diff --git a/.github/issue_template.md b/.github/issue_template.md index 275e1e9..5ef07b5 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md @@ -2,8 +2,7 @@ * Provider (VirtualBox/VMWare): * Vagrant Version: * Packer Version: +* Are you using stock boxes (downloaded) or were they built from scratch using Packer? * Is the issue reproducible or intermittent? ### Description of the issue: - - diff --git a/README.md b/README.md index 31bb4e4..4f288d0 100644 --- a/README.md +++ b/README.md @@ -177,10 +177,11 @@ suricata | Suricata IDS logs * Process Explorer * PsExec * TCPView + * Notepad++ * Google Chrome - * Atom editor * WinRar * Mimikatz + * Wireshark ## Applied GPOs * [Custom Event Channel Permissions](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Custom%20Event%20Channel%20Permissions.htm) diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 017dc60..56a591a 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -56,6 +56,8 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false + cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false + cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false 
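Review bot: The new `install-redteam.ps1` provisioner is added to all three Windows definitions (this hunk and the ones at @@ -118 and @@ -175) with no comment that it downloads Mimikatz and PowerSploit and, when the hostname is win10, disables Defender realtime monitoring and every firewall profile for the life of the VM. On the other two hosts the script leaves Defender running, so the Mimikatz archive may be quarantined there and the provisioner fail; worth confirming on a fresh build. A one-line comment above the new lines, `# install-redteam.ps1 fetches Mimikatz/PowerSploit and, on win10, turns off Defender realtime scanning and the firewall`, would tell readers what this step changes on the host. The Vagrantfile_Minimum added in this commit omits both new provisioners, which looks intentional but is not documented anywhere.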
@@ -118,6 +120,8 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -175,6 +179,8 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
 cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
diff --git a/Vagrant/Vagrantfile_Minimum b/Vagrant/Vagrantfile_Minimum
new file mode 100644
index 0000000..2054745
--- /dev/null
+++ b/Vagrant/Vagrantfile_Minimum
@@ -0,0 +1,216 @@
+Vagrant.configure("2") do |config|
+
+ config.vm.define "logger" do |cfg|
+ cfg.vm.box = "bento/ubuntu-16.04"
+ cfg.vm.hostname = "logger"
+ config.vm.provision :shell, path: "bootstrap.sh"
+ cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
+
+ cfg.vm.provider "vmware_fusion" do |v, override|
+ v.vmx["displayname"] = "logger"
+ v.memory = 2048
+ v.cpus = 1
+ v.gui = true
+ end
+
+ cfg.vm.provider "vmware_desktop" do |v, override|
+ v.vmx["displayname"] = "logger"
+ v.memory = 4096
+ v.cpus = 2
+ v.gui = true
+ end
+
+ cfg.vm.provider "virtualbox" do |vb, override|
+ vb.gui = true
+ vb.name = "logger"
+ vb.customize ["modifyvm", :id, "--memory", 4096]
+ vb.customize ["modifyvm", :id, "--cpus", 2]
+ vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
+ vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+ vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+ end
+ end
+
+ config.vm.define "dc" do |cfg|
+ cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
+ cfg.vm.hostname = "dc"
+ cfg.vm.boot_timeout = 600
+ # use the plaintext WinRM transport and force it to use basic authentication.
+ # NB this is needed because the default negotiate transport stops working
+ # after the domain controller is installed.
+ # see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
+ cfg.winrm.transport = :plaintext
+ cfg.vm.communicator = "winrm"
+ cfg.winrm.basic_auth_only = true
+ cfg.winrm.timeout = 300
+ cfg.winrm.retry_limit = 20
+ cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1"
+
+ cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.102"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "reload"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
+ cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
+ cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
+
+ cfg.vm.provider "vmware_fusion" do |v, override|
+ override.vm.box = "../Boxes/windows_2016_vmware.box"
+ v.vmx["displayname"] = "dc.windomain.local"
+ v.memory = 2560
+ v.cpus = 2
+ v.gui = true
+ end
+
+ cfg.vm.provider "vmware_desktop" do |v, override|
+ override.vm.box = "../Boxes/windows_2016_vmware.box"
+ v.vmx["displayname"] = "dc.windomain.local"
+ v.memory = 2560
+ v.cpus = 2
+ v.gui = true
+ v.enable_vmrun_ip_lookup = false
+ end
+
+ cfg.vm.provider "virtualbox" do |vb, override|
+ vb.gui = true
+ vb.name = "dc.windomain.local"
+ vb.default_nic_type = "82545EM"
+ vb.customize ["modifyvm", :id, "--memory", 2560]
+ vb.customize ["modifyvm", :id, "--cpus", 2]
+ vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+ vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+ end
+ end
+
+ config.vm.define "wef" do |cfg|
+ cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
+ cfg.vm.hostname = "wef"
+ cfg.vm.boot_timeout = 600
+ cfg.vm.communicator = "winrm"
+ cfg.winrm.basic_auth_only = true
+ cfg.winrm.timeout = 300
+ cfg.winrm.retry_limit = 20
+ cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
+
+ cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.103 -dns 192.168.38.102"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "reload"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
+ cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
+ cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
+
+ cfg.vm.provider "vmware_fusion" do |v, override|
+ override.vm.box = "../Boxes/windows_2016_vmware.box"
+ v.vmx["displayname"] = "wef.windomain.local"
+ v.memory = 2048
+ v.cpus = 2
+ v.gui = true
+ end
+
+ cfg.vm.provider "vmware_desktop" do |v, override|
+ override.vm.box = "../Boxes/windows_2016_vmware.box"
+ v.vmx["displayname"] = "wef.windomain.local"
+ v.memory = 2048
+ v.cpus = 2
+ v.gui = true
+ v.enable_vmrun_ip_lookup = false
+ end
+
+ cfg.vm.provider "virtualbox" do |vb, override|
+ vb.gui = true
+ vb.name = "wef.windomain.local"
+ vb.default_nic_type = "82545EM"
+ vb.customize ["modifyvm", :id, "--memory", 2048]
+ vb.customize ["modifyvm", :id, "--cpus", 2]
+ vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+ vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+ end
+ end
+
+ config.vm.define "win10" do |cfg|
+ cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
+ cfg.vm.hostname = "win10"
+ cfg.vm.boot_timeout = 600
+ cfg.vm.communicator = "winrm"
+ cfg.winrm.basic_auth_only = true
+ cfg.winrm.timeout = 300
+ cfg.winrm.retry_limit = 20
+ cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
+
+ cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "reload"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
+ cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
+
+ cfg.vm.provider "vmware_fusion" do |v, override|
+ override.vm.box = "../Boxes/windows_10_vmware.box"
+ v.vmx["displayname"] = "win10.windomain.local"
+ v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+ v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+ v.vmx["gui.fitguestusingnativedisplayresolution"] = "FALSE"
+ v.memory = 2048
+ v.cpus = 1
+ v.gui = true
+ end
+
+ cfg.vm.provider "vmware_desktop" do |v, override|
+ override.vm.box = "../Boxes/windows_10_vmware.box"
+ v.vmx["displayname"] = "win10.windomain.local"
+ v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+ v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+ v.memory = 2048
+ v.cpus = 1
+ v.gui = true
+ v.enable_vmrun_ip_lookup = false
+ end
+
+ cfg.vm.provider "virtualbox" do |vb, override|
+ vb.gui = true
+ vb.name = "win10.windomain.local"
+ vb.default_nic_type = "82545EM"
+ vb.customize ["modifyvm", :id, "--memory", 2048]
+ vb.customize ["modifyvm", :id, "--cpus", 1]
+ vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+ vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+ end
+ end
+end
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 69f0b2e..8d1d90d 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
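Review bot: In the logger definition, `config.vm.provision :shell, path: "bootstrap.sh"` refers to the outer `config` rather than the block's `cfg`, so it appears to be registered as a global provisioner that Vagrant would schedule for every machine, including the three WinRM hosts; if logger-only is intended, `cfg.vm.provision :shell, path: "bootstrap.sh"` is the safe form (the same line exists in the main Vagrantfile, so fix both together). The file has no header explaining how it differs from Vagrantfile (it omits the install-redteam.ps1 and install-choco-extras.ps1 provisioners) or how to select it; a comment such as `# Minimal lab build: no red-team or extra Chocolatey provisioners. Select with VAGRANT_VAGRANTFILE=Vagrantfile_Minimum` would help. The dc block's `cfg.winrm.transport = :plaintext` with `basic_auth_only = true` sends the box credentials unencrypted on the 192.168.38.0 host-only network, which the inline comment justifies, but it is worth restating in that header so nobody bridges that network to a shared LAN.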
@@ -76,11 +76,11 @@ install_splunk() { /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme' - /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_012.tgz -auth 'admin:changeme' + /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_100.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme' - /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_11.tgz -auth 'admin:changeme' + /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_12.tgz -auth 'admin:changeme' # Add custom Macro definitions for ThreatHunting App cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/local diff --git a/Vagrant/resources/splunk_server/asn-lookup-generator_012.tgz b/Vagrant/resources/splunk_server/asn-lookup-generator_012.tgz deleted file mode 100644 index c374125..0000000 Binary files a/Vagrant/resources/splunk_server/asn-lookup-generator_012.tgz and /dev/null differ diff --git a/Vagrant/resources/splunk_server/asn-lookup-generator_100.tgz b/Vagrant/resources/splunk_server/asn-lookup-generator_100.tgz new file mode 100644 index 0000000..be5f810 Binary files /dev/null and b/Vagrant/resources/splunk_server/asn-lookup-generator_100.tgz differ 
diff --git a/Vagrant/resources/splunk_server/threathunting_11.tgz b/Vagrant/resources/splunk_server/threathunting_11.tgz
deleted file mode 100644
index 6d12c72..0000000
Binary files a/Vagrant/resources/splunk_server/threathunting_11.tgz and /dev/null differ
diff --git a/Vagrant/resources/splunk_server/threathunting_12.tgz b/Vagrant/resources/splunk_server/threathunting_12.tgz
new file mode 100644
index 0000000..023f34f
Binary files /dev/null and b/Vagrant/resources/splunk_server/threathunting_12.tgz differ
diff --git a/Vagrant/scripts/install-choco-extras.ps1 b/Vagrant/scripts/install-choco-extras.ps1
new file mode 100644
index 0000000..f12a4b6
--- /dev/null
+++ b/Vagrant/scripts/install-choco-extras.ps1
@@ -0,0 +1,15 @@
+# Purpose: Install additional packages from Chocolatey.
+
+Write-Host "Installing additional Choco packages..."
+
+If (-not (Test-Path "C:\ProgramData\chocolatey")) {
+ Write-Host "Installing Chocolatey"
+ iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
+} else {
+ Write-Host "Chocolatey is already installed."
+}
+
+Write-Host "Installing Chocolatey extras..."
+choco install -y wireshark
+
+Write-Host "Choco addons complete!"
diff --git a/Vagrant/scripts/install-redteam.ps1 b/Vagrant/scripts/install-redteam.ps1
new file mode 100644
index 0000000..4fa79b2
--- /dev/null
+++ b/Vagrant/scripts/install-redteam.ps1
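Review bot: `choco install -y wireshark` leaves the provisioner green when the package install fails, because a native command's non-zero exit is not an error in PowerShell; add `if ($LASTEXITCODE -ne 0) { throw "choco install wireshark failed with exit code $LASTEXITCODE" }` directly after it. The Chocolatey bootstrap branch, `iex ((new-object net.webclient).DownloadString(...))`, duplicates the one in install-utilities.ps1, which every Vagrantfile in this commit runs before this script, so the branch is effectively unreachable yet remains a second place that fetches and executes remote code. Either drop the branch and fail with a clear message when `C:\ProgramData\chocolatey` is missing, or, if it stays, set `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` before the download as install-redteam.ps1 does, so the bootstrap negotiates TLS 1.2 on hosts whose .NET default does not.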
@@ -0,0 +1,50 @@
+# Purpose: Installs Mimikatz and Powersploit into c:\Tools\Mimikatz. Used to install redteam related tooling.
+
+Write-Host "Installing Red Team Tooling..."
+
+
+# Disable Windows Defender realtime scanning before downloading Mimikatz and drop the firewall
+If ($env:computername -eq "win10") {
+ If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
+ {
+ Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
+ }
+ gpupdate /force | Out-String
+ Write-Host "Disabling Windows Defender Realtime Monitoring..."
+ Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
+ set-MpPreference -DisableRealtimeMonitoring $true
+ Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
+}
+
+# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
+Write-Host "Determining latest release of Mimikatz..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
+$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
+$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
+if (-not (Test-Path $mimikatzRepoPath))
+{
+ Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
+ Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
+}
+else
+{
+ Write-Host "Mimikatz was already installed. Moving On."
+}
+
+# Download and unzip a copy of PowerSploit
+Write-Host "Downloading Powersploit..."
+# GitHub requires TLS 1.2 as of 2/27 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" +$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip" +if (-not (Test-Path $powersploitRepoPath)) { + Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath + Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force + Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force +} else { + Write-Host "PowerSploit was already installed. Moving On." +} + +Write-Host "Red Team tooling installation complete!" diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1 index 8122197..28225ea 100755 --- a/Vagrant/scripts/install-utilities.ps1 +++ b/Vagrant/scripts/install-utilities.ps1 @@ -1,4 +1,4 @@ -# Purpose: Installs chocolatey package manager, then installs custom utilities from Choco and adds syntax highlighting for Powershell, Batch, and Docker. Also installs Mimikatz into c:\Tools\Mimikatz. +# Purpose: Installs chocolatey package manager, then installs custom utilities from Choco. If (-not (Test-Path "C:\ProgramData\chocolatey")) { Write-Host "Installing Chocolatey" @@ -7,7 +7,7 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) { Write-Host "Chocolatey is already installed." } -Write-Host "Installing Notepad++, Chrome, WinRar, PowerSploit and Mimikatz." +Write-Host "Installing utilities..." If ($(hostname) -eq "win10") { # Because the Windows10 start menu sucks choco install -y classic-shell -installArgs ADDLOCAL=ClassicStartMenu 
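Review bot: Both downloads are unpinned and unverified: `$tag = (...)[0].tag_name` takes whatever release the API lists first, PowerSploit comes from `archive/master.zip`, and neither archive is hashed before `Expand-Archive` unpacks it into `c:\Tools` and `Copy-Item` places PowerSploit in the system-wide `$Env:windir\System32\WindowsPowerShell\v1.0\Modules` path, so any change upstream silently changes what every lab build ships and loads. Pin the Mimikatz tag and a PowerSploit commit, keep the expected digests as constants at the top of the script (values to be filled in by the maintainer), and check each file after download with `if ((Get-FileHash $mimikatzRepoPath -Algorithm SHA256).Hash -ne $expectedMimikatzSha256) { Remove-Item $mimikatzRepoPath; throw "mimikatz_trunk.zip hash mismatch" }`. The header comment should also state what the win10 branch changes persistently, since nothing restores it: it deletes the Defender policy key, excludes `C:\Tools` from scanning, turns off realtime monitoring and disables all three firewall profiles; e.g. `# Purpose: Installs Mimikatz and PowerSploit under c:\Tools. On win10 it also disables Defender realtime monitoring and the host firewall (not restored).` The `Test-Path` guards test the zip in Temp rather than the extracted directory, so an interrupted `Invoke-WebRequest -OutFile` leaves a partial file that makes later runs skip the download; removing the zip on failure or testing `c:\Tools\Mimikatz` instead avoids that.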
@@ -16,47 +16,4 @@ choco install -y NotepadPlusPlus choco install -y GoogleChrome choco install -y WinRar -# Disable Windows Defender realtime scanning before downloading Mimikatz and drop the firewall -If ($env:computername -eq "win10") { - If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender") - { - Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force - } - gpupdate /force | Out-String - Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools - set-MpPreference -DisableRealtimeMonitoring $true - Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False -} - -# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk -Write-Host "Determining latest release of Mimikatz..." -# GitHub requires TLS 1.2 as of 2/27 -[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name -$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip" -$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip' -if (-not (Test-Path $mimikatzRepoPath)) -{ - Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath - Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force -} -else -{ - Write-Host "Mimikatz was already installed. Moving On." -} - -# Download and unzip a copy of PowerSploit -Write-Host "Downloading Powersploit..." 
-# GitHub requires TLS 1.2 as of 2/27 -[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip" -if (-not (Test-Path $powersploitRepoPath)) { - Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath - Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force - Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force -} else { - Write-Host "PowerSploit was already installed. Moving On." -} - Write-Host "Utilties installation complete!" diff --git a/Vagrant/scripts/install-wefsubscriptions.ps1 b/Vagrant/scripts/install-wefsubscriptions.ps1 index 3fbee76..45f6251 100644 --- a/Vagrant/scripts/install-wefsubscriptions.ps1 +++ b/Vagrant/scripts/install-wefsubscriptions.ps1 
@@ -1,40 +1,43 @@ # Purpose: Imports the custom Windows Event Channel and XML subscriptions on the WEF host # Note: This only needs to be installed on the WEF server -Write-Host "Installing WEF Subscriptions" +Write-Host "Installing WEF Subscriptions..." -Write-Host "Copying Custom Event Channels DLL" +Write-Host "Copying Custom Event Channels DLL..." if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll")) { Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll "$env:windir\system32" Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man "$env:windir\system32" - Write-Host "Installing Custom Event Channels Manifest" + Write-Host "Installing Custom Event Channels Manifest..." wevtutil im "c:\windows\system32\CustomEventChannels.man" - Write-Host "Resizing Channels to 4GB" + Write-Host "Resizing Channels to 4GB..." $xml = wevtutil el | select-string -pattern "WEC" foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 } - Write-Host "Starting the Windows Event Collector Service" + Write-Host "Starting the Windows Event Collector Service..." net start wecsvc - Write-Host "Creating custom event subscriptions" + Write-Host "Creating custom event subscriptions..." cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions cmd /c "for /r %i in (*.xml) do wecutil cs %i" - Write-Host "Enabling custom event subscriptions" + Write-Host "Enabling custom event subscriptions..." cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true" - Write-Host "Enabling WecUtil Quick Config" + Write-Host "Enabling WecUtil Quick Config..." wecutil qc /q:true } -else +else { - Write-Host "WEF Subscriptions already installed, moving on" + Write-Host "WEF Subscriptions are already installed, moving on..." 
+ if ((Get-Service -Name wecsvc).Status -ne "Running") + { net start wecsvc + } } Start-Sleep -Seconds 60 if ((Get-Service -Name wecsvc).Status -ne "Running") { - throw "Windows Event Collector service was not running" -} \ No newline at end of file + throw "Windows Event Collector failed to start" +}
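Review bot: The restart added in the else branch, `{ net start wecsvc`, neither checks the result nor follows the brace layout used elsewhere in the file, and a failed `net start` only surfaces after the unconditional 60-second sleep via the final throw; `Start-Service -Name wecsvc -ErrorAction Stop` on its own line fails immediately with a usable error and reads as PowerShell (the `net start wecsvc` in the install branch has the same weakness but is not part of this change). The `Start-Sleep -Seconds 60` before the status check could become a short polling loop on `(Get-Service -Name wecsvc).Status`, which shortens provisioning on both branches and still catches a service that stops shortly after starting. The enclosing `else` block opens on the previous line of the diff.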