diff --git a/Azure/Ansible/roles/common/tasks/main.yml b/Azure/Ansible/roles/common/tasks/main.yml
index 0ddd5a6..d157421 100644
--- a/Azure/Ansible/roles/common/tasks/main.yml
+++ b/Azure/Ansible/roles/common/tasks/main.yml
@@ -27,6 +27,15 @@
 - debug: msg="{{ sysinternals.stdout_lines }}"
 
+- name: Installing Velociraptor
+ win_shell: ".\\install-velociraptor.ps1"
+ args:
+ chdir: 'c:\vagrant\scripts'
+ register: velociraptor
+ failed_when: "'Exception' in velociraptor.stdout"
+
+- debug: msg="{{ velociraptor.stdout_lines }}"
+
 - name: Installing AutorunsToWineventlog
+ win_shell: ".\\install-autorunstowineventlog.ps1"
+ args:
diff --git a/ESXi/ansible/roles/common/tasks/main.yml b/ESXi/ansible/roles/common/tasks/main.yml
index f8e694e..029e26c 100644
--- a/ESXi/ansible/roles/common/tasks/main.yml
+++ b/ESXi/ansible/roles/common/tasks/main.yml
@@ -27,6 +27,15 @@
 - debug: msg="{{ sysinternals.stdout_lines }}"
 
+- name: Installing Velociraptor
+ win_shell: ".\\install-velociraptor.ps1"
+ args:
+ chdir: 'c:\vagrant\scripts'
+ register: velociraptor
+ failed_when: "'Exception' in velociraptor.stdout"
+
+- debug: msg="{{ velociraptor.stdout_lines }}"
+
 - name: Installing AutorunsToWineventlog
+ win_shell: ".\\install-autorunstowineventlog.ps1"
+ args:
diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml
index 9f26597..96f0148 100644
--- a/ESXi/ansible/roles/logger/tasks/main.yml
+++ b/ESXi/ansible/roles/logger/tasks/main.yml
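Review bot: `failed_when: "'Exception' in velociraptor.stdout"` on the new task replaces Ansible's default rc-based failure test, so when install-velociraptor.ps1 ends with its `Throw` (which it does when the service is not running) the script presumably exits non-zero with the message on the error stream and this task still reports success. Keep the return code in the condition: `failed_when: "velociraptor.rc != 0 or 'Exception' in velociraptor.stdout"`. The ESXi/ansible/roles/common/tasks/main.yml hunk that follows adds the identical task and needs the same change.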
@@ -387,6 +387,14 @@
 suricata-update enable-source et/open
 suricata-update enable-source ptresearch/attackdetection
 
+ # Configure the Splunk inputs
+ mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
+ crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata
+ crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
+ crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
+ crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0
+ crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0
+
 # Update suricata and restart
 suricata-update
 service suricata stop
@@ -425,10 +433,6 @@
 shell: |
 # Environment variables
 NODECFG=/opt/zeek/etc/node.cfg
- SPLUNK_ZEEK_JSON=/opt/splunk/etc/apps/Splunk_TA_bro
- SPLUNK_ZEEK_MONITOR='monitor:///opt/zeek/spool/manager'
- SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
- SPLUNK_SURICATA_SOURCETYPE='json_suricata'
 export PATH=$PATH:/opt/zeek/bin
 pip install zkg==2.1.1
 zkg refresh
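Review bot: The new SplunkLightForwarder/local directory and inputs.conf are created by `mkdir -p ... && touch ...` as whatever user runs the provisioner and are never chown'd, while the Zeek hunk later in this file does `chown -R splunk:splunk` on Splunk_TA_bro before restarting Splunk; if splunkd runs as the splunk user, as that chown suggests, the Suricata inputs stanza may be unreadable or unwritable by it. Add `chown -R splunk:splunk /opt/splunk/etc/apps/SplunkLightForwarder` after the props.conf line. Also note the inputs stanza sets `sourcetype suricata:json` but the props.conf TRUNCATE override targets stanza `json_suricata`; this mismatch is carried over from the removed `SPLUNK_SURICATA_SOURCETYPE` variable in the next hunk, so confirm which sourcetype name the Splunk app actually expects. The enclosing `shell: |` block starts before this hunk.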
@@ -474,22 +478,16 @@
 systemctl enable zeek
 systemctl start zeek
 
- mkdir -p $SPLUNK_ZEEK_JSON/local
- cp $SPLUNK_ZEEK_JSON/default/inputs.conf $SPLUNK_ZEEK_JSON/local/inputs.conf
-
- crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek
- crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json
- crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$'
- crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$'
- crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0
- crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
- crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json
- crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
- crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
- crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
+ # Configure the Splunk inputs
+ mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf
+ crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek
+ crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json
+ crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$'
+ crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$'
+ crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0
 
 # Ensure permissions are correct and restart splunk
- chown -R splunk $SPLUNK_ZEEK_JSON
+ chown -R splunk:splunk /opt/splunk/etc/apps/Splunk_TA_bro
 /opt/splunk/bin/splunk restart
 
 # Verify that Zeek is running
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 28295dc..2b61768 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -68,6 +68,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false
@@ -138,6 +139,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
 cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
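Review bot: The path `/opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf` is now spelled out six times in the added lines where the removed `$SPLUNK_ZEEK_JSON`/`$SPLUNK_ZEEK_MONITOR` variables let the block be read at a glance; a single local such as `ZEEK_INPUTS=/opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf` would keep the readability without the removed indirection. The block is also a copy of the one in Vagrant/bootstrap.sh's `install_zeek` (visible in the @@ -351 hunk below), so the two are now likely to drift; a comment naming the counterpart would help. The `touch` replaces the removed `cp .../default/inputs.conf .../local/inputs.conf`, which means the app's defaults no longer seed local/inputs.conf; confirm that is intended. The enclosing `shell: |` block begins before this hunk.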
@@ -198,6 +200,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
 cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 6a9c6ab..330268f 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -351,7 +351,7 @@ install_zeek() {
 crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0
 
 # Ensure permissions are correct and restart splunk
- chown -R splunk /opt/splunk/etc/apps/Splunk_TA_bro
+ chown -R splunk:splunk /opt/splunk/etc/apps/Splunk_TA_bro
 /opt/splunk/bin/splunk restart
 
 # Verify that Zeek is running
@@ -361,6 +361,35 @@ install_zeek() {
 fi
 }
 
+install_velociraptor() {
+ echo "[$(date +%H:%M:%S)]: Installing Velociraptor..."
+ mkdir /opt/install_velociraptor
+ echo "[$(date +%H:%M:%S)]: Attempting to determine the URL for the latest release of Velociraptor"
+ LATEST_VELOCIRAPTOR_LINUX_URL=$(curl -sL https://github.com/Velocidex/velociraptor/releases/latest | grep 'linux-amd64' | grep -Eo "/(?[^\"]+)" | grep amd | sed 's#^#https://github.com#g')
+ echo "[$(date +%H:%M:%S)]: The URL for the latest release was extracted as $LATEST_VELOCIRAPTOR_LINUX_URL"
+ echo "[$(date +%H:%M:%S)]: Attempting to download..."
+ wget -P /opt/velociraptor "$LATEST_VELOCIRAPTOR_LINUX_URL"
+ if [ "$(file velociraptor*linux-amd64 | grep -c 'ELF 64-bit LSB executable')" -eq 1 ]; then
+ echo "[$(date +%H:%M:%S)]: Velociraptor successfully downloaded!"
+ else
+ echo "[$(date +%H:%M:%S)]: Failed to download the latest version of Velociraptor. Please open a DetectionLab issue on Github."
+ return
+ fi
+
+ mv velociraptor-*-linux-amd64 velociraptor
+ chmod +x velociraptor
+ cp /vagrant/resources/velociraptor/server.config.yaml /opt/velociraptor
+ echo "[$(date +%H:%M:%S)]: Creating Velociraptor dpkg..."
+ ./velociraptor --config ~/server.config.yaml debian server
+ echo "[$(date +%H:%M:%S)]: Installing the dpkg..."
+ if dpkg -i velociraptor_*_server.deb > /dev/null; then
+ echo "[$(date +%H:%M:%S)]: Installation complete!"
+ else
+ echo "[$(date +%H:%M:%S)]: Failed to install the dpkg"
+ return
+ fi
+}
+
 install_suricata() {
 # Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts from Windows
 echo "[$(date +%H:%M:%S)]: Installing Suricata..."
@@ -450,6 +479,7 @@ install_guacamole() {
 postinstall_tasks() {
 # Include Splunk and Zeek in the PATH
 echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
+ echo "export SPLUNK_HOME=/opt/splunk" >>~/.bashrc
 # Ping DetectionLab server for usage statistics
 curl -s -A "DetectionLab-logger" "https://detectionlab.network/logger"
 }
@@ -463,6 +493,7 @@ main() {
 install_fleet
 download_palantir_osquery_config
 import_osquery_config_into_fleet
+ install_velociraptor
 install_suricata
 install_zeek
 install_guacamole
diff --git a/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_700.tgz b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_700.tgz
new file mode 100644
index 0000000..5027116
Binary files /dev/null and b/Vagrant/resources/splunk_server/splunk-add-on-for-microsoft-windows_700.tgz differ
diff --git a/Vagrant/resources/velociraptor/Velociraptor.config.yaml b/Vagrant/resources/velociraptor/Velociraptor.config.yaml
new file mode 100644
index 0000000..7782db2
--- /dev/null
+++ b/Vagrant/resources/velociraptor/Velociraptor.config.yaml
@@ -0,0 +1,54 @@ +version: + name: velociraptor + version: 0.4.5 + commit: 17e0f0f + build_time: "2020-06-12T09:39:50+10:00" +Client: + server_urls: + - https://logger:9000/ + ca_certificate: | + -----BEGIN CERTIFICATE----- + MIIDKjCCAhKgAwIBAgIQJpjTbn3lIQ0+ApCGFx65ZDANBgkqhkiG9w0BAQsFADAa + MRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwHhcNMjAwNjMwMDAxNTUyWhcNMzAw + NjI4MDAxNTUyWjAaMRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwggEiMA0GCSqG + SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC85kV1Bq7AmCHEgPItAzKtdbmF/4usy9YH + KY1uSCo5i2wCpxGu+kyoyMd9REjXnfLvPxpSkeoV7uAPPiVnzWD43Du2f3b0Kh5x + ppTYH0pb60NVV5KqQd3HI0Gssa5VYqLRjSeb7SN/JNxRjWeVG0VpX9vDTlWcTJ11 + n9/ZP3eYnPIuNmHdAiYe0EbN1Cbmkh6VFALofYnbHC5qqdq1aHtI4jvquqYoCYgc + y0b3GN00tuYLG7huu+G9Ng99aFjEfCD84eI//S2rLn/JaTHsYiqay+WDWHSwo0+4 + nMuUtolMdvP5R/rOPNG7NuU/8lg8zgql+baZIFENlSohkQpetg8NAgMBAAGjbDBq + MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw + DwYDVR0TAQH/BAUwAwEB/zAoBgNVHREEITAfgh1WZWxvY2lyYXB0b3JfY2EudmVs + b2NpZGV4LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAmA1PR5GM/c4l0POFaZLdkVXC + LSMmPJaCu4TihgxtG+/noTR7fDiCWdjcS93Pc3YYMYYmFmZ86iwbOK3sFT8HWoFA + X03IyJyWKOAdgYioXYWoXjKI8QCFEVtYnZaxkI9On4zlYntadjJS/s8cFXlU2koZ + mF6YWQdC5wbA45FyUyCCbBQLlm91KejZK+8BvHkMvSfUWk0WIYV4bHH1MkEg/csU + /mw6N81dnaUZ7tWbPxGdtbY9+xTboygx7DlghykcI5wuWXJxm5K1vNj9dvCF4cUw + OuTkZ6ekn+anNLHBOs4u01kSplR++Jjf2rzlpkDN/ei4yJCkyM00MtbyTzM5zA== + -----END CERTIFICATE----- + nonce: fvKPYbt+0n0= + writeback_darwin: /etc/velociraptor.writeback.yaml + writeback_linux: /etc/velociraptor.writeback.yaml + writeback_windows: $ProgramFiles\Velociraptor\velociraptor.writeback.yaml + max_poll: 60 + windows_installer: + service_name: Velociraptor + install_path: $ProgramFiles\Velociraptor\Velociraptor.exe + service_description: Velociraptor service + darwin_installer: + service_name: com.velocidex.velociraptor + install_path: /usr/local/sbin/velociraptor + version: + name: velociraptor + version: 0.4.5 + commit: 17e0f0f + build_time: "2020-06-12T09:39:50+10:00" + 
use_self_signed_ssl: true + pinned_server_name: VelociraptorServer + max_upload_size: 5242880 + local_buffer: + memory_size: 52428800 + disk_size: 1073741824 + filename_linux: /var/tmp/Velociraptor_Buffer.bin + filename_windows: $TEMP/Velociraptor_Buffer.bin + filename_darwin: /var/tmp/Velociraptor_Buffer.bin \ No newline at end of file diff --git a/Vagrant/resources/velociraptor/server.config.yaml b/Vagrant/resources/velociraptor/server.config.yaml new file mode 100644 index 0000000..9779064 --- /dev/null +++ b/Vagrant/resources/velociraptor/server.config.yaml 
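Review bot: The committed client config pins `version: 0.4.5` (twice, under the top-level `version` and again under `Client.version`) while both installers in this commit fetch the latest release (the `releases/latest` lookup in bootstrap.sh and the `[0].tag_name` lookup in install-velociraptor.ps1), so the config and the binary it is dropped next to will diverge as soon as a newer release ships; either pin the downloads to the same tag or regenerate the config at provision time. `server_urls: https://logger:9000/` only resolves because install-velociraptor.ps1 adds a `192.168.38.105 logger` hosts entry, which is worth a comment here since nothing in this file says so. The file also lacks a trailing newline and a leading `---`.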
@@ -0,0 +1,175 @@ +version: + name: velociraptor + version: 0.4.5 + commit: 17e0f0f + build_time: "2020-06-12T09:39:50+10:00" +Client: + server_urls: + - https://logger:9000/ + ca_certificate: | + -----BEGIN CERTIFICATE----- + MIIDKjCCAhKgAwIBAgIQJpjTbn3lIQ0+ApCGFx65ZDANBgkqhkiG9w0BAQsFADAa + MRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwHhcNMjAwNjMwMDAxNTUyWhcNMzAw + NjI4MDAxNTUyWjAaMRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwggEiMA0GCSqG + SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC85kV1Bq7AmCHEgPItAzKtdbmF/4usy9YH + KY1uSCo5i2wCpxGu+kyoyMd9REjXnfLvPxpSkeoV7uAPPiVnzWD43Du2f3b0Kh5x + ppTYH0pb60NVV5KqQd3HI0Gssa5VYqLRjSeb7SN/JNxRjWeVG0VpX9vDTlWcTJ11 + n9/ZP3eYnPIuNmHdAiYe0EbN1Cbmkh6VFALofYnbHC5qqdq1aHtI4jvquqYoCYgc + y0b3GN00tuYLG7huu+G9Ng99aFjEfCD84eI//S2rLn/JaTHsYiqay+WDWHSwo0+4 + nMuUtolMdvP5R/rOPNG7NuU/8lg8zgql+baZIFENlSohkQpetg8NAgMBAAGjbDBq + MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw + DwYDVR0TAQH/BAUwAwEB/zAoBgNVHREEITAfgh1WZWxvY2lyYXB0b3JfY2EudmVs + b2NpZGV4LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAmA1PR5GM/c4l0POFaZLdkVXC + LSMmPJaCu4TihgxtG+/noTR7fDiCWdjcS93Pc3YYMYYmFmZ86iwbOK3sFT8HWoFA + X03IyJyWKOAdgYioXYWoXjKI8QCFEVtYnZaxkI9On4zlYntadjJS/s8cFXlU2koZ + mF6YWQdC5wbA45FyUyCCbBQLlm91KejZK+8BvHkMvSfUWk0WIYV4bHH1MkEg/csU + /mw6N81dnaUZ7tWbPxGdtbY9+xTboygx7DlghykcI5wuWXJxm5K1vNj9dvCF4cUw + OuTkZ6ekn+anNLHBOs4u01kSplR++Jjf2rzlpkDN/ei4yJCkyM00MtbyTzM5zA== + -----END CERTIFICATE----- + nonce: fvKPYbt+0n0= + writeback_darwin: /etc/velociraptor.writeback.yaml + writeback_linux: /etc/velociraptor.writeback.yaml + writeback_windows: $ProgramFiles\Velociraptor\velociraptor.writeback.yaml + max_poll: 60 + windows_installer: + service_name: Velociraptor + install_path: $ProgramFiles\Velociraptor\Velociraptor.exe + service_description: Velociraptor service + darwin_installer: + service_name: com.velocidex.velociraptor + install_path: /usr/local/sbin/velociraptor + version: + name: velociraptor + version: 0.4.5 + commit: 17e0f0f + build_time: "2020-06-12T09:39:50+10:00" + use_self_signed 
+ BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEB + AEohrNAKjUcq2wNIiPX6tCRDLbzRB/qmf+GBbpslRTa7RQVvFOgtUVYejcnMYUBG + LEmL+uxACJNliCqjo76OkIPUbKj32CrKGU8Jj/dKCAK5PQW1kDEhdes61RA5TuAz + W/HC9iEuNHAZLmvjnoIOxM+tZgaf/KdOGWyyZaFKD+d+ojd9Y4I/FDXpng3DB26Q + xzS/vAKMrYq4LOnPtDdbJpUrVgm8Rw2T9oiV8aZxSR+EenjfvLywMRM4nJ8l1W4n + jJDmNzWmEHxShhCL7DEdnrFbq/HttI56b8L3CYqDZ5P5J3xTVchX6J2x71YrKRv1 + 7AaFjAISs3AbF0AOJ0PEbMQ= + -----END CERTIFICATE----- + gw_private_key: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAl73NRkhNSd/kU13Jm7Vyua3mRsnUUii1jVFtdNW1j52Fm1Y1 + 3NSotSeQ3Mro9Pak2UkUYq/DVLzT1v/NEXXMhxAQqeVl+3ei4V3RfHTDG2afBqW2 + m65/FFNHjRVTPsQ7CSJQdoxOcxINC3lStFojFLTpzvXZLJ9ID+vNkUjAGZY9QO5O + X2LyIIcWIKl3mGSN3TtLhGz276NSKIVwfXHSAIa1JbDKtgvwcImcmnL4ziPWuSO9 + cVBW+jLIhn9PFl2+BauYWX/LvO4cZivCzPAqgvjJ4ETAURQlTDwkyAQlEH7h67Ti + JyZ+YZSEBA1cElRHsUscbK89gfTGx3VUyOfiLwIDAQABAoIBADj567oYK+0xRGqJ + LMpqt0lBItYxsqem4YTOrmrQU/w5CZHqLQ9eSnq7AInnJtHUStHLvvvPQ2jt/h0c + r8N+l+2e+qLQoBpsMZytvZsdvKTtQ4kbcBXEz7KyEovHFhrbU896MvxQcqSCgqNs + SsGtlr6Pr7smVQWMSWKxB98lkfwI+bMT8MLInDqjiUUtF/UCrz94CJKorSkWJpYW + rswOYoWK4XwmimZIsjH3mszLCItxL2blaX0plGzyT+K18kX4TKwCdLiaNVywHhLY + PoYq3Sc++vqthzCMJzckpYvq2mZgZ4vAO/spOE3aoDyceh0DkPEu5BF86WjBmpQS + vDM89QECgYEAw9uL+7NIZKoJhyv2yLTIHPinuIqWm1L6EqMtYAz7TZZzQqeS2CMN + JJL+pRyH+lZzREMloB3dtKPg7HRS9czY+kJGUiEcZdlX8oQDvN0/5plelCXt/YMc + 5p/E/j2EGDGv5XvCOzdtux22ckiNtdVT1YwptY1vcPJQdhWykwIQsdMCgYEAxlZC + /YvhoxFKlYXxTFQv3w9x3hmdxEpmgU7G3nnQP6Eyqq34mDmUWLzRE2jicxTiOlMn + jnwyM5SAf6OW/cg+VDJtQZxvke0vBOaVsw+MnEaFjAPSP1RBkTLVZUlqA16yNjxE + dwv20AIW2TsIkVVT28qVXOGRvtpuBJFUuw58OLUCgYANAw7/v991YJ6VbmRM3UXW + Nubdqcdrtk2K43BmSzZ+5xntObjVxy5eWa21Rnn6Nbgett9PDezmzWRqEShZ0Cwy + JCkL18tNMO1Y3VBqQcC3D0VrTkHLb+SBpeeuhGO8P8DR3DEBQiN2JPk0CoHvrKaP + L2qt9yGKPW7/CV39yktVpQKBgQCnb18yaIpdfVV3kRG5nEClkIZSN1HmyeBrPTPJ + 0RArB0ycpi19ZO6FUzE1r4+sE29ASb7VHKfMv4sTNelb6VYlAkUV5JiTmqXc/0RV + W8UakLZhE0DE0b5gc4eO8EEdAy5zdsFdtq3vwDPFw35iIqSeohEhzhOaCRBjrsTW + 
/U2FGQKBgGd5tkj+2epytsXjJ5akjpLFrNafNyrm6A1ereo2vA3qU8KBeXW9yzmg + 4OuFkXh/saxcpumV/tgpdsdm6XZja7NhL26UxCMyecxbDMkHz4021beaW2xZnm9z + Za/VZdQOw217z20LYILOaPjH4Xsp9k3n8wQ+jq6yFCalbVSrFjfA + -----END RSA PRIVATE KEY----- + internal_cidr: + - 127.0.0.1/12 + - 192.168.0.0/16 + initial_users: + - name: admin + password_hash: 490d3f018f6f7ae2a7b2c839607d08098f07caa3e5d4ed451ce7e81d3ece1e33 + password_salt: e32a6323b44a688cf277fec0d8a1f5cf21b2564a192289b1fcb7cad0f81360c9 +CA: + private_key: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAvOZFdQauwJghxIDyLQMyrXW5hf+LrMvWBymNbkgqOYtsAqcR + rvpMqMjHfURI153y7z8aUpHqFe7gDz4lZ81g+Nw7tn929CoecaaU2B9KW+tDVVeS + qkHdxyNBrLGuVWKi0Y0nm+0jfyTcUY1nlRtFaV/bw05VnEyddZ/f2T93 + hqlW3q6Pzs9bgTPybKRbWO9wszuzodwe2de70CHQUTp3tdvgUhYLdDqZb+n7cqpq + 1JIqVoc2PBIdKpFWRPYTn0o1sGMnZb5c+V6y2BLt1LL8bwmmJeB0UNq4U7YAuV5w + MVIDAoGAGlYxLpCS8cv6TAwOxonJmC3EPAuvnF7SCzgfX1eB9PXL09jiMyq73V7U + ev0prSLunj56eI9hiA2Bv+QCP6+gjrijuQjuvPdW9P+ybxxy4Cl5+Mdqg7ZTf8UO + ewNfKk3/11/QbvmUsGWYvVPNExryBRumSKuh7Av0I+6xVc+cwUE= + -----END RSA PRIVATE KEY----- +Frontend: + hostname: logger + bind_address: 0.0.0.0 + bind_port: 9000 + certificate: | + -----BEGIN CERTIFICATE----- + MIIDGDCCAgCgAwIBAgIRALbVSS1itQp9RsDmjJ3YECowDQYJKoZIhvcNAQELBQAw + GjEYMBYGA1UEChMPVmVsb2NpcmFwdG9yIENBMB4XDTIwMDYzMDAwMTU1MloXDTIx + MDYzMDAwMTU1MlowNDEVMBMGA1UEChMMVmVsb2NpcmFwdG9yMRswGQYDVQQDExJW + ZWxvY2lyYXB0b3JTZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB + AQCj2FgejZ4sb3CTDq/Ka0N/CBbwxbBXJMdoWDSG2ZB8HoJOETAIOwQkKQqaivn1 + OtHU6lnxFKxJtD/s1GBkf2XpNOnaLJDY5PB74ZfLnBjGtaGoi+LVyjVv3ee3vKdD + yqnC0ew8ck4i2MiRR5v1Ho1TwohMsthHU4MyDjvbDMyNK1hlu5s9DsV/PYg6sdEN + aUcFG3ZG07g7b+u8/AUGSFMXXWw9hPj0AKz3Fat91A2BJE9NmLnpFXBUAKjfSGjo + NL50ETpc7GDt0iJ8si8WQP/Gj5znDW7hcvczfYq6xdE05Xo4rOLAvWxf+cOjGRk2 + mbtjHBdjfSwNIxZ8xErk4QuLAgMBAAGjPzA9MA4GA1UdDwEB/wQEAwIFoDAdBgNV + HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG + 9w0BAQsFAAOCAQEArlVw9RRIC5J0eiZ4nETe+IO3xBz3uRuPM8R906cVg/vicUnv + 
DX6GGkq6GoQVpq5WcEObUt2kSPpyJZCNSRGNzeRI7VztmfJN+Gj5AZbSV1lUqHe/ + ZmZ6Lcy03ZDs/WPUw5mHwerADDqN8w+yFKyQGXhoY3oH9MrvF9loiBiwAMHVBNkz + q54zQdpGURYLl34haZqHvmyrZGiAYxUMifT1MybXAiD4vQ0lmmgBgGW3DAeXZByU + UpKtEjA6JqJPB9EeZ7bbKYTvg7ZGyRF26ii90srfPZRI7IBGlPbRTjQqEIstfHH8 + pfZ0QGAR8d6qfaCaySkEYX+aQpjwN+t9tBDp8g== + -----END CERTIFICATE----- + private_key: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAo9hYHo2eLG9wkw6vymtDfwgW8MWwVyTHaFg0htmQfB6CThEw + CDsEJCkKmor59TrR1OpZ8RSsSbQ/7NRgZH9l6TTp2iyQ2OTwe+GXy5wYxrWhqIvi + 1co1b93nt7ynQ8qpwtHsPHJOItjIkUeb9R6NU8KITLLYR1ODMg472wzMjStYZbub + PQ7Ffz2IOrHRDWlHBRt2RtO4O2/rvPwFBkhTF11sPYT49ACs9xWrfdQNgSRPTZi5 + 6RVwVACo30ho6DS+dBE6XOxg7dIifLIvFkD/xo+c5w1u4XL3M32KusXRNOV6OKzi + wL1sX/nDoxkZNpm7YxwXY30sDSMWfMRK5OELiwIDAQABAoIBAQCZ0UN4+47hPIW9 + KW6TY/vryFZxF8ajKR4jsZsudhYU0DeYvr4PHAiZQgZ4a7yaIuxXLOPfVn8gep4A + 4qjT8F5mf4yDjI83cEbspi9xsUv5UQ9BQoJkHv/n07X0YqHNHPgetCFJ5i3AvTAe + Y9HgXxxi5CA9kTFGVPq4BXDgBrYKWISLUn4YEBjrVAU2H5q9umvYX4T7sL8FB7cz + jPFpSRu7zD5rm0D2pZXc/Jiv7wp5iGiFpxaq4Gg4pLsj/bBW8z390id1kS/2KCcc + qdoJNrV9Kx48tYx3IC1hUEp8v+Fcu9MVC//EhQPjzbtCpFL7HfrWcou5Tmj/z4Zl + +dT2v3vxAoGBAMyC7BbWEbdc/YiYyQW8xT70evcccysWi4FSiJfUYJNu1nAdQtzL + e2l24YKVUWx4W1top6T690/lqL82G/0EUNBywTfqBwxrwGyDuiNsWDiQnDn9jNY+ + l/SZcrm6OhiVXQxOFOsxy+F+nZG9eIFsEA9/I0nNYrUcnpQAuyxr6N09AoGBAM0Y + aiLz+2Ul0OsgkgD1mL/DSbAGgwZvAIrBxy4oP/zRpRM+iKzuWYXUoBXIZeR+7r3C + 8OF17nJ6fTYgNBWXdzpaJ3xnfg9ZatKN20Qp3ESLTcEH9ekUPn5p8920e+r3gT19 + JpBkbL5L7eDTWKdOG6JNWhl473CyhNVYeeHdAKhnAoGAM93cXGpMMfHOhw8gpGjc + qXu9l+BKQRpFpTW2WLNPDvUkQ2jYZUDh+rxgswqFjPn1SXiAU/ImOMgpBN2HOaMX + j9YatMCQqxDEy4CY+5Tlxuq+BGMOjeNwDGPCWeImC8gNwionWgLWD0laUvT3k/NB + G30GCRiiuQYaHbUVw01W0I0CgYA4JUfg+7PFk92mkIsHsjQ3wuloQ9AYsciPM88o + JqKlvmqXYxYdaT6esX+Flw+1xr3quvQgdJ1rP3cJmzVG9+kO02Fd4CMVZqAkterh + tSf0p8IIZvp97SnSh4TYG7GUuF7sC1fETYmrarPbSWBKpMpR2yUgNggubOCKWyc6 + mrq0XwKBgAIf2gArbJbJGfAX0R7ncOIXAmSOqI9d2gVAcHISLrNG/jbebjBnCPsI + BDhYKebOJ5qJNQeNnD3FssFrYVC+BggHB86Q0vkqzTGmFPYG/L2Iz6ROm1WeRPY/ + 
tZgsrKTDJ+G4aOH6tSXPX9ZKLcZ9Jz+p9X7NFnvWklOctQ9q12Yz + -----END RSA PRIVATE KEY----- + max_upload_size: 10485760 + dyn_dns: {} + default_client_monitoring_artifacts: + - Generic.Client.Stats + expected_clients: 10000 + GRPC_pool_max_size: 100 + GRPC_pool_max_wait: 60 +Datastore: + implementation: FileBaseDataStore + location: /opt/velociraptor + filestore_directory: /opt/velociraptor +Writeback: {} +Mail: {} +Logging: + output_directory: /opt/velociraptor/logs + separate_logs_per_component: true +Monitoring: + bind_address: 127.0.0.1 + bind_port: 8003 +api_config: {} +server_type: linux +obfuscation_nonce: ZcKwjHiIuWU= \ No newline at end of file diff --git a/Vagrant/scripts/fix-windows-expiration.ps1 b/Vagrant/scripts/fix-windows-expiration.ps1 index 2541e62..f5247b2 100644 --- a/Vagrant/scripts/fix-windows-expiration.ps1 +++ b/Vagrant/scripts/fix-windows-expiration.ps1 
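Review bot: This file commits the CA private key, the frontend private key, the GUI gateway private key (`gw_private_key`), the admin `password_hash`/`password_salt` and the `obfuscation_nonce` for the Velociraptor server, and the matching `ca_certificate` is baked into the client config, so anyone holding a copy of the repository holds everything needed to stand up a server that the lab's clients will trust. For a throwaway lab that may be acceptable, but it should be stated in a comment at the top of the file, and the provisioner should prefer generating the config on the logger host at install time (`velociraptor config generate`) so each deployment gets fresh keys. `internal_cidr: 127.0.0.1/12` looks like a typo for the loopback range `127.0.0.0/8`; worth confirming. Part of this file (between `use_self_signed` and the tail of the GUI certificate) is not visible in this view, and the file lacks a trailing newline.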
@@ -1,38 +1,57 @@
 # Purpose: Re-arms the expiration timer on expiring Windows eval images and fixes activation issues
 # Check to see if there are days left on the timer or if it's just expired
-$regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)|grace time expired"
-if ($regex.Matches.Value -eq "grace time expired") {
+$regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)|grace time expired|0xC004D302|0xC004FC07"
+If ($regex.Matches.Value -eq "grace time expired" -or $regex.Matches.Value -eq "0xC004D302") {
 # If it shows expired, it's likely it wasn't properly activated
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) It appears Windows was not properly activated. Attempting to resolve..."
- try {
+ Try {
 # The TrustedInstaller service MUST be running for activation to succeed
 Set-Service TrustedInstaller -StartupType Automatic
 Start-Service TrustedInstaller
 Start-Sleep 10
 # Attempt to activate
 cscript c:\windows\system32\slmgr.vbs /ato
- } catch {
+ } Catch {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong trying to reactivate Windows..."
 }
- # If activation was successful, the regex should match 90 or 180 (Win10 or Win2016)
- $regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)"
-}
-try {
+}
+Elseif ($regex.Matches.Value -eq "0xC004FC07") {
+ Try {
+ cscript c:\windows\system32\slmgr.vbs /rearm
+ } Catch {
+ Write-Host "Something went wrong trying to re-arm the image..."
+ }
+}
+
+# If activation was successful, the regex should match 90 or 180 (Win10 or Win2016)
+$regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)"
+
+Try {
 $days_left = $regex.Matches.Groups[1].Value
-} catch {
+} Catch {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Unable to successfully parse the output from slmgr, not rearming"
 $days_left = 90
 }
-
-if ($days_left -as [int] -lt 30) {
+
+If ($days_left -as [int] -lt 30) {
 write-host "$('[{0:HH:mm}]' -f (Get-Date)) $days_left days remaining before expiration"
 write-host "$('[{0:HH:mm}]' -f (Get-Date)) Less than 30 days remaining before Windows expiration. Attempting to rearm..."
- try {
- cscript c:\windows\system32\slmgr.vbs /rearm
- } catch {
- Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong trying to re-arm the image..."
+ Try {
+ # The TrustedInstaller service MUST be running for activation to succeed
+ Set-Service TrustedInstaller -StartupType Automatic
+ Start-Service TrustedInstaller
+ Start-Sleep 10
+ # Attempt to activate
+ cscript c:\windows\system32\slmgr.vbs /ato
+ } Catch {
+ Try {
+ cscript c:\windows\system32\slmgr.vbs /rearm
+ } Catch {
+ Write-Host "Something went wrong trying to re-arm the image..."
+ }
 }
-} else {
+}
+Else {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $days_left days left until expiration, no need to rearm."
 }
diff --git a/Vagrant/scripts/install-osquery.ps1 b/Vagrant/scripts/install-osquery.ps1
index 6900410..e151c81 100755
--- a/Vagrant/scripts/install-osquery.ps1
+++ b/Vagrant/scripts/install-osquery.ps1
@@ -1,5 +1,4 @@
-# Purpose: Installs osquery on the host
-# Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
+# Purpose: Installs osquery on the host. Osquery conntects to Fleet via TLS.
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing osquery..."
 $flagfile = "c:\Program Files\osquery\osquery.flags"
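Review bot: The new fallback inside the `If ($days_left -as [int] -lt 30)` branch only reaches `/rearm` from a `Catch`, but `cscript` finishing with an error (non-zero exit, failure text on stdout) is not a terminating error in PowerShell, so that Catch fires only when cscript itself cannot be launched and the rearm path is in practice unreachable; the same applies to the `Elseif ($regex.Matches.Value -eq "0xC004FC07")` Try/Catch. Test the outcome instead, for example after `/ato`: `If ($LASTEXITCODE -ne 0) { cscript c:\windows\system32\slmgr.vbs /rearm }` (confirm slmgr propagates a non-zero status through cscript). The two added `Write-Host "Something went wrong trying to re-arm the image..."` messages also drop the `$('[{0:HH:mm}]' -f (Get-Date))` prefix every other message in this file carries. The TrustedInstaller/`/ato` sequence now appears twice and would read better as a small function.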
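Review bot: The rewritten header comment misspells 'connects' as `conntects` and drops the detail the old note carried, that osquery enrolls against the Fleet server on the "logger" host; suggest `# Purpose: Installs osquery on the host. Osquery connects to Fleet on the "logger" host via TLS.`. Naming the host matters here because this script adds a hosts entry for `kolide` while the new install-velociraptor.ps1 adds one for `logger` at the same address, and the comment is the only place a reader learns which name this client uses.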
@@ -16,7 +15,12 @@ If (-not ($service)) {
 ## Use the TLS config
 ## Add entry to hosts file for Kolide for SSL validation
+ If (Select-String -Path "c:\windows\system32\drivers\etc\hosts" -Pattern "kolide") {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hosts file already updated. Moving on."
+ } Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding kolide to the hosts file"
 Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.105 kolide"
+ }
 ## Add kolide secret and avoid BOM
 $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
 [System.IO.File]::WriteAllLines("c:\Program Files\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)
diff --git a/Vagrant/scripts/install-velociraptor.ps1 b/Vagrant/scripts/install-velociraptor.ps1
new file mode 100644
index 0000000..64609d9
--- /dev/null
+++ b/Vagrant/scripts/install-velociraptor.ps1
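Review bot: The idempotency check `Select-String ... -Pattern "kolide"` is an unanchored, case-insensitive regex match, so a commented-out line or any other line that merely contains the word satisfies it and the entry is silently skipped; match the entry itself, e.g. `-Pattern '^\s*192\.168\.38\.105\s+kolide\s*$'` (or at least `'\bkolide\b'`). The wrapped `Add-Content` line is unchanged context and still sits at its old indentation inside the new `Else` block; re-indenting it would keep the block readable. The enclosing `If (-not ($service))` block starts before this hunk.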
@@ -0,0 +1,34 @@
+# Purpose: Installs velociraptor on the host
+
+# Add a hosts entry to avoid DNS issues
+If (Select-String -Path "c:\windows\system32\drivers\etc\hosts" -Pattern "logger") {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hosts file already updated. Moving on."
+} Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding logger to the hosts file"
+ Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.105 logger"
+}
+
+# Downloads and install the latest Velociraptor release
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Velociraptor..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$tag = (Invoke-WebRequest "https://api.github.com/repos/Velocidex/velociraptor/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
+$velociraptorDownloadUrl = "https://github.com/Velocidex/velociraptor/releases/download/$tag/velociraptor-$tag-windows-amd64.msi"
+$velociraptorMSIPath = 'C:\Users\vagrant\AppData\Local\Temp\velociraptor.msi'
+If (-not (Test-Path "C:\Program Files\Velociraptor")) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Velociraptor..."
+ Invoke-WebRequest -Uri "$velociraptorDownloadUrl" -OutFile $velociraptorMSIPath
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Velociraptor..."
+ msiexec /i $velociraptorMSIPath /quiet /qn /norestart /log c:\Users\vagrant\AppData\Local\Temp\velociraptor_install.log
+ Copy-File "c:\vagrant\resources\velociraptor\Velociraptor.config.yaml" "C:\Program Files\Velociraptor"
+ Restart-Service Velociraptor
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Velociraptor successfully installed!"
+} Else {
+ Write-Host "Velociraptor was already installed. Moving On."
+}
+If ((Get-Service -name Velociraptor).Status -ne "Running")
+{
+ Throw "Velociraptor service is not running"
+}
+
+
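Review bot: `Copy-File` is not a PowerShell cmdlet (the built-in is `Copy-Item`), so the client config is never placed under `C:\Program Files\Velociraptor` and `Restart-Service Velociraptor` restarts the service with whatever config the MSI shipped; because the command-not-found error goes to the error stream, the Ansible `failed_when` that only inspects stdout will not notice either. `msiexec` is a GUI-subsystem executable, so PowerShell does not wait for it and the copy and restart can run before the install has finished; launch it with `Start-Process -Wait` and check the exit code. The MSI is whatever `[0].tag_name` returns (the newest release, which can be a pre-release) and is installed without any integrity check, while the committed Velociraptor.config.yaml is for 0.4.5; pinning the tag and comparing a recorded hash before `msiexec` runs would close both gaps. The hard-coded `C:\Users\vagrant\AppData\Local\Temp` paths could use `$env:TEMP`, and the file ends with two blank lines.
```powershell
    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Velociraptor..."
    $msiArgs = "/i `"$velociraptorMSIPath`" /quiet /qn /norestart /log `"$env:TEMP\velociraptor_install.log`""
    $msi = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    If ($msi.ExitCode -ne 0) { Throw "msiexec exited with code $($msi.ExitCode)" }
    Copy-Item "c:\vagrant\resources\velociraptor\Velociraptor.config.yaml" -Destination "C:\Program Files\Velociraptor\" -Force
    Restart-Service Velociraptor
    # … unchanged: success message and Else branch …
```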