Initial commit

This commit is contained in:
Chris Long
2017-12-11 08:49:25 -08:00
commit 1577341ce9
157 changed files with 5271 additions and 0 deletions

Vagrant/scripts/bginfo-simple.bgi Executable file



Vagrant/scripts/bginfo.bgi Executable file



@@ -0,0 +1,13 @@
# Purpose: Installs the GPOs for the custom WinEventLog auditing policy.
Write-Host "Configuring auditing policy GPOS..."
Write-Host "Importing Domain Controller Enhanced Auditing Policy..."
Import-GPO -BackupGpoName 'Domain Controllers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName 'Domain Controllers Enhanced Auditing Policy' -CreateIfNeeded
New-GPLink -Name 'Domain Controllers Enhanced Auditing Policy' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
Write-Host "Importing Servers Enhanced Auditing Policy..."
Import-GPO -BackupGpoName 'Servers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName 'Servers Enhanced Auditing Policy' -CreateIfNeeded
New-GPLink -Name 'Servers Enhanced Auditing Policy' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes
Write-Host "Importing Workstations Enhanced Auditing Policy..."
Import-GPO -BackupGpoName 'Workstations Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName 'Workstations Enhanced Auditing Policy' -CreateIfNeeded
New-GPLink -Name 'Workstations Enhanced Auditing Policy' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes
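Review bot: Import-GPO and New-GPLink fail non-terminatingly, so a missing backup folder under `c:\vagrant\resources\GPO` or a mistyped `-BackupGpoName` leaves an auditing policy unlinked while the provisioner still reports success. Add `-ErrorAction Stop` to each Import-GPO and New-GPLink call (or set `$ErrorActionPreference = 'Stop'` at the top) so the Vagrant run fails loudly. Unlike the other GPO scripts in this commit, this one does not end with `gpupdate /force`; if that is intentional because a reboot follows, a comment saying so would help the next reader.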


@@ -0,0 +1,12 @@
# Purpose: Sets up the Server and Workstations OUs
Write-Host "Sleeping for 30 seconds, then creating Server and Workstation OUs"
Start-Sleep 30
Write-Host "Creating Servers OU"
New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
Write-Host "Creating Workstations OU"
New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
# Sysprep breaks auto-login. Let's restore it here:
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
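Review bot: The three Set-ItemProperty calls at the end store the `vagrant` password in clear text under HKLM\...\Winlogon\DefaultPassword, a key any local account can read; that is acceptable for a lab, but say so in place, e.g. `# Lab-only: clear-text autologon password, readable by any local user`. The fixed `Start-Sleep 30` before New-ADOrganizationalUnit is a guess at when AD Web Services is up; polling `Get-ADDomain -Server dc.windomain.local` in a short retry loop would be more robust. New-ADOrganizationalUnit also errors when the OU already exists, so a re-provision prints errors; a `Get-ADOrganizationalUnit -Filter` check before each call would make the script idempotent.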


@@ -0,0 +1,6 @@
# Purpose: Install the GPO that specifies the WEF collector
Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded
New-GPLink -Name 'Powershell Logging' -Target "dc=windomain,dc=local" -Enforced yes
New-GPLink -Name 'Powershell Logging' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
gpupdate /force
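Review bot: The header comment at the top of this hunk is copied from the WEF script and is wrong — this file imports the PowerShell logging GPO, not the collector GPO; replace it with `# Purpose: Installs the GPO that enables PowerShell Module, ScriptBlock and Transcription logging.` The second New-GPLink onto `ou=Domain Controllers` looks redundant with the link at the domain root, since the DC OU inherits domain-level links unless inheritance is blocked there; if the extra link is deliberate, a one-line comment explaining why would save a question.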


@@ -0,0 +1,42 @@
# Purpose: Configure an SMB share for Powershell transcription logs to be written to
# Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
Write-Host "Configuring the Powershell Transcripts Share"
md c:\pslogs
## Kill all inherited permissions
$acl = Get-Acl c:\pslogs
$acl.SetAccessRuleProtection($true, $false)
## Grant Administrators full control
$administrators = [System.Security.Principal.NTAccount] "Administrators"
$permission = $administrators,"FullControl","ObjectInherit,ContainerInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.AddAccessRule($accessRule)
## Grant everyone else Write and ReadAttributes. This prevents users from listing
## transcripts from other machines on the domain.
$everyone = [System.Security.Principal.NTAccount] "Everyone"
$permission = $everyone,"Write,ReadAttributes","ObjectInherit,ContainerInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.AddAccessRule($accessRule)
## TODO: Leaving this commented out so Splunk Forwader can read these files
## Might be a way to leave this permission intact but still allow Splunk
## Deny "Creator Owner" everything. This prevents users from
## viewing the content of previously written files.
#$creatorOwner = [System.Security.Principal.NTAccount] "Creator Owner"
#$permission = $creatorOwner,"FullControl","ObjectInherit,ContainerInherit","InheritOnly","Deny"
#$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
#$acl.AddAccessRule($accessRule)
## Set the ACL
$acl | Set-Acl c:\pslogs\
## Create the SMB Share, granting Everyone the right to read and write files. Specific
## actions will actually be enforced by the ACL on the file folder.
New-SmbShare -Name pslogs -Path c:\pslogs -ChangeAccess Everyone
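Review bot: With the "Creator Owner" deny left commented out (the TODO block), each writing host stays the owner of its transcript files, and an owner keeps implicit READ_CONTROL and WRITE_DAC regardless of the DACL, so a process running as that account can re-ACL its own transcript to read, alter or delete it — which defeats the tamper-evidence this folder is meant to provide. Rather than dropping the deny, grant the account the Splunk forwarder runs as an explicit Read ACE on `c:\pslogs` (same pattern as the Administrators ACE above) and keep the Creator Owner deny; whether the forwarder runs as LocalSystem, which the Administrators ACE already covers, is not visible in this hunk and worth confirming. `md c:\pslogs` also fails on a re-run once the folder exists; `New-Item -ItemType Directory -Force c:\pslogs | Out-Null` is idempotent.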


@@ -0,0 +1,16 @@
# Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger
Write-Host "Importing the GPO to specify the WEF collector"
Import-GPO -BackupGpoName 'Windows Event Forwarding Server' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Windows Event Forwarding Server' -CreateIfNeeded
New-GPLink -Name 'Windows Event Forwarding Server' -Target "dc=windomain,dc=local" -Enforced yes
New-GPLink -Name 'Windows Event Forwarding Server' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
Write-Host "Importing the GPO to modify ACLs on Custom Event Channels"
Import-GPO -BackupGPOName 'Custom Event Channel Permissions' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Custom Event Channel Permissions' -CreateIfNeeded
New-GPLink -Name 'Custom Event Channel Permissions' -Target "dc=windomain,dc=local" -Enforced yes
New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes
New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes
gpupdate /force
# Enable WinRM
Write-Host "Enabling WinRM"
winrm qc /q:true
Write-Host "Rebooting to make settings take effect..."


@@ -0,0 +1,55 @@
# Purpose: Creates the "windomain.local" domain
# Source: https://github.com/StefanScherer/adfs2
param ([String] $ip)
$subnet = $ip -replace "\.\d+$", ""
if ((gwmi win32_computersystem).partofdomain -eq $false) {
Write-Host 'Installing RSAT tools'
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
Write-Host 'Creating domain controller'
# Disable password complexity policy
secedit /export /cfg C:\secpol.cfg
(gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY
rm -force C:\secpol.cfg -confirm:$false
# Set administrator password
$computerName = $env:COMPUTERNAME
$adminPassword = "vagrant"
$adminUser = [ADSI] "WinNT://$computerName/Administrator,User"
$adminUser.SetPassword($adminPassword)
$PlainPassword = "vagrant" # "P@ssw0rd"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
# Windows Server 2016 R2
Install-WindowsFeature AD-domain-services
Import-Module ADDSDeployment
Install-ADDSForest `
-SafeModeAdministratorPassword $SecurePassword `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "7" `
-DomainName "windomain.local" `
-DomainNetbiosName "WINDOMAIN" `
-ForestMode "7" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$true `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
$newDNSServers = "8.8.8.8", "4.4.4.4"
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -And ($_.IPAddress).StartsWith($subnet) }
if ($adapters) {
Write-Host Setting DNS
$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
}
Write-Host "Setting timezone to UTC"
c:\windows\system32\tzutil.exe /s "UTC"
Write-Host "Excluding NAT interface from DNS"
}
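Review bot: `4.4.4.4` in `$newDNSServers = "8.8.8.8", "4.4.4.4"` is not a Google resolver (the secondary is 8.8.4.4), so the second forwarder is a dead entry; change it to `$newDNSServers = "8.8.8.8", "8.8.4.4"`. The `Write-Host "Excluding NAT interface from DNS"` at the end is followed by no action, so either code was lost or the message should go. Disabling password complexity via secedit and setting both the local Administrator and the DSRM password to the literal `vagrant` are lab choices that deserve a `# Lab-only:` comment, since anyone reusing this script for a real forest inherits a trivially guessable DSRM password.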


@@ -0,0 +1,7 @@
# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
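Review bot: The archive is fetched from `archive/master.zip`, an unpinned moving branch, and its contents become the osquery configuration pushed to every endpoint, so the lab's detection config changes silently whenever upstream does and a hijacked upstream commit lands here unnoticed. Pin to a tag or commit SHA (`.../archive/<sha>.zip`) and compare `Get-FileHash $osqueryRepoPath` against a known value before `Expand-Archive`. The fixed path under `C:\Users\vagrant\AppData\Local\Temp` also assumes the provisioner runs as `vagrant`; `$env:TEMP` follows whichever account actually runs it.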


@@ -0,0 +1,7 @@
# Purpose: Downloads and unzips a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
Write-Host "Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github..."
$wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip'
Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath
Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
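Review bot: Same unpinned `archive/master.zip` download as the osquery script, but here the payload is later installed as a DLL in System32 and as WEF subscriptions on the collector, so an upstream change or compromise ends up running as SYSTEM; pin to a commit SHA and verify `Get-FileHash $wefRepoPath` before expanding. The destination path hard-codes the `vagrant` profile; `$env:TEMP` is the portable equivalent.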


@@ -0,0 +1,35 @@
# Source: https://github.com/StefanScherer/adfs2
param ([String] $ip, [String] $dns)
if (Test-Path C:\Users\vagrant\enable-winrm-after-customization.bat) {
Write-Host "Nothing to do in vCloud."
exit 0
}
if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
Write-Host "Nothing to do for other providers than VMware."
exit 0
}
$subnet = $ip -replace "\.\d+$", ""
$name = (Get-NetIPAddress -AddressFamily IPv4 `
| Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
).InterfaceAlias
if (!$name) {
$name = (Get-NetIPAddress -AddressFamily IPv4 `
| Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
).InterfaceAlias
}
if ($name) {
Write-Host "Set IP address to $ip of interface $name"
& netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
if ($dns) {
Write-Host "Set DNS server address to $dns of interface $name"
& netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1
}
} else {
Write-Error "Could not find a interface with subnet $subnet.xx"
}
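Review bot: `Write-Error` in the else branch does not change the script's exit status, so a Vagrant run that cannot find the interface still reports success and the host keeps whatever address it had; follow it with `exit 1`. The gateway `"$subnet.1"` and mask `255.255.255.0` are baked in alongside the `-replace "\.\d+$"` subnet derivation, which only holds for /24 networks; a comment stating that assumption (or a `$gateway` parameter) would make the limitation explicit.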


@@ -0,0 +1,7 @@
# Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
# TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk
Write-Host "Installing AutorunsToWinEventLog..."
cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
.\Install.ps1
Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
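Review bot: If the `cd` into the extracted repo fails (download or extraction did not run, or the archive's top-level folder was renamed), the error is non-terminating and `.\Install.ps1` then executes whatever script of that name sits in the current directory; use `Set-Location ... -ErrorAction Stop` so the install aborts instead. The script also runs code from an unpinned `master` checkout as an administrator; that is inherited from the download script, but a one-line comment here makes the trust assumption visible where it is acted on.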


@@ -0,0 +1,20 @@
# Installs BGInfo on the host for easy identification
# Source: https://github.com/StefanScherer/adfs2
if (!(Test-Path 'c:\Program Files\sysinternals')) {
New-Item -Path 'c:\Program Files\sysinternals' -type directory -Force -ErrorAction SilentlyContinue
}
if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
(New-Object Net.WebClient).DownloadFile('http://live.sysinternals.com/bginfo.exe', 'c:\Program Files\sysinternals\bginfo.exe')
}
$vbsScript = @'
WScript.Sleep 15000
Dim objShell
Set objShell = WScript.CreateObject( "WScript.Shell" )
objShell.Run("""c:\Program Files\sysinternals\bginfo.exe"" /accepteula ""c:\Program Files\sysinternals\bginfo.bgi"" /silent /timer:0")
'@
$vbsScript | Out-File 'c:\Program Files\sysinternals\bginfo.vbs'
Copy-Item "C:\vagrant\scripts\bginfo.bgi" 'c:\Program Files\sysinternals\bginfo.bgi'
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name bginfo -Value 'wscript "c:\Program Files\sysinternals\bginfo.vbs"'
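Review bot: bginfo.exe is downloaded over plain HTTP (`http://live.sysinternals.com/bginfo.exe`) and then registered in the Run key to execute at every logon, so an on-path attacker during provisioning gains persistent code execution; the Sysinternals script elsewhere in this commit already uses `https://live.sysinternals.com`, so change this to `https://live.sysinternals.com/bginfo.exe` for consistency. Sysinternals binaries are Microsoft-signed, so a `(Get-AuthenticodeSignature $path).Status -eq 'Valid'` check after the download would close the gap cheaply.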


@@ -0,0 +1,16 @@
# Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts
Write-Host "Setting up Splunk Inputs for Sysmon & osquery"
$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
Write-Host "Stopping the Splunk forwarder"
Stop-Service splunkforwarder
Write-Host "Deleting the default configuration"
Remove-Item $inputsPath
Write-Host "Copying over the custom configuration"
Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
Write-Host "Starting the Splunk forwarder"
Start-Service splunkforwarder
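Review bot: Nothing checks that the forwarder is installed before `Stop-Service`, `Remove-Item` and `Copy-Item` run, and all three fail non-terminatingly, so on a host where the MSI install did not complete the script prints errors and still exits 0. Guard with `if (-not (Test-Path $inputsPath)) { throw "Splunk forwarder not installed" }` or set `$ErrorActionPreference = 'Stop'` at the top so the Vagrant run stops on the first failure.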


@@ -0,0 +1,40 @@
# Purpose: Installs osquery on the host
# Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
# If you would like to have osquery run without TLS & Fleet, uncomment line 15 and comment lines 21-30.
Write-Host "Installing osquery"
$packsDir = "c:\programdata\osquery\packs"
choco install -y osquery | Out-String # Apparently Out-String makes the process wait
$service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'"
If (-not ($service)) {
Write-Host "Setting osquery to run as a service"
Start-Process -FilePath "c:\programdata\osquery\osqueryd\osqueryd.exe" -ArgumentList "--install" -Wait
# Copy over the config and packs from the Palantir repo
Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Endpoints\Windows\*" "c:\ProgramData\osquery"
Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Endpoints\packs" -Path "c:\ProgramData\osquery"
## Use the TLS config by default. Un-comment the line below to use the local configuration and avoid connecting to Fleet.
# Copy-Item "c:\ProgramData\osquery\osquery_no_tls.flags" -Path "c:\ProgramData\osquery\osquery.flags" -Force
### --- TLS CONFIG BEGINS ---
### COMMENT ALL LINES BELOW UNTIL "TLS CONFIG ENDS" if using local configuration
## Add entry to hosts file for Kolide for SSL validation
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 kolide"
## Add kolide secret and avoid BOM
$Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
[System.IO.File]::WriteAllLines("c:\ProgramData\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)
## Change TLS server hostname
(Get-Content c:\ProgramData\osquery\osquery.flags) -replace 'tls.endpoint.server.com', 'kolide:8412' | Set-Content c:\ProgramData\osquery\osquery.flags
## Change path to secrets
(Get-Content c:\ProgramData\osquery\osquery.flags) -replace 'path\\to\\file\\containing\\secret.txt', 'ProgramData\osquery\kolide_secret.txt' | Set-Content c:\ProgramData\osquery\osquery.flags
## Add certfile.crt
Copy-Item "c:\vagrant\resources\fleet\server.crt" "c:\ProgramData\osquery\certfile.crt"
### --- TLS CONFIG ENDS ---
Stop-service osqueryd
Start-Sleep -s 5
Start-Service osqueryd
}
else {
Write-Host "osquery is already installed"
}
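Review bot: `Copy-Item "...\Endpoints\packs" -Path "c:\ProgramData\osquery"` binds the named `-Path` to the destination string and the positional argument to `-Destination`, so it appears to copy `c:\ProgramData\osquery` into the temp packs folder rather than the other way round; the intended line is `Copy-Item "...\Endpoints\packs" -Destination "c:\ProgramData\osquery" -Recurse` (the commented-out `osquery_no_tls.flags` line has the same inversion). `$packsDir` is assigned and never used, and the header comment's "line 15" / "lines 21-30" references no longer match the file. The enrollment secret `enrollmentsecret` is written in clear text to `kolide_secret.txt`; fine for a lab, but flag it with `# Lab-only: static Fleet enrollment secret, rotate for any real deployment`.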


@@ -0,0 +1,13 @@
# Purpose: Installs a Splunk Universal Forwader on the host
If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
Write-Host "Downloading Splunk"
$msiFile = $env:Temp + "\splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi"
Write-Host "Installing & Starting Splunk"
(New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi&wget=true', $msiFile)
Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 /quiet' -Wait
} Else {
Write-Host "Splunk is already installed. Moving on."
}
Write-Host "Splunk installation complete!"


@@ -0,0 +1,40 @@
# Purpose: Installs a handful of SysInternals tools on the host into c:\Tools\Sysinternals
$sysinternalsDir = "C:\Tools\Sysinternals"
$sysmonDir = "C:\ProgramData\Sysmon"
If(!(test-path $sysinternalsDir)) {
New-Item -ItemType Directory -Force -Path $sysinternalsDir
} Else {
Write-Host "Tools directory exists. Exiting."
exit
}
If(!(test-path $sysmonDir)) {
New-Item -ItemType Directory -Force -Path $sysmonDir
} Else {
Write-Host "Sysmon directory exists. Exiting."
exit
}
$autorunsPath = "C:\Tools\Sysinternals\Autoruns64.exe"
$procmonPath = "C:\Tools\Sysinternals\Procmon.exe"
$psexecPath = "C:\Tools\Sysinternals\PsExec64.exe"
$procexpPath = "C:\Tools\Sysinternals\procexp64.exe"
$sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
$tcpviewPath = "C:\Tools\Sysinternals\Tcpview.exe"
$sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
Invoke-WebRequest -Uri "https://live.sysinternals.com/Autoruns64.exe" -OutFile $autorunsPath
Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile $procmonPath
Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec64.exe" -OutFile $psexecPath
Invoke-WebRequest -Uri "https://live.sysinternals.com/procexp64.exe" -OutFile $procexpPath
Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sysmonPath
Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
Copy-Item $sysmonPath $sysmonDir
# Download SwiftOnSecurity's Sysmon config
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonDir\sysmonConfig.xml"
# Startup Sysmon
Write-Host "Starting Sysmon..."
Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
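Review bot: The early `exit` when `C:\Tools\Sysinternals` already exists makes the directory stand in for "Sysmon is installed", so a run that created the directory but failed a download never installs Sysmon on re-provision; key the guard on the service instead, e.g. `if (Get-Service Sysmon64 -ErrorAction SilentlyContinue) { Write-Host "Sysmon already installed"; exit }`, and let the downloads run idempotently. The Sysmon config is pulled from the `master` branch of SwiftOnSecurity/sysmon-config, so the detection rules drift silently; pin to a commit or keep a vetted copy under `c:\vagrant\resources`. The `Start-Process` that installs Sysmon has no `-Wait`, so later scripts have no guarantee the driver is loaded when they run.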


@@ -0,0 +1,25 @@
# Purpose: Installs chocolatey package manager, then installs custom utilities from Choco and adds syntax highlighting for Powershell, Batch, and Docker. Also installs Mimikatz into c:\Tools\Mimikatz.
If (-not (Test-Path "C:\ProgramData\chocolatey")) {
Write-Host "Installing Chocolatey"
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
}
else {
Write-Host "Chocolatey is already installed."
}
Write-Host "Installing atom, Notepad++, Chrome, WinRar, and Mimikatz."
choco install -y atom
choco install -y NotepadPlusPlus
choco install -y GoogleChrome
choco install -y WinRar
Write-Host $env:LOCALAPPDATA
$env:PATH="$env:PATH;$env:LOCALAPPDATA\atom\bin"
apm install language-powershell
apm install language-batch
apm install language-docker
# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
Invoke-WebRequest -Uri "https://github.com/gentilkiwi/mimikatz/releases/download/2.1.1-20171203/mimikatz_trunk.zip" -OutFile $mimikatzRepoPath
Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
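Review bot: `$mimikatzRepoPath = '...\osquery-Master.zip'` reuses the osquery archive's file name, so the Mimikatz download overwrites it if both scripts run on the same host, and the comment above it is copied from the osquery script; rename it to `'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'` and replace the comment with `# Downloads and unzips the Mimikatz release into c:\Tools\Mimikatz`. The Chocolatey bootstrap `iex ((new-object net.webclient).DownloadString(...))` executes remote content as administrator with no pin or hash; that is the documented install method, but label it in a comment as a trust-on-first-use step. The Mimikatz release is at least pinned to `2.1.1-20171203`; a `Get-FileHash` check against the release's published hash would close the loop.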


@@ -0,0 +1,27 @@
# Purpose: Imports the custom Windows Event Channel and XML subscriptions on the WEF host
# Note: This only needs to be installed on the WEF server
Write-Host "Installing WEF Subscriptions"
Write-Host "Copying Custom Event Channels DLL"
Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll c:\windows\system32
Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man c:\windows\system32
Write-Host "Installing Custom Event Channels Manifest"
wevtutil im "c:\windows\system32\CustomEventChannels.man"
Write-Host "Resizing Channels to 4GB"
$xml = wevtutil el | select-string -pattern "WEC"
foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
Write-Host "Starting the Windows Event Collector Service"
net start wecsvc
Write-Host "Creating custom event subscriptions"
cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
cmd /c "for /r %i in (*.xml) do wecutil cs %i"
Write-Host "Enabling custom event subscriptions"
cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
Write-Host "Enabling WecUtil Quick Config"
wecutil qc /q:true
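Review bot: `CustomEventChannels.dll` is copied into System32 and registered with `wevtutil im`, so it is loaded by the Event Log service as SYSTEM, yet it comes from the unpinned `master` archive fetched earlier with no hash or signature check; at minimum compare `Get-FileHash` of the DLL against a value kept under `c:\vagrant\resources` before the copy. The `cmd /c "for /r %i in (*.xml) do wecutil cs %i"` loops leave `%i` unquoted, so they break on paths containing spaces (the current temp path has none), and `wecutil ss %~ni` assumes each subscription's name equals its file name, which is not verified here. The `cd` before the loops is not error-checked, so a missing directory makes the loops silently iterate over whatever folder the shell was already in.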


@@ -0,0 +1,29 @@
# Purpose: Installs the Windows Splunk Technial Add-On
# Note: This only needs to be installed on the WEF server
Write-Host "Installing the Windows TA for Splunk"
If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
Write-Host "Windows TA is already installed. Moving on."
Exit
}
# Install Windows TA (this only needs to be done on the WEF server)
$windowstaPath = "C:\vagrant\resources\splunk_forwarder\splunk-add-on-for-microsoft-windows_483.tgz"
$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
Write-Host "Installing the Windows TA"
Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" -ArgumentList "install app $windowstaPath -auth admin:changeme" -NoNewWindow
# Create local directory
New-Item -ItemType Directory -Force -Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local"
Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath
# Add a check here to make sure the TA was installed correctly
Write-Host "Sleeping for 15 seconds"
start-sleep -s 15
If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
Write-Host "Windows TA installed successfully."
} Else {
Write-Host "Something went wrong during installation."
exit 1
}
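Review bot: `Start-Process splunk.exe install app ... -auth admin:changeme` is launched without `-Wait`, and the following `start-sleep -s 15` then guesses when it finished; add `-Wait -PassThru`, test `.ExitCode`, and drop the sleep so the `default` directory check below reflects the real outcome. The `admin:changeme` credential is the forwarder's factory password and is passed on the command line, where it is visible in process listings and in the transcripts this lab collects; expected for a lab, but mark it with `# Lab-only: default UF admin credential`.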

29
Vagrant/scripts/join-domain.ps1 Executable file

@@ -0,0 +1,29 @@
# Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
# Source: https://github.com/StefanScherer/adfs2
Write-Host 'Join the domain'
Write-Host "First, set DNS to DC to join the domain"
$newDNSServers = "192.168.38.2"
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
Write-Host "Now join the domain"
$hostname = $(hostname)
$user = "windomain.local\vagrant"
$pass = ConvertTo-SecureString "vagrant" -AsPlainText -Force
$DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
# Place the computer in the correct OU based on hostname
If ($hostname -eq "wef") {
Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru
} ElseIf ($hostname -eq "win10") {
Write-Host "Adding Win10 to the domain. Sometimes this step times out when using VMWare. If that happens, just run 'vagrant reload win10 --provision'" #debug
Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local"
} Else {
Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru
}
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
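Review bot: `Add-Computer` failures are non-terminating, so when the join fails (the win10 branch's own comment says it sometimes times out) the script still writes the autologon values and Vagrant reports a successful provision; add `-ErrorAction Stop` to each `Add-Computer` call so the failure surfaces. The `DefaultPassword` value stores `vagrant` in clear text in a world-readable HKLM key, as in the DC script; label it `# Lab-only: clear-text autologon credential`. The domain credential is built from a literal password; reading it from a Vagrant-supplied environment variable would keep the secret out of the repository.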


@@ -0,0 +1,48 @@
# Purpose: Sets timezone to UTC, sets hostname, creates/joins domain.
# Source: https://github.com/StefanScherer/adfs2
$box = Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -Name "ComputerName"
$box = $box.ComputerName.ToString().ToLower()
Write-Host "Setting timezone to UTC"
c:\windows\system32\tzutil.exe /s "UTC"
if ($env:COMPUTERNAME -imatch 'vagrant') {
Write-Host 'Hostname is still the original one, skip provisioning for reboot'
Write-Host 'Install bginfo'
. c:\vagrant\scripts\install-bginfo.ps1
Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
} elseif ((gwmi win32_computersystem).partofdomain -eq $false) {
Write-Host -fore red "Current domain is set to 'workgroup'. Time to join the domain!"
if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
Write-Host 'Install bginfo'
. c:\vagrant\scripts\install-bginfo.ps1
}
if ($env:COMPUTERNAME -imatch 'dc') {
. c:\vagrant\scripts\create-domain.ps1 192.168.38.2
} else {
. c:\vagrant\scripts\join-domain.ps1
}
Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
} else {
Write-Host -fore green "I am domain joined!"
if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
Write-Host 'Install bginfo'
. c:\vagrant\scripts\install-bginfo.ps1
}
Write-Host 'Provisioning after joining domain'
# $script = "c:\vagrant\scripts\provision-" + $box + ".ps1"
# . $script
}
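Review bot: `$env:COMPUTERNAME -imatch 'dc'` is an unanchored regex, so any future hostname containing "dc" (a `wdc01` workstation, say) would be promoted to a domain controller; use `-ieq 'dc'` or anchor it with `-imatch '^dc$'`. The `-imatch 'vagrant'` check above it is presumably meant to detect the untouched base-box hostname and should say so in a comment. The commented-out `provision-$box.ps1` dispatch at the bottom should either be wired up or removed so readers do not expect per-host provisioning to happen here.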