From f206996a401a92d71b9b61ea200362075accdc42 Mon Sep 17 00:00:00 2001 From: Tyler Bennett Date: Fri, 18 Dec 2020 22:53:41 -0600 Subject: [PATCH 01/27] ensure all resources utilize the vars.esxi_datastore var --- ESXi/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ESXi/main.tf b/ESXi/main.tf index d009c59..ac1fe03 100644 --- a/ESXi/main.tf +++ b/ESXi/main.tf @@ -68,7 +68,7 @@ resource "esxi_guest" "logger" { resource "esxi_guest" "dc" { guest_name = "dc" - disk_store = "datastore2" + disk_store = var.esxi_datastore guestos = "windows9srv-64" boot_disk_type = "thin" @@ -97,7 +97,7 @@ resource "esxi_guest" "dc" { resource "esxi_guest" "wef" { guest_name = "wef" - disk_store = "datastore2" + disk_store = var.esxi_datastore guestos = "windows9srv-64" boot_disk_type = "thin" @@ -126,7 +126,7 @@ resource "esxi_guest" "wef" { resource "esxi_guest" "win10" { guest_name = "win10" - disk_store = "datastore2" + disk_store = var.esxi_datastore guestos = "windows9-64" boot_disk_type = "thin" From cad9c0e553469b060b7e5c497d677fda241d108d Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 20 Dec 2020 20:35:04 -0800 Subject: [PATCH 02/27] Verify explorer.exe is running it before stopping it Issue #578 --- Vagrant/scripts/install-sysinternals.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Vagrant/scripts/install-sysinternals.ps1 b/Vagrant/scripts/install-sysinternals.ps1 index 3caa035..da00183 100755 --- a/Vagrant/scripts/install-sysinternals.ps1 +++ b/Vagrant/scripts/install-sysinternals.ps1 @@ -93,7 +93,9 @@ $Shortcut.TargetPath = $tcpviewPath $Shortcut.Save() # Restart Explorer so the taskbar shortcuts show up -Stop-Process -ProcessName explorer -Force +if (Get-Process -ProcessName explorer -ErrorAction 'silentlycontinue') { + Stop-Process -ProcessName explorer -Force +} # Download Olaf Hartongs Sysmon config Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Olaf Hartong's Sysmon config..." 
From f0987e8148bd5811238ba68efe6e741031bfd87b Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 27 Dec 2020 20:53:33 -0800 Subject: [PATCH 03/27] Don't sync VM clock with ESXi host --- ESXi/main.tf | 43 +++++++++++++++++++++++++-- ci/build_machine_bootstrap.sh | 4 +-- ci/manual_machine_bootstrap.sh | 8 ++--- ci/manual_machine_bootstrap_vmware.sh | 8 ++--- 4 files changed, 50 insertions(+), 13 deletions(-) diff --git a/ESXi/main.tf b/ESXi/main.tf index ac1fe03..b329810 100644 --- a/ESXi/main.tf +++ b/ESXi/main.tf @@ -18,6 +18,16 @@ resource "esxi_guest" "logger" { guest_name = "logger" disk_store = var.esxi_datastore guestos = "ubuntu-64" + custom_vmx_settings = [ + ['tools.syncTime', '0'], + ['time.synchronize.continue', '0'], + ['time.synchronize.restore', '0'], + ['time.synchronize.resume.disk', '0'], + ['time.synchronize.shrink', '0'], + ['time.synchronize.tools.startup', '0'], + ['time.synchronize.tools.enable', '0'], + ['time.synchronize.resume.host', '0'] + ] boot_disk_type = "thin" @@ -70,9 +80,18 @@ resource "esxi_guest" "dc" { guest_name = "dc" disk_store = var.esxi_datastore guestos = "windows9srv-64" + custom_vmx_settings = [ + ['tools.syncTime', '0'], + ['time.synchronize.continue', '0'], + ['time.synchronize.restore', '0'], + ['time.synchronize.resume.disk', '0'], + ['time.synchronize.shrink', '0'], + ['time.synchronize.tools.startup', '0'], + ['time.synchronize.tools.enable', '0'], + ['time.synchronize.resume.host', '0'] + ] boot_disk_type = "thin" - boot_disk_size = "35" memsize = "4096" numvcpus = "2" 
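Review bot: The `custom_vmx_settings` entries added to the `logger` and `dc` resources are single-quoted (`['tools.syncTime', '0']`), but HCL string literals must be double-quoted, so `terraform validate` rejects this file; the `wef` and `win10` hunks that follow have the same problem. Each pair should be written `["tools.syncTime", "0"]`, and since the identical eight-entry list is pasted into four resources it is better declared once in a `locals` block and referenced as `custom_vmx_settings = local.vmx_no_time_sync`. The `dc`, `wef` and `win10` hunks also drop `boot_disk_size = "35"`, which the subject line does not mention; if falling back to the provider default is intended it should be stated in the commit message, otherwise the line should stay. Every resource block here continues outside its hunk.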
@@ -99,9 +118,18 @@ resource "esxi_guest" "wef" { guest_name = "wef" disk_store = var.esxi_datastore guestos = "windows9srv-64" + custom_vmx_settings = [ + ['tools.syncTime', '0'], + ['time.synchronize.continue', '0'], + ['time.synchronize.restore', '0'], + ['time.synchronize.resume.disk', '0'], + ['time.synchronize.shrink', '0'], + ['time.synchronize.tools.startup', '0'], + ['time.synchronize.tools.enable', '0'], + ['time.synchronize.resume.host', '0'] + ] boot_disk_type = "thin" - boot_disk_size = "35" memsize = "2048" numvcpus = "2" @@ -128,9 +156,18 @@ resource "esxi_guest" "win10" { guest_name = "win10" disk_store = var.esxi_datastore guestos = "windows9-64" + custom_vmx_settings = [ + ['tools.syncTime', '0'], + ['time.synchronize.continue', '0'], + ['time.synchronize.restore', '0'], + ['time.synchronize.resume.disk', '0'], + ['time.synchronize.shrink', '0'], + ['time.synchronize.tools.startup', '0'], + ['time.synchronize.tools.enable', '0'], + ['time.synchronize.resume.host', '0'] + ] boot_disk_type = "thin" - boot_disk_size = "35" memsize = "2048" numvcpus = "2" diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index 40c6ed0..ba57b06 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -79,8 +79,8 @@ ufw --force enable echo "[$(date +%H:%M:%S)]: Installing Vagrant..." mkdir /opt/vagrant cd /opt/vagrant || exit 1 -wget --progress=bar:force https://releases.hashicorp.com/vagrant/2.2.10/vagrant_2.2.10_x86_64.deb -dpkg -i vagrant_2.2.10_x86_64.deb +wget --progress=bar:force https://releases.hashicorp.com/vagrant/2.2.14/vagrant_2.2.14_x86_64.deb +dpkg -i vagrant_2.2.14_x86_64.deb echo "[$(date +%H:%M:%S)]: Installing vagrant-reload plugin..." vagrant plugin install vagrant-reload diff --git a/ci/manual_machine_bootstrap.sh b/ci/manual_machine_bootstrap.sh index 266ddc4..3a86c9e 100644 --- a/ci/manual_machine_bootstrap.sh +++ b/ci/manual_machine_bootstrap.sh 
@@ -25,8 +25,8 @@ git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab # Install Vagrant mkdir /opt/vagrant cd /opt/vagrant || exit 1 -wget https://releases.hashicorp.com/vagrant/2.2.10/vagrant_2.2.10_x86_64.deb -dpkg -i vagrant_2.2.10_x86_64.deb +wget https://releases.hashicorp.com/vagrant/2.2.14/vagrant_2.2.14_x86_64.deb +dpkg -i vagrant_2.2.14_x86_64.deb # Disable IPv6 - may help with the vagrant-reload plugin: https://github.com/hashicorp/vagrant/issues/8795#issuecomment-468945063 echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf @@ -40,8 +40,8 @@ sed -i 's/vb.gui = true/vb.gui = false/g' Vagrantfile # Install Packer mkdir /opt/packer cd /opt/packer || exit 1 -wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip -unzip packer_1.6.3_linux_amd64.zip +wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.6/packer_1.6.6_linux_amd64.zip +unzip packer_1.6.6_linux_amd64.zip cp packer /usr/local/bin/packer # Make the Packer images headless diff --git a/ci/manual_machine_bootstrap_vmware.sh b/ci/manual_machine_bootstrap_vmware.sh index 1daa3d3..4ca4207 100644 --- a/ci/manual_machine_bootstrap_vmware.sh +++ b/ci/manual_machine_bootstrap_vmware.sh @@ -28,8 +28,8 @@ git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab # Install Vagrant mkdir /opt/vagrant cd /opt/vagrant || exit 1 -wget --progress=bar:force https://releases.hashicorp.com/vagrant/2.2.10/vagrant_2.2.10_x86_64.deb -dpkg -i vagrant_2.2.10_x86_64.deb +wget --progress=bar:force https://releases.hashicorp.com/vagrant/2.2.14/vagrant_2.2.14_x86_64.deb +dpkg -i vagrant_2.2.14_x86_64.deb # Disable IPv6 - may help with the vagrant-reload plugin: https://github.com/hashicorp/vagrant/issues/8795#issuecomment-468945063 echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf sysctl -p /etc/sysctl.conf > /dev/null 
@@ -47,8 +47,8 @@ sed -i 's/v.gui = true/v.gui = false/g' Vagrantfile # Install Packer mkdir /opt/packer cd /opt/packer || exit 1 -wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip -unzip packer_1.6.3_linux_amd64.zip +wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.6/packer_1.6.6_linux_amd64.zip +unzip packer_1.6.6_linux_amd64.zip cp packer /usr/local/bin/packer # Make the Packer images headless From be28a4aa26a1d4ea68f5e2716f5960a181b24ed5 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Thu, 31 Dec 2020 10:17:16 -0800 Subject: [PATCH 04/27] Updating sponsors --- README.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 908e6a5..95a01f0 100644 --- a/README.md +++ b/README.md @@ -103,13 +103,13 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer] * [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) # DetectionLab Sponsors -#### Lated updated: 9/16/2020 +#### Lated updated: 12/31/2020 I would like to extend thanks to the following sponsors for funding DetectionLab development. If you are interested in becoming a sponsor, please visit the [sponsors page](https://github.com/sponsors/clong). ### Diamond Sponsors: * [Veramine](https://github.com/veramine) * [Thinkst](https://github.com/ThinkstAppliedResearch) -* [csterner82](https://github.com/csterner82) +* [kungskal](https://github.com/kungskal) * [swizzlez](https://github.com/swizzlez) * [CyDefUnicorn](https://github.com/CyDefUnicorn) * [olliencc](https://github.com/olliencc) 
@@ -118,17 +118,18 @@ I would like to extend thanks to the following sponsors for funding DetectionLab * [mikeesparza](https://github.com/mikeesparza) * [dlee35](https://github.com/dlee35) * [chrissanders](https://github.com/chrissanders) -* [punchdrunktux](https://github.com/punchdrunktux) * [jaredhaight](https://github.com/jaredhaight) * [iamfuntime](https://github.com/iamfuntime) * [Luct0r](https://github.com/Luct0r) +* [zhuma549](https://github.com/zhuma549) +* +1 private sponsor ### Standard Sponsors: -* [dtonomy](https://github.com/dtonomy) * [braimee](https://github.com/braimee) -* [iLoC0dez](https://github.com/iLoC0dez) * [defensivedepth](https://github.com/defensivedepth) -* [elreydetoda](https://github.com/elreydetoda) * [kafkaesqu3](https://github.com/kafkaesqu3) * [anthonysecurity](https://github.com/anthonysecurity) +* [ealaney](https://github.com/ealaney) +* [elreydetoda](https://github.com/elreydetoda) +* [DevBits1702](https://github.com/DevBits1702) * +2 private sponsors From 7aa5dd5c543ecb44378b36dd39b320474cc13853 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Mon, 4 Jan 2021 10:40:34 -0800 Subject: [PATCH 05/27] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 95a01f0..6e963f5 100644 --- a/README.md +++ b/README.md 
@@ -6,9 +6,10 @@ DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to [![CircleCI](https://circleci.com/gh/clong/DetectionLab/tree/master.svg?style=shield)](https://circleci.com/gh/clong/DetectionLab/tree/master) ![Lint Code Base](https://github.com/clong/DetectionLab/workflows/Lint%20Code%20Base/badge.svg) [![license](https://img.shields.io/github/license/clong/DetectionLab.svg?style=flat-square)](https://github.com/clong/DetectionLab/blob/master/license.md) -![Maintenance](https://img.shields.io/maintenance/yes/2020.svg?style=flat-square) +![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?style=flat-square) [![GitHub last commit](https://img.shields.io/github/last-commit/clong/DetectionLab.svg?style=flat-square)](https://github.com/clong/DetectionLab/commit/master) [![Twitter](https://img.shields.io/twitter/follow/DetectionLab.svg?style=social)](https://twitter.com/DetectionLab) +[![Slack][https://img.shields.io/badge/Slack-DetectionLab-blue](https://join.slack.com/t/cl0ng/shared_invite/zt-kjwgkldg-BqB1TyrUX0dSjDPe44tKRg) #### Donate to the project: From 46d487a05cbcdb2d74c1a0c9b2d45d5a682e16a3 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Mon, 4 Jan 2021 10:41:12 -0800 Subject: [PATCH 06/27] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6e963f5..7a33b73 100644 --- a/README.md +++ b/README.md 
@@ -9,7 +9,7 @@ DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?style=flat-square) [![GitHub last commit](https://img.shields.io/github/last-commit/clong/DetectionLab.svg?style=flat-square)](https://github.com/clong/DetectionLab/commit/master) [![Twitter](https://img.shields.io/twitter/follow/DetectionLab.svg?style=social)](https://twitter.com/DetectionLab) -[![Slack][https://img.shields.io/badge/Slack-DetectionLab-blue](https://join.slack.com/t/cl0ng/shared_invite/zt-kjwgkldg-BqB1TyrUX0dSjDPe44tKRg) +[![Slack](https://img.shields.io/badge/Slack-DetectionLab-blue)](https://join.slack.com/t/cl0ng/shared_invite/zt-kjwgkldg-BqB1TyrUX0dSjDPe44tKRg) #### Donate to the project: From cdf2097a61de78f32fddb17d42bd8e8acb558ddc Mon Sep 17 00:00:00 2001 From: Spencer Walden Date: Tue, 5 Jan 2021 16:29:55 -0800 Subject: [PATCH 07/27] Updates else clause logged output and uses variables in script rather than hard code --- HyperV/hyperv-create-nat-switch.ps1 | 49 +++++++++++++++++------------ 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/HyperV/hyperv-create-nat-switch.ps1 b/HyperV/hyperv-create-nat-switch.ps1 index 94650da..bd6c0fa 100644 --- a/HyperV/hyperv-create-nat-switch.ps1 +++ b/HyperV/hyperv-create-nat-switch.ps1 
@@ -1,32 +1,41 @@ # See: https://www.petri.com/using-nat-virtual-switch-hyper-v -If ("NATSwitch" -in (Get-VMSwitch | Select-Object -ExpandProperty Name) -eq $FALSE) { - 'Creating Internal-only switch named "NATSwitch" on Windows Hyper-V host...' +$NATHostIP = "192.168.38.1" +$NATNetPrefixLength = 24 +$NATNet = "192.168.38.0/$NATNetPrefixLength" +$NATNetName = "NATNetwork" +$NATSwitchName = "NATSwitch" +$NATSwitchNameAlias = "vEthernet ($NATSwitchName)" - New-VMSwitch -SwitchName "NATSwitch" -SwitchType Internal +# Check our NAT switch exists, create it and configure it if it doesn't. +If ("$NATSwitchName" -in (Get-VMSwitch | Select-Object -ExpandProperty Name) -eq $FALSE) { + "Creating Internal-only switch named ""$NatSwitchName"" on Windows Hyper-V host..." - New-NetIPAddress -IPAddress 192.168.38.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NATSwitch)" + New-VMSwitch -SwitchName $NATSwitchName -SwitchType Internal + New-NetIPAddress -IPAddress $NATHostIP -PrefixLength $NATNetPrefixLength -InterfaceAlias $NATSwitchNameAlias + New-NetNAT -Name $NATNetName -InternalIPInterfaceAddressPrefix $NATNet - New-NetNAT -Name "NATNetwork" -InternalIPInterfaceAddressPrefix 192.168.38.0/24 -} -else { - '"NATSwitch" for static IP configuration already exists; skipping' +} else { + """$NATSwitchName"" VM Switch on Hyper-V host for guest static IP configuration already exists; skipping..." } -If ("192.168.38.1" -in (Get-NetIPAddress | Select-Object -ExpandProperty IPAddress) -eq $FALSE) { - 'Registering new IP address 192.168.38.1 on Windows Hyper-V host...' +# Check that our Hyper-V host has the proper gateway address for the NAT Network. +# TODO make sure that this is set for the proper NATSwitch +If ("$NATHostIP" -in (Get-NetIPAddress | Select-Object -ExpandProperty IPAddress) -eq $FALSE) { + "Registering new IP address $NATHostIP on Windows Hyper-V host..." 
- New-NetIPAddress -IPAddress 192.168.38.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NATSwitch)" -} -else { - '"192.168.38.1" for static IP configuration already registered; skipping' + New-NetIPAddress -IPAddress $NATHostIP -PrefixLength $NATNetPrefixLength -InterfaceAlias $NATSwitchNameAlias + +} else { + """$NATHostIP"" Hyper-V host gateway address for guest static IP configuration already registered; skipping..." } -If ("192.168.38.0/24" -in (Get-NetNAT | Select-Object -ExpandProperty InternalIPInterfaceAddressPrefix) -eq $FALSE) { - 'Registering new NAT adapter for 192.168.38.0/24 on Windows Hyper-V host...' +# Check that our Hyper-V host has the proper NAT Network setup +If ("$NATNet" -in (Get-NetNAT | Select-Object -ExpandProperty InternalIPInterfaceAddressPrefix) -eq $FALSE) { + "Registering new NAT adapter for $NATNet on Windows Hyper-V host..." - New-NetNAT -Name "NATNetwork" -InternalIPInterfaceAddressPrefix 192.168.38.0/24 -} -else { - '"192.168.38.0/24" for static IP configuration already registered; skipping' + New-NetNAT -Name $NATNetName -InternalIPInterfaceAddressPrefix $NATNet + +} else { + """$NATNet"" Hyper-V host NAT Network for guest static IP configuration already registered; skipping" } \ No newline at end of file From b6195693c90f1c18758182399af71de49aed8b12 Mon Sep 17 00:00:00 2001 From: Spencer Walden Date: Tue, 5 Jan 2021 16:51:07 -0800 Subject: [PATCH 08/27] Updates NATNetwork gateway IP check to be more specific to avoid different adapters having an IP address collision. --- HyperV/hyperv-create-nat-switch.ps1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/HyperV/hyperv-create-nat-switch.ps1 b/HyperV/hyperv-create-nat-switch.ps1 index bd6c0fa..e75e916 100644 --- a/HyperV/hyperv-create-nat-switch.ps1 +++ b/HyperV/hyperv-create-nat-switch.ps1 
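Review bot: The switch-creation message on the new side expands `$NatSwitchName` while the variable assigned above is `$NATSwitchName`; PowerShell resolves variable names case-insensitively so the right name is printed, but a reader (and any linter that flags unassigned variables) sees a second variable, so it should read `"Creating Internal-only switch named ""$NATSwitchName"" on Windows Hyper-V host..."`. The last else-branch message also lost the trailing `...` that the other two status lines carry, and the file still ends without a newline.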
@@ -20,8 +20,7 @@ If ("$NATSwitchName" -in (Get-VMSwitch | Select-Object -ExpandProperty Name) -eq } # Check that our Hyper-V host has the proper gateway address for the NAT Network. -# TODO make sure that this is set for the proper NATSwitch -If ("$NATHostIP" -in (Get-NetIPAddress | Select-Object -ExpandProperty IPAddress) -eq $FALSE) { +If (@(Get-NetIPAddress | Where-Object {$_.IPAddress -eq "$NATHostIP" -and $_.InterfaceAlias -eq "$NATSwitchNameAlias"}).Count -eq 1) { "Registering new IP address $NATHostIP on Windows Hyper-V host..." New-NetIPAddress -IPAddress $NATHostIP -PrefixLength $NATNetPrefixLength -InterfaceAlias $NATSwitchNameAlias From 2023e54ece792bb817f3121195f014647ef15d71 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Tue, 5 Jan 2021 21:56:00 -0800 Subject: [PATCH 09/27] Monitor eth0 and eth1 with zeek and suricata --- Vagrant/logger_bootstrap.sh | 18 ++-- Vagrant/resources/GPO/rdp_users/manifest.xml | 0 .../splunk_server/logger_dashboard.xml | 27 ++--- Vagrant/resources/suricata/suricata.yaml | 5 +- ci/copy_to_s3.sh | 101 ++++++++++++++++++ 5 files changed, 131 insertions(+), 20 deletions(-) mode change 100644 => 100755 Vagrant/resources/GPO/rdp_users/manifest.xml create mode 100644 ci/copy_to_s3.sh diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh index 82914e3..908b956 100644 --- a/Vagrant/logger_bootstrap.sh +++ b/Vagrant/logger_bootstrap.sh @@ -377,6 +377,11 @@ install_zeek() { crudini --set $NODECFG proxy host localhost # Setup $CPUS numbers of Zeek workers + crudini --set $NODECFG worker-eth0 type worker + crudini --set $NODECFG worker-eth0 host localhost + crudini --set $NODECFG worker-eth0 interface eth0 + crudini --set $NODECFG worker-eth0 lb_method pf_ring + crudini --set $NODECFG worker-eth0 lb_procs "$(nproc)" crudini --set $NODECFG worker-eth1 type worker crudini --set $NODECFG worker-eth1 host localhost crudini --set $NODECFG worker-eth1 interface eth1 
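Review bot: The new condition is inverted: `@(...).Count -eq 1` is true only when `$NATHostIP` is already bound to `$NATSwitchNameAlias`, so `New-NetIPAddress` runs in exactly the case it should skip and is skipped when the address is missing (the old `-in ... -eq $FALSE` test registered on absence). Compare against zero instead: `If (@(Get-NetIPAddress | Where-Object {$_.IPAddress -eq "$NATHostIP" -and $_.InterfaceAlias -eq "$NATSwitchNameAlias"}).Count -eq 0) {`. The else branch of this If lies outside the hunk.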
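Review bot: The comment `# Setup $CPUS numbers of Zeek workers` now sits above two worker stanzas and refers to a `$CPUS` variable the code does not use (`lb_procs` is `"$(nproc)"`), so it should describe what is actually configured, e.g. `# One pf_ring load-balanced worker per monitored interface (eth0, eth1), each with nproc processes`. If `worker-eth1` also keeps `lb_procs` at `$(nproc)` (its remaining lines are outside the hunk), the logger VM now runs twice as many capture processes as it has cores, which deserves either a note or a smaller per-interface count. Monitoring eth0, presumably the Vagrant NAT interface, also puts the VM's own management traffic into the zeek index; if that is intended, say so in the comment so it is not later filtered out as noise. install_zeek continues outside the hunk.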
@@ -391,7 +396,7 @@ install_zeek() { # Configure the Splunk inputs mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek - crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json + crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype zeek:json crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$' crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$' crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0 
@@ -464,12 +469,11 @@ install_suricata() { suricata-update enable-source ptresearch/attackdetection # Configure the Splunk inputs - mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json' - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0 - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0 + crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata index suricata + crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json + crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json' + crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata disabled 0 + crudini --set /opt/splunk/etc/apps/search/local/props.conf suricata:json TRUNCATE 0 # Update suricata and restart suricata-update diff --git a/Vagrant/resources/GPO/rdp_users/manifest.xml b/Vagrant/resources/GPO/rdp_users/manifest.xml old mode 100644 new mode 100755 diff --git a/Vagrant/resources/splunk_server/logger_dashboard.xml b/Vagrant/resources/splunk_server/logger_dashboard.xml index 2e74211..d1720ff 100644 --- a/Vagrant/resources/splunk_server/logger_dashboard.xml +++ b/Vagrant/resources/splunk_server/logger_dashboard.xml 
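Review bot: The removed `mkdir -p ... && touch .../inputs.conf` line has no counterpart for the new `/opt/splunk/etc/apps/search/local/` path; crudini can create a missing file but not a missing directory, so if `search/local` is not present at this point of the bootstrap the five `crudini --set` calls fail, and nothing checks their status. Keep a guard before them: `mkdir -p /opt/splunk/etc/apps/search/local`. Moving the props.conf stanza from `json_suricata` to `suricata:json` correctly matches the sourcetype the inputs set; install_suricata continues outside the hunk.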
@@ -69,13 +69,14 @@ Zeek Network Traffic by Type - index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype + | tstats count where index=zeek by source, _time span=1h prestats=t | timechart span=1h count by source useother=f -24h@h now + 
@@ -125,16 +126,18 @@ http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html - index=zeek (dest_port=443 OR dest_port=80) -| rename orig_bytes as bytes_out resp_bytes as bytes_in -| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip -| eval beacon_avg=('beacon_count' / 'total_count') -| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out -| head 100 -| eval incount=mvcount(bytes_in) -| eventstats avg(beacon_count) as overall_average -| eval beacon_percentage=('beacon_count' / 'overall_average') -| sort - beacon_percentage + index=zeek (dest_port=443 OR dest_port=80) dest_ip!=192.168.0.0/16 +| rename orig_bytes as bytes_out resp_bytes as bytes_in +| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip +| eval beacon_avg=('beacon_count' / 'total_count') +| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out +| eval beacon_avg=('beacon_count' / 'total_count') +| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out +| eval incount=mvcount(bytes_in) +| eventstats avg(beacon_count) as overall_average +| eval beacon_percentage=('beacon_count' / 'overall_average') +| sort - beacon_percentage +| fields - incount,overall_average -24h@h now @@ -215,4 +218,4 @@ - + \ No newline at end of file 
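Review bot: The rewritten beacon search repeats the pair `| eval beacon_avg=('beacon_count' / 'total_count')` and `| stats values(beacon_count) as beacon_count ... by src_ip,dest_ip,bytes_out` twice in a row; the second copy only recomputes the output of the first and reads like a paste error. It also drops the `| head 100` cap the old search applied before the `incount`/`overall_average` steps, so the averaging now runs over every src/dest/bytes_out tuple instead of the top 100. Delete the duplicated two lines and restore `| head 100` if the cap was intentional; the enclosing dashboard XML elements are not visible in this extraction.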
diff --git a/Vagrant/resources/suricata/suricata.yaml b/Vagrant/resources/suricata/suricata.yaml index 294ee5e..849a400 100644 --- a/Vagrant/resources/suricata/suricata.yaml +++ b/Vagrant/resources/suricata/suricata.yaml @@ -124,11 +124,14 @@ logging: facility: local5 format: "[%i] <%d> -- " af-packet: + - interface: eth0 + cluster-id: 98 + cluster-type: cluster_flow + defrag: yes - interface: eth1 cluster-id: 99 cluster-type: cluster_flow defrag: yes - - interface: default pcap-file: checksum-checks: auto app-layer: diff --git a/ci/copy_to_s3.sh b/ci/copy_to_s3.sh new file mode 100644 index 0000000..611b8b8 --- /dev/null +++ b/ci/copy_to_s3.sh 
@@ -0,0 +1,101 @@ +#!/usr/bin/env bash + +# This script is used to prepare DetectionLab to be imported as VM in AWS + +# Configure credentials for awscli +aws configure set aws_access_key_id $AWS_ACCESS_KEY +aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY +aws configure set default.region us-west-1 +export BUCKET_NAME="FILL_ME_IN" + +cd /opt/DetectionLab/Vagrant || exit 1 +echo "Running WinRM Commands to open WinRM on the firewall..." +for host in dc wef win10; +do + echo "Running 'Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -Profile Any' on $host..." + vagrant winrm -e -c "Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -Profile Any" -s powershell $host; sleep 2 +done +echo "Running 'Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-NoScope -Profile Any' on win10..." +vagrant winrm -c "Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-NoScope' -Profile Any" -s powershell win10; sleep 2 + +echo "Running WinRM Commands to clear the event logs..." +for host in dc wef win10; +do + echo "Clearing event logs on $host..." + vagrant winrm -e -s powershell -c "Clear-Eventlog -Log Application, System" $host + sleep 2 +done + +echo "Printing activivation status of all hosts..." +for host in dc wef win10; +do + echo "$host" + vagrant winrm -s powershell -c "cscript c:\windows\system32\slmgr.vbs /dlv" $host + sleep 2 +done +echo "If you're ready to continue, type y:" +read READY + +if [ "$READY" != "y" ]; then + echo "Okay, quitting" + exit 1 +fi + +#echo "Re-arming WEF" +#vagrant winrm -e -s powershell -c "cscript c:\windows\system32\slmgr.vbs /rearm" wef +#echo "Activating Win10..." +#vagrant winrm -e -s powershell -c "Set-Service TrustedInstaller -StartupType Automatic" win10 +#sleep 2 +#vagrant winrm -e -s powershell -c "Start-Service TrustedInstaller" win10 +#sleep 10 +#vagrant winrm -e -s powershell -c "cscript c:\windows\system32\slmgr.vbs /ato " win10 + +# Stop vagrant and export each box as an OVA +cd /opt/DetectionLab/Vagrant || exit 1 +echo "Halting all VMs..." 
+vagrant halt + +echo "Creating a new tmux session..." +sn=tmuxsession +tmux new-session -s "$sn" -d +tmux new-window -t "$sn:2" -n "dc" -d +tmux new-window -t "$sn:3" -n "wef" -d +tmux new-window -t "$sn:4" -n "win10" -d +if which vmrun; then + tmux send-keys -t "$sn:2" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/dc/vmware_desktop/*/WindowsServer2016.vmx /root/dc.ova && echo -n "success" > /root/dc.export || echo "failed" > /root/dc.export' Enter + tmux send-keys -t "$sn:3" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/wef/vmware_desktop/*/WindowsServer2016.vmx /root/wef.ova && echo -n "success" > /root/wef.export || echo "failed" > /root/wef.export' Enter + tmux send-keys -t "$sn:4" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/win10/vmware_desktop/*/windows_10.vmx /root/win10.ova && echo -n "success" > /root/win10.export || echo "failed" > /root/win10.export' Enter +else + tmux send-keys -t "$sn:2" 'vboxmanage export dc.windomain.local -o /root/dc.ova && echo -n "success" > /root/dc.export || echo "failed" > /root/dc.export' Enter + tmux send-keys -t "$sn:3" 'vboxmanage export wef.windomain.local -o /root/wef.ova && echo -n "success" > /root/wef.export || echo "failed" > /root/wef.export' Enter + tmux send-keys -t "$sn:4" 'vboxmanage export win10.windomain.local -o /root/win10.ova && echo -n "success" > /root/win10.export || echo "failed" > /root/win10.export' Enter +fi + +# Sleep until all exports are complete +while [[ ! -f /root/dc.export || ! -f /root/wef.export || ! -f /root/win10.export ]]; + do sleep 5 + echo "Waiting for the OVA export to complete. Sleeping for 5." 
+done + +# Copy each OVA into S3 +if [[ "$(cat /root/dc.export)" == "success" && "$(cat /root/wef.export)" == "success" && "$(cat /root/win10.export)" == "success" ]]; then + for file in dc wef win10 + do + aws s3 cp /root/$file.ova s3://$BUCKET_NAME/disks/ + done +fi + +# Fix the bucket +cd /opt/DetectionLab/AWS/Terraform/vm_import || exit 1 +for file in *.json; + do sed -i "s/YOUR_BUCKET_GOES_HERE/$BUCKET_NAME/g" "$file"; +done + +# Fix the key names +for file in *.json; + do sed -i 's#"S3Key": "#"S3Key": "disks/#g' "$file"; +done + +aws ec2 import-image --description "dc" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/dc.json +aws ec2 import-image --description "wef" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/wef.json +aws ec2 import-image --description "win10" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/win10.json From 6237582fc577ca0eeef3dde81158c774a40d0e45 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Mon, 11 Jan 2021 16:47:30 -0800 Subject: [PATCH 10/27] Update inventory.yml --- ESXi/ansible/inventory.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ESXi/ansible/inventory.yml b/ESXi/ansible/inventory.yml index a00fe41..46f3205 100644 --- a/ESXi/ansible/inventory.yml +++ b/ESXi/ansible/inventory.yml @@ -7,7 +7,7 @@ logger: ansible_password: vagrant ansible_port: 22 ansible_connection: ssh - ansible_ssh_common_args: '-o StrictHostKeyChecking=no' + ansible_ssh_common_args: '-o UserKnownHostsFile=/dev/null' dc: hosts: From c91b48e4bc891a4665d6de04addaeda98e9db0ac Mon Sep 17 00:00:00 2001 
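Review bot: The script has no `set -euo pipefail` and uses `$AWS_ACCESS_KEY`, `$AWS_SECRET_ACCESS_KEY` and `$BUCKET_NAME` unquoted, so an unset key is not caught and the literal placeholder `FILL_ME_IN` is used as the bucket name by `aws s3 cp` and written into the JSON files by the `sed` loops. Add `set -euo pipefail` after the shebang, quote every expansion, and fail fast on the placeholder, e.g. `export BUCKET_NAME="${BUCKET_NAME:?set to the target S3 bucket}"` together with `: "${AWS_ACCESS_KEY:?}" "${AWS_SECRET_ACCESS_KEY:?}"`. `aws configure set` persists the long-lived key pair in plaintext under the build host's ~/.aws; exporting `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` for the session only would keep it off disk. Smaller points: `read READY` should be `read -r READY`, `which vmrun` should be `command -v vmrun`, and the polling loop never gives up if an export window dies without writing its marker file.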
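Review bot: Swapping `-o StrictHostKeyChecking=no` for `-o UserKnownHostsFile=/dev/null` changes behaviour: every connection now presents an unknown host, and with known_hosts empty OpenSSH falls back to its default `ask`, which in a non-interactive Ansible run fails with a host-key verification error unless `host_key_checking` is already disabled in ansible.cfg (not visible here). For lab VMs whose host keys are regenerated on each build the two options are normally combined: `ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'`. Either form disables host-key pinning for the logger host, so the inventory should carry a comment stating that this is accepted only on the isolated lab network.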
From: Chris Long Date: Mon, 11 Jan 2021 17:14:12 -0800 Subject: [PATCH 11/27] Moving the VMX time settings, reodering JSON files --- .gitignore | 3 +- ESXi/Packer/ubuntu1804_esxi.json | 37 +++++++++++------- ESXi/Packer/windows_10_esxi.json | 62 +++++++++++++++++------------- ESXi/Packer/windows_2016_esxi.json | 53 ++++++++++++++----------- ESXi/ansible/inventory.yml | 2 +- ESXi/main.tf | 45 +--------------------- ESXi/variables.tf | 3 +- 7 files changed, 96 insertions(+), 109 deletions(-) diff --git a/.gitignore b/.gitignore index 7b0b144..9ee2540 100755 --- a/.gitignore +++ b/.gitignore @@ -13,4 +13,5 @@ inventory.yml.bak *.box manifest.xml HyperV/.vagrant/* -logger_variables.sh \ No newline at end of file +logger_variables.sh +ESXi/Packer/variables.json diff --git a/ESXi/Packer/ubuntu1804_esxi.json b/ESXi/Packer/ubuntu1804_esxi.json index 77d8a3d..d7e7ef8 100644 --- a/ESXi/Packer/ubuntu1804_esxi.json +++ b/ESXi/Packer/ubuntu1804_esxi.json 
@@ -26,36 +26,45 @@ "" ], "boot_wait": "10s", - "keep_registered": true, - "remote_datastore": "{{user `esxi_datastore`}}", - "remote_host": "{{user `esxi_host`}}", - "remote_username": "{{user `esxi_username`}}", - "remote_password": "{{user `esxi_password`}}", - "remote_type": "esx5", - "vnc_disable_password": true, - "vnc_port_min": 5900, - "vnc_port_max": 5980, + "cpus": "{{ user `cpus` }}", "disk_size": "{{user `disk_size`}}", "guest_os_type": "ubuntu-64", "http_directory": "{{user `http_directory`}}", "iso_checksum": "{{user `iso_checksum`}}", "iso_url": "{{user `mirror`}}/{{user `mirror_directory`}}/{{user `iso_name`}}", + "keep_registered": true, "shutdown_command": "echo 'vagrant' | sudo -S shutdown -P now", "ssh_password": "vagrant", "ssh_port": 22, "ssh_username": "vagrant", "ssh_timeout": "10000s", - "pause_before_connecting": "10m", + "memory": "{{ user `memory` }}", + "pause_before_connecting": "1m", + "remote_datastore": "{{user `esxi_datastore`}}", + "remote_host": "{{user `esxi_host`}}", + "remote_username": "{{user `esxi_username`}}", + "remote_password": "{{user `esxi_password`}}", + "remote_type": "esx5", + "skip_export": true, "tools_upload_flavor": "linux", "type": "vmware-iso", "vm_name": "Ubuntu1804", - "memory": "{{ user `memory` }}", - "cpus": "{{ user `cpus` }}", "vmx_data": { "ethernet0.networkName": "{{user `esxi_network_with_dhcp_and_internet` }}", "cpuid.coresPerSocket": "1", - "ethernet0.pciSlotNumber": "32" - } + "ethernet0.pciSlotNumber": "32", + "tools.syncTime": "0", + "time.synchronize.continue": "0", + "time.synchronize.restore": "0", + "time.synchronize.resume.disk": "0", + "time.synchronize.shrink": "0", + "time.synchronize.tools.startup": "0", + "time.synchronize.tools.enable": "0", + "time.synchronize.resume.host": "0" + }, + "vnc_disable_password": true, + "vnc_port_min": 5900, + "vnc_port_max": 5980 } ], "provisioners": [ 
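Review bot: Two behaviour changes are buried in what the commit message describes as moving VMX settings and reordering: `"pause_before_connecting"` drops from `"10m"` to `"1m"`, and `"skip_export": true` is new. Neither is mentioned in the subject or description, and JSON offers no place for an inline comment, so the reasoning (why one minute is now sufficient, and that the VM is kept registered on the datastore instead of exported) belongs in the commit description. The Windows builder hunks in the same patch add `skip_export` the same way.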
diff --git a/ESXi/Packer/windows_10_esxi.json b/ESXi/Packer/windows_10_esxi.json index 5b6964e..791d848 100644 --- a/ESXi/Packer/windows_10_esxi.json +++ b/ESXi/Packer/windows_10_esxi.json @@ -1,31 +1,10 @@ { "builders": [ { - "vnc_disable_password": true, - "keep_registered": true, - "remote_datastore": "{{user `esxi_datastore`}}", - "remote_host": "{{user `esxi_host`}}", - "remote_username": "{{user `esxi_username`}}", - "remote_password": "{{user `esxi_password`}}", - "remote_type": "esx5", - "type": "vmware-iso", - "vm_name":"Windows10", - "communicator": "winrm", - "iso_url": "{{user `iso_url`}}", - "iso_checksum": "{{user `iso_checksum`}}", - "headless": false, "boot_wait": "6m", "boot_command": "", - "winrm_username": "vagrant", - "winrm_password": "vagrant", - "winrm_timeout": "4h", - "shutdown_timeout": "2h", - "shutdown_command": "a:/sysprep.bat", - "guest_os_type": "windows9-64", - "disk_size": "{{user `disk_size`}}", - "vnc_port_min": 5900, - "vnc_port_max": 5980, - "version": 11, + "communicator": "winrm", + "disk_size": 61440, "floppy_files": [ "{{user `autounattend`}}", "../../Packer/floppy/WindowsPowershell.lnk", 
@@ -40,12 +19,42 @@ "../../Packer/scripts/unattend.xml", "../../Packer/scripts/sysprep.bat" ], + "guest_os_type": "windows9-64", + "keep_registered": true, + "headless": false, + "iso_url": "{{user `iso_url`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "shutdown_timeout": "2h", + "shutdown_command": "a:/sysprep.bat", + "skip_export": true, + "remote_datastore": "{{user `esxi_datastore`}}", + "remote_host": "{{user `esxi_host`}}", + "remote_username": "{{user `esxi_username`}}", + "remote_password": "{{user `esxi_password`}}", + "remote_type": "esx5", + "type": "vmware-iso", + "version": 11, + "vm_name": "Windows10", + "vnc_disable_password": true, + "vnc_port_min": 5900, + "vnc_port_max": 5980, "vmx_data": { "ethernet0.networkName": "{{user `esxi_network_with_dhcp_and_internet`}}", "memsize": "2048", "numvcpus": "2", - "scsi0.virtualDev": "lsisas1068" - } + "scsi0.virtualDev": "lsisas1068", + "tools.syncTime": "0", + "time.synchronize.continue": "0", + "time.synchronize.restore": "0", + "time.synchronize.resume.disk": "0", + "time.synchronize.shrink": "0", + "time.synchronize.tools.startup": "0", + "time.synchronize.tools.enable": "0", + "time.synchronize.resume.host": "0" + }, + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout": "4h" } ], "provisioners": [ @@ -93,8 +102,7 @@ "esxi_password": "", "iso_checksum": "sha256:ab4862ba7d1644c27f27516d24cb21e6b39234eb3301e5f1fb365a78b22f79b3", "iso_url": "https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso", - "autounattend": "../../Packer/answer_files/10/Autounattend.xml", - "disk_size": "61440" + "autounattend": "../../Packer/answer_files/10/Autounattend.xml" } } diff --git a/ESXi/Packer/windows_2016_esxi.json b/ESXi/Packer/windows_2016_esxi.json index 9242bfa..6509d5a 100644 --- a/ESXi/Packer/windows_2016_esxi.json +++ b/ESXi/Packer/windows_2016_esxi.json 
@@ -1,28 +1,9 @@ { "builders": [ { - "vnc_disable_password": true, - "keep_registered": true, - "remote_datastore": "{{user `esxi_datastore`}}", - "remote_host": "{{user `esxi_host`}}", - "remote_username": "{{user `esxi_username`}}", - "remote_password": "{{user `esxi_password`}}", - "remote_type": "esx5", - "vm_name":"WindowsServer2016", - "type": "vmware-iso", - "communicator": "winrm", - "iso_url": "{{user `iso_url`}}", - "iso_checksum": "{{user `iso_checksum`}}", - "headless": false, "boot_wait": "2m", - "winrm_username": "vagrant", - "winrm_password": "vagrant", - "winrm_timeout": "4h", - "shutdown_timeout": "2h", - "shutdown_command": "a:/sysprep.bat", - "guest_os_type": "windows8srv-64", + "communicator": "winrm", "disk_size": 61440, - "version": 11, "floppy_files": [ "{{user `autounattend`}}", "../../Packer/floppy/WindowsPowershell.lnk", 
@@ -35,12 +16,40 @@ "../../Packer/scripts/microsoft-updates.bat", "../../Packer/scripts/win-updates.ps1" ], + "guest_os_type": "windows8srv-64", + "headless": false, + "iso_url": "{{user `iso_url`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "keep_registered": true, + "shutdown_timeout": "2h", + "shutdown_command": "a:/sysprep.bat", + "skip_export": true, + "remote_datastore": "{{user `esxi_datastore`}}", + "remote_host": "{{user `esxi_host`}}", + "remote_username": "{{user `esxi_username`}}", + "remote_password": "{{user `esxi_password`}}", + "remote_type": "esx5", + "type": "vmware-iso", + "version": 11, + "vm_name": "WindowsServer2016", + "vnc_disable_password": true, "vmx_data": { "ethernet0.networkName": "{{user `esxi_network_with_dhcp_and_internet`}}", "memsize": "2048", "numvcpus": "2", - "scsi0.virtualDev": "lsisas1068" - } + "scsi0.virtualDev": "lsisas1068", + "tools.syncTime": "0", + "time.synchronize.continue": "0", + "time.synchronize.restore": "0", + "time.synchronize.resume.disk": "0", + "time.synchronize.shrink": "0", + "time.synchronize.tools.startup": "0", + "time.synchronize.tools.enable": "0", + "time.synchronize.resume.host": "0" + }, + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout": "4h" } ], "provisioners": [ diff --git a/ESXi/ansible/inventory.yml b/ESXi/ansible/inventory.yml index a00fe41..46f3205 100644 --- a/ESXi/ansible/inventory.yml +++ b/ESXi/ansible/inventory.yml @@ -7,7 +7,7 @@ logger: ansible_password: vagrant ansible_port: 22 ansible_connection: ssh - ansible_ssh_common_args: '-o StrictHostKeyChecking=no' + ansible_ssh_common_args: '-o UserKnownHostsFile=/dev/null' dc: hosts: diff --git a/ESXi/main.tf b/ESXi/main.tf index b329810..215a93e 100644 --- a/ESXi/main.tf +++ b/ESXi/main.tf 
@@ -18,16 +18,6 @@ resource "esxi_guest" "logger" { guest_name = "logger" disk_store = var.esxi_datastore guestos = "ubuntu-64" - custom_vmx_settings = [ - ['tools.syncTime', '0'], - ['time.synchronize.continue', '0'], - ['time.synchronize.restore', '0'], - ['time.synchronize.resume.disk', '0'], - ['time.synchronize.shrink', '0'], - ['time.synchronize.tools.startup', '0'], - ['time.synchronize.tools.enable', '0'], - ['time.synchronize.resume.host', '0'] - ] boot_disk_type = "thin" @@ -39,9 +29,8 @@ resource "esxi_guest" "logger" { provisioner "remote-exec" { inline = [ - "sudo ifconfig eth1 up || echo 'eth1 up'", - "sudo ifconfig eth2 up || echo 'eth2 up'", - "sudo route add default gw 192.168.76.1 || echo 'route exists'" + "sudo ifconfig eth0 up && echo 'eth0 up' || echo 'unable to bring eth0 interface up", + "sudo ifconfig eth1 up && echo 'eth1 up' || echo 'unable to bring eth1 interface up" ] connection { @@ -80,16 +69,6 @@ resource "esxi_guest" "dc" { guest_name = "dc" disk_store = var.esxi_datastore guestos = "windows9srv-64" - custom_vmx_settings = [ - ['tools.syncTime', '0'], - ['time.synchronize.continue', '0'], - ['time.synchronize.restore', '0'], - ['time.synchronize.resume.disk', '0'], - ['time.synchronize.shrink', '0'], - ['time.synchronize.tools.startup', '0'], - ['time.synchronize.tools.enable', '0'], - ['time.synchronize.resume.host', '0'] - ] boot_disk_type = "thin" @@ -118,16 +97,6 @@ resource "esxi_guest" "wef" { guest_name = "wef" disk_store = var.esxi_datastore guestos = "windows9srv-64" - custom_vmx_settings = [ - ['tools.syncTime', '0'], - ['time.synchronize.continue', '0'], - ['time.synchronize.restore', '0'], - ['time.synchronize.resume.disk', '0'], - ['time.synchronize.shrink', '0'], - ['time.synchronize.tools.startup', '0'], - ['time.synchronize.tools.enable', '0'], - ['time.synchronize.resume.host', '0'] - ] boot_disk_type = "thin" 
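Review bot: Both new remote-exec commands are missing the closing single quote of the fallback message: `echo 'unable to bring eth0 interface up` leaves the shell with an unterminated quoted string, so the provisioning script fails with a syntax error instead of bringing the interfaces up. The lines should read `"sudo ifconfig eth0 up && echo 'eth0 up' || echo 'unable to bring eth0 interface up'",` and `"sudo ifconfig eth1 up && echo 'eth1 up' || echo 'unable to bring eth1 interface up'"`. Note also that the trailing `|| echo` makes the provisioner report success even when the interface could not be brought up; if that is deliberate, a one-line comment above the `inline` list should say so. The enclosing `esxi_guest.logger` resource starts and ends outside this hunk.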
@@ -156,16 +125,6 @@ resource "esxi_guest" "win10" { guest_name = "win10" disk_store = var.esxi_datastore guestos = "windows9-64" - custom_vmx_settings = [ - ['tools.syncTime', '0'], - ['time.synchronize.continue', '0'], - ['time.synchronize.restore', '0'], - ['time.synchronize.resume.disk', '0'], - ['time.synchronize.shrink', '0'], - ['time.synchronize.tools.startup', '0'], - ['time.synchronize.tools.enable', '0'], - ['time.synchronize.resume.host', '0'] - ] boot_disk_type = "thin" diff --git a/ESXi/variables.tf b/ESXi/variables.tf index b907d0b..052bc07 100644 --- a/ESXi/variables.tf +++ b/ESXi/variables.tf @@ -1,7 +1,8 @@ # # See https://www.terraform.io/intro/getting-started/variables.html for more details. # -# Change these defaults to fit your needs! +# Don't change the variables in this file! +# Instead, create a terrform.tfvars file to override them. variable "esxi_hostname" { default = "" From 02cee91fe328d76c27722284f3f9627d427c0e60 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Mon, 11 Jan 2021 20:18:31 -0800 Subject: [PATCH 12/27] Add Big Sur check for prepare.ps1 --- Vagrant/prepare.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Vagrant/prepare.sh b/Vagrant/prepare.sh index 090dfcd..3a6528e 100755 --- a/Vagrant/prepare.sh +++ b/Vagrant/prepare.sh @@ -119,6 +119,14 @@ check_vagrant_vmware_utility_installed() { fi } +check_macos_bigsur() { + if sw_vers | grep ProductVersion | grep -c 11\. > /dev/null; then + echo "1" + else + echo "0" + fi +} + # List the available Vagrant providers present on the system list_providers() { VBOX_PRESENT=0 
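Review bot: The new comment misspells the override file: `terrform.tfvars` should be `terraform.tfvars`, since Terraform only auto-loads a file with exactly that name (or `*.auto.tfvars`), so a user who copies the name from the comment ends up running with the defaults. Suggested text: `# Instead, create a terraform.tfvars file to override them.` It would also be worth adding that this file will hold the ESXi credentials and should be kept out of version control, and confirming it is covered by `.gitignore` the way this patch covers `ESXi/Packer/variables.json`.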
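Review bot: The version test in `check_macos_bigsur` matches more than Big Sur: the unquoted `11\.` reaches grep as the regex `11.`, where the dot matches any character, so `ProductVersion: 10.11.6` (El Capitan) also satisfies it, and the three-process pipeline plus `> /dev/null` is more than the check needs. Comparing the product version directly is tighter and cheaper: `if [[ "$(sw_vers -productVersion)" == 11.* ]]; then`. The function keeps returning `"1"`/`"0"` on stdout like the sibling `check_*` helpers, so callers are unaffected.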
@@ -131,6 +139,7 @@ list_providers() { VMWARE_WORKSTATION_PRESENT=0 # Workstation doesn't exist on Darwain-based OS VAGRANT_VMWARE_DESKTOP_PLUGIN_PRESENT=$(check_vmware_desktop_vagrant_plugin_installed) VAGRANT_VMWARE_UTILITY_PRESENT=$(check_vagrant_vmware_utility_installed) + IS_BIGSUR=$(check_macos_bigsur) else VBOX_PRESENT=$(check_virtualbox_installed) VMWARE_WORKSTATION_PRESENT=$(check_vmware_workstation_installed) @@ -159,6 +168,10 @@ list_providers() { (echo >&2 "${INFO} More details can be found here: https://www.vagrantup.com/docs/providers/default" ) (echo >&2 "${INFO} Additionally, please ensure only one providers' network adapters are active at any given time." ) fi + if [[ $VMWARE_FUSION_PRESENT -eq 1 ]] && [[ $IS_BIGSUR -eq 1 ]]; then + (echo >&2 "${INFO} A workaround is currently required to use VMware Fusion with Big Sur.") + (echo >&2 "${INFO} See https://github.com/clong/DetectionLab/issues/539 for more info.") + fi } # Check to see if boxes exist in the "Boxes" directory already From ab9dd9487cdb484f663da52e8a36184830f653b0 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Wed, 13 Jan 2021 12:05:16 -0800 Subject: [PATCH 13/27] Fix Zeek/Suricata on AWS --- AWS/Terraform/main.tf | 1 + Vagrant/logger_bootstrap.sh | 16 +++++++++++----- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/AWS/Terraform/main.tf b/AWS/Terraform/main.tf index f979483..db9b530 100644 --- a/AWS/Terraform/main.tf +++ b/AWS/Terraform/main.tf 
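Review bot: `IS_BIGSUR` is assigned only inside the Darwin branch of `list_providers`, while the new warning at the end of the function reads it unconditionally, so on Linux it is unset and only the `&&` short-circuit on `VMWARE_FUSION_PRESENT` keeps the comparison from being evaluated. Initialising it with the other provider flags — `IS_BIGSUR=0` alongside `VMWARE_WORKSTATION_PRESENT=0` — makes the check independent of that ordering and safe if the script ever enables `set -u`. `list_providers` starts outside this hunk.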
@@ -193,6 +193,7 @@ resource "aws_instance" "logger" { "sudo sed -i 's/eth1/ens5/g' /opt/DetectionLab/Vagrant/logger_bootstrap.sh", "sudo sed -i 's/ETH1/ens5/g' /opt/DetectionLab/Vagrant/logger_bootstrap.sh", "sudo sed -i 's/eth1/ens5/g' /opt/DetectionLab/Vagrant/resources/suricata/suricata.yaml", + "sudo sed -i -e '127,130d' /opt/DetectionLab/Vagrant/resources/suricata/suricata.yaml", "sudo sed -i 's#/vagrant/resources#/opt/DetectionLab/Vagrant/resources#g' /opt/DetectionLab/Vagrant/logger_bootstrap.sh", "sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config", "sudo service ssh restart", diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh index 908b956..e6d58a9 100644 --- a/Vagrant/logger_bootstrap.sh +++ b/Vagrant/logger_bootstrap.sh @@ -377,11 +377,17 @@ install_zeek() { crudini --set $NODECFG proxy host localhost # Setup $CPUS numbers of Zeek workers - crudini --set $NODECFG worker-eth0 type worker - crudini --set $NODECFG worker-eth0 host localhost - crudini --set $NODECFG worker-eth0 interface eth0 - crudini --set $NODECFG worker-eth0 lb_method pf_ring - crudini --set $NODECFG worker-eth0 lb_procs "$(nproc)" + # AWS only has a single interface (eth1), so don't monitor eth0 if we're in AWS + if ! curl -s 169.254.169.254 --connect-timeout 2 >/dev/null; then + # TL;DR of ^^^: if you can't reach the AWS metadata service, you're not running in AWS + # Therefore, it's ok to add this. + crudini --set $NODECFG worker-eth0 type worker + crudini --set $NODECFG worker-eth0 host localhost + crudini --set $NODECFG worker-eth0 interface eth0 + crudini --set $NODECFG worker-eth0 lb_method pf_ring + crudini --set $NODECFG worker-eth0 lb_procs "$(nproc)" + fi + crudini --set $NODECFG worker-eth1 type worker crudini --set $NODECFG worker-eth1 host localhost crudini --set $NODECFG worker-eth1 interface eth1 From 6c5cd3e137674f7985af7f13eab442e44f2f2636 Mon Sep 17 00:00:00 2001 
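Review bot: `sed -i -e '127,130d'` removes Suricata configuration by absolute line number, so any later edit to `Vagrant/resources/suricata/suricata.yaml` in this repo silently deletes the wrong lines, and nothing in the hunk says which four lines are meant. At minimum a comment in the `inline` list should name the block being removed; better, anchor the deletion on its text with a `/pattern/,/pattern/d` range or ship an AWS-specific suricata.yaml so the provisioner does not patch line numbers at all. The enclosing `aws_instance.logger` resource starts and ends outside this hunk.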
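Review bot: The new AWS detection in `install_zeek` treats any answer from `169.254.169.254` as "running in AWS", but that link-local metadata address is also served by other clouds (Azure, GCP and OpenStack among them), so on those platforms the `worker-eth0` entry would be silently skipped. Since the AWS Terraform already rewrites this script with `sed` at provision time, an explicit marker it injects (for example an `IN_AWS=1` assignment, name constructed) would be a clearer signal than probing the metadata service, and the comment should state the underlying assumption — that the AWS instance only exposes the interface renamed to `eth1` — so the reader knows what the branch protects. `install_zeek` starts outside this hunk.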
From: Chris Long Date: Wed, 20 Jan 2021 14:23:44 -0800 Subject: [PATCH 14/27] Update install-utilities.ps1 Don't check checksums for GoogleChrome choco package --- Vagrant/scripts/install-utilities.ps1 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1 index c3b20e9..11703e9 100755 --- a/Vagrant/scripts/install-utilities.ps1 +++ b/Vagrant/scripts/install-utilities.ps1 @@ -15,6 +15,9 @@ If ($(hostname) -eq "win10") { & "C:\Program Files\Classic Shell\ClassicStartMenu.exe" "-xml" "c:\vagrant\resources\windows\MenuSettings.xml" regedit /s c:\vagrant\resources\windows\MenuStyle_Default_Win7.reg } -choco install -y --limit-output --no-progress NotepadPlusPlus GoogleChrome WinRar +choco install -y --limit-output --no-progress NotepadPlusPlus WinRar + +# The checksums for the GoogleChrome package are frequently out of date and cause the script to fail +choco install -y --limit-output --no-progress GoogleChrome Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Utilties installation complete!" From 77b484b0ecfe00a6d37424ed816e99577eb96437 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Wed, 20 Jan 2021 14:57:37 -0800 Subject: [PATCH 15/27] Actually adding the parameter --- Vagrant/scripts/install-utilities.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1 index 11703e9..c260700 100755 --- a/Vagrant/scripts/install-utilities.ps1 +++ b/Vagrant/scripts/install-utilities.ps1 
@@ -18,6 +18,6 @@ If ($(hostname) -eq "win10") { choco install -y --limit-output --no-progress NotepadPlusPlus WinRar # The checksums for the GoogleChrome package are frequently out of date and cause the script to fail -choco install -y --limit-output --no-progress GoogleChrome +choco install -y --limit-output --no-progress --ignore-checksums GoogleChrome Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Utilties installation complete!" From 106a0a6805e221576662257824cd48a5c088f193 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Wed, 20 Jan 2021 18:45:30 -0800 Subject: [PATCH 16/27] Disable googlechrome installation (temporary) --- Vagrant/scripts/install-utilities.ps1 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1 index c260700..ca1350d 100755 --- a/Vagrant/scripts/install-utilities.ps1 +++ b/Vagrant/scripts/install-utilities.ps1 @@ -17,7 +17,8 @@ If ($(hostname) -eq "win10") { } choco install -y --limit-output --no-progress NotepadPlusPlus WinRar -# The checksums for the GoogleChrome package are frequently out of date and cause the script to fail -choco install -y --limit-output --no-progress --ignore-checksums GoogleChrome +# The GoogleChrome choco repo is totally broken at the moment. +# Temporary workaround for https://github.com/clong/DetectionLab/issues/595 +# choco install -y --limit-output --no-progress --ignore-checksums GoogleChrome Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Utilties installation complete!" From 59119e0ae45fe16a78c4b024a41c86abfe591b91 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Thu, 21 Jan 2021 12:54:01 -0800 Subject: [PATCH 17/27] Update install-utilities.ps1 --- Vagrant/scripts/install-utilities.ps1 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1 index ca1350d..83a927d 100755 --- a/Vagrant/scripts/install-utilities.ps1 
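Review bot: `--ignore-checksums` removes the only integrity check Chocolatey performs on the Chrome installer it downloads, so the installer's contents are trusted solely on the transport to whatever URL the community package currently points at, and it presumably runs with the elevated rights `choco install` needs. If stale checksums are the real problem, pinning a known package version with `--version` or vendoring the installer with your own hash keeps verification; if skipping it is the accepted trade-off for this lab, the comment should say so explicitly: `# Chrome package checksums are often stale; integrity of the installer is deliberately not verified for this lab build`. Patch 17 re-applies the same flag to the same line, so the same applies there.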
+++ b/Vagrant/scripts/install-utilities.ps1 @@ -17,8 +17,7 @@ If ($(hostname) -eq "win10") { } choco install -y --limit-output --no-progress NotepadPlusPlus WinRar -# The GoogleChrome choco repo is totally broken at the moment. -# Temporary workaround for https://github.com/clong/DetectionLab/issues/595 -# choco install -y --limit-output --no-progress --ignore-checksums GoogleChrome +# This repo often causes failures due to incorrect checksums, so we ignore them for Chrome +choco install -y --limit-output --no-progress --ignore-checksums GoogleChrome Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Utilties installation complete!" From c681c30449addedb2e6ec7f0c933d40e5cdfc358 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Tue, 26 Jan 2021 14:25:23 -0800 Subject: [PATCH 18/27] Add HTTP failover for autorunstowineventlog --- Vagrant/scripts/install-autorunstowineventlog.ps1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Vagrant/scripts/install-autorunstowineventlog.ps1 b/Vagrant/scripts/install-autorunstowineventlog.ps1 index e11d332..39c1a3e 100644 --- a/Vagrant/scripts/install-autorunstowineventlog.ps1 +++ b/Vagrant/scripts/install-autorunstowineventlog.ps1 
@@ -3,6 +3,14 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing AutorunsToWinEventLog..." If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null) { + # Modify the installer to add an HTTP fallback until this gets fixed upstream in the windows-event-fowarding repo + # See https://github.com/clong/DetectionLab/issues/597 + (Get-Content c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1 -Raw) -replace 'Invoke-WebRequest -Uri "https://live.sysinternals.com/autorunsc64.exe" -OutFile "\$autorunsPath"', 'Try { + (New-Object System.Net.WebClient).DownloadFile(''https://live.sysinternals.com/Autoruns64.exe'', $autorunsPath) + } Catch { + Write-Host "HTTPS connection failed. Switching to HTTP :(" + (New-Object System.Net.WebClient).DownloadFile(''http://live.sysinternals.com/Autoruns64.exe'', $autorunsPath) + }' | Set-Content -Path "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1" . c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am" Start-ScheduledTask -TaskName "AutorunsToWinEventLog" From 84dcc43af46f1df28b6f36a0b927ca5612fc7e45 Mon Sep 17 00:00:00 2001 From: mikajarvinen Date: Mon, 1 Feb 2021 20:49:26 +0200 Subject: [PATCH 19/27] fix a typo in vm_name -key value in qemu type section of windows_2016.json --- Packer/windows_2016.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packer/windows_2016.json b/Packer/windows_2016.json index 83a7716..c0e5ce8 100644 --- a/Packer/windows_2016.json +++ b/Packer/windows_2016.json @@ -83,7 +83,7 @@ }, { "type": "qemu", - "vm_name": "windows_10", + "vm_name": "WindowsServer2016", "communicator": "winrm", "iso_url": "{{user `iso_url`}}", "iso_checksum": "{{user `iso_checksum`}}", 
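Review bot: The injected fallback fetches `Autoruns64.exe` over plain HTTP when HTTPS fails, so a binary later executed by the scheduled task can arrive with no transport integrity and nothing verifies it afterwards; if the fallback stays, check `Get-AuthenticodeSignature $autorunsPath` and abort unless the status is `Valid` with a Microsoft signer. The replacement also changes the downloaded file from `autorunsc64.exe` (the console tool the original line fetched) to `Autoruns64.exe`; if the scheduled task parses console output that would break it, so please confirm this is intended. Finally, `-replace` treats the search text as a regex and leaves the file untouched if the upstream line differs at all, so the script should check that the content actually changed before dot-sourcing `Install.ps1`. The enclosing `If` block starts and ends outside this hunk.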
From 872a4284e6397214ced2555efb2837a355b56e12 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Thu, 4 Feb 2021 11:17:30 -0800 Subject: [PATCH 20/27] Updating sponsors --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7a33b73..ca5f10c 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,7 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer] * [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) # DetectionLab Sponsors -#### Lated updated: 12/31/2020 +#### Lated updated: 02/04/2020 I would like to extend thanks to the following sponsors for funding DetectionLab development. If you are interested in becoming a sponsor, please visit the [sponsors page](https://github.com/sponsors/clong). ### Diamond Sponsors: @@ -129,7 +129,7 @@ I would like to extend thanks to the following sponsors for funding DetectionLab * [braimee](https://github.com/braimee) * [defensivedepth](https://github.com/defensivedepth) * [kafkaesqu3](https://github.com/kafkaesqu3) -* [anthonysecurity](https://github.com/anthonysecurity) +* [mdtro](https://github.com/mdtro) * [ealaney](https://github.com/ealaney) * [elreydetoda](https://github.com/elreydetoda) * [DevBits1702](https://github.com/DevBits1702) From a422ad844231ff4e8d316fb7d72af2e56541313f Mon Sep 17 00:00:00 2001 From: mdtro Date: Sat, 6 Feb 2021 01:01:08 -0600 Subject: [PATCH 21/27] add custom props.conf for Splunk TA for Zeek and update logger_bootstrap --- Vagrant/logger_bootstrap.sh | 4 ++++ Vagrant/resources/splunk_server/zeek_ta_props.conf | 12 ++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 Vagrant/resources/splunk_server/zeek_ta_props.conf diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh index e6d58a9..cc65dc5 100644 --- a/Vagrant/logger_bootstrap.sh +++ b/Vagrant/logger_bootstrap.sh 
@@ -195,6 +195,10 @@ install_splunk() { cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf + # Add props.conf to Splunk Zeek TA to properly parse timestamp + # and avoid grouping events as a single event + cp /vagrant/resources/splunk_server/zeek_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_bro/local/props.conf + # Add custom Macro definitions for ThreatHunting App cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf # Fix props.conf in ThreatHunting App diff --git a/Vagrant/resources/splunk_server/zeek_ta_props.conf b/Vagrant/resources/splunk_server/zeek_ta_props.conf new file mode 100644 index 0000000..8bf46c5 --- /dev/null +++ b/Vagrant/resources/splunk_server/zeek_ta_props.conf @@ -0,0 +1,12 @@ +[zeek:json] +DATETIME_CONFIG = +INDEXED_EXTRACTIONS = json +KV_MODE = none +LINE_BREAKER = ([\r\n]+) +NO_BINARY_CHECK = true +category = Structured +description = Zeek JSON sourcetype with fixed timestamp parsing. +disabled = false +pulldown_type = true +TIMESTAMP_FIELDS = ts +TIME_FORMAT = %s.%6N \ No newline at end of file From eedd621537c1b4f617e44da2e5f51d6da72b0923 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Mon, 15 Feb 2021 15:51:39 -0800 Subject: [PATCH 22/27] Improve fleet release link finding --- Vagrant/logger_bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh index cc65dc5..ccbd341 100644 --- a/Vagrant/logger_bootstrap.sh +++ b/Vagrant/logger_bootstrap.sh 
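Review bot: The new `cp` writes into `/opt/splunk/etc/apps/Splunk_TA_bro/local/props.conf`, whereas the neighbouring copies target `default/`; a Splunk app is not guaranteed to ship a `local/` directory, so if it is absent the copy fails and the Zeek timestamp fix is silently lost or aborts the run, depending on how `install_splunk` handles errors. Creating the directory first makes the step deterministic: `mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local`. Writing to `local/` is the right layer because it survives TA upgrades, so a short comment saying that is intentional would stop someone aligning it with the `default/` copies. `install_splunk` starts and ends outside this hunk.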
@@ -271,7 +271,7 @@ install_fleet_import_osquery_config() { mysql -uroot -pkolide -e "create database kolide;" # Always download the latest release of Fleet - curl -s https://api.github.com/repos/fleetdm/fleet/releases/latest | grep 'https://github.com' | grep "/fleet.zip" | cut -d ':' -f 2,3 | tr -d '"' | wget --progress=bar:force -i - + curl -s https://api.github.com/repos/fleetdm/fleet/releases | grep 'https://github.com' | grep "/fleet.zip" | cut -d ':' -f 2,3 | tr -d '"' | tr -d ' ' | head -1 | wget --progress=bar:force -i - unzip fleet.zip -d fleet cp fleet/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl cp fleet/linux/fleet /usr/local/bin/fleet && chmod +x /usr/local/bin/fleet From f6a85be0c6ef983476cc782bf7fe8949aefd1772 Mon Sep 17 00:00:00 2001 From: Parker McGee Date: Fri, 19 Feb 2021 08:21:25 -0500 Subject: [PATCH 23/27] Fix Fleet install in ESXi to use the latest fleet.zip release --- ESXi/ansible/roles/logger/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml index 8f33d0e..40bf5f3 100644 --- a/ESXi/ansible/roles/logger/tasks/main.yml +++ b/ESXi/ansible/roles/logger/tasks/main.yml @@ -300,7 +300,7 @@ executable: /bin/bash become: yes shell: | - if [ -f "/opt/fleet" ]; then + if [ -d "/opt/fleet" ]; then echo "[$(date +%H:%M:%S)]: Fleet is already installed" else cd /opt || exit 1 
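Review bot: Switching from `/releases/latest` to `/releases` changes which artifact is installed: the GitHub `/releases` listing includes pre-releases, and `head -1` takes whichever appears first, so `fleet` and `fleetctl` — binaries copied into `/usr/local/bin` — can now come from an unreviewed pre-release with nothing pinning the version and no checksum or signature check on `fleet.zip`. Pinning a release tag in a variable (e.g. `FLEET_VERSION=`, name constructed) and downloading `https://github.com/fleetdm/fleet/releases/download/$FLEET_VERSION/fleet.zip` is more reproducible and reviewable than scraping the API with grep/cut/tr, and at minimum the comment above the line should stop saying "latest release" if pre-releases are acceptable. The pipeline also fails silently: if no URL matches, `wget -i -` reads nothing and the later `unzip` fails with an unrelated message. Patch 23 copies the same pipeline into the ESXi Ansible role, so the same applies there. `install_fleet_import_osquery_config` starts and ends outside this hunk.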
@@ -314,7 +314,7 @@ mysql -uroot -pkolide -e "create database kolide;" # Always download the latest release of Fleet - curl -s https://api.github.com/repos/fleetdm/fleet/releases/latest | grep 'https://github.com' | grep "/fleet.zip" | cut -d ':' -f 2,3 | tr -d '"' | wget --progress=bar:force -i - + curl -s https://api.github.com/repos/fleetdm/fleet/releases | grep 'https://github.com' | grep "/fleet.zip" | cut -d ':' -f 2,3 | tr -d '"' | tr -d ' ' | head -1 | wget --progress=bar:force -i - unzip fleet.zip -d fleet cp fleet/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl cp fleet/linux/fleet /usr/local/bin/fleet && chmod +x /usr/local/bin/fleet From 0f8559e0951f1cabdc7ee4e9a27d896bc4c57780 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Wed, 24 Feb 2021 12:47:56 -1000 Subject: [PATCH 24/27] Update slack join URL --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ca5f10c..189269f 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?style=flat-square) [![GitHub last commit](https://img.shields.io/github/last-commit/clong/DetectionLab.svg?style=flat-square)](https://github.com/clong/DetectionLab/commit/master) [![Twitter](https://img.shields.io/twitter/follow/DetectionLab.svg?style=social)](https://twitter.com/DetectionLab) -[![Slack](https://img.shields.io/badge/Slack-DetectionLab-blue)](https://join.slack.com/t/cl0ng/shared_invite/zt-kjwgkldg-BqB1TyrUX0dSjDPe44tKRg) +[![Slack](https://img.shields.io/badge/SlBeack-DetectionLab-blue)](https://join.slack.com/t/detectionlab/shared_invite/zt-mv1qnw9f-3qo2ZrB0IbIKhvinfsgYhg) #### Donate to the project: From 94ff45110527325148be7a5a42d931ed21312534 Mon Sep 17 00:00:00 2001 
From: Chris Long Date: Wed, 24 Feb 2021 12:48:53 -1000 Subject: [PATCH 25/27] Mobile commits are hard --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 189269f..51c98ec 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?style=flat-square) [![GitHub last commit](https://img.shields.io/github/last-commit/clong/DetectionLab.svg?style=flat-square)](https://github.com/clong/DetectionLab/commit/master) [![Twitter](https://img.shields.io/twitter/follow/DetectionLab.svg?style=social)](https://twitter.com/DetectionLab) -[![Slack](https://img.shields.io/badge/SlBeack-DetectionLab-blue)](https://join.slack.com/t/detectionlab/shared_invite/zt-mv1qnw9f-3qo2ZrB0IbIKhvinfsgYhg) +[![Slack](https://img.shields.io/badge/Slack-DetectionLab-blue)](https://join.slack.com/t/detectionlab/shared_invite/zt-mv1qnw9f-3qo2ZrB0IbIKhvinfsgYhg) #### Donate to the project: From 9b597c99a5ce35d8d6740f02fa08fd208a84669e Mon Sep 17 00:00:00 2001 From: Chris Long Date: Fri, 26 Feb 2021 10:56:17 -0800 Subject: [PATCH 26/27] Add check for Virtual Machine Platform to prepare script --- .gitignore | 1 + Vagrant/prepare.ps1 | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/.gitignore b/.gitignore index 9ee2540..667b1ff 100755 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +Azure/Ansible/inventory.yml Vagrant/.vagrant/* Vagrant/vagrant*.log Packer/packer_cache/* diff --git a/Vagrant/prepare.ps1 b/Vagrant/prepare.ps1 index 66a851d..45201e2 100644 --- a/Vagrant/prepare.ps1 +++ b/Vagrant/prepare.ps1 
@@ -253,6 +253,14 @@ function preflight_checks { else { Write-Host ' ['$($checkmark)'] The vagrant-reload plugin is installed' -ForegroundColor green } + + # Warn if Virtual Machine Platform is enabled + Write-Host '' + Write-Host '[+] Checking if Virtual Machine Platform is enabled...' + if ((Get-WindowsOptionalFeature -Online -FeatureName "VirtualMachinePlatform").State -eq "Enabled") { + Write-Host ' [-] The "Virtual Machine Platform" Windows feature is enabled on your computer and is known to cause issues with starting Virtualbox VMs' -ForegroundColor yellow + Write-Host ' [-] If you experience issues with Virtualbox, it is recommended to disable it by running "optionalfeatures" from the run prompt and unchecking "Virtual Machine Platform".' -ForegroundColor yellow + } } From 606dfe166fcb2493ce4dc05e63a39d6adc6369d7 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Fri, 26 Feb 2021 13:33:37 -0800 Subject: [PATCH 27/27] Add Process Hacker to utilities download --- Vagrant/scripts/install-utilities.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1 index 83a927d..d41ebc4 100755 --- a/Vagrant/scripts/install-utilities.ps1 +++ b/Vagrant/scripts/install-utilities.ps1 @@ -15,7 +15,7 @@ If ($(hostname) -eq "win10") { & "C:\Program Files\Classic Shell\ClassicStartMenu.exe" "-xml" "c:\vagrant\resources\windows\MenuSettings.xml" regedit /s c:\vagrant\resources\windows\MenuStyle_Default_Win7.reg } -choco install -y --limit-output --no-progress NotepadPlusPlus WinRar +choco install -y --limit-output --no-progress NotepadPlusPlus WinRar processhacker # This repo often causes failures due to incorrect checksums, so we ignore them for Chrome choco install -y --limit-output --no-progress --ignore-checksums GoogleChrome
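Review bot: `Get-WindowsOptionalFeature -Online` requires an elevated session; if `prepare.ps1` is run from a normal prompt the cmdlet throws and, depending on `$ErrorActionPreference`, either stops the preflight or evaluates `.State` on `$null` and skips the warning without saying why. Wrapping the call in `try { … } catch { Write-Host ' [-] Could not query the Virtual Machine Platform feature (run elevated to check)' -ForegroundColor yellow }` keeps the remaining checks running and tells the user what is missing. A one-line comment above the block noting that the check is advisory and needs admin rights would make that explicit. `preflight_checks` starts outside this hunk.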