Update Splunk apps, create vagrantfile_minimum, bugfixes

2019-03-01 22:45:37 -08:00
parent ef566fc5ef
commit 93183a95e2
12 changed files with 302 additions and 63 deletions
--- a/Vagrant/scripts/install-choco-extras.ps1
+++ b/Vagrant/scripts/install-choco-extras.ps1
@@ -0,0 +1,14 @@
+# Purpose: Install additional packages from Chocolatey.
+
+If (-not (Test-Path "C:\ProgramData\chocolatey")) {
+  Write-Host "Installing Chocolatey"
+  iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
+} else {
+  Write-Host "Chocolatey is already installed."
+}
+
+Write-Host "Installing Chocolatey extras..."
+choco install -y wireshark
+choco install -y microsoft-message-analyzer
+
+Write-Host "Utilties installation complete!"
--- a/Vagrant/scripts/install-redteam.ps1
+++ b/Vagrant/scripts/install-redteam.ps1
@@ -0,0 +1,44 @@
+# Purpose: Installs Mimikatz and Powersploit into c:\Tools\Mimikatz. Used to install redteam related tooling.
+
+# Disable Windows Defender realtime scanning before downloading Mimikatz and drop the firewall
+If ($env:computername -eq "win10") {
+  If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
+  {
+    Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
+  }
+  gpupdate /force | Out-String
+  Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
+  set-MpPreference -DisableRealtimeMonitoring $true
+  Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
+}
+
+# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
+Write-Host "Determining latest release of Mimikatz..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
+$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
+$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
+if (-not (Test-Path $mimikatzRepoPath))
+{
+  Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
+  Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
+}
+else
+{
+  Write-Host "Mimikatz was already installed. Moving On."
+}
+
+# Download and unzip a copy of PowerSploit
+Write-Host "Downloading Powersploit..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
+$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
+if (-not (Test-Path $powersploitRepoPath)) {
+  Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
+  Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
+  Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
+} else {
+  Write-Host "PowerSploit was already installed. Moving On."
+}
--- a/Vagrant/scripts/install-utilities.ps1
+++ b/Vagrant/scripts/install-utilities.ps1
@@ -1,4 +1,4 @@
-# Purpose: Installs chocolatey package manager, then installs custom utilities from Choco and adds syntax highlighting for Powershell, Batch, and Docker. Also installs Mimikatz into c:\Tools\Mimikatz.
+# Purpose: Installs chocolatey package manager, then installs custom utilities from Choco.

 If (-not (Test-Path "C:\ProgramData\chocolatey")) {
  Write-Host "Installing Chocolatey"
@@ -7,7 +7,7 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) {
  Write-Host "Chocolatey is already installed."
 }

-Write-Host "Installing Notepad++, Chrome, WinRar, PowerSploit and Mimikatz."
+Write-Host "Installing utilities..."
 If ($(hostname) -eq "win10") {
  # Because the Windows10 start menu sucks
  choco install -y classic-shell -installArgs ADDLOCAL=ClassicStartMenu
@@ -16,47 +16,4 @@ choco install -y NotepadPlusPlus
 choco install -y GoogleChrome
 choco install -y WinRar

-# Disable Windows Defender realtime scanning before downloading Mimikatz and drop the firewall
-If ($env:computername -eq "win10") {
-  If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
-  {
-    Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
-  }
-  gpupdate /force | Out-String
-  Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
-  set-MpPreference -DisableRealtimeMonitoring $true
-  Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
-}
-
-# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
-Write-Host "Determining latest release of Mimikatz..."
-# GitHub requires TLS 1.2 as of 2/27
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
-$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
-$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
-if (-not (Test-Path $mimikatzRepoPath))
-{
-  Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
-  Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
-}
-else
-{
-  Write-Host "Mimikatz was already installed. Moving On."
-}
-
-# Download and unzip a copy of PowerSploit
-Write-Host "Downloading Powersploit..."
-# GitHub requires TLS 1.2 as of 2/27
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
-$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
-if (-not (Test-Path $powersploitRepoPath)) {
-  Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
-  Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
-  Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
-} else {
-  Write-Host "PowerSploit was already installed. Moving On."
-}
-
 Write-Host "Utilties installation complete!"
--- a/Vagrant/scripts/install-wefsubscriptions.ps1
+++ b/Vagrant/scripts/install-wefsubscriptions.ps1
@@ -1,40 +1,43 @@
 # Purpose: Imports the custom Windows Event Channel and XML subscriptions on the WEF host
 # Note: This only needs to be installed on the WEF server

-Write-Host "Installing WEF Subscriptions"
+Write-Host "Installing WEF Subscriptions..."

-Write-Host "Copying Custom Event Channels DLL"
+Write-Host "Copying Custom Event Channels DLL..."
 if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll"))
 {
    Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll "$env:windir\system32"
    Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man "$env:windir\system32"

-    Write-Host "Installing Custom Event Channels Manifest"
+    Write-Host "Installing Custom Event Channels Manifest..."
    wevtutil im "c:\windows\system32\CustomEventChannels.man"
-    Write-Host "Resizing Channels to 4GB"
+    Write-Host "Resizing Channels to 4GB..."
    $xml = wevtutil el | select-string -pattern "WEC"
    foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }

-    Write-Host "Starting the Windows Event Collector Service"
+    Write-Host "Starting the Windows Event Collector Service..."
    net start wecsvc

-    Write-Host "Creating custom event subscriptions"
+    Write-Host "Creating custom event subscriptions..."
    cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
    cmd /c "for /r %i in (*.xml) do wecutil cs %i"

-    Write-Host "Enabling custom event subscriptions"
+    Write-Host "Enabling custom event subscriptions..."
    cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"

-    Write-Host "Enabling WecUtil Quick Config"
+    Write-Host "Enabling WecUtil Quick Config..."
    wecutil qc /q:true
 }
-else 
+else
 {
-    Write-Host "WEF Subscriptions already installed, moving on"
+  Write-Host "WEF Subscriptions are already installed, moving on..."
+  if ((Get-Service -Name wecsvc).Status -ne "Running")
+  {
    net start wecsvc
+  }
 }
 Start-Sleep -Seconds 60
 if ((Get-Service -Name wecsvc).Status -ne "Running")
 {
-    throw "Windows Event Collector service was not running"
-}
+    throw "Windows Event Collector failed to start"
+}