diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 70cc0dc..28295dc 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -63,7 +63,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "reload"
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
@@ -130,7 +129,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "reload"
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
 cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
 cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
@@ -194,7 +192,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "reload"
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
 cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1
index d32694c..e36c07d 100644
--- a/Vagrant/scripts/configure-ou.ps1
+++ b/Vagrant/scripts/configure-ou.ps1
@@ -13,43 +13,46 @@ ping /n 1 windomain.local
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..."
 # Create the Servers OU if it doesn't exist
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU"
-try {
- Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null
- Write-Host "Servers OU already exists. Moving On."
-}
-catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
- New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
- Write-Host "Created Servers OU."
-}
-catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
- Write-Host "Unable to reach Active Directory. Sleeping for 10 and attmepting one more time..."
- Start-Sleep 10
- New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
- Write-Host "Created Servers OU after a retry."
-}
-catch {
- Write-Host "Something went wrong attempting to reach AD or create the OU."
+$servers_ou_created = 0
+while ($servers_ou_created != 1) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU"
+ try {
+ Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null
+ Write-Host "Servers OU already exists. Moving On."
+ }
+ catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
+ New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
+ Write-Host "Created Servers OU."
+ $servers_ou_created = 1
+ }
+ catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
+ Write-Host "Unable to reach Active Directory. Sleeping for 5 and trying again..."
+ Start-Sleep 5
+ }
+ catch {
+ Write-Host "Something went wrong attempting to reach AD or create the OU."
+ }
 }
 # Create the Workstations OU if it doesn't exist
+$workstations_ou_created = 0
+while ($workstations_ou_created != 1) {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU"
-try {
- Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null
- Write-Host "Workstations OU already exists. Moving On."
-}
-catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
- New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
- Write-Host "Created Workstations OU."
-}
-catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
- Write-Host "Unable to reach Active Directory. Sleeping for 10 and attmepting one more time..."
- Start-Sleep 10
- New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
- Write-Host "Created Workstations OU after a retry."
-}
-catch {
- Write-Host "Something went wrong attempting to reach AD or create the OU."
+ try {
+ Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null
+ Write-Host "Workstations OU already exists. Moving On."
+ }
+ catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
+ New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
+ Write-Host "Created Workstations OU."
+ }
+ catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
+ Write-Host "Unable to reach Active Directory. Sleeping for 5 and trying again..."
+ Start-Sleep 5
+ }
+ catch {
+ Write-Host "Something went wrong attempting to reach AD or create the OU."
+ }
 }
 # Sysprep breaks auto-login. Let's restore it here:
diff --git a/Vagrant/scripts/download_palantir_osquery.ps1 b/Vagrant/scripts/download_palantir_osquery.ps1
deleted file mode 100644
index d20c7dd..0000000
--- a/Vagrant/scripts/download_palantir_osquery.ps1
+++ /dev/null
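Review bot: `while ($servers_ou_created != 1)` and `while ($workstations_ou_created != 1)` are not valid PowerShell — `!=` is not a comparison operator, so the whole script fails to parse before any OU is touched; both conditions need `-ne 1`. Even with that fixed, the Workstations loop never assigns `$workstations_ou_created = 1` in any branch, and in the Servers loop only the ADIdentityNotFoundException branch sets the flag, so an already-existing OU (any re-provision) or the generic `catch {}` path spins forever with no delay between iterations. Add `$servers_ou_created = 1` after the "already exists" `Write-Host` in the try block, and the matching `$workstations_ou_created = 1` after both the "already exists" and the `New-ADOrganizationalUnit` lines of the Workstations loop. The generic `catch {}` in both loops should also either sleep or count attempts and give up, so a persistent error cannot peg the provisioner at 100% CPU.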
@@ -1,17 +0,0 @@
-# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
-# The items from this config file are used later in install-osquery.ps1
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading and unzipping the Palantir osquery Repo from Github..."
-
-$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
-if (-not (Test-Path $osqueryRepoPath))
-{
- # GitHub requires TLS 1.2 as of 2/1/2018
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
- Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
-}
-else
-{
- Write-Host "$osqueryRepoPath already exists. Moving On."
-}
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir osquery config download complete!"
diff --git a/Vagrant/scripts/install-osquery.ps1 b/Vagrant/scripts/install-osquery.ps1
index 0cd42a7..6900410 100755
--- a/Vagrant/scripts/install-osquery.ps1
+++ b/Vagrant/scripts/install-osquery.ps1
@@ -1,18 +1,18 @@
 # Purpose: Installs osquery on the host
 # Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
-# If you would like to have osquery run without TLS & Fleet, uncomment line 15 and comment lines 21-30.
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing osquery..."
-$packsDir = "c:\Program Files\osquery\packs"
+$flagfile = "c:\Program Files\osquery\osquery.flags"
 choco install -y --limit-output --no-progress osquery | Out-String # Apparently Out-String makes the process wait
 $service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'"
 If (-not ($service)) {
 Write-Host "Setting osquery to run as a service"
 New-Service -Name "osqueryd" -BinaryPathName "C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=`"C:\Program Files\osquery\osquery.flags`""
- # Copy over the config and packs from the Palantir repo
- Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Classic\Endpoints\Windows\*" "c:\Program Files\osquery"
- Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Classic\Endpoints\packs" -Path "c:\Program Files\osquery"
+ # Download the flags file from the Palantir osquery-configuration Github
+ # GitHub requires TLS 1.2 as of 2/1/2018
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ Invoke-WebRequest -Uri "https://raw.githubusercontent.com/palantir/osquery-configuration/master/Classic/Endpoints/Windows/osquery.flags" -OutFile $flagfile
 ## Use the TLS config
 ## Add entry to hosts file for Kolide for SSL validation
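Review bot: The new `Invoke-WebRequest ... -OutFile $flagfile` has no failure handling, so if the download fails the script keeps going, the later `Get-Content $flagfile` edits operate on a missing file, and osqueryd is registered with a `--flagfile` that does not exist; add `-ErrorAction Stop` to the call or follow it with `if (-not (Test-Path $flagfile)) { throw "osquery.flags download failed" }`. The URL also tracks the `master` branch of a third-party repository, which the deleted zip download did too, but now the fetched content is the exact flags file the service starts with, so two builds can end up with different osqueryd settings and the `-replace` placeholders the rest of the script depends on can disappear upstream; pinning the path to a commit (`.../osquery-configuration/<COMMIT_SHA>/Classic/Endpoints/Windows/osquery.flags`, placeholder) makes the provisioned config reproducible and reviewable. The enclosing `If (-not ($service))` block ends outside this hunk.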
@@ -20,14 +20,14 @@ If (-not ($service)) {
 ## Add kolide secret and avoid BOM
 $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
 [System.IO.File]::WriteAllLines("c:\Program Files\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)
- ## Change TLS server hostname
- (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'tls.endpoint.server.com', 'kolide:8412' | Set-Content "c:\Program Files\osquery\osquery.flags"
- ## Change path to secrets
- (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'path\\to\\file\\containing\\secret.txt', 'Program Files\osquery\kolide_secret.txt' | Set-Content "c:\Program Files\osquery\osquery.flags"
- ## Change path to certfile
- (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'c:\\ProgramData\\osquery\\certfile.crt', 'c:\Program Files\osquery\certfile.crt' | Set-Content "c:\Program Files\osquery\osquery.flags"
+ ## Change TLS server hostname in the flags file
+ (Get-Content $flagfile) -replace 'tls.endpoint.server.com', 'kolide:8412' | Set-Content $flagfile
+ ## Change path to secrets in the flags file
+ (Get-Content $flagfile) -replace 'path\\to\\file\\containing\\secret.txt', 'Program Files\osquery\kolide_secret.txt' | Set-Content $flagfile
+ ## Change path to certfile in the flags file
+ (Get-Content $flagfile) -replace 'c:\\ProgramData\\osquery\\certfile.crt', 'c:\Program Files\osquery\certfile.crt' | Set-Content $flagfile
 ## Remove the verbose flag and replace it with the logger_min_status=1 option (See https://github.com/osquery/osquery/issues/5212)
- (Get-Content "c:\Program Files\osquery\osquery.flags") -replace '--verbose=true', '--logger_min_status=1' | Set-Content "c:\Program Files\osquery\osquery.flags"
+ (Get-Content $flagfile) -replace '--verbose=true', '--logger_min_status=1' | Set-Content $flagfile
 ## Add certfile.crt
 Copy-Item "c:\vagrant\resources\fleet\server.crt" "c:\Program Files\osquery\certfile.crt"
 ## Start the service
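Review bot: The four `(Get-Content $flagfile) -replace ... | Set-Content $flagfile` passes succeed regardless of whether their patterns matched, and since the flags file is now fetched from an upstream branch at provision time, a renamed placeholder upstream would silently leave `tls.endpoint.server.com` or the sample secret path in place and osqueryd would start against an endpoint that does not exist. Verify the rewrite before the service is started, e.g. `if (-not (Select-String -Path $flagfile -Pattern 'kolide:8412' -Quiet)) { throw "osquery.flags rewrite failed" }`. As a point of style, the four read-modify-write passes can be chained into one pipeline with successive `-replace` operators so the file is read and written once. The enclosing `If (-not ($service))` block starts before and ends after this hunk.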