From bf2b89275e9ec541bbda51d5d44aa28ee0abbf79 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Mon, 20 Jul 2020 17:19:17 -0700 Subject: [PATCH] Fixing Microsoft ATA on Azure --- AWS/Terraform/locals.tf | 9 ++- AWS/Terraform/main.tf | 1 - AWS/Terraform/outputs.tf | 4 + Azure/Terraform/locals.tf | 3 +- Azure/Terraform/outputs.tf | 6 +- Vagrant/scripts/install-microsoft-ata.ps1 | 90 ++++++++++++----------- 6 files changed, 64 insertions(+), 49 deletions(-) diff --git a/AWS/Terraform/locals.tf b/AWS/Terraform/locals.tf index 380edb7..cf7c63a 100644 --- a/AWS/Terraform/locals.tf +++ b/AWS/Terraform/locals.tf @@ -1,6 +1,7 @@ locals { - fleet_url = "https://${aws_instance.logger.public_ip}:8412" - splunk_url = "https://${aws_instance.logger.public_ip}:8000" - ata_url = "https://${aws_instance.wef.public_ip}" - guacamole_url = "http://${aws_instance.logger.public_ip}:8080/guacamole" + fleet_url = "https://${aws_instance.logger.public_ip}:8412" + splunk_url = "https://${aws_instance.logger.public_ip}:8000" + ata_url = "https://${aws_instance.wef.public_ip}" + guacamole_url = "http://${aws_instance.logger.public_ip}:8080/guacamole" + velociraptor_url = "http://${aws_instance.logger.public_ip}:9999" } diff --git a/AWS/Terraform/main.tf b/AWS/Terraform/main.tf index abb0eac..c634f53 100644 --- a/AWS/Terraform/main.tf +++ b/AWS/Terraform/main.tf @@ -166,7 +166,6 @@ resource "aws_security_group" "windows" { resource "aws_key_pair" "auth" { key_name = var.public_key_name public_key = file(var.public_key_path) - tags = var.custom-tags } resource "aws_instance" "logger" { diff --git a/AWS/Terraform/outputs.tf b/AWS/Terraform/outputs.tf index e2ac47c..1d5169b 100644 --- a/AWS/Terraform/outputs.tf +++ b/AWS/Terraform/outputs.tf @@ -33,3 +33,7 @@ output "splunk_url" { output "guacamole_url" { value = local.guacamole_url } + +output "velociraptor_url" { + value = local.velociraptor_url +} diff --git a/Azure/Terraform/locals.tf b/Azure/Terraform/locals.tf index 1fb4054..d6b5ebc 100644 --- a/Azure/Terraform/locals.tf +++ b/Azure/Terraform/locals.tf @@ -3,4 +3,5 @@ locals { splunk_url = "https://${azurerm_public_ip.logger-publicip.ip_address}:8000" ata_url = "https://${azurerm_public_ip.wef-publicip.ip_address}" guacamole_url = "http://${azurerm_public_ip.logger-publicip.ip_address}:8080/guacamole" -} \ No newline at end of file + velociraptor_url = "https://${azurerm_public_ip.logger-publicip.ip_address}:9999" +} diff --git a/Azure/Terraform/outputs.tf b/Azure/Terraform/outputs.tf index 693d8df..d7b5b38 100644 --- a/Azure/Terraform/outputs.tf +++ b/Azure/Terraform/outputs.tf @@ -32,4 +32,8 @@ output "splunk_url" { output "guacamole_url" { value = local.guacamole_url -} \ No newline at end of file +} + +output "velociraptor_url" { + value = local.velociraptor_url +} diff --git a/Vagrant/scripts/install-microsoft-ata.ps1 b/Vagrant/scripts/install-microsoft-ata.ps1 index d9dc2a9..ffae058 100644 --- a/Vagrant/scripts/install-microsoft-ata.ps1 +++ b/Vagrant/scripts/install-microsoft-ata.ps1 @@ -4,7 +4,7 @@ $downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261- $fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash # Enable web requests to endpoints with invalid SSL certs (like self-signed certs) -if (-not("SSLValidator" -as [type])) { +If (-not("SSLValidator" -as [type])) { add-type -TypeDefinition @" using System; using System.Net; @@ -25,37 +25,37 @@ public static class SSLValidator { } [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() -if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center")) +If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center")) { $download = $false - if (-not (Test-Path "$env:temp\$title.iso")) + If (-not (Test-Path "$env:temp\$title.iso")) { - Write-Host "$title.iso doesn't exist yet, downloading..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..." $download = $true } - else + Else { $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash If (-not ($actualHash -eq $fileHash)) { - Write-Host "$title.iso exists, but has wrong hash, downloading..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..." $download = $true } } - if ($download -eq $true) + If ($download -eq $true) { - Write-Host "Downloading $title..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..." Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso" $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash If (-not ($actualHash -eq $fileHash)) { - Write-Host "$title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..." Remove-Item -Path "$env:temp\$title.iso" -Force bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso" $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash If (-not ($actualHash -eq $fileHash)) { - throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up." + Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up." } } } @@ -68,41 +68,39 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center $body = get-content "C:\vagrant\resources\microsoft_ata\microsoft-ata-config.json" $req = [System.Net.WebRequest]::CreateHttp("https://wef") - try - { + Try { $req.GetResponse() } - catch - { + Catch { # we don't care about errors here, we just want to get the cert ;) } $ThumbPrint = $req.ServicePoint.Certificate.GetCertHashString() $body = $body -replace "{{THUMBPRINT}}", $ThumbPrint Invoke-RestMethod -uri https://localhost/api/management/systemProfiles/center -body $body -Method Post -UseBasicParsing -UseDefaultCredentials -ContentType "application/json" - } Start-Sleep -Seconds 60 -Invoke-Command -computername dc -Credential (new-object pscredential("windomain\vagrant",(ConvertTo-SecureString -AsPlainText -Force -String "vagrant"))) -ScriptBlock { +Invoke-Command -computername dc -Credential (new-object pscredential("windomain\vagrant", (ConvertTo-SecureString -AsPlainText -Force -String "vagrant"))) -ScriptBlock { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Installing the ATA Lightweight gateway on DC..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Adding wef.windomain.local to hosts file..." + Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.103 wef.windomain.local' + # Enable web requests to endpoints with invalid SSL certs (like self-signed certs) - if (-not("SSLValidator" -as [type])) { + If (-not("SSLValidator" -as [type])) { add-type -TypeDefinition @" using System; using System.Net; using System.Net.Security; using System.Security.Cryptography.X509Certificates; - public static class SSLValidator { public static bool ReturnTrue(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; } - public static RemoteCertificateValidationCallback GetDelegate() { return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue); } @@ -111,38 +109,47 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\ } [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() - If (-not (Test-Path "$env:temp\gatewaysetup.zip")) - { - Write-Host "[$env:computername] ATA Gateway not yet downloaded. Downloading now..." - Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant"))) + If (-not (Test-Path "$env:temp\gatewaysetup.zip")) { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Downloading Microsoft ATA now..." + Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant", (convertto-securestring -AsPlainText -Force -String "vagrant"))) Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force } - else - { - Write-Host "[$env:computername] Gateway setup already downloaded. Moving On." + Else { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Microsoft Gateway has already been already downloaded. Moving On." } - if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics")) - { - Write-Host "[$env:computername] ATA Gateway not yet installed. Attempting to install now..." + If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics")) { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Attempting to install Microsoft ATA... " Set-Location "$env:temp\gatewaysetup" - Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`"" - Write-Host "[$env:computername] ATA Gateway installation complete!" + Try { + Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`"" + } Catch { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong attempting to install the Gateway on DC. Aborting installation." + Exit 1 + } + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] ATA Gateway installation complete!" } - else - { - Write-Host "[$env:computername] ATA Gateway already installed. Moving On." + Else { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] The Microsoft ATA Gateway was already installed. Moving On." + Exit 0 } - Write-Host "[$env:computername] Waiting for the ATA Gateway service to start..." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Ensuring the ATA Gateway service exists..." + Try { + Get-Service "ATAGateway" -ErrorAction Stop + } Catch [Microsoft.PowerShell.Commands.ServiceCommandException] { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Unable to find the ATAGateway service. Installation must have failed. Exiting." + Exit 1 + } + + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Waiting for the ATA Gateway service to start..." (Get-Service ATAGateway).WaitForStatus('Running', '00:10:00') - If ((Get-Service "ATAGateway").Status -ne "Running") - { - throw "ATA Gateway service failed to start on DC" + If ((Get-Service "ATAGateway").Status -ne "Running") { + Throw "ATA Gateway service failed to start on DC" } # Disable invalid web requests to endpoints with invalid SSL certs again [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null } -# set DC as domain synchronizer +# Set the DC as the domain synchronizer $config = Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways" -UseDefaultCredentials -UseBasicParsing $config[0].Configuration.DirectoryServicesResolverConfiguration.UpdateDirectoryEntityChangesConfiguration.IsEnabled = $true @@ -151,7 +158,6 @@ Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways # Disable invalid web requests to endpoints with invalid SSL certs again [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null -If ((Get-Service -name "ATACenter").Status -ne "Running") -{ - throw "MS ATA service was not running." +If ((Get-Service -name "ATACenter").Status -ne "Running") { + Throw "The Microsoft ATA service was unable to start." }