trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Updating hashes for pre-built boxes and small fixes

Browse Source
This commit is contained in:
Chris Long
2018-06-28 23:20:24 -07:00
parent 1585afd1dc
commit b9b65601a6
8 changed files with 95 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
Packer/scripts/MakeWindows10GreatAgain.ps1
View File

@@ -11,10 +11,13 @@ if ($onedrive) {
} }
c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
Write-Host "Running Update-Help..."
Update-Help -Force -ErrorAction SilentlyContinue Update-Help -Force -ErrorAction SilentlyContinue
# Remove Microsoft Store and Edge shortcuts from the taskbar Write-Host "Removing Microsoft Store, Mail, and Edge shortcuts from the taskbar..."
$appname = "Microsoft Edge" $appname = "Microsoft Edge"
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true} ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
$appname = "Microsoft Store" $appname = "Microsoft Store"
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true} ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
$appname = "Mail"
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}

10
README.md
View File

@@ -71,10 +71,10 @@ Windows users will want to use the following script:
Provider | Box | URL | MD5 | Size Provider | Box | URL | MD5 | Size
------------|-----|-----|----|---- ------------|-----|-----|----|----
Virtualbox |Windows 2016 | https://www.detectionlab.network/windows_2016_virtualbox.box | b59cf23dfbcdb63c0dc8a98fbc564451 | 6.4GB Virtualbox |Windows 2016 | https://www.detectionlab.network/windows_2016_virtualbox.box | f352c852ed1b849dab18442caef83712 | 6.4GB
Virtualbox | Windows 10 | https://www.detectionlab.network/windows_10_virtualbox.box | d6304f01caa553a18022ea7b5a73ad0d | 5.8GB Virtualbox | Windows 10 | https://www.detectionlab.network/windows_10_virtualbox.box | ad78b3406dd2c0e3418d1dd61e2abc2c | 5.8GB
VMware | Windows 2016 | https://www.detectionlab.network/windows_2016_vmware.box | 249fc2472849582d8b736cdabaf0eceb | 6.7GB VMware | Windows 2016 | https://www.detectionlab.network/windows_2016_vmware.box | da1111c765b2fdc2ce012b6348cf74e2 | 6.7GB
VMware | Windows 10 | https://www.detectionlab.network/windows_10_vmware.box | 4355e9758a862a6f6349e31fdc3a6078 | 6.0GB VMware | Windows 10 | https://www.detectionlab.network/windows_10_vmware.box | 14e1c4cc15e1dc47aead906b25c5b3cc | 6.0GB
If you choose to download the boxes, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine. If you choose to download the boxes, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.
@@ -240,7 +240,7 @@ Requests for tools and features will be reviewed on a case by case basis, but I
## Credits/Resources ## Credits/Resources
A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment. A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
# Acknowledgements # Acknowledgements
* [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) * [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
* [Splunk](https://www.splunk.com) * [Splunk](https://www.splunk.com)
* [osquery](https://osquery.io) * [osquery](https://osquery.io)

1
Vagrant/Vagrantfile vendored
View File

@@ -154,6 +154,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true

23
Vagrant/scripts/MakeWindows10GreatAgain.ps1 Normal file
View File

@@ -0,0 +1,23 @@
# Import the registry keys
Write-Host "Making Windows 10 Great again"
Write-Host "Importing registry keys..."
regedit /s a:\MakeWindows10GreatAgain.reg
# Remove OneDrive from the System
Write-Host "Removing OneDrive..."
$onedrive = Get-Process onedrive -ErrorAction SilentlyContinue
if ($onedrive) {
taskkill /f /im OneDrive.exe
}
c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
Write-Host "Running Update-Help..."
Update-Help -Force -ErrorAction SilentlyContinue
Write-Host "Removing Microsoft Store and Edge shortcuts from the taskbar..."
$appname = "Microsoft Edge"
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
$appname = "Microsoft Store"
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
$appname = "Mail"
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}

49
Vagrant/scripts/MakeWindows10GreatAgain.reg Normal file
View File

@@ -0,0 +1,49 @@
Windows Registry Editor Version 5.00
# Disable Cortana (Windows search still remains)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
"AllowCortana"=dword:00000000
# Disable Notification Center
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
"DisableNotificationCenter"=dword:00000001
# Don't reboot when users are logged in for Windows updates
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
# Disable Microsoft.com accounts
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"NoConnectedUser"=dword:00000003
# Show all file extensions
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
# Set explorer to open to "This PC" for new windows
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"LaunchTo"=dword:00000001
# Show hidden files (not including OS files)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
# Show "This PC" on Desktop
# Created by: Shawn Brink
# http://www.tenforums.com
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
# Enable Developer Mode (prerequisite for Linux subsystem)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
"AllowDevelopmentWithoutDevLicense"=dword:00000001
# Disable Microsoft People icon from taskbar
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People]
"PeopleBand"=dword:00000000

1
Vagrant/scripts/install-caldera-agent.ps1
View File

@@ -28,6 +28,7 @@ If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
} Else { } Else {
Write-Host "Caldera Agent is already installed. Moving on." Write-Host "Caldera Agent is already installed. Moving on."
} }
Start-Sleep 5
If ((Get-Service -name cagent).Status -ne "Running") { If ((Get-Service -name cagent).Status -ne "Running") {
throw "Caldera Agent service not running" throw "Caldera Agent service not running"
} }

16
build.ps1
View File

@@ -174,12 +174,12 @@ function list_providers {
function download_boxes { function download_boxes {
Write-Verbose '[download_boxes] Running..' Write-Verbose '[download_boxes] Running..'
if ($PackerProvider -eq 'virtualbox') { if ($PackerProvider -eq 'virtualbox') {
$win10Hash = 'd6304f01caa553a18022ea7b5a73ad0d' $win10Hash = 'ad78b3406dd2c0e3418d1dd61e2abc2c'
$win2016Hash = 'b59cf23dfbcdb63c0dc8a98fbc564451' $win2016Hash = 'f352c852ed1b849dab18442caef83712'
} }
if ($PackerProvider -eq 'vmware') { if ($PackerProvider -eq 'vmware') {
$win10Hash = '4355e9758a862a6f6349e31fdc3a6078' $win10Hash = '14e1c4cc15e1dc47aead906b25c5b3cc'
$win2016Hash = '249fc2472849582d8b736cdabaf0eceb' $win2016Hash = 'da1111c765b2fdc2ce012b6348cf74e2'
} }
$win10Filename = "windows_10_$PackerProvider.box" $win10Filename = "windows_10_$PackerProvider.box"
@@ -372,14 +372,14 @@ function download {
} }
catch catch
{ {
if ($_.Exception.InnerException.Response.StatusCode -eq 401 -and $SuccessOn401.IsPresent) if ($_.Exception.InnerException.Response.StatusCode -eq 401 -and $SuccessOn401.IsPresent)
{ {
return $true return $true
} }
else else
{ {
Write-Verbose "Error occured on webrequest: $_" Write-Verbose "Error occured on webrequest: $_"
return $false return $false
} }
} }
@@ -400,7 +400,7 @@ function post_build_checks {
Write-Verbose "[post_build_checks] Fleet Result: $FLEET_CHECK" Write-Verbose "[post_build_checks] Fleet Result: $FLEET_CHECK"
Write-Verbose '[post_build_checks] Running MS ATA Check.' Write-Verbose '[post_build_checks] Running MS ATA Check.'
$ATA_CHECK = download -URL 'https://192.168.38.3' -SuccessOn401 $ATA_CHECK = download -URL 'https://192.168.38.3' -SuccessOn401
Write-Verbose "[post_build_checks] ATA Result: $ATA_CHECK" Write-Verbose "[post_build_checks] ATA Result: $ATA_CHECK"

8
build.sh
View File

@@ -399,19 +399,19 @@ download_boxes() {
fi fi
# Verify hashes of VirtualBox boxes # Verify hashes of VirtualBox boxes
if [ "$PROVIDER" == "virtualbox" ]; then if [ "$PROVIDER" == "virtualbox" ]; then
if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "d6304f01caa553a18022ea7b5a73ad0d" ]; then if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "ad78b3406dd2c0e3418d1dd61e2abc2c" ]; then
(echo >&2 "Hash mismatch on windows_10_virtualbox.box") (echo >&2 "Hash mismatch on windows_10_virtualbox.box")
fi fi
if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "b59cf23dfbcdb63c0dc8a98fbc564451" ]; then if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "f352c852ed1b849dab18442caef83712" ]; then
(echo >&2 "Hash mismatch on windows_2016_virtualbox.box") (echo >&2 "Hash mismatch on windows_2016_virtualbox.box")
fi fi
# Verify hashes of VMware boxes # Verify hashes of VMware boxes
elif [ "$PROVIDER" == "vmware" ]; then elif [ "$PROVIDER" == "vmware" ]; then
if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "4355e9758a862a6f6349e31fdc3a6078" ]; then if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "14e1c4cc15e1dc47aead906b25c5b3cc" ]; then
(echo >&2 "Hash mismatch on windows_10_vmware.box") (echo >&2 "Hash mismatch on windows_10_vmware.box")
exit 1 exit 1
fi fi
if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "249fc2472849582d8b736cdabaf0eceb" ]; then if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "da1111c765b2fdc2ce012b6348cf74e2" ]; then
(echo >&2 "Hash mismatch on windows_2016_vmware.box") (echo >&2 "Hash mismatch on windows_2016_vmware.box")
exit 1 exit 1
fi fi