Update Win10 to 1804 & Fixes
@@ -54,7 +54,7 @@ else
|
||||
{
|
||||
Write-Host "GpLink $GPOName already linked on $OU. Moving On."
|
||||
}
|
||||
$OU = "ou=Workstations,dc=windomain,dc=local"
|
||||
$OU = "ou=Workstations,dc=windomain,dc=local"
|
||||
$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
|
||||
$GPO = Get-GPO -Name $GPOName
|
||||
If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
|
||||
@@ -67,7 +67,3 @@ else
|
||||
}
|
||||
|
||||
gpupdate /force
|
||||
# Enable WinRM
|
||||
Write-Host "Enabling WinRM"
|
||||
winrm qc /q:true
|
||||
Write-Host "Rebooting to make settings take effect..."
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
|
||||
# The items from this config file are used later in install-osquery.ps1
|
||||
Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
|
||||
|
||||
$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
|
||||
@@ -9,8 +10,8 @@ if (-not (Test-Path $osqueryRepoPath))
|
||||
Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
|
||||
Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
|
||||
}
|
||||
else
|
||||
else
|
||||
{
|
||||
Write-Host "$osqueryRepoPath already exists. Moving On."
|
||||
}
|
||||
Write-Host "Palantir OSQuery download complete!"
|
||||
Write-Host "Palantir osquery config download complete!"
|
||||
|
||||
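Review bot: The fetch at `Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip"` still pulls the unpinned `master` branch and expands it with no integrity check, so the osquery configs that bootstrap.sh later loads into Fleet can silently change between builds; pin a tag or commit in the URL and compare `(Get-FileHash $osqueryRepoPath -Algorithm SHA256).Hash` against a known value before `Expand-Archive`. The "already exists" branch also means a truncated zip left by an interrupted earlier run is never re-fetched, and `Expand-Archive` will then fail on the partial file; deleting the zip when expansion throws would make reruns self-healing. The temp path is hard-coded as `C:\Users\vagrant\AppData\Local\Temp` here while the Splunk script in this same commit uses `$env:Temp`, so `$env:TEMP` would keep the two consistent. The `if (-not (Test-Path $osqueryRepoPath))` that encloses these lines opens in the hunk header, outside the visible hunk.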
@@ -15,4 +15,4 @@ else
|
||||
{
|
||||
Write-Host "$wefRepoPath already exists. Moving On."
|
||||
}
|
||||
Write-Host "Palantir WEF download complete!"
|
||||
Write-Host "Palantir WEF download complete!"
|
||||
|
||||
@@ -1,31 +1,28 @@
|
||||
# Source: https://github.com/StefanScherer/adfs2
|
||||
param ([String] $ip, [String] $dns)
|
||||
|
||||
if (Test-Path C:\Users\vagrant\enable-winrm-after-customization.bat) {
|
||||
Write-Host "Nothing to do in vCloud."
|
||||
exit 0
|
||||
}
|
||||
if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
|
||||
Write-Host "Nothing to do for other providers than VMware."
|
||||
exit 0
|
||||
}
|
||||
Write-Host "Setting IP address and DNS information for the second network adapter"
|
||||
|
||||
$subnet = $ip -replace "\.\d+$", ""
|
||||
|
||||
write-host "debug 1"
|
||||
$name = (Get-NetIPAddress -AddressFamily IPv4 `
|
||||
| Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
|
||||
).InterfaceAlias
|
||||
|
||||
write-host "debug 2"
|
||||
if (!$name) {
|
||||
$name = (Get-NetIPAddress -AddressFamily IPv4 `
|
||||
| Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
|
||||
).InterfaceAlias
|
||||
}
|
||||
|
||||
write-host "debug 3"
|
||||
if ($name) {
|
||||
Write-Host "Set IP address to $ip of interface $name"
|
||||
& netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
|
||||
|
||||
write-host "debug 4"
|
||||
if ($dns) {
|
||||
Write-Host "Set DNS server address to $dns of interface $name"
|
||||
& netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1
|
||||
|
||||
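Review bot: `($_.IPAddress).StartsWith($subnet)` matches a bare prefix, so with `$ip` = 192.168.3.10 the subnet string `192.168.3` also matches an adapter on 192.168.38.x and the wrong interface gets reconfigured; comparing with the dot appended, `StartsWith("$subnet.")`, closes that gap. Neither `$ip` nor `$dns` is validated before being spliced into the `netsh.exe` arguments, and the 255.255.255.0 mask and `.1` gateway are assumed rather than derived, which is acceptable for a lab but deserves a line such as `# assumes a /24 with the gateway at .1`. The exit codes of both `netsh.exe` calls are never checked, so a rejected address change is reported as success. The `if ($name) {` block opened near the bottom of this hunk closes outside it.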
@@ -3,8 +3,7 @@
|
||||
Write-Host "Installing AutorunsToWinEventLog..."
|
||||
If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
|
||||
{
|
||||
cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
|
||||
.\Install.ps1
|
||||
. c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1
|
||||
Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
|
||||
Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
|
||||
$Tsk = Get-ScheduledTask -TaskName "AutorunsToWinEventLog"
|
||||
@@ -13,7 +12,7 @@ If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
|
||||
throw "AutorunsToWinEventLog scheduled tasks wasn't running after starting it"
|
||||
}
|
||||
}
|
||||
else
|
||||
else
|
||||
{
|
||||
Write-Host "AutorunsToWinEventLog already installed. Moving On."
|
||||
}
|
||||
|
||||
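Review bot: Dot-sourcing `. c:\...\AutorunsToWinEventLog\Install.ps1` runs the installer in this script's own scope rather than a child scope, so every variable and function it defines leaks into the caller, and because the `cd` was dropped any relative path inside Install.ps1 now resolves against whatever the current directory happens to be instead of the AutorunsToWinEventLog folder (harmless only if it uses `$PSScriptRoot`, which I cannot see from here). Invoking it as a child scope from its own directory keeps the old behaviour without the scope leak: `Push-Location "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"; & .\Install.ps1; Pop-Location`. The Install.ps1 being run comes from the unpinned `master` zip downloaded by the WEF script, so the same pinning caveat applies. The `If ((Get-ScheduledTask ...) -eq $null)` opened at the top of this hunk closes in the second hunk.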
@@ -1,7 +1,6 @@
|
||||
# Purpose: Installs the Caldera agent on the host
|
||||
|
||||
if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
|
||||
{
|
||||
If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
|
||||
# Add /etc/hosts entry
|
||||
Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 logger"
|
||||
|
||||
@@ -21,13 +20,15 @@ if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
|
||||
# Ignore SSL warning for conf file download
|
||||
# https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
|
||||
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
|
||||
If (-not (Test-Path "$cagentConfPath" )) {
|
||||
Write-Host "Caldera Agent configuration failed. Unable to retrieve config from logger"
|
||||
}
|
||||
Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
|
||||
Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
|
||||
Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
|
||||
} Else {
|
||||
Write-Host "Caldera Agent is already installed. Moving on."
|
||||
}
|
||||
If ((Get-Service -name cagent).Status -ne "Running")
|
||||
{
|
||||
If ((Get-Service -name cagent).Status -ne "Running") {
|
||||
throw "Caldera Agent service not running"
|
||||
}
|
||||
Write-Host "Cagent installation complete!"
|
||||
|
||||
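Review bot: The new `If (-not (Test-Path "$cagentConfPath"))` only prints "configuration failed" and then falls through to `Start-Process $cagentPath ... 'install'` and `'start'`, so a missing config still installs and starts the service; since this script already throws when the service is not running, the check should `throw "Caldera Agent configuration failed. Unable to retrieve config from logger"` so provisioning stops at the real cause. The `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}` on the line above disables TLS certificate validation for the whole PowerShell process, not just this one download, and nothing resets it afterwards; setting the callback back to `$null` immediately after `DownloadFile`, or checking the logger certificate's thumbprint inside the callback, would limit the blast radius to this single fetch. The enclosing `If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))` opens in the first hunk and closes here.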
@@ -1,12 +1,12 @@
|
||||
# Purpose: Installs a Splunk Universal Forwader on the host
|
||||
|
||||
If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
|
||||
Write-Host "Downloading Splunk"
|
||||
$msiFile = $env:Temp + "\splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi"
|
||||
Write-Host "Downloading Splunk Universal Forwarder"
|
||||
$msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
|
||||
|
||||
Write-Host "Installing & Starting Splunk"
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi&wget=true', $msiFile)
|
||||
Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 /quiet' -Wait
|
||||
(New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
|
||||
Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
|
||||
} Else {
|
||||
Write-Host "Splunk is already installed. Moving on."
|
||||
}
|
||||
|
||||
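Review bot: The added `SPLUNKPASSWORD=changeme` hard-codes the forwarder admin password in the script and places it on the msiexec command line, where it is visible to `Get-CimInstance Win32_Process` and to the Sysmon process-create events this same lab collects; reading it from a variable declared at the top of the script (`$SplunkPassword = 'changeme'  # lab-only default, change before reuse`) at least makes the default visible and easy to override. The MSI is downloaded with no hash check and `Start-Process -Wait` does not surface msiexec's exit code, so a failed install is reported as success and the next run says "Splunk is already installed"; `-PassThru` with a test on `.ExitCode` would turn that into an error. Comparing `(Get-FileHash $msiFile -Algorithm SHA256).Hash` against Splunk's published checksum would pin the 7.1.0 download.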
@@ -24,23 +24,32 @@ $sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
|
||||
$tcpviewPath = "C:\Tools\Sysinternals\Tcpview.exe"
|
||||
$sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
|
||||
|
||||
Write-Host "Downloading Autoruns64.exe..."
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/Autoruns64.exe" -OutFile $autorunsPath
|
||||
Write-Host "Downloading Procmon.exe..."
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile $procmonPath
|
||||
Write-Host "Downloading PsExec64.exe..."
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec64.exe" -OutFile $psexecPath
|
||||
Write-Host "Downloading procexp64.exe..."
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/procexp64.exe" -OutFile $procexpPath
|
||||
Write-Host "Downloading Sysmon64.exe..."
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sysmonPath
|
||||
Write-Host "Downloading Tcpview.exe..."
|
||||
Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
|
||||
Copy-Item $sysmonPath $sysmonDir
|
||||
|
||||
# Download SwiftOnSecurity's Sysmon config
|
||||
Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
|
||||
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonConfigPath"
|
||||
# Alternative: Download Olaf Hartong's Sysmon config (more CPU intensive)
|
||||
#Invoke-WebRequest -Uri "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml" -Outfile "$sysmonConfigPath"
|
||||
|
||||
# Convert Sysmon config schema from 3.30 to 4.0 per GitHub Issue #38
|
||||
(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
|
||||
|
||||
# Convert Schema from 3.30 to 4.0 per GitHub Issue #38
|
||||
(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
|
||||
|
||||
# Startup Sysmon
|
||||
# Start Sysmon
|
||||
Write-Host "Starting Sysmon..."
|
||||
Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
|
||||
Write-Host "Verifying that the Sysmon service is running..."
|
||||
Start-Sleep 5 # Give the service time to start
|
||||
If ((Get-Service -name Sysmon64).Status -ne "Running")
|
||||
{
|
||||
throw "The Sysmon service did not start successfully"
|
||||
}
|
||||
|
||||
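Review bot: The new Procmon and Tcpview downloads, like the existing ones, write live.sysinternals.com binaries straight into `C:\Tools\Sysinternals` with no integrity check; since Sysinternals executables are Authenticode-signed, testing `(Get-AuthenticodeSignature $sysmonPath).Status -eq 'Valid'` after each `Invoke-WebRequest` would catch a tampered or truncated download before Sysmon is installed from it. `Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"` is launched without `-Wait`, so the five-second sleep is the only thing between the install and the service check; adding `-Wait` makes the sleep a margin rather than the sole guard. The `-replace 'schemaversion="3.30"'` rewrite silently does nothing if the upstream config ships another schema version, which a comment such as `# no-op if upstream already ships schema >= 4.00` should say.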
@@ -3,24 +3,21 @@
|
||||
If (-not (Test-Path "C:\ProgramData\chocolatey")) {
|
||||
Write-Host "Installing Chocolatey"
|
||||
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
|
||||
}
|
||||
else {
|
||||
} else {
|
||||
Write-Host "Chocolatey is already installed."
|
||||
}
|
||||
|
||||
Write-Host "Installing atom, Notepad++, Chrome, WinRar, and Mimikatz."
|
||||
choco install -y atom
|
||||
Write-Host "Installing Notepad++, Chrome, WinRar, PowerSploit and Mimikatz."
|
||||
If ($(hostname) -eq "win10") {
|
||||
# Because the Windows10 start menu sucks
|
||||
choco install -y classic-shell -installArgs ADDLOCAL=ClassicStartMenu
|
||||
}
|
||||
choco install -y NotepadPlusPlus
|
||||
choco install -y GoogleChrome
|
||||
choco install -y WinRar
|
||||
Write-Host $env:LOCALAPPDATA
|
||||
$env:PATH="$env:PATH;$env:LOCALAPPDATA\atom\bin"
|
||||
apm install language-powershell
|
||||
apm install language-batch
|
||||
apm install language-docker
|
||||
|
||||
# Disable Windows Defender realtime scanning before downloading Mimikatz
|
||||
If ($env:computername -eq "WIN10") {
|
||||
If ($env:computername -eq "win10") {
|
||||
If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
|
||||
{
|
||||
Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
|
||||
@@ -28,7 +25,7 @@ If ($env:computername -eq "WIN10") {
|
||||
gpupdate /force | Out-String
|
||||
Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
|
||||
set-MpPreference -DisableRealtimeMonitoring $true
|
||||
|
||||
|
||||
}
|
||||
|
||||
# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
|
||||
@@ -37,7 +34,6 @@ Write-Host "Determining latest release of Mimikatz..."
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
|
||||
$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
|
||||
|
||||
$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
|
||||
if (-not (Test-Path $mimikatzRepoPath))
|
||||
{
|
||||
@@ -48,8 +44,19 @@ else
|
||||
{
|
||||
Write-Host "Mimikatz was already installed. Moving On."
|
||||
}
|
||||
# Enable realtime monitoring again, now that exclusion is set for mimikatz
|
||||
If ($env:computername -eq "WIN10") {
|
||||
set-MpPreference -DisableRealtimeMonitoring $false
|
||||
|
||||
# Download and unzip a copy of PowerSploit
|
||||
Write-Host "Downloading Powersploit..."
|
||||
# GitHub requires TLS 1.2 as of 2/27
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
|
||||
$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
|
||||
if (-not (Test-Path $powersploitRepoPath)) {
|
||||
Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
|
||||
Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
|
||||
Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
|
||||
} else {
|
||||
Write-Host "PowerSploit was already installed. Moving On."
|
||||
}
|
||||
Write-Host "Utilties installation complete!"
|
||||
|
||||
Write-Host "Utilties installation complete!"
|
||||
|
||||
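Review bot: Counting this last hunk's 8 → 19 lines against the visible text, the block `If ($env:computername -eq "WIN10") { set-MpPreference -DisableRealtimeMonitoring $false }` appears to be on the removed side (it still carries the old upper-case `WIN10` spelling), so after this commit the win10 host turns Defender real-time monitoring off before the Mimikatz download and never turns it back on — please confirm against the raw diff. If that is intended because PowerSploit is copied into the unexcluded `$Env:windir\System32\WindowsPowerShell\v1.0\Modules`, say so in a comment; otherwise add that path to `Set-MpPreference -ExclusionPath` and restore the re-enable after the PowerSploit `Copy-Item`. Like the Mimikatz fetch, the PowerSploit download pulls an unpinned `master.zip` and installs it system-wide with no hash check, so a pinned tag or commit plus `Get-FileHash` would keep the lab reproducible. The `"WIN10"` → `"win10"` change is a no-op because `-eq` is case-insensitive in PowerShell; harmless, but not a fix.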