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
|
||||
|
||||
Write-Host "Running Update-Help..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Running Update-Help..."
|
||||
Update-Help -Force -ErrorAction SilentlyContinue
|
||||
|
||||
Write-Host "Removing Microsoft Store and Edge shortcuts from the taskbar..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing Microsoft Store and Edge shortcuts from the taskbar..."
|
||||
$appname = "Microsoft Edge"
|
||||
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
|
||||
$appname = "Microsoft Store"
|
||||
@@ -22,13 +22,13 @@ $appname = "Microsoft Store"
|
||||
$appname = "Mail"
|
||||
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
|
||||
|
||||
Write-Host "Disabling automatic screen turnoff in order to prevent screen locking..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling automatic screen turnoff in order to prevent screen locking..."
|
||||
powercfg -change -monitor-timeout-ac 0
|
||||
powercfg -change -standby-timeout-ac 0
|
||||
powercfg -change -hibernate-timeout-ac 0
|
||||
|
||||
# Download and install ShutUp10
|
||||
Write-Host "Downloading ShutUp10..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading ShutUp10..."
|
||||
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
|
||||
$shutUp10DownloadUrl = "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
|
||||
$shutUp10RepoPath = "C:\Users\vagrant\AppData\Local\Temp\OOSU10.exe"
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# Purpose: Installs the GPOs for the custom WinEventLog auditing policy.
|
||||
Write-Host "Configuring auditing policy GPOS..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Configuring auditing policy GPOs..."
|
||||
$GPOName = 'Domain Controllers Enhanced Auditing Policy'
|
||||
$OU = "ou=Domain Controllers,dc=windomain,dc=local"
|
||||
Write-Host "Importing $GPOName..."
|
||||
@@ -17,7 +17,7 @@ else
|
||||
}
|
||||
$GPOName = 'Servers Enhanced Auditing Policy'
|
||||
$OU = "ou=Servers,dc=windomain,dc=local"
|
||||
Write-Host "Importing $GPOName..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing $GPOName..."
|
||||
Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
|
||||
$gpLinks = $null
|
||||
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
|
||||
@@ -33,7 +33,7 @@ else
|
||||
|
||||
$GPOName = 'Workstations Enhanced Auditing Policy'
|
||||
$OU = "ou=Workstations,dc=windomain,dc=local"
|
||||
Write-Host "Importing $GPOName..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing $GPOName..."
|
||||
Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
|
||||
$gpLinks = $null
|
||||
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
|
||||
@@ -46,4 +46,3 @@ else
|
||||
{
|
||||
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
|
||||
}
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Purpose: Sets up the Server and Workstations OUs
|
||||
|
||||
Write-Host "Checking AD services status..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking AD services status..."
|
||||
$svcs = "adws","dns","kdc","netlogon"
|
||||
Get-Service -name $svcs -ComputerName localhost | Select Machinename,Name,Status
|
||||
|
||||
@@ -11,8 +11,8 @@ Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.102 d
|
||||
ping /n 1 dc.windomain.local
|
||||
ping /n 1 windomain.local
|
||||
|
||||
Write-Host "Creating Server and Workstation OUs..."
|
||||
Write-Host "Creating Servers OU..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Servers OU..."
|
||||
|
||||
if (!([ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")))
|
||||
{
|
||||
@@ -23,7 +23,7 @@ else
|
||||
Write-Host "Servers OU already exists. Moving On."
|
||||
}
|
||||
|
||||
Write-Host "Creating Workstations OU"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU"
|
||||
if (!([ADSI]::Exists("LDAP://OU=Workstations,DC=windomain,DC=local")))
|
||||
{
|
||||
New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# Purpose: Install the GPO that specifies the WEF collector
|
||||
Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
|
||||
Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded
|
||||
$OU = "ou=Workstations,dc=windomain,dc=local"
|
||||
$gPLinks = $null
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Purpose: Configure an SMB share for Powershell transcription logs to be written to
|
||||
# Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
|
||||
Write-Host "Configuring the Powershell Transcripts Share"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Configuring the Powershell Transcripts Share"
|
||||
If (-not (Test-Path c:\pslogs))
|
||||
{
|
||||
md c:\pslogs
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# Purpose: Install the GPO that allows windomain\vagrant to RDP
|
||||
Write-Host "Importing the GPO to allow windomain/vagrant to RDP..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to allow windomain/vagrant to RDP..."
|
||||
Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded
|
||||
|
||||
$OU = "ou=Workstations,dc=windomain,dc=local"
|
||||
|
||||
@@ -1,9 +1,10 @@
|
||||
# Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger
|
||||
Write-Host "Importing the GPO to specify the WEF collector"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to specify the WEF collector"
|
||||
$GPOName = 'Windows Event Forwarding Server'
|
||||
Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
|
||||
$gpLinks = $null
|
||||
$OU = "OU=Servers,dc=windomain,dc=local"
|
||||
|
||||
$gPLinks = Get-ADOrganizationalUnit -Server "dc.windomain.local" -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
|
||||
$GPO = Get-GPO -Name $GPOName
|
||||
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
|
||||
@@ -33,7 +34,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
|
||||
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
|
||||
}
|
||||
|
||||
Write-Host "Importing the GPO to modify ACLs on Custom Event Channels"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to modify ACLs on Custom Event Channels"
|
||||
|
||||
$GPOName = 'Custom Event Channel Permissions'
|
||||
Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
|
||||
|
||||
@@ -8,11 +8,11 @@ $domain= "windomain.local"
|
||||
|
||||
if ((gwmi win32_computersystem).partofdomain -eq $false) {
|
||||
|
||||
Write-Host 'Installing RSAT tools'
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing RSAT tools"
|
||||
Import-Module ServerManager
|
||||
Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
|
||||
|
||||
Write-Host 'Creating domain controller'
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating domain controller..."
|
||||
# Disable password complexity policy
|
||||
secedit /export /cfg C:\secpol.cfg
|
||||
(gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
|
||||
@@ -48,13 +48,13 @@ if ((gwmi win32_computersystem).partofdomain -eq $false) {
|
||||
$newDNSServers = "127.0.0.1", "8.8.8.8", "4.4.4.4"
|
||||
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -And ($_.IPAddress).StartsWith($subnet) }
|
||||
if ($adapters) {
|
||||
Write-Host Setting DNS
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting DNS"
|
||||
$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
|
||||
}
|
||||
Write-Host "Setting timezone to UTC"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC"
|
||||
c:\windows\system32\tzutil.exe /s "UTC"
|
||||
|
||||
Write-Host "Excluding NAT interface from DNS"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Excluding NAT interface from DNS"
|
||||
$nics=Get-WmiObject "Win32_NetworkAdapterConfiguration where IPEnabled='TRUE'" |? { $_.IPAddress[0] -ilike "172.25.*" }
|
||||
$dnslistenip=$nics.IPAddress
|
||||
$dnslistenip
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
|
||||
# The items from this config file are used later in install-osquery.ps1
|
||||
Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading and unzipping the Palantir osquery Repo from Github..."
|
||||
|
||||
$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
|
||||
if (-not (Test-Path $osqueryRepoPath))
|
||||
@@ -14,4 +14,4 @@ else
|
||||
{
|
||||
Write-Host "$osqueryRepoPath already exists. Moving On."
|
||||
}
|
||||
Write-Host "Palantir osquery config download complete!"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir osquery config download complete!"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Purpose: Downloads and unzips a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
|
||||
|
||||
Write-Host "Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github..."
|
||||
|
||||
$wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip'
|
||||
|
||||
@@ -15,4 +15,4 @@ else
|
||||
{
|
||||
Write-Host "$wefRepoPath already exists. Moving On."
|
||||
}
|
||||
Write-Host "Palantir WEF download complete!"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir WEF download complete!"
|
||||
|
||||
@@ -5,6 +5,7 @@ if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
|
||||
Write-Host "Nothing to do for other providers than VMware."
|
||||
exit 0
|
||||
}
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date))"
|
||||
Write-Host "Setting IP address and DNS information for the Ethernet1 interface"
|
||||
Write-Host "If this step times out, it's because vagrant is connecting to the VM on the wrong interface"
|
||||
Write-Host "See https://github.com/clong/DetectionLab/issues/114 for more information"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
|
||||
# TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk
|
||||
Write-Host "Installing AutorunsToWinEventLog..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing AutorunsToWinEventLog..."
|
||||
If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
|
||||
{
|
||||
. c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
# Installs BGInfo on the host for easy identification
|
||||
# Source: https://github.com/StefanScherer/adfs2
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing BGInfo..."
|
||||
if (!(Test-Path 'c:\Program Files\sysinternals')) {
|
||||
New-Item -Path 'c:\Program Files\sysinternals' -type directory -Force -ErrorAction SilentlyContinue
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Purpose: Install additional packages from Chocolatey.
|
||||
|
||||
Write-Host "Installing additional Choco packages..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing additional Choco packages..."
|
||||
|
||||
If (-not (Test-Path "C:\ProgramData\chocolatey")) {
|
||||
Write-Host "Installing Chocolatey"
|
||||
@@ -13,4 +13,4 @@ Write-Host "Installing Chocolatey extras..."
|
||||
choco install -y --limit-output --no-progress wireshark
|
||||
choco install -y --limit-output --no-progress winpcap
|
||||
|
||||
Write-Host "Choco addons complete!"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Choco addons complete!"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts
|
||||
|
||||
Write-Host "Setting up Splunk Inputs for Sysmon & osquery"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting up Splunk Inputs for Sysmon & osquery"
|
||||
|
||||
$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
|
||||
$currentContent = get-content $inputsPath
|
||||
@@ -8,22 +8,22 @@ $targetContent = get-content c:\vagrant\resources\splunk_forwarder\inputs.conf
|
||||
|
||||
if ($currentContent -ne $targetContent)
|
||||
{
|
||||
Write-Host "Stopping the Splunk forwarder"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Stopping the Splunk forwarder"
|
||||
try {
|
||||
Stop-Service splunkforwarder -ErrorAction Stop
|
||||
} catch {
|
||||
Write-Host "Failed to stop SplunkForwarder. Trying again..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Failed to stop SplunkForwarder. Trying again..."
|
||||
Set-Location "C:\Program Files\SplunkUniversalForwarder\bin"
|
||||
& ".\splunk.exe" "stop"
|
||||
}
|
||||
|
||||
Write-Host "Deleting the default configuration"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Deleting the default configuration"
|
||||
Remove-Item $inputsPath
|
||||
|
||||
Write-Host "Copying over the custom configuration"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Copying over the custom configuration"
|
||||
Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
|
||||
|
||||
Write-Host "Starting the Splunk forwarder"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting the Splunk forwarder"
|
||||
Start-Service splunkforwarder
|
||||
}
|
||||
else
|
||||
@@ -34,4 +34,4 @@ If ((Get-Service -name splunkforwarder).Status -ne "Running")
|
||||
{
|
||||
throw "splunkforwarder service was not running."
|
||||
}
|
||||
Write-Host "Splunk forwarder installation complete!"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk forwarder installation complete!"
|
||||
|
||||
@@ -80,7 +80,7 @@ Start-Sleep -Seconds 60
|
||||
|
||||
Invoke-Command -computername dc -Credential (new-object pscredential("windomain\vagrant",(ConvertTo-SecureString -AsPlainText -Force -String "vagrant"))) -ScriptBlock {
|
||||
|
||||
Write-Host "[$env:computername] Installing ATA Lightweight gateway..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Installing ATA Lightweight gateway..."
|
||||
|
||||
# Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
|
||||
if (-not("SSLValidator" -as [type])) {
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
# Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
|
||||
# If you would like to have osquery run without TLS & Fleet, uncomment line 15 and comment lines 21-30.
|
||||
|
||||
Write-Host "Installing osquery"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing osquery..."
|
||||
$packsDir = "c:\programdata\osquery\packs"
|
||||
choco install -y --limit-output --no-progress osquery | Out-String # Apparently Out-String makes the process wait
|
||||
$service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'"
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
# Purpose: Installs Mimikatz and Powersploit into c:\Tools\Mimikatz. Used to install redteam related tooling.
|
||||
|
||||
Write-Host "Installing Red Team Tooling..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Red Team Tooling..."
|
||||
|
||||
# Windows Defender should be disabled already by O&O ShutUp10
|
||||
|
||||
# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
|
||||
Write-Host "Determining latest release of Mimikatz..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Mimikatz..."
|
||||
# GitHub requires TLS 1.2 as of 2/27
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
|
||||
@@ -22,7 +22,7 @@ else
|
||||
}
|
||||
|
||||
# Download and unzip a copy of PowerSploit
|
||||
Write-Host "Downloading Powersploit..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Powersploit..."
|
||||
# GitHub requires TLS 1.2 as of 2/27
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/dev.zip"
|
||||
@@ -36,7 +36,7 @@ if (-not (Test-Path $powersploitRepoPath)) {
|
||||
}
|
||||
|
||||
# Download and unzip a copy of Atomic Red Team
|
||||
Write-Host "Downloading Atomic Red Team..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Atomic Red Team..."
|
||||
# GitHub requires TLS 1.2 as of 2/27
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
$atomicRedTeamDownloadUrl = "https://github.com/redcanaryco/atomic-red-team/archive/master.zip"
|
||||
@@ -48,4 +48,4 @@ if (-not (Test-Path $atomicRedTeamRepoPath)) {
|
||||
Write-Host "Atomic Red Team was already installed. Moving On."
|
||||
}
|
||||
|
||||
Write-Host "Red Team tooling installation complete!"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Red Team tooling installation complete!"
|
||||
|
||||
@@ -4,7 +4,7 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"))
|
||||
Write-Host "Downloading Splunk Universal Forwarder"
|
||||
$msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
|
||||
|
||||
Write-Host "Installing & Starting Splunk"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing & Starting Splunk"
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
|
||||
Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
|
||||
} Else {
|
||||
@@ -14,4 +14,4 @@ If ((Get-Service -name splunkforwarder).Status -ne "Running")
|
||||
{
|
||||
throw "Splunk forwarder service not running"
|
||||
}
|
||||
Write-Host "Splunk installation complete!"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk installation complete!"
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
# Purpose: Installs a handful of SysInternals tools on the host into c:\Tools\Sysinternals
|
||||
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing SysInternals Tooling..."
|
||||
$sysinternalsDir = "C:\Tools\Sysinternals"
|
||||
$sysmonDir = "C:\ProgramData\Sysmon"
|
||||
If(!(test-path $sysinternalsDir)) {
|
||||
@@ -27,31 +28,31 @@ $sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
|
||||
|
||||
# Microsoft likes TLSv1.2 as well
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
Write-Host "Downloading Autoruns64.exe..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Autoruns64.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Autoruns64.exe', $autorunsPath)
|
||||
Write-Host "Downloading Procmon.exe..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Procmon.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Procmon.exe', $procmonPath)
|
||||
Write-Host "Downloading PsExec64.exe..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading PsExec64.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/PsExec64.exe', $psexecPath)
|
||||
Write-Host "Downloading procexp64.exe..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading procexp64.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/procexp64.exe', $procexpPath)
|
||||
Write-Host "Downloading Sysmon64.exe..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Sysmon64.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe', $sysmonPath)
|
||||
Write-Host "Downloading Tcpview.exe..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Tcpview.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Tcpview.exe', $tcpviewPath)
|
||||
Copy-Item $sysmonPath $sysmonDir
|
||||
|
||||
# Download Olaf Hartongs Sysmon config
|
||||
Write-Host "Downloading Olaf Hartong's Sysmon config..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Olaf Hartong's Sysmon config..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml', "$sysmonConfigPath")
|
||||
# Alternative: Download SwiftOnSecurity's Sysmon config
|
||||
# Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
|
||||
# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
|
||||
|
||||
# Start Sysmon
|
||||
Write-Host "Starting Sysmon..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting Sysmon..."
|
||||
Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
|
||||
Write-Host "Verifying that the Sysmon service is running..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Verifying that the Sysmon service is running..."
|
||||
Start-Sleep 5 # Give the service time to start
|
||||
If ((Get-Service -name Sysmon64).Status -ne "Running")
|
||||
{
|
||||
|
||||
@@ -7,7 +7,7 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) {
|
||||
Write-Host "Chocolatey is already installed."
|
||||
}
|
||||
|
||||
Write-Host "Installing utilities..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing utilities..."
|
||||
If ($(hostname) -eq "win10") {
|
||||
# Because the Windows10 start menu sucks
|
||||
choco install -y --limit-output --no-progress classic-shell -installArgs ADDLOCAL=ClassicStartMenu
|
||||
|
||||
@@ -1,31 +1,31 @@
|
||||
# Purpose: Imports the custom Windows Event Channel and XML subscriptions on the WEF host
|
||||
# Note: This only needs to be installed on the WEF server
|
||||
|
||||
Write-Host "Installing WEF Subscriptions..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing WEF Subscriptions..."
|
||||
|
||||
Write-Host "Copying Custom Event Channels DLL..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Copying Custom Event Channels DLL..."
|
||||
if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll"))
|
||||
{
|
||||
Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll "$env:windir\system32"
|
||||
Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man "$env:windir\system32"
|
||||
|
||||
Write-Host "Installing Custom Event Channels Manifest..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Custom Event Channels Manifest..."
|
||||
wevtutil im "c:\windows\system32\CustomEventChannels.man"
|
||||
Write-Host "Resizing Channels to 4GB..."
|
||||
$xml = wevtutil el | select-string -pattern "WEC"
|
||||
foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
|
||||
|
||||
Write-Host "Starting the Windows Event Collector Service..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting the Windows Event Collector Service..."
|
||||
net start wecsvc
|
||||
|
||||
Write-Host "Creating custom event subscriptions..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating custom event subscriptions..."
|
||||
cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
|
||||
cmd /c "for /r %i in (*.xml) do wecutil cs %i"
|
||||
|
||||
Write-Host "Enabling custom event subscriptions..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Enabling custom event subscriptions..."
|
||||
cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
|
||||
|
||||
Write-Host "Enabling WecUtil Quick Config..."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Enabling WecUtil Quick Config..."
|
||||
wecutil qc /q:true
|
||||
}
|
||||
else
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Purpose: Installs the Windows Splunk Technial Add-On
|
||||
# Note: This only needs to be installed on the WEF server
|
||||
|
||||
Write-Host "Installing the Windows TA for Splunk"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing the Windows TA for Splunk"
|
||||
|
||||
If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
|
||||
Write-Host "Windows TA is already installed. Moving on."
|
||||
@@ -11,7 +11,7 @@ If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_wind
|
||||
# Install Windows TA (this only needs to be done on the WEF server)
|
||||
$windowstaPath = "C:\vagrant\resources\splunk_forwarder\splunk-add-on-for-microsoft-windows_500.tgz"
|
||||
$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
|
||||
Write-Host "Installing the Windows TA"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing the Windows TA"
|
||||
Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" -ArgumentList "install app $windowstaPath -auth admin:changeme" -NoNewWindow
|
||||
|
||||
# Create local directory
|
||||
@@ -19,10 +19,10 @@ New-Item -ItemType Directory -Force -Path "C:\Program Files\SplunkUniversalForwa
|
||||
Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath
|
||||
|
||||
# Add a check here to make sure the TA was installed correctly
|
||||
Write-Host "Sleeping for 15 seconds"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Sleeping for 15 seconds"
|
||||
start-sleep -s 15
|
||||
If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
|
||||
Write-Host "Windows TA installed successfully."
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows TA installed successfully."
|
||||
} Else {
|
||||
Write-Host "Something went wrong during installation."
|
||||
exit 1
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
# Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
|
||||
# Source: https://github.com/StefanScherer/adfs2
|
||||
|
||||
Write-Host 'Join the domain'
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain..."
|
||||
|
||||
Write-Host "First, set DNS to DC to join the domain"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the domain..."
|
||||
$newDNSServers = "192.168.38.102"
|
||||
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
|
||||
$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
|
||||
|
||||
Write-Host "Now join the domain"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..."
|
||||
$hostname = $(hostname)
|
||||
$user = "windomain.local\vagrant"
|
||||
$pass = ConvertTo-SecureString "vagrant" -AsPlainText -Force
|
||||
|
||||
@@ -4,21 +4,21 @@
|
||||
$box = Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -Name "ComputerName"
|
||||
$box = $box.ComputerName.ToString().ToLower()
|
||||
|
||||
Write-Host "Setting timezone to UTC"
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC..."
|
||||
c:\windows\system32\tzutil.exe /s "UTC"
|
||||
|
||||
if ($env:COMPUTERNAME -imatch 'vagrant') {
|
||||
|
||||
Write-Host 'Hostname is still the original one, skip provisioning for reboot'
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hostname is still the original one, skip provisioning for reboot..."
|
||||
|
||||
Write-Host 'Installing bginfo...'
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing bginfo..."
|
||||
. c:\vagrant\scripts\install-bginfo.ps1
|
||||
|
||||
Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
|
||||
|
||||
} elseif ((gwmi win32_computersystem).partofdomain -eq $false) {
|
||||
|
||||
Write-Host -fore red "Current domain is set to 'workgroup'. Time to join the domain!"
|
||||
Write-Host -fore red "$('[{0:HH:mm}]' -f (Get-Date)) Current domain is set to 'workgroup'. Time to join the domain!"
|
||||
|
||||
if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
|
||||
Write-Host 'Install bginfo'
|
||||
@@ -39,12 +39,12 @@ if ($env:COMPUTERNAME -imatch 'vagrant') {
|
||||
|
||||
} else {
|
||||
|
||||
Write-Host -fore green "I am domain joined!"
|
||||
Write-Host -fore green "$('[{0:HH:mm}]' -f (Get-Date)) I am domain joined!"
|
||||
|
||||
if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
|
||||
Write-Host 'Install bginfo'
|
||||
. c:\vagrant\scripts\install-bginfo.ps1
|
||||
}
|
||||
|
||||
Write-Host 'Provisioning after joining domain...'
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Provisioning after joining domain..."
|
||||
}
|
||||
|
||||
BIN
img/DetectionLab.png
Normal file
BIN
img/DetectionLab.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 104 KiB |
Reference in New Issue
Block a user