added installation & configuration of ms_ata
This commit is contained in:
Henk Hofs
@@ -9,6 +9,7 @@ Read more about Detection Lab on Medium here: https://medium.com/@clong/introduc
|
||||
NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.
|
||||
|
||||
## Primary Lab Features:
|
||||
* Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
|
||||
* Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
|
||||
* A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
|
||||
* [Palantir's Windows Event Forwarding](http://github.com/palantir/windows-event-forwarding) subscriptions and custom channels are implemented
|
||||
@@ -19,6 +20,7 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
|
||||
* All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
|
||||
* SMBv1 Auditing is enabled
|
||||
|
||||
|
||||
## Requirements
|
||||
* 55GB+ of free disk space
|
||||
* 16GB+ of RAM
|
||||
@@ -124,6 +126,7 @@ Vagrant commands must be run from the "Vagrant" folder.
|
||||
* Fleet login: https://192.168.38.5:8412 - admin:admin123#
|
||||
* Splunk login: https://192.168.38.5:8000 - admin:changeme
|
||||
* Caldera login: https://192.168.38.5:8888 - admin:caldera
|
||||
* MS ATA login: https://192.168.38.3 - wef\vagrant:vagrant
|
||||
|
||||
## Lab Hosts
|
||||
* DC - Windows 2016 Domain Controller
|
||||
@@ -134,7 +137,9 @@ Vagrant commands must be run from the "Vagrant" folder.
|
||||
* osquery
|
||||
* Splunk Universal Forwarder (Forwards Sysmon & osquery)
|
||||
* Sysinternals Tools
|
||||
* Microsft Advanced Threat Analytics Lightweight Gateway
|
||||
* WEF - Windows 2016 Server
|
||||
* Microsoft Advanced Threat Analytics
|
||||
* Windows Event Collector
|
||||
* Windows Event Subscription Creation
|
||||
* Powershell transcription logging share
|
||||
@@ -235,7 +240,8 @@ Requests for tools and features will be reviewed on a case by case basis, but I
|
||||
## Credits/Resources
|
||||
A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
|
||||
|
||||
# Acknowledgements
|
||||
# Acknowledgements
|
||||
* [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
|
||||
* [Splunk](https://www.splunk.com)
|
||||
* [osquery](https://osquery.io)
|
||||
* [Fleet](https://kolide.co/fleet)
|
||||
|
||||
17
Vagrant/Vagrantfile
vendored
17
Vagrant/Vagrantfile
vendored
@@ -57,15 +57,15 @@ Vagrant.configure("2") do |config|
|
||||
|
||||
cfg.vm.provider "vmware_fusion" do |v, override|
|
||||
override.vm.box = "../Boxes/windows_2016_vmware.box"
|
||||
v.memory = 2048
|
||||
v.cpus = 1
|
||||
v.memory = 6144
|
||||
v.cpus = 2
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.customize ["modifyvm", :id, "--memory", 2048]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 1]
|
||||
vb.customize ["modifyvm", :id, "--memory", 6144]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 2]
|
||||
vb.customize ["modifyvm", :id, "--vram", "32"]
|
||||
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
|
||||
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
|
||||
@@ -96,18 +96,19 @@ Vagrant.configure("2") do |config|
|
||||
cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: true
|
||||
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
|
||||
cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
|
||||
cfg.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: true
|
||||
|
||||
cfg.vm.provider "vmware_fusion" do |v, override|
|
||||
override.vm.box = "../Boxes/windows_2016_vmware.box"
|
||||
v.memory = 2048
|
||||
v.cpus = 1
|
||||
v.memory = 8192
|
||||
v.cpus = 2
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.customize ["modifyvm", :id, "--memory", 2048]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 1]
|
||||
vb.customize ["modifyvm", :id, "--memory", 8192]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 2]
|
||||
vb.customize ["modifyvm", :id, "--vram", "32"]
|
||||
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
|
||||
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
# Purpose: Downloads and installs a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
|
||||
|
||||
Write-Host "Downloading Microsoft ATA 1.9..."
|
||||
|
||||
Invoke-WebRequest -Uri "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso" -OutFile $env:temp\ATA1.9.iso
|
||||
|
||||
$Mount = Mount-DiskImage -ImagePath $env:temp\ATA1.9.iso -StorageType ISO -Access ReadOnly -PassThru
|
||||
$Volume = $Mount | Get-Volume
|
||||
Set-Location ($Volume.DriveLetter + ":")
|
||||
|
||||
& '.\Microsoft ATA Center Setup.exe' /q --LicenseAccepted NetFrameworkCommandLineArguments="/q" --EnableMicrosoftUpdate
|
||||
42
build.ps1
42
build.ps1
@@ -349,21 +349,39 @@ function vagrant_reload_host {
|
||||
function download {
|
||||
param(
|
||||
[string]$URL,
|
||||
[string]$PatternToMatch
|
||||
[string]$PatternToMatch,
|
||||
[switch]$SuccessOn401
|
||||
|
||||
)
|
||||
Write-Verbose "[download] Running for $URL, looking for $PatternToMatch"
|
||||
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
|
||||
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
|
||||
|
||||
$wc = New-Object System.Net.WebClient
|
||||
$result = $wc.DownloadString($URL)
|
||||
if ($result -like "*$PatternToMatch*") {
|
||||
Write-Verbose "[download] Found $PatternToMatch at $URL"
|
||||
return $true
|
||||
try
|
||||
{
|
||||
$result = $wc.DownloadString($URL)
|
||||
if ($result -like "*$PatternToMatch*") {
|
||||
Write-Verbose "[download] Found $PatternToMatch at $URL"
|
||||
return $true
|
||||
}
|
||||
else {
|
||||
Write-Verbose "[download] Could not find $PatternToMatch at $URL"
|
||||
return $false
|
||||
}
|
||||
}
|
||||
else {
|
||||
Write-Verbose "[download] Could not find $PatternToMatch at $URL"
|
||||
return $false
|
||||
catch
|
||||
{
|
||||
if ($_.Exception.InnerException.Response.StatusCode -eq 401 -and $SuccessOn401.IsPresent)
|
||||
{
|
||||
return $true
|
||||
}
|
||||
else
|
||||
{
|
||||
Write-Verbose "Error occured on webrequest: $_"
|
||||
return $false
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -381,6 +399,11 @@ function post_build_checks {
|
||||
$FLEET_CHECK = download -URL 'https://192.168.38.5:8412' -PatternToMatch 'Kolide Fleet'
|
||||
Write-Verbose "[post_build_checks] Fleet Result: $FLEET_CHECK"
|
||||
|
||||
Write-Verbose '[post_build_checks] Running MS ATA Check.'
|
||||
$ATA_CHECK = download -URL 'https://192.168.38.3' -SuccessOn401
|
||||
Write-Verbose "[post_build_checks] ATA Result: $ATA_CHECK"
|
||||
|
||||
|
||||
if ($CALDERA_CHECK -eq $false) {
|
||||
Write-Warning 'Caldera failed post-build tests and may not be functioning correctly.'
|
||||
}
|
||||
@@ -390,6 +413,9 @@ function post_build_checks {
|
||||
if ($FLEET_CHECK -eq $false) {
|
||||
Write-Warning 'Fleet failed post-build tests and may not be functioning correctly.'
|
||||
}
|
||||
if ($ATA_CHECK -eq $false) {
|
||||
Write-Warning 'MS ATA failed post-build tests and may not be functioning correctly.'
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
7
build.sh
7
build.sh
@@ -253,12 +253,14 @@ post_build_checks() {
|
||||
CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.5:8888 | grep -c '302: Found' || echo "")
|
||||
SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.5:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "")
|
||||
FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.5:8412 | grep -c 'Kolide Fleet' || echo "")
|
||||
curl --fail -ks https://192.168.38.3 -m 2
|
||||
ATA_CHECK=$([[ $? == 22 ]] && echo 1)
|
||||
|
||||
BASH_MAJOR_VERSION=$(/bin/bash --version | grep 'GNU bash' | grep -o version\.\.. | cut -d ' ' -f 2 | cut -d '.' -f 1)
|
||||
# Associative arrays are only supported in bash 4 and up
|
||||
if [ "$BASH_MAJOR_VERSION" -ge 4 ]; then
|
||||
declare -A SERVICES
|
||||
SERVICES=(["caldera"]="$CALDERA_CHECK" ["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK")
|
||||
SERVICES=(["caldera"]="$CALDERA_CHECK" ["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK")
|
||||
for SERVICE in "${!SERVICES[@]}"; do
|
||||
if [ "${SERVICES[$SERVICE]}" -lt 1 ]; then
|
||||
(echo >&2 "Warning: $SERVICE failed post-build tests and may not be functioning correctly.")
|
||||
@@ -274,6 +276,9 @@ post_build_checks() {
|
||||
if [ "$FLEET_CHECK" -lt 1 ]; then
|
||||
(echo >&2 "Warning: Fleet failed post-build tests and may not be functioning correctly.")
|
||||
fi
|
||||
if [ "$ATA_CHECK" -lt 1 ]; then
|
||||
(echo >&2 "Warning: MS ATA failed post-build tests and may not be functioning correctly.")
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user