From 7c182fccb24e769c4926d2731c20450d58d117df Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 25 Jul 2021 22:31:45 -0700 Subject: [PATCH 1/4] Convert AWS remote-exec to use script instead of inline --- AWS/Terraform/main.tf | 56 ++++++++++++++++++++--------- AWS/Terraform/scripts/bootstrap.ps1 | 40 +++++++++++++++++++++ AWS/Terraform/scripts/coveware.ps1 | 0 Vagrant/post_build_checks.sh | 1 - ci/build_machine_bootstrap.sh | 1 - 5 files changed, 79 insertions(+), 19 deletions(-) create mode 100644 AWS/Terraform/scripts/bootstrap.ps1 create mode 100644 AWS/Terraform/scripts/coveware.ps1 diff --git a/AWS/Terraform/main.tf b/AWS/Terraform/main.tf index 68d672e..845e280 100644 --- a/AWS/Terraform/main.tf +++ b/AWS/Terraform/main.tf @@ -211,12 +211,20 @@ resource "aws_instance" "logger" { resource "aws_instance" "dc" { instance_type = "t3.medium" + provisioner "file" { + source = "scripts/bootstrap.ps1" + destination = "C:\\Temp\\script.ps1" + + connection { + type = "winrm" + user = "vagrant" + password = "vagrant" + host = coalesce(self.public_ip, self.private_ip) + } + } + provisioner "remote-exec" { - inline = [ - "choco install -force -y winpcap", - "ipconfig /renew", - "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.103 wef.windomain.local'\"", - ] + inline = ["powershell.exe -File C:\\Temp\\script.ps1"] connection { type = "winrm" 
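Review bot: The new `file` provisioner repeats the WinRM connection block, including the literal password `vagrant`, that the `remote-exec` block beside it already carries, so each instance now embeds the credential twice; the wef and win10 hunks of this commit do the same. Pulling `user`, `password` and `host` into a shared `locals` block or variables (a constructed name such as `local.winrm_password`) keeps a later credential change to one edit instead of six. The `inline = ["powershell.exe -File C:\\Temp\\script.ps1"]` line runs the script under whatever execution policy the AMI ships with and assumes the upload target `C:\Temp` is usable; `powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\script.ps1` makes the policy explicit, and whether the directory must pre-exist for the `file` provisioner is worth confirming against the AMI. The `aws_instance.dc` block continues past the end of the hunk.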
@@ -245,13 +253,20 @@ resource "aws_instance" "dc" { resource "aws_instance" "wef" { instance_type = "t3.medium" + provisioner "file" { + source = "scripts/bootstrap.ps1" + destination = "C:\\Temp\\script.ps1" + + connection { + type = "winrm" + user = "vagrant" + password = "vagrant" + host = coalesce(self.public_ip, self.private_ip) + } + } + provisioner "remote-exec" { - inline = [ - "choco install -force -y winpcap", - "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.102 dc.windomain.local'\"", - "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.102 windomain.local'\"", - "ipconfig /renew", - ] + inline = ["powershell.exe -File C:\\Temp\\script.ps1"] connection { type = "winrm" @@ -280,13 +295,20 @@ resource "aws_instance" "wef" { resource "aws_instance" "win10" { instance_type = "t2.large" + provisioner "file" { + source = "scripts/bootstrap.ps1" + destination = "C:\\Temp\\script.ps1" + + connection { + type = "winrm" + user = "vagrant" + password = "vagrant" + host = coalesce(self.public_ip, self.private_ip) + } + } + provisioner "remote-exec" { - inline = [ - "choco install -force -y winpcap", - "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.102 dc.windomain.local'\"", - "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.102 windomain.local'\"", - "ipconfig /renew", - ] + inline = ["powershell.exe -File C:\\Temp\\script.ps1"] connection { type = "winrm" diff --git a/AWS/Terraform/scripts/bootstrap.ps1 b/AWS/Terraform/scripts/bootstrap.ps1 new file mode 100644 index 0000000..3b164ce --- /dev/null +++ b/AWS/Terraform/scripts/bootstrap.ps1 
@@ -0,0 +1,40 @@ +# Purpose: Prepare the AWS AMIs for use + +# Install npcap so Wireshark recognizes the AWS network adapters +Start-Job -ScriptBlock { choco install -y --force npcap --version 0.86 } + +# Hardcode IP addresses in the HOSTS file +If ($env:COMPUTERNAME -eq "DC") { + Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.103 wef.windomain.local' + Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.104 win10.windomain.local' +} +Else { + Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.102 dc.windomain.local' + Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.102 windomain.local' +} + +# Keep renewing the IP address until the domain controller is set as a DNS server +while (!(Get-DNSClientServerAddress | Where-Object { $_.ServerAddresses -eq "192.168.38.102" })) { + write-host "Waiting to receive the correct DNS settings from DHCP..."; + start-sleep 1; + ipconfig /renew +} + +# Check if gpupdate works +if ($env:COMPUTERNAME -ne "DC") { + Write-Host "Attempting a Group Policy Update..." + Try { + Start-Process gpupdate -ArgumentList "/force" -RedirectStandardOutput "c:\Temp\gpupdate_stdout.txt" -RedirectStandardError "c:\Temp\gpupdate_stderr.txt" -ErrorAction Stop + $stdout = (Get-Content "c:\Temp\gpupdate_stdout.txt") + Write-Host "$stdout" + } + Catch { + $ErrorMessage = $_.Exception.Message + Write-Host "Error: $ErrorMessage" + $stderr = (Get-Content "c:\Temp\gpupdate_stderr.txt") + Write-Host $stderr + } +} + + + diff --git a/AWS/Terraform/scripts/coveware.ps1 b/AWS/Terraform/scripts/coveware.ps1 new file mode 100644 index 0000000..e69de29 diff --git a/Vagrant/post_build_checks.sh b/Vagrant/post_build_checks.sh index bbf1d46..1ab9ce5 100755 --- a/Vagrant/post_build_checks.sh +++ b/Vagrant/post_build_checks.sh @@ -65,4 +65,3 @@ post_build_checks() { } post_build_checks -exit 0 
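Review bot: `Start-Job -ScriptBlock { choco install -y --force npcap --version 0.86 }` is never waited on, and because the script runs via `powershell.exe -File` the host process exits after the gpupdate block and takes the background job with it, so the npcap install may never complete; capture it as `$job = Start-Job ...` and add `Wait-Job $job | Out-Null; Receive-Job $job` before the script ends (patch 4 moves the same line below the DNS loop without addressing this). The `while (!(Get-DNSClientServerAddress ...))` loop has no upper bound, so a host that never receives 192.168.38.102 from DHCP hangs the `remote-exec` provisioner indefinitely; a pass counter that exits non-zero after a fixed number of iterations keeps `terraform apply` from blocking forever. `Start-Process gpupdate ... -RedirectStandardOutput` is called without `-Wait`, so the `Get-Content "c:\Temp\gpupdate_stdout.txt"` on the next line reads the file while gpupdate may still be writing it. The hosts-file paths keep the `\\` that was Terraform escaping in the inline version; inside PowerShell single quotes that is a literal doubled backslash, and `'c:\windows\system32\drivers\etc\hosts'` is the intended form — confirm on the AMI that the doubled form is even accepted.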
diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index ae61792..3dc0007 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -113,7 +113,6 @@ main() { /bin/bash "$DL_DIR/Vagrant/post_build_checks.sh" } main -exit 0 EOF chmod +x /opt/DetectionLab/build.sh From 478c3131b2a2ae2c8356bd02bb6506644065c3d4 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 25 Jul 2021 22:34:16 -0700 Subject: [PATCH 2/4] script.ps1 -> bootstrap.ps1 --- AWS/Terraform/main.tf | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/AWS/Terraform/main.tf b/AWS/Terraform/main.tf index 845e280..e74f573 100644 --- a/AWS/Terraform/main.tf +++ b/AWS/Terraform/main.tf @@ -159,6 +159,7 @@ resource "aws_security_group" "windows" { from_port = 0 to_port = 0 protocol = "-1" + protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } @@ -213,7 +214,7 @@ resource "aws_instance" "dc" { provisioner "file" { source = "scripts/bootstrap.ps1" - destination = "C:\\Temp\\script.ps1" + destination = "C:\\Temp\\bootstrap.ps1" connection { type = "winrm" @@ -224,7 +225,7 @@ resource "aws_instance" "dc" { } provisioner "remote-exec" { - inline = ["powershell.exe -File C:\\Temp\\script.ps1"] + inline = ["powershell.exe -File C:\\Temp\\bootstrap.ps1"] connection { type = "winrm" @@ -255,7 +256,7 @@ resource "aws_instance" "wef" { provisioner "file" { source = "scripts/bootstrap.ps1" - destination = "C:\\Temp\\script.ps1" + destination = "C:\\Temp\\bootstrap.ps1" connection { type = "winrm" @@ -266,7 +267,7 @@ resource "aws_instance" "wef" { } provisioner "remote-exec" { - inline = ["powershell.exe -File C:\\Temp\\script.ps1"] + inline = ["powershell.exe -File C:\\Temp\\bootstrap.ps1"] connection { type = "winrm" @@ -297,7 +298,7 @@ resource "aws_instance" "win10" { provisioner "file" { source = "scripts/bootstrap.ps1" - destination = "C:\\Temp\\script.ps1" + destination = "C:\\Temp\\bootstrap.ps1" connection { type = "winrm" 
@@ -308,7 +309,7 @@ resource "aws_instance" "win10" { } provisioner "remote-exec" { - inline = ["powershell.exe -File C:\\Temp\\script.ps1"] + inline = ["powershell.exe -File C:\\Temp\\bootstrap.ps1"] connection { type = "winrm" From 76978b7b03a2e970044dfc0baad4822720eb681d Mon Sep 17 00:00:00 2001 From: Chris Long Date: Mon, 26 Jul 2021 21:45:09 -0700 Subject: [PATCH 3/4] update --- .circleci/config.yml | 4 ++-- ci/build_machine_bootstrap.sh | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index afa42e0..dbb9e78 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -113,11 +113,11 @@ jobs: export STATUS=$(curl -s $IP_ADDRESS) if [ "$STATUS" == "building" ]; then echo "[$(date +%H:%M:%S)]: $STATUS" - scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ || echo "Vagrant log not yet present" + scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/*.log /tmp/artifacts/ || echo "Vagrant log not yet present" sleep 300 ((MINUTES_PAST += 5)) else - scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ || echo "Vagrant log not yet present" + scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/*.log /tmp/artifacts/ || echo "Vagrant log not yet present" echo "$STATUS" > /tmp/status break fi diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh index 3dc0007..4514fec 100755 --- a/ci/build_machine_bootstrap.sh +++ b/ci/build_machine_bootstrap.sh @@ -110,7 +110,8 @@ main() { # Build and Test Vagrant hosts cd Vagrant || exit 1 build_vagrant_hosts - /bin/bash "$DL_DIR/Vagrant/post_build_checks.sh" + /bin/bash "$DL_DIR/Vagrant/post_build_checks.sh" > $DL_DIR/Vagrant/post_build.log + exit 0 } main EOF From a36cf9a904c828dcfd98fad23586372e8a60e500 Mon Sep 17 00:00:00 2001 
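Review bot: The redirect target `$DL_DIR/Vagrant/post_build.log` is unquoted while the script path on the same line is quoted, and stderr is not captured in the log; `/bin/bash "$DL_DIR/Vagrant/post_build_checks.sh" > "$DL_DIR/Vagrant/post_build.log" 2>&1` fixes both. The `exit 0` added on the next line discards the checks' exit status, so `main` reports success even when post_build_checks.sh fails; if the intent is only to stop after `main`, `exit "$?"` preserves the status (patch 1 in this series had removed the unconditional `exit 0`). `main()` starts outside the hunk, and the surrounding `EOF`/`chmod` lines suggest this text is written through a heredoc, so whether `$DL_DIR` is expanded at write time or at run time depends on the heredoc delimiter quoting, which is not visible here.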
From: Chris Long Date: Thu, 29 Jul 2021 21:05:01 -0700 Subject: [PATCH 4/4] Fix threathunting and DNS issues --- AWS/Terraform/main.tf | 17 ++++++++++++++--- AWS/Terraform/scripts/bootstrap.ps1 | 8 ++++---- AWS/Terraform/scripts/coveware.ps1 | 0 Vagrant/logger_bootstrap.sh | 9 +++++++-- 4 files changed, 25 insertions(+), 9 deletions(-) delete mode 100644 AWS/Terraform/scripts/coveware.ps1 diff --git a/AWS/Terraform/main.tf b/AWS/Terraform/main.tf index e74f573..50e0760 100644 --- a/AWS/Terraform/main.tf +++ b/AWS/Terraform/main.tf @@ -36,8 +36,8 @@ resource "aws_subnet" "default" { # Adjust VPC DNS settings to not conflict with lab resource "aws_vpc_dhcp_options" "default" { domain_name = "windomain.local" - domain_name_servers = concat([aws_instance.dc.private_ip], var.external_dns_servers) - netbios_name_servers = [aws_instance.dc.private_ip] + domain_name_servers = concat(["192.168.38.102"], var.external_dns_servers) + netbios_name_servers = ["192.168.38.102"] tags = var.custom-tags } @@ -159,7 +159,6 @@ resource "aws_security_group" "windows" { from_port = 0 to_port = 0 protocol = "-1" - protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } @@ -211,6 +210,10 @@ resource "aws_instance" "logger" { resource "aws_instance" "dc" { instance_type = "t3.medium" + depends_on = [ + aws_vpc_dhcp_options.default, + aws_vpc_dhcp_options_association.default + ] provisioner "file" { source = "scripts/bootstrap.ps1" @@ -253,6 +256,10 @@ resource "aws_instance" "dc" { resource "aws_instance" "wef" { instance_type = "t3.medium" + depends_on = [ + aws_vpc_dhcp_options.default, + aws_vpc_dhcp_options_association.default + ] provisioner "file" { source = "scripts/bootstrap.ps1" @@ -295,6 +302,10 @@ resource "aws_instance" "wef" { resource "aws_instance" "win10" { instance_type = "t2.large" + depends_on = [ + aws_vpc_dhcp_options.default, + aws_vpc_dhcp_options_association.default + ] provisioner "file" { source = "scripts/bootstrap.ps1" 
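Review bot: `domain_name_servers` and `netbios_name_servers` now carry the literal `"192.168.38.102"` in place of `aws_instance.dc.private_ip`, and the same literal is repeated in `scripts/bootstrap.ps1`; the `depends_on` added in the dc, wef and win10 hunks below makes the instances depend on these DHCP options, so the literal was presumably needed to break the resulting cycle, but nothing now ties it to the DC's actual address. A `locals { dc_ip = "192.168.38.102" }` (constructed name) referenced here and wherever the DC's `private_ip` is assigned would keep the two from drifting. A comment on these lines explaining why the attribute reference was replaced would also help the next reader, e.g. `# Literal rather than aws_instance.dc.private_ip: the instances depend_on these options, so a reference here would form a cycle`. Whether the dc instance pins `private_ip` to this value is outside the hunk.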
diff --git a/AWS/Terraform/scripts/bootstrap.ps1 b/AWS/Terraform/scripts/bootstrap.ps1 index 3b164ce..2044bd2 100644 --- a/AWS/Terraform/scripts/bootstrap.ps1 +++ b/AWS/Terraform/scripts/bootstrap.ps1 @@ -1,8 +1,5 @@ # Purpose: Prepare the AWS AMIs for use -# Install npcap so Wireshark recognizes the AWS network adapters -Start-Job -ScriptBlock { choco install -y --force npcap --version 0.86 } - # Hardcode IP addresses in the HOSTS file If ($env:COMPUTERNAME -eq "DC") { Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.103 wef.windomain.local' @@ -16,10 +13,13 @@ Else { # Keep renewing the IP address until the domain controller is set as a DNS server while (!(Get-DNSClientServerAddress | Where-Object { $_.ServerAddresses -eq "192.168.38.102" })) { write-host "Waiting to receive the correct DNS settings from DHCP..."; - start-sleep 1; + start-sleep 5; ipconfig /renew } +# Install npcap so Wireshark recognizes the AWS network adapters +Start-Job -ScriptBlock { choco install -y --force npcap --version 0.86 } + # Check if gpupdate works if ($env:COMPUTERNAME -ne "DC") { Write-Host "Attempting a Group Policy Update..." diff --git a/AWS/Terraform/scripts/coveware.ps1 b/AWS/Terraform/scripts/coveware.ps1 deleted file mode 100644 index e69de29..0000000 diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh index 25e7dc0..c107215 100644 --- a/Vagrant/logger_bootstrap.sh +++ b/Vagrant/logger_bootstrap.sh 
@@ -210,8 +210,13 @@ install_splunk() { # Add custom Macro definitions for ThreatHunting App cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf - # Fix props.conf in ThreatHunting App - sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf + # Fix some misc stuff + sed -i 's/index=windows/`windows`/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml + sed -i 's/$host$)/$host$*)/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml + # This is probably horrible and may break some stuff, but I'm hoping it fixes more than it breaks + find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/host_fqdn/ComputerName/g' {} \; + find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/event_id/EventCode/g' {} \; + # Fix Windows TA macros mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local
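Review bot: The two `find /opt/splunk/etc/apps/ThreatHunting -type f ... -exec sed -i` lines rewrite every file under the app except props.conf, with no file-type filter and no word boundaries, so `host_fqdn` and `event_id` are replaced inside any .conf key, lookup CSV, static asset or binary that happens to contain those substrings — the comment above them already admits this. Restricting the walk to the files that need it (likely the views and .conf files) and anchoring the patterns narrows the blast radius, e.g. `find /opt/splunk/etc/apps/ThreatHunting -type f \( -name '*.xml' -o -name '*.conf' \) ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/\bhost_fqdn\b/ComputerName/g' -e 's/\bevent_id\b/EventCode/g' {} +`, which also makes one pass instead of two. The `sed -i 's/$host$)/$host$*)/g'` line relies on GNU sed treating a `$` that is not at the end of the pattern as a literal character; escaping it as `\$host\$)` or a comment saying so would make the intent explicit. `install_splunk()` starts outside the hunk.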