Merge pull request #2 from clong/master

Update from original repo
2020-08-18 09:51:33 +02:00
parent 8d713746f3 4ed4d9ed4a
commit cefd90068b
10 changed files with 34 additions and 20 deletions
--- a/AWS/Terraform/locals.tf
+++ b/AWS/Terraform/locals.tf
@@ -3,5 +3,5 @@ locals {
  splunk_url       = "https://${aws_instance.logger.public_ip}:8000"
  ata_url          = "https://${aws_instance.wef.public_ip}"
  guacamole_url    = "http://${aws_instance.logger.public_ip}:8080/guacamole"
-  velociraptor_url = "http://${aws_instance.logger.public_ip}:9999"
+  velociraptor_url = "https://${aws_instance.logger.public_ip}:9999"
 }
--- a/Azure/README.md
+++ b/Azure/README.md
@@ -1,7 +1,5 @@
 # Building DetectionLab on Azure
 NOTE: This is an early release and it's possible that certain features may not work perfectly for everyone yet
 ## Prereqs (~30-60 minutes)
 0. Have an active [Azure account](https://azure.microsoft.com/en-us/free/). If you don't have one yet, they give you $200 worth of credit to use within the first 30 days!
 1. [Install Terraform](https://www.terraform.io/downloads.html) and move it to a directory included in your system's PATH.
--- a/README.md
+++ b/README.md
@@ -34,7 +34,8 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
 * osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration)
 * Sysmon is installed and configured using [Olaf Hartong's open-sourced Sysmon configuration](https://github.com/olafhartong/sysmon-modular)
 * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
-* SMBv1 Auditing is enabled
+* Zeek and Suricata are pre-configured to monitor and alert on network traffic
 * Apache Guacamole is installed to easily access all hosts from your local browser
 ## Requirements for VMware or Virtualbox
 * 55GB+ of free disk space
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -519,7 +519,7 @@ postinstall_tasks() {
  echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
  echo "export SPLUNK_HOME=/opt/splunk" >>~/.bashrc
  # Ping DetectionLab server for usage statistics
-  curl -s -A "DetectionLab-logger" "https://detectionlab.network/logger"
+  curl -s -A "DetectionLab-logger" "https:/ping.detectionlab.network/logger"
 }
 main() {
--- a/Vagrant/resources/splunk_forwarder/wef_inputs.conf
+++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
@@ -59,6 +59,8 @@ disabled = 0
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
 blacklist = Message="(?:Process Name:).+(?:C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe)"
 blacklist1 = Message="(?:Process Name:).+(?:C:\\Program Files\\SplunkUniversalForwarder\\bin\\)"
 [WinEventLog://WEC-Code-Integrity]
 sourcetype = WinEventLog:Security
@@ -87,6 +89,16 @@ start_from = oldest
 current_only = 0
 checkpointInterval = 5
 [WinEventLog://WEC2-Object-Manipulation]
 sourcetype = WinEventLog:Security
 source = WinEventLog:Object-Handle
 index=wineventlog
 disabled = 0
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
 blacklist = Message="(?:Process Name:).+(?:osqueryd.exe)"
 [WinEventLog://WEC2-Task-Scheduler]
 sourcetype = WinEventLog:Task-Scheduler
 source = WinEventLog:Task-Scheduler
@@ -140,7 +152,6 @@ disabled = 0
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
 blacklist1 = EventCode="4798" Message=".+Process Name:.+\\osqueryd\\osqueryd.exe"
 [WinEventLog://WEC3-Windows-Diagnostics]
 sourcetype = WinEventLog:System
@@ -412,15 +423,6 @@ start_from = oldest
 current_only = 0
 checkpointInterval = 5
 [WinEventLog://WEC2-Object-Manipulation]
 sourcetype = WinEventLog:Security
 source = WinEventLog:Object-Handle
 index=wineventlog
 disabled = 0
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
 [monitor://c:\pslogs]
 index = powershell
 sourcetype = powershell_transcript
--- a/Vagrant/resources/splunk_server/props.conf
+++ b/Vagrant/resources/splunk_server/props.conf
@@ -1,5 +1,8 @@
 [source::WinEventLog:*]
 TRANSFORMS-host = wef_computername_as_host
 TRANSFORMS-removedescription1 = removeEventDesc1
 TRANSFORMS-removedescription2 = removeEventDesc2
 TRANSFORMS-null = autoruns_wineventlog_null
 [powershell_transcript]
 TRANSFORMS-powershell_rename_host = powershell_rename_host
@@ -23,5 +26,3 @@ TRUNCATE = 0
 [osquery:status]
 TRANSFORMS-null = osquery_status_filter
 [WinEventLog]
 TRANSFORMS-null = autoruns_wineventlog_null
--- a/Vagrant/resources/splunk_server/transforms.conf
+++ b/Vagrant/resources/splunk_server/transforms.conf
@@ -20,6 +20,18 @@ DEST_KEY = queue
 FORMAT = nullQueue
 [autoruns_wineventlog_null]
-REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
+REGEX = "C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
 DEST_KEY = queue
 FORMAT = nullQueue
 [removeEventDesc1]
 LOOKAHEAD = 20000
 REGEX = (?msi)(.*)This event is generated
 DEST_KEY = _raw
 FORMAT = $1
 [removeEventDesc2]
 LOOKAHEAD = 20000
 REGEX = (?msi)(.*)The subject fields indicate
 DEST_KEY = _raw
 FORMAT = $1
--- a/Vagrant/scripts/provision.ps1
+++ b/Vagrant/scripts/provision.ps1
@@ -11,7 +11,7 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking if Windows evaluation is exp
 . c:\vagrant\scripts\fix-windows-expiration.ps1
 # Ping DetectionLab server for usage statistics
-curl -userAgent "DetectionLab-$box" "https://detectionlab.network/$box" -UseBasicParsing | out-null
+curl -userAgent "DetectionLab-$box" "https://ping.detectionlab.network/$box" -UseBasicParsing | out-null
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling IPv6 on all network adatpers..."
 Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6}
--- a/img/Overview.png
+++ b/img/Overview.png
--- a/img/overview.jpeg
+++ b/img/overview.jpeg