From 614af67405c234849818a634175275f40835a303 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 27 Apr 2019 21:05:23 -0700 Subject: [PATCH 1/6] Update to Caldera 2.0, reduce verbosity --- README.md | 4 +- Vagrant/Vagrantfile_Minimum | 54 +++------------- Vagrant/bootstrap.sh | 63 ++++++++++--------- Vagrant/resources/caldera/caldera.service | 6 +- Vagrant/resources/windows/MenuSettings.xml | 5 ++ .../resources/windows/classic_shell_win7.reg | 4 -- Vagrant/scripts/install-caldera-agent.ps1 | 2 + Vagrant/scripts/install-choco-extras.ps1 | 4 +- Vagrant/scripts/install-utilities.ps1 | 10 +-- .../packer_and_vagrant_changes.sh | 18 +++--- ci/circle_workflows/packer_changes.sh | 28 ++++----- ci/circle_workflows/vagrant_changes.sh | 6 +- 12 files changed, 85 insertions(+), 119 deletions(-) create mode 100755 Vagrant/resources/windows/MenuSettings.xml delete mode 100644 Vagrant/resources/windows/classic_shell_win7.reg diff --git a/README.md b/README.md index e0c51a1..adcf420 100644 --- a/README.md +++ b/README.md @@ -122,9 +122,9 @@ Vagrant commands must be run from the "Vagrant" folder. ## Lab Information * Domain Name: windomain.local * Admininstrator login: vagrant:vagrant -* Fleet login: https://192.168.38.105:8412 - admin@detectionlab.network:admin123# +* Fleet login: https://192.168.38.105:8412 - admin@:admin123# * Splunk login: https://192.168.38.105:8000 - admin:changeme -* Caldera login: https://192.168.38.105:8888 - admin:caldera +* Caldera login: https://192.168.38.105:8888 - admin:admin * MS ATA login: https://192.168.38.103 - wef\vagrant:vagrant ## Lab Hosts diff --git a/Vagrant/Vagrantfile_Minimum b/Vagrant/Vagrantfile_Minimum index 2054745..62f3557 100644 --- a/Vagrant/Vagrantfile_Minimum +++ b/Vagrant/Vagrantfile_Minimum 
@@ -6,13 +6,6 @@ Vagrant.configure("2") do |config| config.vm.provision :shell, path: "bootstrap.sh" cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8" - cfg.vm.provider "vmware_fusion" do |v, override| - v.vmx["displayname"] = "logger" - v.memory = 2048 - v.cpus = 1 - v.gui = true - end - cfg.vm.provider "vmware_desktop" do |v, override| v.vmx["displayname"] = "logger" v.memory = 4096 @@ -33,13 +26,9 @@ Vagrant.configure("2") do |config| end config.vm.define "dc" do |cfg| - cfg.vm.box = "../Boxes/windows_2016_virtualbox.box" + cfg.vm.box = "detectionlab/win2016" cfg.vm.hostname = "dc" cfg.vm.boot_timeout = 600 - # use the plaintext WinRM transport and force it to use basic authentication. - # NB this is needed because the default negotiate transport stops working - # after the domain controller is installed. - # see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4 cfg.winrm.transport = :plaintext cfg.vm.communicator = "winrm" cfg.winrm.basic_auth_only = true 
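Review bot: `cfg.vm.box = "detectionlab/win2016"` replaces a local box file with a Vagrant Cloud box but sets no `cfg.vm.box_version`, so each `vagrant up` pulls whichever box version is newest at that moment and a box republish silently changes the lab's contents and the patch level its detections were tuned against; pin it right under the box line, e.g. `cfg.vm.box_version = "<pinned box version>"`. The same applies to the `wef` box switch in the next hunk and the `win10` switch two hunks on. Separately, the four-line comment removed above `cfg.winrm.transport = :plaintext` was the only explanation of why plaintext/basic WinRM is still configured; the settings survive, so keep one line such as `# plaintext + basic auth: the default negotiate transport stops working once the DC is promoted`. The enclosing `Vagrant.configure` block begins and ends outside this hunk.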
@@ -63,22 +52,14 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: false + cfg.vm.provision "shell", path: "scripts/configure-rdp-user-gpo.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false - cfg.vm.provider "vmware_fusion" do |v, override| - override.vm.box = "../Boxes/windows_2016_vmware.box" - v.vmx["displayname"] = "dc.windomain.local" - v.memory = 2560 - v.cpus = 2 - v.gui = true - end - cfg.vm.provider "vmware_desktop" do |v, override| - override.vm.box = "../Boxes/windows_2016_vmware.box" v.vmx["displayname"] = "dc.windomain.local" - v.memory = 2560 + v.memory = 3072 v.cpus = 2 v.gui = true v.enable_vmrun_ip_lookup = false @@ -88,7 +69,7 @@ Vagrant.configure("2") do |config| vb.gui = true vb.name = "dc.windomain.local" vb.default_nic_type = "82545EM" - vb.customize ["modifyvm", :id, "--memory", 2560] + vb.customize ["modifyvm", :id, "--memory", 3072] vb.customize ["modifyvm", :id, "--cpus", 2] vb.customize ["modifyvm", :id, "--vram", "32"] vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"] @@ -97,7 +78,7 @@ Vagrant.configure("2") do |config| end config.vm.define "wef" do |cfg| - cfg.vm.box = "../Boxes/windows_2016_virtualbox.box" + cfg.vm.box = "detectionlab/win2016" cfg.vm.hostname = "wef" cfg.vm.boot_timeout = 600 cfg.vm.communicator = "winrm" 
@@ -125,16 +106,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false - cfg.vm.provider "vmware_fusion" do |v, override| - override.vm.box = "../Boxes/windows_2016_vmware.box" - v.vmx["displayname"] = "wef.windomain.local" - v.memory = 2048 - v.cpus = 2 - v.gui = true - end - cfg.vm.provider "vmware_desktop" do |v, override| - override.vm.box = "../Boxes/windows_2016_vmware.box" v.vmx["displayname"] = "wef.windomain.local" v.memory = 2048 v.cpus = 2 @@ -155,7 +127,7 @@ Vagrant.configure("2") do |config| end config.vm.define "win10" do |cfg| - cfg.vm.box = "../Boxes/windows_10_virtualbox.box" + cfg.vm.box = "detectionlab/win10" cfg.vm.hostname = "win10" cfg.vm.boot_timeout = 600 cfg.vm.communicator = "winrm" 
@@ -165,12 +137,12 @@ Vagrant.configure("2") do |config| cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102" cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102" + cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "reload" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false @@ -180,19 +152,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false - cfg.vm.provider "vmware_fusion" do |v, override| - override.vm.box = "../Boxes/windows_10_vmware.box" - v.vmx["displayname"] = "win10.windomain.local" - v.vmx["gui.fullscreenatpoweron"] = "FALSE" - v.vmx["gui.viewModeAtPowerOn"] = "windowed" - v.vmx["gui.fitguestusingnativedisplayresolution"] = "FALSE" - v.memory = 2048 - v.cpus = 1 - v.gui = true - end - cfg.vm.provider "vmware_desktop" do |v, override| - override.vm.box = "../Boxes/windows_10_vmware.box" v.vmx["displayname"] = "win10.windomain.local" v.vmx["gui.fullscreenatpoweron"] = "FALSE" v.vmx["gui.viewModeAtPowerOn"] = "windowed" 
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 5c08ef7..348429a 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -5,12 +5,6 @@ echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections; echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections; sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse" /etc/apt/sources.list -install_mongo_db_apt_key() { - # Install key and apt source for MongoDB - apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927 - echo "deb http://repo.mongodb.org/apt/ubuntu $(lsb_release -sc)/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list -} - install_python_apt_source() { # Install apt source for Python3.6 add-apt-repository -y ppa:jonathonf/python-3.6 
@@ -23,14 +17,14 @@ apt_install_prerequisites() {
 apt-get -qq update
 apt-get -qq install -y apt-fast
 echo "Running apt-fast install..."
- apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip mongodb-org python3.6 python3.6-dev
+ apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip python3.6 python3.6-dev
 # Install pip for Python 3.6
 echo "Installing Pip3.6..."
- curl https://bootstrap.pypa.io/get-pip.py | sudo -H python3.6
+ curl -s https://bootstrap.pypa.io/get-pip.py | sudo -H python3.6
 }
 
 test_prerequisites() {
- for package in jq whois build-essential git docker docker-compose unzip mongodb-org python3.6 python3.6-dev
+ for package in jq whois build-essential git docker docker-compose unzip python3.6 python3.6-dev
 do
 echo "[TEST] Validating that $package is correctly installed..."
 # Loop through each package using dpkg
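Review bot: `curl -s https://bootstrap.pypa.io/get-pip.py | sudo -H python3.6` now hides curl's own error output as well as the progress meter, and because there is no `-f`, an HTTP error body (a 404 or proxy page) is still piped into python3.6 as root with no message explaining what happened; `curl -sSf https://bootstrap.pypa.io/get-pip.py | sudo -H python3.6` keeps the quiet output while still failing loudly on transport and HTTP errors. The pipeline's exit status is python's, so unless the script sets `pipefail` (not visible here) a failed download is only noticed later when `pip3.6` is missing. A remote script executed as root with no integrity check is worth a one-line comment so the next maintainer knows it is a deliberate lab trade-off. The enclosing `apt_install_prerequisites` starts outside the hunk.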
@@ -113,9 +107,22 @@ install_splunk() {
 echo "Installing Splunk..."
 # Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
 dig @8.8.8.8 splunk.com
- # Download Splunk
- wget --progress=bar:force -O splunk-7.2.5.1-962d9a8e1586-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.5.1&product=splunk&filename=splunk-7.2.5.1-962d9a8e1586-linux-2.6-amd64.deb&wget=true'
- dpkg -i splunk-7.2.5.1-962d9a8e1586-linux-2.6-amd64.deb
+ mkdir splunk
+
+ # Try to resolve the latest version of Splunk by parsing the HTML on the downloads page
+ LATEST_SPLUNK=$(curl https://www.splunk.com/en_us/download/splunk-enterprise.html | grep -i deb | grep -Eo "data-link=\"................................................................................................................................" | cut -d '"' -f 2)
+ # Sanity check what was returned from the auto-parse attempt
+ echo "Attempting to autoresolve the latest version of Splunk..."
+ if [[ "$(echo $LATEST_SPLUNK | grep -c "^https:")" -eq 1 ]] && [[ "$(echo $LATEST_SPLUNK | grep -c "\.deb$")" -eq 1 ]]; then
+ echo "The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK"
+ echo "Attempting to download..."
+ wget --progress=bar:force -P splunk/ "$LATEST_SPLUNK"
+ else
+ echo "Unable to auto-resolve the latest Splunk version. Falling back to hardcoded URL..."
+ # Download Hardcoded Splunk
+ wget --progress=bar:force -O splunk/splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.6&product=splunk&filename=splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb&wget=true'
+ fi
+ dpkg -i splunk/*.deb
 /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
 /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
 /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
@@ -192,12 +199,12 @@ download_palantir_osquery_config() {
 }
 
 import_osquery_config_into_fleet() {
- wget --progress=bar:force https://github.com/kolide/fleet/releases/download/2.0.1/fleet_2.0.1.zip
- unzip fleet_2.0.1.zip -d fleet_2.0.1
- cp fleet_2.0.1/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl
+ wget --progress=bar:force https://github.com/kolide/fleet/releases/download/2.1.1/fleet_2.1.1.zip
+ unzip fleet_2.1.1.zip -d fleet_2.1.1
+ cp fleet_2.1.1/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl
 fleetctl config set --address https://192.168.38.105:8412
 fleetctl config set --tls-skip-verify true
- fleetctl setup --email admin@detectionlab.network --password 'admin123#' --org-name DetectionLab
+ fleetctl setup --email admin@detectionlab.network --username admin --password 'admin123#' --org-name DetectionLab
 fleetctl login --email admin@detectionlab.network --password 'admin123#'
 
 # Use fleetctl to import YAML files
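Review bot: The sanity check on `LATEST_SPLUNK` only confirms that the string scraped out of the download page starts with `https:` and ends with `.deb`; nothing ties it to a Splunk-controlled host, and `dpkg -i splunk/*.deb` then installs whatever landed in `splunk/` as root with no checksum or signature verification, so a change to the page markup or a redirect is enough to install an arbitrary package on the logger host. At minimum constrain the host before trusting the URL, e.g. `if [[ "$LATEST_SPLUNK" =~ ^https://[^/]+\.splunk\.com/ ]] && [[ "$LATEST_SPLUNK" == *.deb ]]; then` (constructed pattern, adjust to the host the page actually serves from), and consider comparing the download against a known digest as the hard-coded fallback could. Two smaller points in the same hunk: `mkdir splunk` has no `-p`, so a re-run of the provisioner after a partial failure aborts here, and the `curl` that fetches the download page has neither `-s` nor `-f`, so its progress meter is the one piece of noise this "reduce verbosity" commit keeps. The enclosing `install_splunk` starts outside the hunk.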
@@ -220,23 +227,20 @@ install_caldera() {
 echo "Installing Caldera..."
 cd /home/vagrant || exit
 git clone https://github.com/mitre/caldera.git
- cd /home/vagrant/caldera/caldera || exit
+ cd /home/vagrant/caldera/plugins || exit
+ git clone https://github.com/mitre/adversary.git adversary
+ git clone https://github.com/mitre/chain.git chain
+ git clone https://github.com/mitre/gui.git gui
+ git clone https://github.com/mitre/sandcat.git sandcat
+ git clone https://github.com/mitre/stockpile.git stockpile
+ cd /home/vagrant/caldera || exit
 pip3.6 install -r requirements.txt
-
- # Add a Systemd service for MongoDB
- # https://www.howtoforge.com/tutorial/install-mongodb-on-ubuntu-16.04/
- cp /vagrant/resources/caldera/mongod.service /lib/systemd/system/mongod.service
+ # Make Caldera accessible on all ports
+ sed -i 's/127.0.0.1/0.0.0.0/g' conf/local.yml
 # Create Systemd service for Caldera
 cp /vagrant/resources/caldera/caldera.service /lib/systemd/system/caldera.service
- # Enable replication
- echo 'replication:
- replSetName: caldera' >> /etc/mongod.conf
- service mongod start
- systemctl enable mongod.service
 cd /home/vagrant/caldera || exit
- mkdir -p dep/crater/crater
- wget --progress=bar:force https://github.com/mitre/caldera-crater/releases/download/v0.1.0/CraterMainWin8up.exe -O /home/vagrant/caldera/dep/crater/crater/CraterMain.exe
- cp /vagrant/resources/caldera/cert.pem /vagrant/resources/caldera/key.pem /vagrant/resources/caldera/settings.yml /home/vagrant/caldera/caldera/conf
+ cp /vagrant/resources/caldera/cert.pem /vagrant/resources/caldera/key.pem /home/vagrant/caldera/conf
 service caldera start
 systemctl enable caldera.service
 fi
@@ -423,7 +427,6 @@ test_suricata_prerequisites() {
 }
 
 main() {
- install_mongo_db_apt_key
 install_python_apt_source
 apt_install_prerequisites
 test_prerequisites
diff --git a/Vagrant/resources/caldera/caldera.service b/Vagrant/resources/caldera/caldera.service
index 044bd26..fade6b1 100644
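Review bot: The comment `# Make Caldera accessible on all ports` misdescribes the line under it: `sed -i 's/127.0.0.1/0.0.0.0/g' conf/local.yml` changes the bind address from loopback to every interface (the port does not change), and with `/g` it rewrites every occurrence of `127.0.0.1` in the file, not just the listener setting, so any other loopback reference in that config is altered too. Say what it does and narrow it: `# Bind the Caldera server to all interfaces so the Windows hosts can reach it (default is loopback only)`, and anchor the substitution on the specific key rather than the bare address. The six `git clone` calls (caldera plus the five plugins) check out whatever upstream HEAD is at provisioning time with no tag or commit pin, so the lab is not reproducible and an upstream change lands on the logger host unreviewed; `git clone --branch <pinned tag>` or a `git checkout <pinned commit>` after each clone fixes that. The second `cd /home/vagrant/caldera || exit` is redundant, since the directory has not changed since the previous one. The enclosing `install_caldera` and its `if` start outside the hunk.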
--- a/Vagrant/resources/caldera/caldera.service +++ b/Vagrant/resources/caldera/caldera.service @@ -1,11 +1,11 @@ [Unit] -Description=My Script Service +Description=Caldera After=multi-user.target [Service] Type=idle -WorkingDirectory=/home/vagrant/caldera/caldera -ExecStart=/usr/bin/python3.6 caldera.py +WorkingDirectory=/home/vagrant/caldera +ExecStart=/usr/bin/python3.6 server.py -E local [Install] WantedBy=multi-user.target diff --git a/Vagrant/resources/windows/MenuSettings.xml b/Vagrant/resources/windows/MenuSettings.xml new file mode 100755 index 0000000..05144c1 --- /dev/null +++ b/Vagrant/resources/windows/MenuSettings.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/Vagrant/resources/windows/classic_shell_win7.reg b/Vagrant/resources/windows/classic_shell_win7.reg deleted file mode 100644 index 83fb24e..0000000 --- a/Vagrant/resources/windows/classic_shell_win7.reg +++ /dev/null @@ -1,4 +0,0 @@ -Windows Registry Editor Version 5.00 - -[HKEY_LOCAL_MACHINE\SOFTWARE\IvoSoft\ClassicStartMenu] -"MenuStyle_Default"="Win7" diff --git a/Vagrant/scripts/install-caldera-agent.ps1 b/Vagrant/scripts/install-caldera-agent.ps1 index 65c72c3..bb9c202 100644 --- a/Vagrant/scripts/install-caldera-agent.ps1 +++ b/Vagrant/scripts/install-caldera-agent.ps1 @@ -1,4 +1,6 @@ # Purpose: Installs the Caldera agent on the host +Write-Host "Installing the Caldera agent..." +$url="https://192.168.38.105:8888/file/render"; $ps_table = $PSVersionTable.PSVersion;If([double]$ps_table.Major -ge 6){iex (irm -Method Post -Uri $url -Headers @{"file"="54ndc47.ps1"} -SkipCertificateCheck);}else{[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$True};$web=New-Object System.Net.WebClient;$web.Headers.Add("file","54ndc47.ps1");$resp=$web.UploadString("$url",'');iex($resp);} If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) { # Add /etc/hosts entry 
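Review bot: The rewritten `[Service]` section still carries no `User=`/`Group=`, so `server.py -E local`, which bootstrap.sh now binds to all interfaces, runs as root; since the unit already works out of `/home/vagrant/caldera`, add `User=vagrant` (and `Group=vagrant`) under `Type=idle`, provided the checkout and the pip-installed dependencies are readable by that user — bootstrap.sh clones it as whatever user runs the provisioner, so verify ownership. The meaning of `-E local` is not recorded anywhere in the repository as far as this patch shows; a unit comment such as `# -E local: presumably selects conf/local.yml, the file bootstrap.sh edits — confirm` would save the next reader a trip to the Caldera docs. Consider `Restart=on-failure` as well, since a crash of the server currently stays down for the life of the VM.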
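Review bot: The added one-liner sets `[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$True}` and never resets it, so every later HTTPS request in that PowerShell session (the rest of this script and anything it dot-sources) runs with certificate validation disabled, not just the one download; the `-SkipCertificateCheck` branch for PowerShell 6+ is scoped to its call, the legacy branch is not. Reset it after the download, `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null`, or better, trust the lab certificate the repository already ships as `resources/caldera/cert.pem` instead of turning validation off. The response is passed straight to `iex` with no integrity check, which is exactly the pattern the lab's PowerShell transcript and Sysmon logging are meant to surface, so a comment stating that this provisioning step is expected to show up in those logs would help anyone tuning detections; the comment on the line above, `# Purpose: Installs the Caldera agent on the host`, is the place for it. The script continues past the hunk.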
diff --git a/Vagrant/scripts/install-choco-extras.ps1 b/Vagrant/scripts/install-choco-extras.ps1 index d7f8c2f..b26905a 100644 --- a/Vagrant/scripts/install-choco-extras.ps1 +++ b/Vagrant/scripts/install-choco-extras.ps1 @@ -10,7 +10,7 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) { } Write-Host "Installing Chocolatey extras..." -choco install -y wireshark -choco install -y winpcap +choco install -y --limit-output wireshark +choco install -y --limit-output winpcap Write-Host "Choco addons complete!" diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1 index 2b2a419..5755e61 100755 --- a/Vagrant/scripts/install-utilities.ps1 +++ b/Vagrant/scripts/install-utilities.ps1 @@ -10,11 +10,11 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) { Write-Host "Installing utilities..." If ($(hostname) -eq "win10") { # Because the Windows10 start menu sucks - choco install -y classic-shell -installArgs ADDLOCAL=ClassicStartMenu - reg import "c:\vagrant\resources\windows\classic_shell_win7.reg" + choco install -y --limit-output classic-shell -installArgs ADDLOCAL=ClassicStartMenu + & "C:\Program Files\Classic Shell\ClassicStartMenu.exe" "-xml" "c:\vagrant\resources\windows\MenuSettings.xml" } -choco install -y NotepadPlusPlus -choco install -y GoogleChrome -choco install -y WinRar +choco install -y --limit-output NotepadPlusPlus +choco install -y --limit-output GoogleChrome +choco install -y --limit-output WinRar Write-Host "Utilties installation complete!" diff --git a/ci/circle_workflows/packer_and_vagrant_changes.sh b/ci/circle_workflows/packer_and_vagrant_changes.sh index 93e4842..e9ee1c2 100644 --- a/ci/circle_workflows/packer_and_vagrant_changes.sh +++ b/ci/circle_workflows/packer_and_vagrant_changes.sh 
@@ -43,8 +43,8 @@ while [ "$MINUTES_PAST" -lt 400 ]; do STATUS=$(curl $IP_ADDRESS) if [ "$STATUS" == "building" ]; then echo "$STATUS" - scp -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/|| echo "Vagrant log not yet present" - scp -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/packer_build.log || echo "Packer log not yet present" + scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/|| echo "Vagrant log not yet present" + scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/packer_build.log || echo "Packer log not yet present" sleep 300 ((MINUTES_PAST += 5)) else @@ -53,9 +53,9 @@ while [ "$MINUTES_PAST" -lt 400 ]; do done if [ "$MINUTES_PAST" -gt 400 ]; then echo "Serer timed out. Uptime: $MINUTES_PAST minutes." - scp -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ || echo "Vagrant log not yet present" - scp -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/packer_build.log || echo "Packer log not yet present" - curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" + scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ || echo "Vagrant log not yet present" + scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/packer_build.log || echo "Packer log not yet present" + curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" exit 1 fi 
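Review bot: `curl -s -X DELETE ... 'https://api.packet.net/devices/'"$DEVICE_ID"` now suppresses curl's error reporting too, and since the call's exit status is not checked, a failed teardown of a billed bare-metal server leaves no trace in the CI log; use `curl -sS -X DELETE ...` (quiet progress meter, errors still printed), ideally with `-f` and an `|| echo "device delete failed"` so the job output records it. The same applies to every `curl -s -X DELETE` and `curl -s -X GET` added in the later hunks of this file and in packer_changes.sh and vagrant_changes.sh. `scp -q` is fine as the `|| echo` fallbacks on those lines already report the failure. The enclosing `while` loop starts outside the hunk.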
@@ -63,11 +63,11 @@ fi echo $STATUS if [ "$STATUS" != "success" ]; then echo "Build failed. Cleaning up server with ID $DEVICE_ID" - scp -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ || echo "Vagrant log not yet present" - scp -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/packer_build.log || echo "Packer log not yet present" - curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" + scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ || echo "Vagrant log not yet present" + scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/packer_build.log || echo "Packer log not yet present" + curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" exit 1 fi echo "Build was successful. Cleaning up server with ID $DEVICE_ID" -curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" +curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" exit 0 diff --git a/ci/circle_workflows/packer_changes.sh b/ci/circle_workflows/packer_changes.sh index 88c348d..704dba2 100644 --- a/ci/circle_workflows/packer_changes.sh +++ b/ci/circle_workflows/packer_changes.sh 
@@ -9,7 +9,7 @@ fi ## Provision two Type1 baremetal Packet.net servers echo "Provisioning packerwindows2016 on Packet.net" -SERVER1_ID=$(curl -X POST -s --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" -d '{ "facility": "sjc1", "plan": "baremetal_1", "hostname": "packerwindows2016", "description": "testing", "billing_cycle": "hourly", "operating_system": "ubuntu_16_04", "userdata": "", "locked": "false", "project_ssh_keys":["315a9565-d5b1-41b6-913d-fcf022bb89a6", "755b134a-f63c-4fc5-9103-c1b63e65fdfc"] }' 'https://api.packet.net/projects/0b3f4f2e-ff05-41a8-899d-7923f620ca85/devices' | jq ."id" | tr -d '"') +SERVER1_ID=$(curl -s -X POST -s --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" -d '{ "facility": "sjc1", "plan": "baremetal_1", "hostname": "packerwindows2016", "description": "testing", "billing_cycle": "hourly", "operating_system": "ubuntu_16_04", "userdata": "", "locked": "false", "project_ssh_keys":["315a9565-d5b1-41b6-913d-fcf022bb89a6", "755b134a-f63c-4fc5-9103-c1b63e65fdfc"] }' 'https://api.packet.net/projects/0b3f4f2e-ff05-41a8-899d-7923f620ca85/devices' | jq ."id" | tr -d '"') if [ "$(echo -n $SERVER1_ID | wc -c)" -ne 36 ]; then echo "Server may have failed provisionining. Device ID is set to: $SERVER1_ID" exit 1 
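Review bot: The rewritten `SERVER1_ID=$(curl -s -X POST -s --header ...)` passes `-s` twice, since the original line already had it after `-X POST`; drop the newly inserted one so the line reads `curl -X POST -s --header ...` as before, or keep one `-sS` as suggested for the DELETE calls. The same duplication is in the `SERVER2_ID` line in the next hunk.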
@@ -19,7 +19,7 @@ echo "packerwindows2016 successfully provisioned with ID: $SERVER1_ID" sleep 5 # Wait a bit before issuing another provision command echo "Provisioning packerwindows10 on Packet.net" -SERVER2_ID=$(curl -X POST -s --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" -d '{ "facility": "sjc1", "plan": "baremetal_1", "hostname": "packerwindows10", "description": "testing", "billing_cycle": "hourly", "operating_system": "ubuntu_16_04", "userdata": "", "locked": "false", "project_ssh_keys":["315a9565-d5b1-41b6-913d-fcf022bb89a6", "755b134a-f63c-4fc5-9103-c1b63e65fdfc"] }' 'https://api.packet.net/projects/0b3f4f2e-ff05-41a8-899d-7923f620ca85/devices' | jq ."id" | tr -d '"') +SERVER2_ID=$(curl -s -X POST -s --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" -d '{ "facility": "sjc1", "plan": "baremetal_1", "hostname": "packerwindows10", "description": "testing", "billing_cycle": "hourly", "operating_system": "ubuntu_16_04", "userdata": "", "locked": "false", "project_ssh_keys":["315a9565-d5b1-41b6-913d-fcf022bb89a6", "755b134a-f63c-4fc5-9103-c1b63e65fdfc"] }' 'https://api.packet.net/projects/0b3f4f2e-ff05-41a8-899d-7923f620ca85/devices' | jq ."id" | tr -d '"') if [ "$(echo -n $SERVER2_ID | wc -c)" -ne 36 ]; then echo "Server may have failed provisionining. Device ID is set to: $SERVER2_ID" exit 1 
@@ -32,8 +32,8 @@ echo "Sleeping 5 more minutes (CircleCI Keepalive)" sleep 300 ## Recording the IP address of the newly provisioned Packet servers -SERVER1_IP_ADDRESS=$(curl -X GET --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" "https://api.packet.net/devices/$SERVER1_ID/ips" | jq ."ip_addresses[0].address" | tr -d '"') -SERVER2_IP_ADDRESS=$(curl -X GET --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" "https://api.packet.net/devices/$SERVER2_ID/ips" | jq ."ip_addresses[0].address" | tr -d '"') +SERVER1_IP_ADDRESS=$(curl -s -X GET --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" "https://api.packet.net/devices/$SERVER1_ID/ips" | jq ."ip_addresses[0].address" | tr -d '"') +SERVER2_IP_ADDRESS=$(curl -s -X GET --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" "https://api.packet.net/devices/$SERVER2_ID/ips" | jq ."ip_addresses[0].address" | tr -d '"') # Copy repo to Packet servers # TODO: Tar up the repo and expand it remotely @@ -54,8 +54,8 @@ while [ "$MINUTES_PAST" -lt 150 ]; do SERVER2_STATUS=$(curl $SERVER2_IP_ADDRESS) if [[ "$SERVER1_STATUS" == "building" ]] || [[ "$SERVER2_STATUS" == "building" ]]; then echo "$SERVER1_STATUS" :: "$SERVER2_STATUS" - scp -i ~/.ssh/id_rsa root@"$SERVER1_IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/server1_packer.log - scp -i ~/.ssh/id_rsa root@"$SERVER2_IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/server2_packer.log + scp -q -i ~/.ssh/id_rsa root@"$SERVER1_IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/server1_packer.log + scp -q -i ~/.ssh/id_rsa root@"$SERVER2_IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/server2_packer.log sleep 300 ((MINUTES_PAST += 5)) fi 
@@ -64,8 +64,8 @@ while [ "$MINUTES_PAST" -lt 150 ]; do fi if [ "$MINUTES_PAST" -gt 150 ]; then echo "Serer timed out. Uptime: $MINUTES_PAST minutes." - curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER1_ID" - curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER2_ID" + curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER1_ID" + curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER2_ID" exit 1 fi done 
@@ -75,17 +75,17 @@ echo "Server1 Status: $SERVER1_STATUS" echo "Server2 Status: $SERVER2_STATUS" if [ "$SERVER1_STATUS" != "success" ]; then echo "Build failed. Cleaning up server with ID $SERVER1_ID" - scp -i ~/.ssh/id_rsa root@"$SERVER1_IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/server1_packer.log || echo "Serveer1 packer_build.log not available yet" - curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER1_ID" + scp -q -i ~/.ssh/id_rsa root@"$SERVER1_IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/server1_packer.log || echo "Serveer1 packer_build.log not available yet" + curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER1_ID" exit 1 fi if [ "$SERVER2_STATUS" != "success" ]; then echo "Build failed. Cleaning up server with ID $SERVER2_ID" - scp -i ~/.ssh/id_rsa root@"$SERVER2_IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/server2_packer.log || echo "Server2 packer_build.log not available yet" - curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER2_ID" + scp -q -i ~/.ssh/id_rsa root@"$SERVER2_IP_ADDRESS":/opt/DetectionLab/Packer/packer_build.log /tmp/artifacts/server2_packer.log || echo "Server2 packer_build.log not available yet" + curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER2_ID" exit 1 fi echo "Builds were successful. 
Cleaning up servers with IDs $SERVER1_ID and $SERVER2_ID" -curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER1_ID" -curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER2_ID" +curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER1_ID" +curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$SERVER2_ID" exit 0 diff --git a/ci/circle_workflows/vagrant_changes.sh b/ci/circle_workflows/vagrant_changes.sh index 6d6f56d..3eff371 100644 --- a/ci/circle_workflows/vagrant_changes.sh +++ b/ci/circle_workflows/vagrant_changes.sh @@ -56,7 +56,7 @@ while [ "$MINUTES_PAST" -lt 180 ]; do if [ "$MINUTES_PAST" -gt 180 ]; then echo "Serer timed out. Uptime: $MINUTES_PAST minutes." scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ - curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" + curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" exit 1 fi done 
@@ -66,9 +66,9 @@ echo $STATUS if [ "$STATUS" != "success" ]; then scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ echo "Build failed. Cleaning up server with ID $DEVICE_ID" - curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" + curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" exit 1 fi echo "Build was successful. Cleaning up server with ID $DEVICE_ID" -curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" +curl -s -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID" exit 0 From 7d844fd98801c896d2c90356ad7c68c02f2e90fe Mon Sep 17 00:00:00 2001 
From: Chris Long Date: Sat, 27 Apr 2019 22:36:06 -0700 Subject: [PATCH 2/6] Removing Caldera --- README.md | 11 ++---- Terraform/main.tf | 11 ------ Vagrant/Vagrantfile | 3 -- Vagrant/Vagrantfile_Minimum | 3 -- Vagrant/bootstrap.sh | 41 ++--------------------- Vagrant/resources/caldera/caldera.service | 11 ------ Vagrant/resources/caldera/cert.pem | 20 ----------- Vagrant/resources/caldera/conf.yml | 24 ------------- Vagrant/resources/caldera/key.pem | 28 ---------------- Vagrant/resources/caldera/mongod.service | 12 ------- Vagrant/resources/caldera/settings.yml | 27 --------------- Vagrant/scripts/install-caldera-agent.ps1 | 36 -------------------- build.ps1 | 7 ---- build.sh | 6 +--- 14 files changed, 6 insertions(+), 234 deletions(-) delete mode 100644 Vagrant/resources/caldera/caldera.service delete mode 100644 Vagrant/resources/caldera/cert.pem delete mode 100644 Vagrant/resources/caldera/conf.yml delete mode 100644 Vagrant/resources/caldera/key.pem delete mode 100644 Vagrant/resources/caldera/mongod.service delete mode 100644 Vagrant/resources/caldera/settings.yml delete mode 100644 Vagrant/scripts/install-caldera-agent.ps1 diff --git a/README.md b/README.md index adcf420..993cda0 100644 --- a/README.md +++ b/README.md 
@@ -28,7 +28,6 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr * Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs` * osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration) * Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration -* Mitre's [Caldera](https://github.com/mitre/caldera) server is built on the logger host and the Caldera agent gets pre-installed on all Windows hosts * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog) * SMBv1 Auditing is enabled @@ -93,7 +92,7 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json 4. cd into the Vagrant directory: `cd ../Vagrant` 5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload` -6. Ensure you are in the Vagrant folrder and run `vagrant up`. This command will do the following: +6. Ensure you are in the Vagrant folder and run `vagrant up`. This command will do the following: * Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance. * Provision the DC host and configure it as a Domain Controller * Provision the WEF host and configure it as a Windows Event Collector in the Servers OU 
@@ -101,7 +100,6 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json 7. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen) 8. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration). -9. Navigate to https://192.168.38.105:8888 in a browser to access the Caldera server on logger. Default credentials are admin:caldera. ## Basic Vagrant Usage Vagrant commands must be run from the "Vagrant" folder. @@ -122,9 +120,8 @@ Vagrant commands must be run from the "Vagrant" folder. ## Lab Information * Domain Name: windomain.local * Admininstrator login: vagrant:vagrant -* Fleet login: https://192.168.38.105:8412 - admin@:admin123# +* Fleet login: https://192.168.38.105:8412 - admin:admin123# * Splunk login: https://192.168.38.105:8000 - admin:changeme -* Caldera login: https://192.168.38.105:8888 - admin:admin * MS ATA login: https://192.168.38.103 - wef\vagrant:vagrant ## Lab Hosts @@ -155,7 +152,6 @@ Vagrant commands must be run from the "Vagrant" folder. * Logger - Ubuntu 16.04 * Splunk Enterprise * Fleet osquery Manager - * Mitre's Caldera Server * Bro * Suricata @@ -174,7 +170,6 @@ suricata | Suricata IDS logs * Sysmon * osquery * AutorunsToWinEventLog - * Caldera Agent * Process Monitor * Process Explorer * PsExec @@ -184,6 +179,7 @@ suricata | Suricata IDS logs * WinRar * Mimikatz * Wireshark + * Powersploit ## Applied GPOs * [Custom Event Channel Permissions](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Custom%20Event%20Channel%20Permissions.htm) 
@@ -255,7 +251,6 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer] * [Splunk](https://www.splunk.com) * [osquery](https://osquery.io) * [Fleet](https://kolide.co/fleet) -* [Caldera](https://github.com/mitre/caldera) * [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f) * [palantir/windows-event-forwarding](http://github.com/palantir/windows-event-forwarding) * [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55) diff --git a/Terraform/main.tf b/Terraform/main.tf index f976f4b..a955455 100644 --- a/Terraform/main.tf +++ b/Terraform/main.tf @@ -71,14 +71,6 @@ resource "aws_security_group" "logger" { cidr_blocks = "${var.ip_whitelist}" } - # Caldera access - ingress { - from_port = 8888 - to_port = 8888 - protocol = "tcp" - cidr_blocks = "${var.ip_whitelist}" - } - # Allow all traffic from the private subnet ingress { from_port = 0 @@ -166,7 +158,6 @@ resource "aws_instance" "logger" { "sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh", "echo 'vagrant ALL=(ALL:ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers", "sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab", - "sudo sed -i \"s#sed -i 's/archive.ubuntu.com/us.archive.ubuntu.com/g' /etc/apt/sources.list##g\" /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's/eth1/eth0/g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's/ETH1/ETH0/g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's#/usr/local/go/bin/go get -u#GOPATH=/root/go /usr/local/go/bin/go get -u#g' /opt/DetectionLab/Vagrant/bootstrap.sh", 
@@ -174,8 +165,6 @@ resource "aws_instance" "logger" { "sudo chmod +x /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo apt-get update", "sudo /opt/DetectionLab/Vagrant/bootstrap.sh", - "sudo pip3.6 install --upgrade --force-reinstall pip==9.0.3 && sudo pip3.6 install -r /home/vagrant/caldera/caldera/requirements.txt && sudo pip3.6 install --upgrade pip", - "sudo service caldera stop && sudo service caldera start", ] connection { type = "ssh" diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 6969716..e8329f5 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -48,7 +48,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false @@ -104,7 +103,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false 
@@ -154,7 +152,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false diff --git a/Vagrant/Vagrantfile_Minimum b/Vagrant/Vagrantfile_Minimum index 62f3557..96ca99a 100644 --- a/Vagrant/Vagrantfile_Minimum +++ b/Vagrant/Vagrantfile_Minimum @@ -46,7 +46,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false 
@@ -100,7 +99,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false @@ -147,7 +145,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 348429a..7085c08 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh 
@@ -5,26 +5,17 @@ echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections;
 echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections;
 sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse" /etc/apt/sources.list
 
-install_python_apt_source() {
- # Install apt source for Python3.6
- add-apt-repository -y ppa:jonathonf/python-3.6
- add-apt-repository -y ppa:apt-fast/stable
-}
-
 apt_install_prerequisites() {
 # Install prerequisites and useful tools
 echo "Running apt-get update..."
 apt-get -qq update
 apt-get -qq install -y apt-fast
 echo "Running apt-fast install..."
- apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip python3.6 python3.6-dev
- # Install pip for Python 3.6
- echo "Installing Pip3.6..."
- curl -s https://bootstrap.pypa.io/get-pip.py | sudo -H python3.6
+ apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip
 }
 
 test_prerequisites() {
- for package in jq whois build-essential git docker docker-compose unzip python3.6 python3.6-dev
+ for package in jq whois build-essential git docker docker-compose unzip
 do
 echo "[TEST] Validating that $package is correctly installed..."
 # Loop through each package using dpkg
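Review bot: Deleting `install_python_apt_source()` also removes the `add-apt-repository -y ppa:apt-fast/stable` line, while the new side of `apt_install_prerequisites()` still runs `apt-get -qq install -y apt-fast`; apt-fast is not in the stock Ubuntu archive, so on a fresh xenial box that install and every `apt-fast` call after it fail, and with no error handling the script carries on regardless. `main()` (outside this hunk) also still calls `install_python_apt_source` after this change, which bash reports as command not found. Both are fixed by later patches in this series (4/6 removes the call, 5/6 re-adds the PPA), but this commit on its own leaves bootstrap.sh unable to provision; moving `add-apt-repository -y ppa:apt-fast/stable` into `apt_install_prerequisites()` and dropping the `main()` call in the same commit would keep every commit in the series buildable. `test_prerequisites()` continues past the end of the hunk.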
@@ -219,33 +210,6 @@ import_osquery_config_into_fleet() { /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme' } -install_caldera() { - if [ -f "/lib/systemd/system/caldera.service" ]; then - echo "Caldera is already installed... Skipping" - else - # Install Mitre's Caldera - echo "Installing Caldera..." - cd /home/vagrant || exit - git clone https://github.com/mitre/caldera.git - cd /home/vagrant/caldera/plugins || exit - git clone https://github.com/mitre/adversary.git adversary - git clone https://github.com/mitre/chain.git chain - git clone https://github.com/mitre/gui.git gui - git clone https://github.com/mitre/sandcat.git sandcat - git clone https://github.com/mitre/stockpile.git stockpile - cd /home/vagrant/caldera || exit - pip3.6 install -r requirements.txt - # Make Caldera accessible on all ports - sed -i 's/127.0.0.1/0.0.0.0/g' conf/local.yml - # Create Systemd service for Caldera - cp /vagrant/resources/caldera/caldera.service /lib/systemd/system/caldera.service - cd /home/vagrant/caldera || exit - cp /vagrant/resources/caldera/cert.pem /vagrant/resources/caldera/key.pem /home/vagrant/caldera/conf - service caldera start - systemctl enable caldera.service - fi -} - install_bro() { # Environment variables NODECFG=/opt/bro/etc/node.cfg @@ -436,7 +400,6 @@ main() { install_fleet download_palantir_osquery_config import_osquery_config_into_fleet - install_caldera install_suricata install_bro } diff --git a/Vagrant/resources/caldera/caldera.service b/Vagrant/resources/caldera/caldera.service deleted file mode 100644 index fade6b1..0000000 --- a/Vagrant/resources/caldera/caldera.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Caldera -After=multi-user.target - -[Service] -Type=idle -WorkingDirectory=/home/vagrant/caldera -ExecStart=/usr/bin/python3.6 server.py -E local - -[Install] -WantedBy=multi-user.target 
diff --git a/Vagrant/resources/caldera/cert.pem b/Vagrant/resources/caldera/cert.pem deleted file mode 100644 index ff54454..0000000 --- a/Vagrant/resources/caldera/cert.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDVTCCAj2gAwIBAgIJAKUxnMnJz4CPMA0GCSqGSIb3DQEBCwUAMEExDzANBgNV -BAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2VyMQsw -CQYDVQQGEwJVUzAeFw0xOTAzMjcwMzU3NThaFw0yOTAzMjYwMzU3NThaMEExDzAN -BgNVBAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2Vy -MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKL/ -7cDUXrSac8oILHLN3iKtuhoLttPrVi+GuYsdfKer7D9M9DrkGAvQ+qHLpHgg+omY -ZIK4kDjS26eDKP2SGTHjeYwlmcJPnII6YU8vYdzyvi4eLJjI+lMO8BYd2yL2PVJX -W8ScY/2MoC8LX31A8maGDW+4E6bu3ItAEchh4EWRj8V4PqCDJH1XnY18A0N0QEDV -Osleb2dFWvXtyFmSu0OsqiMxBzlPbf/yl71Q1VjrRUT+alDJNfF3ewctshvx4hV8 -qDwpATR9GPfPKV6w1lj0a+81Qpwy6vOLve3yCV02lWe1TaCjL2otGbTspujbulkR -DGy6MC9/9i1CRkEIBj0CAwEAAaNQME4wHQYDVR0OBBYEFKGWfBB6O2ktq/a4frXy -LKxZNjngMB8GA1UdIwQYMBaAFKGWfBB6O2ktq/a4frXyLKxZNjngMAwGA1UdEwQF -MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIgLaPeFJS/bHzITf62RgDbBEU3zaeOg -72xiFHWd6uIA9SCHGHuKhbpzLOqBtoSGZlejI75/QDwAiwpu/cd9BWx9h9S/f0Zf -fZnA/ngPojhnaHYFIn8165z/XSJwNvDhVh1oYqMcfTPgeSlbRdPTwAjxdYsJ4nik -4xriKHV6WQ9ixFwOk9ROYg1M/OJ2lmOi23NFODKVP0LFPAqZEX7evKJatWQiJ2tF -iUAm+4xvkGVJfPd6hShYEsXDjTJC+fVFgsPTWhaHGnLjiLORJLgvd/E6wIGGzvx7 -fIw1x7LxMmhlWa74yyGZKAMUOlMh4uBAYR3JhsVYl2LNSK9HwZYnfXc= ------END CERTIFICATE----- diff --git a/Vagrant/resources/caldera/conf.yml b/Vagrant/resources/caldera/conf.yml deleted file mode 100644 index 3e00c40..0000000 --- a/Vagrant/resources/caldera/conf.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -url_root: https://logger:8888 -verify_hostname: false -cert: | - -----BEGIN CERTIFICATE----- - MIIDVTCCAj2gAwIBAgIJAKUxnMnJz4CPMA0GCSqGSIb3DQEBCwUAMEExDzANBgNV - BAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2VyMQsw - CQYDVQQGEwJVUzAeFw0xOTAzMjcwMzU3NThaFw0yOTAzMjYwMzU3NThaMEExDzAN - BgNVBAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2Vy - MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKL/ - 7cDUXrSac8oILHLN3iKtuhoLttPrVi+GuYsdfKer7D9M9DrkGAvQ+qHLpHgg+omY - ZIK4kDjS26eDKP2SGTHjeYwlmcJPnII6YU8vYdzyvi4eLJjI+lMO8BYd2yL2PVJX - W8ScY/2MoC8LX31A8maGDW+4E6bu3ItAEchh4EWRj8V4PqCDJH1XnY18A0N0QEDV - Osleb2dFWvXtyFmSu0OsqiMxBzlPbf/yl71Q1VjrRUT+alDJNfF3ewctshvx4hV8 - qDwpATR9GPfPKV6w1lj0a+81Qpwy6vOLve3yCV02lWe1TaCjL2otGbTspujbulkR - DGy6MC9/9i1CRkEIBj0CAwEAAaNQME4wHQYDVR0OBBYEFKGWfBB6O2ktq/a4frXy - LKxZNjngMB8GA1UdIwQYMBaAFKGWfBB6O2ktq/a4frXyLKxZNjngMAwGA1UdEwQF - MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIgLaPeFJS/bHzITf62RgDbBEU3zaeOg - 72xiFHWd6uIA9SCHGHuKhbpzLOqBtoSGZlejI75/QDwAiwpu/cd9BWx9h9S/f0Zf - fZnA/ngPojhnaHYFIn8165z/XSJwNvDhVh1oYqMcfTPgeSlbRdPTwAjxdYsJ4nik - 4xriKHV6WQ9ixFwOk9ROYg1M/OJ2lmOi23NFODKVP0LFPAqZEX7evKJatWQiJ2tF - iUAm+4xvkGVJfPd6hShYEsXDjTJC+fVFgsPTWhaHGnLjiLORJLgvd/E6wIGGzvx7 - fIw1x7LxMmhlWa74yyGZKAMUOlMh4uBAYR3JhsVYl2LNSK9HwZYnfXc= - -----END CERTIFICATE----- -logging_level: debug diff --git a/Vagrant/resources/caldera/key.pem b/Vagrant/resources/caldera/key.pem deleted file mode 100644 index 826058a..0000000 --- a/Vagrant/resources/caldera/key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCi/+3A1F60mnPK -CCxyzd4irboaC7bT61YvhrmLHXynq+w/TPQ65BgL0Pqhy6R4IPqJmGSCuJA40tun -gyj9khkx43mMJZnCT5yCOmFPL2Hc8r4uHiyYyPpTDvAWHdsi9j1SV1vEnGP9jKAv -C199QPJmhg1vuBOm7tyLQBHIYeBFkY/FeD6ggyR9V52NfANDdEBA1TrJXm9nRVr1 -7chZkrtDrKojMQc5T23/8pe9UNVY60VE/mpQyTXxd3sHLbIb8eIVfKg8KQE0fRj3 -zylesNZY9GvvNUKcMurzi73t8gldNpVntU2goy9qLRm07Kbo27pZEQxsujAvf/Yt -QkZBCAY9AgMBAAECggEAchAQKyExyMZQgq9nk0r2yGOz2GgcH34OyKFJk80lnxvS -7ZUHT3KwVQx/Zttfk2TYjZLjuwo2el0rsrQ46gDjuqKJOwZQ68XUKtl5oPTyUbBY -X2NkJ+J0Mc1BOujXoUaZMNbK8/HQkuxmZ6VYxAi/1/i0zFoO/oEmOheymfvL+kG9 -Yi9o7DR8o8yHT2XAJM3sdRLb19/BdquB8vcXYvHY/X2+2uLU4vDycHZ9bFiRWfMK -bpgzH0XRsfz5/9nV42gUhPZWbKJYZnauYI4k603i5uT165chkkv4HJld5mgUMZel -U58zFE9LwGOKuQJbYkvKDj4G+vF4i9ONRMg5jNhO4QKBgQDPRALjFSFoTd5wOjef -Z2n5P307DPyix+GxbE1VRvsKpWNW/DYmVHrLX9cyZPpVPwcAla11gSoSOQ4AW3F4 -8uVrL86FTPI3h4nCZje6NvLlzNvI7zmNgCVHLrtp16sub7qxRTuLJuO8V0Penka8 -dpRI1npaetvwuVjNjw98NdioWQKBgQDJU2hKEbCmX+h9IfuKdOCT5gMYjii1ndC4 -uUwrUf+Fy9Z0aZIIDa/TKjmVnUEd+2C4AGdWIc0p/ApzKId9o9f0RUTFv0x2fKGt -wQUE4BuvHBTQY++N6lYSEVBHOicoITbKfTQyiHimzgg19JjRaxPEoI7zla7euOtz -wD8RZisQhQKBgQCoqP14cG95AzSpOpacvnh7/PAZJ15F0EWWLT1Y0aPja+ZEmIQv -+Lrb2CezuHwE9n7qOOKoJe1oWslL/R1/gJiz+nkh/BV2nnK5oJhkjeZmnaeUASdi -QA8Vt6+GV5vS89SGAIKNn53eW1y9QSrqncvY4b869ZMYdpsO2wWM2/xsMQKBgQCU -cgaszrxlAMTJN3xky+cnxmqz+WY0/AeBnUd3jb+OJQ2cypbdj1H8rt7E3a288LSR -F+MaFFRVx7zgypqU3nGGcGjUMkir+RuxpWgQ/zoKdPc37OgeyRHrwo5h5pQmt87R -oV4SgKQNwk81kYP4ri5mRkkBfHXzTYB22eLm7mGEjQKBgB+WaIOMpgQwrewRkU17 -S63jjHso3J4S21OHm748vpx3ize4JpnAkRpfpwZ9Rj+TmyOjgitJNWdV77zdiQkN -5Dv5ZjsIurrnDXMslBww37mnV7LXyDAAsyaKqSGQuikKusz45FSej82KIfr/zGv+ -WbNZ+sK8mdVZoUSam+6BO9JH ------END PRIVATE KEY----- diff --git a/Vagrant/resources/caldera/mongod.service b/Vagrant/resources/caldera/mongod.service deleted file mode 100644 index 5a726a1..0000000 --- a/Vagrant/resources/caldera/mongod.service +++ /dev/null 
@@ -1,12 +0,0 @@ -[Unit] -Description=High-performance, schema-free document-oriented database -After=network.target -Documentation=https://docs.mongodb.org/manual - -[Service] -User=mongodb -Group=mongodb -ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf - -[Install] -WantedBy=multi-user.target diff --git a/Vagrant/resources/caldera/settings.yml b/Vagrant/resources/caldera/settings.yml deleted file mode 100644 index 8e5a294..0000000 --- a/Vagrant/resources/caldera/settings.yml +++ /dev/null @@ -1,27 +0,0 @@ -auth: - key: !!binary | - QfVQNdpJt0br69u4yGYgjJYr8mlKRb8nhkzxd+XkuBt7D/JKeCUmSafJuBFY3w7oXatwSqFYKdWn - ZhVklJsZAmoPy3BEr1maTwFFfJtfav6e6JUMfPKP2SXHFW0fsyF3mdxpXtMbRrMTwnQ4TrndAtCs - E0jWC9qM/ktTga5UweS3YkDlQpWQHktgPPRC8nLk2dtGkWLuam7lfFCW93mxrNyYAAlbNQPq8/ld - DvYD+eWB8tviOh5ZcntmST4tCXXZqk6pGByWV8m7EnBRK4ffIoNmgNV5K7UrWBPEI5ZbNbHx9rSl - GNqAiA9T020MJ5qyrCl9mgZTnbmKXiUOcgpr6g== -crypto: - cert: conf/cert.pem - key: conf/key.pem -database: - host: localhost - key: !!binary | - UXFoNGMzdU1kYWJzU195ZDEybUItWnBJbEg5UnNqYndmQWJpcC1xNjFNaz0= - port: 27017 -proxy: - default: - cert: '' - http: '' - https: '' -server: - host: 0.0.0.0 - https: true - port: 8888 -users: -- name: admin - password: caldera diff --git a/Vagrant/scripts/install-caldera-agent.ps1 b/Vagrant/scripts/install-caldera-agent.ps1 deleted file mode 100644 index bb9c202..0000000 --- a/Vagrant/scripts/install-caldera-agent.ps1 +++ /dev/null 
@@ -1,36 +0,0 @@ -# Purpose: Installs the Caldera agent on the host -Write-Host "Installing the Caldera agent..." -$url="https://192.168.38.105:8888/file/render"; $ps_table = $PSVersionTable.PSVersion;If([double]$ps_table.Major -ge 6){iex (irm -Method Post -Uri $url -Headers @{"file"="54ndc47.ps1"} -SkipCertificateCheck);}else{[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$True};$web=New-Object System.Net.WebClient;$web.Headers.Add("file","54ndc47.ps1");$resp=$web.UploadString("$url",'');iex($resp);} - -If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) { - # Add /etc/hosts entry - Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.105 logger" - - # Make the directory - New-Item "c:\Program Files\cagent" -type directory - - # Install Visual Studio 2015 C++ Redistributable - choco install -y vcredist2015 - - # Download cagent and start the service - Write-Host "Downloading Caldera Agent (cagent.exe)" - $cagentPath = "C:\Program Files\cagent\cagent.exe" - $cagentConfPath = "C:\Program Files\cagent\conf.yml" - # GitHub requires TLS 1.2 as of 2/1/2018 - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - (New-Object System.Net.WebClient).DownloadFile('https://github.com/mitre/caldera-agent/releases/download/v0.1.0/cagent.exe', $cagentPath) - # Copy hardocded Caldera config from the Vagrant resources folder - Copy-Item "C:\vagrant\resources\caldera\conf.yml" $cagentConfPath -Force - If (-not (Test-Path "$cagentConfPath" )) { - Write-Host "Caldera Agent configuration failed. Unable to retrieve config from resources folder." - } - Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait - Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait -} Else { - Write-Host "Caldera Agent is already installed. Moving on." 
-} -Start-Sleep 5 -If ((Get-Service -name cagent).Status -ne "Running") { - throw "Caldera Agent service not running" -} -Write-Host "Cagent installation complete!" diff --git a/build.ps1 b/build.ps1 index 1e164a5..f518eb9 100644 --- a/build.ps1 +++ b/build.ps1 @@ -338,10 +338,6 @@ function download { function post_build_checks { - Write-Host '[post_build_checks] Running Caldera Check.' - $CALDERA_CHECK = download -URL 'https://192.168.38.105:8888' -PatternToMatch 'CALDERA' - Write-Host "[post_build_checks] Cladera Result: $CALDERA_CHECK" - Write-Host '[post_build_checks] Running Splunk Check.' $SPLUNK_CHECK = download -URL 'https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F' -PatternToMatch 'This browser is not supported by Splunk' Write-Host "[post_build_checks] Splunk Result: $SPLUNK_CHECK" @@ -354,9 +350,6 @@ function post_build_checks { $ATA_CHECK = download -URL 'https://192.168.38.103' -SuccessOn401 Write-Host "[post_build_checks] ATA Result: $ATA_CHECK" - if ($CALDERA_CHECK -eq $false) { - Write-Warning 'Caldera failed post-build tests and may not be functioning correctly.' - } if ($SPLUNK_CHECK -eq $false) { Write-Warning 'Splunk failed post-build tests and may not be functioning correctly.' } diff --git a/build.sh b/build.sh index 5726158..36b9f44 100755 --- a/build.sh +++ b/build.sh @@ -261,7 +261,6 @@ vagrant_reload_host() { post_build_checks() { # If the curl operation fails, we'll just leave the variable equal to 0 # This is needed to prevent the script from exiting if the curl operation fails - CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.105:8888 | grep -c '302: Found' || echo "") SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "") FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.105:8412 | grep -c 'Kolide Fleet' || echo "") ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.103 -m 2) 
@@ -271,16 +270,13 @@ post_build_checks() { # Associative arrays are only supported in bash 4 and up if [ "$BASH_MAJOR_VERSION" -ge 4 ]; then declare -A SERVICES - SERVICES=(["caldera"]="$CALDERA_CHECK" ["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK") + SERVICES=(["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK") for SERVICE in "${!SERVICES[@]}"; do if [ "${SERVICES[$SERVICE]}" -lt 1 ]; then (echo >&2 "Warning: $SERVICE failed post-build tests and may not be functioning correctly.") fi done else - if [ "$CALDERA_CHECK" -lt 1 ]; then - (echo >&2 "Warning: Caldera failed post-build tests and may not be functioning correctly.") - fi if [ "$SPLUNK_CHECK" -lt 1 ]; then (echo >&2 "Warning: Splunk failed post-build tests and may not be functioning correctly.") fi From 4414718cb8904b95388d29e9fb0d1aafb19cbf35 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 27 Apr 2019 22:37:12 -0700 Subject: [PATCH 3/6] Less verbose apt-get update in TF --- Terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Terraform/main.tf b/Terraform/main.tf index a955455..615d577 100644 --- a/Terraform/main.tf +++ b/Terraform/main.tf @@ -163,7 +163,7 @@ resource "aws_instance" "logger" { "sudo sed -i 's#/usr/local/go/bin/go get -u#GOPATH=/root/go /usr/local/go/bin/go get -u#g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's#/vagrant/resources#/opt/DetectionLab/Vagrant/resources#g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo chmod +x /opt/DetectionLab/Vagrant/bootstrap.sh", - "sudo apt-get update", + "sudo apt-get -qq update", "sudo /opt/DetectionLab/Vagrant/bootstrap.sh", ] connection { From 65381681c9d93fd79ab1df5b043b3b9beee27a12 Mon Sep 17 00:00:00 2001 
From: Chris Long Date: Sat, 27 Apr 2019 22:53:13 -0700 Subject: [PATCH 4/6] Removing remnants of python3.6 and pip --- Vagrant/bootstrap.sh | 22 +-------- ci/manual_machine_bootstrap_vmware.sh | 65 +++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 21 deletions(-) create mode 100644 ci/manual_machine_bootstrap_vmware.sh diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 7085c08..d7cb023 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -15,7 +15,7 @@ apt_install_prerequisites() { } test_prerequisites() { - for package in jq whois build-essential git docker docker-compose unzip + for package in jq whois build-essential git docker docker-compose unzip do echo "[TEST] Validating that $package is correctly installed..." # Loop through each package using dpkg @@ -32,25 +32,6 @@ test_prerequisites() { echo "[+] $package was successfully installed!" fi done - - # One-off support for packages which aren't installed via dpkg - for package in "pip3.6" - do - echo "[TEST] Validating that $package is correctly installed..." - # Loop through each package using which - if ! which $package > /dev/null; then - # If which returns a non-zero return code, try to re-install the package - echo "[-] $package was not found. Attempting to reinstall." - curl https://bootstrap.pypa.io/get-pip.py | sudo -H python3.6 - if ! which $package > /dev/null; then - # If the reinstall fails, give up - echo "[X] Unable to install $package even after a retry. Exiting." - exit 1 - fi - else - echo "[+] $package was successfully installed!" - fi - done } fix_eth1_static_ip() { @@ -391,7 +372,6 @@ test_suricata_prerequisites() { } main() { - install_python_apt_source apt_install_prerequisites test_prerequisites fix_eth1_static_ip diff --git a/ci/manual_machine_bootstrap_vmware.sh b/ci/manual_machine_bootstrap_vmware.sh new file mode 100644 index 0000000..f6ff1cf --- /dev/null +++ b/ci/manual_machine_bootstrap_vmware.sh 
@@ -0,0 +1,65 @@ +#! /bin/bash + +# This script is used to manually prepare an Ubuntu 16.04 server for DetectionLab building + +SERIALNUMBER="TODO" +LICENSEFILE="TODO" + +sed -i 's/archive.ubuntu.com/us.archive.ubuntu.com/g' /etc/apt/sources.list + +if [[ "$VAGRANT_ONLY" -eq 1 ]] && [[ "$PACKER_ONLY" -eq 1 ]]; then + echo "Somehow this build is configured as both packer-only and vagrant-only. This means something has gone horribly wrong." + exit 1 +fi + +# Install VMWare Workstation 15 +apt-get update +apt-get install -y linux-headers-"$(uname -r)" build-essential unzip git ufw apache2 python-pip +pip install awscli --upgrade --user +export PATH=$PATH:/root/.local/bin + +wget -O VMware-Workstation-Full-15.0.4-12990004.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-15.0.4-12990004.x86_64.bundle?HashKey=6f83753e4d9e94da7f920c32b5808033¶ms=%7B%22custnumber%22%3A%22KipkcHRoJWVlZA%3D%3D%22%2C%22sourcefilesize%22%3A%22472.70+MB%22%2C%22dlgcode%22%3A%22WKST-1504-LX%22%2C%22languagecode%22%3A%22en%22%2C%22source%22%3A%22DOWNLOADS%22%2C%22downloadtype%22%3A%22manual%22%2C%22eula%22%3A%22Y%22%2C%22downloaduuid%22%3A%225caee685-d5ad-4f6b-94db-2ddc4f7f3a97%22%2C%22purchased%22%3A%22N%22%2C%22dlgtype%22%3A%22Product+Binaries%22%2C%22productversion%22%3A%2215.0.4%22%2C%22productfamily%22%3A%22VMware+Workstation+Pro%22%7D&AuthKey=1556427011_a994b5252f29429710c077c8dcab1c19" +chmod +x VMware-Workstation-Full-15.0.4-12990004.x86_64.bundle +sudo sh VMware-Workstation-Full-15.0.4-12990004.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER + +echo "building" > /var/www/html/index.html + +# Set up firewall +ufw allow ssh +ufw allow http +ufw default allow outgoing +ufw --force enable + +git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab + +# Install Vagrant +mkdir /opt/vagrant +cd /opt/vagrant || exit 1 +wget --progress=bar:force 
https://releases.hashicorp.com/vagrant/2.2.4/vagrant_2.2.4_x86_64.deb +dpkg -i vagrant_2.2.4_x86_64.deb +vagrant plugin install vagrant-reload +vagrant plugin install vagrant-vmware-desktop +vagrant plugin license vagrant-vmware-desktop $LICENSEFILE +wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.7/vagrant-vmware-utility_1.0.7_x86_64.deb" +dpkg -i vagrant-vmware-utility_1.0.7_x86_64.deb + +# Make the Vagrant instances headless +cd /opt/DetectionLab/Vagrant || exit 1 +sed -i 's/v.gui = true/v.gui = false/g' Vagrantfile + +# Install Packer +mkdir /opt/packer +cd /opt/packer || exit 1 +wget --progress=bar:force https://releases.hashicorp.com/packer/1.3.2/packer_1.3.2_linux_amd64.zip +unzip packer_1.3.2_linux_amd64.zip +cp packer /usr/local/bin/packer + +# Make the Packer images headless +cd /opt/DetectionLab/Packer || exit 1 +for file in *.json; do + sed -i 's/"headless": false,/"headless": true,/g' "$file"; +done + +# Ensure the script is executable +chmod +x /opt/DetectionLab/build.sh +cd /opt/DetectionLab || exit 1 From e1039c8090b3d1ddf287a9f7ce898e4f33d4e132 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 27 Apr 2019 23:07:11 -0700 Subject: [PATCH 5/6] Adding back repository for apt-fast --- Vagrant/bootstrap.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index d7cb023..ad9bf5f 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh 
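Review bot: Every installer this new script fetches — the VMware Workstation bundle, the two Vagrant .debs and the Packer zip — is executed or unpacked as root with no integrity check (`chmod +x` then `sudo sh` on the bundle, `dpkg -i` and `unzip` on the rest), so a tampered or truncated download is installed silently. HashiCorp publishes a `<product>_<version>_SHA256SUMS` file (plus a detached signature) next to every release, so the Vagrant, vagrant-vmware-utility and Packer downloads can be verified before installing as in the excerpt below; for the VMware bundle compare against the checksum the vendor publishes on its download page. The VMware URL also embeds `HashKey`/`AuthKey` query parameters that look like a time-limited, per-account download token, so the link will stop working and should not be committed — take it from a variable alongside `SERIALNUMBER` and `LICENSEFILE`. With no `set -e`, a failed `wget` falls straight through to `dpkg -i` on a missing file; `set -euo pipefail` after the shebang (or the `|| exit 1` already used on the `cd` lines) would stop the run at the first failure.
```shell
# … unchanged: apt-get prerequisites, VMware Workstation install, firewall, git clone …

# Install Vagrant (verify against the checksums HashiCorp publishes with the release)
mkdir /opt/vagrant
cd /opt/vagrant || exit 1
wget --progress=bar:force https://releases.hashicorp.com/vagrant/2.2.4/vagrant_2.2.4_x86_64.deb
wget -q https://releases.hashicorp.com/vagrant/2.2.4/vagrant_2.2.4_SHA256SUMS
grep ' vagrant_2.2.4_x86_64.deb$' vagrant_2.2.4_SHA256SUMS | sha256sum -c - || exit 1
dpkg -i vagrant_2.2.4_x86_64.deb
# … unchanged: vagrant plugin install / license; apply the same SHA256SUMS check to vagrant-vmware-utility …

# Install Packer
mkdir /opt/packer
cd /opt/packer || exit 1
wget --progress=bar:force https://releases.hashicorp.com/packer/1.3.2/packer_1.3.2_linux_amd64.zip
wget -q https://releases.hashicorp.com/packer/1.3.2/packer_1.3.2_SHA256SUMS
grep ' packer_1.3.2_linux_amd64.zip$' packer_1.3.2_SHA256SUMS | sha256sum -c - || exit 1
unzip packer_1.3.2_linux_amd64.zip
# … unchanged: copy packer, headless sed, chmod build.sh …
```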
@@ -6,6 +6,8 @@ echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections;
 sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse" /etc/apt/sources.list
 
 apt_install_prerequisites() {
+ # Add repository for apt-fast
+ add-apt-repository -y ppa:apt-fast/stable
 # Install prerequisites and useful tools
 echo "Running apt-get update..."
 apt-get -qq update
From 88cd120e6e7a25e29081ce04d29d20b070466e90 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Sun, 28 Apr 2019 01:42:25 -0700
Subject: [PATCH 6/6] Don't try to re-disable Defender
---
 Vagrant/scripts/install-redteam.ps1 | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/Vagrant/scripts/install-redteam.ps1 b/Vagrant/scripts/install-redteam.ps1
index b5a3bfe..2e6928a 100644
--- a/Vagrant/scripts/install-redteam.ps1
+++ b/Vagrant/scripts/install-redteam.ps1
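Review bot: The new `add-apt-repository -y ppa:apt-fast/stable` depends on `software-properties-common`, which nothing in `apt_install_prerequisites()` installs; on a minimal 16.04 image the call would fail before `apt-get -qq install -y apt-fast` is reached, and since the function has no error handling the script would continue with apt-fast missing. Consider `apt-get -qq install -y software-properties-common` ahead of it, or at least `command -v add-apt-repository >/dev/null || apt-get -qq install -y software-properties-common`. The comment could also record the trust decision being made here, since the lab's package front-end now comes from a third-party PPA: `# apt-fast is not in the Ubuntu archive; it is pulled from the apt-fast maintainers' PPA`. The body of `apt_install_prerequisites()` continues past the end of the hunk.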
@@ -2,19 +2,7 @@ Write-Host "Installing Red Team Tooling..." - -# Disable Windows Defender realtime scanning before downloading Mimikatz and drop the firewall -If ($env:computername -eq "win10") { - If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender") - { - Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force - } - gpupdate /force | Out-String - Write-Host "Disabling Windows Defender Realtime Monitoring..." - Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools - set-MpPreference -DisableRealtimeMonitoring $true - Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False -} +# Windows Defender should be disabled already by O&O ShutUp10 # Purpose: Downloads and unzips a copy of the latest Mimikatz trunk Write-Host "Determining latest release of Mimikatz..."