trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'master' into patch-3

Browse Source
This commit is contained in:
Chris Long
2018-09-25 22:44:47 -07:00
committed by GitHub
parent 4d21d2e885 63e4b29e4a
commit 3af54d5003
15 changed files with 317 additions and 254 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
Vagrant/Vagrantfile vendored
View File

@@ -4,15 +4,17 @@ Vagrant.configure("2") do |config|
cfg.vm.box = "bento/ubuntu-16.04"
cfg.vm.hostname = "logger"
config.vm.provision :shell, path: "bootstrap.sh"
cfg.vm.network :private_network, ip: "192.168.38.5", gateway: "192.168.38.1", dns: "8.8.8.8"
cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
cfg.vm.provider "vmware_fusion" do |v, override|
v.vmx["displayname"] = "logger"
v.memory = 2048
v.cpus = 1
v.gui = true
end
cfg.vm.provider "vmware_desktop" do |v, override|
v.vmx["displayname"] = "logger"
v.memory = 4096
v.cpus = 2
v.gui = true
@@ -20,6 +22,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "logger"
vb.customize ["modifyvm", :id, "--memory", 4096]
vb.customize ["modifyvm", :id, "--cpus", 2]
vb.customize ["modifyvm", :id, "--vram", "32"]
@@ -42,9 +45,9 @@ Vagrant.configure("2") do |config|
cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300
cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1"
cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1"
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.2"
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.102"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "reload"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
@@ -61,10 +64,12 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
cfg.vm.provider "vmware_fusion" do |v, override|
override.vm.box = "../Boxes/windows_2016_vmware.box"
v.vmx["displayname"] = "dc.windomain.local"
v.memory = 2560
v.cpus = 2
v.gui = true
@@ -72,6 +77,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provider "vmware_desktop" do |v, override|
override.vm.box = "../Boxes/windows_2016_vmware.box"
v.vmx["displayname"] = "dc.windomain.local"
v.memory = 2560
v.cpus = 2
v.gui = true
@@ -80,6 +86,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "dc.windomain.local"
vb.customize ["modifyvm", :id, "--memory", 2560]
vb.customize ["modifyvm", :id, "--cpus", 2]
vb.customize ["modifyvm", :id, "--vram", "32"]
@@ -96,14 +103,15 @@ Vagrant.configure("2") do |config|
cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300
cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.3", gateway: "192.168.38.1", dns: "192.168.38.2"
cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.3 -dns 192.168.38.2"
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.103 -dns 192.168.38.102"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "reload"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: true
@@ -119,6 +127,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provider "vmware_fusion" do |v, override|
override.vm.box = "../Boxes/windows_2016_vmware.box"
v.vmx["displayname"] = "wef.windomain.local"
v.memory = 2048
v.cpus = 2
v.gui = true
@@ -126,6 +135,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provider "vmware_desktop" do |v, override|
override.vm.box = "../Boxes/windows_2016_vmware.box"
v.vmx["displayname"] = "wef.windomain.local"
v.memory = 2048
v.cpus = 2
v.gui = true
@@ -134,6 +144,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "wef.windomain.local"
vb.customize ["modifyvm", :id, "--memory", 2048]
vb.customize ["modifyvm", :id, "--cpus", 2]
vb.customize ["modifyvm", :id, "--vram", "32"]
@@ -145,19 +156,21 @@ Vagrant.configure("2") do |config|
config.vm.define "win10" do |cfg|
cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
cfg.vm.hostname = "win10"
cfg.vm.boot_timeout = 600
cfg.vm.communicator = "winrm"
cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300
cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.4", gateway: "192.168.38.1", dns: "192.168.38.2"
cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.4 -dns 192.168.38.2"
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "reload"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: true
cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
@@ -168,6 +181,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provider "vmware_fusion" do |v, override|
override.vm.box = "../Boxes/windows_10_vmware.box"
v.vmx["displayname"] = "win10.windomain.local"
v.vmx["gui.fullscreenatpoweron"] = "FALSE"
v.vmx["gui.viewModeAtPowerOn"] = "windowed"
v.vmx["gui.fitguestusingnativedisplayresolution"] = "FALSE"
@@ -178,6 +192,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provider "vmware_desktop" do |v, override|
override.vm.box = "../Boxes/windows_10_vmware.box"
v.vmx["displayname"] = "win10.windomain.local"
v.vmx["gui.fullscreenatpoweron"] = "FALSE"
v.vmx["gui.viewModeAtPowerOn"] = "windowed"
v.memory = 2048
@@ -188,6 +203,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "win10.windomain.local"
vb.customize ["modifyvm", :id, "--memory", 2048]
vb.customize ["modifyvm", :id, "--cpus", 1]
vb.customize ["modifyvm", :id, "--vram", "32"]

293
Vagrant/bootstrap.sh
View File

@@ -14,19 +14,22 @@ apt_install_prerequisites() {
fix_eth1_static_ip() {
# There's a fun issue where dhclient keeps messing with eth1 despite the fact
# that eth1 has a static IP set. We workaround this by telling dhclient to leave it alone.
echo 'interface "eth1" {}' >> /etc/dhcp/dhclient.conf
systemctl restart networking.service
# that eth1 has a static IP set. We workaround this by setting a static DHCP lease.
echo -e 'interface "eth1" {
send host-name = gethostname();
send dhcp-requested-address 192.168.38.105;
}' >> /etc/dhcp/dhclient.conf
service networking restart
# Fix eth1 if the IP isn't set correctly
ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
if [ "$ETH1_IP" != "192.168.38.5" ]; then
if [ "$ETH1_IP" != "192.168.38.105" ]; then
echo "Incorrect IP Address settings detected. Attempting to fix."
ifdown eth1
ip addr flush dev eth1
ifup eth1
ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
if [ "$ETH1_IP" == "192.168.38.5" ]; then
echo "The static IP has been fixed and set to 192.168.38.5"
if [ "$ETH1_IP" == "192.168.38.105" ]; then
echo "The static IP has been fixed and set to 192.168.38.105"
else
echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
exit 1
@@ -35,17 +38,17 @@ fix_eth1_static_ip() {
}
install_python() {
# Install Python 3.6.4
if ! which /usr/local/bin/python3.6 > /dev/null; then
echo "Installing Python v3.6.4..."
wget https://www.python.org/ftp/python/3.6.4/Python-3.6.4.tgz
tar -xvf Python-3.6.4.tgz
cd Python-3.6.4 || exit
./configure && make && make install
cd /home/vagrant || exit
else
echo "Python seems to be downloaded already.. Skipping."
fi
# Install Python 3.6.4
if ! which /usr/local/bin/python3.6 > /dev/null; then
echo "Installing Python v3.6.4..."
wget https://www.python.org/ftp/python/3.6.4/Python-3.6.4.tgz
tar -xvf Python-3.6.4.tgz
cd Python-3.6.4 || exit
./configure && make && make install
cd /home/vagrant || exit
else
echo "Python seems to be downloaded already.. Skipping."
fi
}
install_golang() {
@@ -62,6 +65,7 @@ install_golang() {
echo 'export GOROOT=/usr/local/go' >> /home/vagrant/.bashrc
echo 'export GOPATH=$HOME/.go' >> /root/.bashrc
echo 'export GOROOT=/usr/local/go' >> /root/.bashrc
echo 'export PATH=$PATH:/opt/splunk/bin' >> /root/.bashrc
source /root/.bashrc
sudo update-alternatives --install "/usr/bin/go" "go" "/usr/local/go/bin/go" 0
sudo update-alternatives --set go /usr/local/go/bin/go
@@ -92,11 +96,15 @@ install_splunk() {
/opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_012.tgz -auth 'admin:changeme'
# Add a Splunk TCP input on port 9997
echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
# Add props.conf and transforms.conf
cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/
cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
cp /opt/splunk/etc/system/default/limits.conf /opt/splunk/etc/system/local/limits.conf
# Bump the memtable limits to allow for the ASN lookup table
sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
# Skip Splunk Tour and Change Password Dialog
touch /opt/splunk/etc/.ui_login
# Enable SSL Login for Splunk
@@ -105,6 +113,8 @@ install_splunk() {
# Reboot Splunk to make changes take effect
/opt/splunk/bin/splunk restart
/opt/splunk/bin/splunk enable boot-start
# Generate the ASN lookup table
/opt/splunk/bin/splunk search "|asngen | outputlookup asn" -auth 'admin:changeme'
fi
}
@@ -158,30 +168,30 @@ import_osquery_config_into_fleet() {
cd /home/vagrant/osquery-configuration/Endpoints/Windows/ || exit
# Fleet requires you to login before importing packs
# Login
curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure
curl 'https://192.168.38.105:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/login' -H 'authority: 192.168.38.105:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure
sleep 1
curl 'https://192.168.38.5:8412/setup' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'authority: 192.168.38.5:8412' --compressed --insecure
curl 'https://192.168.38.105:8412/setup' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'authority: 192.168.38.105:8412' --compressed --insecure
sleep 1
# Setup organization name and email address
curl 'https://192.168.38.5:8412/api/v1/setup' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/setup' -H 'authority: 192.168.38.5:8412' --data-binary '{"kolide_server_url":"https://192.168.38.5:8412","org_info":{"org_name":"detectionlab"},"admin":{"admin":true,"email":"example@example.com","password":"admin123#","password_confirmation":"admin123#","username":"admin"}}' --compressed --insecure
curl 'https://192.168.38.105:8412/api/v1/setup' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/setup' -H 'authority: 192.168.38.105:8412' --data-binary '{"kolide_server_url":"https://192.168.38.105:8412","org_info":{"org_name":"detectionlab"},"admin":{"admin":true,"email":"example@example.com","password":"admin123#","password_confirmation":"admin123#","username":"admin"}}' --compressed --insecure
sleep 3
# Import all Windows configs
/home/vagrant/configimporter/configimporter -host https://localhost:8412 -user 'admin' -config osquery_to_import.conf
# Get auth token
TOKEN=$(curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure | grep token | cut -d '"' -f 4)
TOKEN=$(curl 'https://192.168.38.105:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/login' -H 'authority: 192.168.38.105:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure | grep token | cut -d '"' -f 4)
# Set all packs to be targeted to Windows hosts
curl 'https://192.168.38.5:8412/api/v1/kolide/packs/1' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
curl 'https://192.168.38.105:8412/api/v1/kolide/packs/1' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
sleep 1
curl 'https://192.168.38.5:8412/api/v1/kolide/packs/2' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
curl 'https://192.168.38.105:8412/api/v1/kolide/packs/2' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
sleep 1
curl 'https://192.168.38.5:8412/api/v1/kolide/packs/3' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
curl 'https://192.168.38.105:8412/api/v1/kolide/packs/3' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
sleep 1
curl 'https://192.168.38.5:8412/api/v1/kolide/packs/4' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
curl 'https://192.168.38.105:8412/api/v1/kolide/packs/4' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
sleep 1
curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
curl 'https://192.168.38.105:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
# Rename primary pack
curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/5/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"name":"windows-pack"}' --compressed --insecure
curl 'https://192.168.38.105:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/5/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"name":"windows-pack"}' --compressed --insecure
# Add Splunk monitors for Fleet
/opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_result" -index osquery -sourcetype 'osquery:json' -auth 'admin:changeme'
/opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme'
@@ -218,126 +228,145 @@ install_caldera() {
}
install_bro() {
# environment variables
NODECFG=/opt/bro/etc/node.cfg
SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager'
SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list
curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add -
# update APT repositories
apt-get -qq -ym update
apt-get -qq -ym install \
bro \
crudini \
# install tools to build and configure bro
# Environment variables
NODECFG=/opt/bro/etc/node.cfg
SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager'
SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list
curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add -
# load bro scripts
cat<<EOF >> /opt/bro/share/bro/site/local.bro
# Update APT repositories
apt-get -qq -ym update
# Install tools to build and configure bro
apt-get -qq -ym install bro crudini
# Load bro scripts
echo '
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/http/software
@load tuning/json-logs
@load policy/integration/collective-intel
@load policy/frameworks/intel/do_notice
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load frameworks/files/hash-all-files
@load policy/protocols/smb
@load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/http/software
redef Intel::read_files += {
"/opt/bro/etc/intel.dat"
};
' >> /opt/bro/share/bro/site/local.bro
@load tuning/json-logs
@load policy/integration/collective-intel
@load policy/frameworks/intel/do_notice
# Configure Bro
crudini --del $NODECFG bro
crudini --set $NODECFG manager type manager
crudini --set $NODECFG manager host localhost
crudini --set $NODECFG proxy type proxy
crudini --set $NODECFG proxy host localhost
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load frameworks/files/hash-all-files
# Setup $CPUS numbers of bro workers
crudini --set $NODECFG worker-eth1 type worker
crudini --set $NODECFG worker-eth1 host localhost
crudini --set $NODECFG worker-eth1 interface eth1
crudini --set $NODECFG worker-eth1 lb_method pf_ring
crudini --set $NODECFG worker-eth1 lb_procs "$(nproc)"
@load policy/protocols/smb
# Setup bro to run at boot
cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service
systemctl enable bro
systemctl start bro
@load policy/protocols/conn/vlan-logging
# Setup splunk TA to ingest bro and suricata data
git clone https://github.com/jahshuah/splunk-ta-bro-json $SPLUNK_BRO_JSON
@load policy/protocols/conn/mac-logging
mkdir -p $SPLUNK_BRO_JSON/local
cp $SPLUNK_BRO_JSON/default/inputs.conf $SPLUNK_BRO_JSON/local/inputs.conf
redef Intel::read_files += {
"/opt/bro/etc/intel.dat"
};
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR index bro
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR sourcetype json_bro
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR whitelist '.*\.log$'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR blacklist '.*(communication|stderr)\.log$'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR disabled 0
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype json_suricata
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
EOF
# Ensure permissions are correct and restart splunk
chown -R splunk $SPLUNK_BRO_JSON
/opt/splunk/bin/splunk restart
# configure bro
crudini --del $NODECFG bro
crudini --set $NODECFG manager type manager
crudini --set $NODECFG manager host localhost
crudini --set $NODECFG proxy type proxy
crudini --set $NODECFG proxy host localhost
CPUS=$(lscpu -e |awk /yes/'{print $1'} |wc -l)
# setup $CPUS numbers of bro workers
for i in eth1
do
crudini --set $NODECFG worker-$i type worker
crudini --set $NODECFG worker-$i host localhost
crudini --set $NODECFG worker-$i interface $i
crudini --set $NODECFG worker-$i lb_method pf_ring
crudini --set $NODECFG worker-$i lb_procs $CPUS
done
# setup bro to run at boot
cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service
for i in bro
do
systemctl enable $i
systemctl start $i
done
# setup splunk TA to ingest bro and suricata data
git clone https://github.com/jahshuah/splunk-ta-bro-json $SPLUNK_BRO_JSON
mkdir -p $SPLUNK_BRO_JSON/local
cp $SPLUNK_BRO_JSON/default/inputs.conf $SPLUNK_BRO_JSON/local/inputs.conf
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR index bro
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR sourcetype json_bro
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR whitelist '.*\.log$'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR blacklist '.*(communication|stderr)\.log$'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR disabled 0
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype json_suricata
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
# ensure permissions are correct and restart splunk
chown -R splunk $SPLUNK_BRO_JSON
/opt/splunk/bin/splunk restart
# Verify that Bro is running
if ! pgrep -f bro > /dev/null; then
echo "Bro attempted to start but is not running. Exiting"
exit 1
fi
}
install_suricata() {
# install yq to maniuplate the suricata.yaml inline
/usr/bin/go get -u github.com/mikefarah/yq
# install suricata
add-apt-repository -y ppa:oisf/suricata-stable
apt-get -qq -y update && apt-get -qq -y install suricata crudini
# install suricata-update
pip3.6 install --pre --upgrade suricata-update
# add DC_SERVERS variable to suricata.yaml in support et-open signatures
/root/go/bin/yq w -i /etc/suricata/suricata.yaml vars.address-groups.DC_SERVERS '$HOME_NET'
crudini --set --format=sh /etc/default/suricata '' iface eth1
# update suricata signature sources
suricata-update update-sources
# disable protocol decode as it is duplicative of bro
echo re:protocol-command-decode >> /etc/suricata/disable.conf
# enable et-open and attackdetection sources
for i in et/open ptresearch/attackdetection
do
suricata-update enable-source $i
# Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts
done
# update suricata and restart
suricata-update
systemctl restart suricata
# Install yq to maniuplate the suricata.yaml inline
/usr/bin/go get -u github.com/mikefarah/yq
# Install suricata
add-apt-repository -y ppa:oisf/suricata-stable
apt-get -qq -y update && apt-get -qq -y install suricata crudini
# Install suricata-update
cd /home/vagrant || exit 1
git clone https://github.com/OISF/suricata-update.git
cd /home/vagrant/suricata-update || exit 1
python setup.py install
# Add DC_SERVERS variable to suricata.yaml in support et-open signatures
/root/go/bin/yq w -i /etc/suricata/suricata.yaml vars.address-groups.DC_SERVERS '$HOME_NET'
# It may make sense to store the suricata.yaml file as a resource file if this begins to become too complex
# Add more verbose alert logging
/root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload true
/root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-buffer-size 4kb
/root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-printable yes
/root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.packet yes
/root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.http yes
/root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.tls yes
/root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.ssh yes
/root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.smtp yes
# Turn off traffic flow logging (duplicative of Bro and wrecks Splunk trial license)
/root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove HTTP
/root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove DNS
/root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove TLS
/root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SMTP
/root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SSH
/root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Stats
/root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Flow
# AF packet monitoring should be set to eth1
/root/go/bin/yq w -i /etc/suricata/suricata.yaml af-packet.0.interface eth1
crudini --set --format=sh /etc/default/suricata '' iface eth1
# update suricata signature sources
suricata-update update-sources
# disable protocol decode as it is duplicative of bro
echo re:protocol-command-decode >> /etc/suricata/disable.conf
# enable et-open and attackdetection sources
suricata-update enable-source et/open
suricata-update enable-source ptresearch/attackdetection
# Add the YAML header to the top of the suricata config
echo "Adding the YAML header to /etc/suricata/suricata.yaml"
echo -e "%YAML 1.1\n---\n$(cat /etc/suricata/suricata.yaml)" > /etc/suricata/suricata.yaml
# Update suricata and restart
suricata-update
service suricata stop
service suricata start
sleep 3
# Verify that Suricata is running
if ! pgrep -f suricata > /dev/null; then
echo "Suricata attempted to start but is not running. Exiting"
exit 1
fi
}
main() {

BIN
Vagrant/resources/splunk_server/asn-lookup-generator_012.tgz Normal file
View File

Binary file not shown.

2
Vagrant/scripts/install-caldera-agent.ps1
View File

@@ -2,7 +2,7 @@
If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
# Add /etc/hosts entry
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 logger"
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.105 logger"
# Make the directory
New-Item "c:\Program Files\cagent" -type directory

2
Vagrant/scripts/install-osquery.ps1
View File

@@ -19,7 +19,7 @@ If (-not ($service)) {
### --- TLS CONFIG BEGINS ---
### COMMENT ALL LINES BELOW UNTIL "TLS CONFIG ENDS" if using local configuration
## Add entry to hosts file for Kolide for SSL validation
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 kolide"
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.105 kolide"
## Add kolide secret and avoid BOM
$Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
[System.IO.File]::WriteAllLines("c:\ProgramData\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)

2
Vagrant/scripts/install-splunkuf.ps1
View File

@@ -6,7 +6,7 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"))
Write-Host "Installing & Starting Splunk"
(New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
} Else {
Write-Host "Splunk is already installed. Moving on."
}

2
Vagrant/scripts/join-domain.ps1
View File

@@ -4,7 +4,7 @@
Write-Host 'Join the domain'
Write-Host "First, set DNS to DC to join the domain"
$newDNSServers = "192.168.38.2"
$newDNSServers = "192.168.38.102"
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}

2
Vagrant/scripts/provision.ps1
View File

@@ -26,7 +26,7 @@ if ($env:COMPUTERNAME -imatch 'vagrant') {
}
if ($env:COMPUTERNAME -imatch 'dc') {
. c:\vagrant\scripts\create-domain.ps1 192.168.38.2
. c:\vagrant\scripts\create-domain.ps1 192.168.38.102
} else {
. c:\vagrant\scripts\join-domain.ps1
}