trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixing Microsoft ATA on Azure

Browse Source
This commit is contained in:
Chris Long
2020-07-20 17:19:17 -07:00
parent 27aa62706d
commit bf2b89275e
6 changed files with 64 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
AWS/Terraform/locals.tf
View File

@@ -3,4 +3,5 @@ locals {
splunk_url = "https://${aws_instance.logger.public_ip}:8000" splunk_url = "https://${aws_instance.logger.public_ip}:8000"
ata_url = "https://${aws_instance.wef.public_ip}" ata_url = "https://${aws_instance.wef.public_ip}"
guacamole_url = "http://${aws_instance.logger.public_ip}:8080/guacamole" guacamole_url = "http://${aws_instance.logger.public_ip}:8080/guacamole"
velociraptor_url = "http://${aws_instance.logger.public_ip}:9999"
} }

1
AWS/Terraform/main.tf
View File

@@ -166,7 +166,6 @@ resource "aws_security_group" "windows" {
resource "aws_key_pair" "auth" { resource "aws_key_pair" "auth" {
key_name = var.public_key_name key_name = var.public_key_name
public_key = file(var.public_key_path) public_key = file(var.public_key_path)
tags = var.custom-tags
} }
resource "aws_instance" "logger" { resource "aws_instance" "logger" {

4
AWS/Terraform/outputs.tf
View File

@@ -33,3 +33,7 @@ output "splunk_url" {
output "guacamole_url" { output "guacamole_url" {
value = local.guacamole_url value = local.guacamole_url
} }
output "velociraptor_url" {
value = local.velociraptor_url
}

1
Azure/Terraform/locals.tf
View File

@@ -3,4 +3,5 @@ locals {
splunk_url = "https://${azurerm_public_ip.logger-publicip.ip_address}:8000" splunk_url = "https://${azurerm_public_ip.logger-publicip.ip_address}:8000"
ata_url = "https://${azurerm_public_ip.wef-publicip.ip_address}" ata_url = "https://${azurerm_public_ip.wef-publicip.ip_address}"
guacamole_url = "http://${azurerm_public_ip.logger-publicip.ip_address}:8080/guacamole" guacamole_url = "http://${azurerm_public_ip.logger-publicip.ip_address}:8080/guacamole"
velociraptor_url = "https://${azurerm_public_ip.logger-publicip.ip_address}:9999"
} }

4
Azure/Terraform/outputs.tf
View File

@@ -33,3 +33,7 @@ output "splunk_url" {
output "guacamole_url" { output "guacamole_url" {
value = local.guacamole_url value = local.guacamole_url
} }
output "velociraptor_url" {
value = local.velociraptor_url
}

84
Vagrant/scripts/install-microsoft-ata.ps1
View File

@@ -4,7 +4,7 @@ $downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-
$fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash $fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash
# Enable web requests to endpoints with invalid SSL certs (like self-signed certs) # Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
if (-not("SSLValidator" -as [type])) { If (-not("SSLValidator" -as [type])) {
add-type -TypeDefinition @" add-type -TypeDefinition @"
using System; using System;
using System.Net; using System.Net;
@@ -25,37 +25,37 @@ public static class SSLValidator {
} }
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center")) If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
{ {
$download = $false $download = $false
if (-not (Test-Path "$env:temp\$title.iso")) If (-not (Test-Path "$env:temp\$title.iso"))
{ {
Write-Host "$title.iso doesn't exist yet, downloading..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..."
$download = $true $download = $true
} }
else Else
{ {
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
If (-not ($actualHash -eq $fileHash)) If (-not ($actualHash -eq $fileHash))
{ {
Write-Host "$title.iso exists, but has wrong hash, downloading..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..."
$download = $true $download = $true
} }
} }
if ($download -eq $true) If ($download -eq $true)
{ {
Write-Host "Downloading $title..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso" Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
If (-not ($actualHash -eq $fileHash)) If (-not ($actualHash -eq $fileHash))
{ {
Write-Host "$title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
Remove-Item -Path "$env:temp\$title.iso" -Force Remove-Item -Path "$env:temp\$title.iso" -Force
bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso" bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso"
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
If (-not ($actualHash -eq $fileHash)) If (-not ($actualHash -eq $fileHash))
{ {
throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up." Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
} }
} }
} }
@@ -68,19 +68,16 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
$body = get-content "C:\vagrant\resources\microsoft_ata\microsoft-ata-config.json" $body = get-content "C:\vagrant\resources\microsoft_ata\microsoft-ata-config.json"
$req = [System.Net.WebRequest]::CreateHttp("https://wef") $req = [System.Net.WebRequest]::CreateHttp("https://wef")
try Try {
{
$req.GetResponse() $req.GetResponse()
} }
catch Catch {
{
# we don't care about errors here, we just want to get the cert ;) # we don't care about errors here, we just want to get the cert ;)
} }
$ThumbPrint = $req.ServicePoint.Certificate.GetCertHashString() $ThumbPrint = $req.ServicePoint.Certificate.GetCertHashString()
$body = $body -replace "{{THUMBPRINT}}", $ThumbPrint $body = $body -replace "{{THUMBPRINT}}", $ThumbPrint
Invoke-RestMethod -uri https://localhost/api/management/systemProfiles/center -body $body -Method Post -UseBasicParsing -UseDefaultCredentials -ContentType "application/json" Invoke-RestMethod -uri https://localhost/api/management/systemProfiles/center -body $body -Method Post -UseBasicParsing -UseDefaultCredentials -ContentType "application/json"
} }
Start-Sleep -Seconds 60 Start-Sleep -Seconds 60
@@ -89,20 +86,21 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Installing the ATA Lightweight gateway on DC..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Installing the ATA Lightweight gateway on DC..."
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Adding wef.windomain.local to hosts file..."
Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.103 wef.windomain.local'
# Enable web requests to endpoints with invalid SSL certs (like self-signed certs) # Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
if (-not("SSLValidator" -as [type])) { If (-not("SSLValidator" -as [type])) {
add-type -TypeDefinition @" add-type -TypeDefinition @"
using System; using System;
using System.Net; using System.Net;
using System.Net.Security; using System.Net.Security;
using System.Security.Cryptography.X509Certificates; using System.Security.Cryptography.X509Certificates;
public static class SSLValidator { public static class SSLValidator {
public static bool ReturnTrue(object sender, public static bool ReturnTrue(object sender,
X509Certificate certificate, X509Certificate certificate,
X509Chain chain, X509Chain chain,
SslPolicyErrors sslPolicyErrors) { return true; } SslPolicyErrors sslPolicyErrors) { return true; }
public static RemoteCertificateValidationCallback GetDelegate() { public static RemoteCertificateValidationCallback GetDelegate() {
return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue); return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue);
} }
@@ -111,38 +109,47 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
} }
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate() [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
If (-not (Test-Path "$env:temp\gatewaysetup.zip")) If (-not (Test-Path "$env:temp\gatewaysetup.zip")) {
{ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Downloading Microsoft ATA now..."
Write-Host "[$env:computername] ATA Gateway not yet downloaded. Downloading now..."
Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant", (convertto-securestring -AsPlainText -Force -String "vagrant"))) Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant", (convertto-securestring -AsPlainText -Force -String "vagrant")))
Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
} }
else Else {
{ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Microsoft Gateway has already been already downloaded. Moving On."
Write-Host "[$env:computername] Gateway setup already downloaded. Moving On."
} }
if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics")) If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics")) {
{ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Attempting to install Microsoft ATA... "
Write-Host "[$env:computername] ATA Gateway not yet installed. Attempting to install now..."
Set-Location "$env:temp\gatewaysetup" Set-Location "$env:temp\gatewaysetup"
Try {
Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`"" Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
Write-Host "[$env:computername] ATA Gateway installation complete!" } Catch {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong attempting to install the Gateway on DC. Aborting installation."
Exit 1
} }
else Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] ATA Gateway installation complete!"
{
Write-Host "[$env:computername] ATA Gateway already installed. Moving On."
} }
Write-Host "[$env:computername] Waiting for the ATA Gateway service to start..." Else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] The Microsoft ATA Gateway was already installed. Moving On."
Exit 0
}
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Ensuring the ATA Gateway service exists..."
Try {
Get-Service "ATAGateway" -ErrorAction Stop
} Catch [Microsoft.PowerShell.Commands.ServiceCommandException] {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Unable to find the ATAGateway service. Installation must have failed. Exiting."
Exit 1
}
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Waiting for the ATA Gateway service to start..."
(Get-Service ATAGateway).WaitForStatus('Running', '00:10:00') (Get-Service ATAGateway).WaitForStatus('Running', '00:10:00')
If ((Get-Service "ATAGateway").Status -ne "Running") If ((Get-Service "ATAGateway").Status -ne "Running") {
{ Throw "ATA Gateway service failed to start on DC"
throw "ATA Gateway service failed to start on DC"
} }
# Disable invalid web requests to endpoints with invalid SSL certs again # Disable invalid web requests to endpoints with invalid SSL certs again
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
} }
# set DC as domain synchronizer # Set the DC as the domain synchronizer
$config = Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways" -UseDefaultCredentials -UseBasicParsing $config = Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways" -UseDefaultCredentials -UseBasicParsing
$config[0].Configuration.DirectoryServicesResolverConfiguration.UpdateDirectoryEntityChangesConfiguration.IsEnabled = $true $config[0].Configuration.DirectoryServicesResolverConfiguration.UpdateDirectoryEntityChangesConfiguration.IsEnabled = $true
@@ -151,7 +158,6 @@ Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways
# Disable invalid web requests to endpoints with invalid SSL certs again # Disable invalid web requests to endpoints with invalid SSL certs again
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
If ((Get-Service -name "ATACenter").Status -ne "Running") If ((Get-Service -name "ATACenter").Status -ne "Running") {
{ Throw "The Microsoft ATA service was unable to start."
throw "MS ATA service was not running."
} }