From 932f9143fc686b3cd903a5a5691599dae485038b Mon Sep 17 00:00:00 2001
From: "h.hofs"
Date: Fri, 4 May 2018 13:15:42 +0200
Subject: [PATCH 1/4] added ata install script
---
Vagrant/scripts/install_microsoft_ata.ps1 | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 Vagrant/scripts/install_microsoft_ata.ps1
diff --git a/Vagrant/scripts/install_microsoft_ata.ps1 b/Vagrant/scripts/install_microsoft_ata.ps1
new file mode 100644
index 0000000..77b1547
--- /dev/null
+++ b/Vagrant/scripts/install_microsoft_ata.ps1
@@ -0,0 +1,11 @@
+# Purpose: Downloads and installs a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
+
+Write-Host "Downloading Microsoft ATA 1.9..."
+
+Invoke-WebRequest -Uri "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso" -OutFile $env:temp\ATA1.9.iso
+
+$Mount = Mount-DiskImage -ImagePath $env:temp\ATA1.9.iso -StorageType ISO -Access ReadOnly -PassThru
+$Volume = $Mount | Get-Volume
+Set-Location ($Volume.DriveLetter + ":")
+
+& '.\Microsoft ATA Center Setup.exe' /q --LicenseAccepted NetFrameworkCommandLineArguments="/q" --EnableMicrosoftUpdate
\ No newline at end of file
From 406fa8ca1f7a54590931891dd3527ccc78c6af31 Mon Sep 17 00:00:00 2001
From: Henk Hofs
Date: Sat, 5 May 2018 23:04:03 +0200
Subject: [PATCH 2/4] added installation & configuration of ms_ata
---
README.md | 8 ++++-
Vagrant/Vagrantfile | 17 ++++-----
Vagrant/scripts/install_microsoft_ata.ps1 | 11 ------
build.ps1 | 42 ++++++++++++++++++-----
build.sh | 7 +++-
5 files changed, 56 insertions(+), 29 deletions(-)
delete mode 100644 Vagrant/scripts/install_microsoft_ata.ps1
diff --git a/README.md b/README.md
index 5c05327..4ac3018 100644
--- a/README.md
+++ b/README.md
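Review bot: The ISO is fetched over plain http and its installer is then launched by a privileged provisioner with no integrity check, so a tampered download would be executed with full rights on the WEF box; the same `Invoke-WebRequest` of `http://download.microsoft.com/.../ATA1.9.iso` reappears in `Vagrant/scripts/install-microsoft-ata.ps1` in the third patch of this series. Pin the expected digest right after the download, e.g. `if ((Get-FileHash "$env:temp\ATA1.9.iso" -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { throw "ATA ISO hash mismatch" }`, and prefer an https URL if the host serves one. The header comment is copied from the WEF script (`Downloads and installs a copy of the Palantir WEF Github Repo`) and should describe this file, e.g. `# Purpose: Downloads the Microsoft ATA 1.9 ISO and runs the ATA Center setup silently`. The script also leaves the working directory on the mounted ISO and never dismounts it, which the later rewrite addresses with `Dismount-DiskImage`.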
@@ -9,6 +9,7 @@ Read more about Detection Lab on Medium here: https://medium.com/@clong/introduc
 NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.
 ## Primary Lab Features:
+* Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
 * Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
 * A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
 * [Palantir's Windows Event Forwarding](http://github.com/palantir/windows-event-forwarding) subscriptions and custom channels are implemented
@@ -19,6 +20,7 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
 * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 * SMBv1 Auditing is enabled
+
 ## Requirements
 * 55GB+ of free disk space
 * 16GB+ of RAM
@@ -124,6 +126,7 @@ Vagrant commands must be run from the "Vagrant" folder.
 * Fleet login: https://192.168.38.5:8412 - admin:admin123#
 * Splunk login: https://192.168.38.5:8000 - admin:changeme
 * Caldera login: https://192.168.38.5:8888 - admin:caldera
+* MS ATA login: https://192.168.38.3 - wef\vagrant:vagrant
 ## Lab Hosts
 * DC - Windows 2016 Domain Controller
@@ -134,7 +137,9 @@ Vagrant commands must be run from the "Vagrant" folder.
 * osquery
 * Splunk Universal Forwarder (Forwards Sysmon & osquery)
 * Sysinternals Tools
+ * Microsft Advanced Threat Analytics Lightweight Gateway
 * WEF - Windows 2016 Server
+ * Microsoft Advanced Threat Analytics
 * Windows Event Collector
 * Windows Event Subscription Creation
 * Powershell transcription logging share
@@ -235,7 +240,8 @@ Requests for tools and features will be reviewed on a case by case basis, but I
 ## Credits/Resources
 A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
-# Acknowledgements
+# Acknowledgements
+* [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
 * [Splunk](https://www.splunk.com)
 * [osquery](https://osquery.io)
 * [Fleet](https://kolide.co/fleet)
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 68604cb..fc858fa 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -57,15 +57,15 @@ Vagrant.configure("2") do |config|
 cfg.vm.provider "vmware_fusion" do |v, override|
 override.vm.box = "../Boxes/windows_2016_vmware.box"
- v.memory = 2048
- v.cpus = 1
+ v.memory = 6144
+ v.cpus = 2
 v.gui = true
 end
 
 cfg.vm.provider "virtualbox" do |vb, override|
 vb.gui = true
- vb.customize ["modifyvm", :id, "--memory", 2048]
- vb.customize ["modifyvm", :id, "--cpus", 1]
+ vb.customize ["modifyvm", :id, "--memory", 6144]
+ vb.customize ["modifyvm", :id, "--cpus", 2]
 vb.customize ["modifyvm", :id, "--vram", "32"]
 vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
 vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
@@ -96,18 +96,19 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
 cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: true
 
 cfg.vm.provider "vmware_fusion" do |v, override|
 override.vm.box = "../Boxes/windows_2016_vmware.box"
- v.memory = 2048
- v.cpus = 1
+ v.memory = 8192
+ v.cpus = 2
 v.gui = true
 end
 
 cfg.vm.provider "virtualbox" do |vb, override|
 vb.gui = true
- vb.customize ["modifyvm", :id, "--memory", 2048]
- vb.customize ["modifyvm", :id, "--cpus", 1]
+ vb.customize ["modifyvm", :id, "--memory", 8192]
+ vb.customize ["modifyvm", :id, "--cpus", 2]
 vb.customize ["modifyvm", :id, "--vram", "32"]
 vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
 vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
diff --git a/Vagrant/scripts/install_microsoft_ata.ps1 b/Vagrant/scripts/install_microsoft_ata.ps1
deleted file mode 100644
index 77b1547..0000000
--- a/Vagrant/scripts/install_microsoft_ata.ps1
+++ /dev/null
@@ -1,11 +0,0 @@
-# Purpose: Downloads and installs a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
-
-Write-Host "Downloading Microsoft ATA 1.9..."
-
-Invoke-WebRequest -Uri "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso" -OutFile $env:temp\ATA1.9.iso
-
-$Mount = Mount-DiskImage -ImagePath $env:temp\ATA1.9.iso -StorageType ISO -Access ReadOnly -PassThru
-$Volume = $Mount | Get-Volume
-Set-Location ($Volume.DriveLetter + ":")
-
-& '.\Microsoft ATA Center Setup.exe' /q --LicenseAccepted NetFrameworkCommandLineArguments="/q" --EnableMicrosoftUpdate
\ No newline at end of file
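Review bot: The new provisioner line references `scripts/install-microsoft-ata.ps1`, but this patch deletes `install_microsoft_ata.ps1` and does not add the new script (it only arrives in the third patch, "missed some files during commit"), so `vagrant up` at this commit fails on the WEF provisioning step; folding the third patch into this one would keep the series bisectable. The memory bumps here and in the `@@ -57,15 +57,15 @@` hunk raise the DC and WEF guests to 6144 MB and 8192 MB, 14 GB between them, while the README context in this same patch still advertises `* 16GB+ of RAM`; that figure should be revisited once the other guests' sizes (not visible here) are added in. A comment such as `# raised for the Microsoft ATA Center installed by install-microsoft-ata.ps1` next to `vb.customize ["modifyvm", :id, "--memory", 8192]` would stop the next person from trimming it back.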
diff --git a/build.ps1 b/build.ps1
index cb99c99..0291e05 100644
--- a/build.ps1
+++ b/build.ps1
@@ -349,21 +349,39 @@ function vagrant_reload_host {
 function download {
 param(
 [string]$URL,
- [string]$PatternToMatch
+ [string]$PatternToMatch,
+ [switch]$SuccessOn401
+
 )
 Write-Verbose "[download] Running for $URL, looking for $PatternToMatch"
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
 [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
 $wc = New-Object System.Net.WebClient
- $result = $wc.DownloadString($URL)
- if ($result -like "*$PatternToMatch*") {
- Write-Verbose "[download] Found $PatternToMatch at $URL"
- return $true
+ try
+ {
+ $result = $wc.DownloadString($URL)
+ if ($result -like "*$PatternToMatch*") {
+ Write-Verbose "[download] Found $PatternToMatch at $URL"
+ return $true
+ }
+ else {
+ Write-Verbose "[download] Could not find $PatternToMatch at $URL"
+ return $false
+ }
 }
- else {
- Write-Verbose "[download] Could not find $PatternToMatch at $URL"
- return $false
+ catch
+ {
+ if ($_.Exception.InnerException.Response.StatusCode -eq 401 -and $SuccessOn401.IsPresent)
+ {
+ return $true
+ }
+ else
+ {
+ Write-Verbose "Error occured on webrequest: $_"
+ return $false
+ }
+ }
 }
@@ -381,6 +399,11 @@ function post_build_checks {
 $FLEET_CHECK = download -URL 'https://192.168.38.5:8412' -PatternToMatch 'Kolide Fleet'
 Write-Verbose "[post_build_checks] Fleet Result: $FLEET_CHECK"
+ Write-Verbose '[post_build_checks] Running MS ATA Check.'
+ $ATA_CHECK = download -URL 'https://192.168.38.3' -SuccessOn401
+ Write-Verbose "[post_build_checks] ATA Result: $ATA_CHECK"
+
+
 if ($CALDERA_CHECK -eq $false) {
 Write-Warning 'Caldera failed post-build tests and may not be functioning correctly.'
 }
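Review bot: With `-SuccessOn401` the caller in the `@@ -381,6 +399,11 @@` hunk passes no `-PatternToMatch`, so on a plain HTTP 200 the new `try` branch evaluates `$result -like "**"`, which is true for any body, and the ATA check reports success without having verified anything; either require a pattern or treat a 200 without one as unverified, e.g. `if ($SuccessOn401.IsPresent -and -not $PatternToMatch) { Write-Verbose "[download] $URL answered without a 401 challenge"; return $false }` placed before the `-like` test. In the `catch`, `$_.Exception.InnerException.Response` is `$null` for timeouts and connection failures, so the `-eq 401` comparison falls through to the `else` branch — acceptable, but worth a comment such as `# Non-HTTP failures carry no Response; they end up as $false below`. The log text `Error occured on webrequest` should read `occurred`, and the new `try`/`catch` uses Allman braces while the `if`/`else` inside it and the rest of the function keep the brace on the same line, so one style should be picked.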
@@ -390,6 +413,9 @@ function post_build_checks {
 if ($FLEET_CHECK -eq $false) {
 Write-Warning 'Fleet failed post-build tests and may not be functioning correctly.'
 }
+ if ($ATA_CHECK -eq $false) {
+ Write-Warning 'MS ATA failed post-build tests and may not be functioning correctly.'
+ }
 }
diff --git a/build.sh b/build.sh
index 1915d75..c4e2751 100755
--- a/build.sh
+++ b/build.sh
@@ -253,12 +253,14 @@ post_build_checks() {
 CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.5:8888 | grep -c '302: Found' || echo "")
 SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.5:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "")
 FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.5:8412 | grep -c 'Kolide Fleet' || echo "")
+ curl --fail -ks https://192.168.38.3 -m 2
+ ATA_CHECK=$([[ $? == 22 ]] && echo 1)
 BASH_MAJOR_VERSION=$(/bin/bash --version | grep 'GNU bash' | grep -o version\.\.. | cut -d ' ' -f 2 | cut -d '.' -f 1)
 # Associative arrays are only supported in bash 4 and up
 if [ "$BASH_MAJOR_VERSION" -ge 4 ]; then
 declare -A SERVICES
- SERVICES=(["caldera"]="$CALDERA_CHECK" ["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK")
+ SERVICES=(["caldera"]="$CALDERA_CHECK" ["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK")
 for SERVICE in "${!SERVICES[@]}"; do
 if [ "${SERVICES[$SERVICE]}" -lt 1 ]; then
 (echo >&2 "Warning: $SERVICE failed post-build tests and may not be functioning correctly.")
@@ -274,6 +276,9 @@ post_build_checks() {
 if [ "$FLEET_CHECK" -lt 1 ]; then
 (echo >&2 "Warning: Fleet failed post-build tests and may not be functioning correctly.")
 fi
+ if [ "$ATA_CHECK" -lt 1 ]; then
+ (echo >&2 "Warning: MS ATA failed post-build tests and may not be functioning correctly.")
+ fi
 fi
 }
From 6d1df521b8ff605441db05c2ea3eb94d26c36652 Mon Sep 17 00:00:00 2001
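Review bot: `ATA_CHECK=$([[ $? == 22 ]] && echo 1)` in the build.sh hunk at `@@ -253,12 +253,14 @@` leaves `ATA_CHECK` empty whenever curl exits with anything but 22 (7 for connection refused, 28 for the `-m 2` timeout), and the later `[ "$ATA_CHECK" -lt 1 ]` tests — in the `SERVICES` loop and in the new block at `@@ -274,6 +276,9 @@` — then fail with `integer expression expected` instead of printing the warning; the other checks avoid this only because `grep -c` prints `0` on no match. The bare `curl --fail` line also exits non-zero on the expected 401, which would abort the function if build.sh runs under `set -e` (not visible here), and on any non-401 answer the response body is written to the terminal. A form that always yields a number and survives `set -e` is `ATA_RC=0; curl --fail -ks -m 2 -o /dev/null https://192.168.38.3 || ATA_RC=$?` followed by `ATA_CHECK=$([[ "$ATA_RC" == 22 ]] && echo 1 || echo 0)`, with a comment noting that an unauthenticated request to ATA is expected to get a 401, which `--fail` reports as exit 22.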
From: Henk Hofs
Date: Sun, 6 May 2018 01:27:54 +0200
Subject: [PATCH 3/4] missed some files during commit
---
.../microsoft_ata/microsoft-ata-config.json | 1 +
Vagrant/scripts/install-microsoft-ata.ps1 | 102 ++++++++++++++++++
2 files changed, 103 insertions(+)
create mode 100644 Vagrant/resources/microsoft_ata/microsoft-ata-config.json
create mode 100644 Vagrant/scripts/install-microsoft-ata.ps1
diff --git a/Vagrant/resources/microsoft_ata/microsoft-ata-config.json b/Vagrant/resources/microsoft_ata/microsoft-ata-config.json
new file mode 100644
index 0000000..8327627
--- /dev/null
+++ b/Vagrant/resources/microsoft_ata/microsoft-ata-config.json
@@ -0,0 +1 @@ +{"Configuration":{"AbnormalBehaviorDetectorConfiguration":{"BuildModelsConfiguration":{"Interval":"1.00:00:00","IsEnabled":true},"MinActiveAccountCount":50,"ExcludedSourceAccountIds":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"AbnormalKerberosDetectorConfiguration":{"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"AbnormalSensitiveGroupMembershipChangeDetectorConfiguration":{"LearningPeriod":"70.00:00:00","ExcludedSourceAccountIds":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"AbnormalSmbDetectorConfiguration":{"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"AbnormalVpnDetectorConfiguration":{"ProfileCommonGeolocationsAndCarriersAsyncConfiguration":{"Interval":"1.00:00:00","IsEnabled":true},"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"AccountEnumerationDetectorConfiguration":{"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"ActivityProcessorConfiguration":{"ActivityBlockConfiguration":{"MaxDegreeOfParallelism":50,"MaxSize":50000},"ActivityPostponeBlockConfiguration":{"ActionConfiguration":{"Interval":"00:00:00.0500000","IsEnabled":t
rue},"MaxSize":10000000,"Timeout":"00:02:00"},"PostponedActivityBlockConfiguration":{"MaxDegreeOfParallelism":100,"MaxSize":100000}},"ActivitySimulatorConfiguration":{"DatabaseServerEndpoint":{"Address":"localhost","Port":27017},"DelayInterval":"00:00:15","SimulationState":"Disabled"},"AppDomainManagerConfiguration":{"GcCollectConfiguration":{"Interval":"00:30:00","IsEnabled":true},"UpdateExceptionStatisticsConfiguration":{"Interval":"00:01:00","IsEnabled":true}},"BruteForceDetectorConfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"CenterTelemetryManagerConfiguration":{"IsEnabled":false,"ServiceUrl":"https://dc.applicationinsights.microsoft.com/v2/track","ClientInstrumentationKey":"fd3f5bd1-3d71-44a3-9209-d94633544903","ClientBufferMaxSize":450,"ClientSendInterval":"00:10:00","UnsentTelemetrySampleInterval":"01:00:00","UnsentTelemetryRetentionPeriod":"7.00:00:00","SendSystemTelemetryConfiguration":{"Interval":"1.00:00:00","IsEnabled":false},"SendPerformanceCounterTelemetryConfiguration":{"Interval":"00:10:00","IsEnabled":false},"SendAlertTelemetryConfiguration":{"Interval":"1.00:00:00","IsEnabled":false},"SendExceptionStatisticsTelemetryConfiguration":{"Interval":"1.00:00:00","IsEnabled":false},"SendUnsentTelemetriesConfiguration":{"Interval":"00:10:00","IsEnabled":false},"UnsentTelemetryBatchSize":20},"CenterWebApplicationConfiguration":{"ServiceListeningIpEndpoint":{"Address":"0.0.0.0","Port":443},"CommunicationCookieExpiration":"00:20:00"},"CenterWebClientConfiguration":{"RetryDelay":"00:00:01","ServiceEndpoints":[{"Address":"wef.windomain.local","Port":443}],"ServiceCertificateThumbprints":["{{THUMBPRINT}}"]},"ConfigurationManagerConfiguration":{"UpdateConfigurationConfiguration":{"Interval":"00:00:15","IsEnabled":true}},"DatabaseConfiguration":{"ServerEndpoint":{"Address":"localhost","Port":27017},"ClientConnectTimeout":"0
0:00:30","ClientServerSelectionTimeout":"00:00:30","ConnectionPoolMaxSize":100,"WaitQueueSize":1000,"BackupSystemProfileMaxCount":300,"CappedCollectionBlockConfiguration":{"BatchMaxSize":100,"MaxDegreeOfParallelism":8,"MaxSize":50000},"CappedCollectionHighEntityMaxCount":50000000,"CappedCollectionLowEntityMaxCount":1000000,"CappedCollectionUpdateCurrentCollectionEntityCountConfiguration":{"Interval":"00:01:00","IsEnabled":true},"DataDriveFreeSpaceCriticalPercentage":0.05,"DataDriveFreeSpaceCriticalSize":"50 GB","DataDriveFreeSpaceLowPercentage":0.2,"DataDriveFreeSpaceLowSize":"200 GB","WorkingSetPercentage":0.25,"LogFileMaxSize":"50 MB","LogFileMaxCount":10,"BackupSystemProfileConfiguration":{"Interval":"04:00:00","IsEnabled":true},"DeleteOldCappedCollectionsConfiguration":{"Interval":"00:01:00","IsEnabled":true},"DeleteOldIpAddressProfilesConfiguration":{"Interval":"1.00:00:00","IsEnabled":true},"MonitorDatabaseConfiguration":{"Interval":"00:01:00","IsEnabled":true}},"DetectionConfiguration":{"AlertConfiguration":{"IsMailEnabled":false,"IsSyslogEnabled":true,"To":[]},"NotificationVerbosity":"Low"},"DirectoryServicesReplicationDetectorConfiguration":{"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"DnsReconnaissanceDetectorConfiguration":{"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"EncryptedTimestampEncryptionDowngradeDetectorConfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"EntityProfilerConfiguration":{"UpdateDetectionProfileConfiguration":{"Interval":"00:05:00","IsEna
bled":true},"UpdateDirectoryServicesTrafficSystemProfileConfiguration":{"Interval":"00:05:00","IsEnabled":true},"EventActivityBlockConfiguration":{"MaxDegreeOfParallelism":50,"MaxSize":100000},"LogicalActivityBlockConfiguration":{"MaxDegreeOfParallelism":50,"MaxSize":100000},"NetworkActivityBlockConfiguration":{"MaxDegreeOfParallelism":50,"MaxSize":100000}},"EntityReceiverConfiguration":{"ActivitiesDroppingEnabled":false,"EntityBatchBlockConfiguration":{"MaxSize":10000},"EntityBatchBlockSizeAccumulationQueueConfiguration":{"MaxSize":10,"Interval":"00:01:00"},"GatewayInactivityTimeout":"00:15:00","GetNatIpAddressesInternalConfiguration":{"Interval":"00:15:00","IsEnabled":true}},"EnumerateSessionsDetectorConfiguration":{"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"ExternalIpAddressResolverConfiguration":{"CacheConfiguration":{"ShardCount":1,"MultiLruDictionaryConfiguration":{"MaxSize":10000,"Policy":"SingleValue","Timeout":"01:00:00"},"BackgroundRemoveOldConfiguration":{"Interval":"00:01:00","IsEnabled":true}},"FailedResolutionsAccumulationQueueConfiguration":{"MaxSize":10,"Interval":"00:01:00"}},"ForgedPacDetectorConfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"GoldenTicketDetectorConfiguration":{"KerberosTicketLifetime":null,"ExcludedSourceAccountIds":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"HoneytokenActivityDetectorConfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"HttpC
lientConfiguration":{"BufferMaxSize":"128 MB","Timeout":"00:10:00"},"IntelligenceProxyConfiguration":{"ConnectionLimit":50,"WebClientConfiguration":{"RetryDelay":"00:00:01","ServiceEndpoints":[{"Address":"ti.ata.azure.com","Port":443}],"ServiceCertificateThumbprints":[]}},"LdapBruteForceDetectorConfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"LdapCleartextPasswordDetectorConfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"LoadSimulatorRecorderConfiguration":{"IsEnabled":false,"UniqueEntityBatchBlockConfiguration":{"MaxSize":1000},"EntityBatchBlockConfiguration":{"MaxSize":1000},"FileSegmentSize":"5 MB"},"LocalizerConfiguration":{"LocaleId":"en-us"},"LogicalActivityTranslatorConfiguration":{"LogicalActivityCacheConfiguration":{"ShardCount":100,"MultiLruDictionaryConfiguration":{"MaxSize":100000,"Policy":"SingleValue","Timeout":"00:01:00"},"BackgroundRemoveOldConfiguration":{"Interval":"00:01:00","IsEnabled":true}},"EventActivityBlockConfiguration":{"MaxDegreeOfParallelism":50,"MaxSize":100000},"NetworkActivityBlockConfiguration":{"MaxDegreeOfParallelism":50,"MaxSize":100000},"UniqueEntityBlockConfiguration":{"MaxDegreeOfParallelism":50,"MaxSize":100000}},"MailClientConfiguration":{"IsEnabled":false,"From":null,"ServerEndpoint":null,"ServerSslEnabled":false,"ServerSslAcceptAnyServerCertificate":false,"AuthenticationEnabled":false,"AuthenticationAccountName":null,"AuthenticationAccountPasswordEncrypted":null},"MaliciousServiceCreationDetectorConfiguration":{"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"MassiveObj
ectDeletionDetectorConfiguration":{"DetectMassiveObjectDeletionConfiguration":{"Interval":"00:15:00","IsEnabled":true},"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"MemoryStreamPoolConfiguration":{"BlockSize":"128 KB","LargeBlockMultipleSize":"1 MB","BufferMaxSize":"128 MB"},"MonitoringClientConfiguration":{"AlertConfiguration":{"IsMailEnabled":false,"IsSyslogEnabled":true,"To":[]},"MonitoringAlertTypeNameToIsEnabledMapping":{"CenterDatabaseDataDriveFreeSpaceMonitoringAlert":true,"CenterDatabaseDisconnectedMonitoringAlert":true,"CenterExternalIpAddressResolutionFailureMonitoringAlert":true,"CenterMailMonitoringAlert":true,"CenterNotReceivingTrafficMonitoringAlert":true,"CenterOverloadedMonitoringAlert":true,"CenterSyslogMonitoringAlert":true,"CertificateExpiryMonitoringAlert":true,"GatewayCaptureNetworkAdapterFaultedMonitoringAlert":true,"GatewayCaptureNetworkAdapterMissingMonitoringAlert":true,"GatewayDirectoryServicesClientAccountPasswordExpiryMonitoringAlert":true,"GatewayDirectoryServicesClientConnectivityMonitoringAlert":true,"GatewayDisconnectedMonitoringAlert":true,"GatewayDomainSynchronizerNotAssignedMonitoringAlert":true,"GatewayLowMemoryMonitoringAlert":true,"GatewayOverloadedEventActivitiesMonitoringAlert":true,"GatewayOverloadedNetworkActivitiesMonitoringAlert":true,"GatewayRadiusEventListenerMonitoringAlert":true,"GatewaysOutdatedMonitoringAlert":true,"GatewayStartFailureMonitoringAlert":true,"GatewaySyslogEventListenerMonitoringAlert":true},"RenotificationInterval":"7.00:00:00"},"MonitoringEngineConfiguration":{"CenterNotReceivingTrafficTimeout":"01:00:00","GatewayInactivityTimeout":"00:05:00","GatewayStartFailureTimeout":"00:30:00","MonitoringAlertExpiration":"30.00:00:00","DeleteOldMonitoringAlertsConfiguration":{"Interval":"01:00:00","IsEnabled":true},"MonitoringCycleConfiguration":{"Interval":"00:01:00","IsEnabled":true}
},"NetworkActivityProcessorConfiguration":{"ParentKerberosResponseTicketHashKeyToParentKerberosDataMappingConfiguration":{"ShardCount":100,"MultiLruDictionaryConfiguration":{"MaxSize":400000,"Policy":"SingleValue","Timeout":"10:00:00"},"BackgroundRemoveOldConfiguration":{"Interval":"00:01:00","IsEnabled":true}},"SaveParentKerberosBloomFiltersConfiguration":{"Interval":"00:15:00","IsEnabled":true},"SessionKeyToOperationsMappingConfiguration":{"ShardCount":100,"MultiLruDictionaryConfiguration":{"MaxSize":40000,"Policy":"MultiValue","Timeout":"00:03:00"},"BackgroundRemoveOldConfiguration":{"Interval":"00:01:00","IsEnabled":true}}},"NotificationEngineConfiguration":{"DeleteExpiredNotificationsConfiguration":{"Interval":"00:10:00","IsEnabled":true},"NotificationCycleConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"PassTheHashDetectorConfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"PassTheTicketDetectorConfiguration":{"HandleInvisibleSuspiciousActivitiesConfiguration":{"Interval":"00:15:00","IsEnabled":true},"ValidateInvisibleSuspiciousActivitiesTimeout":"02:00:00","ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"PrivilegeEscalationPathsDetectorConfiguration":{"MaxPrivilegeEscalationPathCount":20,"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"RemoteExecutionDetectorConfiguration":{"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"ReporterConfigur
ation":{"ReportTypeToConfigurationMapping":{},"SendPeriodicReportsConfiguration":{"Interval":"00:01:00","IsEnabled":true}},"RetrieveDataProtectionBackupKeyDetectorConfiguration":{"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"SamrReconnaissanceDetectorConfiguration":{"HandleInvisibleSuspiciousActivitiesConfiguration":{"Interval":"00:10:00","IsEnabled":true},"ExcludedSourceComputerIds":[],"ExcludedSubnets":[],"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"SecretManagerConfiguration":{"CertificateThumbprint":"{{THUMBPRINT}}"},"ServiceSystemProfileConfiguration":{"Id":"5aed5ee92bd5d60dd07c9586"},"SoftwareUpdaterConfiguration":{"IsEnabled":true,"IsGatewayAutomaticSoftwareUpdateEnabled":true,"IsLightweightGatewayAutomaticRestartEnabled":true,"MicrosoftUpdateCategoryId":"6ac905a5-286b-43eb-97e2-e23b3848c87d","CheckSoftwareUpdatesConfiguration":{"Interval":"01:00:00","IsEnabled":true}},"SourceAccountSupportedEncryptionTypesEncryptionDowngradeDetectorConfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"SourceComputerSupportedEncryptionTypesEncryptionDowngradeDetectorConfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"SyncManagerConfiguration":{"UpdateClientsConfiguration":{"Interval":"00:00:10","IsEnabled":true}},"SyslogClientConfiguration":{"IsEnabled":false,"ServerEndpoint":null,"ServerTransport":"Udp","ServerTransportTimeout":"00:00:10","Serializer":"Rfc5424"},"TgtEncryptionDowngradeDetectorCo
nfiguration":{"BlockConfiguration":{"BatchMaxSize":10000,"MaxDegreeOfParallelism":1,"MaxSize":10000},"IsEnabled":true,"UpsertProfileConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"UniqueEntityCacheConfiguration":{"CacheConfiguration":{"ShardCount":100,"MultiLruDictionaryConfiguration":{"MaxSize":10000,"Policy":"SingleValue","Timeout":"06:00:00"},"BackgroundRemoveOldConfiguration":{"Interval":"00:01:00","IsEnabled":true}}},"UniqueEntityProcessorConfiguration":{"HoneytokenAccountIds":[],"SensitiveAccountIds":[],"SensitiveGroupIds":[],"UniqueEntityBlockParallelismDegree":100,"GetHighFunctionalityDomainControlerIdsConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"UniqueEntityProfileCacheConfiguration":{"CacheConfiguration":{"ShardCount":100,"MultiLruDictionaryConfiguration":{"MaxSize":10000,"Policy":"SingleValue","Timeout":"06:00:00"},"BackgroundRemoveOldConfiguration":{"Interval":"00:01:00","IsEnabled":true}},"UniqueEntityProfileBlockConfiguration":{"MaxDegreeOfParallelism":50,"MaxSize":50},"StoreUniqueEntityProfilesConfiguration":{"Interval":"00:10:00","IsEnabled":true}},"UserAccountClusterDetectorConfiguration":{"ClusterUserAccountsConfiguration":{"Interval":"01:00:00","IsEnabled":true}},"WindowsEventLogClientConfiguration":{"IsEnabled":true}},"GatewayCommonConfiguration":{"DirectoryServicesClientAccountDomainName":"windomain.local","DirectoryServicesClientAccountName":"vagrant","DirectoryServicesClientAccountPasswordEncrypted":{"Password":"vagrant"},"IsRadiusEventListenerEnabled":false,"IsSyslogEventListenerEnabled":false,"IsWindowsEventLogReaderEnabled":true,"RadiusEventListenerSharedSecretEncrypted":null},"SoftwareUpdates":[],"NetbiosName":"WEF","Version":"1.9.7312.32791","VersionUpdateTime":"2018-05-05T07:36:09.1352934Z","Id":"5aed5ee92bd5d60dd07c9586","UpdateTime":"2018-05-05T07:36:17.9090344Z","Type":"CenterSystemProfile"} \ No newline at end of file 
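Review bot: The profile embeds values captured from one specific ATA Center install — `"Id":"5aed5ee92bd5d60dd07c9586"`, `"Version":"1.9.7312.32791"`, the `"VersionUpdateTime"`/`"UpdateTime"` stamps and `"NetbiosName":"WEF"` — and `install-microsoft-ata.ps1` posts the whole document back via `Invoke-RestMethod ... systemProfiles/center`, so whether a fresh Center accepts another instance's `Id` and stale timestamps, or whether only the detector and gateway sections are needed, should be confirmed against the installed build. The gateway's directory account credential sits in clear as `"DirectoryServicesClientAccountPasswordEncrypted":{"Password":"vagrant"}`; this is the lab's published default (the README states the lab runs with default vagrant credentials) and presumably the API encrypts it on ingest, but the field name promises otherwise, so the README or a sibling note should say so. The two `{{THUMBPRINT}}` placeholders (`CenterWebClientConfiguration.ServiceCertificateThumbprints` and `SecretManagerConfiguration.CertificateThumbprint`) are filled in by the install script from the certificate presented at `https://wef`; since JSON cannot carry a comment, that contract belongs in the script header, e.g. `# microsoft-ata-config.json is a template: {{THUMBPRINT}} is replaced with the WEF center certificate hash before it is POSTed`.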
diff --git a/Vagrant/scripts/install-microsoft-ata.ps1 b/Vagrant/scripts/install-microsoft-ata.ps1
new file mode 100644
index 0000000..72e1b34
--- /dev/null
+++ b/Vagrant/scripts/install-microsoft-ata.ps1
@@ -0,0 +1,102 @@ +# Purpose: Downloads, installs and configures Microsft ATA 1.9 +$title = "Microsoft ATA 1.9" +$downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso" + +# Enable web requests to endpoints with invalid SSL certs (like self-signed certs) +if (-not("SSLValidator" -as [type])) { + add-type -TypeDefinition @" +using System; +using System.Net; +using System.Net.Security; +using System.Security.Cryptography.X509Certificates; + +public static class SSLValidator { + public static bool ReturnTrue(object sender, + X509Certificate certificate, + X509Chain chain, + SslPolicyErrors sslPolicyErrors) { return true; } + + public static RemoteCertificateValidationCallback GetDelegate() { + return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue); + } +} +"@ +} +[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() + +if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center")) +{ + if (-not (Test-Path "$env:temp\$title.iso")) + { + Write-Host "Downloading $title..." 
+ Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso" + } + $Mount = Mount-DiskImage -ImagePath "$env:temp\$title.iso" -StorageType ISO -Access ReadOnly -PassThru + $Volume = $Mount | Get-Volume + Write-Host "Installing $title" + $Install = Start-Process -Wait -FilePath ($Volume.DriveLetter + ":\Microsoft ATA Center Setup.exe") -ArgumentList "/q --LicenseAccepted NetFrameworkCommandLineArguments=`"/q`" --EnableMicrosoftUpdate" -PassThru + $Install + $Mount | Dismount-DiskImage -Confirm:$false + $body = get-content "C:\vagrant\resources\microsoft_ata\microsoft-ata-config.json" + + $req = [System.Net.WebRequest]::CreateHttp("https://wef") + try + { + $req.GetResponse() + } + catch + { + # we don't care about errors here, we just want to get the cert ;) + } + $ThumbPrint = $req.ServicePoint.Certificate.GetCertHashString() + $body = $body -replace "{{THUMBPRINT}}", $ThumbPrint + + Invoke-RestMethod -uri https://localhost/api/management/systemProfiles/center -body $body -Method Post -UseBasicParsing -UseDefaultCredentials -ContentType "application/json" + +} + +Start-Sleep -Seconds 60 + +Invoke-Command -computername dc -Credential (new-object pscredential("windomain\vagrant",(ConvertTo-SecureString -AsPlainText -Force -String "vagrant"))) -ScriptBlock { + + Write-Host "[$env:computername] Installing ATA Lightweight gateway..." 
+ + # Enable web requests to endpoints with invalid SSL certs (like self-signed certs) + if (-not("SSLValidator" -as [type])) { + add-type -TypeDefinition @" + using System; + using System.Net; + using System.Net.Security; + using System.Security.Cryptography.X509Certificates; + + public static class SSLValidator { + public static bool ReturnTrue(object sender, + X509Certificate certificate, + X509Chain chain, + SslPolicyErrors sslPolicyErrors) { return true; } + + public static RemoteCertificateValidationCallback GetDelegate() { + return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue); + } + } +"@ + } + [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() + + Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant"))) + Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force + + Set-Location "$env:temp\gatewaysetup" + Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`"" + # Disable invalid web requests to endpoints with invalid SSL certs again + [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null +} + +# set dc as domain synchronizer +$config = Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways" -UseDefaultCredentials -UseBasicParsing +$config[0].Configuration.DirectoryServicesResolverConfiguration.UpdateDirectoryEntityChangesConfiguration.IsEnabled = $true + +Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways/$($config[0].Id)" -UseDefaultCredentials -UseBasicParsing -Method Post -ContentType "application/json" -Body ($config[0] | 
convertto-json -depth 99) + +# Disable invalid web requests to endpoints with invalid SSL certs again +[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null \ No newline at end of file From 0e898af33f48d37e3340bf2c5273ecc999e3eef5 Mon Sep 17 00:00:00 2001 From: hhofs Date: Fri, 11 May 2018 23:59:17 +0200 Subject: [PATCH 4/4] added verification of iso download, changed memory for wef and dc, fixed issue with post-build tests --- Vagrant/Vagrantfile | 8 ++++---- Vagrant/scripts/install-microsoft-ata.ps1 | 23 ++++++++++++++++++++++- build.sh | 4 ++-- 3 files changed, 28 insertions(+), 7 deletions(-) diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index fc858fa..6bbc466 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -57,14 +57,14 @@ Vagrant.configure("2") do |config| cfg.vm.provider "vmware_fusion" do |v, override| override.vm.box = "../Boxes/windows_2016_vmware.box" - v.memory = 6144 + v.memory = 2560 v.cpus = 2 v.gui = true end cfg.vm.provider "virtualbox" do |vb, override| vb.gui = true - vb.customize ["modifyvm", :id, "--memory", 6144] + vb.customize ["modifyvm", :id, "--memory", 2560] vb.customize ["modifyvm", :id, "--cpus", 2] vb.customize ["modifyvm", :id, "--vram", "32"] vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"] @@ -100,14 +100,14 @@ Vagrant.configure("2") do |config| cfg.vm.provider "vmware_fusion" do |v, override| override.vm.box = "../Boxes/windows_2016_vmware.box" - v.memory = 8192 + v.memory = 2048 v.cpus = 2 v.gui = true end cfg.vm.provider "virtualbox" do |vb, override| vb.gui = true - vb.customize ["modifyvm", :id, "--memory", 8192] + vb.customize ["modifyvm", :id, "--memory", 2048] vb.customize ["modifyvm", :id, "--cpus", 2] vb.customize ["modifyvm", :id, "--vram", "32"] vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"] diff --git a/Vagrant/scripts/install-microsoft-ata.ps1 b/Vagrant/scripts/install-microsoft-ata.ps1 index 72e1b34..31ecbcb 100644 
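Review bot: The process-wide certificate-validation bypass set by `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()` is only reset to `$null` on the happy path at the end of the script (and at the end of the remote script block); any terminating error in between — `$req.ServicePoint.Certificate` being null when the Center is not yet listening, or a failed `Invoke-RestMethod` — leaves validation disabled for the rest of the PowerShell process that runs the provisioner. Wrapping the body in `try { ... } finally { [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null }`, in both the outer script and the script block, makes the reset unconditional. Separately, the Center setup's result is captured in `$Install` but only echoed, so nothing stops the script from POSTing the config to a Center whose installer failed; add `if ($Install.ExitCode -ne 0) { throw "$title setup failed with exit code $($Install.ExitCode)" }` after the `Start-Process`, and give the gateway `Start-Process` the same `-PassThru` plus exit-code check. The fixed `Start-Sleep -Seconds 60` before the gateway install is a race against Center start-up; polling the gateways endpoint until it answers would be more robust.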
--- a/Vagrant/scripts/install-microsoft-ata.ps1
+++ b/Vagrant/scripts/install-microsoft-ata.ps1
@@ -1,6 +1,7 @@
 # Purpose: Downloads, installs and configures Microsft ATA 1.9
 $title = "Microsoft ATA 1.9"
 $downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso"
+$fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash
 
 # Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
 if (-not("SSLValidator" -as [type])) {
@@ -26,10 +27,30 @@ public static class SSLValidator {
 
 if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
 {
- if (-not (Test-Path "$env:temp\$title.iso"))
+ $download = $false
+ if (-not (Test-Path "$env:temp\$title.iso"))
+ {
+ Write-Host "$title.iso doesn't exist yet, downloading..."
+ $download = $true
+ }
+ else
+ {
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+ If (-not ($actualHash -eq $fileHash))
+ {
+ Write-Host "$title.iso exists, but has wrong hash, downloading..."
+ $download = $true
+ }
+ }
+ if ($download -eq $true)
 {
 Write-Host "Downloading $title..."
 Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+ If (-not ($actualHash -eq $fileHash))
+ {
+ throw "$title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash"
+ }
 }
 $Mount = Mount-DiskImage -ImagePath "$env:temp\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
 $Volume = $Mount | Get-Volume
diff --git a/build.sh b/build.sh
index c4e2751..7754755 100755
--- a/build.sh
+++ b/build.sh
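Review bot: The pinned `$fileHash` turns the plain-http ISO download into an integrity-checked one, but the comment `# Use Get-FileHash on a correct downloaded file to get the hash` describes a trust-on-first-use procedure: the reference value is whatever an earlier download produced, so the check catches later corruption or substitution but says nothing about the first fetch. The comment should record where the value came from and when, e.g. `# SHA256 of ATA1.9.iso, recorded <date> from <source: vendor checksum page or own download> — verify against the vendor before changing`. On style, the same `(Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash` expression appears twice, so a small helper or a single `$isoPath` variable would remove the repetition, and the first branch's `Write-Host "$title.iso doesn't exist yet, downloading..."` is immediately followed by the context line `Write-Host "Downloading $title..."`, so one of the two messages is redundant. The enclosing `if (-not (Test-Path ... Center))` block continues outside the hunk.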
@@ -253,8 +253,8 @@ post_build_checks() { CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.5:8888 | grep -c '302: Found' || echo "") SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.5:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "") FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.5:8412 | grep -c 'Kolide Fleet' || echo "") - curl --fail -ks https://192.168.38.3 -m 2 - ATA_CHECK=$([[ $? == 22 ]] && echo 1) + ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.3 -m 2) + [[ $ATA_CHECK == 401 ]] && ATA_CHECK=1 BASH_MAJOR_VERSION=$(/bin/bash --version | grep 'GNU bash' | grep -o version\.\.. | cut -d ' ' -f 2 | cut -d '.' -f 1) # Associative arrays are only supported in bash 4 and up
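Review bot: `ATA_CHECK` now holds the raw HTTP status whenever it is not 401 — `000` on a timeout or connection failure, `200`/`302` on anything unexpected — whereas the sibling `*_CHECK` variables end up as a count or the empty string, so a consumer that only tests for a non-empty value (the rest of `post_build_checks` is outside the hunk) would report the ATA Center as up when it is unreachable. Normalising it the same way keeps the variable's contract uniform: `if [[ $ATA_CHECK == 401 ]]; then ATA_CHECK=1; else ATA_CHECK=""; fi`. A short comment on why 401 is the success signal would also help the next reader, e.g. `# the ATA console presumably requires credentials, so an unauthenticated 401 means it is serving`.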