Merge branch 'master' into osquery_refactor

2020-06-20 18:34:28 -07:00
parent bb12246e74 9e6670b1e2
commit 8fca376f4a
3 changed files with 15 additions and 5 deletions
--- a/README.md
+++ b/README.md
@@ -25,16 +25,16 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr

 ## Primary Lab Features:
 * Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
-* Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
+* A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
 * A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
 * [Palantir's Windows Event Forwarding](http://github.com/palantir/windows-event-forwarding)  subscriptions and custom channels are implemented
 * Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs`
 * osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration)
-* Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
+* Sysmon is installed and configured using [Olaf Hartong's open-sourced Sysmon configuration](https://github.com/olafhartong/sysmon-modular)
 * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 * SMBv1 Auditing is enabled

-## Requirements
+## Requirements for VMware or Virtualbox
 * 55GB+ of free disk space
 * 16GB+ of RAM
 * Packer 1.3.2 or newer
@@ -48,6 +48,7 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
 Please view the quickstart guides based on the operating system you are using. The AWS/Terraform DetectionLab can be launched from any operating system.

 * [AWS via Terraform](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform))
+* [Azure via Terraform & Ansible](https://github.com/clong/DetectionLab/tree/master/Azure)
 * [MacOS](https://github.com/clong/DetectionLab/wiki/Quickstart---MacOS)
 * [Windows](https://github.com/clong/DetectionLab/wiki/Quickstart---Windows)
 * [Linux](https://github.com/clong/DetectionLab/wiki/Quickstart-Linux)
--- a/Vagrant/scripts/fix-windows-expiration.ps1
+++ b/Vagrant/scripts/fix-windows-expiration.ps1
@@ -18,7 +18,12 @@ if ($regex.Matches.Value -eq "grace time expired") {
  # If activation was successful, the regex should match 90 or 180 (Win10 or Win2016)
  $regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)"
 }  
-$days_left = $regex.Matches.Groups[1].Value
+try {
+  $days_left = $regex.Matches.Groups[1].Value
+} catch {
+  Write-Host "Unable to successfully parse the output from slmgr, not rearming"
+  $days_left = 90
+}

 if ($days_left -as [int] -lt 30) {
  write-host "Less than 30 days remaining before Windows expiration. Attempting to rearm..."
--- a/Vagrant/scripts/install-microsoft-ata.ps1
+++ b/Vagrant/scripts/install-microsoft-ata.ps1
@@ -113,6 +113,7 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\

    If (-not (Test-Path "$env:temp\gatewaysetup.zip"))
    {
+        Write-Host "[$env:computername] ATA Gateway not yet downloaded. Downloading now..."
        Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant")))
        Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
    }
@@ -122,17 +123,20 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
    }
    if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics"))
    {
+        Write-Host "[$env:computername] ATA Gateway not yet installed. Attempting to install now..."
        Set-Location "$env:temp\gatewaysetup"
        Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
+        Write-Host "[$env:computername] ATA Gateway installation complete!"
    }
    else
    {
        Write-Host "[$env:computername] ATA Gateway already installed. Moving On."
    }
+    Write-Host "[$env:computername] Waiting for the ATA Gateway service to start..."
    (Get-Service ATAGateway).WaitForStatus('Running', '00:10:00')
    If ((Get-Service "ATAGateway").Status -ne "Running")
    {
-        throw "ATA lightweight gateway not running"
+        throw "ATA Gateway service failed to start on DC"
    }
    # Disable invalid web requests to endpoints with invalid SSL certs again
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null