Adding ATA to Packer image, adding evtx-attack-samples
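--- /dev/null
+++ b/Vagrant/scripts/install-evtx-attack-samples.ps1
@@ -0,0 +1,70 @@
+# Purpose: Downloads and indexes the EVTX samples from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/ into Splunk
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Indexing EVTX Attack Samples into Splunk..."
+
+# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
+$ProgressPreference = 'SilentlyContinue'
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+$inputsConf = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
+
+# Download and unzip a copy of EVTX Attack Samples
+$evtxAttackDownloadUrl = "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/archive/master.zip"
+$evtxAttackRepoPath = "C:\Users\vagrant\AppData\Local\Temp\evtxattack.zip"
+If (-not (Test-Path "C:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master")) {
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading EVTX Attack Samples"
+Invoke-WebRequest -Uri "$evtxAttackDownloadUrl" -OutFile "$evtxAttackRepoPath"
+Expand-Archive -path "$evtxAttackRepoPath" -destinationpath 'c:\Tools\EVTX-ATTACK-SAMPLES' -Force
+# Add stanzas to Splunk inputs.conf to index the evtx files
+# Huge thanks to https://www.cloud-response.com/2019/07/importing-windows-event-log-files-into.html for showing how to do this!
+If (!(Select-String -Path $inputsConf -Pattern "evtx_attack_sample")) {
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk inputs.conf has not yet been modified. Adding stanzas for these evtx files now..."
+Add-Content -Path "$inputsConf" -Value '
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\AutomatedTestingTools\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Command and Control\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Credential Access\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Defense Evasion\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Discovery\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Execution\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Lateral Movement\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Other\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Persistence\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Privilege Escalation\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt'
+# Restart the forwarder to pick up changes
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Restarting the Splunk Forwarder..."
+Restart-Service SplunkForwarder
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk to query these samples."
+}
+} Else {
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) EVTX attack samples were already installed. Moving On."
+}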
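Review bot: The final status message names an index that does not exist: the stanzas written to inputs.conf set `index = evtx_attack_samples`, while the closing Write-Host tells the user to search `index=EVTX-ATTACK-SAMPLES`, so the hint will return nothing; change it to `Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=evtx_attack_samples' in Splunk to query these samples."`. Separately, the master.zip archive is downloaded and expanded with no integrity check, in contrast to the ATA installer in this same commit which verifies a SHA256 hash before use; since the contents are then fed straight into the forwarder's monitored inputs, pinning the URL to a fixed commit or release archive and comparing `Get-FileHash` against a recorded value would make the provisioning reproducible and detect a tampered or changed download. The `Invoke-WebRequest` call should also be wrapped in `try`/`catch` (or followed by a `Test-Path` on `$evtxAttackRepoPath`) so a failed download produces a clear error rather than letting `Expand-Archive` fail on a missing file.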
@@ -28,14 +28,14 @@ public static class SSLValidator {
|
||||
If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
|
||||
{
|
||||
$download = $false
|
||||
If (-not (Test-Path "$env:temp\$title.iso"))
|
||||
If (-not (Test-Path "c:\$title.iso"))
|
||||
{
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..."
|
||||
$download = $true
|
||||
}
|
||||
Else
|
||||
{
|
||||
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
|
||||
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
|
||||
If (-not ($actualHash -eq $fileHash))
|
||||
{
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..."
|
||||
@@ -47,21 +47,21 @@ If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
|
||||
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
|
||||
$ProgressPreference = 'SilentlyContinue'
|
||||
Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
|
||||
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
|
||||
Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
|
||||
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
|
||||
If (-not ($actualHash -eq $fileHash))
|
||||
{
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
|
||||
Remove-Item -Path "$env:temp\$title.iso" -Force
|
||||
bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso"
|
||||
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
|
||||
Remove-Item -Path "c:\$title.iso" -Force
|
||||
bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
|
||||
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
|
||||
If (-not ($actualHash -eq $fileHash))
|
||||
{
|
||||
Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
|
||||
}
|
||||
}
|
||||
}
|
||||
$Mount = Mount-DiskImage -ImagePath "$env:temp\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
|
||||
$Mount = Mount-DiskImage -ImagePath "c:\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
|
||||
$Volume = $Mount | Get-Volume
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing $title"
|
||||
$Install = Start-Process -Wait -FilePath ($Volume.DriveLetter + ":\Microsoft ATA Center Setup.exe") -ArgumentList "/q --LicenseAccepted NetFrameworkCommandLineArguments=`"/q`" --EnableMicrosoftUpdate" -PassThru
|
||||
|
||||
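Review bot: The ISO path `"c:\$title.iso"` is now spelled out in nine places across this hunk and the preceding one (Test-Path, Get-FileHash, Invoke-WebRequest, Remove-Item, bitsadmin, Mount-DiskImage), which is how the %TEMP%-to-C:\ move had to touch every line; hoisting it once into a variable such as `$isoPath = "c:\$title.iso"` near the top of the enclosing `If` (which begins before the hunk) would make the next relocation a one-line change. The move out of %TEMP% also deserves a why-comment, since a reader will wonder why an installer leaves an ISO at the root of the system drive; presumably it is so the cached copy survives and can be re-validated by the hash check on later runs, e.g. `# Keep the ISO at c:\ rather than %TEMP% so a cached copy can be hash-checked and reused on re-provisioning`. In the retry branch, `bitsadmin` is a deprecated tool; the supported equivalent in the BitsTransfer module is `Start-BitsTransfer -Source $downloadUrl -Destination "c:\$title.iso"`, which also surfaces transfer errors as PowerShell errors instead of console text.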
@@ -3,7 +3,7 @@
|
||||
If (-not (Test-Path "C:\ProgramData\chocolatey")) {
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey"
|
||||
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
|
||||
Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
|
||||
} else {
|
||||
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Chocolatey is already installed."
|
||||
}
|
||||
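Review bot: Spelling out `iex` as `Invoke-Expression` does not change what the new line does: it still fetches `install.ps1` with `net.webclient` and executes whatever comes back, with no check on the script beyond the TLS 1.2 transport set two lines above. For a provisioning script baked into an image, downloading to a file first and verifying it (`Get-AuthenticodeSignature` on the saved file, or a `Get-FileHash` comparison against a recorded value, as the ATA installer in this commit already does for its ISO) before running it would turn a silently changed upstream script into a visible failure. If the inline form is kept deliberately, a comment saying so, e.g. `# Executes the upstream installer unverified; acceptable only for throwaway lab images`, would tell the next reader the trade-off was considered.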
|
||||