diff --git a/README.md b/README.md
index 9d60ad7..e985613 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
 * Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs`
 * osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration)
 * Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
+* Mitre's [Caldera](https://github.com/mitre/caldera) server is built on the logger host and the Caldera agent gets pre-installed on all Windows hosts
 * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 * SMBv1 Auditing is enabled
@@ -84,8 +85,9 @@ Vagrant commands must be run from the "Vagrant" folder.
 ## Lab Information
 * Domain Name: windomain.local
 * Admininstrator login: vagrant:vagrant
-* Fleet login: admin:admin123#
-* Splunk login: admin:changeme
+* Fleet login: https://192.168.38.5:8412 - admin:admin123#
+* Splunk login: https://192.168.38.5:8000 - admin:changeme
+* Caldera login: https://192.168.38.5:8888 - admin:caldera
 
 ## Lab Hosts
 * DC - Windows 2016 Domain Controller
@@ -113,6 +115,7 @@ Vagrant commands must be run from the "Vagrant" folder.
 * Logger - Ubuntu 16.04
 * Splunk Enterprise
 * Fleet osquery Manager
+ * Mitre's Caldera Server
 
 ## Splunk Indexes
 Index Name | Description
@@ -127,6 +130,7 @@ wineventlog | Windows Event Logs
 * Sysmon
 * osquery
 * AutorunsToWinEventLog
+ * Caldera Agent
 * Process Monitor
 * Process Explorer
 * PsExec
@@ -193,6 +197,7 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer]
 * [Splunk](https://www.splunk.com)
 * [osquery](https://osquery.io)
 * [Fleet](https://kolide.co/fleet)
+* [Caldera](https://github.com/mitre/caldera)
 * [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f)
 * [palantir/windows-event-forwarding](http://github.com/palantir/windows-event-forwarding)
 * [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55)
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 67c4931..68604cb 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -46,6 +46,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: true
@@ -89,6 +90,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: true
@@ -128,6 +130,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 75dbd23..4d6ccec 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -1,8 +1,12 @@
 #! /bin/bash
+# Install key and apt source for MongoDB
+apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
+echo "deb http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list
+
 # Install prerequisites and useful tools
 apt-get update
-apt-get install -y jq whois build-essential git docker docker-compose unzip
+apt-get install -y jq whois build-essential git docker docker-compose unzip python3-dev python3-pip mongodb-org
 # Install Golang v1.8
 wget https://storage.googleapis.com/golang/go1.8.linux-amd64.tar.gz
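Review bot: The MongoDB signing key is imported by the 8-hex-digit short ID `EA312927` over plaintext HKP (`hkp://keyserver.ubuntu.com:80`) and the new source line uses `http://repo.mongodb.org`, so the trust of every later `mongodb-org` install rests on an unauthenticated key lookup that short IDs are known to collide on; import the key by its full fingerprint as published in MongoDB's documentation (or ship the key file under `resources/` and use `apt-key add`), confirm it afterwards with `apt-key fingerprint`, and prefer the `https://` repository URL if the mirror serves it. `sudo tee` is also inconsistent with the surrounding commands, which already run `apt-get` without `sudo`; writing the list file with plain `tee` (or a redirect) keeps the script's privilege assumption in one place. Nothing in the hunk checks the exit status of `apt-key`, so a failed import only surfaces later as an `apt-get` signature error; the rest of bootstrap.sh is outside this hunk.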
@@ -111,3 +115,27 @@ curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: http
 # Add Splunk monitors for Fleet
 /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_result" -index osquery -sourcetype 'osquery:json' -auth 'admin:changeme'
 /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme'
+
+# Install Mitre's Caldera
+cd /home/vagrant
+git clone https://github.com/mitre/caldera.git
+cd /home/vagrant/caldera/caldera
+pip3 install -r requirements.txt
+pip3 install aiohttp==2.3.8 # See https://github.com/mitre/caldera/pull/13
+# Patch sslproto https://github.com/mitre/caldera/issues/14#issuecomment-358190888
+cd /usr/lib/python3.5/asyncio
+cp /vagrant/resources/caldera/sslproto.patch .
+patch < sslproto.patch
+# Add a Systemd service for MongoDB
+# https://www.howtoforge.com/tutorial/install-mongodb-on-ubuntu-16.04/
+cp /vagrant/resources/caldera/mongod.service /lib/systemd/system/mongod.service
+# Create Systemd service for Caldera
+cp /vagrant/resources/caldera/caldera.service /lib/systemd/system/caldera.service
+# Enable replication
+echo 'replication:
+ replSetName: caldera' >> /etc/mongod.conf
+service mongod start
+cd /home/vagrant/caldera
+mkdir -p dep/crater/crater
+wget https://github.com/mitre/caldera-crater/releases/download/v0.1.0/CraterMainWin8up.exe -O /home/vagrant/caldera/dep/crater/crater/CraterMain.exe
+service caldera start
diff --git a/Vagrant/resources/caldera/caldera.service b/Vagrant/resources/caldera/caldera.service
new file mode 100644
index 0000000..9e8524d
--- /dev/null
+++ b/Vagrant/resources/caldera/caldera.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=My Script Service
+After=multi-user.target
+
+[Service]
+Type=idle
+WorkingDirectory=/home/vagrant/caldera/caldera
+ExecStart=/usr/bin/python3 caldera.py
+
+[Install]
+WantedBy=multi-user.target
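Review bot: `patch < sslproto.patch` rewrites the system interpreter's `/usr/lib/python3.5/asyncio/sslproto.py` unconditionally, so on a second provisioning run (or after an apt upgrade of python3.5 replaces the file) `patch` meets an already-applied or non-matching hunk and either prompts or leaves a `.rej` behind; `patch -N` skips an already-applied patch, and the `cd` calls before it are unguarded, so a failed `cd` would run the following commands in whatever directory the script happens to be in. Both unit files are copied into `/lib/systemd/system` and started with `service ... start` but never enabled, so they also need `systemctl daemon-reload` and `systemctl enable mongod caldera`, or neither service comes back after the logger box reboots. The `git clone` of the default branch and the `wget` of `CraterMainWin8up.exe` are unpinned and unverified; pinning the clone to a commit and checking the download against a known SHA-256 with `sha256sum -c` makes the lab build reproducible and tamper-evident. `pip3 install` as root into the system site-packages, including the forced `aiohttp==2.3.8` downgrade, can displace packages that Ubuntu's own tooling depends on; a virtualenv under `/home/vagrant/caldera` would isolate it.
```shell
# … unchanged: git clone / pip3 install …
# Patch sslproto (-N skips an already-applied patch, so re-provisioning is safe)
cd /usr/lib/python3.5/asyncio || exit 1
patch -N < /vagrant/resources/caldera/sslproto.patch
cp /vagrant/resources/caldera/mongod.service /lib/systemd/system/mongod.service
cp /vagrant/resources/caldera/caldera.service /lib/systemd/system/caldera.service
systemctl daemon-reload
systemctl enable mongod caldera
# … unchanged: replication config, service mongod start, mkdir …
wget https://github.com/mitre/caldera-crater/releases/download/v0.1.0/CraterMainWin8up.exe -O /home/vagrant/caldera/dep/crater/crater/CraterMain.exe
# placeholder: fill in the SHA-256 of the v0.1.0 release asset
echo "<SHA256-OF-CRATERMAINWIN8UP-V0.1.0>  /home/vagrant/caldera/dep/crater/crater/CraterMain.exe" | sha256sum -c - || exit 1
service caldera start
```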
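Review bot: The unit runs Caldera as root — there is no `User=` in `[Service]` — and `Description=My Script Service` is a leftover template string. Caldera appears to depend on the MongoDB instance that bootstrap.sh installs next to it (the replication config and `service mongod start` precede `service caldera start`), yet the unit only orders itself `After=multi-user.target`, so on boot it can start before `mongod` is listening; ordering it after `mongod.service` and running it under a dedicated unprivileged account, with the checkout chowned to that account in bootstrap.sh, keeps a fault in the attack-simulation server from being a root process on the logger host.
```ini
[Unit]
Description=MITRE Caldera server
After=network.target mongod.service
Wants=mongod.service

[Service]
Type=idle
# dedicated unprivileged account; bootstrap.sh must chown /home/vagrant/caldera to it
User=caldera
WorkingDirectory=/home/vagrant/caldera/caldera
ExecStart=/usr/bin/python3 caldera.py
# … unchanged: [Install] section …
```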
diff --git a/Vagrant/resources/caldera/mongod.service b/Vagrant/resources/caldera/mongod.service
new file mode 100644
index 0000000..5a726a1
--- /dev/null
+++ b/Vagrant/resources/caldera/mongod.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=High-performance, schema-free document-oriented database
+After=network.target
+Documentation=https://docs.mongodb.org/manual
+
+[Service]
+User=mongodb
+Group=mongodb
+ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/Vagrant/resources/caldera/sslproto.patch b/Vagrant/resources/caldera/sslproto.patch
new file mode 100644
index 0000000..66c1e76
--- /dev/null
+++ b/Vagrant/resources/caldera/sslproto.patch
@@ -0,0 +1,14 @@
+--- sslproto.py 2018-01-17 08:00:50.567571454 +0000
++++ sslproto.py.new 2018-01-17 08:03:31.996275969 +0000
+@@ -533,8 +533,10 @@
+ def _get_extra_info(self, name, default=None):
+ if name in self._extra:
+ return self._extra[name]
+- else:
++ elif self._transport is not None:
+ return self._transport.get_extra_info(name, default)
++ else:
++ return default
+
+ def _start_shutdown(self):
+ if self._in_shutdown:
diff --git a/Vagrant/scripts/install-caldera-agent.ps1 b/Vagrant/scripts/install-caldera-agent.ps1
new file mode 100644
index 0000000..9ab10f2
--- /dev/null
+++ b/Vagrant/scripts/install-caldera-agent.ps1
@@ -0,0 +1,26 @@
+# Purpose: Installs the Caldera agent on the host
+
+# Add /etc/hosts entry
+Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 logger"
+
+# Make the directory
+New-Item "c:\Program Files\cagent" -type directory
+
+# Install Visual Studio 2015 C++ Redistributable
+choco install -y vcredist2015
+
+# Download cagent and start the service
+If (-not (Test-Path "C:\Program Files\cagent\cagent.exe")) {
+ Write-Host "Downloading Caldera Agent (cagent.exe)"
+ $cagentPath = "C:\Program Files\cagent\cagent.exe"
+ $cagentConfPath = "C:\Program Files\cagent\conf.yml"
+ (New-Object System.Net.WebClient).DownloadFile('https://github.com/mitre/caldera-agent/releases/download/v0.1.0/cagent.exe', $cagentPath)
+ # Ignore SSL warning for conf file download
+ # https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
+ [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
+ Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
+ Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
+} Else {
+ Write-Host "Caldera Agent is already installed. Moving on."
+}
+Write-Host "Cagent installation complete!"
diff --git a/Vagrant/scripts/install-sysinternals.ps1 b/Vagrant/scripts/install-sysinternals.ps1
index 7885e14..20379b4 100755
--- a/Vagrant/scripts/install-sysinternals.ps1
+++ b/Vagrant/scripts/install-sysinternals.ps1
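Review bot: Assigning `ServerCertificateValidationCallback = {$true}` turns off TLS certificate validation for every later HTTPS request in this PowerShell process, not only the `conf.yml` download on the same line, and nothing restores it; reset it to `$null` in a `Finally` right after that download, or better, trust the lab CA or pin the logger's certificate instead of accepting any certificate. The `cagent.exe` fetched from GitHub is not compared against a known hash before the `--startup auto install` arguments register it as an auto-starting service, so a pinned SHA-256 checked with `Get-FileHash` would make the install verifiable. The script is also not safe to re-run: `Add-Content` appends a second hosts entry on every provisioning pass and `New-Item` without `-Force` reports an error once the directory exists.
```powershell
# Add /etc/hosts entry (only if not already present)
$hostsPath = "c:\windows\system32\drivers\etc\hosts"
If (-not (Select-String -Path $hostsPath -Pattern "192\.168\.38\.5\s+logger" -Quiet)) {
  Add-Content $hostsPath " 192.168.38.5 logger"
}

# Make the directory (no error on re-provision)
New-Item "c:\Program Files\cagent" -type directory -Force | Out-Null

# … unchanged: choco install, Test-Path guard, $cagentPath / $cagentConfPath …
  (New-Object System.Net.WebClient).DownloadFile('https://github.com/mitre/caldera-agent/releases/download/v0.1.0/cagent.exe', $cagentPath)
  # Verify the pinned release hash before the binary is installed as a service
  $expectedHash = "<SHA256-OF-CAGENT-V0.1.0-RELEASE>"   # placeholder: fill in from the release
  If ((Get-FileHash -Algorithm SHA256 $cagentPath).Hash -ne $expectedHash) { Throw "cagent.exe hash mismatch" }
  # Accept the lab's self-signed cert for this one download only, then restore validation
  [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
  Try {
    (New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
  } Finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
  }
  # … unchanged: Start-Process install / start …
```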
@@ -38,6 +38,9 @@ Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon
 # Convert Sysmon config schema from 3.30 to 4.0 per GitHub Issue #38
 (Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
+# Convert Schema from 3.30 to 4.0 per GitHub Issue #38
+(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
+
 # Startup Sysmon
 Write-Host "Starting Sysmon..."
 Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1
index 894abb5..009294f 100755
--- a/Vagrant/scripts/join-domain.ps1
+++ b/Vagrant/scripts/join-domain.ps1
@@ -18,7 +18,7 @@ $DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
 If ($hostname -eq "wef") {
 Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru
 } ElseIf ($hostname -eq "win10") {
- Write-Host "Adding Win10 to the domain. Sometimes this step times out when using VMWare. If that happens, just run 'vagrant reload win10 --provision'" #debug
+ Write-Host "Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'" #debug
 Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local"
 } Else {
 Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru
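Review bot: The three added lines in install-sysinternals.ps1 repeat the schema conversion that is already present two lines above them in the hunk's context — the same comment and the same `(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath` pipeline — so the new block is a no-op duplicate that reads and rewrites the config a second time. Drop the added lines, or if the intent was to reword the existing comment, edit that line in place rather than adding a copy.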