added pre and post checks for installations

hhofs
2018-05-16 14:56:12 +02:00
parent 6f185b558a
commit 387682e809
15 changed files with 336 additions and 80 deletions


@@ -1,13 +1,49 @@
# Purpose: Installs the GPOs for the custom WinEventLog auditing policy. # Purpose: Installs the GPOs for the custom WinEventLog auditing policy.
Write-Host "Configuring auditing policy GPOS..." Write-Host "Configuring auditing policy GPOS..."
Write-Host "Importing Domain Controller Enhanced Auditing Policy..." $GPOName = 'Domain Controllers Enhanced Auditing Policy'
Import-GPO -BackupGpoName 'Domain Controllers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName 'Domain Controllers Enhanced Auditing Policy' -CreateIfNeeded $OU = "ou=Domain Controllers,dc=windomain,dc=local"
New-GPLink -Name 'Domain Controllers Enhanced Auditing Policy' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes Write-Host "Importing $GPOName..."
Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
$gpLinks = $null
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name $GPOName
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name $GPOName -Target $OU -Enforced yes
}
else
{
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
}
$GPOName = 'Servers Enhanced Auditing Policy'
$OU = "ou=Servers,dc=windomain,dc=local"
Write-Host "Importing $GPOName..."
Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
$gpLinks = $null
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name $GPOName
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name $GPOName -Target $OU -Enforced yes
}
else
{
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
}
Write-Host "Importing Servers Enhanced Auditing Policy..." $GPOName = 'Workstations Enhanced Auditing Policy'
Import-GPO -BackupGpoName 'Servers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName 'Servers Enhanced Auditing Policy' -CreateIfNeeded $OU = "ou=Workstations,dc=windomain,dc=local"
New-GPLink -Name 'Servers Enhanced Auditing Policy' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes Write-Host "Importing $GPOName..."
Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
$gpLinks = $null
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name $GPOName
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name $GPOName -Target $OU -Enforced yes
}
else
{
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
}
Write-Host "Importing Workstations Enhanced Auditing Policy..."
Import-GPO -BackupGpoName 'Workstations Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName 'Workstations Enhanced Auditing Policy' -CreateIfNeeded
New-GPLink -Name 'Workstations Enhanced Auditing Policy' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes
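Review bot: The import-then-link sequence is copy-pasted three times in this hunk (L18–L29, L33–L44, L48–L59) with only `$GPOName`, the backup path and `$OU` changing, and the same block recurs in the Powershell Logging and WEF GPO files of this commit, so the idempotency check lives in nine places. The sketch below keeps it in one helper; each site then becomes `Import-GPO …` followed by `Add-GPLinkIfMissing $GPOName $OU`. If `Get-ADOrganizationalUnit` fails, `$gPLinks` stays `$null` and `$null.LinkedGroupPolicyObjects -notcontains $gpo.path` is true, so `New-GPLink` is still attempted against a missing OU and the real cause is buried; `-ErrorAction Stop` on that lookup surfaces it. The `$gpLinks = $null` reset on L19/L34/L49 is overwritten on the next line and reads as leftover scaffolding.
```powershell
# Links $GPOName to $OU unless the OU's gPLink already lists that GPO.
function Add-GPLinkIfMissing([string]$GPOName, [string]$OU) {
    $ouObj = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions -ErrorAction Stop
    $gpo = Get-GPO -Name $GPOName -ErrorAction Stop
    if ($ouObj.LinkedGroupPolicyObjects -notcontains $gpo.Path) {
        New-GPLink -Name $GPOName -Target $OU -Enforced yes
    } else {
        Write-Host "GpLink $GPOName already linked on $OU. Moving On."
    }
}
# … unchanged: Import-GPO for each policy, then one Add-GPLinkIfMissing call per OU …
```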


@@ -2,10 +2,23 @@
Write-Host "Sleeping for 30 seconds, then creating Server and Workstation OUs" Write-Host "Sleeping for 30 seconds, then creating Server and Workstation OUs"
Start-Sleep 30 Start-Sleep 30
Write-Host "Creating Servers OU" Write-Host "Creating Servers OU"
New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local" if (!([ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")))
{
New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
}
else
{
Write-Host "Servers OU already exists. Moving On."
}
Write-Host "Creating Workstations OU" Write-Host "Creating Workstations OU"
New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local" if (!([ADSI]::Exists("LDAP://OU=Workstations,DC=windomain,DC=local")))
{
New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
}
else
{
Write-Host "Workstations OU already exists. Moving On."
}
# Sysprep breaks auto-login. Let's restore it here: # Sysprep breaks auto-login. Let's restore it here:
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant" Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
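Review bot: The existence check and the creation talk to different servers: `[ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")` on L70 is a serverless bind to whatever DC the client locates, while `New-ADOrganizationalUnit` is pinned to `-Server "dc.windomain.local"`, and right after promotion (this runs after a fixed `Start-Sleep 30`) those may not agree. Naming the same DC in the check keeps both on one server: `[ADSI]::Exists("LDAP://dc.windomain.local/OU=Servers,DC=windomain,DC=local")`, and likewise for the Workstations check on L79. Note that `[ADSI]::Exists` throws rather than returning false when the directory is unreachable, so the script stops here instead of proceeding — reasonable, but worth a one-line comment. This file also gets no post-check, unlike the other installers in the commit; a `Get-ADOrganizationalUnit -Identity "OU=Servers,DC=windomain,DC=local" -Server dc.windomain.local` after creation would confirm the OU exists before later GPO links depend on it.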


@@ -1,6 +1,39 @@
# Purpose: Install the GPO that specifies the WEF collector # Purpose: Install the GPO that specifies the WEF collector
Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..." Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded
New-GPLink -Name 'Powershell Logging' -Target "dc=windomain,dc=local" -Enforced yes $OU = "ou=Workstations,dc=windomain,dc=local"
New-GPLink -Name 'Powershell Logging' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes $gPLinks = $null
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name 'Powershell Logging'
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name 'Powershell Logging' -Target $OU -Enforced yes
}
else
{
Write-Host "Powershell Loggin was already linked at $OU. Moving On."
}
$OU = "ou=Servers,dc=windomain,dc=local"
$gPLinks = $null
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name 'Powershell Logging'
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name 'Powershell Logging' -Target $OU -Enforced yes
}
else
{
Write-Host "Powershell Loggin was already linked at $OU. Moving On."
}
$OU = "ou=Domain Controllers,dc=windomain,dc=local"
$gPLinks = $null
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name 'Powershell Logging' -Target $OU -Enforced yes
}
else
{
Write-Host "Powershell Loggin was already linked at $OU. Moving On."
}
gpupdate /force gpupdate /force
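Review bot: The "already linked" messages on L107, L119 and L130 misspell the GPO name: `Write-Host "Powershell Loggin was already linked at $OU. Moving On."` should read `"Powershell Logging was already linked at $OU. Moving On."`. The Domain Controllers block on L121–L131 also omits the `$GPO = Get-GPO -Name 'Powershell Logging'` line the other two blocks have and silently reuses the value from L112; harmless today, but inconsistent with its siblings and fragile if the blocks are ever reordered. On a DC provisioned by the previous version of this script the root-level link from the removed `New-GPLink … -Target "dc=windomain,dc=local"` is not touched, so existing labs end up with the root link plus the three OU links; if that is unintended, a `Remove-GPLink` guarded by the same contains-check would reconcile it.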


@@ -1,7 +1,10 @@
# Purpose: Configure an SMB share for Powershell transcription logs to be written to # Purpose: Configure an SMB share for Powershell transcription logs to be written to
# Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/ # Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
Write-Host "Configuring the Powershell Transcripts Share" Write-Host "Configuring the Powershell Transcripts Share"
md c:\pslogs If (-not (Test-Path c:\pslogs))
{
md c:\pslogs
}
## Kill all inherited permissions ## Kill all inherited permissions
@@ -39,4 +42,7 @@ $acl | Set-Acl c:\pslogs\
## Create the SMB Share, granting Everyone the right to read and write files. Specific ## Create the SMB Share, granting Everyone the right to read and write files. Specific
## actions will actually be enforced by the ACL on the file folder. ## actions will actually be enforced by the ACL on the file folder.
New-SmbShare -Name pslogs -Path c:\pslogs -ChangeAccess Everyone if ((Get-SmbShare -Name pslogs -ea silent) -eq $null)
{
New-SmbShare -Name pslogs -Path c:\pslogs -ChangeAccess Everyone
}
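Review bot: The share guard on L148 puts `$null` on the right of `-eq`, so if `Get-SmbShare` ever returns a collection the comparison filters instead of testing and the share is created again; the conventional form is `if ($null -eq (Get-SmbShare -Name pslogs -ErrorAction SilentlyContinue))`. I am not certain that `silent` is accepted as an `ActionPreference` value on every PowerShell version this runs on — please confirm; `SilentlyContinue` (or `0`) is unambiguous. The `Test-Path c:\pslogs` guard on L140 only skips the `md`; the ACL rewrite that follows outside this hunk (from L144) still runs on every pass, which is fine for idempotency but means this pre-check short-circuits nothing else.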


@@ -1,14 +1,71 @@
# Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger # Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger
Write-Host "Importing the GPO to specify the WEF collector" Write-Host "Importing the GPO to specify the WEF collector"
Import-GPO -BackupGpoName 'Windows Event Forwarding Server' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Windows Event Forwarding Server' -CreateIfNeeded $GPOName = 'Windows Event Forwarding Server'
New-GPLink -Name 'Windows Event Forwarding Server' -Target "dc=windomain,dc=local" -Enforced yes Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
New-GPLink -Name 'Windows Event Forwarding Server' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes $gpLinks = $null
$OU = "OU=Servers,dc=windomain,dc=local"
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name $GPOName
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name $GPOName -Target $OU -Enforced yes
}
else
{
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
}
$OU = "ou=Domain Controllers,dc=windomain,dc=local"
$gpLinks = $null
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name $GPOName
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name $GPOName -Target $OU -Enforced yes
}
else
{
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
}
Write-Host "Importing the GPO to modify ACLs on Custom Event Channels" Write-Host "Importing the GPO to modify ACLs on Custom Event Channels"
Import-GPO -BackupGPOName 'Custom Event Channel Permissions' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Custom Event Channel Permissions' -CreateIfNeeded
New-GPLink -Name 'Custom Event Channel Permissions' -Target "dc=windomain,dc=local" -Enforced yes $GPOName = 'Custom Event Channel Permissions'
New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes $gpLinks = $null
New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes $OU = "OU=Servers,dc=windomain,dc=local"
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name $GPOName
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name $GPOName -Target $OU -Enforced yes
}
else
{
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
}
$OU = "ou=Domain Controllers,dc=windomain,dc=local"
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name $GPOName
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name $GPOName -Target $OU -Enforced yes
}
else
{
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
}
$OU = "ou=Workstations,dc=windomain,dc=local"
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
$GPO = Get-GPO -Name $GPOName
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
{
New-GPLink -Name $GPOName -Target $OU -Enforced yes
}
else
{
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
}
gpupdate /force gpupdate /force
# Enable WinRM # Enable WinRM
Write-Host "Enabling WinRM" Write-Host "Enabling WinRM"


@@ -2,8 +2,15 @@
Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..." Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip' $osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
if (-not (Test-Path $osqueryRepoPath))
# GitHub requires TLS 1.2 as of 2/1/2018 {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # GitHub requires TLS 1.2 as of 2/1/2018
Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
}
else
{
Write-Host "$osqueryRepoPath already exists. Moving On."
}
Write-Host "Palantir OSQuery download complete!"
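Review bot: The guard on L231 tests for the downloaded zip, but a failed or interrupted `Invoke-WebRequest -OutFile` can leave a partial `osquery-Master.zip` behind, and on the next run the file exists so both the download and the `Expand-Archive` are skipped and the repo is never extracted; the WEF repo (`$wefRepoPath`) and Mimikatz zip in this commit use the same pattern. Testing for the extraction result instead — the unzipped directory under `c:\Users\vagrant\AppData\Local\Temp` (presumably `osquery-configuration-master` for a GitHub master zip; verify) — or deleting a zip that fails to expand, would make a retry actually retry. `Write-Host "Palantir OSQuery download complete!"` on L242 is printed in both branches, so it does not act as a post-check.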


@@ -4,7 +4,15 @@ Write-Host "Downloading and unzipping the Palantir Windows Event Forwarding Repo
$wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip' $wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip'
# GitHub requires TLS 1.2 as of 2/1/2018 If (-not (Test-Path $wefRepoPath))
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 {
Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath # GitHub requires TLS 1.2 as of 2/1/2018
Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath
Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
}
else
{
Write-Host "$wefRepoPath already exists. Moving On."
}
Write-Host "Palantir WEF download complete!"


@@ -1,7 +1,19 @@
# Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog) # Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
# TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk # TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk
Write-Host "Installing AutorunsToWinEventLog..." Write-Host "Installing AutorunsToWinEventLog..."
cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog" If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
.\Install.ps1 {
Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am" cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
Start-ScheduledTask -TaskName "AutorunsToWinEventLog" .\Install.ps1
Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
$Tsk = Get-ScheduledTask -TaskName "AutorunsToWinEventLog"
if ($Tsk.State -ne "Running")
{
throw "AutorunsToWinEventLog scheduled tasks wasn't running after starting it"
}
}
else
{
Write-Host "AutorunsToWinEventLog already installed. Moving On."
}
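Review bot: The post-check on L273–L277 reads the task state immediately after `Start-ScheduledTask`, so a task still `Queued`, or one that has already finished and returned to `Ready`, trips the `throw` even though the install succeeded. Accepting the ready state, `if ($Tsk.State -notin 'Running','Ready')`, or polling `Get-ScheduledTaskInfo -TaskName "AutorunsToWinEventLog"` for a completed run, would remove the race. `cd` on L269 changes the working directory for everything that follows in the provisioning run without restoring it; `Push-Location` / `Pop-Location` around `.\Install.ps1` keeps that local. The message on L276 also has a typo: `scheduled tasks wasn't running` → `scheduled task wasn't running`.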


@@ -1,16 +1,17 @@
# Purpose: Installs the Caldera agent on the host # Purpose: Installs the Caldera agent on the host
# Add /etc/hosts entry if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 logger" {
# Add /etc/hosts entry
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 logger"
# Make the directory # Make the directory
New-Item "c:\Program Files\cagent" -type directory New-Item "c:\Program Files\cagent" -type directory
# Install Visual Studio 2015 C++ Redistributable # Install Visual Studio 2015 C++ Redistributable
choco install -y vcredist2015 choco install -y vcredist2015
# Download cagent and start the service # Download cagent and start the service
If (-not (Test-Path "C:\Program Files\cagent\cagent.exe")) {
Write-Host "Downloading Caldera Agent (cagent.exe)" Write-Host "Downloading Caldera Agent (cagent.exe)"
$cagentPath = "C:\Program Files\cagent\cagent.exe" $cagentPath = "C:\Program Files\cagent\cagent.exe"
$cagentConfPath = "C:\Program Files\cagent\conf.yml" $cagentConfPath = "C:\Program Files\cagent\conf.yml"
@@ -21,8 +22,12 @@ If (-not (Test-Path "C:\Program Files\cagent\cagent.exe")) {
# https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring # https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath) [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
} Else { } Else {
Write-Host "Caldera Agent is already installed. Moving on." Write-Host "Caldera Agent is already installed. Moving on."
} }
If ((Get-Service -name cagent).Status -ne "Running")
{
throw "Caldera Agent service not running"
}
Write-Host "Cagent installation complete!" Write-Host "Cagent installation complete!"
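Review bot: As rendered, the `{` opened on L289 for the new outer `if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))` is closed by neither hunk — `} Else {` on L306 pairs with the inner `If` on L297 — and the lines between the two hunks are unchanged context, so please confirm the file still parses. If the outer guard was meant to replace the inner one, the inner `If (-not (Test-Path "C:\Program Files\cagent\cagent.exe")) {` on L297–L308 is now redundant and its `Else` branch is unreachable, because both test the same path. On a retry after a partial earlier run (directory created, exe never downloaded), `New-Item "c:\Program Files\cagent" -type directory` on L293 reports "already exists" and `Add-Content` on L291 appends a second `192.168.38.5 logger` hosts line; `New-Item … -Force` and a `Select-String -Quiet 'logger'` check on the hosts file before appending keep the retry path clean.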


@@ -1,16 +1,31 @@
# Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts # Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts
Write-Host "Setting up Splunk Inputs for Sysmon & osquery" Write-Host "Setting up Splunk Inputs for Sysmon & osquery"
$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf" $inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
$currentContent = get-content $inputsPath
$targetContent = get-content c:\vagrant\resources\splunk_forwarder\inputs.conf
Write-Host "Stopping the Splunk forwarder" if ($currentContent -ne $targetContent)
Stop-Service splunkforwarder {
Write-Host "Stopping the Splunk forwarder"
Stop-Service splunkforwarder
Write-Host "Deleting the default configuration" Write-Host "Deleting the default configuration"
Remove-Item $inputsPath Remove-Item $inputsPath
Write-Host "Copying over the custom configuration" Write-Host "Copying over the custom configuration"
Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
Write-Host "Starting the Splunk forwarder" Write-Host "Starting the Splunk forwarder"
Start-Service splunkforwarder Start-Service splunkforwarder
}
else
{
Write-Host "Splunk forwarder already configured. Moving on."
}
If ((Get-Service -name splunkforwarder).Status -ne "Running")
{
throw "splunkforwarder service was not running."
}
Write-Host "Splunk forwarder installation complete!"
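Review bot: `if ($currentContent -ne $targetContent)` on L323 does not compare the two files: `Get-Content` returns an array of lines, and with an array on the left `-ne` acts as a filter returning each line of `$currentContent` that differs from the stringified `$targetContent`, so for any multi-line inputs.conf the result is a non-empty array, the condition is always true, and the forwarder is stopped and reconfigured on every run (as far as I can tell the "already configured" branch is unreachable). `if (-not (Test-Path $inputsPath) -or (Compare-Object $currentContent $targetContent))` expresses the intent, since `Compare-Object` returns nothing when the line sets match; comparing `Get-FileHash` results works too. With that guard, `Remove-Item $inputsPath` on L328 also stops running against a file that may not exist, and `get-content $inputsPath` on L321 should get `-ErrorAction SilentlyContinue` so the first run does not print a spurious error.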


@@ -104,11 +104,30 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
} }
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant"))) If (-not (Test-Path "$env:temp\gatewaysetup.zip"))
Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force {
Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant")))
Set-Location "$env:temp\gatewaysetup" Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`"" }
else
{
Write-Host "[$env:computername] Gateway setup already downloaded. Moving On."
}
if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics"))
{
Set-Location "$env:temp\gatewaysetup"
Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
}
else
{
Write-Host "[$env:computername] ATA Gateway already installed. Moving On."
}
Write-Host "Sleeping 5 minutes to allow ATA gateway to start up..."
Start-Sleep -Seconds 300
If ((Get-Service "ATAGateway").Status -ne "Running")
{
throw "ATA lightweight gateway not running"
}
# Disable invalid web requests to endpoints with invalid SSL certs again # Disable invalid web requests to endpoints with invalid SSL certs again
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
} }
@@ -120,4 +139,9 @@ $config[0].Configuration.DirectoryServicesResolverConfiguration.UpdateDirectoryE
Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways/$($config[0].Id)" -UseDefaultCredentials -UseBasicParsing -Method Post -ContentType "application/json" -Body ($config[0] | convertto-json -depth 99) Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways/$($config[0].Id)" -UseDefaultCredentials -UseBasicParsing -Method Post -ContentType "application/json" -Body ($config[0] | convertto-json -depth 99)
# Disable invalid web requests to endpoints with invalid SSL certs again # Disable invalid web requests to endpoints with invalid SSL certs again
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
If ((Get-Service -name "ATACenter").Status -ne "Running")
{
throw "MS ATA service was not running."
}
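Review bot: The post-check on L367–L372 waits a fixed `Start-Sleep -Seconds 300` and then samples `Get-Service "ATAGateway"` once, so a gateway that takes six minutes fails the provision while one that starts in thirty seconds still costs five; a bounded poll (sketched below) is both faster and more tolerant. If the service is not installed at all, `Get-Service` writes a non-terminating error and returns nothing, and the `throw` reports "not running" instead of "not installed". The install guard on L358 tests `C:\Program Files\Microsoft Advanced Threat Analytics` — presumably the gateway's install root; confirm that an aborted install does not create it early. The surrounding `Invoke-Command` scriptblock starts before this hunk and closes on L375.
```powershell
# … unchanged: gatewaysetup download and install guards …
Write-Host "Waiting up to 5 minutes for the ATA gateway service to start..."
$deadline = (Get-Date).AddSeconds(300)
do {
    $svc = Get-Service "ATAGateway" -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq "Running") { break }
    Start-Sleep -Seconds 10
} while ((Get-Date) -lt $deadline)
if (-not $svc) { throw "ATA lightweight gateway service is not installed" }
if ($svc.Status -ne "Running") { throw "ATA lightweight gateway not running" }
```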


@@ -36,5 +36,9 @@ If (-not ($service)) {
Start-Service osqueryd Start-Service osqueryd
} }
else { else {
Write-Host "osquery is already installed" Write-Host "osquery is already installed. Moving On."
}
If ((Get-Service -name osqueryd).Status -ne "Running")
{
throw "osqueryd service was not running"
} }
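Review bot: `(Get-Service -name osqueryd).Status -ne "Running"` on L393 gives a misleading failure when the service does not exist: `Get-Service` writes a non-terminating error and returns nothing, `$null.Status` is `$null`, the comparison is true, and the script throws "osqueryd service was not running" for what is really a failed installation. `Get-Service -Name osqueryd -ErrorAction Stop` makes the missing-service case fail with its own message; the same applies to the post-checks added in this commit for cagent, splunkforwarder (both files), ATAGateway and ATACenter. The enclosing `If (-not ($service)) {` begins before this hunk.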


@@ -10,4 +10,8 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"))
} Else { } Else {
Write-Host "Splunk is already installed. Moving on." Write-Host "Splunk is already installed. Moving on."
} }
If ((Get-Service -name splunkforwarder).Status -ne "Running")
{
throw "Splunk forwarder service not running"
}
Write-Host "Splunk installation complete!" Write-Host "Splunk installation complete!"


@@ -21,8 +21,14 @@ apm install language-docker
# Disable Windows Defender realtime scanning before downloading Mimikatz # Disable Windows Defender realtime scanning before downloading Mimikatz
If ($env:computername -eq "WIN10") { If ($env:computername -eq "WIN10") {
set-MpPreference -DisableRealtimeMonitoring $true If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
{
Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
}
gpupdate /force | Out-String
Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
set-MpPreference -DisableRealtimeMonitoring $true
} }
# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk # Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
@@ -31,6 +37,19 @@ Write-Host "Determining latest release of Mimikatz..."
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name $tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip" $mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip' $mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath if (-not (Test-Path $mimikatzRepoPath))
Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force {
Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
}
else
{
Write-Host "Mimikatz was already installed. Moving On."
}
# Enable realtime monitoring again, now that exclusion is set for mimikatz
If ($env:computername -eq "WIN10") {
set-MpPreference -DisableRealtimeMonitoring $false
}
Write-Host "Utilties installation complete!"
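Review bot: Real-time monitoring is disabled on L421 and only re-enabled on L440 after the download, so if the release lookup on L426, `Invoke-WebRequest` on L431 or `Expand-Archive` on L432 throws, the script exits with Defender real-time protection left off on WIN10. Wrapping the download section in `try { … } finally { If ($env:computername -eq "WIN10") { set-MpPreference -DisableRealtimeMonitoring $false } }` restores it on every exit path; both hunks are in the same file, so the `try` opens after L422 and the `finally` takes over L438–L441. `Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force` on L417 deletes the whole local Defender policy tree rather than one setting, and the hunk does not say why; a comment such as `# Drop locally applied Defender policy so Set-MpPreference is not overridden; gpupdate below re-applies domain policy` would make the intent reviewable (presumably that is the reason — confirm). The skip-on-existing-zip guard on L429 shares the partial-download weakness of the osquery and WEF downloads in this commit. The message on L442 has a typo: `Utilties` → `Utilities`.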


@@ -4,24 +4,37 @@
Write-Host "Installing WEF Subscriptions" Write-Host "Installing WEF Subscriptions"
Write-Host "Copying Custom Event Channels DLL" Write-Host "Copying Custom Event Channels DLL"
Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll c:\windows\system32 if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll"))
Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man c:\windows\system32 {
Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll "$env:windir\system32"
Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man "$env:windir\system32"
Write-Host "Installing Custom Event Channels Manifest" Write-Host "Installing Custom Event Channels Manifest"
wevtutil im "c:\windows\system32\CustomEventChannels.man" wevtutil im "c:\windows\system32\CustomEventChannels.man"
Write-Host "Resizing Channels to 4GB" Write-Host "Resizing Channels to 4GB"
$xml = wevtutil el | select-string -pattern "WEC" $xml = wevtutil el | select-string -pattern "WEC"
foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 } foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
Write-Host "Starting the Windows Event Collector Service" Write-Host "Starting the Windows Event Collector Service"
net start wecsvc net start wecsvc
Write-Host "Creating custom event subscriptions" Write-Host "Creating custom event subscriptions"
cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
cmd /c "for /r %i in (*.xml) do wecutil cs %i" cmd /c "for /r %i in (*.xml) do wecutil cs %i"
Write-Host "Enabling custom event subscriptions" Write-Host "Enabling custom event subscriptions"
cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true" cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
Write-Host "Enabling WecUtil Quick Config" Write-Host "Enabling WecUtil Quick Config"
wecutil qc /q:true wecutil qc /q:true
}
else
{
Write-Host "WEF Subscriptions already installed, moving on"
net start wecsvc
}
Start-Sleep -Seconds 60
if ((Get-Service -Name wecsvc).Status -ne "Running")
{
throw "Windows Event Collector service was not running"
}