diff --git a/Azure/Ansible/roles/wef/tasks/main.yml b/Azure/Ansible/roles/wef/tasks/main.yml
index 3681b50..d1bed68 100644
--- a/Azure/Ansible/roles/wef/tasks/main.yml
+++ b/Azure/Ansible/roles/wef/tasks/main.yml
@@ -92,6 +92,15 @@
- debug: msg="{{ pstranscriptshare.stdout_lines }}"
+- name: Installing the EVTX Event Samples
+ win_shell: ".\\install-evtx-attack-samples.ps1"
+ args:
+ chdir: 'c:\vagrant\scripts'
+ register: evtxeventsamples
+ failed_when: "'Exception' in evtxeventsamples.stdout"
+
+- debug: msg="{{ evtxeventsamples.stdout_lines }}"
+
- name: Installing Microsoft Advanced Threat Analytics
win_shell: ".\\install-microsoft-ata.ps1"
args:
diff --git a/Azure/README.md b/Azure/README.md
index e0a6a3b..7703d0a 100644
--- a/Azure/README.md
+++ b/Azure/README.md
@@ -85,6 +85,7 @@ If you run into any issues along the way, please open an issue on Github and I'l
* If an Ansible playbook fails (and they sometimes do), you can pick up where it left off with `ansible-playbook -vvv detectionlab.yml --tags="hostname-goes-here" --start-at-task="taskname"`
* "Installing Red Team Tooling" hangs if AV isn't disabled successfully
* It seems like sometimes the logger provisioning "errors" somewhere and causes the box to become tained, despite the provision being successful. Work around this by untainting it: `terraform untaint azurerm_virtual_machine.dc`
+* If running Ansible causes a `fork()` related error message, set the following environment variable before running Ansible: `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES`. More on this [here](https://github.com/clong/DetectionLab/issues/543).
## Future work required
* It probably makes sense to abstract all of the logic in `bootstrap.sh` into individual Ansible tasks
diff --git a/Azure/Terraform/main.tf b/Azure/Terraform/main.tf
index 7e3fb0c..ebcf9c3 100644
--- a/Azure/Terraform/main.tf
+++ b/Azure/Terraform/main.tf
@@ -266,8 +266,10 @@ resource "azurerm_virtual_machine" "logger" {
}
inline = [
"sudo add-apt-repository universe && sudo apt-get -qq update && sudo apt-get -qq install -y git",
+ "sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config && sudo service ssh restart",
"echo 'logger' | sudo tee /etc/hostname && sudo hostnamectl set-hostname logger",
"sudo adduser --disabled-password --gecos \"\" vagrant && echo 'vagrant:vagrant' | sudo chpasswd",
+ "echo 'vagrant:vagrant' | sudo chpasswd",
"sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh",
"echo 'vagrant ALL=(ALL:ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers",
"sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab",
diff --git a/Azure/build_ansible_inventory.sh b/Azure/build_ansible_inventory.sh
index d0ed6a0..516cdc6 100755
--- a/Azure/build_ansible_inventory.sh
+++ b/Azure/build_ansible_inventory.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
# This script is used to populate the Azure Ansible inventory.yml with
# the results of "terraform output"
diff --git a/ESXi/Packer/ubuntu1804_esxi.json b/ESXi/Packer/ubuntu1804_esxi.json
index a6b6747..77d8a3d 100644
--- a/ESXi/Packer/ubuntu1804_esxi.json
+++ b/ESXi/Packer/ubuntu1804_esxi.json
@@ -90,8 +90,8 @@
"esxi_password": "",
"headless": "false",
"guest_additions_url": "",
- "iso_checksum": "sha256:e2ecdace33c939527cbc9e8d23576381c493b071107207d2040af72595f8990b",
- "iso_name": "ubuntu-18.04.4-server-amd64.iso",
+ "iso_checksum": "sha256:8c5fc24894394035402f66f3824beb7234b757dd2b5531379cb310cedfdf0996",
+ "iso_name": "ubuntu-18.04.5-server-amd64.iso",
"memory": "4096",
"mirror": "http://cdimage.ubuntu.com",
"mirror_directory": "ubuntu/releases/18.04.4/release",
diff --git a/ESXi/README.md b/ESXi/README.md
index ca916a0..8e2a464 100644
--- a/ESXi/README.md
+++ b/ESXi/README.md
@@ -23,6 +23,15 @@ NOTE: This is an early release and it's possible that certain features may not w
1. **(5 Minutes)** Edit the variables in `DetectionLab/ESXi/Packer/variables.json` to match your ESXi configuration. The `esxi_network_with_dhcp_and_internet` variable refers to any ESXi network that will be able to provide DHCP and internet access to the VM while it's being built in Packer.
+Note: As per ESXI 7.x, built-in VNC server has been removed from distribution (https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html). If you are using ESXI 7.x, you need to:
+* Upgrade Packer to 1.6.3+, we need to use `vnc_over_websocket` instead of old vnc configuration : [see packer issue](https://github.com/hashicorp/packer/issues/8984), [changelog](https://github.com/hashicorp/packer/blob/master/CHANGELOG.md)
+* Add two config to windows_10_esxi.json, windows_2016_esxi.json, ubuntu1804_esxi.json like this:
+```
+"vnc_over_websocket": true,
+"insecure_connection": true,
+```
+Ref: https://www.virtuallyghetto.com/2020/10/quick-tip-vmware-iso-builder-for-packer-now-supported-with-esxi-7-0.html
+
2. **(45 Minutes)** From the `DetectionLab/ESXi/Packer` directory, run:
* `PACKER_CACHE_DIR=../../Packer/packer_cache packer build -var-file variables.json windows_10_esxi.json`
* `PACKER_CACHE_DIR=../../Packer/packer_cache packer build -var-file variables.json windows_2016_esxi.json`
@@ -41,7 +50,7 @@ These commands can be run in parallel from three separate terminal sessions.
8. **(3 Minute)s** Edit `DetectionLab/ESXi/resources/01-netcfg.yaml`. These are the IP addresses that will be applied to the logger network interfaces. These should be be able to be found in your ESXi console or from the Terraform outputs.
9. **(3 Minute)** Before running any Ansible playbooks, I highly recommend taking snapshots of all your VMs! If anything goes wrong with provisioning, you can simply restore the snapshot and easily debug the issue.
10. Change your directory to `DetectionLab/ESXi/Ansible`
-11. **(30 Minutes)** Run `ansible-playbook -vvv detectionlab.yml`
+11. **(30 Minutes)** Run `ansible-playbook -vvv detectionlab.yml` - If running Ansible causes a `fork()` related error message, set the following environment variable before running Ansible: `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES`. More on this [here](https://github.com/clong/DetectionLab/issues/543).
12. If all goes well, you should see the following and your lab is complete!
diff --git a/ESXi/ansible/roles/dc/tasks/main.yml b/ESXi/ansible/roles/dc/tasks/main.yml
index 72b1a74..c16bb9e 100644
--- a/ESXi/ansible/roles/dc/tasks/main.yml
+++ b/ESXi/ansible/roles/dc/tasks/main.yml
@@ -10,10 +10,10 @@
when: res.reboot_required
- name: Set HostOnly IP Address
- win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.102 –PrefixLength 24 -DefaultGateway 192.168.38.1"
+ win_shell: "New-NetIPAddress –InterfaceAlias Ethernet1 –AddressFamily IPv4 -IPAddress 192.168.38.102 –PrefixLength 24 -DefaultGateway 192.168.38.1"
- name: Set DNS Address
- win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 127.0.0.1,8.8.8.8"
+ win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet1 -ServerAddresses 127.0.0.1,8.8.8.8"
- name: Install git
win_chocolatey:
diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml
index 89b72e2..30f5681 100644
--- a/ESXi/ansible/roles/logger/tasks/main.yml
+++ b/ESXi/ansible/roles/logger/tasks/main.yml
@@ -219,11 +219,6 @@
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_144.tgz -auth 'admin:changeme'
- ## Fix a bug with the ThreatHunting App (https://github.com/olafhartong/ThreatHunting/pull/57)
- mv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmonevencodes.csv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmoneventcodes.csv
- sed -i 's/= sysmoneventcode /= sysmoneventcodes.csv /g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
- sed -i 's/sysmoneventcode.csv/sysmoneventcodes.csv/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
-
# Install the Maxmind license key for the ASNgen App
if [ ! -z $MAXMIND_LICENSE ]; then
mkdir /opt/splunk/etc/apps/TA-asngen/local
@@ -231,8 +226,17 @@
sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
fi
+ # Replace the props.conf for Sysmon TA and Windows TA
+ # Removed all the 'rename = xmlwineventlog' directives
+ # I know youre not supposed to modify files in "default",
+ # but for some reason adding them to "local" wasnt working
+ cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf
+ cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf
+
# Add custom Macro definitions for ThreatHunting App
cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
+ # Fix props.conf in ThreatHunting App
+ sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
# Fix Windows TA macros
mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local
@@ -263,8 +267,6 @@
dismissedInstrumentationOptInVersion = 4
notification_python_3_impact = false
display.page.home.dashboardId = /servicesNS/nobody/search/data/ui/views/logger_dashboard' > /opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf
- # Disable the instrumentation popup
- echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >>/opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
# Enable SSL Login for Splunk
echo -e "[settings]\nenableSplunkWebSSL = true" >/opt/splunk/etc/system/local/web.conf
# Copy over the Logger Dashboard
@@ -275,8 +277,6 @@
# Reboot Splunk to make changes take effect
/opt/splunk/bin/splunk restart
/opt/splunk/bin/splunk enable boot-start
- # Generate the ASN lookup table
- /opt/splunk/bin/splunk search "|asngen | outputlookup asn" -auth 'admin:changeme'
fi
register: install_splunk
changed_when: "'The Splunk web interface is at https://logger:8000' in install_splunk.stdout"
diff --git a/ESXi/ansible/roles/wef/tasks/main.yml b/ESXi/ansible/roles/wef/tasks/main.yml
index 6c8b91a..bc8cbf6 100644
--- a/ESXi/ansible/roles/wef/tasks/main.yml
+++ b/ESXi/ansible/roles/wef/tasks/main.yml
@@ -11,11 +11,11 @@
# This needs to be made idempodent
- name: Set HostOnly IP Address
- win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.103 –PrefixLength 24 -DefaultGateway 192.168.38.1"
+ win_shell: "New-NetIPAddress –InterfaceAlias Ethernet1 –AddressFamily IPv4 -IPAddress 192.168.38.103 –PrefixLength 24 -DefaultGateway 192.168.38.1"
# This needs to be made idempodent
- name: Set HostOnly DNS Address
- win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 192.168.38.102,8.8.8.8"
+ win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet1 -ServerAddresses 192.168.38.102,8.8.8.8"
- name: Install git
win_chocolatey:
@@ -106,6 +106,15 @@
- debug: msg="{{ pstranscriptshare.stdout_lines }}"
+- name: Installing the EVTX Event Samples
+ win_shell: ".\\install-evtx-attack-samples.ps1"
+ args:
+ chdir: 'c:\vagrant\scripts'
+ register: evtxeventsamples
+ failed_when: "'Exception' in evtxeventsamples.stdout"
+
+- debug: msg="{{ evtxeventsamples.stdout_lines }}"
+
- name: Installing Microsoft Advanced Threat Analytics
win_shell: ".\\install-microsoft-ata.ps1"
args:
diff --git a/ESXi/ansible/roles/win10/tasks/main.yml b/ESXi/ansible/roles/win10/tasks/main.yml
index e277e43..03f443a 100644
--- a/ESXi/ansible/roles/win10/tasks/main.yml
+++ b/ESXi/ansible/roles/win10/tasks/main.yml
@@ -10,10 +10,10 @@
when: res.reboot_required
- name: Set HostOnly IP Address
- win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.104 –PrefixLength 24 -DefaultGateway 192.168.38.1"
+ win_shell: "New-NetIPAddress –InterfaceAlias Ethernet1 –AddressFamily IPv4 -IPAddress 192.168.38.104 –PrefixLength 24 -DefaultGateway 192.168.38.1"
- name: Set HostOnly DNS Address
- win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 192.168.38.102,8.8.8.8"
+ win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet1 -ServerAddresses 192.168.38.102,8.8.8.8"
- name: Install git
win_chocolatey:
diff --git a/ESXi/main.tf b/ESXi/main.tf
index 8e58641..1714a99 100644
--- a/ESXi/main.tf
+++ b/ESXi/main.tf
@@ -86,12 +86,6 @@ resource "esxi_guest" "dc" {
mac_address = "00:50:56:a1:b1:c2"
nic_type = "e1000"
}
- # OPTIONAL: You can comment out this interface stanza if your vm_network provides internet access
- network_interfaces {
- virtual_network = var.nat_network
- mac_address = "00:50:56:a1:b1:c3"
- nic_type = "e1000"
- }
# This is the local network that will be used for 192.168.38.x addressing
network_interfaces {
virtual_network = var.hostonly_network
@@ -121,12 +115,6 @@ resource "esxi_guest" "wef" {
mac_address = "00:50:56:a1:b2:c2"
nic_type = "e1000"
}
- # OPTIONAL: You can comment out this interface stanza if your vm_network provides internet access
- network_interfaces {
- virtual_network = var.nat_network
- mac_address = "00:50:56:a1:b3:c3"
- nic_type = "e1000"
- }
# This is the local network that will be used for 192.168.38.x addressing
network_interfaces {
virtual_network = var.hostonly_network
@@ -156,12 +144,6 @@ resource "esxi_guest" "win10" {
mac_address = "00:50:56:a2:b1:c2"
nic_type = "e1000"
}
- # OPTIONAL: You can comment out this interface stanza if your vm_network provides internet access
- network_interfaces {
- virtual_network = var.nat_network
- mac_address = "00:50:56:a2:b1:c3"
- nic_type = "e1000"
- }
# This is the local network that will be used for 192.168.38.x addressing
network_interfaces {
virtual_network = var.hostonly_network
diff --git a/ESXi/variables.tf b/ESXi/variables.tf
index 369626a..41a23b3 100644
--- a/ESXi/variables.tf
+++ b/ESXi/variables.tf
@@ -22,10 +22,6 @@ variable "vm_network" {
default = "VM Network"
}
-variable "nat_network" {
- default = "NAT Network"
-}
-
variable "hostonly_network" {
default = "HostOnly Network"
}
diff --git a/ESXi/versions.tf b/ESXi/versions.tf
new file mode 100644
index 0000000..f4d2f64
--- /dev/null
+++ b/ESXi/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ esxi = {
+ source = "josenk/esxi"
+ version = "1.8.0"
+ }
+ }
+}
diff --git a/HyperV/bootstrap.sh b/HyperV/bootstrap.sh
index 59476a0..738125e 100644
--- a/HyperV/bootstrap.sh
+++ b/HyperV/bootstrap.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
# Override existing DNS Settings using netplan, but don't do it for Terraform builds
if ! curl -s 169.254.169.254 --connect-timeout 2 >/dev/null; then
diff --git a/Packer/scripts/download-microsoft-ata.ps1 b/Packer/scripts/download-microsoft-ata.ps1
new file mode 100644
index 0000000..af6e0fb
--- /dev/null
+++ b/Packer/scripts/download-microsoft-ata.ps1
@@ -0,0 +1,44 @@
+# Purpose: Downloads, installs and configures Microsft ATA 1.9
+$title = "Microsoft ATA 1.9"
+$downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso"
+$fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash
+
+# Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
+If (-not("SSLValidator" -as [type])) {
+ add-type -TypeDefinition @"
+using System;
+using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+public static class SSLValidator {
+ public static bool ReturnTrue(object sender,
+ X509Certificate certificate,
+ X509Chain chain,
+ SslPolicyErrors sslPolicyErrors) { return true; }
+
+ public static RemoteCertificateValidationCallback GetDelegate() {
+ return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue);
+ }
+}
+"@
+}
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
+
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
+# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
+$ProgressPreference = 'SilentlyContinue'
+Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
+$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
+If (-not ($actualHash -eq $fileHash)) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
+ Remove-Item -Path "c:\$title.iso" -Force
+ bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
+ If (-not ($actualHash -eq $fileHash)) {
+ Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
+ }
+}
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Microsoft ATA sucessfully downloaded to c:\$title.iso !"
\ No newline at end of file
diff --git a/Packer/scripts/vm-guest-tools.ps1 b/Packer/scripts/vm-guest-tools.ps1
index 7148696..9771cd1 100644
--- a/Packer/scripts/vm-guest-tools.ps1
+++ b/Packer/scripts/vm-guest-tools.ps1
@@ -38,7 +38,16 @@ if ("$env:PACKER_BUILDER_TYPE" -eq "vmware-iso") {
}
cmd /c "C:\PROGRA~1\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare
- cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
+ cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v "/qn REBOOT=R"
+ $software = "VMware Tools";
+ $installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where { $_.DisplayName -eq $software }) -ne $null
+
+ If (-Not $installed) {
+ Write-Host "'$software' did not install successfully. Quitting.";
+ exit 1
+ } Else {
+ Write-Host "'$software' was installed successfully."
+ }
Remove-Item -Force "C:\Windows\Temp\vmware-tools.tar"
Remove-Item -Force "C:\Windows\Temp\windows.iso"
diff --git a/Packer/windows_2016.json b/Packer/windows_2016.json
index d549ddb..83a7716 100644
--- a/Packer/windows_2016.json
+++ b/Packer/windows_2016.json
@@ -143,7 +143,8 @@
"type": "powershell",
"scripts": [
"./scripts/vm-guest-tools.ps1",
- "./scripts/debloat-windows.ps1"
+ "./scripts/debloat-windows.ps1",
+ "./scripts/download-microsoft-ata.ps1"
]
},
{
diff --git a/README.md b/README.md
index 1ba94c2..84793df 100644
--- a/README.md
+++ b/README.md
@@ -100,6 +100,7 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer]
* [Velociraptor](https://github.com/Velocidex/velociraptor)
* [BadBlood](https://github.com/davidprowe/BadBlood)
* [PurpleSharp](https://github.com/mvelazc0/PurpleSharp)
+* [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES)
# DetectionLab Sponsors
#### Lated updated: 9/16/2020
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 3601edb..74c12e2 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -136,6 +136,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-evtx-attack-samples.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -170,7 +171,7 @@ Vagrant.configure("2") do |config|
lv.graphics_type = "spice"
lv.video_type = "qxl"
lv.input :type => "tablet", :bus => "usb"
- override.vm.box = "../Boxes/windows_2016_libvirt.box"
+ override.vm.box = "../Boxes/windows_2016_libvirt.box"
lv.video_vram = 32768
lv.memory = 2048
lv.cpus = 2
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index e93bfb7..99c9080 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
# Override existing DNS Settings using netplan, but don't do it for Terraform builds
if ! curl -s 169.254.169.254 --connect-timeout 2 >/dev/null; then
@@ -154,6 +154,7 @@ install_splunk() {
/opt/splunk/bin/splunk add index zeek -auth 'admin:changeme'
/opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
/opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
+ /opt/splunk/bin/splunk add index evtx_attack_samples -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_110.tgz -auth 'admin:changeme'
diff --git a/Vagrant/post_build_checks.sh b/Vagrant/post_build_checks.sh
index 6d7935b..c66280f 100755
--- a/Vagrant/post_build_checks.sh
+++ b/Vagrant/post_build_checks.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
# This script is meant to verify that DetectionLab was built successfully.
# Only MacOS and Linux are supported. Use post_build_checks.ps1 for Windows.
diff --git a/Vagrant/prepare.sh b/Vagrant/prepare.sh
index c90a116..090dfcd 100755
--- a/Vagrant/prepare.sh
+++ b/Vagrant/prepare.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
# This script is meant to verify that your system is configured to
# build DetectionLab successfully.
diff --git a/Vagrant/resources/GPO/rdp_users/manifest.xml b/Vagrant/resources/GPO/rdp_users/manifest.xml
index fd766e0..c8f230f 100644
--- a/Vagrant/resources/GPO/rdp_users/manifest.xml
+++ b/Vagrant/resources/GPO/rdp_users/manifest.xml
@@ -1 +1 @@
-
\ No newline at end of file
+
\ No newline at end of file
diff --git a/Vagrant/resources/GPO/rdp_users/rdp_users.migtable b/Vagrant/resources/GPO/rdp_users/rdp_users.migtable
new file mode 100644
index 0000000..b18a278
Binary files /dev/null and b/Vagrant/resources/GPO/rdp_users/rdp_users.migtable differ
diff --git a/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/Backup.xml b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/Backup.xml
new file mode 100644
index 0000000..93964de
--- /dev/null
+++ b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/Backup.xml
@@ -0,0 +1,20 @@
+
+ 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ee 96 fb b4 65 f1 fa 2b 36 e3 31 df e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ee 96 fb b4 65 f1 fa 2b 36 e3 31 df 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ee 96 fb b4 65 f1 fa 2b 36 e3 31 df 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
similarity index 78%
rename from Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
rename to Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
index ef38d8a..667c750 100644
Binary files a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf and b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf differ
diff --git a/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/bkupInfo.xml b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/bkupInfo.xml
new file mode 100644
index 0000000..9319227
--- /dev/null
+++ b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/bkupInfo.xml
@@ -0,0 +1 @@
+
diff --git a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/gpreport.xml b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/gpreport.xml
similarity index 81%
rename from Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/gpreport.xml
rename to Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/gpreport.xml
index 58ca288..cd2bc5a 100644
Binary files a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/gpreport.xml and b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/gpreport.xml differ
diff --git a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml b/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml
deleted file mode 100644
index ab953e5..0000000
--- a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-
- 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml b/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml
deleted file mode 100644
index 88e7503..0000000
--- a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/Vagrant/scripts/configure-rdp-user-gpo.ps1 b/Vagrant/scripts/configure-rdp-user-gpo.ps1
index 1fbea02..a51a203 100644
--- a/Vagrant/scripts/configure-rdp-user-gpo.ps1
+++ b/Vagrant/scripts/configure-rdp-user-gpo.ps1
@@ -1,6 +1,6 @@
# Purpose: Install the GPO that allows windomain\vagrant to RDP
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to allow windomain/vagrant to RDP..."
-Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded
+Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -MigrationTable "c:\vagrant\resources\GPO\rdp_users\rdp_users.migtable" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded
$OU = "ou=Workstations,dc=windomain,dc=local"
$gPLinks = $null
diff --git a/Vagrant/scripts/install-botsv2.sh b/Vagrant/scripts/install-botsv2.sh
index d0a90c6..d17c1d9 100644
--- a/Vagrant/scripts/install-botsv2.sh
+++ b/Vagrant/scripts/install-botsv2.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
# Thanks to @MHaggis for this addition!
# It is recommended to only uncomment the attack-only dataset comment block.
diff --git a/Vagrant/scripts/install-botsv3.sh b/Vagrant/scripts/install-botsv3.sh
index c694a6b..6081a64 100644
--- a/Vagrant/scripts/install-botsv3.sh
+++ b/Vagrant/scripts/install-botsv3.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
#Thanks to @MHaggis for this addition!
#More information on BOTSv3 can be found at https://github.com/splunk/botsv3
diff --git a/Vagrant/scripts/install-evtx-attack-samples.ps1 b/Vagrant/scripts/install-evtx-attack-samples.ps1
new file mode 100644
index 0000000..1045be5
--- /dev/null
+++ b/Vagrant/scripts/install-evtx-attack-samples.ps1
@@ -0,0 +1,70 @@
+# Purpose: Downloads and indexes the EVTX samples from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/ into Splunk
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Indexing EVTX Attack Samples into Splunk..."
+
+# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
+$ProgressPreference = 'SilentlyContinue'
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+$inputsConf = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
+
+# Download and unzip a copy of EVTX Attack Samples
+$evtxAttackDownloadUrl = "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/archive/master.zip"
+$evtxAttackRepoPath = "C:\Users\vagrant\AppData\Local\Temp\evtxattack.zip"
+If (-not (Test-Path "C:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master")) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading EVTX Attack Samples"
+ Invoke-WebRequest -Uri "$evtxAttackDownloadUrl" -OutFile "$evtxAttackRepoPath"
+ Expand-Archive -path "$evtxAttackRepoPath" -destinationpath 'c:\Tools\EVTX-ATTACK-SAMPLES' -Force
+ # Add stanzas to Splunk inputs.conf to index the evtx files
+ # Huge thanks to https://www.cloud-response.com/2019/07/importing-windows-event-log-files-into.html for showing how to do this!
+ If (!(Select-String -Path $inputsConf -Pattern "evtx_attack_sample")) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk inputs.conf has not yet been modified. Adding stanzas for these evtx files now..."
+ Add-Content -Path "$inputsConf" -Value '
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\AutomatedTestingTools\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Command and Control\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Credential Access\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Defense Evasion\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Discovery\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Execution\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Lateral Movement\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Other\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Persistence\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Privilege Escalation\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt'
+ # Restart the forwarder to pick up changes
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Restarting the Splunk Forwarder..."
+ Restart-Service SplunkForwarder
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk to query these samples."
+ }
+} Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) EVTX attack samples were already installed. Moving On."
+}
\ No newline at end of file
diff --git a/Vagrant/scripts/install-microsoft-ata.ps1 b/Vagrant/scripts/install-microsoft-ata.ps1
index 6d64cdb..8af36db 100644
--- a/Vagrant/scripts/install-microsoft-ata.ps1
+++ b/Vagrant/scripts/install-microsoft-ata.ps1
@@ -28,14 +28,14 @@ public static class SSLValidator {
If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
{
$download = $false
- If (-not (Test-Path "$env:temp\$title.iso"))
+ If (-not (Test-Path "c:\$title.iso"))
{
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..."
$download = $true
}
Else
{
- $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
If (-not ($actualHash -eq $fileHash))
{
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..."
@@ -47,21 +47,21 @@ If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
- Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
- $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+ Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
If (-not ($actualHash -eq $fileHash))
{
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
- Remove-Item -Path "$env:temp\$title.iso" -Force
- bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso"
- $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+ Remove-Item -Path "c:\$title.iso" -Force
+ bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
If (-not ($actualHash -eq $fileHash))
{
Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
}
}
}
- $Mount = Mount-DiskImage -ImagePath "$env:temp\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
+ $Mount = Mount-DiskImage -ImagePath "c:\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
$Volume = $Mount | Get-Volume
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing $title"
$Install = Start-Process -Wait -FilePath ($Volume.DriveLetter + ":\Microsoft ATA Center Setup.exe") -ArgumentList "/q --LicenseAccepted NetFrameworkCommandLineArguments=`"/q`" --EnableMicrosoftUpdate" -PassThru
diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1
index 5859699..c3b20e9 100755
--- a/Vagrant/scripts/install-utilities.ps1
+++ b/Vagrant/scripts/install-utilities.ps1
@@ -3,7 +3,7 @@
If (-not (Test-Path "C:\ProgramData\chocolatey")) {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey"
- iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
+ Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
} else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Chocolatey is already installed."
}
diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1
index 30822b8..f0bc59e 100755
--- a/Vagrant/scripts/join-domain.ps1
+++ b/Vagrant/scripts/join-domain.ps1
@@ -1,13 +1,16 @@
# Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
# Source: https://github.com/StefanScherer/adfs2
+$hostsFile = "c:\Windows\System32\drivers\etc\hosts"
+
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain..."
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the domain..."
$newDNSServers = "192.168.38.102"
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
# Don't do this in Azure. If the network adatper description contains "Hyper-V", this won't apply changes.
-$adapters | ForEach-Object {if (!($_.Description).Contains("Hyper-V")) {$_.SetDNSServerSearchOrder($newDNSServers)}}
+# Specify the DC as a WINS server to help with connectivity as well
+$adapters | ForEach-Object {if (!($_.Description).Contains("Hyper-V")) {$_.SetDNSServerSearchOrder($newDNSServers); $_.SetWINSServer($newDNSServers, "")}}
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..."
$hostname = $(hostname)
@@ -18,6 +21,10 @@ $DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
# Place the computer in the correct OU based on hostname
If ($hostname -eq "wef") {
Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru
+ # Attempt to fix Issue #517
+ Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'WaitToKillServiceTimeout' -Value '500' -Type String -Force -ea SilentlyContinue
+ New-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -Name 'AutoEndTasks' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue
+ Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Power' -Name 'HiberbootEnabled' -Value 0 -Type DWord -Force -ea SilentlyContinue
} ElseIf ($hostname -eq "win10") {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'" #debug
Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local"
@@ -25,6 +32,7 @@ If ($hostname -eq "wef") {
Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru
}
+# Set auto login
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
@@ -36,8 +44,6 @@ Stop-Service wuauserv
Set-Service TrustedInstaller -StartupType Disabled
Stop-Service TrustedInstaller
-
-
# Uninstall Windows Defender from WEF
# This command isn't supported on WIN10
If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).status -eq 'Running') {
@@ -50,4 +56,4 @@ If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction Silentl
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully..."
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) We'll try again during install-red-team.ps1"
}
-}
\ No newline at end of file
+}
diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh
index 3369c4e..40c6ed0 100755
--- a/ci/build_machine_bootstrap.sh
+++ b/ci/build_machine_bootstrap.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
# This script is run on the Packet.net baremetal server for CI tests.
# While building, the server will start a webserver on Port 80 that contains
@@ -110,7 +110,101 @@ if [ $BOXES_PRESENT -eq 1 ]; then
sed -i 's#"detectionlab/win10"#"/mnt/windows_10_virtualbox.box"#g' /opt/DetectionLab/Vagrant/Vagrantfile
fi
+# Recreate a barebones version of the build script so we have some sense of return codes
+cat << 'EOF' > /opt/DetectionLab/build.sh
+#! /usr/bin/env bash
+
+# Brings up a single host using Vagrant
+vagrant_up_host() {
+ HOST="$1"
+ (echo >&2 "Attempting to bring up the $HOST host using Vagrant")
+ cd "$DL_DIR"/Vagrant || exit 1
+ $(which vagrant) up "$HOST" &> "$DL_DIR/Vagrant/vagrant_up_$HOST.log"
+ echo "$?"
+}
+
+# Attempts to reload and re-provision a host if the intial "vagrant up" fails
+vagrant_reload_host() {
+ HOST="$1"
+ cd "$DL_DIR"/Vagrant || exit 1
+ # Attempt to reload the host if the vagrant up command didn't exit cleanly
+ $(which vagrant) reload "$HOST" --provision >>"$DL_DIR/Vagrant/vagrant_up_$HOST.log" 2>&1
+ echo "$?"
+}
+
+# A series of checks to ensure important services are responsive after the build completes.
+post_build_checks() {
+ # If the curl operation fails, we'll just leave the variable equal to 0
+ # This is needed to prevent the script from exiting if the curl operation fails
+ SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "")
+ FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.105:8412 | grep -c 'Kolide Fleet' || echo "")
+ ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.103 -m 2)
+ [[ $ATA_CHECK == 401 ]] && ATA_CHECK=1
+
+ BASH_MAJOR_VERSION=$(/bin/bash --version | grep 'GNU bash' | grep -oi version\.\.. | cut -d ' ' -f 2 | cut -d '.' -f 1)
+ # Associative arrays are only supported in bash 4 and up
+ if [ "$BASH_MAJOR_VERSION" -ge 4 ]; then
+ declare -A SERVICES
+ SERVICES=(["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK")
+ for SERVICE in "${!SERVICES[@]}"; do
+ if [ "${SERVICES[$SERVICE]}" -lt 1 ]; then
+ (echo >&2 "Warning: $SERVICE failed post-build tests and may not be functioning correctly.")
+ fi
+ done
+ else
+ if [ "$SPLUNK_CHECK" -lt 1 ]; then
+ (echo >&2 "Warning: Splunk failed post-build tests and may not be functioning correctly.")
+ fi
+ if [ "$FLEET_CHECK" -lt 1 ]; then
+ (echo >&2 "Warning: Fleet failed post-build tests and may not be functioning correctly.")
+ fi
+ if [ "$ATA_CHECK" -lt 1 ]; then
+ (echo >&2 "Warning: MS ATA failed post-build tests and may not be functioning correctly.")
+ fi
+ fi
+}
+
+build_vagrant_hosts() {
+ LAB_HOSTS=("logger" "dc" "wef" "win10")
+
+ # Vagrant up each box and attempt to reload one time if it fails
+ for VAGRANT_HOST in "${LAB_HOSTS[@]}"; do
+ RET=$(vagrant_up_host "$VAGRANT_HOST")
+ if [ "$RET" -eq 0 ]; then
+ (echo >&2 "Good news! $VAGRANT_HOST was built successfully!")
+ fi
+ # Attempt to recover if the intial "vagrant up" fails
+ if [ "$RET" -ne 0 ]; then
+ (echo >&2 "Something went wrong while attempting to build the $VAGRANT_HOST box.")
+ (echo >&2 "Attempting to reload and reprovision the host...")
+ RETRY_STATUS=$(vagrant_reload_host "$VAGRANT_HOST")
+ if [ "$RETRY_STATUS" -eq 0 ]; then
+ (echo >&2 "Good news! $VAGRANT_HOST was built successfully after a reload!")
+ else
+ (echo >&2 "Failed to bring up $VAGRANT_HOST after a reload. Exiting.")
+ exit 1
+ fi
+ fi
+ done
+}
+
+main() {
+ # Get location of build.sh
+ # https://stackoverflow.com/questions/59895/getting-the-source-directory-of-a-bash-script-from-within
+ DL_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+ # Build and Test Vagrant hosts
+ cd Vagrant
+ build_vagrant_hosts
+ post_build_checks
+}
+
+main
+exit 0
+EOF
+chmod +x /opt/DetectionLab/build.sh
+
# Start the build in a tmux session
sn=tmuxsession
tmux new-session -s "$sn" -d
-tmux send-keys -t "$sn:0" 'cd /opt/DetectionLab/Vagrant && vagrant up | tee -a vagrant_up_all.log && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter
+tmux send-keys -t "$sn:0" 'cd /opt/DetectionLab && ./build.sh && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter
diff --git a/ci/manual_machine_bootstrap.sh b/ci/manual_machine_bootstrap.sh
index 63683d9..266ddc4 100644
--- a/ci/manual_machine_bootstrap.sh
+++ b/ci/manual_machine_bootstrap.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
# This script is used to manually prepare an Ubuntu 16.04 server for DetectionLab building
export DEBIAN_FRONTEND=noninteractive
@@ -40,8 +40,8 @@ sed -i 's/vb.gui = true/vb.gui = false/g' Vagrantfile
# Install Packer
mkdir /opt/packer
cd /opt/packer || exit 1
-wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip
-unzip packer_1.6.0_linux_amd64.zip
+wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip
+unzip packer_1.6.3_linux_amd64.zip
cp packer /usr/local/bin/packer
# Make the Packer images headless
diff --git a/ci/manual_machine_bootstrap_vmware.sh b/ci/manual_machine_bootstrap_vmware.sh
index 5001b13..1daa3d3 100644
--- a/ci/manual_machine_bootstrap_vmware.sh
+++ b/ci/manual_machine_bootstrap_vmware.sh
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
# This script is used to manually prepare an Ubuntu 16.04 server for DetectionLab building
@@ -14,9 +14,9 @@ apt-get install -y linux-headers-"$(uname -r)" build-essential unzip git ufw apa
pip install awscli --upgrade --user
cp /root/.local/bin/aws /usr/local/bin/aws && chmod +x /usr/local/bin/aws
-wget -O VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle"
-chmod +x VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle
-sudo sh VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER
+wget -O VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle"
+chmod +x VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle
+sudo sh VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER
# Set up firewall
ufw allow ssh
@@ -37,8 +37,8 @@ vagrant plugin install vagrant-reload
vagrant plugin install vagrant-vmware-desktop
echo $LICENSEFILE | base64 -d > /tmp/license.lic
vagrant plugin license vagrant-vmware-desktop /tmp/license.lic
-wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.11/vagrant-vmware-utility_1.0.11_x86_64.deb"
-dpkg -i vagrant-vmware-utility_1.0.11_x86_64.deb
+wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.12/vagrant-vmware-utility_1.0.12_x86_64.deb"
+dpkg -i vagrant-vmware-utility_1.0.12_x86_64.deb
# Make the Vagrant instances headless
cd /opt/DetectionLab/Vagrant || exit 1
@@ -47,8 +47,8 @@ sed -i 's/v.gui = true/v.gui = false/g' Vagrantfile
# Install Packer
mkdir /opt/packer
cd /opt/packer || exit 1
-wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip
-unzip packer_1.6.0_linux_amd64.zip
+wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip
+unzip packer_1.6.3_linux_amd64.zip
cp packer /usr/local/bin/packer
# Make the Packer images headless
@@ -56,3 +56,12 @@ cd /opt/DetectionLab/Packer || exit 1
for file in *.json; do
sed -i 's/"headless": false,/"headless": true,/g' "$file";
done
+
+echo '# This file is automatically generated.
+# Hand-editing this file is not recommended.
+network0.name = "Bridged"
+network0.device = "vmnet0"
+network1.name = "HostOnly"
+network1.device = "vmnet1"
+network2.name = "NAT"
+network2.device = "vmnet8"' > /etc/vmware/netmap.conf
\ No newline at end of file