trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #431 from clong/update_readme_esxi

Browse Source 
Update README.md and ESXi logger code
This commit is contained in:
Chris Long
2020-04-23 19:38:06 -07:00
committed by GitHub
parent 9f14610928 1cb90374f6
commit 7ba7b6904b
5 changed files with 45 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ESXi/ansible/inventory.yml
View File

@@ -2,7 +2,7 @@
logger:
hosts:
192.168.3.158:
192.168.3.205:
ansible_user: vagrant
ansible_password: vagrant
ansible_port: 22
@@ -11,13 +11,13 @@ logger:
dc:
hosts:
192.168.3.189:
192.168.3.202:
wef:
hosts:
192.168.3.194:
192.168.3.203:
win10:
hosts:
192.168.3.193:
192.168.3.204:

36
ESXi/ansible/roles/logger/tasks/main.yml
View File

@@ -160,6 +160,14 @@
executable: /bin/bash
become: yes
shell: |
# Get a free Maxmind license here: https://www.maxmind.com/en/geolite2/signup
# Required for the ASNgen app to work: https://splunkbase.splunk.com/app/3531/
export MAXMIND_LICENSE=
if [ -z $MAXMIND_LICENSE ]; then
echo "Note: You have not entered a MaxMind license key on line 5 of bootstrap.sh, so the ASNgen Splunk app may not work correctly."
echo "However, it is not required and everything else should function correctly."
fi
# Check if Splunk is already installed
if [ -f "/opt/splunk/bin/splunk" ]; then
echo "[$(date +%H:%M:%S)]: Splunk is already installed"
@@ -183,7 +191,14 @@
# Download Hardcoded Splunk
wget --progress=bar:force -O /opt/splunk-8.0.2-a7f645ddaf91-linux-2.6-amd64.deb 'https://download.splunk.com/products/splunk/releases/8.0.2/linux/splunk-8.0.2-a7f645ddaf91-linux-2.6-amd64.deb&wget=true'
fi
dpkg -i /opt/splunk*.deb
if ! ls /opt/splunk*.deb 1> /dev/null 2>&1; then
echo "Something went wrong while trying to download Splunk. This script cannot continue. Exiting."
exit 1
fi
if ! dpkg -i /opt/splunk*.deb > /dev/null; then
echo "Something went wrong while trying to install Splunk. This script cannot continue. Exiting."
exit 1
fi
/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
/opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
/opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
@@ -193,9 +208,9 @@
/opt/splunk/bin/splunk add index zeek -auth 'admin:changeme'
/opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
/opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_110.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
@@ -204,6 +219,13 @@
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme'
# Install the Maxmind license key for the ASNgen App
if [ ! -z $MAXMIND_LICENSE ]; then
mkdir /opt/splunk/etc/apps/TA-asngen/local
cp /opt/splunk/etc/apps/TA-asngen/default/asngen.conf /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
fi
# Add custom Macro definitions for ThreatHunting App
cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
# Fix Windows TA macros
@@ -385,7 +407,7 @@
echo "[$(date +%H:%M:%S)]: Installing Zeek..."
sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key
apt-key add - </tmp/Release.key
apt-key add - </tmp/Release.key &>/dev/null
- name: Install Zeek Packages
become: yes
@@ -483,7 +505,7 @@
cd /opt
apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
tar -xf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole."
ldconfig
cd /var/lib/tomcat8/webapps
@@ -510,6 +532,6 @@
# Include Splunk and Zeek in the PATH
echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
# Ping DetectionLab server for usage statistics
curl -A "DetectionLab-logger" "https://detectionlab.network/logger"
curl -s -A "DetectionLab-logger" "https://detectionlab.network/logger"

61
README.md
View File

@@ -34,71 +34,24 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
* All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
* SMBv1 Auditing is enabled
## Requirements
* 55GB+ of free disk space
* 16GB+ of RAM
* Packer 1.3.2 or newer
* Vagrant 2.2.2 or newer
* Vagrant 2.2.7 or newer
* Virtualbox or VMWare Fusion/Workstation
---
## Quickstart
* [AWS](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform))
## Building Detection Lab
Please view the quickstart guides based on the operating system you are using. The AWS/Terraform DetectionLab can be launched from any operating system.
* [AWS via Terraform](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform))
* [MacOS](https://github.com/clong/DetectionLab/wiki/Quickstart---MacOS)
* [Windows](https://github.com/clong/DetectionLab/wiki/Quickstart---Windows)
* [Linux](https://github.com/clong/DetectionLab/wiki/Quickstart-Linux)
---
## Building DetectionLab from Scratch
1. Determine which Vagrant provider you want to use. Current supported providers are:
- Virtualbox
- VMware Workstation & Fusion
- Note: Virtualbox is free, the [VMWare Desktop Vagrant plugin](https://www.vagrantup.com/vmware/#buy-now) is $80 and is required to use Vagrant with VMware.
There are currently three ways to build the lab:
* **Recommended**: Use the boxes hosted on [Vagrant Cloud](https://app.vagrantup.com/detectionlab). This method should take **~1 hour 20 minutes** total to download the boxes and provision the lab.
* Build the boxes yourself using Packer. This method will take ~1-2 hours to build the boxes and another ~90-120 minutes to provision them for a total of **2.5 - 4 hours**.
* [Provision the lab in AWS using Terraform](Terraform/README.md). The lab can be brought online in under **30 minutes**.
If you choose to use the boxes hosted on Vagrant Cloud, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.
2. `cd` to the Packer directory and build the Windows 10 and Windows Server 2016 boxes using the commands below. Each build will take about 45 minutes.
```
$ cd detectionlab/Packer
$ packer build --only=[vmware|virtualbox]-iso windows_10.json
$ packer build --only=[vmware|virtualbox]-iso windows_2016.json
```
3. Once both boxes have built successfully, move the resulting boxes (.box files) in the Packer folder to the Boxes folder:
`mv *.box ../Boxes`
4. `cd` into the Vagrant directory: `cd ../Vagrant` and edit the `Vagrantfile`. Change the lines `cfg.vm.box = "detectionlab/win2016"` and `cfg.vm.box = "detectionlab/win10` to `cfg.vm.box = "../Boxes/windows_2016_<provider>.box"` and "`cfg.vm.box = "../Boxes/windows_10_<provider>.box"` respectively.
5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload`
6. **VMware Only:**
* [Buy a license](https://www.vagrantup.com/vmware/index.html#buy-now) for the VMware plugin
* Install it with `vagrant plugin install vagrant-vmware-desktop`.
* License it with `vagrant plugin license vagrant-vmware-desktop <path_to_.lic>`.
* Download and install the VMware Vagrant utility: https://www.vagrantup.com/vmware/downloads.html
7. Ensure you are in the base DetectionLab folder and run `./build.sh` (Mac & Linux) or `./build.ps1` (Windows). This script will do the following:
* Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance.
* Provision the DC host and configure it as a Domain Controller
* Provision the WEF host and configure it as a Windows Event Collector in the Servers OU
* Provision the Win10 host and configure it as a computer in the Workstations OU
8. Build logs will be present in the `Vagrant` folder as `vagrant_up_<host>.log`. If filing an issue, please paste the contents of that log into a Gist to help with debugging efforts.
9. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
10. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration).
* [ESXi](https://github.com/clong/DetectionLab/tree/master/ESXi)
---

6
build.ps1
View File

@@ -98,12 +98,12 @@ function check_vagrant {
break
}
# Check Vagrant version >= 2.2.2
# Check Vagrant version >= 2.2.7
[System.Version]$vagrant_version = $(vagrant --version).Split(' ')[1]
[System.Version]$version_comparison = 2.2.2
[System.Version]$version_comparison = 2.2.7
if ($vagrant_version -lt $version_comparison) {
Write-Warning 'It is highly recommended to use Vagrant 2.2.2 or above before continuing'
Write-Warning 'It is highly recommended to use Vagrant 2.2.7 or above before continuing'
}
}

4
build.sh
View File

@@ -29,10 +29,10 @@ check_vagrant_path() {
(echo >&2 "Please correct this before continuing. Quitting.")
exit 1
fi
# Ensure Vagrant >= 2.2.2
# Ensure Vagrant >= 2.2.7
# https://unix.stackexchange.com/a/285928
VAGRANT_VERSION="$(vagrant --version | cut -d ' ' -f 2)"
REQUIRED_VERSION="2.2.2"
REQUIRED_VERSION="2.2.7"
# If the version of Vagrant is not greater than the required version
if ! [ "$(printf '%s\n' "$REQUIRED_VERSION" "$VAGRANT_VERSION" | sort -V | head -n1)" = "$REQUIRED_VERSION" ]; then
(echo >&2 "WARNING: It is highly recommended to use Vagrant $REQUIRED_VERSION or above before continuing")