From ff3e595235e087fb13c7eac316e975d6bdd42b32 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Tue, 29 Sep 2020 17:36:32 -0700
Subject: [PATCH] Adding ATA to Packer image, adding evtx-attack-samples
---
Packer/scripts/download-microsoft-ata.ps1 | 44 ++++++++++++
Packer/scripts/vm-guest-tools.ps1 | 11 ++-
Packer/windows_2016.json | 3 +-
Vagrant/Vagrantfile | 3 +-
.../scripts/install-evtx-attack-samples.ps1 | 70 +++++++++++++++++++
Vagrant/scripts/install-microsoft-ata.ps1 | 16 ++---
Vagrant/scripts/install-utilities.ps1 | 2 +-
ci/manual_machine_bootstrap.sh | 4 +-
ci/manual_machine_bootstrap_vmware.sh | 23 ++++--
9 files changed, 155 insertions(+), 21 deletions(-)
create mode 100644 Packer/scripts/download-microsoft-ata.ps1
create mode 100644 Vagrant/scripts/install-evtx-attack-samples.ps1
diff --git a/Packer/scripts/download-microsoft-ata.ps1 b/Packer/scripts/download-microsoft-ata.ps1
new file mode 100644
index 0000000..af6e0fb
--- /dev/null
+++ b/Packer/scripts/download-microsoft-ata.ps1
@@ -0,0 +1,44 @@
+# Purpose: Downloads, installs and configures Microsft ATA 1.9
+$title = "Microsoft ATA 1.9"
+$downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso"
+$fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash
+
+# Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
+If (-not("SSLValidator" -as [type])) {
+ add-type -TypeDefinition @"
+using System;
+using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+public static class SSLValidator {
+ public static bool ReturnTrue(object sender,
+ X509Certificate certificate,
+ X509Chain chain,
+ SslPolicyErrors sslPolicyErrors) { return true; }
+
+ public static RemoteCertificateValidationCallback GetDelegate() {
+ return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue);
+ }
+}
+"@
+}
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
+
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
+# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
+$ProgressPreference = 'SilentlyContinue'
+Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
+$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
+If (-not ($actualHash -eq $fileHash)) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
+ Remove-Item -Path "c:\$title.iso" -Force
+ bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
+ If (-not ($actualHash -eq $fileHash)) {
+ Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
+ }
+}
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Microsoft ATA sucessfully downloaded to c:\$title.iso !"
\ No newline at end of file
diff --git a/Packer/scripts/vm-guest-tools.ps1 b/Packer/scripts/vm-guest-tools.ps1
index 7148696..9771cd1 100644
--- a/Packer/scripts/vm-guest-tools.ps1
+++ b/Packer/scripts/vm-guest-tools.ps1
@@ -38,7 +38,16 @@ if ("$env:PACKER_BUILDER_TYPE" -eq "vmware-iso") {
 }
 cmd /c "C:\PROGRA~1\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare
- cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
+ cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v "/qn REBOOT=R"
+ $software = "VMware Tools";
+ $installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where { $_.DisplayName -eq $software }) -ne $null
+
+ If (-Not $installed) {
+ Write-Host "'$software' did not install successfully. Quitting.";
+ exit 1
+ } Else {
+ Write-Host "'$software' was installed successfully."
+ }
 Remove-Item -Force "C:\Windows\Temp\vmware-tools.tar"
 Remove-Item -Force "C:\Windows\Temp\windows.iso"
diff --git a/Packer/windows_2016.json b/Packer/windows_2016.json
index d549ddb..83a7716 100644
--- a/Packer/windows_2016.json
+++ b/Packer/windows_2016.json
@@ -143,7 +143,8 @@
 "type": "powershell",
 "scripts": [
 "./scripts/vm-guest-tools.ps1",
- "./scripts/debloat-windows.ps1"
+ "./scripts/debloat-windows.ps1",
+ "./scripts/download-microsoft-ata.ps1"
 ]
 },
 {
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 3601edb..74c12e2 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
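Review bot: The SSLValidator type and the `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()` line disable certificate validation for the whole process, yet the only request this script makes goes to a plain-http `$downloadUrl`, so the callback adds nothing here and only weakens any later HTTPS call made in the same session. The SHA256 comparison against `$fileHash` is what actually authenticates the ISO, so the Add-Type block and the assignment can be removed, or if they are kept for a reason that reason should be commented and the previous callback restored after the download. If the first Invoke-WebRequest itself throws (HTTP error, name resolution) the script terminates before the bitsadmin retry is reached, so the fallback only covers a corrupted download and not a failed one; a `try { Invoke-WebRequest ... } catch { ... }` around it would let the retry path run. Minor: `Microsft` in the header comment and `sucessfully` in the final message.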
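Review bot: In `$installed = (Get-ItemProperty ... | Where { $_.DisplayName -eq $software }) -ne $null` the pipeline result sits on the left of `-ne`, so when it is a collection PowerShell filters it instead of comparing it; this happens to work (an empty array is falsy) but the unambiguous form is `$installed = $null -ne (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -eq $software })`. The lookup also reads only the native Uninstall hive; a package registered under Wow6432Node would be reported as a failed install, which I cannot tell from the hunk is possible for VMware Tools, so a one-line comment on why that hive is sufficient would settle it. The enclosing `if ("$env:PACKER_BUILDER_TYPE" -eq "vmware-iso")` block begins before the hunk.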
@@ -136,6 +136,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-evtx-attack-samples.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -170,7 +171,7 @@ Vagrant.configure("2") do |config|
 lv.graphics_type = "spice"
 lv.video_type = "qxl"
 lv.input :type => "tablet", :bus => "usb"
- override.vm.box = "../Boxes/windows_2016_libvirt.box"
+ override.vm.box = "../Boxes/windows_2016_libvirt.box"
 lv.video_vram = 32768
 lv.memory = 2048
 lv.cpus = 2
diff --git a/Vagrant/scripts/install-evtx-attack-samples.ps1 b/Vagrant/scripts/install-evtx-attack-samples.ps1
new file mode 100644
index 0000000..1045be5
--- /dev/null
+++ b/Vagrant/scripts/install-evtx-attack-samples.ps1
@@ -0,0 +1,70 @@
+# Purpose: Downloads and indexes the EVTX samples from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/ into Splunk
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Indexing EVTX Attack Samples into Splunk..."
+
+# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
+$ProgressPreference = 'SilentlyContinue'
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+$inputsConf = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
+
+# Download and unzip a copy of EVTX Attack Samples
+$evtxAttackDownloadUrl = "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/archive/master.zip"
+$evtxAttackRepoPath = "C:\Users\vagrant\AppData\Local\Temp\evtxattack.zip"
+If (-not (Test-Path "C:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master")) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading EVTX Attack Samples"
+ Invoke-WebRequest -Uri "$evtxAttackDownloadUrl" -OutFile "$evtxAttackRepoPath"
+ Expand-Archive -path "$evtxAttackRepoPath" -destinationpath 'c:\Tools\EVTX-ATTACK-SAMPLES' -Force
+ # Add stanzas to Splunk inputs.conf to index the evtx files
+ # Huge thanks to https://www.cloud-response.com/2019/07/importing-windows-event-log-files-into.html for showing how to do this!
+ If (!(Select-String -Path $inputsConf -Pattern "evtx_attack_sample")) {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk inputs.conf has not yet been modified. Adding stanzas for these evtx files now..."
+ Add-Content -Path "$inputsConf" -Value '
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\AutomatedTestingTools\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Command and Control\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Credential Access\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Defense Evasion\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Discovery\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Execution\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Lateral Movement\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Other\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Persistence\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Privilege Escalation\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt'
+ # Restart the forwarder to pick up changes
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Restarting the Splunk Forwarder..."
+ Restart-Service SplunkForwarder
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk to query these samples."
+ }
+} Else {
+ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) EVTX attack samples were already installed. Moving On."
+}
\ No newline at end of file
diff --git a/Vagrant/scripts/install-microsoft-ata.ps1 b/Vagrant/scripts/install-microsoft-ata.ps1
index 6d64cdb..8af36db 100644
--- a/Vagrant/scripts/install-microsoft-ata.ps1
+++ b/Vagrant/scripts/install-microsoft-ata.ps1
@@ -28,14 +28,14 @@ public static class SSLValidator {
 If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
 {
 $download = $false
- If (-not (Test-Path "$env:temp\$title.iso"))
+ If (-not (Test-Path "c:\$title.iso"))
 {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..."
 $download = $true
 }
 Else
 {
- $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
 If (-not ($actualHash -eq $fileHash))
 {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..."
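Review bot: The closing Write-Host tells the user to look in `index=EVTX-ATTACK-SAMPLES`, but every stanza appended to inputs.conf sets `index = evtx_attack_samples`, so the hint should read `'index=evtx_attack_samples'` to match what was actually configured. Nothing in this commit defines that index or the `preprocess-winevt` sourcetype on the Splunk side; unless they are provisioned elsewhere the forwarded events will not land anywhere useful, and a comment naming where they are created would make the dependency visible. Unlike download-microsoft-ata.ps1 in this same commit, master.zip is fetched with no integrity check and its content changes with every upstream push, so pinning to a tag or commit archive and verifying a SHA256 the same way would make the lab reproducible. `$evtxAttackRepoPath` also hard-codes `C:\Users\vagrant\AppData\Local\Temp`; `Join-Path $env:TEMP 'evtxattack.zip'` avoids depending on the provisioning user's name.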
@@ -47,21 +47,21 @@ If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
 # Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
 $ProgressPreference = 'SilentlyContinue'
- Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
- $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+ Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
 If (-not ($actualHash -eq $fileHash))
 {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
- Remove-Item -Path "$env:temp\$title.iso" -Force
- bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso"
- $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+ Remove-Item -Path "c:\$title.iso" -Force
+ bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
+ $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
 If (-not ($actualHash -eq $fileHash))
 {
 Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
 }
 }
 }
- $Mount = Mount-DiskImage -ImagePath "$env:temp\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
+ $Mount = Mount-DiskImage -ImagePath "c:\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
 $Volume = $Mount | Get-Volume
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing $title"
 $Install = Start-Process -Wait -FilePath ($Volume.DriveLetter + ":\Microsoft ATA Center Setup.exe") -ArgumentList "/q --LicenseAccepted NetFrameworkCommandLineArguments=`"/q`" --EnableMicrosoftUpdate" -PassThru
diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1
index 5859699..c3b20e9 100755
--- a/Vagrant/scripts/install-utilities.ps1
+++ b/Vagrant/scripts/install-utilities.ps1
@@ -3,7 +3,7 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) {
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey"
- iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
+ Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
 } else {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Chocolatey is already installed."
 }
diff --git a/ci/manual_machine_bootstrap.sh b/ci/manual_machine_bootstrap.sh
index 63683d9..b61c2dd 100644
--- a/ci/manual_machine_bootstrap.sh
+++ b/ci/manual_machine_bootstrap.sh
@@ -40,8 +40,8 @@ sed -i 's/vb.gui = true/vb.gui = false/g' Vagrantfile
 # Install Packer
 mkdir /opt/packer
 cd /opt/packer || exit 1
-wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip
-unzip packer_1.6.0_linux_amd64.zip
+wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip
+unzip packer_1.6.3_linux_amd64.zip
 cp packer /usr/local/bin/packer
 # Make the Packer images headless
diff --git a/ci/manual_machine_bootstrap_vmware.sh b/ci/manual_machine_bootstrap_vmware.sh
index 5001b13..c50aeae 100644
--- a/ci/manual_machine_bootstrap_vmware.sh
+++ b/ci/manual_machine_bootstrap_vmware.sh
@@ -14,9 +14,9 @@ apt-get install -y linux-headers-"$(uname -r)" build-essential unzip git ufw apa
 pip install awscli --upgrade --user
 cp /root/.local/bin/aws /usr/local/bin/aws && chmod +x /usr/local/bin/aws
-wget -O VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle"
-chmod +x VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle
-sudo sh VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER
+wget -O VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle"
+chmod +x VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle
+sudo sh VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER
 # Set up firewall
 ufw allow ssh
@@ -37,8 +37,8 @@ vagrant plugin install vagrant-reload
 vagrant plugin install vagrant-vmware-desktop
 echo $LICENSEFILE | base64 -d > /tmp/license.lic
 vagrant plugin license vagrant-vmware-desktop /tmp/license.lic
-wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.11/vagrant-vmware-utility_1.0.11_x86_64.deb"
-dpkg -i vagrant-vmware-utility_1.0.11_x86_64.deb
+wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.12/vagrant-vmware-utility_1.0.12_x86_64.deb"
+dpkg -i vagrant-vmware-utility_1.0.12_x86_64.deb
 # Make the Vagrant instances headless
 cd /opt/DetectionLab/Vagrant || exit 1
@@ -47,8 +47,8 @@ sed -i 's/v.gui = true/v.gui = false/g' Vagrantfile
 # Install Packer
 mkdir /opt/packer
 cd /opt/packer || exit 1
-wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip
-unzip packer_1.6.0_linux_amd64.zip
+wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip
+unzip packer_1.6.3_linux_amd64.zip
 cp packer /usr/local/bin/packer
 # Make the Packer images headless
@@ -56,3 +56,12 @@ cd /opt/DetectionLab/Packer || exit 1
 for file in *.json; do
 sed -i 's/"headless": false,/"headless": true,/g' "$file";
 done
+
+echo '# This file is automatically generated.
+# Hand-editing this file is not recommended.
+network0.name = "Bridged"
+network0.device = "vmnet0"
+network1.name = "HostOnly"
+network1.device = "vmnet1"
+network2.name = "NAT"
+network2.device = "vmnet8"' > /etc/vmware/netmap.conf
\ No newline at end of file
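Review bot: The netmap.conf block at the end of the second hunk writes the file with a multi-line `echo '...' >`; a quoted heredoc (`cat > /etc/vmware/netmap.conf <<'EOF'` ... `EOF`) is the idiomatic bash form, keeps the body literal without leaning on echo's argument handling, and reads as file content rather than a command argument. The redirection assumes /etc/vmware already exists (presumably created by the VMware Workstation bundle installed earlier in this script) and silently replaces whatever that installer generated; a guard in the style the rest of the file already uses, e.g. `[ -d /etc/vmware ] || exit 1` before the write, would keep a failure explicit instead of leaving a half-configured host. A one-line comment on why the installer-generated file is overwritten, such as `# Pin vmnet0/vmnet1/vmnet8 to Bridged/HostOnly/NAT so the Vagrant VMware boxes find the networks they expect`, would help the next maintainer; I am inferring that purpose from the content, not from anything stated in the diff.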