Merge pull request #688 from clong/aws_script

Convert AWS remote-exec to use script instead of inline

.circleci/config.yml

@@ -113,11 +113,11 @@ jobs:
               export STATUS=$(curl -s $IP_ADDRESS)
               if [ "$STATUS" == "building" ]; then
                 echo "[$(date +%H:%M:%S)]: $STATUS"
-                scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ || echo "Vagrant log not yet present"
+                scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/*.log /tmp/artifacts/ || echo "Vagrant log not yet present"
                 sleep 300
                 ((MINUTES_PAST += 5))
               else
-                scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ || echo "Vagrant log not yet present"
+                scp -q -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/*.log /tmp/artifacts/ || echo "Vagrant log not yet present"
                 echo "$STATUS" > /tmp/status
                 break
               fi

AWS/Terraform/main.tf

@@ -36,8 +36,8 @@ resource "aws_subnet" "default" {
 # Adjust VPC DNS settings to not conflict with lab
 resource "aws_vpc_dhcp_options" "default" {
   domain_name          = "windomain.local"
-  domain_name_servers  = concat([aws_instance.dc.private_ip], var.external_dns_servers)
+  domain_name_servers  = concat(["192.168.38.102"], var.external_dns_servers)
-  netbios_name_servers = [aws_instance.dc.private_ip]
+  netbios_name_servers = ["192.168.38.102"]
   tags = var.custom-tags
 }
 
@@ -210,13 +210,25 @@ resource "aws_instance" "logger" {
 
 resource "aws_instance" "dc" {
   instance_type = "t3.medium"
+  depends_on = [
+    aws_vpc_dhcp_options.default,
+    aws_vpc_dhcp_options_association.default
+  ]
+
+  provisioner "file" {
+    source      = "scripts/bootstrap.ps1"
+    destination = "C:\\Temp\\bootstrap.ps1"
+
+    connection {
+      type     = "winrm"
+      user     = "vagrant"
+      password = "vagrant"
+      host     = coalesce(self.public_ip, self.private_ip)
+    }
+  }
 
   provisioner "remote-exec" {
-    inline = [
+    inline = ["powershell.exe -File C:\\Temp\\bootstrap.ps1"]
-      "choco install -force -y winpcap",
-      "ipconfig /renew",
-      "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.103    wef.windomain.local'\"",
-      ]
 
     connection {
       type     = "winrm"
@@ -244,14 +256,25 @@ resource "aws_instance" "dc" {
 
 resource "aws_instance" "wef" {
   instance_type = "t3.medium"
+    depends_on = [
+    aws_vpc_dhcp_options.default,
+    aws_vpc_dhcp_options_association.default
+  ]
+
+  provisioner "file" {
+    source      = "scripts/bootstrap.ps1"
+    destination = "C:\\Temp\\bootstrap.ps1"
+
+    connection {
+      type     = "winrm"
+      user     = "vagrant"
+      password = "vagrant"
+      host     = coalesce(self.public_ip, self.private_ip)
+    }
+  }
 
   provisioner "remote-exec" {
-    inline = [
+    inline = ["powershell.exe -File C:\\Temp\\bootstrap.ps1"]
-      "choco install -force -y winpcap",
-      "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.102    dc.windomain.local'\"",
-      "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.102    windomain.local'\"",
-      "ipconfig /renew",
-    ]
 
     connection {
       type     = "winrm"
@@ -279,14 +302,25 @@ resource "aws_instance" "wef" {
 
 resource "aws_instance" "win10" {
   instance_type = "t2.large"
+    depends_on = [
+    aws_vpc_dhcp_options.default,
+    aws_vpc_dhcp_options_association.default
+  ]
+
+  provisioner "file" {
+    source      = "scripts/bootstrap.ps1"
+    destination = "C:\\Temp\\bootstrap.ps1"
+
+    connection {
+      type     = "winrm"
+      user     = "vagrant"
+      password = "vagrant"
+      host     = coalesce(self.public_ip, self.private_ip)
+    }
+  }
 
   provisioner "remote-exec" {
-    inline = [
+    inline = ["powershell.exe -File C:\\Temp\\bootstrap.ps1"]
-      "choco install -force -y winpcap",
-      "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.102    dc.windomain.local'\"",
-      "powershell.exe -c \"Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.102    windomain.local'\"",
-      "ipconfig /renew",
-    ]
 
     connection {
       type     = "winrm"

AWS/Terraform/scripts/bootstrap.ps1

@@ -0,0 +1,40 @@
+# Purpose: Prepare the AWS AMIs for use
+
+# Hardcode IP addresses in the HOSTS file
+If ($env:COMPUTERNAME -eq "DC") {
+  Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.103    wef.windomain.local'
+  Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.104    win10.windomain.local'
+}
+Else {
+  Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.102    dc.windomain.local'
+  Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.102    windomain.local'
+}
+
+# Keep renewing the IP address until the domain controller is set as a DNS server
+while (!(Get-DNSClientServerAddress | Where-Object { $_.ServerAddresses -eq "192.168.38.102" })) { 
+  write-host "Waiting to receive the correct DNS settings from DHCP..."; 
+  start-sleep 5; 
+  ipconfig /renew
+}
+
+# Install npcap so Wireshark recognizes the AWS network adapters
+Start-Job -ScriptBlock { choco install -y --force npcap --version 0.86 }
+
+# Check if gpupdate works
+if ($env:COMPUTERNAME -ne "DC") { 
+  Write-Host "Attempting a Group Policy Update..."
+  Try {
+    Start-Process gpupdate -ArgumentList "/force" -RedirectStandardOutput "c:\Temp\gpupdate_stdout.txt" -RedirectStandardError "c:\Temp\gpupdate_stderr.txt" -ErrorAction Stop
+    $stdout = (Get-Content "c:\Temp\gpupdate_stdout.txt")
+    Write-Host "$stdout"
+  } 
+  Catch {
+    $ErrorMessage = $_.Exception.Message
+    Write-Host "Error: $ErrorMessage"
+    $stderr = (Get-Content "c:\Temp\gpupdate_stderr.txt")
+    Write-Host $stderr
+  }
+}
+
+
+

Vagrant/logger_bootstrap.sh

@@ -210,8 +210,13 @@ install_splunk() {
 
     # Add custom Macro definitions for ThreatHunting App
     cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
-    # Fix props.conf in ThreatHunting App
+    # Fix some misc stuff
-    sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
+    sed -i 's/index=windows/`windows`/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml
+    sed -i 's/$host$)/$host$*)/g' /opt/splunk/etc/apps/ThreatHunting/default/data/ui/views/computer_investigator.xml
+    # This is probably horrible and may break some stuff, but I'm hoping it fixes more than it breaks
+    find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/host_fqdn/ComputerName/g' {} \;
+    find /opt/splunk/etc/apps/ThreatHunting -type f ! -path "/opt/splunk/etc/apps/ThreatHunting/default/props.conf" -exec sed -i -e 's/event_id/EventCode/g' {} \;
+
     # Fix Windows TA macros
     mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
     cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local

Vagrant/post_build_checks.sh

@@ -65,4 +65,3 @@ post_build_checks() {
 }
 
 post_build_checks
-exit 0

ci/build_machine_bootstrap.sh

@@ -110,10 +110,10 @@ main() {
   # Build and Test Vagrant hosts
   cd Vagrant || exit 1
   build_vagrant_hosts
-  /bin/bash "$DL_DIR/Vagrant/post_build_checks.sh"
+  /bin/bash "$DL_DIR/Vagrant/post_build_checks.sh" > $DL_DIR/Vagrant/post_build.log
+  exit 0
 }
 main
-exit 0
 EOF
 chmod +x /opt/DetectionLab/build.sh