From b9b65601a686c4ee22ffd03f6bec60f8837e584a Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Thu, 28 Jun 2018 23:20:24 -0700
Subject: [PATCH] Updating hashes for pre-built boxes and small fixes
---
 Packer/scripts/MakeWindows10GreatAgain.ps1 | 5 ++-
 README.md | 10 ++---
 Vagrant/Vagrantfile | 1 +
 Vagrant/scripts/MakeWindows10GreatAgain.ps1 | 23 ++++++++++
 Vagrant/scripts/MakeWindows10GreatAgain.reg | 49 +++++++++++++++++++++
 Vagrant/scripts/install-caldera-agent.ps1 | 1 +
 build.ps1 | 16 +++----
 build.sh | 8 ++--
 8 files changed, 95 insertions(+), 18 deletions(-)
 create mode 100644 Vagrant/scripts/MakeWindows10GreatAgain.ps1
 create mode 100644 Vagrant/scripts/MakeWindows10GreatAgain.reg
diff --git a/Packer/scripts/MakeWindows10GreatAgain.ps1 b/Packer/scripts/MakeWindows10GreatAgain.ps1
index 16313f1..67b4cc2 100644
--- a/Packer/scripts/MakeWindows10GreatAgain.ps1
+++ b/Packer/scripts/MakeWindows10GreatAgain.ps1
@@ -11,10 +11,13 @@ if ($onedrive) {
 }
 c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
+Write-Host "Running Update-Help..."
 Update-Help -Force -ErrorAction SilentlyContinue
-# Remove Microsoft Store and Edge shortcuts from the taskbar
+Write-Host "Removing Microsoft Store, Mail, and Edge shortcuts from the taskbar..."
 $appname = "Microsoft Edge"
 ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
 $appname = "Microsoft Store"
 ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
+$appname = "Mail"
+((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
diff --git a/README.md b/README.md
index 4ac3018..57bc648 100644
--- a/README.md
+++ b/README.md
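Review bot: The three taskbar-unpin pipelines, including the new Mail one, are the same statement copied three times, and each one assigns `$exec = $true` without anything in the hunk reading it — if `$exec` is consumed further down the file (outside this hunk) that assignment must stay, otherwise it is dead. The pipeline also calls `.Verbs()` directly on whatever the `?{$_.Name -eq $appname}` filter returned, so when an app is not pinned the call lands on `$null` and PowerShell reports a method-on-null error instead of quietly skipping; I would expect that to be non-terminating, but it is worth confirming on a fresh Windows 10 image. A small helper that looks the item up, skips when it is missing, and is called once per app name removes the duplication; the same rewrite applies to the copy of this block in Vagrant/scripts/MakeWindows10GreatAgain.ps1 in this commit.
```powershell
function Unpin-FromTaskbar([string]$Name) {
  $item = (New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | Where-Object { $_.Name -eq $Name }
  if (-not $item) { Write-Host "$Name is not pinned to the taskbar; skipping"; return }
  $item.Verbs() | Where-Object { $_.Name.Replace('&','') -match 'Unpin from taskbar' } | ForEach-Object { $_.DoIt() }
}
# … unchanged: OneDrive removal and Update-Help …
Write-Host "Removing Microsoft Store, Mail, and Edge shortcuts from the taskbar..."
foreach ($app in 'Microsoft Edge', 'Microsoft Store', 'Mail') { Unpin-FromTaskbar $app }
```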
@@ -71,10 +71,10 @@ Windows users will want to use the following script:
 Provider | Box | URL | MD5 | Size
 ------------|-----|-----|----|----
-Virtualbox |Windows 2016 | https://www.detectionlab.network/windows_2016_virtualbox.box | b59cf23dfbcdb63c0dc8a98fbc564451 | 6.4GB
-Virtualbox | Windows 10 | https://www.detectionlab.network/windows_10_virtualbox.box | d6304f01caa553a18022ea7b5a73ad0d | 5.8GB
-VMware | Windows 2016 | https://www.detectionlab.network/windows_2016_vmware.box | 249fc2472849582d8b736cdabaf0eceb | 6.7GB
-VMware | Windows 10 | https://www.detectionlab.network/windows_10_vmware.box | 4355e9758a862a6f6349e31fdc3a6078 | 6.0GB
+Virtualbox |Windows 2016 | https://www.detectionlab.network/windows_2016_virtualbox.box | f352c852ed1b849dab18442caef83712 | 6.4GB
+Virtualbox | Windows 10 | https://www.detectionlab.network/windows_10_virtualbox.box | ad78b3406dd2c0e3418d1dd61e2abc2c | 5.8GB
+VMware | Windows 2016 | https://www.detectionlab.network/windows_2016_vmware.box | da1111c765b2fdc2ce012b6348cf74e2 | 6.7GB
+VMware | Windows 10 | https://www.detectionlab.network/windows_10_vmware.box | 14e1c4cc15e1dc47aead906b25c5b3cc | 6.0GB
 If you choose to download the boxes, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.
@@ -240,7 +240,7 @@ Requests for tools and features will be reviewed on a case by case basis, but I
 ## Credits/Resources
 A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
-# Acknowledgements
+# Acknowledgements
 * [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
 * [Splunk](https://www.splunk.com)
 * [osquery](https://osquery.io)
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 722ef4f..c2ddc7f 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -154,6 +154,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
diff --git a/Vagrant/scripts/MakeWindows10GreatAgain.ps1 b/Vagrant/scripts/MakeWindows10GreatAgain.ps1
new file mode 100644
index 0000000..7d5bef4
--- /dev/null
+++ b/Vagrant/scripts/MakeWindows10GreatAgain.ps1
@@ -0,0 +1,23 @@
+# Import the registry keys
+Write-Host "Making Windows 10 Great again"
+Write-Host "Importing registry keys..."
+regedit /s a:\MakeWindows10GreatAgain.reg
+
+# Remove OneDrive from the System
+Write-Host "Removing OneDrive..."
+$onedrive = Get-Process onedrive -ErrorAction SilentlyContinue
+if ($onedrive) {
+ taskkill /f /im OneDrive.exe
+}
+c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
+
+Write-Host "Running Update-Help..."
+Update-Help -Force -ErrorAction SilentlyContinue
+
+Write-Host "Removing Microsoft Store and Edge shortcuts from the taskbar..."
+$appname = "Microsoft Edge"
+((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
+$appname = "Microsoft Store"
+((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
+$appname = "Mail"
+((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
diff --git a/Vagrant/scripts/MakeWindows10GreatAgain.reg b/Vagrant/scripts/MakeWindows10GreatAgain.reg
new file mode 100644
index 0000000..e8ed2d4
--- /dev/null
+++ b/Vagrant/scripts/MakeWindows10GreatAgain.reg
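Review bot: `regedit /s a:\MakeWindows10GreatAgain.reg` hard-codes an A: drive path and `/s` suppresses every error, so if the .reg file is not at that path the provisioner prints "Importing registry keys..." and carries on with none of the settings applied. The A: convention looks inherited from the Packer copy of this script, where the build's floppy holds the file; nothing in this commit's Vagrantfile hunk copies the .reg onto the guest, so I would confirm that drive really exists under Vagrant and fail loudly when the file is missing: `$reg = 'a:\MakeWindows10GreatAgain.reg'`, `if (-not (Test-Path $reg)) { throw "Registry file not found: $reg" }`, `regedit /s $reg`. The progress message for the taskbar step still reads "Removing Microsoft Store and Edge shortcuts" although Mail is unpinned as well; the Packer copy in this same commit already says "Store, Mail, and Edge".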
@@ -0,0 +1,49 @@
+Windows Registry Editor Version 5.00
+
+# Disable Cortana (Windows search still remains)
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
+"AllowCortana"=dword:00000000
+
+# Disable Notification Center
+[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
+"DisableNotificationCenter"=dword:00000001
+
+# Don't reboot when users are logged in for Windows updates
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
+"NoAutoRebootWithLoggedOnUsers"=dword:00000001
+
+# Disable Microsoft.com accounts
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
+"NoConnectedUser"=dword:00000003
+
+# Show all file extensions
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
+"HideFileExt"=dword:00000000
+
+# Set explorer to open to "This PC" for new windows
+[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
+"LaunchTo"=dword:00000001
+
+# Show hidden files (not including OS files)
+[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
+"Hidden"=dword:00000001
+
+# Show "This PC" on Desktop
+# Created by: Shawn Brink
+# http://www.tenforums.com
+[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
+"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
+"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
+"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
+
+# Enable Developer Mode (prerequisite for Linux subsystem)
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
+"AllowDevelopmentWithoutDevLicense"=dword:00000001
+
+# Disable Microsoft People icon from taskbar
+[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People]
+"PeopleBand"=dword:00000000
diff --git a/Vagrant/scripts/install-caldera-agent.ps1 b/Vagrant/scripts/install-caldera-agent.ps1
index ba8b562..bd047ee 100644
--- a/Vagrant/scripts/install-caldera-agent.ps1
+++ b/Vagrant/scripts/install-caldera-agent.ps1
@@ -28,6 +28,7 @@ If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
 } Else { Write-Host "Caldera Agent is already installed. Moving on." }
+Start-Sleep 5
 If ((Get-Service -name cagent).Status -ne "Running") { throw "Caldera Agent service not running" }
diff --git a/build.ps1 b/build.ps1
index 0291e05..6bc24b3 100644
--- a/build.ps1
+++ b/build.ps1
@@ -174,12 +174,12 @@ function list_providers {
 function download_boxes {
 Write-Verbose '[download_boxes] Running..'
 if ($PackerProvider -eq 'virtualbox') {
- $win10Hash = 'd6304f01caa553a18022ea7b5a73ad0d'
- $win2016Hash = 'b59cf23dfbcdb63c0dc8a98fbc564451'
+ $win10Hash = 'ad78b3406dd2c0e3418d1dd61e2abc2c'
+ $win2016Hash = 'f352c852ed1b849dab18442caef83712'
 }
 if ($PackerProvider -eq 'vmware') {
- $win10Hash = '4355e9758a862a6f6349e31fdc3a6078'
- $win2016Hash = '249fc2472849582d8b736cdabaf0eceb'
+ $win10Hash = '14e1c4cc15e1dc47aead906b25c5b3cc'
+ $win2016Hash = 'da1111c765b2fdc2ce012b6348cf74e2'
 }
 $win10Filename = "windows_10_$PackerProvider.box"
@@ -372,14 +372,14 @@ function download {
 }
 catch
 {
- if ($_.Exception.InnerException.Response.StatusCode -eq 401 -and $SuccessOn401.IsPresent)
+ if ($_.Exception.InnerException.Response.StatusCode -eq 401 -and $SuccessOn401.IsPresent)
 {
 return $true
 }
- else
+ else
 {
 Write-Verbose "Error occured on webrequest: $_"
- return $false
+ return $false
 }
 }
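Review bot: `[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]` uses an abbreviated hive name, which as far as I know the .reg format does not accept — regedit expects the full `HKEY_CURRENT_USER`, so that key is skipped; the full-name entry immediately below writes the same value, so the abbreviated block can simply be deleted. The comment lines start with `#`, whereas the documented .reg comment prefix is `;`; regedit in `/s` mode appears to tolerate unparseable lines, but switching to `;` removes the guesswork. `"AllowDevelopmentWithoutDevLicense"=dword:00000001` turns on Developer Mode, which loosens the default posture of the endpoint; since that is deliberate here, a comment noting it is a lab-convenience deviation from a hardened baseline would help whoever later diffs this host against a policy template.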
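Review bot: `Start-Sleep 5` is a fixed delay in front of the `Running` check on the next line, so on a slow host the service can still be starting when the check runs and the provisioner throws, while on a fast host five seconds are wasted. A bounded wait on the service object replaces the guess: `try { (Get-Service -Name cagent).WaitForStatus('Running', (New-TimeSpan -Seconds 30)) }` / `catch { throw "Caldera Agent service not running" }`. The If/Else that precedes the sleep starts outside the hunk.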
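Review bot: The box checksums in `download_boxes` are hard-coded in three places — this hunk, the matching `download_boxes` hunk in build.sh, and the README table — so every re-publish of the boxes has to touch all of them, and a missed copy silently rejects (or accepts) the wrong image; one checksum file consumed by both build scripts and referenced from the README would remove the drift. MD5 is also a weak choice for verifying a multi-gigabyte image fetched over the network: it catches a corrupt download, but collisions are practical, so it does not protect against a substituted box; publishing SHA-256 alongside or instead would raise the bar at no cost to the scripts. `download_boxes` continues past the hunk, so I cannot see what happens when `$PackerProvider` is neither value and `$win10Hash`/`$win2016Hash` are never assigned.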
@@ -400,7 +400,7 @@ function post_build_checks {
 Write-Verbose "[post_build_checks] Fleet Result: $FLEET_CHECK"
 Write-Verbose '[post_build_checks] Running MS ATA Check.'
- $ATA_CHECK = download -URL 'https://192.168.38.3' -SuccessOn401
+ $ATA_CHECK = download -URL 'https://192.168.38.3' -SuccessOn401
 Write-Verbose "[post_build_checks] ATA Result: $ATA_CHECK"
diff --git a/build.sh b/build.sh
index 10ae118..01dd143 100755
--- a/build.sh
+++ b/build.sh
@@ -399,19 +399,19 @@ download_boxes() {
 fi
 # Verify hashes of VirtualBox boxes
 if [ "$PROVIDER" == "virtualbox" ]; then
- if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "d6304f01caa553a18022ea7b5a73ad0d" ]; then
+ if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "ad78b3406dd2c0e3418d1dd61e2abc2c" ]; then
 (echo >&2 "Hash mismatch on windows_10_virtualbox.box")
 fi
- if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "b59cf23dfbcdb63c0dc8a98fbc564451" ]; then
+ if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "f352c852ed1b849dab18442caef83712" ]; then
 (echo >&2 "Hash mismatch on windows_2016_virtualbox.box")
 fi
 # Verify hashes of VMware boxes
 elif [ "$PROVIDER" == "vmware" ]; then
- if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "4355e9758a862a6f6349e31fdc3a6078" ]; then
+ if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "14e1c4cc15e1dc47aead906b25c5b3cc" ]; then
 (echo >&2 "Hash mismatch on windows_10_vmware.box")
 exit 1
 fi
- if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "249fc2472849582d8b736cdabaf0eceb" ]; then
+ if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "da1111c765b2fdc2ce012b6348cf74e2" ]; then
 (echo >&2 "Hash mismatch on windows_2016_vmware.box")
 exit 1
 fi
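Review bot: In the `virtualbox` branch a hash mismatch only runs `(echo >&2 "Hash mismatch on windows_10_virtualbox.box")` and then falls through, whereas the `vmware` branch below it does `exit 1`; as written, a corrupted or substituted VirtualBox box is reported and then used anyway. Add `exit 1` after each of the two VirtualBox echo lines so both providers fail closed on a bad checksum. The subshell wrapped around each `echo` does nothing and can be dropped (`echo >&2 "Hash mismatch on windows_10_virtualbox.box"`). `$MD5TOOL`, `$CUT_INDEX` and `$DL_DIR` are set outside the hunk, and `download_boxes` begins before it.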