Adding final ESXI deployment code

2020-03-09 14:42:58 -07:00
parent e78b08a901
commit 4e850a5ee6
35 changed files with 988 additions and 168 deletions
--- a/ESXi/ansible/ansible.cfg
+++ b/ESXi/ansible/ansible.cfg
@@ -1,2 +1,3 @@
 [defaults]
 inventory = inventory.yml
+host_key_checking = False
--- a/ESXi/ansible/dc/tasks/main.yml
+++ b/ESXi/ansible/dc/tasks/main.yml
@@ -1,41 +0,0 @@
---
-
- name: Hostname -> DC
-  win_hostname:
-    name: dc
-  register: res
-
- name: Reboot
-  win_reboot:
-  when: res.reboot_required
-
- name: Install git
-  win_chocolatey:
-    name: git
-    state: present
-
- name: Check if existing DetectionLab directory
-  win_stat:
-    path: 'c:\DetectionLab'
-  register: dir
-
- name: Git clone Detectionlab
-  win_shell: git clone https://github.com/clong/DetectionLab.git
-  args:
-    chdir: 'c:\'
-  when: not dir.stat.exists
-
- name: Copy scripts to c:\vagrant
-  win_shell: Copy-Item -Recurse c:\DetectionLab\Vagrant c:\vagrant
-
- name: Provision
-  win_shell: .\\provision.ps1
-  args:
-    chdir: 'c:\vagrant\scripts'
-
- name: reboot server
-  win_reboot:
-    msg: "Installing AD. Rebooting..."
-    pre_reboot_delay: 15
-    reboot_timeout: 600
-    post_reboot_delay: 420
--- a/ESXi/ansible/detectionlab.yml
+++ b/ESXi/ansible/detectionlab.yml
@@ -1,4 +1,19 @@
 ---
+- hosts: logger
+  roles:
+    - logger
+
 - hosts: dc
  roles:
    - dc
+    - common
+
+- hosts: wef
+  roles:
+    - wef
+    - common
+
+- hosts: win10
+  roles:
+    - win10
+    - common
--- a/ESXi/ansible/group_vars/linux.yml
+++ b/ESXi/ansible/group_vars/linux.yml
@@ -0,0 +1,4 @@
+ansible_user: vagrant
+ansible_password: vagrant
+ansible_port: 22
+ansible_connection: ssh
--- a/ESXi/ansible/inventory.yml
+++ b/ESXi/ansible/inventory.yml
@@ -1,4 +1,23 @@
 ---
+
+logger:
+  hosts:
+    192.168.3.151:
+      ansible_user: vagrant
+      ansible_password: vagrant
+      ansible_port: 22
+      ansible_connection: ssh
+      ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
+
 dc:
  hosts:
    192.168.3.189:
+
+wef:
+  hosts:
+    192.168.3.194:
+
+win10:
+  hosts:
+    192.168.3.193:
+
--- a/ESXi/ansible/roles/common/tasks/main.yml
+++ b/ESXi/ansible/roles/common/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+
+- name: Run Common Tasks
+  win_shell: ".\\{{ item }}"
+  args:
+    chdir: 'c:\vagrant\scripts'
+  with_items:
+    - "download_palantir_wef.ps1"
+    - "download_palantir_osquery.ps1"
+    - "install-osquery.ps1"
+    - "install-sysinternals.ps1"
+    - "install-autorunstowineventlog.ps1"
+    - "install-redteam.ps1"
+
+- name: Install utilities 
+  win_chocolatey:
+    name:
+    - NotepadPlusPlus
+    - GoogleChrome
+    - WinRar
+    - wireshark
+    - winpcap
+    state: present
+
+- name: Install classic-shell with chocolatey
+  win_chocolatey:
+    name:
+      - classic-shell
+    state: present
+    install_args: "ADDLOCAL=ClassicStartMenu"
+
+- name: DetectionLab Menu
+  win_shell: "\"C:\\Program Files\\Classic Shell\\ClassicStartMenu.exe -xml c:\\vagrant\\resources\\windows\\MenuSettings.xml\""
+
+
+
--- a/ESXi/ansible/roles/dc/tasks/main.yml
+++ b/ESXi/ansible/roles/dc/tasks/main.yml
@@ -0,0 +1,67 @@
+---
+
+- name: Hostname -> DC
+  win_hostname:
+    name: dc
+  register: res
+
+- name: Reboot
+  win_reboot:
+  when: res.reboot_required
+
+- name: Set HostOnly IP Address
+  win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.102 –PrefixLength 24 -DefaultGateway 192.168.38.1"
+
+- name: Set DNS Address
+  win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 127.0.0.1,8.8.8.8"
+
+- name: Install git
+  win_chocolatey:
+    name: git
+    state: present
+
+- name: Check if existing DetectionLab directory
+  win_stat:
+    path: 'c:\DetectionLab'
+  register: dir
+
+- name: Git clone Detectionlab
+  win_shell: git clone https://github.com/clong/DetectionLab.git
+  args:
+    chdir: 'c:\'
+  when: not dir.stat.exists
+
+- name: Copy scripts to c:\vagrant
+  win_shell: Copy-Item -Recurse c:\DetectionLab\Vagrant c:\vagrant
+
+- name: Create the Domain
+  win_shell: .\\provision.ps1
+  args:
+    chdir: 'c:\vagrant\scripts'
+
+- name: reboot server
+  win_reboot:
+    msg: "Installing AD. Rebooting..."
+    pre_reboot_delay: 15
+    reboot_timeout: 600
+    post_reboot_delay: 60
+
+- name: Configure DC Host
+  win_shell: ".\\{{ item }}"
+  args:
+    chdir: 'c:\vagrant\scripts'
+  with_items:
+    - "configure-ou.ps1"
+    - "configure-wef-gpo.ps1"
+    - "configure-powershelllogging.ps1"
+    - "configure-AuditingPolicyGPOs.ps1"
+    - "configure-disable-windows-defender-gpo.ps1"
+    - "configure-rdp-user-gpo.ps1"
+
+- name: Configure DC with raw Commands
+  win_shell: "{{ item }}"
+  with_items:
+    - "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
+    - "Set-SmbServerConfiguration -AuditSmb1Access $true -Force"
+
+
--- a/ESXi/ansible/roles/logger/tasks/main.yml
+++ b/ESXi/ansible/roles/logger/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+
+- name: Set hostname to logger
+  hostname:
+    name: logger
+  become: yes
+
+- name: Create a directory if it does not exist
+  file:
+    path: /vagrant
+    state: directory
+    mode: '0755'
+  become: yes
+
+- name: Copy vagrant resources
+  synchronize:
+    src: ../../Vagrant/resources
+    dest: /vagrant/
+  become: yes
+
+- name: Copy bootstrap file
+  copy:
+    src: ../../Vagrant/bootstrap.sh
+    dest: /home/vagrant
+    owner: vagrant
+    group: vagrant
+    mode: u+x,g+x
+
+- name: Copy netplan file
+  copy:
+    src: ../resources/01-netcfg.yaml
+    dest: /tmp
+    owner: vagrant
+    group: vagrant
+
+- name: Copy the netplan file over as root
+  shell: "mv /tmp/01-netcfg.yaml /etc/netplan/01-netcfg.yaml"
+  become: yes
+
+- name: Apply the new netplan
+  shell: netplan apply
+  become: yes
+
+- name: Run bootstrap.sh
+  shell: /home/vagrant/bootstrap.sh | tee -a /home/vagrant/bootstrap.log
+  args: 
+    executable: /bin/bash
+  become: yes
--- a/ESXi/ansible/roles/wef/tasks/main.yml
+++ b/ESXi/ansible/roles/wef/tasks/main.yml
@@ -0,0 +1,72 @@
+---
+
+- name: Hostname -> WEF
+  win_hostname:
+    name: wef
+  register: res
+
+- name: Reboot
+  win_reboot:
+  when: res.reboot_required
+
+# This needs to be made idempodent
+- name: Set HostOnly IP Address
+  win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.103 –PrefixLength 24 -DefaultGateway 192.168.38.1"
+
+# This needs to be made idempodent
+- name: Set HostOnly DNS Address
+  win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 192.168.38.102,8.8.8.8"
+
+- name: Install git
+  win_chocolatey:
+    name: git
+    state: present
+
+- name: Check if existing DetectionLab directory
+  win_stat:
+    path: 'c:\DetectionLab'
+  register: dir
+
+- name: Git clone Detectionlab
+  win_shell: git clone https://github.com/clong/DetectionLab.git
+  args:
+    chdir: 'c:\'
+  when: not dir.stat.exists
+
+- name: Copy scripts to c:\vagrant
+  win_shell: Copy-Item -Recurse c:\DetectionLab\Vagrant c:\vagrant
+
+- name: Join the Domain
+  win_shell: .\\provision.ps1
+  args:
+    chdir: 'c:\vagrant\scripts'
+
+- name: reboot server
+  win_reboot:
+    msg: "Joining the domain. Rebooting..."
+    pre_reboot_delay: 15
+    reboot_timeout: 600
+    post_reboot_delay: 60
+
+- name: Clear Event Logs
+  win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
+
+- name: Configure WEF Host
+  win_shell: ".\\{{ item }}"
+  args:
+    chdir: 'c:\vagrant\scripts'
+  with_items:
+    - "download_palantir_wef.ps1"
+    - "install-wefsubscriptions.ps1"
+    - "install-splunkuf.ps1"
+    - "install-windows_ta.ps1"
+    - "configure-pslogstranscriptsshare.ps1"
+    - "install-microsoft-ata.ps1"
+
+- name: Configure WEF with raw Commands
+  win_shell: "{{ item }}"
+  with_items:
+    - "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
+    - "Set-SmbServerConfiguration -AuditSmb1Access $true -Force"
+
+
--- a/ESXi/ansible/roles/win10/tasks/main.yml
+++ b/ESXi/ansible/roles/win10/tasks/main.yml
@@ -0,0 +1,61 @@
+---
+
+- name: Hostname -> WIN10
+  win_hostname:
+    name: win10
+  register: res
+
+- name: Reboot
+  win_reboot:
+  when: res.reboot_required
+
+- name: Set HostOnly IP Address
+  win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.104 –PrefixLength 24 -DefaultGateway 192.168.38.1"
+
+- name: Set HostOnly DNS Address
+  win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 192.168.38.102,8.8.8.8"
+
+- name: Install git
+  win_chocolatey:
+    name: git
+    state: present
+
+- name: Check if existing DetectionLab directory
+  win_stat:
+    path: 'c:\DetectionLab'
+  register: dir
+
+- name: Git clone Detectionlab
+  win_shell: git clone https://github.com/clong/DetectionLab.git
+  args:
+    chdir: 'c:\'
+  when: not dir.stat.exists
+
+- name: Copy scripts to c:\vagrant
+  win_shell: Copy-Item -Recurse c:\DetectionLab\Vagrant c:\vagrant
+
+- name: Making Windows10 Great Again
+  win_shell:  .\\MakeWindows10GreatAgain.ps1
+  args:
+    chdir: 'c:\vagrant\scripts'
+
+- name: Join the Domain
+  win_shell: .\\provision.ps1
+  args:
+    chdir: 'c:\vagrant\scripts'
+
+- name: Update group policy
+  win_shell: "gpupdate /force"
+
+- name: Reboot Server
+  win_reboot:
+    msg: "Joined the domain. Rebooting..."
+    pre_reboot_delay: 15
+    reboot_timeout: 600
+    post_reboot_delay: 60
+
+- name: Clear Event Logs
+  win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
+
+
+