From 51b6599c39b72d99737e81f04caba1bd70419261 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Thu, 15 Oct 2020 18:52:49 -0700
Subject: [PATCH 1/4] Add WINS server config

---
 Vagrant/scripts/join-domain.ps1 | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1
index f3df98b..c9a2094 100755
--- a/Vagrant/scripts/join-domain.ps1
+++ b/Vagrant/scripts/join-domain.ps1
@@ -9,12 +9,8 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the doma
 $newDNSServers = "192.168.38.102"
 $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
 # Don't do this in Azure. If the network adatper description contains "Hyper-V", this won't apply changes.
-$adapters | ForEach-Object {if (!($_.Description).Contains("Hyper-V")) {$_.SetDNSServerSearchOrder($newDNSServers)}}
-
-# Hardcoding DNS domain name in hosts file to sidestep any DNS issues
-If (!(Select-String -Path $hostsFile -Pattern "192.168.38.102")) {
- Add-Content $hostsFile " 192.168.38.102 windomain.local"
-}
+# Specify the DC as a WINS server to help with connectivity as well
+$adapters | ForEach-Object {if (!($_.Description).Contains("Hyper-V")) {$_.SetDNSServerSearchOrder($newDNSServers); $_.SetWINSServer($newDNSServers, "")}}
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..."
 $hostname = $(hostname)
@@ -60,4 +56,4 @@ If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction Silentl
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully..."
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) We'll try again during install-red-team.ps1"
 }
-}
\ No newline at end of file
+}

From 023b9acd8d574ac56eaa369d201445bb56e29a12 Mon Sep 17 00:00:00 2001
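Review bot: The return codes of `SetDNSServerSearchOrder` and the newly added `SetWINSServer` call are discarded, so a failed DNS or WINS assignment on an adapter goes unnoticed and the script proceeds to `Add-Computer` without the name resolution it just tried to set up. Both WMI methods return an object whose `ReturnValue` is 0 on success; capturing it and logging a non-zero result in the script's existing `Write-Host` style would make the failure visible, e.g. `$r = $_.SetWINSServer($newDNSServers, ""); if ($r.ReturnValue -ne 0) { Write-Host "SetWINSServer on $($_.Description) returned $($r.ReturnValue)" }`. The hunk also deletes the only visible use of `$hostsFile`, so its assignment earlier in the file is presumably now unreferenced, and the dropped `windomain.local` hosts entry deserves a mention in the new comment because WINS resolves NetBIOS names rather than the FQDN. The second hunk only adds the missing trailing newline.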
From: Chris Long
Date: Fri, 16 Oct 2020 15:31:11 -0700
Subject: [PATCH 2/4] Fix typo

---
 Vagrant/scripts/join-domain.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1
index c9a2094..f0bc59e 100755
--- a/Vagrant/scripts/join-domain.ps1
+++ b/Vagrant/scripts/join-domain.ps1
@@ -24,7 +24,7 @@ If ($hostname -eq "wef") {
 # Attempt to fix Issue #517
 Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'WaitToKillServiceTimeout' -Value '500' -Type String -Force -ea SilentlyContinue
 New-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -Name 'AutoEndTasks' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue
-Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Power' -Name 'HiberbootEnabled' -Value 0 -PropertyType DWord -Force -ea SilentlyContinue
+Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Power' -Name 'HiberbootEnabled' -Value 0 -Type DWord -Force -ea SilentlyContinue
 } ElseIf ($hostname -eq "win10") {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'"
 #debug Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local"

From f75231b76ede81b571ad32236e4f83b70fc6afdf Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Fri, 16 Oct 2020 22:43:56 -0700
Subject: [PATCH 3/4] Fixing Issue #535

---
 Azure/Terraform/main.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Azure/Terraform/main.tf b/Azure/Terraform/main.tf
index 7e3fb0c..ebcf9c3 100644
--- a/Azure/Terraform/main.tf
+++ b/Azure/Terraform/main.tf
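Review bot: The corrected line still targets `HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Power`, but the key that holds `HiberbootEnabled` is `Session Manager` with a space, so `Set-ItemProperty` reports a missing path and the fast-startup setting is never written. Change it to `Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' -Name 'HiberbootEnabled' -Value 0 -Type DWord -Force -ea SilentlyContinue`. The `-ea SilentlyContinue` on all three registry lines is likely what let the `-PropertyType` typo and this path error go unnoticed; dropping it, or at least logging `$?` after each call, would surface the next one. The enclosing `If ($hostname -eq "wef")` block starts outside the hunk.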
@@ -266,8 +266,10 @@ resource "azurerm_virtual_machine" "logger" {
 }
 inline = [
 "sudo add-apt-repository universe && sudo apt-get -qq update && sudo apt-get -qq install -y git",
+ "sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config && sudo service ssh restart",
 "echo 'logger' | sudo tee /etc/hostname && sudo hostnamectl set-hostname logger",
 "sudo adduser --disabled-password --gecos \"\" vagrant && echo 'vagrant:vagrant' | sudo chpasswd",
+ "echo 'vagrant:vagrant' | sudo chpasswd",
 "sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh",
 "echo 'vagrant ALL=(ALL:ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers",
 "sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab",

From 0c9a096c173d39609f3d7968c33883f16e1990bb Mon Sep 17 00:00:00 2001
From: Sean Ryan
Date: Sun, 18 Oct 2020 19:08:57 -0700
Subject: [PATCH 4/4] added missing commands from bootstrap file for threathunting app to work

---
 ESXi/ansible/roles/logger/tasks/main.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml
index 89b72e2..295e052 100644
--- a/ESXi/ansible/roles/logger/tasks/main.yml
+++ b/ESXi/ansible/roles/logger/tasks/main.yml
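Review bot: The new `sed` line turns SSH password authentication back on for the Azure logger VM while the surrounding lines leave the `vagrant` account with the literal password `vagrant` and `NOPASSWD:ALL` sudo, so any host that can reach port 22 on the instance gets root-equivalent access with a published credential. The line after the `chpasswd` already copies `authorized_keys` into `/home/vagrant/.ssh`, so key-based login for `vagrant` works without this change; if password login is genuinely required for Issue #535, scope it with a `Match User vagrant` / `Match Address` stanza in sshd_config, take the password from a Terraform variable instead of a literal, and confirm the VM's NSG restricts the source range. The second added line repeats the `chpasswd` from the previous element; presumably it exists because `adduser` fails on re-provision and short-circuits the `&&` chain, in which case a short comment saying so would keep it from being removed as a duplicate. Note also that the fixed-string `sed -i` on `/etc/ssh/sshd_config` is a no-op if the directive is commented out or lives in a drop-in under `sshd_config.d`, so the restart may not change behavior on newer images.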
@@ -231,8 +231,17 @@
 sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
 fi
 
+ # Replace the props.conf for Sysmon TA and Windows TA
+ # Removed all the 'rename = xmlwineventlog' directives
+ # I know youre not supposed to modify files in "default",
+ # but for some reason adding them to "local" wasnt working
+ cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf
+ cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf
+
 # Add custom Macro definitions for ThreatHunting App
 cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
+ # Fix props.conf in ThreatHunting App
+ sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
 # Fix Windows TA macros
 mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
 cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local
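Review bot: The added `sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g'` is not idempotent: on a second run of this task the pattern also matches the already-rewritten `EVAL-host_fqdn = ComputerName` line and turns it into `ComputerNameName`, silently breaking the ThreatHunting field again. Anchor the match so it only hits the original value, `sed -i 's/EVAL-host_fqdn = Computer$/EVAL-host_fqdn = ComputerName/' /opt/splunk/etc/apps/ThreatHunting/default/props.conf`, or use Ansible's `lineinfile` or `replace` module for this one edit. The two `cp` commands overwrite `default/props.conf` in the Windows and Sysmon TAs, which the comment already admits will not survive an app upgrade; they also carry no failure check, so a missing source file under `/vagrant/resources/splunk_server/` leaves the stock props in place without stopping provisioning. The enclosing task, and whatever `set -e` handling it uses, begins before this hunk.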