Merge branch 'master' into ESXi-ifconfig-up-fix

ESXi/README.md

@@ -47,6 +47,21 @@ These commands can be run in parallel from three separate terminal sessions.
 
 If you run into any issues along the way, please open an issue on Github and I'll do my best to find a solution.
 
+## Configuring Windows 10 with WSL as a Provisioning Host
+
+Note: Run the following commands as a root user or with sudo
+
+1. In Windows 10 install WSL (version 1 or 2)
+2. Install Ubuntu 18.04 app from the Microsoft Store
+3. Update repositories and upgrade the distro: apt update && upgrade
+4. Ensure you will install the most recent Ansible version: apt-add-repository --yes --update ppa:ansible/ansible
+5. Install the following packages: apt install python python-pip ansible unzip sshpass libffi-dev libssl-dev
+6. Install PyWinRM using: pip install pywinrm
+7. Install Terraform and Packer by downloading the 64-bit Linux binaries and moving them to /usr/local/bin
+8. Install VMWare OVF tool by downloading 64-bit Linux binary from my.vmware.com and running it with "--eulas-agreed" option
+9. Download the Linux binary for the Terraform ESXi Provider from https://github.com/josenk/terraform-provider-esxi/releases and move it to /usr/local/bin
+10. From "DetectionLab/ESXi/ansible" directory, run: "ansible --version" and ensure that the config file used is "DetectionLab/ESXi/ansible/ansible.cfg". If not, implement the Ansible "world-writtable directory" fix by going to running: "chmod o-w ." from "DetectionLab/ESXi/ansible" directory.
+
 ## Future work required
 * It probably makes sense to abstract all of the logic in `bootstrap.sh` into individual Ansible tasks
 * There's a lot of areas to make reliability improvements

ESXi/ansible/roles/logger/tasks/main.yml

@@ -217,7 +217,7 @@
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
-      /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_143.tgz -auth 'admin:changeme'
+      /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_144.tgz -auth 'admin:changeme'
 
       ## Fix a bug with the ThreatHunting App (https://github.com/olafhartong/ThreatHunting/pull/57)
       mv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmonevencodes.csv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmoneventcodes.csv
@@ -404,7 +404,9 @@
     LATEST_VELOCIRAPTOR_LINUX_URL=$(curl -sL https://github.com/Velocidex/velociraptor/releases/latest | grep 'linux-amd64' | grep -Eo "/(?[^\"]+)" | grep amd | sed 's#^#https://github.com#g')
     echo "[$(date +%H:%M:%S)]: The URL for the latest release was extracted as $LATEST_VELOCIRAPTOR_LINUX_URL"
     echo "[$(date +%H:%M:%S)]: Attempting to download..."
-    wget -P /opt/velociraptor --progress=bar:force "$LATEST_VELOCIRAPTOR_LINUX_URL"
+    #wget -P /opt/velociraptor --progress=bar:force "$LATEST_VELOCIRAPTOR_LINUX_URL"
+    # Harcoding until the release after v0.4.7
+    wget -P /opt/velociraptor --progress=bar:force "https://github.com/Velocidex/velociraptor/releases/download/v0.4.7/velociraptor-v0.4.7-1-linux-amd64"
     if [ "$(file /opt/velociraptor/velociraptor*linux-amd64 | grep -c 'ELF 64-bit LSB executable')" -eq 1 ]; then
       echo "[$(date +%H:%M:%S)]: Velociraptor successfully downloaded!"
     else