From a36cf9a904c828dcfd98fad23586372e8a60e500 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Thu, 29 Jul 2021 21:05:01 -0700 Subject: [PATCH] Fix threathunting and DNS issues --- AWS/Terraform/main.tf | 17 ++++++++++++++--- AWS/Terraform/scripts/bootstrap.ps1 | 8 ++++---- AWS/Terraform/scripts/coveware.ps1 | 0 Vagrant/logger_bootstrap.sh | 9 +++++++-- 4 files changed, 25 insertions(+), 9 deletions(-) delete mode 100644 AWS/Terraform/scripts/coveware.ps1 diff --git a/AWS/Terraform/main.tf b/AWS/Terraform/main.tf index e74f573..50e0760 100644 --- a/AWS/Terraform/main.tf +++ b/AWS/Terraform/main.tf @@ -36,8 +36,8 @@ resource "aws_subnet" "default" { # Adjust VPC DNS settings to not conflict with lab resource "aws_vpc_dhcp_options" "default" { domain_name = "windomain.local" - domain_name_servers = concat([aws_instance.dc.private_ip], var.external_dns_servers) - netbios_name_servers = [aws_instance.dc.private_ip] + domain_name_servers = concat(["192.168.38.102"], var.external_dns_servers) + netbios_name_servers = ["192.168.38.102"] tags = var.custom-tags } @@ -159,7 +159,6 @@ resource "aws_security_group" "windows" { from_port = 0 to_port = 0 protocol = "-1" - protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } @@ -211,6 +210,10 @@ resource "aws_instance" "logger" { resource "aws_instance" "dc" { instance_type = "t3.medium" + depends_on = [ + aws_vpc_dhcp_options.default, + aws_vpc_dhcp_options_association.default + ] provisioner "file" { source = "scripts/bootstrap.ps1" @@ -253,6 +256,10 @@ resource "aws_instance" "dc" { resource "aws_instance" "wef" { instance_type = "t3.medium" + depends_on = [ + aws_vpc_dhcp_options.default, + aws_vpc_dhcp_options_association.default + ] provisioner "file" { source = "scripts/bootstrap.ps1" @@ -295,6 +302,10 @@ resource "aws_instance" "wef" { resource "aws_instance" "win10" { instance_type = "t2.large" + depends_on = [ + aws_vpc_dhcp_options.default, + aws_vpc_dhcp_options_association.default + ] provisioner "file" { source = "scripts/bootstrap.ps1" diff --git a/AWS/Terraform/scripts/bootstrap.ps1 b/AWS/Terraform/scripts/bootstrap.ps1 index 3b164ce..2044bd2 100644 --- a/AWS/Terraform/scripts/bootstrap.ps1 +++ b/AWS/Terraform/scripts/bootstrap.ps1 @@ -1,8 +1,5 @@ # Purpose: Prepare the AWS AMIs for use -# Install npcap so Wireshark recognizes the AWS network adapters -Start-Job -ScriptBlock { choco install -y --force npcap --version 0.86 } - # Hardcode IP addresses in the HOSTS file If ($env:COMPUTERNAME -eq "DC") { Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.103 wef.windomain.local' @@ -16,10 +13,13 @@ Else { # Keep renewing the IP address until the domain controller is set as a DNS server while (!(Get-DNSClientServerAddress | Where-Object { $_.ServerAddresses -eq "192.168.38.102" })) { write-host "Waiting to receive the correct DNS settings from DHCP..."; - start-sleep 1; + start-sleep 5; ipconfig /renew } +# Install npcap so Wireshark recognizes the AWS network adapters +Start-Job -ScriptBlock { choco install -y --force npcap --version 0.86 } + # Check if gpupdate works if ($env:COMPUTERNAME -ne "DC") { Write-Host "Attempting a Group Policy Update..." diff --git a/AWS/Terraform/scripts/coveware.ps1 b/AWS/Terraform/scripts/coveware.ps1 deleted file mode 100644 index e69de29..0000000 diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh index 25e7dc0..c107215 100644 --- a/Vagrant/logger_bootstrap.sh +++ b/Vagrant/logger_bootstrap.sh @@ -210,8 +210,13 @@ install_splunk() { # Add custom Macro definitions for ThreatHunting App cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf - # Fix props.conf in ThreatHunting App - sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf + # Fix some misc stuff + sed -i 's/index=windows/`windows`/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml + sed -i 's/$host$)/$host$*)/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml + # This is probably horrible and may break some stuff, but I'm hoping it fixes more than it breaks + find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/host_fqdn/ComputerName/g' {} \; + find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/event_id/EventCode/g' {} \; + # Fix Windows TA macros mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local