Update README.md and ESXi logger code
This commit is contained in:
Chris Long
61
README.md
61
README.md
@@ -34,71 +34,24 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
|
||||
* All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
|
||||
* SMBv1 Auditing is enabled
|
||||
|
||||
|
||||
## Requirements
|
||||
* 55GB+ of free disk space
|
||||
* 16GB+ of RAM
|
||||
* Packer 1.3.2 or newer
|
||||
* Vagrant 2.2.2 or newer
|
||||
* Vagrant 2.2.7 or newer
|
||||
* Virtualbox or VMWare Fusion/Workstation
|
||||
|
||||
---
|
||||
|
||||
## Quickstart
|
||||
* [AWS](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform))
|
||||
## Building Detection Lab
|
||||
|
||||
Please view the quickstart guides based on the operating system you are using. The AWS/Terraform DetectionLab can be launched from any operating system.
|
||||
|
||||
* [AWS via Terraform](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform))
|
||||
* [MacOS](https://github.com/clong/DetectionLab/wiki/Quickstart---MacOS)
|
||||
* [Windows](https://github.com/clong/DetectionLab/wiki/Quickstart---Windows)
|
||||
* [Linux](https://github.com/clong/DetectionLab/wiki/Quickstart-Linux)
|
||||
|
||||
---
|
||||
|
||||
## Building DetectionLab from Scratch
|
||||
1. Determine which Vagrant provider you want to use. Current supported providers are:
|
||||
|
||||
- Virtualbox
|
||||
- VMware Workstation & Fusion
|
||||
- Note: Virtualbox is free, the [VMWare Desktop Vagrant plugin](https://www.vagrantup.com/vmware/#buy-now) is $80 and is required to use Vagrant with VMware.
|
||||
|
||||
There are currently three ways to build the lab:
|
||||
* **Recommended**: Use the boxes hosted on [Vagrant Cloud](https://app.vagrantup.com/detectionlab). This method should take **~2 hours** total to download the boxes and provision the lab.
|
||||
* Build the boxes yourself using Packer. This method will take ~4 hours to build the boxes and another ~90-120 minutes to provision them for a total of **5-6 hours**.
|
||||
* [Provision the lab in AWS using Terraform](Terraform/README.md). The lab can be brought online in under **30 minutes**.
|
||||
|
||||
If you choose to use the boxes hosted on Vagrant Cloud, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.
|
||||
|
||||
|
||||
2. `cd` to the Packer directory and build the Windows 10 and Windows Server 2016 boxes using the commands below. Each build will take about 1 hour. As far as I know, you can only build one box at a time.
|
||||
|
||||
```
|
||||
$ cd detectionlab/Packer
|
||||
$ packer build --only=[vmware|virtualbox]-iso windows_10.json
|
||||
$ packer build --only=[vmware|virtualbox]-iso windows_2016.json
|
||||
```
|
||||
|
||||
3. Once both boxes have built successfully, move the resulting boxes (.box files) in the Packer folder to the Boxes folder:
|
||||
|
||||
`mv *.box ../Boxes`
|
||||
|
||||
4. `cd` into the Vagrant directory: `cd ../Vagrant` and edit the `Vagrantfile`. Change the lines `cfg.vm.box = "detectionlab/win2016"` and `cfg.vm.box = "detectionlab/win10` to `cfg.vm.box = "../Boxes/windows_2016_<provider>.box"` and "`cfg.vm.box = "../Boxes/windows_10_<provider>.box"` respectively.
|
||||
|
||||
5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload`
|
||||
|
||||
6. **VMware Only:**
|
||||
* [Buy a license](https://www.vagrantup.com/vmware/index.html#buy-now) for the VMware plugin
|
||||
* Install it with `vagrant plugin install vagrant-vmware-desktop`.
|
||||
* License it with `vagrant plugin license vagrant-vmware-desktop <path_to_.lic>`.
|
||||
* Download and install the VMware Vagrant utility: https://www.vagrantup.com/vmware/downloads.html
|
||||
|
||||
7. Ensure you are in the base DetectionLab folder and run `./build.sh` (Mac & Linux) or `./build.ps1` (Windows). This script will do the following:
|
||||
* Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance.
|
||||
* Provision the DC host and configure it as a Domain Controller
|
||||
* Provision the WEF host and configure it as a Windows Event Collector in the Servers OU
|
||||
* Provision the Win10 host and configure it as a computer in the Workstations OU
|
||||
|
||||
8. Build logs will be present in the `Vagrant` folder as `vagrant_up_<host>.log`. If filing an issue, please paste the contents of that log into a Gist to help with debugging efforts.
|
||||
|
||||
9. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
|
||||
10. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration).
|
||||
* [ESXi](https://github.com/clong/DetectionLab/tree/master/ESXi)
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user