diff --git a/AWS/Terraform/locals.tf b/AWS/Terraform/locals.tf index cf7c63a..9c1a072 100644 --- a/AWS/Terraform/locals.tf +++ b/AWS/Terraform/locals.tf @@ -3,5 +3,5 @@ locals { splunk_url = "https://${aws_instance.logger.public_ip}:8000" ata_url = "https://${aws_instance.wef.public_ip}" guacamole_url = "http://${aws_instance.logger.public_ip}:8080/guacamole" - velociraptor_url = "http://${aws_instance.logger.public_ip}:9999" + velociraptor_url = "https://${aws_instance.logger.public_ip}:9999" } diff --git a/Azure/README.md b/Azure/README.md index 5e33e91..e0a6a3b 100644 --- a/Azure/README.md +++ b/Azure/README.md @@ -1,7 +1,5 @@ # Building DetectionLab on Azure -NOTE: This is an early release and it's possible that certain features may not work perfectly for everyone yet - ## Prereqs (~30-60 minutes) 0. Have an active [Azure account](https://azure.microsoft.com/en-us/free/). If you don't have one yet, they give you $200 worth of credit to use within the first 30 days! 1. [Install Terraform](https://www.terraform.io/downloads.html) and move it to a directory included in your system's PATH. diff --git a/README.md b/README.md index 5a1fc87..5edccf0 100644 --- a/README.md +++ b/README.md 
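Review bot: With `velociraptor_url` moved to HTTPS, `guacamole_url` is the one entry in this `locals` block still served over plaintext `http://` to the instance's public IP, so the Guacamole login and every RDP/SSH credential typed into it cross the internet unencrypted. Either terminate TLS for Guacamole the same way the other services do, or state in the README that port 8080 on the logger host must be restricted to trusted source addresses. The Velociraptor certificate on 9999 is presumably self-signed (nothing in the hunk shows otherwise), in which case the expected browser warning should be mentioned next to this URL, e.g. `# Velociraptor serves a self-signed cert; expect a browser warning`.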
@@ -34,7 +34,8 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr * osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration) * Sysmon is installed and configured using [Olaf Hartong's open-sourced Sysmon configuration](https://github.com/olafhartong/sysmon-modular) * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog) -* SMBv1 Auditing is enabled +* Zeek and Suricata are pre-configured to monitor and alert on network traffic +* Apache Guacamole is installed to easily access all hosts from your local browser ## Requirements for VMware or Virtualbox * 55GB+ of free disk space @@ -137,4 +138,4 @@ I would like to extend thanks to the following sponsors for funding DetectionLab * [elreydetoda](https://github.com/elreydetoda) * [kafkaesqu3](https://github.com/kafkaesqu3) * [anthonysecurity](https://github.com/anthonysecurity) -* +2 private sponsors \ No newline at end of file +* +2 private sponsors diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 1039269..1535ecc 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -519,7 +519,7 @@ postinstall_tasks() { echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc echo "export SPLUNK_HOME=/opt/splunk" >>~/.bashrc # Ping DetectionLab server for usage statistics - curl -s -A "DetectionLab-logger" "https://detectionlab.network/logger" + curl -s -A "DetectionLab-logger" "https:/ping.detectionlab.network/logger" } main() { diff --git a/Vagrant/resources/splunk_forwarder/wef_inputs.conf b/Vagrant/resources/splunk_forwarder/wef_inputs.conf index 0b6c195..81557de 100755 --- a/Vagrant/resources/splunk_forwarder/wef_inputs.conf 
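Review bot: The new telemetry URL in `postinstall_tasks` is missing a slash after the scheme (`https:/ping.detectionlab.network/logger`), whereas the PowerShell counterpart in this same commit uses `https://ping.detectionlab.network/$box`. curl tends to tolerate an odd slash count, but relying on that is fragile, and with `-s` a parse or connection failure here is invisible. The call is also unbounded, so an isolated lab sits on the default connect timeout before provisioning continues; `curl -s --max-time 10 -A "DetectionLab-logger" "https://ping.detectionlab.network/logger" || true` keeps the ping best-effort and explicit about it. `postinstall_tasks` begins outside the hunk and `main` starts after it.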
+++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf @@ -59,6 +59,8 @@ disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 +blacklist = Message="(?:Process Name:).+(?:C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe)" +blacklist1 = Message="(?:Process Name:).+(?:C:\\Program Files\\SplunkUniversalForwarder\\bin\\)" [WinEventLog://WEC-Code-Integrity] sourcetype = WinEventLog:Security @@ -87,6 +89,16 @@ start_from = oldest current_only = 0 checkpointInterval = 5 +[WinEventLog://WEC2-Object-Manipulation] +sourcetype = WinEventLog:Security +source = WinEventLog:Object-Handle +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 +blacklist = Message="(?:Process Name:).+(?:osqueryd.exe)" + [WinEventLog://WEC2-Task-Scheduler] sourcetype = WinEventLog:Task-Scheduler source = WinEventLog:Task-Scheduler @@ -140,7 +152,6 @@ disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 -blacklist1 = EventCode="4798" Message=".+Process Name:.+\\osqueryd\\osqueryd.exe" [WinEventLog://WEC3-Windows-Diagnostics] sourcetype = WinEventLog:System @@ -412,15 +423,6 @@ start_from = oldest current_only = 0 checkpointInterval = 5 -[WinEventLog://WEC2-Object-Manipulation] -sourcetype = WinEventLog:Security -source = WinEventLog:Object-Handle -index=wineventlog -disabled = 0 -start_from = oldest -current_only = 0 -checkpointInterval = 5 - [monitor://c:\pslogs] index = powershell sourcetype = powershell_transcript diff --git a/Vagrant/resources/splunk_server/props.conf b/Vagrant/resources/splunk_server/props.conf index d4bd90d..e0b130c 100644 --- a/Vagrant/resources/splunk_server/props.conf +++ b/Vagrant/resources/splunk_server/props.conf 
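Review bot: The `blacklist` added to the relocated `[WinEventLog://WEC2-Object-Manipulation]` stanza matches `osqueryd.exe` at any path, while the first hunk anchors its equivalent filter on `C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe`. A forwarder blacklist drops events before they leave the host, so any binary an attacker names osqueryd.exe, in a user-writable directory say, has its object-handle audit events silently discarded from the lab. Anchor on the install path here too: `blacklist = Message="(?:Process Name:).+(?:C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe)"`. A comment above the line, `# Drop handle-audit noise from the lab's own osqueryd; path-anchored so a renamed binary elsewhere is still collected`, would record why the path matters.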
@@ -1,5 +1,8 @@ [source::WinEventLog:*] TRANSFORMS-host = wef_computername_as_host +TRANSFORMS-removedescription1 = removeEventDesc1 +TRANSFORMS-removedescription2 = removeEventDesc2 +TRANSFORMS-null = autoruns_wineventlog_null [powershell_transcript] TRANSFORMS-powershell_rename_host = powershell_rename_host @@ -23,5 +26,3 @@ TRUNCATE = 0 [osquery:status] TRANSFORMS-null = osquery_status_filter -[WinEventLog] -TRANSFORMS-null = autoruns_wineventlog_null diff --git a/Vagrant/resources/splunk_server/transforms.conf b/Vagrant/resources/splunk_server/transforms.conf index 0f9b468..db76ad0 100644 --- a/Vagrant/resources/splunk_server/transforms.conf +++ b/Vagrant/resources/splunk_server/transforms.conf @@ -20,6 +20,18 @@ DEST_KEY = queue FORMAT = nullQueue [autoruns_wineventlog_null] -REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1" +REGEX = "C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1" DEST_KEY = queue FORMAT = nullQueue + +[removeEventDesc1] +LOOKAHEAD = 20000 +REGEX = (?msi)(.*)This event is generated +DEST_KEY = _raw +FORMAT = $1 + +[removeEventDesc2] +LOOKAHEAD = 20000 +REGEX = (?msi)(.*)The subject fields indicate +DEST_KEY = _raw +FORMAT = $1 diff --git a/Vagrant/scripts/provision.ps1 b/Vagrant/scripts/provision.ps1 index db8a277..e70c2da 100644 --- a/Vagrant/scripts/provision.ps1 +++ b/Vagrant/scripts/provision.ps1 
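Review bot: The three transforms added to `[source::WinEventLog:*]` are undocumented, and two of them rewrite `_raw` at index time, which is irreversible: once an event is indexed, the explanatory text that followed its fields is gone and any search or lookup that keyed on that text will no longer match. Moving `autoruns_wineventlog_null` out of `[WinEventLog]` also widens it from one sourcetype to every WinEventLog source, presumably because the old stanza never matched the `WinEventLog:*` sourcetypes the forwarder emits; that should be said. A comment above the stanza such as `# removeEventDesc1/2 strip Windows' trailing explanatory text from _raw at index time (irreversible); autoruns_wineventlog_null drops the lab's own AutorunsToWinEventLog events` covers both points.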
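Review bot: The loosened `autoruns_wineventlog_null` regex now matches the AutorunsToWinEventLog.ps1 path anywhere in `_raw` with no field label in front of it, and because it feeds `nullQueue` for every WinEventLog source that is a log-suppression primitive: a Security or PowerShell event whose command line or script block merely contains `C:\Program Files\AutorunsToWinEventLog\AutorunsToWinEventLog.ps1` (a comment in an attacker's one-liner suffices) is discarded at index time. The previous pattern required `Script\sName\s=`; presumably it was dropped because that label does not precede the path in the events actually seen, so anchor on whichever label does rather than removing the anchor, e.g. `REGEX = "(?:Script Name|Path)\s*=\s*C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"` with the label list confirmed against real events. The two `removeEventDesc` transforms are bounded by `LOOKAHEAD = 20000`, so events longer than that keep their description and the stripping is not uniform; worth a comment if that is acceptable.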
@@ -11,7 +11,7 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking if Windows evaluation is exp . c:\vagrant\scripts\fix-windows-expiration.ps1 # Ping DetectionLab server for usage statistics -curl -userAgent "DetectionLab-$box" "https://detectionlab.network/$box" -UseBasicParsing | out-null +curl -userAgent "DetectionLab-$box" "https://ping.detectionlab.network/$box" -UseBasicParsing | out-null Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling IPv6 on all network adatpers..." Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6} diff --git a/img/Overview.png b/img/Overview.png new file mode 100644 index 0000000..a3f3514 Binary files /dev/null and b/img/Overview.png differ diff --git a/img/overview.jpeg b/img/overview.jpeg deleted file mode 100644 index c1c0a6f..0000000 Binary files a/img/overview.jpeg and /dev/null differ
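Review bot: `curl` on this line only works because Windows PowerShell aliases it to Invoke-WebRequest; under PowerShell 7 `curl` is curl.exe, which rejects `-userAgent` and `-UseBasicParsing`, so the cmdlet should be spelled out. The call also carries no error action or timeout, so if the script runs with `$ErrorActionPreference = 'Stop'` (set outside the hunk, if at all) an offline or egress-filtered lab would abort provisioning on a usage-statistics ping. `Invoke-WebRequest -UserAgent "DetectionLab-$box" -Uri "https://ping.detectionlab.network/$box" -UseBasicParsing -TimeoutSec 10 -ErrorAction SilentlyContinue | Out-Null` keeps it best-effort under either host.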