trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Removing Caldera

Browse Source
This commit is contained in:
Chris Long
2019-04-27 22:36:06 -07:00
parent 614af67405
commit 7d844fd988
14 changed files with 6 additions and 234 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@@ -28,7 +28,6 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
* Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs` * Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs`
* osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration) * osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration)
* Sysmon is installed and configured using SwiftOnSecuritys open-sourced configuration * Sysmon is installed and configured using SwiftOnSecuritys open-sourced configuration
* Mitre's [Caldera](https://github.com/mitre/caldera) server is built on the logger host and the Caldera agent gets pre-installed on all Windows hosts
* All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog) * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
* SMBv1 Auditing is enabled * SMBv1 Auditing is enabled
@@ -93,7 +92,7 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json
4. cd into the Vagrant directory: `cd ../Vagrant` 4. cd into the Vagrant directory: `cd ../Vagrant`
5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload` 5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload`
6. Ensure you are in the Vagrant folrder and run `vagrant up`. This command will do the following: 6. Ensure you are in the Vagrant folder and run `vagrant up`. This command will do the following:
* Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance. * Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance.
* Provision the DC host and configure it as a Domain Controller * Provision the DC host and configure it as a Domain Controller
* Provision the WEF host and configure it as a Windows Event Collector in the Servers OU * Provision the WEF host and configure it as a Windows Event Collector in the Servers OU
@@ -101,7 +100,6 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json
7. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen) 7. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
8. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration). 8. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration).
9. Navigate to https://192.168.38.105:8888 in a browser to access the Caldera server on logger. Default credentials are admin:caldera.
## Basic Vagrant Usage ## Basic Vagrant Usage
Vagrant commands must be run from the "Vagrant" folder. Vagrant commands must be run from the "Vagrant" folder.
@@ -122,9 +120,8 @@ Vagrant commands must be run from the "Vagrant" folder.
## Lab Information ## Lab Information
* Domain Name: windomain.local * Domain Name: windomain.local
* Admininstrator login: vagrant:vagrant * Admininstrator login: vagrant:vagrant
* Fleet login: https://192.168.38.105:8412 - admin@:admin123# * Fleet login: https://192.168.38.105:8412 - admin:admin123#
* Splunk login: https://192.168.38.105:8000 - admin:changeme * Splunk login: https://192.168.38.105:8000 - admin:changeme
* Caldera login: https://192.168.38.105:8888 - admin:admin
* MS ATA login: https://192.168.38.103 - wef\vagrant:vagrant * MS ATA login: https://192.168.38.103 - wef\vagrant:vagrant
## Lab Hosts ## Lab Hosts
@@ -155,7 +152,6 @@ Vagrant commands must be run from the "Vagrant" folder.
* Logger - Ubuntu 16.04 * Logger - Ubuntu 16.04
* Splunk Enterprise * Splunk Enterprise
* Fleet osquery Manager * Fleet osquery Manager
* Mitre's Caldera Server
* Bro * Bro
* Suricata * Suricata
@@ -174,7 +170,6 @@ suricata | Suricata IDS logs
* Sysmon * Sysmon
* osquery * osquery
* AutorunsToWinEventLog * AutorunsToWinEventLog
* Caldera Agent
* Process Monitor * Process Monitor
* Process Explorer * Process Explorer
* PsExec * PsExec
@@ -184,6 +179,7 @@ suricata | Suricata IDS logs
* WinRar * WinRar
* Mimikatz * Mimikatz
* Wireshark * Wireshark
* Powersploit
## Applied GPOs ## Applied GPOs
* [Custom Event Channel Permissions](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Custom%20Event%20Channel%20Permissions.htm) * [Custom Event Channel Permissions](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Custom%20Event%20Channel%20Permissions.htm)
@@ -255,7 +251,6 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer]
* [Splunk](https://www.splunk.com) * [Splunk](https://www.splunk.com)
* [osquery](https://osquery.io) * [osquery](https://osquery.io)
* [Fleet](https://kolide.co/fleet) * [Fleet](https://kolide.co/fleet)
* [Caldera](https://github.com/mitre/caldera)
* [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f) * [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f)
* [palantir/windows-event-forwarding](http://github.com/palantir/windows-event-forwarding) * [palantir/windows-event-forwarding](http://github.com/palantir/windows-event-forwarding)
* [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55) * [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55)

11
Terraform/main.tf
View File

@@ -71,14 +71,6 @@ resource "aws_security_group" "logger" {
cidr_blocks = "${var.ip_whitelist}" cidr_blocks = "${var.ip_whitelist}"
} }
# Caldera access
ingress {
from_port = 8888
to_port = 8888
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
}
# Allow all traffic from the private subnet # Allow all traffic from the private subnet
ingress { ingress {
from_port = 0 from_port = 0
@@ -166,7 +158,6 @@ resource "aws_instance" "logger" {
"sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh", "sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh",
"echo 'vagrant ALL=(ALL:ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers", "echo 'vagrant ALL=(ALL:ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers",
"sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab", "sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab",
"sudo sed -i \"s#sed -i 's/archive.ubuntu.com/us.archive.ubuntu.com/g' /etc/apt/sources.list##g\" /opt/DetectionLab/Vagrant/bootstrap.sh",
"sudo sed -i 's/eth1/eth0/g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's/eth1/eth0/g' /opt/DetectionLab/Vagrant/bootstrap.sh",
"sudo sed -i 's/ETH1/ETH0/g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's/ETH1/ETH0/g' /opt/DetectionLab/Vagrant/bootstrap.sh",
"sudo sed -i 's#/usr/local/go/bin/go get -u#GOPATH=/root/go /usr/local/go/bin/go get -u#g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's#/usr/local/go/bin/go get -u#GOPATH=/root/go /usr/local/go/bin/go get -u#g' /opt/DetectionLab/Vagrant/bootstrap.sh",
@@ -174,8 +165,6 @@ resource "aws_instance" "logger" {
"sudo chmod +x /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo chmod +x /opt/DetectionLab/Vagrant/bootstrap.sh",
"sudo apt-get update", "sudo apt-get update",
"sudo /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo /opt/DetectionLab/Vagrant/bootstrap.sh",
"sudo pip3.6 install --upgrade --force-reinstall pip==9.0.3 && sudo pip3.6 install -r /home/vagrant/caldera/caldera/requirements.txt && sudo pip3.6 install --upgrade pip",
"sudo service caldera stop && sudo service caldera start",
] ]
connection { connection {
type = "ssh" type = "ssh"

3
Vagrant/Vagrantfile vendored
View File

@@ -48,7 +48,6 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
@@ -104,7 +103,6 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
@@ -154,7 +152,6 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false

3
Vagrant/Vagrantfile_Minimum
View File

@@ -46,7 +46,6 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
@@ -100,7 +99,6 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
@@ -147,7 +145,6 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false

41
Vagrant/bootstrap.sh
View File

@@ -5,26 +5,17 @@ echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections;
echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections; echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections;
sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse" /etc/apt/sources.list sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse" /etc/apt/sources.list
install_python_apt_source() {
# Install apt source for Python3.6
add-apt-repository -y ppa:jonathonf/python-3.6
add-apt-repository -y ppa:apt-fast/stable
}
apt_install_prerequisites() { apt_install_prerequisites() {
# Install prerequisites and useful tools # Install prerequisites and useful tools
echo "Running apt-get update..." echo "Running apt-get update..."
apt-get -qq update apt-get -qq update
apt-get -qq install -y apt-fast apt-get -qq install -y apt-fast
echo "Running apt-fast install..." echo "Running apt-fast install..."
apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip python3.6 python3.6-dev apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip
# Install pip for Python 3.6
echo "Installing Pip3.6..."
curl -s https://bootstrap.pypa.io/get-pip.py | sudo -H python3.6
} }
test_prerequisites() { test_prerequisites() {
for package in jq whois build-essential git docker docker-compose unzip python3.6 python3.6-dev for package in jq whois build-essential git docker docker-compose unzip
do do
echo "[TEST] Validating that $package is correctly installed..." echo "[TEST] Validating that $package is correctly installed..."
# Loop through each package using dpkg # Loop through each package using dpkg
@@ -219,33 +210,6 @@ import_osquery_config_into_fleet() {
/opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme' /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme'
} }
install_caldera() {
if [ -f "/lib/systemd/system/caldera.service" ]; then
echo "Caldera is already installed... Skipping"
else
# Install Mitre's Caldera
echo "Installing Caldera..."
cd /home/vagrant || exit
git clone https://github.com/mitre/caldera.git
cd /home/vagrant/caldera/plugins || exit
git clone https://github.com/mitre/adversary.git adversary
git clone https://github.com/mitre/chain.git chain
git clone https://github.com/mitre/gui.git gui
git clone https://github.com/mitre/sandcat.git sandcat
git clone https://github.com/mitre/stockpile.git stockpile
cd /home/vagrant/caldera || exit
pip3.6 install -r requirements.txt
# Make Caldera accessible on all ports
sed -i 's/127.0.0.1/0.0.0.0/g' conf/local.yml
# Create Systemd service for Caldera
cp /vagrant/resources/caldera/caldera.service /lib/systemd/system/caldera.service
cd /home/vagrant/caldera || exit
cp /vagrant/resources/caldera/cert.pem /vagrant/resources/caldera/key.pem /home/vagrant/caldera/conf
service caldera start
systemctl enable caldera.service
fi
}
install_bro() { install_bro() {
# Environment variables # Environment variables
NODECFG=/opt/bro/etc/node.cfg NODECFG=/opt/bro/etc/node.cfg
@@ -436,7 +400,6 @@ main() {
install_fleet install_fleet
download_palantir_osquery_config download_palantir_osquery_config
import_osquery_config_into_fleet import_osquery_config_into_fleet
install_caldera
install_suricata install_suricata
install_bro install_bro
} }

11
Vagrant/resources/caldera/caldera.service
View File

@@ -1,11 +0,0 @@
[Unit]
Description=Caldera
After=multi-user.target
[Service]
Type=idle
WorkingDirectory=/home/vagrant/caldera
ExecStart=/usr/bin/python3.6 server.py -E local
[Install]
WantedBy=multi-user.target

20
Vagrant/resources/caldera/cert.pem
View File

@@ -1,20 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDVTCCAj2gAwIBAgIJAKUxnMnJz4CPMA0GCSqGSIb3DQEBCwUAMEExDzANBgNV
BAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2VyMQsw
CQYDVQQGEwJVUzAeFw0xOTAzMjcwMzU3NThaFw0yOTAzMjYwMzU3NThaMEExDzAN
BgNVBAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2Vy
MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKL/
7cDUXrSac8oILHLN3iKtuhoLttPrVi+GuYsdfKer7D9M9DrkGAvQ+qHLpHgg+omY
ZIK4kDjS26eDKP2SGTHjeYwlmcJPnII6YU8vYdzyvi4eLJjI+lMO8BYd2yL2PVJX
W8ScY/2MoC8LX31A8maGDW+4E6bu3ItAEchh4EWRj8V4PqCDJH1XnY18A0N0QEDV
Osleb2dFWvXtyFmSu0OsqiMxBzlPbf/yl71Q1VjrRUT+alDJNfF3ewctshvx4hV8
qDwpATR9GPfPKV6w1lj0a+81Qpwy6vOLve3yCV02lWe1TaCjL2otGbTspujbulkR
DGy6MC9/9i1CRkEIBj0CAwEAAaNQME4wHQYDVR0OBBYEFKGWfBB6O2ktq/a4frXy
LKxZNjngMB8GA1UdIwQYMBaAFKGWfBB6O2ktq/a4frXyLKxZNjngMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIgLaPeFJS/bHzITf62RgDbBEU3zaeOg
72xiFHWd6uIA9SCHGHuKhbpzLOqBtoSGZlejI75/QDwAiwpu/cd9BWx9h9S/f0Zf
fZnA/ngPojhnaHYFIn8165z/XSJwNvDhVh1oYqMcfTPgeSlbRdPTwAjxdYsJ4nik
4xriKHV6WQ9ixFwOk9ROYg1M/OJ2lmOi23NFODKVP0LFPAqZEX7evKJatWQiJ2tF
iUAm+4xvkGVJfPd6hShYEsXDjTJC+fVFgsPTWhaHGnLjiLORJLgvd/E6wIGGzvx7
fIw1x7LxMmhlWa74yyGZKAMUOlMh4uBAYR3JhsVYl2LNSK9HwZYnfXc=
-----END CERTIFICATE-----

24
Vagrant/resources/caldera/conf.yml
View File

@@ -1,24 +0,0 @@
url_root: https://logger:8888
verify_hostname: false
cert: |
-----BEGIN CERTIFICATE-----
MIIDVTCCAj2gAwIBAgIJAKUxnMnJz4CPMA0GCSqGSIb3DQEBCwUAMEExDzANBgNV
BAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2VyMQsw
CQYDVQQGEwJVUzAeFw0xOTAzMjcwMzU3NThaFw0yOTAzMjYwMzU3NThaMEExDzAN
BgNVBAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2Vy
MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKL/
7cDUXrSac8oILHLN3iKtuhoLttPrVi+GuYsdfKer7D9M9DrkGAvQ+qHLpHgg+omY
ZIK4kDjS26eDKP2SGTHjeYwlmcJPnII6YU8vYdzyvi4eLJjI+lMO8BYd2yL2PVJX
W8ScY/2MoC8LX31A8maGDW+4E6bu3ItAEchh4EWRj8V4PqCDJH1XnY18A0N0QEDV
Osleb2dFWvXtyFmSu0OsqiMxBzlPbf/yl71Q1VjrRUT+alDJNfF3ewctshvx4hV8
qDwpATR9GPfPKV6w1lj0a+81Qpwy6vOLve3yCV02lWe1TaCjL2otGbTspujbulkR
DGy6MC9/9i1CRkEIBj0CAwEAAaNQME4wHQYDVR0OBBYEFKGWfBB6O2ktq/a4frXy
LKxZNjngMB8GA1UdIwQYMBaAFKGWfBB6O2ktq/a4frXyLKxZNjngMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIgLaPeFJS/bHzITf62RgDbBEU3zaeOg
72xiFHWd6uIA9SCHGHuKhbpzLOqBtoSGZlejI75/QDwAiwpu/cd9BWx9h9S/f0Zf
fZnA/ngPojhnaHYFIn8165z/XSJwNvDhVh1oYqMcfTPgeSlbRdPTwAjxdYsJ4nik
4xriKHV6WQ9ixFwOk9ROYg1M/OJ2lmOi23NFODKVP0LFPAqZEX7evKJatWQiJ2tF
iUAm+4xvkGVJfPd6hShYEsXDjTJC+fVFgsPTWhaHGnLjiLORJLgvd/E6wIGGzvx7
fIw1x7LxMmhlWa74yyGZKAMUOlMh4uBAYR3JhsVYl2LNSK9HwZYnfXc=
-----END CERTIFICATE-----
logging_level: debug

28
Vagrant/resources/caldera/key.pem
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCi/+3A1F60mnPK
CCxyzd4irboaC7bT61YvhrmLHXynq+w/TPQ65BgL0Pqhy6R4IPqJmGSCuJA40tun
gyj9khkx43mMJZnCT5yCOmFPL2Hc8r4uHiyYyPpTDvAWHdsi9j1SV1vEnGP9jKAv
C199QPJmhg1vuBOm7tyLQBHIYeBFkY/FeD6ggyR9V52NfANDdEBA1TrJXm9nRVr1
7chZkrtDrKojMQc5T23/8pe9UNVY60VE/mpQyTXxd3sHLbIb8eIVfKg8KQE0fRj3
zylesNZY9GvvNUKcMurzi73t8gldNpVntU2goy9qLRm07Kbo27pZEQxsujAvf/Yt
QkZBCAY9AgMBAAECggEAchAQKyExyMZQgq9nk0r2yGOz2GgcH34OyKFJk80lnxvS
7ZUHT3KwVQx/Zttfk2TYjZLjuwo2el0rsrQ46gDjuqKJOwZQ68XUKtl5oPTyUbBY
X2NkJ+J0Mc1BOujXoUaZMNbK8/HQkuxmZ6VYxAi/1/i0zFoO/oEmOheymfvL+kG9
Yi9o7DR8o8yHT2XAJM3sdRLb19/BdquB8vcXYvHY/X2+2uLU4vDycHZ9bFiRWfMK
bpgzH0XRsfz5/9nV42gUhPZWbKJYZnauYI4k603i5uT165chkkv4HJld5mgUMZel
U58zFE9LwGOKuQJbYkvKDj4G+vF4i9ONRMg5jNhO4QKBgQDPRALjFSFoTd5wOjef
Z2n5P307DPyix+GxbE1VRvsKpWNW/DYmVHrLX9cyZPpVPwcAla11gSoSOQ4AW3F4
8uVrL86FTPI3h4nCZje6NvLlzNvI7zmNgCVHLrtp16sub7qxRTuLJuO8V0Penka8
dpRI1npaetvwuVjNjw98NdioWQKBgQDJU2hKEbCmX+h9IfuKdOCT5gMYjii1ndC4
uUwrUf+Fy9Z0aZIIDa/TKjmVnUEd+2C4AGdWIc0p/ApzKId9o9f0RUTFv0x2fKGt
wQUE4BuvHBTQY++N6lYSEVBHOicoITbKfTQyiHimzgg19JjRaxPEoI7zla7euOtz
wD8RZisQhQKBgQCoqP14cG95AzSpOpacvnh7/PAZJ15F0EWWLT1Y0aPja+ZEmIQv
+Lrb2CezuHwE9n7qOOKoJe1oWslL/R1/gJiz+nkh/BV2nnK5oJhkjeZmnaeUASdi
QA8Vt6+GV5vS89SGAIKNn53eW1y9QSrqncvY4b869ZMYdpsO2wWM2/xsMQKBgQCU
cgaszrxlAMTJN3xky+cnxmqz+WY0/AeBnUd3jb+OJQ2cypbdj1H8rt7E3a288LSR
F+MaFFRVx7zgypqU3nGGcGjUMkir+RuxpWgQ/zoKdPc37OgeyRHrwo5h5pQmt87R
oV4SgKQNwk81kYP4ri5mRkkBfHXzTYB22eLm7mGEjQKBgB+WaIOMpgQwrewRkU17
S63jjHso3J4S21OHm748vpx3ize4JpnAkRpfpwZ9Rj+TmyOjgitJNWdV77zdiQkN
5Dv5ZjsIurrnDXMslBww37mnV7LXyDAAsyaKqSGQuikKusz45FSej82KIfr/zGv+
WbNZ+sK8mdVZoUSam+6BO9JH
-----END PRIVATE KEY-----

12
Vagrant/resources/caldera/mongod.service
View File

@@ -1,12 +0,0 @@
[Unit]
Description=High-performance, schema-free document-oriented database
After=network.target
Documentation=https://docs.mongodb.org/manual
[Service]
User=mongodb
Group=mongodb
ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf
[Install]
WantedBy=multi-user.target

27
Vagrant/resources/caldera/settings.yml
View File

@@ -1,27 +0,0 @@
auth:
key: !!binary |
QfVQNdpJt0br69u4yGYgjJYr8mlKRb8nhkzxd+XkuBt7D/JKeCUmSafJuBFY3w7oXatwSqFYKdWn
ZhVklJsZAmoPy3BEr1maTwFFfJtfav6e6JUMfPKP2SXHFW0fsyF3mdxpXtMbRrMTwnQ4TrndAtCs
E0jWC9qM/ktTga5UweS3YkDlQpWQHktgPPRC8nLk2dtGkWLuam7lfFCW93mxrNyYAAlbNQPq8/ld
DvYD+eWB8tviOh5ZcntmST4tCXXZqk6pGByWV8m7EnBRK4ffIoNmgNV5K7UrWBPEI5ZbNbHx9rSl
GNqAiA9T020MJ5qyrCl9mgZTnbmKXiUOcgpr6g==
crypto:
cert: conf/cert.pem
key: conf/key.pem
database:
host: localhost
key: !!binary |
UXFoNGMzdU1kYWJzU195ZDEybUItWnBJbEg5UnNqYndmQWJpcC1xNjFNaz0=
port: 27017
proxy:
default:
cert: ''
http: ''
https: ''
server:
host: 0.0.0.0
https: true
port: 8888
users:
- name: admin
password: caldera

36
Vagrant/scripts/install-caldera-agent.ps1
View File

@@ -1,36 +0,0 @@
# Purpose: Installs the Caldera agent on the host
Write-Host "Installing the Caldera agent..."
$url="https://192.168.38.105:8888/file/render"; $ps_table = $PSVersionTable.PSVersion;If([double]$ps_table.Major -ge 6){iex (irm -Method Post -Uri $url -Headers @{"file"="54ndc47.ps1"} -SkipCertificateCheck);}else{[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$True};$web=New-Object System.Net.WebClient;$web.Headers.Add("file","54ndc47.ps1");$resp=$web.UploadString("$url",'');iex($resp);}
If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
# Add /etc/hosts entry
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.105 logger"
# Make the directory
New-Item "c:\Program Files\cagent" -type directory
# Install Visual Studio 2015 C++ Redistributable
choco install -y vcredist2015
# Download cagent and start the service
Write-Host "Downloading Caldera Agent (cagent.exe)"
$cagentPath = "C:\Program Files\cagent\cagent.exe"
$cagentConfPath = "C:\Program Files\cagent\conf.yml"
# GitHub requires TLS 1.2 as of 2/1/2018
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
(New-Object System.Net.WebClient).DownloadFile('https://github.com/mitre/caldera-agent/releases/download/v0.1.0/cagent.exe', $cagentPath)
# Copy hardocded Caldera config from the Vagrant resources folder
Copy-Item "C:\vagrant\resources\caldera\conf.yml" $cagentConfPath -Force
If (-not (Test-Path "$cagentConfPath" )) {
Write-Host "Caldera Agent configuration failed. Unable to retrieve config from resources folder."
}
Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
} Else {
Write-Host "Caldera Agent is already installed. Moving on."
}
Start-Sleep 5
If ((Get-Service -name cagent).Status -ne "Running") {
throw "Caldera Agent service not running"
}
Write-Host "Cagent installation complete!"

7
build.ps1
View File

@@ -338,10 +338,6 @@ function download {
function post_build_checks { function post_build_checks {
Write-Host '[post_build_checks] Running Caldera Check.'
$CALDERA_CHECK = download -URL 'https://192.168.38.105:8888' -PatternToMatch '<title>CALDERA</title>'
Write-Host "[post_build_checks] Cladera Result: $CALDERA_CHECK"
Write-Host '[post_build_checks] Running Splunk Check.' Write-Host '[post_build_checks] Running Splunk Check.'
$SPLUNK_CHECK = download -URL 'https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F' -PatternToMatch 'This browser is not supported by Splunk' $SPLUNK_CHECK = download -URL 'https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F' -PatternToMatch 'This browser is not supported by Splunk'
Write-Host "[post_build_checks] Splunk Result: $SPLUNK_CHECK" Write-Host "[post_build_checks] Splunk Result: $SPLUNK_CHECK"
@@ -354,9 +350,6 @@ function post_build_checks {
$ATA_CHECK = download -URL 'https://192.168.38.103' -SuccessOn401 $ATA_CHECK = download -URL 'https://192.168.38.103' -SuccessOn401
Write-Host "[post_build_checks] ATA Result: $ATA_CHECK" Write-Host "[post_build_checks] ATA Result: $ATA_CHECK"
if ($CALDERA_CHECK -eq $false) {
Write-Warning 'Caldera failed post-build tests and may not be functioning correctly.'
}
if ($SPLUNK_CHECK -eq $false) { if ($SPLUNK_CHECK -eq $false) {
Write-Warning 'Splunk failed post-build tests and may not be functioning correctly.' Write-Warning 'Splunk failed post-build tests and may not be functioning correctly.'
} }

6
build.sh
View File

@@ -261,7 +261,6 @@ vagrant_reload_host() {
post_build_checks() { post_build_checks() {
# If the curl operation fails, we'll just leave the variable equal to 0 # If the curl operation fails, we'll just leave the variable equal to 0
# This is needed to prevent the script from exiting if the curl operation fails # This is needed to prevent the script from exiting if the curl operation fails
CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.105:8888 | grep -c '302: Found' || echo "")
SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "") SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "")
FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.105:8412 | grep -c 'Kolide Fleet' || echo "") FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.105:8412 | grep -c 'Kolide Fleet' || echo "")
ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.103 -m 2) ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.103 -m 2)
@@ -271,16 +270,13 @@ post_build_checks() {
# Associative arrays are only supported in bash 4 and up # Associative arrays are only supported in bash 4 and up
if [ "$BASH_MAJOR_VERSION" -ge 4 ]; then if [ "$BASH_MAJOR_VERSION" -ge 4 ]; then
declare -A SERVICES declare -A SERVICES
SERVICES=(["caldera"]="$CALDERA_CHECK" ["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK") SERVICES=(["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK")
for SERVICE in "${!SERVICES[@]}"; do for SERVICE in "${!SERVICES[@]}"; do
if [ "${SERVICES[$SERVICE]}" -lt 1 ]; then if [ "${SERVICES[$SERVICE]}" -lt 1 ]; then
(echo >&2 "Warning: $SERVICE failed post-build tests and may not be functioning correctly.") (echo >&2 "Warning: $SERVICE failed post-build tests and may not be functioning correctly.")
fi fi
done done
else else
if [ "$CALDERA_CHECK" -lt 1 ]; then
(echo >&2 "Warning: Caldera failed post-build tests and may not be functioning correctly.")
fi
if [ "$SPLUNK_CHECK" -lt 1 ]; then if [ "$SPLUNK_CHECK" -lt 1 ]; then
(echo >&2 "Warning: Splunk failed post-build tests and may not be functioning correctly.") (echo >&2 "Warning: Splunk failed post-build tests and may not be functioning correctly.")
fi fi