diff --git a/README.md b/README.md index 7d813aa..6abc762 100644 --- a/README.md +++ b/README.md @@ -45,16 +45,10 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr --- ## Quickstart -DetectionLab now contains build scripts for \*NIX, MacOS, and Windows users! - -There is a single build script that supports 3 different options: -- `./build.sh ` - Builds the entire lab from scratch. Takes 3-5 hours depending on hardware resources and bandwidth -- `./build.sh --vagrant-only` - Downloads pre-built Packer boxes from Vagrant Cloud and builds the lab from those boxes. This option is recommended if you have more bandwidth than time or are having trouble building boxes. -- `./build.sh --packer-only` - This option only builds the Packer boxes and will not use Vagrant to start up the lab. - -Windows users will want to use the following script: -- `./build.ps1 -ProviderName ` - Builds the entire lab from scratch. Takes 3-5 hours depending on hardware resources and bandwidth -- `./build.ps1 -ProviderName -VagrantOnly` - Downloads pre-built Packer boxes from Vagrant Cloud and builds the lab from those boxes. This option is recommended if you have more bandwidth than time or are having trouble building boxes. +* [AWS](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform)) +* [MacOS](https://github.com/clong/DetectionLab/wiki/Quickstart---MacOS) +* [Windows](https://github.com/clong/DetectionLab/wiki/Quickstart---Windows) +* [Linux](https://github.com/clong/DetectionLab/wiki/Quickstart-Linux) --- 
@@ -109,134 +103,20 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json --- ## Basic Vagrant Usage -Vagrant commands must be run from the "Vagrant" folder. -* Bring up all Detection Lab hosts: `vagrant up` (optional `--provider=[virtualbox|vmware_desktop]`) -* Bring up a specific host: `vagrant up ` -* Restart a specific host: `vagrant reload ` -* Restart a specific host and re-run the provision process: `vagrant reload --provision` -* Destroy a specific host `vagrant destroy ` -* Destroy the entire Detection Lab environment: `vagrant destroy` (Adding `-f` forces it without a prompt) -* SSH into a host (only works with Logger): `vagrant ssh logger` -* Check the status of each host: `vagrant status` -* Suspend the lab environment: `vagrant suspend` -* Resume the lab environment: `vagrant resume` +Moved to the wiki: [Basic Vagrant Usage](https://github.com/clong/DetectionLab/wiki/Vagrant-Usage) --- ## Lab Information -* Domain Name: windomain.local -* Admininstrator login: vagrant:vagrant -* Fleet login: https://192.168.38.105:8412 - admin:admin123# -* Splunk login: https://192.168.38.105:8000 - admin:changeme -* MS ATA login: https://192.168.38.103 - wef\vagrant:vagrant -## Lab Hosts -* DC - Windows 2016 Domain Controller - * WEF Server Configuration GPO - * Powershell logging GPO - * Enhanced Windows Auditing policy GPO - * Sysmon - * osquery - * Splunk Universal Forwarder (Forwards Sysmon & osquery) - * Sysinternals Tools - * Microsft Advanced Threat Analytics Lightweight Gateway -* WEF - Windows 2016 Server - * Microsoft Advanced Threat Analytics - * Windows Event Collector - * Windows Event Subscription Creation - * Powershell transcription logging share - * Sysmon - * osquery - * Splunk Universal Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery) - * Sysinternals tools -* Win10 - Windows 10 Workstation - * Simulates employee workstation - * Sysmon - * osquery - * Splunk Universal Forwarder (Forwards Sysmon & osquery) - * 
Sysinternals Tools -* Logger - Ubuntu 16.04 - * Splunk Enterprise - * Fleet osquery Manager - * Bro - * Suricata - -## Splunk Indexes -Index Name | Description ------------|------------ -osquery | osquery/Fleet result logs -osquery-status | osquery/fleet INFO/WARN/ERROR logs -powershell | Powershell transcription logs -sysmon | Logs from the Sysmon service -wineventlog | Windows Event Logs -bro | Bro network traffic logs -suricata | Suricata IDS logs -threathunting | Used for the ThreatHunting app - -## Installed Tools on Windows - * Sysmon - * osquery - * AutorunsToWinEventLog - * Process Monitor - * Process Explorer - * PsExec - * TCPView - * Notepad++ - * Google Chrome - * WinRar - * Mimikatz - * Wireshark - * Powersploit - * Atomic Red Team - -## Applied GPOs -* [Custom Event Channel Permissions](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Custom%20Event%20Channel%20Permissions.htm) -* [Default Domain Controllers Policy](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Default%20Domain%20Controllers%20Policy.htm) -* [Default Domain Policy](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Default%20Domain%20Policy.htm) -* [Domain Controllers Enhanced Auditing Policy](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Domain%20Controllers%20Enhanced%20Auditing%20Policy.htm) -* [Powershell Logging](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Powershell%20Logging.htm) -* [Servers Enhanced Auditing Policy](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Servers%20Enhanced%20Auditing%20Policy.htm) -* [Windows Event Forwarding Server](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Windows%20Event%20Forwarding%20Server.htm) -* [Workstations Enhanced Auditing 
Policy](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Workstations%20Enhanced%20Auditing%20Policy.htm) +Moved to the wiki: [Lab Information & Credentials](https://github.com/clong/DetectionLab/wiki/Lab-Information-&-Credentials) --- ## Known Issues and Workarounds -**Issue:** Vagrant reports: `Message: HTTPClient::KeepAliveDisconnected:` while provisioning. -**Workaround:** Run `$ vagrant reload --provision` - ---- - -**Issue:** `Vagrant timed out while attempting to connect via WinRM` after Win10 host joins the domain. -**Workaround** Documented in [#21](https://github.com/clong/detectionlab/issues/21). Just run `$ vagrant reload win10 --provision` - ---- - -**Issue:** Vagrant is unable to forward a port for you -**Workaround:** Documented in [#11](https://github.com/clong/detectionlab/issues/11). There are a few possibilities: -1. Try a `vagrant reload --provision`. For whatever reason `vagrant up` doesn't fix conflicts but reload does. -2. Check if something is legitimately occupying the port via `sudo lsof -n -iTCP:` -3. Follow the instructions from this comment: https://github.com/hashicorp/vagrant/issues/8130#issuecomment-272963103 - ---- - -**Issue:** Fleet server becomes unreachable after VM is suspended and resumed - -**Workaround:** Documented in [#22](https://github.com/clong/detectionlab/issues/22). The following commands should make it reachable without deleting data: -``` -$ docker stop $(docker ps -aq) -$ service docker restart -$ cd /home/vagrant/kolide-quickstart -$ docker-compose start -d -``` - ---- - -**Issue:** Your primary hard drive doesn't have enough space for DetectionLab - -**Workaround:** Documented in [#48](https://github.com/clong/detectionlab/issues/48). You can change the default location for Vagrant by using the [VAGRANT_HOME](https://www.vagrantup.com/docs/other/environmental-variables.html#vagrant_home) environment variable. 
+Moved to the wiki: [Known Issues and Workarounds](https://github.com/clong/DetectionLab/wiki/Known-Issues-and-Workarounds) --- diff --git a/img/packer_wiki.png b/img/packer_wiki.png new file mode 100644 index 0000000..1bfa4a9 Binary files /dev/null and b/img/packer_wiki.png differ diff --git a/img/vagrant_wiki.png b/img/vagrant_wiki.png new file mode 100644 index 0000000..d1c70c0 Binary files /dev/null and b/img/vagrant_wiki.png differ
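Review bot: in the Quickstart hunk the last link breaks the naming pattern of its siblings: `Quickstart---AWS-(Terraform)`, `Quickstart---MacOS` and `Quickstart---Windows` use the triple-dash form, while the Linux entry points at `Quickstart-Linux`. Confirm that a wiki page exists under exactly that name, or rename it to match, since a dead quickstart link is the first thing a new user hits. The removed lines were also the only in-repo record of the `./build.sh --vagrant-only` / `--packer-only` flags, the `./build.ps1 -ProviderName` entry point and the 3-5 hour build estimate; the wiki is not versioned with the repository, so consider keeping one sentence here naming `build.sh` and `build.ps1` so that someone reading a tagged checkout can still find the entry points.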
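Review bot: the Basic Vagrant Usage hunk drops the one operational caveat that bites on a first run, `Vagrant commands must be run from the "Vagrant" folder`, together with the note that `vagrant ssh` only works against `logger`. A single pointer to the wiki keeps the README short, but the folder caveat is worth keeping inline, because running `vagrant up` from the repository root fails with a missing-Vagrantfile error that does not mention the subdirectory.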
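Review bot: the Lab Information hunk removes the default credentials (`admin:admin123#`, `admin:changeme`, `wef\vagrant:vagrant`) and the Applied GPOs list; two things should be fixed in the wiki copy rather than carried over verbatim. First, every GPO report link goes through `rawgit.com`, a third-party CDN that has been discontinued, so those links will not resolve; point the wiki at the files under `Vagrant/resources/GPO/reports/` in this repository instead. Second, the removed text contains the typos `Admininstrator` and `Microsft`, which should not be copied into the wiki page. The link target `Lab-Information-&-Credentials` contains a literal `&`; GitHub accepts it, but percent-encoding it as `%26` is safer for other Markdown renderers.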
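Review bot: the Fleet recovery workaround being moved out of the Known Issues section contains a command that should not be copied to the wiki as-is: `docker-compose start -d` is invalid, because `docker-compose start` takes no `-d` flag (that flag belongs to `docker-compose up -d`). The preceding `docker stop $(docker ps -aq)` also stops every container on the host, not just the Kolide ones; that is acceptable on the single-purpose logger VM, but the wiki text should say so.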
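Review bot: `img/packer_wiki.png` and `img/vagrant_wiki.png` are added as new binaries, but no `+` line in the README hunks references them (there is no `![...](img/...)` anywhere in the change). If they are screenshots for the wiki pages, they belong in the wiki rather than in this repository; if they are meant for the README, add the image references in this PR so they do not land as orphaned files.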