From 55aa80294a299e8dc32a0cedafb09409172bdc2d Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Sun, 27 Sep 2020 15:27:15 -0400 Subject: [PATCH 01/26] Updated iso_name & SHA256 --- ESXi/Packer/ubuntu1804_esxi.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ESXi/Packer/ubuntu1804_esxi.json b/ESXi/Packer/ubuntu1804_esxi.json index a6b6747..77d8a3d 100644 --- a/ESXi/Packer/ubuntu1804_esxi.json +++ b/ESXi/Packer/ubuntu1804_esxi.json @@ -90,8 +90,8 @@ "esxi_password": "", "headless": "false", "guest_additions_url": "", - "iso_checksum": "sha256:e2ecdace33c939527cbc9e8d23576381c493b071107207d2040af72595f8990b", - "iso_name": "ubuntu-18.04.4-server-amd64.iso", + "iso_checksum": "sha256:8c5fc24894394035402f66f3824beb7234b757dd2b5531379cb310cedfdf0996", + "iso_name": "ubuntu-18.04.5-server-amd64.iso", "memory": "4096", "mirror": "http://cdimage.ubuntu.com", "mirror_directory": "ubuntu/releases/18.04.4/release", From 2e900f59511f5ea573f503e83c894bb1c82742c0 Mon Sep 17 00:00:00 2001 From: ZeArioch <16936254+ZeArioch@users.noreply.github.com> Date: Mon, 28 Sep 2020 15:48:29 +0200 Subject: [PATCH 02/26] delete old RDP GPO files --- Vagrant/resources/GPO/rdp_users/manifest.xml | 1 - .../Backup.xml | 20 ------------------ .../microsoft/windows nt/SecEdit/GptTmpl.inf | Bin 384 -> 0 bytes .../bkupInfo.xml | 1 - .../gpreport.xml | Bin 18348 -> 0 bytes 5 files changed, 22 deletions(-) delete mode 100644 Vagrant/resources/GPO/rdp_users/manifest.xml delete mode 100644 Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml delete mode 100644 Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf delete mode 100644 Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml delete mode 100644 Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/gpreport.xml diff --git a/Vagrant/resources/GPO/rdp_users/manifest.xml b/Vagrant/resources/GPO/rdp_users/manifest.xml deleted file mode 100644 index fd766e0..0000000 --- a/Vagrant/resources/GPO/rdp_users/manifest.xml +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml b/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml deleted file mode 100644 index ab953e5..0000000 --- a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml +++ /dev/null @@ -1,20 +0,0 @@ - - 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf deleted file mode 100644 index ef38d8a0c2fdacc3333de6534f69f3a457d3b6ff..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 384 zcma)$y9&ZU5JgWd_zxmhf{?^lEK-PtT8N-%BO<;{p%Gu;&#O1X3Th?8E_3(JxwFs5 zgb@c~mL#lLGbKyr=Plwc=WNb|vHFu#EaKqiQ?-?vbKxp?O+=moEjn~{H)+$C&RfPn z{!PR?Bf@vtZLx_Gj^yZRYR|%L+iCvjwiOvt5>uk8Qzo#kDm7DmatRwHMV9_Qbv7o) qHxbyzfQl->(>704vp@KH38l*NLiG(dTbG}nlnLcF?B6Np*`Ho+5;i{o diff --git a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml b/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml deleted file mode 100644 index 88e7503..0000000 --- a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml +++ /dev/null @@ -1 +0,0 @@ - diff --git a/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/gpreport.xml b/Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/gpreport.xml deleted file mode 100644 index 58ca288641ebf1235457423758e6bdc8122f3e3e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18348 zcmeHPZEqS!5T4JK`X5j~wNf1ee#g`i0XMZ28_U>DTjdKjcH+hu7jRxw^{=;mo|$g% z_Sl1i5O9(c;yB;!?!3?J&d&OuzpL_C-bq((q#$qPQu;EGYw5|Y{2<>*NghcNzXiOx zl?y!Y;O(uv)VKFClq*?5t4*|dEPL{`d?i(RD#y}99~<`;BUW%fKwpme3cZGMhi9w! zyw%SmT-N}r2ly}Xv<#?4jJqno$e}!w7GS>u4qa(0Hp!8%=Q8q&(l!8gZKd`y0V^H* zE_z-7_a3P1fhR-ILT+_I!Bc&H4~mcRnyLDXG@OB078o1lR z-4>+U&^ARpsmYJ%zbPB?7pPs$L~lbm+E$J&iq5wRtrLU%2r}$Jx^4Ut^Eg(KgeKEe zl_QMN1xNS5jT;^HEo2`buOMgOw^?ODPVnwnVMaY^aZVd(p*M1`np0PdIXZP{02o7P z&^`V(%*MBkMy;dQCGZ^L+L2Rm!!V|WmQ=1qNP7jc-Nai;wu0-HUP}rqZG;HMA#kN% zF+I-;r3CmDeAg99`WO+M6Qv~k_}fawHf(tlP$n#2j9!^G z%Qj_jgYsU-ZyDUNwp)15FZ+;NwEU9xE5Z|2K;ap_73gsdHvcVP)?^o+;y|w_xKhvB z;MEm=w{cy;_e#z&7Dp=KDIuL>eBRUR6w$tj9`ru!v7>NzF;)%Gz5^7(Ae1^_*TLgD z=zI=)I>z-F&rb2IiDwNwtK(S%-=_B2{iqyqxH#CT6?e9jx4Zf>+FN}t2tj(|%OD;3)R zk-Wf4s*QC_A6L%4h_A!S$Cz&-ZAre1Rt}4xB|Ini9QBA%X-%clQeWxw{o!a)+Dc%& zK1EvN(^W+TqEF&lb%2kp@&|az89rAT)Yau_T6}$y1=DQQEsvg2%Q*mtnZ>YG!2l~@ zW(>NJKwD)%{_i2ea%D+*P|n%$b}j$@?6%IKkY5-#6T9*)e5jto=r` zIKR6HJz(5B0{04t184aC3BLUV5C!mnz{17feril7XM8MW;BA! z70@4ZB}}i-1P;Gr|!?>e#e$uR`9IEvBUUs&k>SO}dsBkK!{mum+i4K(dU;`=IU~@n8>D z&zxIFEkAp&5M)x74acg7%OT(o zYiTpSMMZ=7Du|hKlSX*uLi`Lz=j#`RWqQnFmZYUo>oAW($^jP*!#b8nALeu=E^x=h2^U-?(;4p{)J-CX!H%o z&O8D(V|6*{>##fmCbPw(k?iwdxy>sA+HUx#6aScx;C!!-To`lKoaHgM+0i`&*7cDV zw^|+544b*+F)@#ci;9W)nlPG+X3P4Sjb>k~r1|z`jUJV zH+~hzXq}}3g|V9F?YK*NjcnOV^m-W8wEphEcr2sLoy}7Gy(c2Ue2t ztQ{-HHZ)dGZs%Zz#%*Dw0chjQFg&8)!XJzIRL2iiC&sf?$#=<~@07#Lxmw+}t^IzI2H$RF6zo$uLTRz1egGKbC*5Qou8|5t9yALb>mUW(nXHa=UlOMC#@fBr8r=u&b3-i?i zf6n~`HP8pBVLru`XJS~>$f^-ahjq`~t9*^Wda&y0GB8HZ>VLAIMsiMH4iy)kg-d!8 zCtvrwOgYbMrIO{`l%v;pyJ%ertyi+1q4F_zS}|F|v>da2YUXs_gMCN6?5M|xpYc!n zIF8}??Dq_hKI-w=E Date: Mon, 28 Sep 2020 15:50:53 +0200 Subject: [PATCH 03/26] add GPO file with 'Domain Users' as RDP group members --- Vagrant/resources/GPO/rdp_users/manifest.xml | 1 + .../Backup.xml | 20 ++++++++++++++++++ .../microsoft/windows nt/SecEdit/GptTmpl.inf | Bin 0 -> 380 bytes .../bkupInfo.xml | 1 + .../gpreport.xml | Bin 0 -> 17634 bytes 5 files changed, 22 insertions(+) create mode 100644 Vagrant/resources/GPO/rdp_users/manifest.xml create mode 100644 Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/Backup.xml create mode 100644 Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf create mode 100644 Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/bkupInfo.xml create mode 100644 Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/gpreport.xml diff --git a/Vagrant/resources/GPO/rdp_users/manifest.xml b/Vagrant/resources/GPO/rdp_users/manifest.xml new file mode 100644 index 0000000..c8f230f --- /dev/null +++ b/Vagrant/resources/GPO/rdp_users/manifest.xml @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/Backup.xml b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/Backup.xml new file mode 100644 index 0000000..93964de --- /dev/null +++ b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/Backup.xml @@ -0,0 +1,20 @@ + + 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ee 96 fb b4 65 f1 fa 2b 36 e3 31 df e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ee 96 fb b4 65 f1 fa 2b 36 e3 31 df 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ee 96 fb b4 65 f1 fa 2b 36 e3 31 df 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf new file mode 100644 index 0000000000000000000000000000000000000000..667c750b250b013443fb1c7201dd477724a2431b GIT binary patch literal 380 zcma)&PY=OB6vTgLiSHndlcY(hY8`qI2OLB~xQK}VdeDj@@#QgHmEa_s-F@@s&CF&W z_bFpyB32}<*)XF>;ingJ6O$Td%0%@^D3T)1=QFeuT5#qfc0-6onKoT|I$LxY2wTQu zDE=zN+asi!dv~Nwp{$2_gV2wNH(PurztDo<#x^{GqP$|*GN|Ep4? uDeAtY9PD9Jl{d$)#uC6*Tou diff --git a/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/gpreport.xml b/Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/gpreport.xml new file mode 100644 index 0000000000000000000000000000000000000000..cd2bc5a7125ab5f446232b8c1ebeac82b061707b GIT binary patch literal 17634 zcmeHOZBrsg5bn>Z%738pDOVK~#W#?6#eun4b&4gJOH%g*@#V}38W-bPsr>aM&ok}R z>@2geC_&F`Q7p^s%=CNrbkFQRf7j%-e3rgkNJ0LP6S0%Ujz>2~o;%;Q)&2~DP{CVQBp z4~}kuix+0rTgW~>UqKGRZ?(#T9N^i$f$2ul;;c5%LNDaTXimdm%-N|!5nv3VK{xoX zn2qo2W^G{93Gf`^dMq7qLoud>@>|50vR{T4bYQVdu;hN%71i_X zP|AQsKS3zzb2vB$hLY^_ubBDi16M%bs`-%4Uk$|3*&HO=b`RXX2314YO%wkkwDA8G zTIlDTuBiOl=+%U;n}=qr_laXjn{I*LHe|Vk@2Zh0@5w!L9mD!6hs%BTcCSOtBD_*S9Cby)njfLNDJXvmJa9^gtX>w;6K_}##@ zi0`Q!0UBpoLMw4P0uAEq4*jC}?!)070S8*x zI;^d0ti1&LJ3))ZoHTSz9H8$|yQF23k`nB-g5Jvy#GHQMp`4mE=8QJhS0{aV3+vbc z=)8VHFK(j{ql%3z)W&(l6-JTS`w|;Ll=Gy;=etsA*F^K8^F6F>54g0j_Mr9e$p>Um zUF0vVuuoR`x>&oPn|pF93|;M{13PCW-~!g|*I)c6A((CkTRWhqW^PP> z(E<*?Vdft0S=;fw2WQVRYI?Y=DiOZc;IuB46?%B=Bpl9-k0hNTiXw1g0RB=AAs%EO z9m0cJHm&4qkhs>5DXVLvb)mUczFH}Fv70(rhg5rzEu-}|sJlU|*uotvWJCE5v6^|; z1-|t1{NIOEw0?Gne~cmV$_}Z>4kv^wXUIlX&BJ~d9Eju-u-6)0oHF+;2~lnPA#p4j z!$N+A){=y1Z7mKn+)I1v`f*f>T#$lBFP(&A(| zQpGcs=|)b%AbXU0*)h)UsN@mL&(*`RC>ia-y;RemE@CaC>hkzKB;8HWbx64W=VHRV zV_zs=og0 zY`Knl*6f*8p1~z+(4+n=8Pi@~2DgNr+~*m`(sMZOn72(9x0}Z;!vPy{M>SZzLY|f7 zSsC}&veYd@*&#hdUU}rMR9<k@L~CFF6-_fq{5@;HAlKF{BrE~;(jaqzk9!R7gz z)y;ed&g~z%UABA&Zkl&PU5r4mgROJ;( zEBQRL3!kXa_gM1%wwI9E*$k7XM%)>c0?uQ(_Y~LMpS=8i^s_ zuj5IabL{b)Vbt?DN9*qlkH^yaHjQNdc_DkwD*Ucm4d+*R`b~GYnmFOZ(@u4B@}2EG z9mlgt{&}~oW32wva3+LjWUox*;y#+gSu1QmncX#ep1BE}Y`ul=*6}=;p7oyG&%zAN z+r~^0Xrn!ZXY_mcb8#2Y@`I-j<7@Qfv*gInhQr(`)Dzp5(>@;*=WU$bq&!^j_}QeY z{EjutY~KausmA!b%b|A&!n={gg>M=9I+vU;?QChy&{D8%c~d>4i? z;>koxhbO)$u}}DS39FuN-Kq2}-phU($yt5bHMsB%xTGgh>ALI7sIiTI&&5&8D$cz1 zBy?WFud}&#-l^>tzfsR;>0mFl>dA6;eW&*!96Rc3NAYqz<=b$+r%R_OJo~8MXTS95 vSc4Tt0X?tD Date: Mon, 28 Sep 2020 15:52:39 +0200 Subject: [PATCH 04/26] add migration table for the domain groups to be updated on import --- .../resources/GPO/rdp_users/rdp_users.migtable | Bin 0 -> 2150 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Vagrant/resources/GPO/rdp_users/rdp_users.migtable diff --git a/Vagrant/resources/GPO/rdp_users/rdp_users.migtable b/Vagrant/resources/GPO/rdp_users/rdp_users.migtable new file mode 100644 index 0000000000000000000000000000000000000000..b18a27863d2bec328c584bee7402d2a7f9b783bc GIT binary patch literal 2150 zcmchZOHTqp5QOV&;(yq1=b6A+E5PwrGB=JGsm?#c0afr1FE9<%3YDZrN3 z3mgxsp{NgL0J>>hNA~xEoOKmXP}g)Gbl14j)d#F>qdlU^2&bmhVjc!maPQ`4R9t0d z=rR{>zN#mlk=u*J!3nXye9e5j@8N^(Kof+KQ{G#O#L>DI4!?woA?z)(hf9iza3wjm zr?xI$TO)sl_BQ%Ts<>*Jj>pq2ducV>-rlfxHtH;8& literal 0 HcmV?d00001 From c80063c4b39776f1bc36e7bd91d0028e50c9c6ab Mon Sep 17 00:00:00 2001 From: ZeArioch <16936254+ZeArioch@users.noreply.github.com> Date: Mon, 28 Sep 2020 15:55:41 +0200 Subject: [PATCH 05/26] add migration table target to RDP GPO import script --- Vagrant/scripts/configure-rdp-user-gpo.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrant/scripts/configure-rdp-user-gpo.ps1 b/Vagrant/scripts/configure-rdp-user-gpo.ps1 index 1fbea02..a51a203 100644 --- a/Vagrant/scripts/configure-rdp-user-gpo.ps1 +++ b/Vagrant/scripts/configure-rdp-user-gpo.ps1 @@ -1,6 +1,6 @@ # Purpose: Install the GPO that allows windomain\vagrant to RDP Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to allow windomain/vagrant to RDP..." -Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded +Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -MigrationTable "c:\vagrant\resources\GPO\rdp_users\rdp_users.migtable" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded $OU = "ou=Workstations,dc=windomain,dc=local" $gPLinks = $null From ff3e595235e087fb13c7eac316e975d6bdd42b32 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Tue, 29 Sep 2020 17:36:32 -0700 Subject: [PATCH 06/26] Adding ATA to Packer image, adding evtx-attack-samples --- Packer/scripts/download-microsoft-ata.ps1 | 44 ++++++++++++ Packer/scripts/vm-guest-tools.ps1 | 11 ++- Packer/windows_2016.json | 3 +- Vagrant/Vagrantfile | 3 +- .../scripts/install-evtx-attack-samples.ps1 | 70 +++++++++++++++++++ Vagrant/scripts/install-microsoft-ata.ps1 | 16 ++--- Vagrant/scripts/install-utilities.ps1 | 2 +- ci/manual_machine_bootstrap.sh | 4 +- ci/manual_machine_bootstrap_vmware.sh | 23 ++++-- 9 files changed, 155 insertions(+), 21 deletions(-) create mode 100644 Packer/scripts/download-microsoft-ata.ps1 create mode 100644 Vagrant/scripts/install-evtx-attack-samples.ps1 diff --git a/Packer/scripts/download-microsoft-ata.ps1 b/Packer/scripts/download-microsoft-ata.ps1 new file mode 100644 index 0000000..af6e0fb --- /dev/null +++ b/Packer/scripts/download-microsoft-ata.ps1 @@ -0,0 +1,44 @@ +# Purpose: Downloads, installs and configures Microsft ATA 1.9 +$title = "Microsoft ATA 1.9" +$downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso" +$fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash + +# Enable web requests to endpoints with invalid SSL certs (like self-signed certs) +If (-not("SSLValidator" -as [type])) { + add-type -TypeDefinition @" +using System; +using System.Net; +using System.Net.Security; +using System.Security.Cryptography.X509Certificates; + +public static class SSLValidator { + public static bool ReturnTrue(object sender, + X509Certificate certificate, + X509Chain chain, + SslPolicyErrors sslPolicyErrors) { return true; } + + public static RemoteCertificateValidationCallback GetDelegate() { + return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue); + } +} +"@ +} +[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() + + +Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..." +# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138 +$ProgressPreference = 'SilentlyContinue' +Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso" +$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash +If (-not ($actualHash -eq $fileHash)) { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..." + Remove-Item -Path "c:\$title.iso" -Force + bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso" + $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash + If (-not ($actualHash -eq $fileHash)) { + Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up." + } +} + +Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Microsoft ATA sucessfully downloaded to c:\$title.iso !" \ No newline at end of file diff --git a/Packer/scripts/vm-guest-tools.ps1 b/Packer/scripts/vm-guest-tools.ps1 index 7148696..9771cd1 100644 --- a/Packer/scripts/vm-guest-tools.ps1 +++ b/Packer/scripts/vm-guest-tools.ps1 @@ -38,7 +38,16 @@ if ("$env:PACKER_BUILDER_TYPE" -eq "vmware-iso") { } cmd /c "C:\PROGRA~1\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare - cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\" + cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v "/qn REBOOT=R" + $software = "VMware Tools"; + $installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where { $_.DisplayName -eq $software }) -ne $null + + If (-Not $installed) { + Write-Host "'$software' did not install successfully. Quitting."; + exit 1 + } Else { + Write-Host "'$software' was installed successfully." + } Remove-Item -Force "C:\Windows\Temp\vmware-tools.tar" Remove-Item -Force "C:\Windows\Temp\windows.iso" diff --git a/Packer/windows_2016.json b/Packer/windows_2016.json index d549ddb..83a7716 100644 --- a/Packer/windows_2016.json +++ b/Packer/windows_2016.json @@ -143,7 +143,8 @@ "type": "powershell", "scripts": [ "./scripts/vm-guest-tools.ps1", - "./scripts/debloat-windows.ps1" + "./scripts/debloat-windows.ps1", + "./scripts/download-microsoft-ata.ps1" ] }, { diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 3601edb..74c12e2 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -136,6 +136,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false + cfg.vm.provision "shell", path: "scripts/install-evtx-attack-samples.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false @@ -170,7 +171,7 @@ Vagrant.configure("2") do |config| lv.graphics_type = "spice" lv.video_type = "qxl" lv.input :type => "tablet", :bus => "usb" - override.vm.box = "../Boxes/windows_2016_libvirt.box" + override.vm.box = "../Boxes/windows_2016_libvirt.box" lv.video_vram = 32768 lv.memory = 2048 lv.cpus = 2 diff --git a/Vagrant/scripts/install-evtx-attack-samples.ps1 b/Vagrant/scripts/install-evtx-attack-samples.ps1 new file mode 100644 index 0000000..1045be5 --- /dev/null +++ b/Vagrant/scripts/install-evtx-attack-samples.ps1 @@ -0,0 +1,70 @@ +# Purpose: Downloads and indexes the EVTX samples from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/ into Splunk + +Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Indexing EVTX Attack Samples into Splunk..." + +# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138 +$ProgressPreference = 'SilentlyContinue' +# GitHub requires TLS 1.2 as of 2/27 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + +$inputsConf = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf" + +# Download and unzip a copy of EVTX Attack Samples +$evtxAttackDownloadUrl = "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/archive/master.zip" +$evtxAttackRepoPath = "C:\Users\vagrant\AppData\Local\Temp\evtxattack.zip" +If (-not (Test-Path "C:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master")) { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading EVTX Attack Samples" + Invoke-WebRequest -Uri "$evtxAttackDownloadUrl" -OutFile "$evtxAttackRepoPath" + Expand-Archive -path "$evtxAttackRepoPath" -destinationpath 'c:\Tools\EVTX-ATTACK-SAMPLES' -Force + # Add stanzas to Splunk inputs.conf to index the evtx files + # Huge thanks to https://www.cloud-response.com/2019/07/importing-windows-event-log-files-into.html for showing how to do this! + If (!(Select-String -Path $inputsConf -Pattern "evtx_attack_sample")) { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk inputs.conf has not yet been modified. Adding stanzas for these evtx files now..." + Add-Content -Path "$inputsConf" -Value ' +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\AutomatedTestingTools\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt + +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Command and Control\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt + +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Credential Access\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt + +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Defense Evasion\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt + +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Discovery\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt + +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Execution\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt + +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Lateral Movement\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt + +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Other\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt + +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Persistence\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt + +[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Privilege Escalation\*.evtx] +index = evtx_attack_samples +sourcetype = preprocess-winevt' + # Restart the forwarder to pick up changes + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Restarting the Splunk Forwarder..." + Restart-Service SplunkForwarder + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk to query these samples." + } +} Else { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) EVTX attack samples were already installed. Moving On." +} \ No newline at end of file diff --git a/Vagrant/scripts/install-microsoft-ata.ps1 b/Vagrant/scripts/install-microsoft-ata.ps1 index 6d64cdb..8af36db 100644 --- a/Vagrant/scripts/install-microsoft-ata.ps1 +++ b/Vagrant/scripts/install-microsoft-ata.ps1 @@ -28,14 +28,14 @@ public static class SSLValidator { If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center")) { $download = $false - If (-not (Test-Path "$env:temp\$title.iso")) + If (-not (Test-Path "c:\$title.iso")) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..." $download = $true } Else { - $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash + $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash If (-not ($actualHash -eq $fileHash)) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..." @@ -47,21 +47,21 @@ If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..." # Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138 $ProgressPreference = 'SilentlyContinue' - Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso" - $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash + Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso" + $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash If (-not ($actualHash -eq $fileHash)) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..." - Remove-Item -Path "$env:temp\$title.iso" -Force - bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso" - $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash + Remove-Item -Path "c:\$title.iso" -Force + bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso" + $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash If (-not ($actualHash -eq $fileHash)) { Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up." } } } - $Mount = Mount-DiskImage -ImagePath "$env:temp\$title.iso" -StorageType ISO -Access ReadOnly -PassThru + $Mount = Mount-DiskImage -ImagePath "c:\$title.iso" -StorageType ISO -Access ReadOnly -PassThru $Volume = $Mount | Get-Volume Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing $title" $Install = Start-Process -Wait -FilePath ($Volume.DriveLetter + ":\Microsoft ATA Center Setup.exe") -ArgumentList "/q --LicenseAccepted NetFrameworkCommandLineArguments=`"/q`" --EnableMicrosoftUpdate" -PassThru diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1 index 5859699..c3b20e9 100755 --- a/Vagrant/scripts/install-utilities.ps1 +++ b/Vagrant/scripts/install-utilities.ps1 @@ -3,7 +3,7 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey" - iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) + Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) } else { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Chocolatey is already installed." } diff --git a/ci/manual_machine_bootstrap.sh b/ci/manual_machine_bootstrap.sh index 63683d9..b61c2dd 100644 --- a/ci/manual_machine_bootstrap.sh +++ b/ci/manual_machine_bootstrap.sh @@ -40,8 +40,8 @@ sed -i 's/vb.gui = true/vb.gui = false/g' Vagrantfile # Install Packer mkdir /opt/packer cd /opt/packer || exit 1 -wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip -unzip packer_1.6.0_linux_amd64.zip +wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip +unzip packer_1.6.3_linux_amd64.zip cp packer /usr/local/bin/packer # Make the Packer images headless diff --git a/ci/manual_machine_bootstrap_vmware.sh b/ci/manual_machine_bootstrap_vmware.sh index 5001b13..c50aeae 100644 --- a/ci/manual_machine_bootstrap_vmware.sh +++ b/ci/manual_machine_bootstrap_vmware.sh @@ -14,9 +14,9 @@ apt-get install -y linux-headers-"$(uname -r)" build-essential unzip git ufw apa pip install awscli --upgrade --user cp /root/.local/bin/aws /usr/local/bin/aws && chmod +x /usr/local/bin/aws -wget -O VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle" -chmod +x VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle -sudo sh VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER +wget -O VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle" +chmod +x VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle +sudo sh VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER # Set up firewall ufw allow ssh @@ -37,8 +37,8 @@ vagrant plugin install vagrant-reload vagrant plugin install vagrant-vmware-desktop echo $LICENSEFILE | base64 -d > /tmp/license.lic vagrant plugin license vagrant-vmware-desktop /tmp/license.lic -wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.11/vagrant-vmware-utility_1.0.11_x86_64.deb" -dpkg -i vagrant-vmware-utility_1.0.11_x86_64.deb +wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.12/vagrant-vmware-utility_1.0.12_x86_64.deb" +dpkg -i vagrant-vmware-utility_1.0.12_x86_64.deb # Make the Vagrant instances headless cd /opt/DetectionLab/Vagrant || exit 1 @@ -47,8 +47,8 @@ sed -i 's/v.gui = true/v.gui = false/g' Vagrantfile # Install Packer mkdir /opt/packer cd /opt/packer || exit 1 -wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip -unzip packer_1.6.0_linux_amd64.zip +wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip +unzip packer_1.6.3_linux_amd64.zip cp packer /usr/local/bin/packer # Make the Packer images headless @@ -56,3 +56,12 @@ cd /opt/DetectionLab/Packer || exit 1 for file in *.json; do sed -i 's/"headless": false,/"headless": true,/g' "$file"; done + +echo '# This file is automatically generated. +# Hand-editing this file is not recommended. +network0.name = "Bridged" +network0.device = "vmnet0" +network1.name = "HostOnly" +network1.device = "vmnet1" +network2.name = "NAT" +network2.device = "vmnet8"' > /etc/vmware/netmap.conf \ No newline at end of file From 456124149ef76c12fa5077c64509f98973108672 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Wed, 30 Sep 2020 16:59:01 -0700 Subject: [PATCH 07/26] Adding evtx_attack_samples Splunk index --- Vagrant/bootstrap.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index e93bfb7..24bf7f5 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -154,6 +154,7 @@ install_splunk() { /opt/splunk/bin/splunk add index zeek -auth 'admin:changeme' /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme' /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme' + /opt/splunk/bin/splunk add index evtx_attack_samples -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_110.tgz -auth 'admin:changeme' From ea64a14371b69aa4122fb89df2d56ef0055f122a Mon Sep 17 00:00:00 2001 From: Chris Long Date: Wed, 30 Sep 2020 17:01:02 -0700 Subject: [PATCH 08/26] Adding EVTX-ATTACK-SAMPLES acknowledgement --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1ba94c2..84793df 100644 --- a/README.md +++ b/README.md @@ -100,6 +100,7 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer] * [Velociraptor](https://github.com/Velocidex/velociraptor) * [BadBlood](https://github.com/davidprowe/BadBlood) * [PurpleSharp](https://github.com/mvelazc0/PurpleSharp) +* [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) # DetectionLab Sponsors #### Lated updated: 9/16/2020 From 483a8f7d138513495ece839ea926d8968e27c817 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 4 Oct 2020 11:36:44 -0700 Subject: [PATCH 09/26] Update WEF ansible role for evtx-event-samples --- Azure/Ansible/roles/wef/tasks/main.yml | 9 +++++++++ ESXi/ansible/roles/wef/tasks/main.yml | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/Azure/Ansible/roles/wef/tasks/main.yml b/Azure/Ansible/roles/wef/tasks/main.yml index 3681b50..d1bed68 100644 --- a/Azure/Ansible/roles/wef/tasks/main.yml +++ b/Azure/Ansible/roles/wef/tasks/main.yml @@ -92,6 +92,15 @@ - debug: msg="{{ pstranscriptshare.stdout_lines }}" +- name: Installing the EVTX Event Samples + win_shell: ".\\install-evtx-attack-samples.ps1" + args: + chdir: 'c:\vagrant\scripts' + register: evtxeventsamples + failed_when: "'Exception' in evtxeventsamples.stdout" + +- debug: msg="{{ evtxeventsamples.stdout_lines }}" + - name: Installing Microsoft Advanced Threat Analytics win_shell: ".\\install-microsoft-ata.ps1" args: diff --git a/ESXi/ansible/roles/wef/tasks/main.yml b/ESXi/ansible/roles/wef/tasks/main.yml index 6c8b91a..8ff4567 100644 --- a/ESXi/ansible/roles/wef/tasks/main.yml +++ b/ESXi/ansible/roles/wef/tasks/main.yml @@ -106,6 +106,15 @@ - debug: msg="{{ pstranscriptshare.stdout_lines }}" +- name: Installing the EVTX Event Samples + win_shell: ".\\install-evtx-attack-samples.ps1" + args: + chdir: 'c:\vagrant\scripts' + register: evtxeventsamples + failed_when: "'Exception' in evtxeventsamples.stdout" + +- debug: msg="{{ evtxeventsamples.stdout_lines }}" + - name: Installing Microsoft Advanced Threat Analytics win_shell: ".\\install-microsoft-ata.ps1" args: From aef71a10d119e9c4347658f75f17cd0502b97053 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Wed, 14 Oct 2020 23:04:53 -0700 Subject: [PATCH 10/26] Attempt to fix issue 517 --- Vagrant/scripts/join-domain.ps1 | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1 index 30822b8..f3df98b 100755 --- a/Vagrant/scripts/join-domain.ps1 +++ b/Vagrant/scripts/join-domain.ps1 @@ -1,6 +1,8 @@ # Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1". # Source: https://github.com/StefanScherer/adfs2 +$hostsFile = "c:\Windows\System32\drivers\etc\hosts" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the domain..." @@ -9,6 +11,11 @@ $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.I # Don't do this in Azure. If the network adatper description contains "Hyper-V", this won't apply changes. $adapters | ForEach-Object {if (!($_.Description).Contains("Hyper-V")) {$_.SetDNSServerSearchOrder($newDNSServers)}} +# Hardcoding DNS domain name in hosts file to sidestep any DNS issues +If (!(Select-String -Path $hostsFile -Pattern "192.168.38.102")) { + Add-Content $hostsFile " 192.168.38.102 windomain.local" +} + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..." $hostname = $(hostname) $user = "windomain.local\vagrant" @@ -18,6 +25,10 @@ $DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass # Place the computer in the correct OU based on hostname If ($hostname -eq "wef") { Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru + # Attempt to fix Issue #517 + Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'WaitToKillServiceTimeout' -Value '500' -Type String -Force -ea SilentlyContinue + New-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -Name 'AutoEndTasks' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue + Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Power' -Name 'HiberbootEnabled' -Value 0 -PropertyType DWord -Force -ea SilentlyContinue } ElseIf ($hostname -eq "win10") { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'" #debug Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local" @@ -25,6 +36,7 @@ If ($hostname -eq "wef") { Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru } +# Set auto login Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant" Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant" @@ -36,8 +48,6 @@ Stop-Service wuauserv Set-Service TrustedInstaller -StartupType Disabled Stop-Service TrustedInstaller - - # Uninstall Windows Defender from WEF # This command isn't supported on WIN10 If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).status -eq 'Running') { From be516588029d07fdcb8c41026c8573029a19d24c Mon Sep 17 00:00:00 2001 From: Aan <6284204+aancw@users.noreply.github.com> Date: Thu, 15 Oct 2020 23:03:28 +0700 Subject: [PATCH 11/26] Update README packer for ESXI 7.0 support Updating packer build for ESXI 7.0 support --- ESXi/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ESXi/README.md b/ESXi/README.md index ca916a0..08aea0d 100644 --- a/ESXi/README.md +++ b/ESXi/README.md @@ -23,6 +23,15 @@ NOTE: This is an early release and it's possible that certain features may not w 1. **(5 Minutes)** Edit the variables in `DetectionLab/ESXi/Packer/variables.json` to match your ESXi configuration. The `esxi_network_with_dhcp_and_internet` variable refers to any ESXi network that will be able to provide DHCP and internet access to the VM while it's being built in Packer. +Note: As per ESXI 7.x, built-in VNC server has been removed from distribution (https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html). If you are using ESXI 7.x, you need to: +* Upgrade Packer to 1.6.3+, we need to use `vnc_over_websocket` instead of old vnc configuration : [see packer issue](https://github.com/hashicorp/packer/issues/8984), [changelog](https://github.com/hashicorp/packer/blob/master/CHANGELOG.md) +* Add two config to windows_10_esxi.json, windows_2016_esxi.json, ubuntu1804_esxi.json like this: +``` +"vnc_over_websocket": true, +"insecure_connection": true, +``` +Ref: https://www.virtuallyghetto.com/2020/10/quick-tip-vmware-iso-builder-for-packer-now-supported-with-esxi-7-0.html + 2. **(45 Minutes)** From the `DetectionLab/ESXi/Packer` directory, run: * `PACKER_CACHE_DIR=../../Packer/packer_cache packer build -var-file variables.json windows_10_esxi.json` * `PACKER_CACHE_DIR=../../Packer/packer_cache packer build -var-file variables.json windows_2016_esxi.json` From 51b6599c39b72d99737e81f04caba1bd70419261 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Thu, 15 Oct 2020 18:52:49 -0700 Subject: [PATCH 12/26] Add WINS server config --- Vagrant/scripts/join-domain.ps1 | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1 index f3df98b..c9a2094 100755 --- a/Vagrant/scripts/join-domain.ps1 +++ b/Vagrant/scripts/join-domain.ps1 @@ -9,12 +9,8 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the doma $newDNSServers = "192.168.38.102" $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."} # Don't do this in Azure. If the network adatper description contains "Hyper-V", this won't apply changes. -$adapters | ForEach-Object {if (!($_.Description).Contains("Hyper-V")) {$_.SetDNSServerSearchOrder($newDNSServers)}} - -# Hardcoding DNS domain name in hosts file to sidestep any DNS issues -If (!(Select-String -Path $hostsFile -Pattern "192.168.38.102")) { - Add-Content $hostsFile " 192.168.38.102 windomain.local" -} +# Specify the DC as a WINS server to help with connectivity as well +$adapters | ForEach-Object {if (!($_.Description).Contains("Hyper-V")) {$_.SetDNSServerSearchOrder($newDNSServers); $_.SetWINSServer($newDNSServers, "")}} Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..." $hostname = $(hostname) @@ -60,4 +56,4 @@ If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction Silentl Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) We'll try again during install-red-team.ps1" } -} \ No newline at end of file +} From 023b9acd8d574ac56eaa369d201445bb56e29a12 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Fri, 16 Oct 2020 15:31:11 -0700 Subject: [PATCH 13/26] Fix typo --- Vagrant/scripts/join-domain.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1 index c9a2094..f0bc59e 100755 --- a/Vagrant/scripts/join-domain.ps1 +++ b/Vagrant/scripts/join-domain.ps1 @@ -24,7 +24,7 @@ If ($hostname -eq "wef") { # Attempt to fix Issue #517 Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'WaitToKillServiceTimeout' -Value '500' -Type String -Force -ea SilentlyContinue New-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -Name 'AutoEndTasks' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue - Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Power' -Name 'HiberbootEnabled' -Value 0 -PropertyType DWord -Force -ea SilentlyContinue + Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Power' -Name 'HiberbootEnabled' -Value 0 -Type DWord -Force -ea SilentlyContinue } ElseIf ($hostname -eq "win10") { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'" #debug Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local" From f75231b76ede81b571ad32236e4f83b70fc6afdf Mon Sep 17 00:00:00 2001 From: Chris Long Date: Fri, 16 Oct 2020 22:43:56 -0700 Subject: [PATCH 14/26] Fixing Issue #535 --- Azure/Terraform/main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Azure/Terraform/main.tf b/Azure/Terraform/main.tf index 7e3fb0c..ebcf9c3 100644 --- a/Azure/Terraform/main.tf +++ b/Azure/Terraform/main.tf @@ -266,8 +266,10 @@ resource "azurerm_virtual_machine" "logger" { } inline = [ "sudo add-apt-repository universe && sudo apt-get -qq update && sudo apt-get -qq install -y git", + "sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config && sudo service ssh restart", "echo 'logger' | sudo tee /etc/hostname && sudo hostnamectl set-hostname logger", "sudo adduser --disabled-password --gecos \"\" vagrant && echo 'vagrant:vagrant' | sudo chpasswd", + "echo 'vagrant:vagrant' | sudo chpasswd", "sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh", "echo 'vagrant ALL=(ALL:ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers", "sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab", From 0c9a096c173d39609f3d7968c33883f16e1990bb Mon Sep 17 00:00:00 2001 From: Sean Ryan Date: Sun, 18 Oct 2020 19:08:57 -0700 Subject: [PATCH 15/26] added missing commands from bootstrap file for threathunting app to work --- ESXi/ansible/roles/logger/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml index 89b72e2..295e052 100644 --- a/ESXi/ansible/roles/logger/tasks/main.yml +++ b/ESXi/ansible/roles/logger/tasks/main.yml @@ -231,8 +231,17 @@ sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf fi + # Replace the props.conf for Sysmon TA and Windows TA + # Removed all the 'rename = xmlwineventlog' directives + # I know youre not supposed to modify files in "default", + # but for some reason adding them to "local" wasnt working + cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf + cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf + # Add custom Macro definitions for ThreatHunting App cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf + # Fix props.conf in ThreatHunting App + sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf # Fix Windows TA macros mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local From 61118d371eb7c961fd3895aceae4c371a75f1e4d Mon Sep 17 00:00:00 2001 From: Aan <6284204+aancw@users.noreply.github.com> Date: Fri, 30 Oct 2020 02:42:10 +0700 Subject: [PATCH 16/26] Update ESXi Provider to josenk Update ESXi provider to josenk from hashicorp/esxi ``` DetectionLab/ESXi terraform init && terraform apply Initializing the backend... Initializing provider plugins... - Finding latest version of hashicorp/esxi... Error: Failed to install provider Error while installing hashicorp/esxi: provider registry registry.terraform.io does not have a provider named registry.terraform.io/hashicorp/esxi ``` --- ESXi/versions.tf | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ESXi/versions.tf diff --git a/ESXi/versions.tf b/ESXi/versions.tf new file mode 100644 index 0000000..f4d2f64 --- /dev/null +++ b/ESXi/versions.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + esxi = { + source = "josenk/esxi" + version = "1.8.0" + } + } +} From fce294c7b06d5d0797848c0bfda883681217b110 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Thu, 29 Oct 2020 23:28:51 -0700 Subject: [PATCH 17/26] Fixing CircleCI Build Steps --- Vagrant/Vagrantfile | 3 +++ Vagrant/bootstrap.sh | 1 + ci/build_machine_bootstrap.sh | 23 ++++++++++++++++++++++- 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 74c12e2..056eeb8 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -79,6 +79,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false + cfg.vm.provision "shell", inline: 'Write-Host "DC Provisioning Complete!"', privileged: false cfg.vm.provider "vmware_desktop" do |v, override| v.vmx["displayname"] = "dc.windomain.local" @@ -146,6 +147,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false cfg.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: false cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false + cfg.vm.provision "shell", inline: 'Write-Host "WEF Provisioning Complete!"', privileged: false cfg.vm.provider "vmware_desktop" do |v, override| v.vmx["displayname"] = "wef.windomain.local" @@ -204,6 +206,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false + cfg.vm.provision "shell", inline: 'Write-Host "WIN10 Provisioning Complete!"', privileged: false cfg.vm.provider "vmware_desktop" do |v, override| v.vmx["displayname"] = "win10.windomain.local" diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 24bf7f5..6b3b32d 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -550,6 +550,7 @@ main() { install_zeek install_guacamole postinstall_tasks + echo "Logger Provisioning Complete!" } main diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index 3369c4e..bf786f3 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -113,4 +113,25 @@ fi # Start the build in a tmux session sn=tmuxsession tmux new-session -s "$sn" -d -tmux send-keys -t "$sn:0" 'cd /opt/DetectionLab/Vagrant && vagrant up | tee -a vagrant_up_all.log && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter +tmux send-keys -t "$sn:0" 'for host in logger dc wef win10; do vagrant up $host | tee -a vagrant_up_$host.log; COMPLETE="$(grep -ci "$host Provisioning Complete" vagrant_up_$host.log)"; echo "Complete is $COMPLETE for $host" ; if [ "$COMPLETE" -lt 1 ]; then echo "failed" > /var/www/html/index.html; break; fi; done; ALL_SUCCESS="$(grep -ci "Provisioning Complete" vagrant_up_*.log | cut -d : -f 2 | awk '"'"'{ sum += $1 } END { print sum }'"'"')"; echo "All success is $ALL_SUCCESS"; if [ "$ALL_SUCCESS" -eq 4 ]; then echo "success" > /var/www/html/index.html; else echo "failed" > /var/www/html/index.html; fi' Enter + + +# Expanding the send-keys command +# Vagrant isn't great about return codes, so we'll hack this up for now +# for host in logger dc wef win10; +# do +# vagrant up $host | tee -a vagrant_up_$host.log +# COMPLETE="$(grep -ci "$host Provisioning Complete" vagrant_up_$host.log)" +# echo "Complete is $COMPLETE for $host" +# if [ "$COMPLETE" -lt 1 ]; then +# echo "failed" > /var/www/html/index.html +# break +# fi +# done +# ALL_SUCCESS="$(grep -ci "Provisioning Complete" vagrant_up_*.log | cut -d : -f 2 | awk '"'"'{ sum += $1 } END { print sum }'"'"')" +# echo "All success is $ALL_SUCCESS" +# if [ "$ALL_SUCCESS" -eq 4 ]; then +# echo "success" > /var/www/html/index.html +# else +# echo "failed" > /var/www/html/index.html +# fi \ No newline at end of file From 3df9a91becbc227cd627efb603c87eb8a657c616 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 31 Oct 2020 14:58:41 -0700 Subject: [PATCH 18/26] Simplify this --- Vagrant/Vagrantfile | 3 - Vagrant/bootstrap.sh | 1 - ci/build_machine_bootstrap.sh | 115 +++++++++++++++++++++++++++------- 3 files changed, 93 insertions(+), 26 deletions(-) diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 056eeb8..74c12e2 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -79,7 +79,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false - cfg.vm.provision "shell", inline: 'Write-Host "DC Provisioning Complete!"', privileged: false cfg.vm.provider "vmware_desktop" do |v, override| v.vmx["displayname"] = "dc.windomain.local" @@ -147,7 +146,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false cfg.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: false cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false - cfg.vm.provision "shell", inline: 'Write-Host "WEF Provisioning Complete!"', privileged: false cfg.vm.provider "vmware_desktop" do |v, override| v.vmx["displayname"] = "wef.windomain.local" @@ -206,7 +204,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false - cfg.vm.provision "shell", inline: 'Write-Host "WIN10 Provisioning Complete!"', privileged: false cfg.vm.provider "vmware_desktop" do |v, override| v.vmx["displayname"] = "win10.windomain.local" diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 6b3b32d..24bf7f5 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -550,7 +550,6 @@ main() { install_zeek install_guacamole postinstall_tasks - echo "Logger Provisioning Complete!" } main diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index bf786f3..723fe44 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -110,28 +110,99 @@ if [ $BOXES_PRESENT -eq 1 ]; then sed -i 's#"detectionlab/win10"#"/mnt/windows_10_virtualbox.box"#g' /opt/DetectionLab/Vagrant/Vagrantfile fi +# Recreate a barebones version of the build script so we have some sense of return codes +cat << EOF > /opt/DetectionLab/Vagrant/build.sh +#! /bin/bash + +# Brings up a single host using Vagrant +vagrant_up_host() { + HOST="$1" + (echo >&2 "Attempting to bring up the $HOST host using Vagrant") + cd "$DL_DIR"/Vagrant || exit 1 + $(which vagrant) up "$HOST" --provider="$PROVIDER" &> "$DL_DIR/Vagrant/vagrant_up_$HOST.log" + echo "$?" +} + +# Attempts to reload and re-provision a host if the intial "vagrant up" fails +vagrant_reload_host() { + HOST="$1" + cd "$DL_DIR"/Vagrant || exit 1 + # Attempt to reload the host if the vagrant up command didn't exit cleanly + $(which vagrant) reload "$HOST" --provision >>"$DL_DIR/Vagrant/vagrant_up_$HOST.log" 2>&1 + echo "$?" +} + +# A series of checks to ensure important services are responsive after the build completes. +post_build_checks() { + # If the curl operation fails, we'll just leave the variable equal to 0 + # This is needed to prevent the script from exiting if the curl operation fails + SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "") + FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.105:8412 | grep -c 'Kolide Fleet' || echo "") + ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.103 -m 2) + [[ $ATA_CHECK == 401 ]] && ATA_CHECK=1 + + BASH_MAJOR_VERSION=$(/bin/bash --version | grep 'GNU bash' | grep -oi version\.\.. | cut -d ' ' -f 2 | cut -d '.' -f 1) + # Associative arrays are only supported in bash 4 and up + if [ "$BASH_MAJOR_VERSION" -ge 4 ]; then + declare -A SERVICES + SERVICES=(["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK") + for SERVICE in "${!SERVICES[@]}"; do + if [ "${SERVICES[$SERVICE]}" -lt 1 ]; then + (echo >&2 "Warning: $SERVICE failed post-build tests and may not be functioning correctly.") + fi + done + else + if [ "$SPLUNK_CHECK" -lt 1 ]; then + (echo >&2 "Warning: Splunk failed post-build tests and may not be functioning correctly.") + fi + if [ "$FLEET_CHECK" -lt 1 ]; then + (echo >&2 "Warning: Fleet failed post-build tests and may not be functioning correctly.") + fi + if [ "$ATA_CHECK" -lt 1 ]; then + (echo >&2 "Warning: MS ATA failed post-build tests and may not be functioning correctly.") + fi + fi +} + +build_vagrant_hosts() { + LAB_HOSTS=("logger" "dc" "wef" "win10") + + # Vagrant up each box and attempt to reload one time if it fails + for VAGRANT_HOST in "${LAB_HOSTS[@]}"; do + RET=$(vagrant_up_host "$VAGRANT_HOST") + if [ "$RET" -eq 0 ]; then + (echo >&2 "Good news! $VAGRANT_HOST was built successfully!") + fi + # Attempt to recover if the intial "vagrant up" fails + if [ "$RET" -ne 0 ]; then + (echo >&2 "Something went wrong while attempting to build the $VAGRANT_HOST box.") + (echo >&2 "Attempting to reload and reprovision the host...") + RETRY_STATUS=$(vagrant_reload_host "$VAGRANT_HOST") + if [ "$RETRY_STATUS" -eq 0 ]; then + (echo >&2 "Good news! $VAGRANT_HOST was built successfully after a reload!") + else + (echo >&2 "Failed to bring up $VAGRANT_HOST after a reload. Exiting.") + exit 1 + fi + fi + done +} + +main() { + # Get location of build.sh + # https://stackoverflow.com/questions/59895/getting-the-source-directory-of-a-bash-script-from-within + DL_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + + # Build and Test Vagrant hosts + build_vagrant_hosts + post_build_checks +} + +main +exit 0 +EOF + # Start the build in a tmux session sn=tmuxsession tmux new-session -s "$sn" -d -tmux send-keys -t "$sn:0" 'for host in logger dc wef win10; do vagrant up $host | tee -a vagrant_up_$host.log; COMPLETE="$(grep -ci "$host Provisioning Complete" vagrant_up_$host.log)"; echo "Complete is $COMPLETE for $host" ; if [ "$COMPLETE" -lt 1 ]; then echo "failed" > /var/www/html/index.html; break; fi; done; ALL_SUCCESS="$(grep -ci "Provisioning Complete" vagrant_up_*.log | cut -d : -f 2 | awk '"'"'{ sum += $1 } END { print sum }'"'"')"; echo "All success is $ALL_SUCCESS"; if [ "$ALL_SUCCESS" -eq 4 ]; then echo "success" > /var/www/html/index.html; else echo "failed" > /var/www/html/index.html; fi' Enter - - -# Expanding the send-keys command -# Vagrant isn't great about return codes, so we'll hack this up for now -# for host in logger dc wef win10; -# do -# vagrant up $host | tee -a vagrant_up_$host.log -# COMPLETE="$(grep -ci "$host Provisioning Complete" vagrant_up_$host.log)" -# echo "Complete is $COMPLETE for $host" -# if [ "$COMPLETE" -lt 1 ]; then -# echo "failed" > /var/www/html/index.html -# break -# fi -# done -# ALL_SUCCESS="$(grep -ci "Provisioning Complete" vagrant_up_*.log | cut -d : -f 2 | awk '"'"'{ sum += $1 } END { print sum }'"'"')" -# echo "All success is $ALL_SUCCESS" -# if [ "$ALL_SUCCESS" -eq 4 ]; then -# echo "success" > /var/www/html/index.html -# else -# echo "failed" > /var/www/html/index.html -# fi \ No newline at end of file +tmux send-keys -t "$sn:0" './build.sh virtualbox --vagrant-only && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter From 9315f80370d8740a479fa9574ace5eb03820403d Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 31 Oct 2020 15:14:54 -0700 Subject: [PATCH 19/26] Fix path --- ci/build_machine_bootstrap.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index 723fe44..c596423 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -111,7 +111,7 @@ if [ $BOXES_PRESENT -eq 1 ]; then fi # Recreate a barebones version of the build script so we have some sense of return codes -cat << EOF > /opt/DetectionLab/Vagrant/build.sh +cat << EOF > /opt/DetectionLab/build.sh #! /bin/bash # Brings up a single host using Vagrant @@ -201,6 +201,7 @@ main() { main exit 0 EOF +chmod +x /opt/DetectionLab/build.sh # Start the build in a tmux session sn=tmuxsession From 1a84e03d476ef7e1efea99050a0808ddb14328b9 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 31 Oct 2020 16:30:00 -0700 Subject: [PATCH 20/26] Remove args --- ci/build_machine_bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index c596423..9a6f82b 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -206,4 +206,4 @@ chmod +x /opt/DetectionLab/build.sh # Start the build in a tmux session sn=tmuxsession tmux new-session -s "$sn" -d -tmux send-keys -t "$sn:0" './build.sh virtualbox --vagrant-only && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter +tmux send-keys -t "$sn:0" './build.sh && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter From fa0bc1cbbd3f22582cda5de298e4618c3eded8a8 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 31 Oct 2020 17:32:51 -0700 Subject: [PATCH 21/26] EOF needs to be in quotes --- ci/build_machine_bootstrap.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index 9a6f82b..71408d5 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -111,7 +111,7 @@ if [ $BOXES_PRESENT -eq 1 ]; then fi # Recreate a barebones version of the build script so we have some sense of return codes -cat << EOF > /opt/DetectionLab/build.sh +cat << 'EOF' > /opt/DetectionLab/build.sh #! /bin/bash # Brings up a single host using Vagrant @@ -194,6 +194,7 @@ main() { DL_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # Build and Test Vagrant hosts + cd Vagrant build_vagrant_hosts post_build_checks } @@ -206,4 +207,4 @@ chmod +x /opt/DetectionLab/build.sh # Start the build in a tmux session sn=tmuxsession tmux new-session -s "$sn" -d -tmux send-keys -t "$sn:0" './build.sh && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter +tmux send-keys -t "$sn:0" 'cd /opt/DetectionLab && ./build.sh && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter From 2c1f422da69d38b8272054ccf33d6d256eadc833 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 1 Nov 2020 09:36:48 -0800 Subject: [PATCH 22/26] Update build_machine_bootstrap.sh --- ci/build_machine_bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index 71408d5..5dfbf02 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -119,7 +119,7 @@ vagrant_up_host() { HOST="$1" (echo >&2 "Attempting to bring up the $HOST host using Vagrant") cd "$DL_DIR"/Vagrant || exit 1 - $(which vagrant) up "$HOST" --provider="$PROVIDER" &> "$DL_DIR/Vagrant/vagrant_up_$HOST.log" + $(which vagrant) up "$HOST" &> "$DL_DIR/Vagrant/vagrant_up_$HOST.log" echo "$?" } From c68da5ca44cdbc5e2b95e29bdf93fba4c02abae5 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Tue, 3 Nov 2020 12:38:04 -0800 Subject: [PATCH 23/26] Update ESXi docs Note about MacOS Ansible fork() error from https://github.com/clong/DetectionLab/issues/543 --- ESXi/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ESXi/README.md b/ESXi/README.md index 08aea0d..8e2a464 100644 --- a/ESXi/README.md +++ b/ESXi/README.md @@ -50,7 +50,7 @@ These commands can be run in parallel from three separate terminal sessions. 8. **(3 Minute)s** Edit `DetectionLab/ESXi/resources/01-netcfg.yaml`. These are the IP addresses that will be applied to the logger network interfaces. These should be be able to be found in your ESXi console or from the Terraform outputs. 9. **(3 Minute)** Before running any Ansible playbooks, I highly recommend taking snapshots of all your VMs! If anything goes wrong with provisioning, you can simply restore the snapshot and easily debug the issue. 10. Change your directory to `DetectionLab/ESXi/Ansible` -11. **(30 Minutes)** Run `ansible-playbook -vvv detectionlab.yml` +11. **(30 Minutes)** Run `ansible-playbook -vvv detectionlab.yml` - If running Ansible causes a `fork()` related error message, set the following environment variable before running Ansible: `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES`. More on this [here](https://github.com/clong/DetectionLab/issues/543). 12. If all goes well, you should see the following and your lab is complete! ![Ansible](https://github.com/clong/DetectionLab/blob/master/img/esxi_ansible.png?raw=true) From 60e0697329bdbe48a2c5bea91842bb8a8d92ab0c Mon Sep 17 00:00:00 2001 From: Matt <803645+znb@users.noreply.github.com> Date: Wed, 4 Nov 2020 17:13:40 +0000 Subject: [PATCH 24/26] Small addition for the Ansible fork() issue --- Azure/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Azure/README.md b/Azure/README.md index e0a6a3b..7703d0a 100644 --- a/Azure/README.md +++ b/Azure/README.md @@ -85,6 +85,7 @@ If you run into any issues along the way, please open an issue on Github and I'l * If an Ansible playbook fails (and they sometimes do), you can pick up where it left off with `ansible-playbook -vvv detectionlab.yml --tags="hostname-goes-here" --start-at-task="taskname"` * "Installing Red Team Tooling" hangs if AV isn't disabled successfully * It seems like sometimes the logger provisioning "errors" somewhere and causes the box to become tained, despite the provision being successful. Work around this by untainting it: `terraform untaint azurerm_virtual_machine.dc` +* If running Ansible causes a `fork()` related error message, set the following environment variable before running Ansible: `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES`. More on this [here](https://github.com/clong/DetectionLab/issues/543). ## Future work required * It probably makes sense to abstract all of the logic in `bootstrap.sh` into individual Ansible tasks From 0d250b679fba78dba855bb6ce58fbea6b2038629 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Thu, 5 Nov 2020 14:36:37 -0800 Subject: [PATCH 25/26] ESXi Bugfixes - Use only 2 network adapters instead of 3 --- ESXi/ansible/roles/dc/tasks/main.yml | 4 ++-- ESXi/ansible/roles/logger/tasks/main.yml | 9 --------- ESXi/ansible/roles/wef/tasks/main.yml | 4 ++-- ESXi/ansible/roles/win10/tasks/main.yml | 4 ++-- ESXi/main.tf | 18 ------------------ ESXi/variables.tf | 4 ---- 6 files changed, 6 insertions(+), 37 deletions(-) diff --git a/ESXi/ansible/roles/dc/tasks/main.yml b/ESXi/ansible/roles/dc/tasks/main.yml index 72b1a74..c16bb9e 100644 --- a/ESXi/ansible/roles/dc/tasks/main.yml +++ b/ESXi/ansible/roles/dc/tasks/main.yml @@ -10,10 +10,10 @@ when: res.reboot_required - name: Set HostOnly IP Address - win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.102 –PrefixLength 24 -DefaultGateway 192.168.38.1" + win_shell: "New-NetIPAddress –InterfaceAlias Ethernet1 –AddressFamily IPv4 -IPAddress 192.168.38.102 –PrefixLength 24 -DefaultGateway 192.168.38.1" - name: Set DNS Address - win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 127.0.0.1,8.8.8.8" + win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet1 -ServerAddresses 127.0.0.1,8.8.8.8" - name: Install git win_chocolatey: diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml index 295e052..30f5681 100644 --- a/ESXi/ansible/roles/logger/tasks/main.yml +++ b/ESXi/ansible/roles/logger/tasks/main.yml @@ -219,11 +219,6 @@ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_144.tgz -auth 'admin:changeme' - ## Fix a bug with the ThreatHunting App (https://github.com/olafhartong/ThreatHunting/pull/57) - mv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmonevencodes.csv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmoneventcodes.csv - sed -i 's/= sysmoneventcode /= sysmoneventcodes.csv /g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf - sed -i 's/sysmoneventcode.csv/sysmoneventcodes.csv/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf - # Install the Maxmind license key for the ASNgen App if [ ! -z $MAXMIND_LICENSE ]; then mkdir /opt/splunk/etc/apps/TA-asngen/local @@ -272,8 +267,6 @@ dismissedInstrumentationOptInVersion = 4 notification_python_3_impact = false display.page.home.dashboardId = /servicesNS/nobody/search/data/ui/views/logger_dashboard' > /opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf - # Disable the instrumentation popup - echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >>/opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf # Enable SSL Login for Splunk echo -e "[settings]\nenableSplunkWebSSL = true" >/opt/splunk/etc/system/local/web.conf # Copy over the Logger Dashboard @@ -284,8 +277,6 @@ # Reboot Splunk to make changes take effect /opt/splunk/bin/splunk restart /opt/splunk/bin/splunk enable boot-start - # Generate the ASN lookup table - /opt/splunk/bin/splunk search "|asngen | outputlookup asn" -auth 'admin:changeme' fi register: install_splunk changed_when: "'The Splunk web interface is at https://logger:8000' in install_splunk.stdout" diff --git a/ESXi/ansible/roles/wef/tasks/main.yml b/ESXi/ansible/roles/wef/tasks/main.yml index 8ff4567..bc8cbf6 100644 --- a/ESXi/ansible/roles/wef/tasks/main.yml +++ b/ESXi/ansible/roles/wef/tasks/main.yml @@ -11,11 +11,11 @@ # This needs to be made idempodent - name: Set HostOnly IP Address - win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.103 –PrefixLength 24 -DefaultGateway 192.168.38.1" + win_shell: "New-NetIPAddress –InterfaceAlias Ethernet1 –AddressFamily IPv4 -IPAddress 192.168.38.103 –PrefixLength 24 -DefaultGateway 192.168.38.1" # This needs to be made idempodent - name: Set HostOnly DNS Address - win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 192.168.38.102,8.8.8.8" + win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet1 -ServerAddresses 192.168.38.102,8.8.8.8" - name: Install git win_chocolatey: diff --git a/ESXi/ansible/roles/win10/tasks/main.yml b/ESXi/ansible/roles/win10/tasks/main.yml index e277e43..03f443a 100644 --- a/ESXi/ansible/roles/win10/tasks/main.yml +++ b/ESXi/ansible/roles/win10/tasks/main.yml @@ -10,10 +10,10 @@ when: res.reboot_required - name: Set HostOnly IP Address - win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.104 –PrefixLength 24 -DefaultGateway 192.168.38.1" + win_shell: "New-NetIPAddress –InterfaceAlias Ethernet1 –AddressFamily IPv4 -IPAddress 192.168.38.104 –PrefixLength 24 -DefaultGateway 192.168.38.1" - name: Set HostOnly DNS Address - win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 192.168.38.102,8.8.8.8" + win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet1 -ServerAddresses 192.168.38.102,8.8.8.8" - name: Install git win_chocolatey: diff --git a/ESXi/main.tf b/ESXi/main.tf index 8e58641..1714a99 100644 --- a/ESXi/main.tf +++ b/ESXi/main.tf @@ -86,12 +86,6 @@ resource "esxi_guest" "dc" { mac_address = "00:50:56:a1:b1:c2" nic_type = "e1000" } - # OPTIONAL: You can comment out this interface stanza if your vm_network provides internet access - network_interfaces { - virtual_network = var.nat_network - mac_address = "00:50:56:a1:b1:c3" - nic_type = "e1000" - } # This is the local network that will be used for 192.168.38.x addressing network_interfaces { virtual_network = var.hostonly_network @@ -121,12 +115,6 @@ resource "esxi_guest" "wef" { mac_address = "00:50:56:a1:b2:c2" nic_type = "e1000" } - # OPTIONAL: You can comment out this interface stanza if your vm_network provides internet access - network_interfaces { - virtual_network = var.nat_network - mac_address = "00:50:56:a1:b3:c3" - nic_type = "e1000" - } # This is the local network that will be used for 192.168.38.x addressing network_interfaces { virtual_network = var.hostonly_network @@ -156,12 +144,6 @@ resource "esxi_guest" "win10" { mac_address = "00:50:56:a2:b1:c2" nic_type = "e1000" } - # OPTIONAL: You can comment out this interface stanza if your vm_network provides internet access - network_interfaces { - virtual_network = var.nat_network - mac_address = "00:50:56:a2:b1:c3" - nic_type = "e1000" - } # This is the local network that will be used for 192.168.38.x addressing network_interfaces { virtual_network = var.hostonly_network diff --git a/ESXi/variables.tf b/ESXi/variables.tf index 369626a..41a23b3 100644 --- a/ESXi/variables.tf +++ b/ESXi/variables.tf @@ -22,10 +22,6 @@ variable "vm_network" { default = "VM Network" } -variable "nat_network" { - default = "NAT Network" -} - variable "hostonly_network" { default = "HostOnly Network" } From 3fb36effed6cb102a73b9d2f062b917771bf193f Mon Sep 17 00:00:00 2001 From: Chris Long Date: Thu, 5 Nov 2020 22:32:03 -0800 Subject: [PATCH 26/26] Use /usr/bin/env bash instead of /bin/bash for scripts --- Azure/build_ansible_inventory.sh | 2 +- HyperV/bootstrap.sh | 2 +- Vagrant/bootstrap.sh | 2 +- Vagrant/post_build_checks.sh | 2 +- Vagrant/prepare.sh | 2 +- Vagrant/scripts/install-botsv2.sh | 2 +- Vagrant/scripts/install-botsv3.sh | 2 +- ci/build_machine_bootstrap.sh | 4 ++-- ci/manual_machine_bootstrap.sh | 2 +- ci/manual_machine_bootstrap_vmware.sh | 2 +- 10 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Azure/build_ansible_inventory.sh b/Azure/build_ansible_inventory.sh index d0ed6a0..516cdc6 100755 --- a/Azure/build_ansible_inventory.sh +++ b/Azure/build_ansible_inventory.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash # This script is used to populate the Azure Ansible inventory.yml with # the results of "terraform output" diff --git a/HyperV/bootstrap.sh b/HyperV/bootstrap.sh index 59476a0..738125e 100644 --- a/HyperV/bootstrap.sh +++ b/HyperV/bootstrap.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash # Override existing DNS Settings using netplan, but don't do it for Terraform builds if ! curl -s 169.254.169.254 --connect-timeout 2 >/dev/null; then diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 24bf7f5..99c9080 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash # Override existing DNS Settings using netplan, but don't do it for Terraform builds if ! curl -s 169.254.169.254 --connect-timeout 2 >/dev/null; then diff --git a/Vagrant/post_build_checks.sh b/Vagrant/post_build_checks.sh index 6d7935b..c66280f 100755 --- a/Vagrant/post_build_checks.sh +++ b/Vagrant/post_build_checks.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash # This script is meant to verify that DetectionLab was built successfully. # Only MacOS and Linux are supported. Use post_build_checks.ps1 for Windows. diff --git a/Vagrant/prepare.sh b/Vagrant/prepare.sh index c90a116..090dfcd 100755 --- a/Vagrant/prepare.sh +++ b/Vagrant/prepare.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash # This script is meant to verify that your system is configured to # build DetectionLab successfully. diff --git a/Vagrant/scripts/install-botsv2.sh b/Vagrant/scripts/install-botsv2.sh index d0a90c6..d17c1d9 100644 --- a/Vagrant/scripts/install-botsv2.sh +++ b/Vagrant/scripts/install-botsv2.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash # Thanks to @MHaggis for this addition! # It is recommended to only uncomment the attack-only dataset comment block. diff --git a/Vagrant/scripts/install-botsv3.sh b/Vagrant/scripts/install-botsv3.sh index c694a6b..6081a64 100644 --- a/Vagrant/scripts/install-botsv3.sh +++ b/Vagrant/scripts/install-botsv3.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash #Thanks to @MHaggis for this addition! #More information on BOTSv3 can be found at https://github.com/splunk/botsv3 diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index 5dfbf02..40c6ed0 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash # This script is run on the Packet.net baremetal server for CI tests. # While building, the server will start a webserver on Port 80 that contains @@ -112,7 +112,7 @@ fi # Recreate a barebones version of the build script so we have some sense of return codes cat << 'EOF' > /opt/DetectionLab/build.sh -#! /bin/bash +#! /usr/bin/env bash # Brings up a single host using Vagrant vagrant_up_host() { diff --git a/ci/manual_machine_bootstrap.sh b/ci/manual_machine_bootstrap.sh index b61c2dd..266ddc4 100644 --- a/ci/manual_machine_bootstrap.sh +++ b/ci/manual_machine_bootstrap.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash # This script is used to manually prepare an Ubuntu 16.04 server for DetectionLab building export DEBIAN_FRONTEND=noninteractive diff --git a/ci/manual_machine_bootstrap_vmware.sh b/ci/manual_machine_bootstrap_vmware.sh index c50aeae..1daa3d3 100644 --- a/ci/manual_machine_bootstrap_vmware.sh +++ b/ci/manual_machine_bootstrap_vmware.sh @@ -1,4 +1,4 @@ -#! /bin/bash +#! /usr/bin/env bash # This script is used to manually prepare an Ubuntu 16.04 server for DetectionLab building