diff --git a/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1 b/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1
index 87ed644..5708127 100644
--- a/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1
+++ b/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1
@@ -1,13 +1,49 @@
 # Purpose: Installs the GPOs for the custom WinEventLog auditing policy.
 Write-Host "Configuring auditing policy GPOS..."
-Write-Host "Importing Domain Controller Enhanced Auditing Policy..."
-Import-GPO -BackupGpoName 'Domain Controllers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName 'Domain Controllers Enhanced Auditing Policy' -CreateIfNeeded
-New-GPLink -Name 'Domain Controllers Enhanced Auditing Policy' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+$GPOName = 'Domain Controllers Enhanced Auditing Policy'
+$OU = "ou=Domain Controllers,dc=windomain,dc=local"
+Write-Host "Importing $GPOName..."
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+$GPOName = 'Servers Enhanced Auditing Policy'
+$OU = "ou=Servers,dc=windomain,dc=local"
+Write-Host "Importing $GPOName..."
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
-Write-Host "Importing Servers Enhanced Auditing Policy..."
-Import-GPO -BackupGpoName 'Servers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName 'Servers Enhanced Auditing Policy' -CreateIfNeeded
-New-GPLink -Name 'Servers Enhanced Auditing Policy' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes
+$GPOName = 'Workstations Enhanced Auditing Policy'
+$OU = "ou=Workstations,dc=windomain,dc=local"
+Write-Host "Importing $GPOName..."
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
-Write-Host "Importing Workstations Enhanced Auditing Policy..."
-Import-GPO -BackupGpoName 'Workstations Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName 'Workstations Enhanced Auditing Policy' -CreateIfNeeded
-New-GPLink -Name 'Workstations Enhanced Auditing Policy' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes
diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1
index d980fd4..07ae82f 100644
--- a/Vagrant/scripts/configure-ou.ps1
+++ b/Vagrant/scripts/configure-ou.ps1
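Review bot: The OU lookup / link test / `New-GPLink` sequence is pasted three times with only `$GPOName` and `$OU` changing, so any fix to the link check has to be made in three places here and again in configure-powershelllogging.ps1 and configure-wef-gpo.ps1, which carry the same copy; a small function removes the duplication. The check also relies on `Get-ADOrganizationalUnit` succeeding: if the OU is missing or AD is not yet answering, `$gPLinks` is `$null`, `-notcontains` evaluates true and `New-GPLink` is attempted against a non-existent target with only a non-terminating error, so `-ErrorAction Stop` on the lookup would make provisioning fail visibly instead of moving on. The `$gpLinks = $null` reset before each lookup is redundant, since the same (case-insensitive) variable is reassigned on the next line.
```powershell
function Set-GPLinkIfMissing {
    param([string]$GPOName, [string]$OU)
    $adOu = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions -ErrorAction Stop
    $gpo  = Get-GPO -Name $GPOName -ErrorAction Stop
    if ($adOu.LinkedGroupPolicyObjects -notcontains $gpo.Path) {
        New-GPLink -Name $GPOName -Target $OU -Enforced yes
    } else {
        Write-Host "GpLink $GPOName already linked on $OU. Moving On."
    }
}
# … unchanged: Write-Host / Import-GPO for each policy …
Set-GPLinkIfMissing -GPOName 'Domain Controllers Enhanced Auditing Policy' -OU "ou=Domain Controllers,dc=windomain,dc=local"
Set-GPLinkIfMissing -GPOName 'Servers Enhanced Auditing Policy' -OU "ou=Servers,dc=windomain,dc=local"
Set-GPLinkIfMissing -GPOName 'Workstations Enhanced Auditing Policy' -OU "ou=Workstations,dc=windomain,dc=local"
```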
@@ -2,10 +2,23 @@
 Write-Host "Sleeping for 30 seconds, then creating Server and Workstation OUs"
 Start-Sleep 30
 Write-Host "Creating Servers OU"
-New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
+if (!([ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")))
+{
+ New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
+}
+else
+{
+ Write-Host "Servers OU already exists. Moving On."
+}
 Write-Host "Creating Workstations OU"
-New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
-
+if (!([ADSI]::Exists("LDAP://OU=Workstations,DC=windomain,DC=local")))
+{
+ New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
+}
+else
+{
+ Write-Host "Workstations OU already exists. Moving On."
+}
 # Sysprep breaks auto-login. Let's restore it here:
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
diff --git a/Vagrant/scripts/configure-powershelllogging.ps1 b/Vagrant/scripts/configure-powershelllogging.ps1
index ec691bd..86628fd 100755
--- a/Vagrant/scripts/configure-powershelllogging.ps1
+++ b/Vagrant/scripts/configure-powershelllogging.ps1
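Review bot: The Servers and Workstations blocks are identical apart from the OU name, and the domain DN is repeated inside each `[ADSI]::Exists` string; a loop over the two names keeps a single copy of the check. As far as I recall, `[ADSI]::Exists` also returns `$false` when the LDAP bind itself fails rather than only when the object is absent, so a directory that is not yet answering after the fixed 30-second sleep takes the create branch and `New-ADOrganizationalUnit` then fails with a non-terminating error that the script ignores; `-ErrorAction Stop` there makes a missing OU stop provisioning before the GPO-link scripts that depend on these OUs run.
```powershell
foreach ($ouName in 'Servers', 'Workstations') {
    Write-Host "Creating $ouName OU"
    if (-not ([ADSI]::Exists("LDAP://OU=$ouName,DC=windomain,DC=local"))) {
        New-ADOrganizationalUnit -Name $ouName -Server "dc.windomain.local" -ErrorAction Stop
    } else {
        Write-Host "$ouName OU already exists. Moving On."
    }
}
# … unchanged: Winlogon auto-login restore …
```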
@@ -1,6 +1,39 @@
 # Purpose: Install the GPO that specifies the WEF collector
 Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
 Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded
-New-GPLink -Name 'Powershell Logging' -Target "dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Powershell Logging' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+$OU = "ou=Workstations,dc=windomain,dc=local"
+$gPLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name 'Powershell Logging'
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name 'Powershell Logging' -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "Powershell Loggin was already linked at $OU. Moving On."
+}
+$OU = "ou=Servers,dc=windomain,dc=local"
+$gPLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name 'Powershell Logging'
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name 'Powershell Logging' -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "Powershell Loggin was already linked at $OU. Moving On."
+}
+$OU = "ou=Domain Controllers,dc=windomain,dc=local"
+$gPLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name 'Powershell Logging' -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "Powershell Loggin was already linked at $OU. Moving On."
+}
 gpupdate /force
diff --git a/Vagrant/scripts/configure-pslogstranscriptsshare.ps1 b/Vagrant/scripts/configure-pslogstranscriptsshare.ps1
index 9bfd0ad..e76da63 100755
--- a/Vagrant/scripts/configure-pslogstranscriptsshare.ps1
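Review bot: The third block (Domain Controllers) drops the `$GPO = Get-GPO -Name 'Powershell Logging'` line and only works because `$gpo` is still set from the Servers block above it; restoring the assignment lets the block stand on its own and survive reordering. The removed lines also linked the GPO at the domain root (`dc=windomain,dc=local`), while the new code links it only to the Workstations, Servers and Domain Controllers OUs, so a computer object outside those OUs (for instance one left in the default Computers container, which cannot carry a GPO link) no longer receives module, script block and transcription logging — if that narrowing is intended, say so in the header comment. The `Write-Host` strings read `Powershell Loggin`, presumably `Powershell Logging`. The `# Purpose:` context line still describes installing the GPO that specifies the WEF collector, which is configure-wef-gpo.ps1's job rather than this script's.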
+++ b/Vagrant/scripts/configure-pslogstranscriptsshare.ps1
@@ -1,7 +1,10 @@
 # Purpose: Configure an SMB share for Powershell transcription logs to be written to
 # Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
 Write-Host "Configuring the Powershell Transcripts Share"
-md c:\pslogs
+If (-not (Test-Path c:\pslogs))
+{
+ md c:\pslogs
+}
 ## Kill all inherited permissions
@@ -39,4 +42,7 @@ $acl | Set-Acl c:\pslogs\
 ## Create the SMB Share, granting Everyone the right to read and write files. Specific
 ## actions will actually be enforced by the ACL on the file folder.
-New-SmbShare -Name pslogs -Path c:\pslogs -ChangeAccess Everyone
+if ((Get-SmbShare -Name pslogs -ea silent) -eq $null)
+{
+ New-SmbShare -Name pslogs -Path c:\pslogs -ChangeAccess Everyone
+}
diff --git a/Vagrant/scripts/configure-wef-gpo.ps1 b/Vagrant/scripts/configure-wef-gpo.ps1
index 0268a86..bc4ed20 100644
--- a/Vagrant/scripts/configure-wef-gpo.ps1
+++ b/Vagrant/scripts/configure-wef-gpo.ps1
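Review bot: In the second hunk, `(Get-SmbShare -Name pslogs -ea silent) -eq $null` puts `$null` on the right-hand side; PowerShell's comparison operators filter instead of returning a boolean when the left operand is a collection, so the idiomatic, always-scalar form is `if ($null -eq (Get-SmbShare -Name pslogs -ErrorAction SilentlyContinue))`. Spelling out `SilentlyContinue` also avoids depending on `silent` being accepted as an abbreviation on the target PowerShell version. The guard only tests that a share named `pslogs` exists, not that it still points at `c:\pslogs` with the intended grant, so a pre-existing share with a different path or permissions is left untouched while the folder ACL set above is re-applied on every run; if that drift matters, compare the share's `Path` too rather than only its name.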
@@ -1,14 +1,71 @@
 # Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger
 Write-Host "Importing the GPO to specify the WEF collector"
-Import-GPO -BackupGpoName 'Windows Event Forwarding Server' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Windows Event Forwarding Server' -CreateIfNeeded
-New-GPLink -Name 'Windows Event Forwarding Server' -Target "dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Windows Event Forwarding Server' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+$GPOName = 'Windows Event Forwarding Server'
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$OU = "OU=Servers,dc=windomain,dc=local"
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+$OU = "ou=Domain Controllers,dc=windomain,dc=local"
+$gpLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+
 Write-Host "Importing the GPO to modify ACLs on Custom Event Channels"
-Import-GPO -BackupGPOName 'Custom Event Channel Permissions' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Custom Event Channel Permissions' -CreateIfNeeded
-New-GPLink -Name 'Custom Event Channel Permissions' -Target "dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes
+
+$GPOName = 'Custom Event Channel Permissions'
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$OU = "OU=Servers,dc=windomain,dc=local"
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+$OU = "ou=Domain Controllers,dc=windomain,dc=local"
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+$OU = "ou=Workstations,dc=windomain,dc=local"
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+ New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+ Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+
 gpupdate /force
 # Enable WinRM
 Write-Host "Enabling WinRM"
diff --git a/Vagrant/scripts/download_palantir_osquery.ps1 b/Vagrant/scripts/download_palantir_osquery.ps1
index 1d03e1f..8018732 100644
--- a/Vagrant/scripts/download_palantir_osquery.ps1
+++ b/Vagrant/scripts/download_palantir_osquery.ps1
@@ -2,8 +2,15 @@
 Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
 $osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
-
-# GitHub requires TLS 1.2 as of 2/1/2018
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
-Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
+if (-not (Test-Path $osqueryRepoPath))
+{
+ # GitHub requires TLS 1.2 as of 2/1/2018
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
+ Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
+}
+else
+{
+ Write-Host "$osqueryRepoPath already exists. Moving On."
+}
+Write-Host "Palantir OSQuery download complete!"
\ No newline at end of file
diff --git a/Vagrant/scripts/download_palantir_wef.ps1 b/Vagrant/scripts/download_palantir_wef.ps1
index dc71750..8d026f2 100644
--- a/Vagrant/scripts/download_palantir_wef.ps1
+++ b/Vagrant/scripts/download_palantir_wef.ps1
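Review bot: The 'Windows Event Forwarding Server' GPO is now linked only to the Servers and Domain Controllers OUs, whereas the removed lines linked it at the domain root, which also covered the Workstations OU; the 'Custom Event Channel Permissions' GPO later in the same hunk is linked to all three OUs. Unless workstations receive the collector setting elsewhere, machines in `ou=Workstations` stop forwarding events after this change, so a third block with `$OU = "ou=Workstations,dc=windomain,dc=local"`, of the same shape as the Workstations block used for the second GPO, looks missing. These link blocks are the same copy that configure-AuditingPolicyGPOs.ps1 carries and would benefit from the same shared helper. The `$gpLinks = $null` resets are present in some blocks and absent in others, and are redundant either way.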
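Review bot: The skip test only asks whether the zip exists, yet the skipped branch also holds the `Expand-Archive` step, so a run interrupted after `Invoke-WebRequest` created the archive (partially or fully) but before extraction finished will never extract on later runs; the same applies to download_palantir_wef.ps1 in the next hunk. Testing for the extracted directory, or keeping `Expand-Archive` outside the `if` since it is idempotent with `-Force`, avoids that — for example `if (-not (Test-Path 'c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master'))`, where the exact folder name produced by the GitHub archive should be confirmed against the existing `windows-event-forwarding-master` convention used elsewhere in this commit. The download still fetches the unpinned `master` branch without a checksum, which is pre-existing rather than introduced here but worth a comment since its contents become osquery configuration on every host.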
@@ -4,7 +4,15 @@ Write-Host "Downloading and unzipping the Palantir Windows Event Forwarding Repo
 $wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip'
-# GitHub requires TLS 1.2 as of 2/1/2018
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath
-Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
+If (-not (Test-Path $wefRepoPath))
+{
+ # GitHub requires TLS 1.2 as of 2/1/2018
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath
+ Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
+}
+else
+{
+ Write-Host "$wefRepoPath already exists. Moving On."
+}
+Write-Host "Palantir WEF download complete!"
\ No newline at end of file
diff --git a/Vagrant/scripts/install-autorunstowineventlog.ps1 b/Vagrant/scripts/install-autorunstowineventlog.ps1
index 2b02c8b..5df09a4 100644
--- a/Vagrant/scripts/install-autorunstowineventlog.ps1
+++ b/Vagrant/scripts/install-autorunstowineventlog.ps1
@@ -1,7 +1,19 @@
 # Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 # TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk
 Write-Host "Installing AutorunsToWinEventLog..."
-cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
-.\Install.ps1
-Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
-Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
+If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
+{
+ cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
+ .\Install.ps1
+ Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
+ Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
+ $Tsk = Get-ScheduledTask -TaskName "AutorunsToWinEventLog"
+ if ($Tsk.State -ne "Running")
+ {
+ throw "AutorunsToWinEventLog scheduled tasks wasn't running after starting it"
+ }
+}
+else
+{
+ Write-Host "AutorunsToWinEventLog already installed. Moving On."
+}
diff --git a/Vagrant/scripts/install-caldera-agent.ps1 b/Vagrant/scripts/install-caldera-agent.ps1
index f59133b..ead4bf0 100644
--- a/Vagrant/scripts/install-caldera-agent.ps1
+++ b/Vagrant/scripts/install-caldera-agent.ps1
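Review bot: The state check runs immediately after `Start-ScheduledTask`, and `Running` at that instant is not guaranteed in either direction: a task that finishes quickly already reports `Ready` and the script throws although the install succeeded, while a task that has not yet left `Ready` when queried fails the same way (inferred — the task's runtime is not visible here). Accepting `Ready` as well, e.g. `if ($Tsk.State -notin 'Running', 'Ready')`, or inspecting `(Get-ScheduledTaskInfo -TaskName "AutorunsToWinEventLog").LastTaskResult`, is more robust than the current `-ne "Running"`. The `-eq $null` test is better written `$null -eq (...)`, as for the other guards in this commit. `cd` changes the working directory for the rest of the provisioner and is never restored; `Push-Location`/`Pop-Location` would keep later steps independent of it.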
@@ -1,16 +1,17 @@
 # Purpose: Installs the Caldera agent on the host
-# Add /etc/hosts entry
-Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 logger"
+if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
+{
+ # Add /etc/hosts entry
+ Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 logger"
-# Make the directory
-New-Item "c:\Program Files\cagent" -type directory
+ # Make the directory
+ New-Item "c:\Program Files\cagent" -type directory
-# Install Visual Studio 2015 C++ Redistributable
-choco install -y vcredist2015
+ # Install Visual Studio 2015 C++ Redistributable
+ choco install -y vcredist2015
-# Download cagent and start the service
-If (-not (Test-Path "C:\Program Files\cagent\cagent.exe")) {
+ # Download cagent and start the service
 Write-Host "Downloading Caldera Agent (cagent.exe)"
 $cagentPath = "C:\Program Files\cagent\cagent.exe"
 $cagentConfPath = "C:\Program Files\cagent\conf.yml"
@@ -21,8 +22,12 @@ If (-not (Test-Path "C:\Program Files\cagent\cagent.exe")) {
 # https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
 Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
- Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
+ Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
 } Else {
 Write-Host "Caldera Agent is already installed. Moving on."
 }
+If ((Get-Service -name cagent).Status -ne "Running")
+{
+ throw "Caldera Agent service not running"
+}
 Write-Host "Cagent installation complete!"
diff --git a/Vagrant/scripts/install-inputsconf.ps1 b/Vagrant/scripts/install-inputsconf.ps1
index 723bec3..1018ef2 100755
--- a/Vagrant/scripts/install-inputsconf.ps1
+++ b/Vagrant/scripts/install-inputsconf.ps1
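Review bot: Moving the hosts-file `Add-Content` under the `cagent.exe` existence check leaves a gap in the first hunk: if the run fails between `Add-Content` and the download that creates `cagent.exe`, the next run appends a second ` 192.168.38.5 logger` line, since nothing tests whether the entry is already present. A guard such as `if (-not (Select-String -Path "c:\windows\system32\drivers\etc\hosts" -Pattern 'logger' -Quiet))` around the `Add-Content` keeps the file clean across retries; the same partial-run concern applies to `New-Item`, which errors if the directory already exists and could take `-Force`. In the second hunk, `Get-Service -name cagent` on a host where the service was never registered returns `$null` with a non-terminating error, so the `throw` reports 'not running' for 'not installed' as well; `-ErrorAction Stop` on that call gives the accurate cause. The `if` opened in the first hunk is closed by the `} Else {` context line in the second, with the intervening download lines outside both.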
@@ -1,16 +1,31 @@
 # Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts
 Write-Host "Setting up Splunk Inputs for Sysmon & osquery"
+
 $inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
+$currentContent = get-content $inputsPath
+$targetContent = get-content c:\vagrant\resources\splunk_forwarder\inputs.conf
-Write-Host "Stopping the Splunk forwarder"
-Stop-Service splunkforwarder
+if ($currentContent -ne $targetContent)
+{
+ Write-Host "Stopping the Splunk forwarder"
+ Stop-Service splunkforwarder
-Write-Host "Deleting the default configuration"
-Remove-Item $inputsPath
+ Write-Host "Deleting the default configuration"
+ Remove-Item $inputsPath
-Write-Host "Copying over the custom configuration"
-Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
+ Write-Host "Copying over the custom configuration"
+ Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
-Write-Host "Starting the Splunk forwarder"
-Start-Service splunkforwarder
+ Write-Host "Starting the Splunk forwarder"
+ Start-Service splunkforwarder
+}
+else
+{
+ Write-Host "Splunk forwarder already configured. Moving on."
+}
+If ((Get-Service -name splunkforwarder).Status -ne "Running")
+{
+ throw "splunkforwarder service was not running."
+}
+Write-Host "Splunk forwarder installation complete!"
\ No newline at end of file
diff --git a/Vagrant/scripts/install-microsoft-ata.ps1 b/Vagrant/scripts/install-microsoft-ata.ps1
index 31ecbcb..426972f 100644
--- a/Vagrant/scripts/install-microsoft-ata.ps1
+++ b/Vagrant/scripts/install-microsoft-ata.ps1
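Review bot: `$currentContent -ne $targetContent` does not compare the two files: `Get-Content` returns one string per line, and when the left operand of `-ne` is an array PowerShell returns the elements that differ rather than a boolean, each compared against the right-hand array coerced to a single string — so the condition is true for practically any multi-line file and the forwarder is stopped and reconfigured on every run, which defeats the idempotency this commit is adding. Comparing hashes is exact and cheap: `$currentHash = (Get-FileHash $inputsPath -ErrorAction SilentlyContinue).Hash`, `$targetHash = (Get-FileHash c:\vagrant\resources\splunk_forwarder\inputs.conf).Hash`, `if ($currentHash -ne $targetHash)`; on a PowerShell without `Get-FileHash`, `Compare-Object` on `Get-Content -Raw` output serves the same purpose. `get-content $inputsPath` also errors when the file is absent (the old code deleted it), which the `-ErrorAction SilentlyContinue` above covers so that a missing file takes the configure branch.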
@@ -104,11 +104,30 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
 }
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
- Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant")))
- Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
-
- Set-Location "$env:temp\gatewaysetup"
- Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
+ If (-not (Test-Path "$env:temp\gatewaysetup.zip"))
+ {
+ Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant")))
+ Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
+ }
+ else
+ {
+ Write-Host "[$env:computername] Gateway setup already downloaded. Moving On."
+ }
+ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics"))
+ {
+ Set-Location "$env:temp\gatewaysetup"
+ Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
+ }
+ else
+ {
+ Write-Host "[$env:computername] ATA Gateway already installed. Moving On."
+ }
+ Write-Host "Sleeping 5 minutes to allow ATA gateway to start up..."
+ Start-Sleep -Seconds 300
+ If ((Get-Service "ATAGateway").Status -ne "Running")
+ {
+ throw "ATA lightweight gateway not running"
+ }
 # Disable invalid web requests to endpoints with invalid SSL certs again
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
 }
@@ -120,4 +139,9 @@ $config[0].Configuration.DirectoryServicesResolverConfiguration.UpdateDirectoryE
 Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways/$($config[0].Id)" -UseDefaultCredentials -UseBasicParsing -Method Post -ContentType "application/json" -Body ($config[0] | convertto-json -depth 99)
 # Disable invalid web requests to endpoints with invalid SSL certs again
-[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
\ No newline at end of file
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
+
+If ((Get-Service -name "ATACenter").Status -ne "Running")
+{
+ throw "MS ATA service was not running."
+}
\ No newline at end of file
diff --git a/Vagrant/scripts/install-osquery.ps1 b/Vagrant/scripts/install-osquery.ps1
index b7cdc2e..6f9544f 100755
--- a/Vagrant/scripts/install-osquery.ps1
+++ b/Vagrant/scripts/install-osquery.ps1
@@ -36,5 +36,9 @@ If (-not ($service)) {
 Start-Service osqueryd
 } else {
- Write-Host "osquery is already installed"
+ Write-Host "osquery is already installed. Moving On."
+}
+If ((Get-Service -name osqueryd).Status -ne "Running")
+{
+ throw "osqueryd service was not running"
 }
diff --git a/Vagrant/scripts/install-splunkuf.ps1 b/Vagrant/scripts/install-splunkuf.ps1
index 2eb7b77..2c8449a 100755
--- a/Vagrant/scripts/install-splunkuf.ps1
+++ b/Vagrant/scripts/install-splunkuf.ps1
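Review bot: `Start-Sleep -Seconds 300` runs unconditionally, so even the 'already installed' branch now costs five minutes per provisioning run, while a gateway that needs longer than that still fails the status check that follows. Polling the service with a deadline improves both cases: it returns as soon as `ATAGateway` reports `Running` and still throws once the timeout elapses. These lines appear to sit inside the `Invoke-Command` scriptblock whose opening line is above the hunk (the header shows `Invoke-Command -computername dc`), so the service query would run on the remote host, which looks like the intended side. The `gatewaysetup.zip` guard shares the partial-download concern raised on the osquery download hunk.
```powershell
    # … unchanged: download / install branches …
    Write-Host "Waiting up to 5 minutes for the ATA gateway to start up..."
    $deadline = (Get-Date).AddSeconds(300)
    while ((Get-Service "ATAGateway" -ErrorAction SilentlyContinue).Status -ne "Running" -and (Get-Date) -lt $deadline)
    {
        Start-Sleep -Seconds 10
    }
    If ((Get-Service "ATAGateway").Status -ne "Running")
    {
        throw "ATA lightweight gateway not running"
    }
```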
@@ -10,4 +10,8 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"))
 } Else {
 Write-Host "Splunk is already installed. Moving on."
 }
+If ((Get-Service -name splunkforwarder).Status -ne "Running")
+{
+ throw "Splunk forwarder service not running"
+}
 Write-Host "Splunk installation complete!"
diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1
index e5d8414..7b222fd 100755
--- a/Vagrant/scripts/install-utilities.ps1
+++ b/Vagrant/scripts/install-utilities.ps1
@@ -21,8 +21,14 @@ apm install language-docker
 # Disable Windows Defender realtime scanning before downloading Mimikatz
 If ($env:computername -eq "WIN10") {
- set-MpPreference -DisableRealtimeMonitoring $true
+ If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
+ {
+ Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
+ }
+ gpupdate /force | Out-String
 Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
+ set-MpPreference -DisableRealtimeMonitoring $true
+
 }
 # Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
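Review bot: In the install-utilities.ps1 hunk, `Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force` deletes every Defender policy setting on the host, not only whatever was blocking `Set-MpPreference`, and the hunk gives no reason for it; a comment naming the policy value that was found to override the preference (presumably one delivered by GPO, given the `gpupdate /force` that follows) would let a later maintainer narrow the deletion to that value. The moved `set-MpPreference -DisableRealtimeMonitoring $true` now comes after the exclusion call, which reads as the intended order, but the matching re-enable lives in a separate hunk further down and nothing ties the two together, so an error in between leaves real-time protection off. `gpupdate /force | Out-String` discards its output; if the command runs only for its side effect, `| Out-Null` states that more directly. The `If ($env:computername -eq "WIN10") {` block opens inside this hunk and is closed by the `}` context line at its end.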
@@ -31,6 +37,19 @@ Write-Host "Determining latest release of Mimikatz..."
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
 $mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
+
 $mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
-Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
-Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
+if (-not (Test-Path $mimikatzRepoPath))
+{
+ Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
+ Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
+}
+else
+{
+ Write-Host "Mimikatz was already installed. Moving On."
+}
+# Enable realtime monitoring again, now that exclusion is set for mimikatz
+If ($env:computername -eq "WIN10") {
+ set-MpPreference -DisableRealtimeMonitoring $false
+}
+Write-Host "Utilties installation complete!"
\ No newline at end of file
diff --git a/Vagrant/scripts/install-wefsubscriptions.ps1 b/Vagrant/scripts/install-wefsubscriptions.ps1
index 5af3111..3fbee76 100644
--- a/Vagrant/scripts/install-wefsubscriptions.ps1
+++ b/Vagrant/scripts/install-wefsubscriptions.ps1
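Review bot: The Defender re-enable at the end of the hunk is not on the error path: if `Invoke-WebRequest` or `Expand-Archive` throws, the script stops before `set-MpPreference -DisableRealtimeMonitoring $false` runs and the WIN10 host is left with real-time protection off, which inverts the intent of a temporary exclusion. A `try`/`finally` around the download guarantees the re-enable and also covers the 'already installed' branch. The `Test-Path $mimikatzRepoPath` check comes after the GitHub API request in the `$tag` context line, so that network call happens on every run even when the archive is already present; moving the check ahead of it (the release lookup starts above this hunk) would make reruns work offline. The `Write-Host "Utilties installation complete!"` string is missing an 'i' (`Utilities`).
```powershell
try {
    if (-not (Test-Path $mimikatzRepoPath))
    {
        Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
        Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
    }
    else
    {
        Write-Host "Mimikatz was already installed. Moving On."
    }
}
finally {
    # Enable realtime monitoring again, now that exclusion is set for mimikatz
    If ($env:computername -eq "WIN10") {
        set-MpPreference -DisableRealtimeMonitoring $false
    }
}
```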
@@ -4,24 +4,37 @@ Write-Host "Installing WEF Subscriptions"
 Write-Host "Copying Custom Event Channels DLL"
-Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll c:\windows\system32
-Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man c:\windows\system32
+if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll"))
+{
+ Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll "$env:windir\system32"
+ Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man "$env:windir\system32"
-Write-Host "Installing Custom Event Channels Manifest"
-wevtutil im "c:\windows\system32\CustomEventChannels.man"
-Write-Host "Resizing Channels to 4GB"
-$xml = wevtutil el | select-string -pattern "WEC"
-foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
+ Write-Host "Installing Custom Event Channels Manifest"
+ wevtutil im "c:\windows\system32\CustomEventChannels.man"
+ Write-Host "Resizing Channels to 4GB"
+ $xml = wevtutil el | select-string -pattern "WEC"
+ foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
-Write-Host "Starting the Windows Event Collector Service"
-net start wecsvc
+ Write-Host "Starting the Windows Event Collector Service"
+ net start wecsvc
-Write-Host "Creating custom event subscriptions"
-cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
-cmd /c "for /r %i in (*.xml) do wecutil cs %i"
+ Write-Host "Creating custom event subscriptions"
+ cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
+ cmd /c "for /r %i in (*.xml) do wecutil cs %i"
-Write-Host "Enabling custom event subscriptions"
-cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
+ Write-Host "Enabling custom event subscriptions"
+ cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
-Write-Host "Enabling WecUtil Quick Config"
-wecutil qc /q:true
+ Write-Host "Enabling WecUtil Quick Config"
+ wecutil qc /q:true
+}
+else
+{
+ Write-Host "WEF Subscriptions already installed, moving on"
+ net start wecsvc
+}
+Start-Sleep -Seconds 60
+if ((Get-Service -Name wecsvc).Status -ne "Running")
+{
+ throw "Windows Event Collector service was not running"
+}
\ No newline at end of file
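Review bot: The whole install is gated on `CustomEventChannels.dll` being present in `$env:windir\system32`, which is the first artifact the branch produces; a run that fails after the `Copy-Item` lines (at `wevtutil im`, say, or inside the `wecutil cs` loop) leaves the DLL in place, and every later run takes the 'already installed' branch without ever creating the subscriptions. Gating on the last artifact instead — for instance on whether `wecutil es` lists any subscription — or keeping the idempotent steps outside the `if` would let retries converge. `net start wecsvc` in the `else` branch returns an error when the service is already running, harmless under the default error preference but noisy; `Start-Service wecsvc` is a no-op in that case. `Start-Sleep -Seconds 60` before the status check has the same fixed-wait shape as the ATA gateway hunk and could poll the service with a deadline instead. The `wevtutil im "c:\windows\system32\CustomEventChannels.man"` line still hard-codes the path while the guard and the copies just above it use `$env:windir`.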