2
.gitignore
vendored
2
.gitignore
vendored
@@ -1,5 +1,5 @@
|
||||
Vagrant/.vagrant/*
|
||||
Vagrant/vagrant_build.log
|
||||
Vagrant/vagrant*.log
|
||||
Packer/packer_cache/*
|
||||
Packer/packer_build.log
|
||||
Boxes/*
|
||||
|
||||
@@ -3,10 +3,6 @@ Write-Host "Making Windows 10 Great again"
|
||||
Write-Host "Importing registry keys..."
|
||||
regedit /s a:\MakeWindows10GreatAgain.reg
|
||||
|
||||
# Install Powershell Help items
|
||||
Write-Host "Updating Powershell Help Library..."
|
||||
Update-Help
|
||||
|
||||
# Remove OneDrive from the System
|
||||
Write-Host "Removing OneDrive..."
|
||||
$onedrive = Get-Process onedrive -ErrorAction SilentlyContinue
|
||||
@@ -14,3 +10,11 @@ if ($onedrive) {
|
||||
taskkill /f /im OneDrive.exe
|
||||
}
|
||||
c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
|
||||
|
||||
Update-Help -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Remove Microsoft Store and Edge shortcuts from the taskbar
|
||||
$appname = "Microsoft Edge"
|
||||
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
|
||||
$appname = "Microsoft Store"
|
||||
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
|
||||
|
||||
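Review bot: The two unpin pipelines call `.Verbs()` on the result of the `?{$_.Name -eq $appname}` filter, which is `$null` when that app is not pinned, so on a box where Edge or the Store was already unpinned PowerShell reports "You cannot call a method on a null-valued expression" — noise in the build log at best, a failed provisioner if the runner treats error output as fatal. The shell-namespace lookup is repeated verbatim for both names, and `$exec = $true` is set in both pipelines but not read anywhere in the visible lines. A loop over the two names with a null check keeps the behaviour for pinned items and reports the others instead of erroring.
```powershell
foreach ($appname in @("Microsoft Edge", "Microsoft Store")) {
    $pinned = (New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}
    if ($pinned) {
        $pinned.Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt()}
    } else {
        Write-Host "$appname is not pinned to the taskbar. Moving On."
    }
}
```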
@@ -36,10 +36,14 @@ Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
|
||||
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
|
||||
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
|
||||
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
|
||||
|
||||
# Enable Developer Mode (prerequisite for Linux subsystem)
|
||||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
|
||||
"AllowDevelopmentWithoutDevLicense"=dword:00000001
|
||||
|
||||
# Disable Microsoft People icon from taskbar
|
||||
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People]
|
||||
"PeopleBand"=dword:00000000
|
||||
|
||||
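Review bot: `"AllowDevelopmentWithoutDevLicense"=dword:00000001` turns on Developer Mode machine-wide, which permits sideloading of packages that did not come through the Store; the `# Enable Developer Mode (prerequisite for Linux subsystem)` comment gives the reason but should also say this is a lab-only box, so nobody lifts the block into a hardened image. Separately, the documented comment prefix for Registry Editor files is `;`, and `#` lines are not documented as comments; `regedit /s` may tolerate them, but `; Enable Developer Mode (prerequisite for Linux subsystem)` and `; Disable Microsoft People icon from taskbar` are the safe spelling. Which of these lines are new cannot be told from this rendering, so the comment-prefix point may apply to pre-existing lines as well.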
@@ -9,5 +9,6 @@ winrm set winrm/config/client/auth '@{Basic="true"}'
|
||||
winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port="5985"}'
|
||||
netsh advfirewall firewall set rule group="Windows Remote Administration" new enable=yes
|
||||
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=allow
|
||||
Set-Service winrm -startuptype "auto"
|
||||
sc config winrm start= disabled
|
||||
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v StartWinRM /t REG_SZ /f /d "cmd.exe /c 'sc config winrm start= auto & sc start winrm'"
|
||||
Restart-Service winrm
|
||||
|
||||
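Review bot: `Restart-Service winrm` follows `sc config winrm start= disabled`, and the service control manager refuses to start a service whose start type is Disabled, so the stop half succeeds while the start half should error; if the intent is to leave WinRM down until the RunOnce entry brings it back on the next boot, `Stop-Service winrm` states that directly. The RunOnce value wraps its payload in single quotes, which cmd.exe does not treat as quoting characters, so it appears to try to run a program named `'sc`; `/d "cmd.exe /c sc config winrm start= auto & sc start winrm"` is the form cmd expects — confirm on a real build, since which of these lines are new is not recoverable from this rendering. A one-line comment above the `reg add` saying the RunOnce value is a one-shot re-enable after the final reboot would also help anyone auditing Run/RunOnce keys on the finished box.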
@@ -1,5 +1,8 @@
|
||||
if not exist "C:\Windows\Temp\7z920-x64.msi" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
|
||||
powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'https://astuteinternet.dl.sourceforge.net/project/sevenzip/7-Zip/9.20/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi'" <NUL
|
||||
)
|
||||
if not exist "C:\Windows\Temp\7z920-x64.msi" (
|
||||
powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'http://www.7-zip.org/a/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi')" <NUL
|
||||
)
|
||||
msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
|
||||
|
||||
@@ -15,7 +18,7 @@ if exist "C:\Users\vagrant\windows.iso" (
|
||||
)
|
||||
|
||||
if not exist "C:\Windows\Temp\windows.iso" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://softwareupdate.vmware.com/cds/vmw-desktop/ws/14.1.1/7528167/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://softwareupdate.vmware.com/cds/vmw-desktop/ws/14.1.2/8497320/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL
|
||||
cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\vmware-tools.tar -oC:\Windows\Temp"
|
||||
FOR /r "C:\Windows\Temp" %%a in (VMware-tools-windows-*.iso) DO REN "%%~a" "windows.iso"
|
||||
rd /S /Q "C:\Program Files (x86)\VMWare"
|
||||
@@ -24,6 +27,11 @@ if not exist "C:\Windows\Temp\windows.iso" (
|
||||
cmd /c ""C:\Program Files\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare"
|
||||
cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
|
||||
|
||||
sc query vmtools > NUL
|
||||
IF ERRORLEVEL 1060 cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
|
||||
sc query vmtools > NUL
|
||||
IF ERRORLEVEL 1060 ECHO "Unable to install VMware Tools." & exit /b 1
|
||||
|
||||
rd /Q "C:\Windows\Temp\vmware-tools.tar"
|
||||
rd /Q "C:\Windows\Temp\windows.iso"
|
||||
rd /S /Q "C:\Windows\Temp\VMware"
|
||||
@@ -36,7 +44,7 @@ if exist "C:\Users\vagrant\VBoxGuestAdditions.iso" (
|
||||
)
|
||||
|
||||
if not exist "C:\Windows\Temp\VBoxGuestAdditions.iso" (
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.2.4/VBoxGuestAdditions_5.2.4.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
|
||||
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.2.10/VBoxGuestAdditions_5.2.10.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
|
||||
)
|
||||
|
||||
cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\VBoxGuestAdditions.iso -oC:\Windows\Temp\virtualbox"
|
||||
|
||||
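Review bot: The fallback download in the second `if not exist` block has an unbalanced `)` in `-Outfile 'C:\Windows\Temp\7z920-x64.msi')"`, so that PowerShell command is a parse error and the fallback can never produce the file; drop the stray parenthesis: `powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'http://www.7-zip.org/a/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi'" <NUL`. The MSI is then handed to `msiexec /qb /i` with no integrity check even though one path fetches it from a third-party mirror and the other over plain HTTP; comparing `certutil -hashfile C:\Windows\Temp\7z920-x64.msi SHA256` against a known value (taken from the 7-Zip project, not from this page) before the install closes that gap, and the same applies to the VMware Tools tarball and the VirtualBox Guest Additions ISO fetched over `http://` further down. 7-Zip 9.20 is also a very old release, so a current build is worth considering at the same time.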
@@ -135,8 +135,8 @@
|
||||
"type": "powershell",
|
||||
"scripts": [
|
||||
"./scripts/debloat-windows.ps1",
|
||||
"./scripts/MakeWindows10GreatAgain.ps1",
|
||||
"./scripts/rearm-windows.ps1"
|
||||
"./scripts/rearm-windows.ps1",
|
||||
"./scripts/MakeWindows10GreatAgain.ps1"
|
||||
]
|
||||
},
|
||||
{
|
||||
@@ -170,9 +170,9 @@
|
||||
}
|
||||
],
|
||||
"variables": {
|
||||
"iso_url": "http://care.dlservice.microsoft.com/dl/download/B/8/B/B8B452EC-DD2D-4A8F-A88C-D2180C177624/15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO",
|
||||
"iso_checksum_type": "sha1",
|
||||
"iso_checksum": "6c60f91bf0ad7b20f469ab8f80863035c517f34f",
|
||||
"iso_checksum": "27e4feb9102f7f2b21ebdb364587902a70842fb550204019d1a14b120918e455",
|
||||
"iso_checksum_type": "sha256",
|
||||
"iso_url": "https://software-download.microsoft.com/download/pr/17134.1.180410-1804.rs4_release_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso",
|
||||
"autounattend": "./answer_files/10/Autounattend.xml",
|
||||
"disk_size": "61440"
|
||||
}
|
||||
|
||||
47
Vagrant/Vagrantfile
vendored
47
Vagrant/Vagrantfile
vendored
@@ -12,6 +12,12 @@ Vagrant.configure("2") do |config|
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
v.memory = 2048
|
||||
v.cpus = 1
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.customize ["modifyvm", :id, "--memory", 2048]
|
||||
@@ -25,15 +31,16 @@ Vagrant.configure("2") do |config|
|
||||
config.vm.define "dc" do |cfg|
|
||||
cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
|
||||
cfg.vm.hostname = "dc"
|
||||
|
||||
cfg.vm.boot_timeout = 600
|
||||
# use the plaintext WinRM transport and force it to use basic authentication.
|
||||
# NB this is needed because the default negotiate transport stops working
|
||||
# after the domain controller is installed.
|
||||
# see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
|
||||
cfg.winrm.transport = :plaintext
|
||||
cfg.winrm.basic_auth_only = true
|
||||
|
||||
cfg.vm.communicator = "winrm"
|
||||
cfg.winrm.basic_auth_only = true
|
||||
cfg.winrm.timeout = 300
|
||||
cfg.winrm.retry_limit = 20
|
||||
cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1"
|
||||
|
||||
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.2"
|
||||
@@ -51,8 +58,8 @@ Vagrant.configure("2") do |config|
|
||||
cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: true
|
||||
cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: true
|
||||
cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
|
||||
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
|
||||
cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
|
||||
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
|
||||
cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
|
||||
|
||||
cfg.vm.provider "vmware_fusion" do |v, override|
|
||||
@@ -62,6 +69,13 @@ Vagrant.configure("2") do |config|
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
override.vm.box = "../Boxes/windows_2016_vmware.box"
|
||||
v.memory = 2560
|
||||
v.cpus = 2
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.customize ["modifyvm", :id, "--memory", 2560]
|
||||
@@ -75,8 +89,11 @@ Vagrant.configure("2") do |config|
|
||||
config.vm.define "wef" do |cfg|
|
||||
cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
|
||||
cfg.vm.hostname = "wef"
|
||||
|
||||
cfg.vm.boot_timeout = 600
|
||||
cfg.vm.communicator = "winrm"
|
||||
cfg.winrm.basic_auth_only = true
|
||||
cfg.winrm.timeout = 300
|
||||
cfg.winrm.retry_limit = 20
|
||||
cfg.vm.network :private_network, ip: "192.168.38.3", gateway: "192.168.38.1", dns: "192.168.38.2"
|
||||
|
||||
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.3 -dns 192.168.38.2"
|
||||
@@ -105,6 +122,13 @@ Vagrant.configure("2") do |config|
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
override.vm.box = "../Boxes/windows_2016_vmware.box"
|
||||
v.memory = 2048
|
||||
v.cpus = 2
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.customize ["modifyvm", :id, "--memory", 2048]
|
||||
@@ -118,8 +142,10 @@ Vagrant.configure("2") do |config|
|
||||
config.vm.define "win10" do |cfg|
|
||||
cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
|
||||
cfg.vm.hostname = "win10"
|
||||
|
||||
cfg.vm.communicator = "winrm"
|
||||
cfg.winrm.basic_auth_only = true
|
||||
cfg.winrm.timeout = 300
|
||||
cfg.winrm.retry_limit = 20
|
||||
cfg.vm.network :private_network, ip: "192.168.38.4", gateway: "192.168.38.1", dns: "192.168.38.2"
|
||||
|
||||
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.4 -dns 192.168.38.2"
|
||||
@@ -146,6 +172,15 @@ Vagrant.configure("2") do |config|
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
override.vm.box = "../Boxes/windows_10_vmware.box"
|
||||
v.vmx["gui.fullscreenatpoweron"] = "FALSE"
|
||||
v.vmx["gui.viewModeAtPowerOn"] = "windowed"
|
||||
v.memory = 2048
|
||||
v.cpus = 1
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.customize ["modifyvm", :id, "--memory", 2048]
|
||||
|
||||
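Review bot: `cfg.winrm.basic_auth_only = true` appears twice in the `dc` definition, once beside `cfg.winrm.transport = :plaintext` and once after `cfg.vm.communicator`; if both survive on the new side the second is redundant and one should go — this rendering does not show which is added. The comment block justifying `:plaintext` explains the negotiate breakage but not its consequence: the vagrant credentials and every provisioner payload cross the wire unencrypted, which is acceptable only because 192.168.38.0/24 is a host-only network, and one sentence saying so keeps the next reader from copying the setting into a reachable environment, e.g. `# NB plaintext+basic sends the vagrant password in the clear; acceptable only on the host-only 192.168.38.0/24 network`. The `Vagrant.configure` block these hunks belong to starts and ends outside them.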
@@ -8,6 +8,22 @@ echo "deb http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.
|
||||
apt-get update
|
||||
apt-get install -y jq whois build-essential git docker docker-compose unzip mongodb-org
|
||||
|
||||
# Fix static IP if it's not set correctly
|
||||
ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
|
||||
if [ "$ETH1_IP" != "192.168.38.5" ]; then
|
||||
echo "Incorrect IP Address settings detected. Attempting to fix."
|
||||
ifdown eth1
|
||||
ip addr flush dev eth1
|
||||
ifup eth1
|
||||
ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
|
||||
if [ "$ETH1_IP" == "192.168.38.5" ]; then
|
||||
echo "The static IP has been fixed and set to 192.168.38.5"
|
||||
else
|
||||
echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Install Python 3.6.4
|
||||
echo "Installing Python v3.6.4..."
|
||||
wget https://www.python.org/ftp/python/3.6.4/Python-3.6.4.tgz
|
||||
@@ -41,9 +57,9 @@ else
|
||||
# Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
|
||||
dig @8.8.8.8 splunk.com
|
||||
# Download Splunk
|
||||
wget --progress=bar:force -O splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.2&product=splunk&filename=splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb&wget=true'
|
||||
dpkg -i splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb
|
||||
/opt/splunk/bin/splunk start --accept-license
|
||||
wget --progress=bar:force -O splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.1&product=splunk&filename=splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb&wget=true'
|
||||
dpkg -i splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb
|
||||
/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
|
||||
/opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
|
||||
@@ -73,6 +89,7 @@ git clone https://github.com/kolide/kolide-quickstart.git
|
||||
cd kolide-quickstart
|
||||
cp /vagrant/resources/fleet/server.* .
|
||||
sed -i 's/ -it//g' demo.sh
|
||||
sed -i 's#kolide/fleet:latest#kolide/fleet:1.0.8#g' docker-compose.yml
|
||||
./demo.sh up simple
|
||||
# Set the enrollment secret to match what we deploy to Windows hosts
|
||||
docker run --rm --network=kolidequickstart_default mysql:5.7 mysql -h mysql -u kolide --password=kolide -e 'update app_configs set osquery_enroll_secret = "enrollmentsecret" where id=1;' --batch kolide
|
||||
|
||||
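Review bot: The static-IP check parses `ifconfig eth1 | grep 'inet addr'`, which only matches the older net-tools output format; on a release whose `ifconfig` prints `inet 192.168.38.5` without `addr:`, `ETH1_IP` is always empty, the repair branch runs on every boot and then exits 1 even though the address was right. `ETH1_IP=$(ip -4 -o addr show dev eth1 | awk '{print $4}' | cut -d/ -f1)` reads the address independently of that format (both occurrences). The Splunk lines further down seed the admin password with `--seed-passwd changeme` and repeat it in each `-auth 'admin:changeme'`, and the Fleet line passes `--password=kolide` and a fixed enrollment secret on the command line; for a lab that is a convention, but a comment stating these are intentionally weak, lab-only defaults would stop them being reused, and holding them in a variable keeps the literals in one place.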
@@ -1,9 +1,8 @@
|
||||
# Purpose: Sets up the Server and Workstations OUs
|
||||
Write-Host "Sleeping for 30 seconds, then creating Server and Workstation OUs"
|
||||
Start-Sleep 30
|
||||
Write-Host "Creating Servers OU"
|
||||
Write-Host "Creating Server and Workstation OUs..."
|
||||
Write-Host "Creating Servers OU..."
|
||||
if (!([ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")))
|
||||
{
|
||||
{
|
||||
New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
|
||||
}
|
||||
else
|
||||
|
||||
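Review bot: Dropping `Start-Sleep 30` leaves nothing between the provisioner start and `[ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")`, so if the sleep was covering the window in which AD DS is still coming up after the promotion reboot, the check may now fail or return false and `New-ADOrganizationalUnit` error out; a bounded wait on the directory answering is more robust than either a fixed delay or none. Which of the `Write-Host` lines are new is not recoverable here, and the rest of the script is outside the hunk.
```powershell
# Wait for AD DS to answer before touching the OUs (replaces the fixed 30s sleep)
$tries = 0
while (-not (Get-ADDomain -ErrorAction SilentlyContinue) -and $tries -lt 30) {
    Start-Sleep 5
    $tries++
}
# … unchanged: OU existence checks and New-ADOrganizationalUnit calls …
```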
@@ -54,7 +54,7 @@ else
|
||||
{
|
||||
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
|
||||
}
|
||||
$OU = "ou=Workstations,dc=windomain,dc=local"
|
||||
$OU = "ou=Workstations,dc=windomain,dc=local"
|
||||
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
|
||||
$GPO = Get-GPO -Name $GPOName
|
||||
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
|
||||
@@ -67,7 +67,3 @@ else
|
||||
}
|
||||
|
||||
gpupdate /force
|
||||
# Enable WinRM
|
||||
Write-Host "Enabling WinRM"
|
||||
winrm qc /q:true
|
||||
Write-Host "Rebooting to make settings take effect..."
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
|
||||
# The items from this config file are used later in install-osquery.ps1
|
||||
Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
|
||||
|
||||
$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
|
||||
@@ -9,8 +10,8 @@ if (-not (Test-Path $osqueryRepoPath))
|
||||
Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
|
||||
Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
|
||||
}
|
||||
else
|
||||
else
|
||||
{
|
||||
Write-Host "$osqueryRepoPath already exists. Moving On."
|
||||
}
|
||||
Write-Host "Palantir OSQuery download complete!"
|
||||
Write-Host "Palantir osquery config download complete!"
|
||||
|
||||
@@ -15,4 +15,4 @@ else
|
||||
{
|
||||
Write-Host "$wefRepoPath already exists. Moving On."
|
||||
}
|
||||
Write-Host "Palantir WEF download complete!"
|
||||
Write-Host "Palantir WEF download complete!"
|
||||
|
||||
@@ -1,31 +1,26 @@
|
||||
# Source: https://github.com/StefanScherer/adfs2
|
||||
param ([String] $ip, [String] $dns)
|
||||
|
||||
if (Test-Path C:\Users\vagrant\enable-winrm-after-customization.bat) {
|
||||
Write-Host "Nothing to do in vCloud."
|
||||
exit 0
|
||||
}
|
||||
if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
|
||||
Write-Host "Nothing to do for other providers than VMware."
|
||||
exit 0
|
||||
}
|
||||
Write-Host "Setting IP address and DNS information for the Ethernet1 interface"
|
||||
Write-Host "If this step times out, it's because vagrant is connecting to the VM on the wrong interface"
|
||||
Write-Host "See https://github.com/clong/DetectionLab/issues/114 for more information"
|
||||
|
||||
$subnet = $ip -replace "\.\d+$", ""
|
||||
|
||||
$name = (Get-NetIPAddress -AddressFamily IPv4 `
|
||||
| Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
|
||||
).InterfaceAlias
|
||||
|
||||
if (!$name) {
|
||||
$name = (Get-NetIPAddress -AddressFamily IPv4 `
|
||||
| Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
|
||||
).InterfaceAlias
|
||||
}
|
||||
|
||||
if ($name) {
|
||||
Write-Host "Set IP address to $ip of interface $name"
|
||||
& netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
|
||||
|
||||
if ($dns) {
|
||||
Write-Host "Set DNS server address to $dns of interface $name"
|
||||
& netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1
|
||||
|
||||
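Review bot: `$ip` is interpolated straight into `netsh.exe int ip set address` with no validation, and a value that is not a dotted quad silently yields a bogus `$subnet` and gateway (`"$subnet.1"`); since the script takes caller-supplied args from the Vagrantfile, `param ([ValidatePattern('^\d{1,3}(\.\d{1,3}){3}$')][String] $ip, [String] $dns)` fails fast on a typo instead of half-configuring the interface. The netsh calls' exit codes are also not checked, so a failed address change only surfaces later as the vagrant timeout that the new `Write-Host` lines warn about; testing `$LASTEXITCODE` after each `& netsh.exe` and throwing would report it at the source. If `Get-NetIPAddress` returns more than one matching interface, `$name` becomes an array and the quoted `"$name"` argument joins the aliases with a space — presumably not the case on this box, but worth a comment. The `if ($name)` block continues past the hunk.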
@@ -3,8 +3,7 @@
|
||||
Write-Host "Installing AutorunsToWinEventLog..."
|
||||
If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
|
||||
{
|
||||
cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
|
||||
.\Install.ps1
|
||||
. c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1
|
||||
Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
|
||||
Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
|
||||
$Tsk = Get-ScheduledTask -TaskName "AutorunsToWinEventLog"
|
||||
@@ -13,7 +12,7 @@ If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
|
||||
throw "AutorunsToWinEventLog scheduled tasks wasn't running after starting it"
|
||||
}
|
||||
}
|
||||
else
|
||||
else
|
||||
{
|
||||
Write-Host "AutorunsToWinEventLog already installed. Moving On."
|
||||
}
|
||||
|
||||
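Review bot: The `cd` into the AutorunsToWinEventLog directory is gone and `Install.ps1` is now dot-sourced by absolute path, so if that script refers to its sibling files relatively, it now resolves them against the provisioner's working directory rather than its own; that is not visible from this hunk, so check that Install.ps1 uses `$PSScriptRoot` before relying on the change. Dot-sourcing also runs the downloaded script in this script's scope, so any variables or functions it defines leak into the rest of the provisioner; `& 'c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1'` runs it for its side effects without that.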
@@ -1,7 +1,6 @@
|
||||
# Purpose: Installs the Caldera agent on the host
|
||||
|
||||
if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
|
||||
{
|
||||
If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
|
||||
# Add /etc/hosts entry
|
||||
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 logger"
|
||||
|
||||
@@ -21,13 +20,15 @@ if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
|
||||
# Ignore SSL warning for conf file download
|
||||
# https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
|
||||
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
|
||||
If (-not (Test-Path "$cagentConfPath" )) {
|
||||
Write-Host "Caldera Agent configuration failed. Unable to retrieve config from logger"
|
||||
}
|
||||
Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
|
||||
Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
|
||||
Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
|
||||
} Else {
|
||||
Write-Host "Caldera Agent is already installed. Moving on."
|
||||
}
|
||||
If ((Get-Service -name cagent).Status -ne "Running")
|
||||
{
|
||||
If ((Get-Service -name cagent).Status -ne "Running") {
|
||||
throw "Caldera Agent service not running"
|
||||
}
|
||||
Write-Host "Cagent installation complete!"
|
||||
|
||||
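Review bot: The new `If (-not (Test-Path "$cagentConfPath" ))` block only prints a message and then falls through to the `Start-Process -FilePath $cagentPath ... 'install'` calls, so the agent is installed and started without its config; `throw "Caldera Agent configuration failed. Unable to retrieve config from logger"` in place of the `Write-Host` stops the provisioner at the real cause rather than at the later service check. The `ServerCertificateValidationCallback = {$true}` assignment disables TLS certificate validation for every later HTTPS call in the process, not just the `conf.yml` download; resetting it to `$null` right after the download, with a comment naming the self-signed logger endpoint as the reason, keeps the bypass scoped to what it was added for. The enclosing `If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))` block opens in the earlier hunk.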
@@ -1,12 +1,12 @@
|
||||
# Purpose: Installs a Splunk Universal Forwader on the host
|
||||
|
||||
If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
|
||||
Write-Host "Downloading Splunk"
|
||||
$msiFile = $env:Temp + "\splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi"
|
||||
Write-Host "Downloading Splunk Universal Forwarder"
|
||||
$msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
|
||||
|
||||
Write-Host "Installing & Starting Splunk"
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi&wget=true', $msiFile)
|
||||
Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 /quiet' -Wait
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
|
||||
Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
|
||||
} Else {
|
||||
Write-Host "Splunk is already installed. Moving on."
|
||||
}
|
||||
|
||||
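Review bot: `SPLUNKPASSWORD=changeme` is now part of the `msiexec.exe` argument list, so the forwarder's admin password is visible in the process command line — and this lab installs Sysmon with process-creation logging, so the value lands in the event log and, if that channel is among the forwarded inputs, on the indexer via the very agent being installed. For a lab that is probably acceptable, but a comment stating it is an intentional lab default that must match the indexer seed would prevent reuse, and holding it in a variable rather than a literal inside the quoted argument string keeps the two in one place. The MSI is installed with no hash check; the download is over HTTPS, so that is a lower-priority item here.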
@@ -24,23 +24,35 @@ $sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
|
||||
$tcpviewPath = "C:\Tools\Sysinternals\Tcpview.exe"
|
||||
$sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
|
||||
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/Autoruns64.exe" -OutFile $autorunsPath
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile $procmonPath
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec64.exe" -OutFile $psexecPath
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/procexp64.exe" -OutFile $procexpPath
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sysmonPath
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
|
||||
|
||||
# Microsoft likes TLSv1.2 as well
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
Write-Host "Downloading Autoruns64.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Autoruns64.exe', $autorunsPath)
|
||||
Write-Host "Downloading Procmon.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Procmon.exe', $procmonPath)
|
||||
Write-Host "Downloading PsExec64.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/PsExec64.exe', $psexecPath)
|
||||
Write-Host "Downloading procexp64.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/procexp64.exe', $procexpPath)
|
||||
Write-Host "Downloading Sysmon64.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe', $sysmonPath)
|
||||
Write-Host "Downloading Tcpview.exe..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Tcpview.exe', $tcpviewPath)
|
||||
Copy-Item $sysmonPath $sysmonDir
|
||||
|
||||
# Download SwiftOnSecurity's Sysmon config
|
||||
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonConfigPath"
|
||||
Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
|
||||
# Alternative: Download Olaf Hartongs Sysmon config (more CPU intensive)
|
||||
# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml, "$sysmonConfigPath"
|
||||
|
||||
# Convert Sysmon config schema from 3.30 to 4.0 per GitHub Issue #38
|
||||
(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
|
||||
|
||||
# Convert Schema from 3.30 to 4.0 per GitHub Issue #38
|
||||
(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
|
||||
|
||||
# Startup Sysmon
|
||||
# Start Sysmon
|
||||
Write-Host "Starting Sysmon..."
|
||||
Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
|
||||
Write-Host "Verifying that the Sysmon service is running..."
|
||||
Start-Sleep 5 # Give the service time to start
|
||||
If ((Get-Service -name Sysmon64).Status -ne "Running")
|
||||
{
|
||||
throw "The Sysmon service did not start successfully"
|
||||
}
|
||||
|
||||
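Review bot: `Sysmon64.exe` is downloaded from live.sysinternals.com and then installed as a driver-backed service with no check that the binary is the one Microsoft signed; the switch to `WebClient` keeps that gap. Sysinternals binaries carry an Authenticode signature, so `if ((Get-AuthenticodeSignature $sysmonPath).Status -ne 'Valid') { throw "Sysmon64.exe signature check failed" }` before the `Copy-Item` is a cheap guard for the one download here that gains kernel-level privileges. The commented-out alternative on the `# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/...` line is missing the closing `'` and `)`, so whoever uncomments it gets a parse error; fixing it while it is inert is cheap. The schema-conversion block appears twice in this rendering; presumably one copy is the removed side with the older comment, which cannot be confirmed here.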
@@ -3,24 +3,21 @@
|
||||
If (-not (Test-Path "C:\ProgramData\chocolatey")) {
|
||||
Write-Host "Installing Chocolatey"
|
||||
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
|
||||
}
|
||||
else {
|
||||
} else {
|
||||
Write-Host "Chocolatey is already installed."
|
||||
}
|
||||
|
||||
Write-Host "Installing atom, Notepad++, Chrome, WinRar, and Mimikatz."
|
||||
choco install -y atom
|
||||
Write-Host "Installing Notepad++, Chrome, WinRar, PowerSploit and Mimikatz."
|
||||
If ($(hostname) -eq "win10") {
|
||||
# Because the Windows10 start menu sucks
|
||||
choco install -y classic-shell -installArgs ADDLOCAL=ClassicStartMenu
|
||||
}
|
||||
choco install -y NotepadPlusPlus
|
||||
choco install -y GoogleChrome
|
||||
choco install -y WinRar
|
||||
Write-Host $env:LOCALAPPDATA
|
||||
$env:PATH="$env:PATH;$env:LOCALAPPDATA\atom\bin"
|
||||
apm install language-powershell
|
||||
apm install language-batch
|
||||
apm install language-docker
|
||||
|
||||
# Disable Windows Defender realtime scanning before downloading Mimikatz
|
||||
If ($env:computername -eq "WIN10") {
|
||||
If ($env:computername -eq "win10") {
|
||||
If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
|
||||
{
|
||||
Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
|
||||
@@ -28,7 +25,7 @@ If ($env:computername -eq "WIN10") {
|
||||
gpupdate /force | Out-String
|
||||
Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
|
||||
set-MpPreference -DisableRealtimeMonitoring $true
|
||||
|
||||
|
||||
}
|
||||
|
||||
# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
|
||||
@@ -37,7 +34,6 @@ Write-Host "Determining latest release of Mimikatz..."
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
|
||||
$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
|
||||
|
||||
$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
|
||||
if (-not (Test-Path $mimikatzRepoPath))
|
||||
{
|
||||
@@ -48,8 +44,19 @@ else
|
||||
{
|
||||
Write-Host "Mimikatz was already installed. Moving On."
|
||||
}
|
||||
# Enable realtime monitoring again, now that exclusion is set for mimikatz
|
||||
If ($env:computername -eq "WIN10") {
|
||||
set-MpPreference -DisableRealtimeMonitoring $false
|
||||
|
||||
# Download and unzip a copy of PowerSploit
|
||||
Write-Host "Downloading Powersploit..."
|
||||
# GitHub requires TLS 1.2 as of 2/27
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
|
||||
$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
|
||||
if (-not (Test-Path $powersploitRepoPath)) {
|
||||
Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
|
||||
Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
|
||||
Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
|
||||
} else {
|
||||
Write-Host "PowerSploit was already installed. Moving On."
|
||||
}
|
||||
Write-Host "Utilties installation complete!"
|
||||
|
||||
Write-Host "Utilties installation complete!"
|
||||
|
||||
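Review bot: The block that re-enabled Defender real-time monitoring (`# Enable realtime monitoring again...` / `set-MpPreference -DisableRealtimeMonitoring $false`) sits where the removed side of the `@@ -48,8 +44,19` hunk would be, while `set-MpPreference -DisableRealtimeMonitoring $true` in the earlier hunk stays, so after this change the win10 box appears to be left with real-time protection off permanently — which side the block is on cannot be confirmed from this rendering. If that is intended, the `# Disable Windows Defender realtime scanning before downloading Mimikatz` comment should say it is never turned back on and why, given that the `C:\Tools` exclusion is also set. The new PowerSploit step fetches `archive/master.zip`, an unpinned moving target, and copies it into `$Env:windir\System32\WindowsPowerShell\v1.0\Modules`, the machine-wide module path, so every PowerShell session on the box auto-loads whatever master contained on build day; pinning to a tag or commit and recording it in a comment keeps the provenance reviewable. `Utilties` in the final `Write-Host` is a typo for `Utilities`.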
2
build.sh
2
build.sh
@@ -233,7 +233,7 @@ vagrant_up_host() {
|
||||
HOST="$1"
|
||||
(echo >&2 "Attempting to bring up the $HOST host using Vagrant")
|
||||
cd "$DL_DIR"/Vagrant || exit 1
|
||||
VAGRANT_LOG=info $(which vagrant) up "$HOST" --provider="$PROVIDER" 3>&1 1>&2 2>&3 | tee -a "$DL_DIR/Vagrant/vagrant_build.log"
|
||||
$(which vagrant) up "$HOST" --provider="$PROVIDER" 2> "$DL_DIR/Vagrant/vagrant_up_$HOST.log"
|
||||
echo "$?"
|
||||
}
|
||||
|
||||
|
||||
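Review bot: The new `$(which vagrant) up "$HOST" ...` line keeps `which` in an unquoted command substitution; if `vagrant` is not on the PATH the substitution is empty and the shell runs `up` as the command, and `which` is not portable. `vagrant up "$HOST" --provider="$PROVIDER" 2> "$DL_DIR/Vagrant/vagrant_up_$HOST.log"` does the same thing and lets the function's existing `echo "$?"` report vagrant's own status (the earlier `| tee` form reported tee's unless `pipefail` was set). The replacement also drops `VAGRANT_LOG=info` and the append to the shared `vagrant_build.log`, so the per-host log now holds stderr alone; if that log is what users are asked to attach to bug reports, `> "$DL_DIR/Vagrant/vagrant_up_$HOST.log" 2>&1` would keep both streams. `vagrant_up_host()` opens at the hunk header and its closing brace is the last line of the hunk.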