Fixing Microsoft ATA on Azure

2020-07-20 17:19:17 -07:00
parent 27aa62706d
commit bf2b89275e
6 changed files with 64 additions and 49 deletions
--- a/AWS/Terraform/locals.tf
+++ b/AWS/Terraform/locals.tf
@@ -1,6 +1,7 @@
 locals {
-  fleet_url     = "https://${aws_instance.logger.public_ip}:8412"
-  splunk_url    = "https://${aws_instance.logger.public_ip}:8000"
-  ata_url       = "https://${aws_instance.wef.public_ip}"
-  guacamole_url = "http://${aws_instance.logger.public_ip}:8080/guacamole"
+  fleet_url        = "https://${aws_instance.logger.public_ip}:8412"
+  splunk_url       = "https://${aws_instance.logger.public_ip}:8000"
+  ata_url          = "https://${aws_instance.wef.public_ip}"
+  guacamole_url    = "http://${aws_instance.logger.public_ip}:8080/guacamole"
+  velociraptor_url = "http://${aws_instance.logger.public_ip}:9999"
 }
--- a/AWS/Terraform/main.tf
+++ b/AWS/Terraform/main.tf
@@ -166,7 +166,6 @@ resource "aws_security_group" "windows" {
 resource "aws_key_pair" "auth" {
  key_name   = var.public_key_name
  public_key = file(var.public_key_path)
-  tags = var.custom-tags
 }

 resource "aws_instance" "logger" {
--- a/AWS/Terraform/outputs.tf
+++ b/AWS/Terraform/outputs.tf
@@ -33,3 +33,7 @@ output "splunk_url" {
 output "guacamole_url" {
  value = local.guacamole_url
 }
+
+output "velociraptor_url" {
+  value = local.velociraptor_url
+}
--- a/Azure/Terraform/locals.tf
+++ b/Azure/Terraform/locals.tf
@@ -3,4 +3,5 @@ locals {
  splunk_url = "https://${azurerm_public_ip.logger-publicip.ip_address}:8000"
  ata_url    = "https://${azurerm_public_ip.wef-publicip.ip_address}"
  guacamole_url = "http://${azurerm_public_ip.logger-publicip.ip_address}:8080/guacamole"
+  velociraptor_url = "https://${azurerm_public_ip.logger-publicip.ip_address}:9999"
 }
--- a/Azure/Terraform/outputs.tf
+++ b/Azure/Terraform/outputs.tf
@@ -33,3 +33,7 @@ output "splunk_url" {
 output "guacamole_url" {
  value = local.guacamole_url
 }
+
+output "velociraptor_url" {
+  value = local.velociraptor_url
+}
--- a/Vagrant/scripts/install-microsoft-ata.ps1
+++ b/Vagrant/scripts/install-microsoft-ata.ps1
@@ -4,7 +4,7 @@ $downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-
 $fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash

 # Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
-if (-not("SSLValidator" -as [type])) {
+If (-not("SSLValidator" -as [type])) {
    add-type -TypeDefinition @"
 using System;
 using System.Net;
@@ -25,37 +25,37 @@ public static class SSLValidator {
 }
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()

-if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
+If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
 {
    $download = $false
-    if (-not (Test-Path "$env:temp\$title.iso"))
+    If (-not (Test-Path "$env:temp\$title.iso"))
    {
-        Write-Host "$title.iso doesn't exist yet, downloading..."
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..."
        $download = $true
    }
-    else
+    Else
    {
        $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
        If (-not ($actualHash -eq $fileHash))
        {
-            Write-Host "$title.iso exists, but has wrong hash, downloading..."
+            Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..."
            $download = $true
        }
    }
-    if ($download -eq $true)
+    If ($download -eq $true)
    {
-        Write-Host "Downloading $title..."
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
        Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
        $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
        If (-not ($actualHash -eq $fileHash))
        {
-            Write-Host "$title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
+            Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
            Remove-Item -Path "$env:temp\$title.iso" -Force
            bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso"
            $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
            If (-not ($actualHash -eq $fileHash))
            {
-                throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
+                Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
            }
        }
    }
@@ -68,41 +68,39 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
    $body = get-content "C:\vagrant\resources\microsoft_ata\microsoft-ata-config.json"

    $req = [System.Net.WebRequest]::CreateHttp("https://wef")
-    try
-    {
+    Try {
        $req.GetResponse()
    }
-    catch
-    {
+    Catch {
        # we don't care about errors here, we just want to get the cert ;)
    }
    $ThumbPrint = $req.ServicePoint.Certificate.GetCertHashString()
    $body = $body -replace "{{THUMBPRINT}}", $ThumbPrint

    Invoke-RestMethod -uri https://localhost/api/management/systemProfiles/center -body $body -Method Post -UseBasicParsing -UseDefaultCredentials -ContentType "application/json"
-
 }

 Start-Sleep -Seconds 60

-Invoke-Command -computername dc -Credential (new-object pscredential("windomain\vagrant",(ConvertTo-SecureString -AsPlainText -Force -String "vagrant"))) -ScriptBlock {
+Invoke-Command -computername dc -Credential (new-object pscredential("windomain\vagrant", (ConvertTo-SecureString -AsPlainText -Force -String "vagrant"))) -ScriptBlock {

    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Installing the ATA Lightweight gateway on DC..."

+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Adding wef.windomain.local to hosts file..."
+    Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' '        192.168.38.103    wef.windomain.local'
+
    # Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
-    if (-not("SSLValidator" -as [type])) {
+    If (-not("SSLValidator" -as [type])) {
        add-type -TypeDefinition @"
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
-
    public static class SSLValidator {
        public static bool ReturnTrue(object sender,
            X509Certificate certificate,
            X509Chain chain,
            SslPolicyErrors sslPolicyErrors) { return true; }
-
        public static RemoteCertificateValidationCallback GetDelegate() {
            return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue);
        }
@@ -111,38 +109,47 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
    }
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()

-    If (-not (Test-Path "$env:temp\gatewaysetup.zip"))
-    {
-        Write-Host "[$env:computername] ATA Gateway not yet downloaded. Downloading now..."
-        Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant")))
+    If (-not (Test-Path "$env:temp\gatewaysetup.zip")) {
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Downloading Microsoft ATA now..."
+        Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant", (convertto-securestring -AsPlainText -Force -String "vagrant")))
        Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
    }
-    else
-    {
-        Write-Host "[$env:computername] Gateway setup already downloaded. Moving On."
+    Else {
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Microsoft Gateway has already been already downloaded. Moving On."
    }
-    if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics"))
-    {
-        Write-Host "[$env:computername] ATA Gateway not yet installed. Attempting to install now..."
+    If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics")) {
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Attempting to install Microsoft ATA... "
        Set-Location "$env:temp\gatewaysetup"
-        Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
-        Write-Host "[$env:computername] ATA Gateway installation complete!"
+        Try {
+            Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
+        } Catch { 
+            Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong attempting to install the Gateway on DC. Aborting installation."
+            Exit 1
+        }
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] ATA Gateway installation complete!"
    }
-    else
-    {
-        Write-Host "[$env:computername] ATA Gateway already installed. Moving On."
+    Else {
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] The Microsoft ATA Gateway was already installed. Moving On."
+        Exit 0
    }
-    Write-Host "[$env:computername] Waiting for the ATA Gateway service to start..."
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Ensuring the ATA Gateway service exists..."
+    Try {
+        Get-Service "ATAGateway" -ErrorAction Stop
+    } Catch [Microsoft.PowerShell.Commands.ServiceCommandException] {
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Unable to find the ATAGateway service. Installation must have failed. Exiting."
+        Exit 1
+    }
+
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Waiting for the ATA Gateway service to start..."
    (Get-Service ATAGateway).WaitForStatus('Running', '00:10:00')
-    If ((Get-Service "ATAGateway").Status -ne "Running")
-    {
-        throw "ATA Gateway service failed to start on DC"
+    If ((Get-Service "ATAGateway").Status -ne "Running") {
+        Throw "ATA Gateway service failed to start on DC"
    }
    # Disable invalid web requests to endpoints with invalid SSL certs again
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
 }

-# set DC as domain synchronizer
+# Set the DC as the domain synchronizer
 $config = Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways" -UseDefaultCredentials -UseBasicParsing
 $config[0].Configuration.DirectoryServicesResolverConfiguration.UpdateDirectoryEntityChangesConfiguration.IsEnabled = $true

@@ -151,7 +158,6 @@ Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways
 # Disable invalid web requests to endpoints with invalid SSL certs again
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null

-If ((Get-Service -name "ATACenter").Status -ne "Running")
-{
-    throw "MS ATA service was not running."
+If ((Get-Service -name "ATACenter").Status -ne "Running") {
+    Throw "The Microsoft ATA service was unable to start."
 }