diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml
index 40bf5f3..757b040 100644
--- a/ESXi/ansible/roles/logger/tasks/main.yml
+++ b/ESXi/ansible/roles/logger/tasks/main.yml
@@ -221,7 +221,7 @@
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
- /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_144.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_1492.tgz -auth 'admin:changeme'
 # Fix ASNGen App - https://github.com/doksu/TA-asngen/issues/18#issuecomment-685691630
 echo 'python.version = python2' >> /opt/splunk/etc/apps/TA-asngen/default/commands.conf
diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh
index ccbd341..694acac 100644
--- a/Vagrant/logger_bootstrap.sh
+++ b/Vagrant/logger_bootstrap.sh
@@ -169,7 +169,7 @@ install_splunk() {
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
- /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_144.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_1492.tgz -auth 'admin:changeme'
 # Fix ASNGen App - https://github.com/doksu/TA-asngen/issues/18#issuecomment-685691630
 echo 'python.version = python2' >> /opt/splunk/etc/apps/TA-asngen/default/commands.conf
diff --git a/Vagrant/resources/splunk_server/threathunting_144.tgz b/Vagrant/resources/splunk_server/threathunting_144.tgz
deleted file mode 100644
index c2035c0..0000000
Binary files a/Vagrant/resources/splunk_server/threathunting_144.tgz and /dev/null differ
diff --git a/Vagrant/resources/splunk_server/threathunting_1492.tgz b/Vagrant/resources/splunk_server/threathunting_1492.tgz
new file mode 100644
index 0000000..fbc6d53
Binary files /dev/null and b/Vagrant/resources/splunk_server/threathunting_1492.tgz differ
diff --git a/Vagrant/scripts/install-exchange.ps1 b/Vagrant/scripts/install-exchange.ps1
new file mode 100644
index 0000000..0b5ff5d
--- /dev/null
+++ b/Vagrant/scripts/install-exchange.ps1
@@ -0,0 +1,199 @@
+# Purpose: Downloads and installs Microsoft Exchange and its prerequisites
+
+# README
+# 1. Provide the WEF VM with 4GB+ of RAM
+# 2. Run this script from an elevated powershell prompt to install pre-reqs, then reboot
+# 3. Run this script again to download and begin installing exchange
+# 4. You MUST manually close each exchange cmd.exe window after completion for installation to continue.
+# This allows you to verify that each step in the installation process was successful
+# 5. Once installation is successful, reboot once more.
+
+$exchangeFolder = "C:\exchange2016"
+$exchangeISOPath = "C:\exchange2016\ExchangeServer2016-x64-cu12.iso"
+$exchangeDownloadUrl = "https://download.microsoft.com/download/2/5/8/258D30CF-CA4C-433A-A618-FB7E6BCC4EEE/ExchangeServer2016-x64-cu12.iso"
+$username = 'windomain.local\administrator'
+$password = 'vagrant'
+$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
+$dotNetInstallerUrl = 'https://download.microsoft.com/download/9/E/6/9E63300C-0941-4B45-A0EC-0008F96DD480/NDP471-KB4033342-x86-x64-AllOS-ENU.exe'
+$dotNetInstallerPath = "$env:TEMP/NDP471-KB4033342-x86-x64-AllOS-ENU.exe"
+$dotNetInstallLog = "$env:TEMP/dotnet_install_log.txt"
+$cplusplusInstallerUrl = "https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x64.exe"
+$cplusplusInstallerPath = "$env:TEMP/vcredist_x64.exe"
+$cplusplusLogPath = "$env:TEMP/cplusplus_install_log.txt"
+$maxSleepTime = 900
+$physicalMemory = get-ciminstance -class "cim_physicalmemory" | % { $_.Capacity }
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [+] Attempting to install Microsoft exchange."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [+] Please note, you will have to reboot and re-run this script after the prerequisites have been installed."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [+] Failure to reboot will cause the Exchange installation to fail."
+
+# Warn the user if less than 4GB of memory
+If ($physicalMemory -lt 4000000000) {
+ Write-Host "It is STRONGLY recommended that you provide this host with 4GB+ of memory before continuing or it is highly likely that it will run out of memory while installing Exchange."
+ $ignore = Read-Host "Type 'ignore' to continue anyways, otherwise this script will exit."
+ If ($ignore -ne "ignore") {
+ Write-Host "Exiting."
+ }
+}
+
+If (-not(Test-Path c:\exchange_prereqs_complete.txt)) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Beginning installation of prerequisites..."
+ # Install Prerequisites
+ If (-not(choco list -lo | Where-object { $_.ToLower().StartsWith("ucma4".ToLower()) })) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing UCMA4 from Chocolatey..."
+ choco install -y --limit-output --no-progress ucma4
+ } Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) UCMA4 is already installed. Moving on..."
+ }
+
+ If ((Get-WindowsOptionalFeature -Online -FeatureName "RSAT-AD-Tools-Feature").State -ne "Enabled") {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing a bunch of items from Microsoft Optional Components..."
+ # Gotta temporarily re-enable these services
+ Set-Service TrustedInstaller -StartupType Automatic
+ Start-Service TrustedInstaller
+ Set-Service wuauserv -StartupType Automatic
+ Start-Service wuauserv
+ Install-WindowsFeature `
+ NET-Framework-45-Features,
+ RPC-over-HTTP-proxy,
+ RSAT-Clustering,
+ RSAT-Clustering-CmdInterface,
+ RSAT-Clustering-Mgmt,
+ RSAT-Clustering-PowerShell,
+ Web-Mgmt-Console,
+ WAS-Process-Model,
+ Web-Asp-Net45,
+ Web-Basic-Auth,
+ Web-Client-Auth,
+ Web-Digest-Auth,
+ Web-Dir-Browsing,
+ Web-Dyn-Compression,
+ Web-Http-Errors,
+ Web-Http-Logging,
+ Web-Http-Redirect,
+ Web-Http-Tracing,
+ Web-ISAPI-Ext,
+ Web-ISAPI-Filter,
+ Web-Lgcy-Mgmt-Console,
+ Web-Metabase,
+ Web-Mgmt-Console,
+ Web-Mgmt-Service,
+ Web-Net-Ext45,
+ Web-Request-Monitor,
+ Web-Server,
+ Web-Stat-Compression,
+ Web-Static-Content,
+ Web-Windows-Auth,
+ Web-WMI,
+ Windows-Identity-Foundation,
+ RSAT-ADDS
+ } Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) The Windows Feature prerequisites are already installed"
+ }
+ # Install .NET 4.7.1
+ If (-not(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release -le 461310) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing .NET 4.7.1..."
+ $secondsPassed = 0
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading .NET 4.7.1..."
+ $ProgressPreference = 'SilentlyContinue'
+ Invoke-WebRequest -Uri "$dotNetInstallerUrl" -OutFile $dotNetInstallerPath
+ Invoke-WebRequest -Uri "$cplusplusInstallerUrl" -OutFile $cplusplusInstallerPath
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Running .NET 4.7.1 installer..."
+ . $dotNetInstallerPath /q /norestart /log $dotNetInstallLog -Wait
+ while (-not(Test-Path $dotNetInstallLog)) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Waiting for the .NET install log to appear..."
+ If ($secondsPassed -eq 0) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) This usually takes about a minute or so."
+ }
+ Start-Sleep -Seconds 10
+ $secondsPassed += 10
+ }
+ $secondsPassed = 0
+ while (-not(Select-String -Path $dotNetInstallLog -Pattern "Final Result: Installation completed successfully") -and ($secondsPassed -lt $maxSleepTime)) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Waiting for .NET installation to complete. $secondsPassed seconds elapsed..."
+ If ($secondsPassed -eq 0) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) This usually takes about 2-3 minutes."
+ }
+ Start-Sleep -Seconds 10
+ $secondsPassed += 10
+ }
+ If ($secondsPassed -ge $MaxSleepTime) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Timed out waiting for .NET installation to complete."
+ exit
+ } Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) .NET installation successfully completed!"
+ }
+ }
+ # Install C++ 2013
+ If (-not(Get-WmiObject -Class Win32_Product | Where-Object Name -like "Microsoft Visual C++ 2013*")) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing .NET C++ 2013 Redistributable Package..."
+ . $cplusplusInstallerPath /q /norestart /log $cplusplusLogPath -Wait
+ while (-not(Test-Path $cplusplusLogPath)) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Waiting for the C++ 2013 install log to appear..."
+ Start-Sleep -Seconds 5
+ }
+ $secondsPassed = 0
+ while (-not(Select-String -Path $cplusplusLogPath -Pattern "Exit code: 0x0, restarting: No") -and ($secondsPassed -lt $maxSleepTime)) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Waiting for C++ 2013 installation to complete. $secondsPassed elapsed..."
+ Start-Sleep -Seconds 3
+ $secondsPassed += 3
+ }
+ If ($secondsPassed -ge $MaxSleepTime) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Timed out waiting for C++ 2013 installation to complete."
+ exit
+ } Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) C++ 2013 Redistributable installation successfully completed!"
+ }
+ }
+ Stop-Service wuauserv
+ Set-Service wuauserv -StartupType Disabled
+ Set-Service TrustedInstaller -StartupType Disabled
+ Stop-Service TrustedInstaller
+ # Create a file so this script knows to skip pre-req installation upon next run.
+ New-Item -Path "c:\exchange_prereqs_complete.txt" -ItemType "file"
+ Write-Host "A reboot is required to continue installation of exchange."
+ $reboot = Read-Host "Would you like to reboot now? [y/n]"
+ If ($reboot -eq "y") {
+ Write-Host "Rebooting in 3 seconds..."
+ Start-Sleep -Seconds 3
+ shutdown /r /t 1
+ exit
+ } Else {
+ Write-Host "Okay, exiting."
+ exit
+ }
+} Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) It appears the Exchange prerequisites have been installed already. Continuing installation..."
+ Remove-Item "c:\exchange_prereqs_complete.txt" -Force
+}
+
+If (-not (Test-Path $exchangeFolder)) {
+ mkdir $exchangeFolder
+}
+Set-Location -Path $exchangeFolder
+
+
+# Download and install Exchange
+$ProgressPreference = 'SilentlyContinue'
+If (-not (Test-Path $exchangeISOPath)) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading the Exchange 2016 ISO..."
+ Invoke-WebRequest -Uri "$exchangeDownloadUrl" -OutFile $exchangeISOPath
+} Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) The Exchange ISO was already downloaded. Moving On."
+}
+If (-not (Test-Path "E:\Setup.EXE")) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Mounting the Exchange 2016 ISO..."
+ Mount-DiskImage -ImagePath $exchangeISOPath
+}
+
+If (Test-Path "E:\Setup.exe") {
+ Start-Process cmd.exe -ArgumentList "/k", "e:\setup.exe", "/PrepareSchema", "/IAcceptExchangeServerLicenseTerms" -Credential $credential -Wait
+ Start-Process cmd.exe -ArgumentList "/k", "e:\setup.exe", "/PrepareAD", "/OrganizationName:`"Detection Lab`"", "/IAcceptExchangeServerLicenseTerms" -Credential $credential -Wait
+ Start-Process cmd.exe -ArgumentList "/k", "e:\setup.exe", "/Mode:Install", "/Role:Mailbox", "/IAcceptExchangeServerLicenseTerms" -Credential $credential -Wait
+}
+Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong downloading or mounting the ISO..."
+}
+
+
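Review bot: The .NET prerequisite check `If (-not(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release -le 461310)` in the middle of the hunk is effectively always true: `-not` binds tighter than `-le` in PowerShell, so the registry value is negated to a boolean before the comparison, and even with the parentheses fixed the sense is inverted (it would install only when the release is already newer than 4.7.1). It should read `If ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release -lt 461310) {`; note that the `Invoke-WebRequest` for `$cplusplusInstallerUrl` lives inside this block, so once the check works on a host that already has .NET 4.7.1 the C++ section will try to run an installer that was never downloaded, and that download should move down to the C++ block. The low-memory prompt prints `Write-Host "Exiting."` but never calls `exit`, so any answer other than 'ignore' continues anyway; add `exit` after that `Write-Host`. Finally, the .NET installer, vcredist and Exchange ISO are downloaded and then executed or mounted with no integrity check; a guard such as `If ((Get-FileHash $dotNetInstallerPath -Algorithm SHA256).Hash -ne $EXPECTED_DOTNET_SHA256) { throw "checksum mismatch" }` (expected value taken from the vendor's published hash) before each `.`/`Mount-DiskImage` call would make a truncated or tampered download fail closed instead of silently running with administrator rights.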