diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 379d366..36a80ed 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -84,8 +84,8 @@ install_splunk() {
 # Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
 dig @8.8.8.8 splunk.com
 # Download Splunk
- wget --progress=bar:force -O splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.2&product=splunk&filename=splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb&wget=true'
- dpkg -i splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb
+ wget --progress=bar:force -O splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.1&product=splunk&filename=splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb&wget=true'
+ dpkg -i splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb
 /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
 /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
 /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
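Review bot: The new wget/dpkg pair installs the downloaded package as root with no integrity check — nothing compares the .deb against a known digest before `dpkg -i`, so a truncated or substituted download is installed silently. Pin the digest published with the release and verify it between the two lines, e.g. `echo '<EXPECTED_SHA512>  splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb' | sha512sum -c -` (the value is not on this page, hence the placeholder). If the script does not run under `set -e`, the wget should also be chained with `||` so a failed download cannot fall through to dpkg. install_splunk() begins and ends outside the hunk.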
@@ -94,9 +94,17 @@ install_splunk() {
 /opt/splunk/bin/splunk add index powershell -auth 'admin:changeme'
 /opt/splunk/bin/splunk add index bro -auth 'admin:changeme'
 /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
+ /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_012.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_11.tgz -auth 'admin:changeme'
+ # Add custom Macro definitions for ThreatHunting App
+ cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/local
+
 # Add a Splunk TCP input on port 9997
 echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
 # Add props.conf and transforms.conf
@@ -105,6 +113,7 @@ install_splunk() {
 cp /opt/splunk/etc/system/default/limits.conf /opt/splunk/etc/system/local/limits.conf
 # Bump the memtable limits to allow for the ASN lookup table
 sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
+ # Skip Splunk Tour and Change Password Dialog
 touch /opt/splunk/etc/.ui_login
 # Enable SSL Login for Splunk
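Review bot: `cp .../macros.conf /opt/splunk/etc/apps/ThreatHunting/local` has no `mkdir -p` in front of it; if the packaged app does not ship a `local/` directory, cp creates a regular file named `local` and Splunk never reads the macros. Add `mkdir -p /opt/splunk/etc/apps/ThreatHunting/local` before the cp and name the target explicitly as `/opt/splunk/etc/apps/ThreatHunting/local/macros.conf` so the intent survives either way. Separately, this commit adds lookup-file-editor_305.tgz under splunk_server/ but no `splunk install app` line for it appears in this hunk; unless it is installed elsewhere the file is dead weight. install_splunk() continues past the hunk; the third hunk of this file only adds a comment.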
diff --git a/Vagrant/resources/fleet/server.crt b/Vagrant/resources/fleet/server.crt
index 8fa748b..5c07317 100644
--- a/Vagrant/resources/fleet/server.crt
+++ b/Vagrant/resources/fleet/server.crt
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICnjCCAYYCCQD3m5L/nC/akjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr
-b2xpZGUwHhcNMTcxMTAxMjAxMDIxWhcNMTgxMTAxMjAxMDIxWjARMQ8wDQYDVQQD
-DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDahfD8pVJN
-KSdE+GoYIPsteyHvyQXXGcCIlrt+EFI5TXKBcHE8Vyyi1xw7hTpGKA3DGbLBf43E
-j26w7NS0hGhbJHwjx5EBujWhDskbH8GTzhQllVoYOOwuU85MWiISQOAWhaytIFYg
-6wnBaA0EtNEOeYPD1J5t1Bt4k9pwS+ATJxAag9BSesMdmU6Uz2zCxSavsDMGepiv
-kaOAzT4Bhy3aVhq56mNayLT2fCdmyEyKlou9gUzteY0dp010ZNfqyxgcsnhogUij
-6LaEsVzsxDRH7HFPtCeGBb8CjnnPhMbAU9nzhn+9EEtiIUvN0Dl0G/DmgziTpKgD
-EEmddbqEK6g9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBALVH183jm9WeKXd3Uhqn
-jyOZ8H4+RhaADm4rkABmVHUAIoqLQOfpnTuvcp/eiAAUBNaRk8B5T+yWosx+IP4u
-SUoRR949zdn5kd/BkoHE5rcJh169goJlKLtKGXkPyCRgcakXC/kDSZtWrIyw/vYu
-6WYjScDLiEDlgVQQuEdI3S5lDm9D0UMvCmiVsUyWYcTic2WgO9vaOErWS5UQMaPV
-crzxIJKxd1eK0++gdyiwWwakWBtHpDQnpjamfFBqltvXKdpY1cIVJsyXROlZ6xNk
-NqbzMLDLt/4zvGjG88zrpwqU2egigX2VkAgOMa8BEnnkvZMuCcgoYkCXbY3CXsts
-YOM=
+MIICnjCCAYYCCQCwK8/9PtNo1TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr
+b2xpZGUwHhcNMTgxMjExMDg0NjUxWhcNMjEwOTA2MDg0NjUxWjARMQ8wDQYDVQQD
+DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDO6RiMkjD1
+LJmcTR3oiUXrN4Kz+2KWCm3RrM6UanxhmVG12DrX1VPzsFkmzPdc74LKVUqPFJfV
+oAt3U2RQ4oPmMdS9yuvYz9NprbZ8Qe+Toue5reUqyDU9RQhoiYMuCvIdoOS35Zg4
+gHrP8fMkDNLSE3egqHNxtQ0lCTHiIOB3+Lr2MDiuSLP2WM+JLc7tt95Vg4zAU0VG
+38Q/SfET3OhCUIOu2OR/XlpqbKORRHqrc7/0wzuZGxSsw+bei8d/OOfKdvL3WhFd
+35F0OduEa0PGphKt0ePT6R2NtjtGg5GIQ3QhC222qAeYXLOOeNIS2RB42h6rr/Fr
+vXUl/Gj4HGxNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJu06ushu+H4gBzH65pR
+caBkH7OKbmOUxmVwkZMmHGaTWnHvUmvSNaR70466Sd25YHn1MyNmi3rI0h2LwUjU
+wEXoDbQRUpbKrF410L114D5g5lZ78eMRXN5ItzJluGVHOpdBWCJslpvoksW7ovPD
+awbD2hPNDIOAjVTXC3fgyEST+VSLripjhg6yhgZWVYRNgfcjDl3IG3AIg3Gpr7mu
+ClqTYP27vL4EYTIp+waYhYIc/CEI/lao7/X++5Gp2bJsMscFuSfJDJ3kLvbCebyL
+1GSnkKbtokUFqsDWnG9IoodHCSL/lj8fhTeXJZsi5Zky9yZC7BiIKmGn5/vcOTO6
+oDs=
 -----END CERTIFICATE-----
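Review bot: The replacement certificate is a fixed-lifetime self-signed cert checked into the repository together with its private key (server.key, the next section), so the fleet server's TLS identity is public to anyone with the repo, and the key it supersedes should be treated as disclosed as well. Decoding the validity field of the new cert gives a notAfter in September 2021 (confirm with `openssl x509 -in server.crt -noout -dates -subject`), so the same swap will be needed again; generating the pair at provision time, e.g. `openssl req -x509 -nodes -newkey rsa:2048 -keyout server.key -out server.crt -subj '/CN=kolide' -days 825`, removes both the committed key and the expiry churn. If the committed pair is intentionally a throwaway lab credential, a one-line comment where bootstrap.sh installs it saying so would stop it being reused elsewhere.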
diff --git a/Vagrant/resources/fleet/server.key b/Vagrant/resources/fleet/server.key
index f696ba8..902729c 100644
--- a/Vagrant/resources/fleet/server.key
+++ b/Vagrant/resources/fleet/server.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA2oXw/KVSTSknRPhqGCD7LXsh78kF1xnAiJa7fhBSOU1ygXBx
-PFcsotccO4U6RigNwxmywX+NxI9usOzUtIRoWyR8I8eRAbo1oQ7JGx/Bk84UJZVa
-GDjsLlPOTFoiEkDgFoWsrSBWIOsJwWgNBLTRDnmDw9SebdQbeJPacEvgEycQGoPQ
-UnrDHZlOlM9swsUmr7AzBnqYr5GjgM0+AYct2lYauepjWsi09nwnZshMipaLvYFM
-7XmNHadNdGTX6ssYHLJ4aIFIo+i2hLFc7MQ0R+xxT7QnhgW/Ao55z4TGwFPZ84Z/
-vRBLYiFLzdA5dBvw5oM4k6SoAxBJnXW6hCuoPQIDAQABAoIBAGaidD5lc5NUGeKV
-/laY3wBMjfLuarTNnpVInoUmK0hIrNhItJaPpyJQgC0gdO9Qjq4s2r1xKGfCqk2k
-3n5ulgkAyOGRMPUrvVaI+EGqF6RRLTs9u5QW4C8eI43O46PJHrbVT/X8cxeA7RMO
-yNaGCo6O2ilXKpYRAloOr5EAwhyb5OeNrxe/XkngzU2/Sy/XPqqa/gUZGReJzEW1
-/M/iJULNSo2smKftdzDkiSVxH4x5En3q/ri7EUs6NMJZ9V7mUI7LJABeDOBYNta6
-e43b9f6sVfoecFU71FmrXx6QUvUJATNUPEqCwQqp4LfmUrv/Rnty/d39ktQqkpkV
-u4CQ700CgYEA9c6WoE7sK+M4ySmnc08ol0RxoUX4gp9oHbIUe+8fN4al6uLawvc1
-zgPjsev9kMGsw9Ejm2ID+PcuyQirJcE+MkT6Jdj6S39hE0umnFfxytF8vssqVcrG
-bSWS3fLgQ+5k7/IbWFJiQxRW7Y/4qjlOqeHE9tAbPMUyH+viT6nu6w8CgYEA45W3
-fSHVrr72h7WettUwb/dJLSjIj7MbMcMGrq2bStwHkZikXr1tgBtxFBTiOoc2p1JK
-+bII0cilAyobp1wk6spOt501QeciYxnCgHBuenC4TDmzPdgwQvBOHQoMe8oS/ZBd
-SwGpuEBCfBnODnDrWNgAye9rxV1pAXwUTns45/MCgYEAqhLbs2WIEUGxS7ZvbuAp
-ZKhturlwHejvoARUGgA0aDXY3PFDjbyAVN/qDnQLSLpIsGAnM96Ygw18KIq/6GqR
-fzSso71CSTSEVVZ1nB1ZZgyWNGjcDOo1atWhjcH7m+T5n++zLeQqquEK2GpSEm1+
-WRqmLmOFRQHoEaAjQR2B+s8CgYBe5WvISpZuMgRcHBgdBpIW7dbedLYEbVt2iWq8
-5XjuYwbo5+wJ8RS6qTaid/7JBt58MG1A5sKUrwRXaHR1eY+PM2JVX8D4ROdqyS/4
-HGmEtoGyjxC1RfMBxm/b3ffMmjsG7e5ouz3IrUrLsnrgPKd1uUPC8AlRF50UWGej
-PfBBjwKBgDqk/kpJ7aYfJB/lB5F+v+V1YucNyCgxj6cQ/aiBxOq3pN7wi8/vra2K
-/cGiz4JWrSS3PeUmiu7eCsYbItxyi1yjNOcfI1/gJTjm8Mgoh7WT39a8IfPefsLD
-MpJ3ISw+VcV1Vcr8g7/LsZZNfRcTVEZbCWSdPH69KgdDn8vLU1O0
+MIIEowIBAAKCAQEAzukYjJIw9SyZnE0d6IlF6zeCs/tilgpt0azOlGp8YZlRtdg6
+19VT87BZJsz3XO+CylVKjxSX1aALd1NkUOKD5jHUvcrr2M/Taa22fEHvk6Lnua3l
+Ksg1PUUIaImDLgryHaDkt+WYOIB6z/HzJAzS0hN3oKhzcbUNJQkx4iDgd/i69jA4
+rkiz9ljPiS3O7bfeVYOMwFNFRt/EP0nxE9zoQlCDrtjkf15aamyjkUR6q3O/9MM7
+mRsUrMPm3ovHfzjnynby91oRXd+RdDnbhGtDxqYSrdHj0+kdjbY7RoORiEN0IQtt
+tqgHmFyzjnjSEtkQeNoeq6/xa711Jfxo+BxsTQIDAQABAoIBACil/G+pTLrtzyO4
+trZ3OWgzWJcZPM3zMI3voAniPZtC7p2F5FGAlGSccXdA7xuv5gbv6JzhU87hCT+g
+/2Uwiu8PPRcoJVtLwOHTAbW5kmJzr4h31DyqZmMqC7PVyBKkjdoqQKSsE1KOUxJF
+Gxoq9sPUlTzXuw5Mnk93Vfhxswd+WFaajrwnZWV+nWG436Y6QtrP241E5AS+SrPo
+CoaiXPNsvJjdGlF6yRYyUCYlZKQItPXjGgTI+TC3gfiZHwv6y86ylBHT5uObIDeu
+hvc1pVOf73vPLrpwvqmY/6y+RLzMqPByyuas/8V/RrZScDKgA0FQ1fL6IHxC6yim
+DFhL6cECgYEA8pTZ0VE2UdYuXTxvkiGsdgebkh3kxiy25PwjSzW18q7WThoZrErv
++ggzYY6DKLH430lbmVeDUl9yBasr8AeJMgI+lcxDkqUyUJiWJEQtW2pLVjcv3JHE
+0ixK5knzEEDsZUZa9DsCx3PVmylJw64qk+QnRjFXfxkTo+nWpbZrxTECgYEA2lsd
+tY0blBM9xpRHYu58C7muMLwm7hlgxpAlG7lFQAYr7XOghAx7r+sDoAzx0f7w5/mQ
+y2W9vKlJeaU0nzwohsSIt7/bU81+lx3MBtR2DEjsTRTF4zJ760HFf4raFZGEeiS4
+j2e5Z02lVXw+5J3m8DJkjxyNtIwPGHJEKiquAd0CgYB7baWOzaW36iTZJ+EVF7Eq
+tSBBLpizBRliVbCXmhKkErXUM4+QjOih7f5Gyz6NPFEHO8oxsceN6CaaH8hRb2Qt
+X9r8WVyghxGc1KbAeTgi5WjDy3y83CarUgIiPspAIOindy7cShJV7ehn9JAl0r6z
+VUlue7irYNUPd/HRi4o2YQKBgHrPXHpMDwLNf6U8qJngACyoFmyaplqsM136nKRn
+I6fK0NIQgmtCih57U+Kk5S1y8hPGrcV4R6rgm86rOFmHAFQsHakbY0RTA6wCuknt
+HSfzq9P+pv4N2tyKdYYylk4jNhtso9EkSYbsiNz3sHfsx4K5FQ3YxWqSi7r4KZZ9
+wriRAoGBAK6huxSeKGqwh/w/QNmdMQPgJU2nso4ZAQZ0hrvhq0frwMRzfrdVktCB
+KfxwCasNgyg7faVoAPlzAiraNkRnPHGRYqnXs2qX0rf3KU1VT6974dU2j8tOhBQ9
+qr+nDCPe9thRzkGZcRNIQllznWVo0iwi+yXew0jxBPLhxIMVbx1c
 -----END RSA PRIVATE KEY-----
diff --git a/Vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz b/Vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz
new file mode 100644
index 0000000..67793bb
Binary files /dev/null and b/Vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz differ
diff --git a/Vagrant/resources/splunk_server/lookup-file-editor_305.tgz b/Vagrant/resources/splunk_server/lookup-file-editor_305.tgz
new file mode 100644
index 0000000..8158830
Binary files /dev/null and b/Vagrant/resources/splunk_server/lookup-file-editor_305.tgz differ
diff --git a/Vagrant/resources/splunk_server/macros.conf b/Vagrant/resources/splunk_server/macros.conf
new file mode 100644
index 0000000..a029ed7
--- /dev/null
+++ b/Vagrant/resources/splunk_server/macros.conf
@@ -0,0 +1,71 @@
+[sysmon]
+definition = index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
+iseval = 0
+
+[windows-app]
+definition = index=wineventlog source="WinEventLog:Application"
+iseval = 0
+
+[powershell]
+definition = index=powershell OR (index=wineventlog source="WinEventLog:Windows PowerShell" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational")
+iseval = 0
+
+[windows-security]
+definition = index=wineventlog source="WinEventLog:Security"
+iseval = 0
+
+[pan_threat]
+definition = index=pan_logs sourcetype="pan:threat"
+iseval = 0
+
+[domain]
+definition = WINDOMAIN
+iseval = 0
+
+[windows]
+definition = index=wineventlog source="WinEventLog:System" OR source="WinEventLog:Security"
+iseval = 0
+
+[windows-system]
+definition = index=wineventlog source="WinEventLog:System"
+iseval = 0
+
+[no-domain]
+definition = "WINDOMAIN\\*"
+iseval = 0
+
+[process_create_whitelist]
+definition = search NOT [| inputlookup threathunting_process_create_whitelist.csv | fields mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line hash_sha256]
+iseval = 0
+
+[network_whitelist]
+definition = search NOT [| inputlookup threathunting_network_whitelist.csv | fields mitre_technique_id host_fqdn user_name dst_ip dst_port src_ip process_path]
+iseval = 0
+
+[process_access_whitelist]
+definition = search NOT [| inputlookup threathunting_process_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path target_process_path process_granted_access]
+iseval = 0
+
+[image_load_whitelist]
+definition = search NOT [| inputlookup threathunting_image_load_whitelist.csv | fields mitre_technique_id host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signatureStatus]
+iseval = 0
+
+[file_access_whitelist]
+definition = search NOT [| inputlookup threathunting_file_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path file_path]
+iseval = 0
+
+[registry_whitelist]
+definition = search NOT [| inputlookup threathunting_registry_whitelist.csv | fields mitre_technique_id host_fqdn event_type process_path registry_key_path registry_key_details]
+iseval = 0
+
+[pipe_created_whitelist]
+definition = search NOT [| inputlookup threathunting_pipe_created_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
+iseval = 0
+
+[wmi_whitelist]
+definition = search NOT [| inputlookup threathunting_wmi_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
+iseval = 0
+
+[remote_thread_whitelist]
+definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
+iseval = 0
diff --git a/Vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz b/Vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz
new file mode 100644
index 0000000..c7b6bbc
Binary files /dev/null and b/Vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz differ
diff --git a/Vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz b/Vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz
new file mode 100644
index 0000000..cdcaf63
Binary files /dev/null and b/Vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz differ
diff --git a/Vagrant/resources/splunk_server/threathunting_11.tgz b/Vagrant/resources/splunk_server/threathunting_11.tgz
new file mode 100644
index 0000000..6d12c72
Binary files /dev/null and b/Vagrant/resources/splunk_server/threathunting_11.tgz differ
diff --git a/Vagrant/scripts/install-sysinternals.ps1 b/Vagrant/scripts/install-sysinternals.ps1
index 00df8c5..6d9df52 100755
--- a/Vagrant/scripts/install-sysinternals.ps1
+++ b/Vagrant/scripts/install-sysinternals.ps1
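Review bot: `[wmi_whitelist]` uses exactly the field list of `[pipe_created_whitelist]` (`mitre_technique_id host_fqdn process_path pipe_name`), which reads like a copy-paste; a WMI whitelist is unlikely to key on `pipe_name`, and if those columns do not exist in threathunting_wmi_whitelist.csv the subsearch presumably no longer carries the intended fields and the whitelist stops excluding anything. Confirm the column names against the CSV shipped in threathunting_11.tgz before merging. A header comment such as `# Lab overrides for the ThreatHunting app; bootstrap.sh copies this file to etc/apps/ThreatHunting/local` would also tell the next editor why `[domain]`/`[no-domain]` are hard-coded here rather than in the app.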
@@ -41,11 +41,12 @@ Write-Host "Downloading Tcpview.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Tcpview.exe', $tcpviewPath)
 Copy-Item $sysmonPath $sysmonDir
-# Download SwiftOnSecurity's Sysmon config
-Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
-(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
-# Alternative: Download Olaf Hartongs Sysmon config (more CPU intensive)
-# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml, "$sysmonConfigPath"
+# Download Olaf Hartongs Sysmon config
+Write-Host "Downloading Olaf Hartong's Sysmon config..."
+(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml', "$sysmonConfigPath")
+# Alternative: Download SwiftOnSecurity's Sysmon config
+# Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
+# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
 # Start Sysmon
 Write-Host "Starting Sysmon..."
diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1
index 8c34472..304ace3 100755
--- a/Vagrant/scripts/join-domain.ps1
+++ b/Vagrant/scripts/join-domain.ps1
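Review bot: The Sysmon ruleset is now fetched from the `master` branch of a third-party repository at provisioning time, so every build applies whatever that branch holds at that moment, with no pin and no hash — an upstream change silently changes what the lab logs, and a build from last month is not reproducible today. Pin the raw URL to a commit (`https://raw.githubusercontent.com/olafhartong/sysmon-modular/<COMMIT_SHA>/sysmonconfig.xml`, value to be chosen) or vendor the XML under Vagrant/resources with a `Get-FileHash` comparison, and include the revision in the Write-Host line so the build log records which config was applied. The SwiftOnSecurity URL this replaces had the same problem, so this is not a regression, but the line is being rewritten anyway.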
@@ -27,3 +27,10 @@ If ($hostname -eq "wef") {
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
+
+# Stop Windows Update
+Write-Host "Disabling Windows Updates and Windows Module Services"
+Set-Service wuauserv -StartupType Disabled
+Stop-Service wuauserv
+Set-Service TrustedInstaller -StartupType Disabled
+Stop-Service TrustedInstaller
diff --git a/build.ps1 b/build.ps1
index c908d6b..0e98c81 100644
--- a/build.ps1
+++ b/build.ps1
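Review bot: The added lines disable and stop `wuauserv` and `TrustedInstaller` with only `# Stop Windows Update` as explanation, and nothing says that with the Windows Modules Installer disabled any later provisioning step that installs a feature or capability, or runs Windows servicing, will fail, and that nothing re-enables it. Replace the comment with a why-comment, e.g. `# Deliberately permanent for the lab: stops updates changing the box after build. TrustedInstaller must be re-enabled before any Install-WindowsFeature/DISM step.` (adjust to the actual reason). The hunk header names `If ($hostname -eq "wef") {` as the enclosing block, so it is unclear from here whether these run on every host or only on wef — worth stating in that comment too.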
@@ -108,37 +108,37 @@ function check_vagrant {
 # Returns false if not installed or true if installed
 function check_virtualbox_installed {
- Write-Verbose '[check_virtualbox_installed] Running..'
+ Write-Host '[check_virtualbox_installed] Running..'
 if (install_checker -Name "VirtualBox") {
- Write-Verbose '[check_virtualbox_installed] Virtualbox found.'
+ Write-Host '[check_virtualbox_installed] Virtualbox found.'
 return $true
 }
 else {
- Write-Verbose '[check_virtualbox_installed] Virtualbox not found.'
+ Write-Host '[check_virtualbox_installed] Virtualbox not found.'
 return $false
 }
 }
 function check_vmware_workstation_installed {
- Write-Verbose '[check_vmware_workstation_installed] Running..'
+ Write-Host '[check_vmware_workstation_installed] Running..'
 if (install_checker -Name "VMware Workstation") {
- Write-Verbose '[check_vmware_workstation_installed] VMware Workstation found.'
+ Write-Host '[check_vmware_workstation_installed] VMware Workstation found.'
 return $true
 }
 else {
- Write-Verbose '[check_vmware_workstation_installed] VMware Workstation not found.'
+ Write-Host '[check_vmware_workstation_installed] VMware Workstation not found.'
 return $false
 }
 }
 function check_vmware_vagrant_plugin_installed {
- Write-Verbose '[check_vmware_vagrant_plugin_installed] Running..'
+ Write-Host '[check_vmware_vagrant_plugin_installed] Running..'
 if (vagrant plugin list | Select-String 'vagrant-vmware-desktop') {
- Write-Verbose 'The vagrant VMware Workstation plugin is no longer supported.'
- Write-Verbose 'Please upgrade to the VMware Desktop plugin: https://www.vagrantup.com/docs/vmware/installation.html'
+ Write-Host 'The vagrant VMware Workstation plugin is no longer supported.'
+ Write-Host 'Please upgrade to the VMware Desktop plugin: https://www.vagrantup.com/docs/vmware/installation.html'
 return $false
 }
 if (vagrant plugin list | Select-String 'vagrant-vmware-desktop') {
- Write-Verbose '[check_vmware_vagrant_plugin_installed] Vagrant VMware Desktop plugin found.'
+ Write-Host '[check_vmware_vagrant_plugin_installed] Vagrant VMware Desktop plugin found.'
 return $true
 }
 else {
@@ -178,7 +178,7 @@ function list_providers {
 }
 function download_boxes {
- Write-Verbose '[download_boxes] Running..'
+ Write-Host '[download_boxes] Running..'
 if ($PackerProvider -eq 'virtualbox') {
 $win10Hash = '94c1ff7264e67af3d7df6d19275086ac'
 $win2016Hash = '2a0b5dbc432e27a0223da026cc1f378b'
@@ -192,9 +192,9 @@ function download_boxes {
 $win2016Filename = "windows_2016_$PackerProvider.box"
 $wc = New-Object System.Net.WebClient
- Write-Verbose "[download_boxes] Downloading $win10Filename"
+ Write-Host "[download_boxes] Downloading $win10Filename"
 $wc.DownloadFile("https://www.detectionlab.network/$win10Filename", "$DL_DIR\Boxes\$win10Filename")
- Write-Verbose "[download_boxes] Downloading $win2016Filename"
+ Write-Host "[download_boxes] Downloading $win2016Filename"
 $wc.DownloadFile("https://www.detectionlab.network/$win2016Filename", "$DL_DIR\Boxes\$win2016Filename")
 $wc.Dispose()
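Review bot: In check_vmware_vagrant_plugin_installed both `if` statements test `Select-String 'vagrant-vmware-desktop'`, so when the desktop plugin is present the first branch fires, prints "no longer supported" and returns `$false`, and the second `if`'s "found" path can never be reached; presumably the first test was meant to match the retired workstation plugin, `if (vagrant plugin list | Select-String 'vagrant-vmware-workstation') {`. This is context rather than a line the commit changes, but the hunk rewrites the messages around it and leaves the check wrong. The function's `else` branch continues outside the hunk.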
@@ -207,12 +207,12 @@ function download_boxes {
 break
 }
- Write-Verbose "[download_boxes] Getting filehash for: $win10Filename"
+ Write-Host "[download_boxes] Getting filehash for: $win10Filename"
 $win10Filehash = (Get-FileHash -Path "$DL_DIR\Boxes\$win10Filename" -Algorithm MD5).Hash
- Write-Verbose "[download_boxes] Getting filehash for: $win2016Filename"
+ Write-Host "[download_boxes] Getting filehash for: $win2016Filename"
 $win2016Filehash = (Get-FileHash -Path "$DL_DIR\Boxes\$win2016Filename" -Algorithm MD5).Hash
- Write-Verbose '[download_boxes] Checking Filehashes..'
+ Write-Host '[download_boxes] Checking Filehashes..'
 if ($win10hash -ne $win10Filehash) {
 Write-Error 'Hash mismatch on windows_10_virtualbox.box'
 break
@@ -221,18 +221,18 @@ function download_boxes {
 Write-Error 'Hash mismatch on windows_2016_virtualbox.box'
 break
 }
- Write-Verbose '[download_boxes] Finished.'
+ Write-Host '[download_boxes] Finished.'
 }
 function preflight_checks {
- Write-Verbose '[preflight_checks] Running..'
+ Write-Host '[preflight_checks] Running..'
 # Check to see that no boxes exist
 if (-Not ($VagrantOnly)) {
- Write-Verbose '[preflight_checks] Checking if Packer is installed'
+ Write-Host '[preflight_checks] Checking if Packer is installed'
 check_packer
 # Check Packer Version against known bad
- Write-Verbose '[preflight_checks] Checking for bad packer version..'
+ Write-Host '[preflight_checks] Checking for bad packer version..'
 [System.Version]$PackerVersion = $(& $PackerPath "--version")
 [System.Version]$PackerKnownBad = 1.1.2
@@ -241,16 +241,16 @@ function preflight_checks {
 break
 }
 }
- Write-Verbose '[preflight_checks] Checking if Vagrant is installed'
+ Write-Host '[preflight_checks] Checking if Vagrant is installed'
 check_vagrant
- Write-Verbose '[preflight_checks] Checking for pre-existing boxes..'
+ Write-Host '[preflight_checks] Checking for pre-existing boxes..'
 if ((Get-ChildItem "$DL_DIR\Boxes\*.box").Count -gt 0) {
 Write-Host 'You seem to have at least one .box file present in the Boxes directory already. If you would like fresh boxes downloaded, please remove all files from the Boxes directory and re-run this script.'
 }
 # Check to see that no vagrant instances exist
- Write-Verbose '[preflight_checks] Checking for vagrant instances..'
+ Write-Host '[preflight_checks] Checking for vagrant instances..'
 $CurrentDir = Get-Location
 Set-Location "$DL_DIR\Vagrant"
 if (($(vagrant status) | Select-String -Pattern "not[ _]created").Count -ne 4) {
@@ -260,7 +260,7 @@ function preflight_checks {
 Set-Location $CurrentDir
 # Check available disk space. Recommend 80GB free, warn if less
- Write-Verbose '[preflight_checks] Checking disk space..'
+ Write-Host '[preflight_checks] Checking disk space..'
 $drives = Get-PSDrive | Where-Object {$_.Provider -like '*FileSystem*'}
 $drivesList = @()
@@ -279,7 +279,7 @@ function preflight_checks {
 }
 # Ensure the vagrant-reload plugin is installed
- Write-Verbose '[preflight_checks] Checking if vagrant-reload is installed..'
+ Write-Host '[preflight_checks] Checking if vagrant-reload is installed..'
 if (-Not (vagrant plugin list | Select-String 'vagrant-reload')) {
 Write-Output 'The vagrant-reload plugin is required and not currently installed. This script will attempt to install it now.'
 (vagrant plugin install 'vagrant-reload')
@@ -288,7 +288,7 @@ function preflight_checks {
 break
 }
 }
- Write-Verbose '[preflight_checks] Finished.'
+ Write-Host '[preflight_checks] Finished.'
 }
 function packer_build_box {
@@ -296,12 +296,12 @@ function packer_build_box {
 [string]$Box
 )
- Write-Verbose "[packer_build_box] Running for $Box"
+ Write-Host "[packer_build_box] Running for $Box"
 $CurrentDir = Get-Location
 Set-Location "$DL_DIR\Packer"
 Write-Output "Using Packer to build the $BOX Box. This can take 90-180 minutes depending on bandwidth and hardware."
 &$PackerPath @('build', "--only=$PackerProvider-iso", "$box.json")
- Write-Verbose "[packer_build_box] Finished for $Box. Got exit code: $LASTEXITCODE"
+ Write-Host "[packer_build_box] Finished for $Box. Got exit code: $LASTEXITCODE"
 if ($LASTEXITCODE -ne 0) {
 Write-Error "Something went wrong while attempting to build the $BOX box."
@@ -312,7 +312,7 @@ function packer_build_box {
 }
 function move_boxes {
- Write-Verbose "[move_boxes] Running.."
+ Write-Host "[move_boxes] Running.."
 Move-Item -Path $DL_DIR\Packer\*.box -Destination $DL_DIR\Boxes
 if (-Not (Test-Path "$DL_DIR\Boxes\windows_10_$PackerProvider.box")) {
 Write-Error "Windows 10 box is missing from the Boxes directory. Qutting."
@@ -322,20 +322,21 @@ function move_boxes {
 Write-Error "Windows 2016 box is missing from the Boxes directory. Qutting."
 break
 }
- Write-Verbose "[move_boxes] Finished."
+ Write-Host "[move_boxes] Finished."
 }
 function vagrant_up_host {
 param(
 [string]$VagrantHost
 )
- Write-Verbose "[vagrant_up_host] Running for $VagrantHost"
+ Write-Host "[vagrant_up_host] Running for $VagrantHost"
 Write-Host "Attempting to bring up the $VagrantHost host using Vagrant"
 $CurrentDir = Get-Location
 Set-Location "$DL_DIR\Vagrant"
- &vagrant.exe @('up', $VagrantHost, '--provider', "$ProviderName")
+ set VAGRANT_LOG=info
+ &vagrant.exe @('up', $VagrantHost, '--provider', "$ProviderName") 2>&1 | Out-File -FilePath ".\vagrant_up_$VagrantHost.log"
 Set-Location $CurrentDir
- Write-Verbose "[vagrant_up_host] Finished for $VagrantHost. Got exit code: $LASTEXITCODE"
+ Write-Host "[vagrant_up_host] Finished for $VagrantHost. Got exit code: $LASTEXITCODE"
 return $LASTEXITCODE
 }
@@ -343,12 +344,12 @@ function vagrant_reload_host {
 param(
 [string]$VagrantHost
 )
- Write-Verbose "[vagrant_reload_host] Running for $VagrantHost"
+ Write-Host "[vagrant_reload_host] Running for $VagrantHost"
 $CurrentDir = Get-Location
 Set-Location "$DL_DIR\Vagrant"
- &vagrant.exe @('reload', $VagrantHost, '--provision') | Out-Null
+ &vagrant.exe @('reload', $VagrantHost, '--provision') 2>&1 | Out-File -FilePath ".\vagrant_up_$VagrantHost.log" -Append
 Set-Location $CurrentDir
- Write-Verbose "[vagrant_reload_host] Finished for $VagrantHost. Got exit code: $LASTEXITCODE"
+ Write-Host "[vagrant_reload_host] Finished for $VagrantHost. Got exit code: $LASTEXITCODE"
 return $LASTEXITCODE
 }
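Review bot: `set VAGRANT_LOG=info` in vagrant_up_host does not set an environment variable in PowerShell — `set` is an alias of Set-Variable, so this creates a PowerShell variable literally named `VAGRANT_LOG=info` and vagrant.exe never sees VAGRANT_LOG; the line should read `$env:VAGRANT_LOG = 'info'` (note that this then persists for the session, so vagrant_reload_host inherits it too). Redirecting everything to Out-File also means a `vagrant up` that can run for a long time now shows no console progress at all; `2>&1 | Tee-Object -FilePath ".\vagrant_up_$VagrantHost.log"` keeps both the log and the screen. `$LASTEXITCODE` is still vagrant.exe's status after the pipeline, so the returned value is unaffected.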
@@ -359,7 +360,7 @@ function download {
 [switch]$SuccessOn401
 )
- Write-Verbose "[download] Running for $URL, looking for $PatternToMatch"
+ Write-Host "[download] Running for $URL, looking for $PatternToMatch"
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
 [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
@@ -368,11 +369,11 @@ function download {
 {
 $result = $wc.DownloadString($URL)
 if ($result -like "*$PatternToMatch*") {
- Write-Verbose "[download] Found $PatternToMatch at $URL"
+ Write-Host "[download] Found $PatternToMatch at $URL"
 return $true
 }
 else {
- Write-Verbose "[download] Could not find $PatternToMatch at $URL"
+ Write-Host "[download] Could not find $PatternToMatch at $URL"
 return $false
 }
 }
@@ -384,7 +385,7 @@ function download {
 }
 else {
- Write-Verbose "Error occured on webrequest: $_"
+ Write-Host "Error occured on webrequest: $_"
 return $false
 }
@@ -393,21 +394,21 @@ function download {
 function post_build_checks {
- Write-Verbose '[post_build_checks] Running Caldera Check.'
+ Write-Host '[post_build_checks] Running Caldera Check.'
 $CALDERA_CHECK = download -URL 'https://192.168.38.105:8888' -PatternToMatch '
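Review bot: `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }` in the first hunk of download disables TLS certificate validation for the whole PowerShell process, not just this call, and nothing in the hunk restores it afterwards, so any later web request in the same session runs unvalidated. Save the previous callback before setting it and restore it in a `finally`, or document next to the line that download is only ever pointed at the lab's self-signed endpoints. This is pre-existing context, but the commit rewrites the adjacent line. download's parameter block starts before the hunk and the `try` it presumably opens is in the next hunk; the final post_build_checks hunk is cut off at the end of the page.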