Adding ATA to Packer image, adding evtx-attack-samples

This commit is contained in:
Chris Long
2020-09-29 17:36:32 -07:00
parent aa51e77663
commit ff3e595235
9 changed files with 155 additions and 21 deletions


@@ -0,0 +1,44 @@
# Purpose: Downloads, installs and configures Microsft ATA 1.9
$title = "Microsoft ATA 1.9"
$downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso"
$fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash
# Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
If (-not("SSLValidator" -as [type])) {
add-type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class SSLValidator {
public static bool ReturnTrue(object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors) { return true; }
public static RemoteCertificateValidationCallback GetDelegate() {
return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue);
}
}
"@
}
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
If (-not ($actualHash -eq $fileHash)) {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
Remove-Item -Path "c:\$title.iso" -Force
bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
If (-not ($actualHash -eq $fileHash)) {
Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
}
}
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Microsoft ATA sucessfully downloaded to c:\$title.iso !"
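Review bot: The `add-type` block that defines `SSLValidator` and the `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()` line disable TLS certificate validation for the entire PowerShell process, yet nothing in this script appears to need it: `$downloadUrl` is plain http and the SHA-256 comparison against `$fileHash` is what protects the file's integrity. Dropping those lines, or at least saving and restoring the previous callback once the download completes, keeps the bypass from applying to anything else the same session does; the ATA installer script in this commit carries the same `SSLValidator` block, judging by its hunk context. If the bypass is intentional, a comment stating why would help, e.g. `# NOTE: disables certificate validation process-wide; needed because <reason>`. Minor: the comment on the first line reads `Microsft` and the final message `sucessfully`.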


@@ -38,7 +38,16 @@ if ("$env:PACKER_BUILDER_TYPE" -eq "vmware-iso") {
} }
cmd /c "C:\PROGRA~1\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare cmd /c "C:\PROGRA~1\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare
cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\" cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v "/qn REBOOT=R"
$software = "VMware Tools";
$installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where { $_.DisplayName -eq $software }) -ne $null
If (-Not $installed) {
Write-Host "'$software' did not install successfully. Quitting.";
exit 1
} Else {
Write-Host "'$software' was installed successfully."
}
Remove-Item -Force "C:\Windows\Temp\vmware-tools.tar" Remove-Item -Force "C:\Windows\Temp\vmware-tools.tar"
Remove-Item -Force "C:\Windows\Temp\windows.iso" Remove-Item -Force "C:\Windows\Temp\windows.iso"
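Review bot: The success check `$installed = (Get-ItemProperty ... | Where { $_.DisplayName -eq $software }) -ne $null` puts `$null` on the right-hand side, so when the pipeline yields more than one matching uninstall key `-ne` acts as a filter and returns an array rather than a boolean; it happens to be truthy here, but the unambiguous form is `$installed = $null -ne (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where { $_.DisplayName -eq $software })`. The failure branch prints with `Write-Host` before `exit 1`; `Write-Error` would put the message on the error stream where Packer's log makes it easier to spot. These verification lines appear to be the hunk's additions, since they are not printed twice like the surrounding context.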


@@ -143,7 +143,8 @@
"type": "powershell", "type": "powershell",
"scripts": [ "scripts": [
"./scripts/vm-guest-tools.ps1", "./scripts/vm-guest-tools.ps1",
"./scripts/debloat-windows.ps1" "./scripts/debloat-windows.ps1",
"./scripts/download-microsoft-ata.ps1"
] ]
}, },
{ {

Vagrant/Vagrantfile vendored

@@ -136,6 +136,7 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-evtx-attack-samples.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -170,7 +171,7 @@ Vagrant.configure("2") do |config|
lv.graphics_type = "spice" lv.graphics_type = "spice"
lv.video_type = "qxl" lv.video_type = "qxl"
lv.input :type => "tablet", :bus => "usb" lv.input :type => "tablet", :bus => "usb"
override.vm.box = "../Boxes/windows_2016_libvirt.box" override.vm.box = "../Boxes/windows_2016_libvirt.box"
lv.video_vram = 32768 lv.video_vram = 32768
lv.memory = 2048 lv.memory = 2048
lv.cpus = 2 lv.cpus = 2


@@ -0,0 +1,70 @@
# Purpose: Downloads and indexes the EVTX samples from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/ into Splunk
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Indexing EVTX Attack Samples into Splunk..."
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
# GitHub requires TLS 1.2 as of 2/27
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$inputsConf = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
# Download and unzip a copy of EVTX Attack Samples
$evtxAttackDownloadUrl = "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/archive/master.zip"
$evtxAttackRepoPath = "C:\Users\vagrant\AppData\Local\Temp\evtxattack.zip"
If (-not (Test-Path "C:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master")) {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading EVTX Attack Samples"
Invoke-WebRequest -Uri "$evtxAttackDownloadUrl" -OutFile "$evtxAttackRepoPath"
Expand-Archive -path "$evtxAttackRepoPath" -destinationpath 'c:\Tools\EVTX-ATTACK-SAMPLES' -Force
# Add stanzas to Splunk inputs.conf to index the evtx files
# Huge thanks to https://www.cloud-response.com/2019/07/importing-windows-event-log-files-into.html for showing how to do this!
If (!(Select-String -Path $inputsConf -Pattern "evtx_attack_sample")) {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk inputs.conf has not yet been modified. Adding stanzas for these evtx files now..."
Add-Content -Path "$inputsConf" -Value '
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\AutomatedTestingTools\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Command and Control\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Credential Access\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Defense Evasion\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Discovery\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Execution\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Lateral Movement\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Other\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Persistence\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt
[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Privilege Escalation\*.evtx]
index = evtx_attack_samples
sourcetype = preprocess-winevt'
# Restart the forwarder to pick up changes
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Restarting the Splunk Forwarder..."
Restart-Service SplunkForwarder
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk to query these samples."
}
} Else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) EVTX attack samples were already installed. Moving On."
}
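Review bot: The completion message `Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk` names an index that does not match the stanzas written just above it, which set `index = evtx_attack_samples`; a user following the message lands on a search that returns none of these events, so it should read `Done! Look in 'index=evtx_attack_samples' in Splunk to query these samples.`. The archive is also fetched from the repository's `master.zip` with no pin and no hash comparison, unlike the ATA download script in the same commit; pointing `$evtxAttackDownloadUrl` at a commit archive (`.../archive/<commit-sha>.zip`) and checking a recorded SHA-256 with `Get-FileHash` would make the indexed sample set reproducible and verifiable. Finally, the `inputs.conf` stanzas are only written inside the branch that runs when the extracted folder is absent, so a run that extracted the archive but failed before `Add-Content` will skip the Splunk configuration on every later provision; moving the `Select-String` check outside the `Test-Path` branch would make it self-healing.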


@@ -28,14 +28,14 @@ public static class SSLValidator {
If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center")) If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
{ {
$download = $false $download = $false
If (-not (Test-Path "$env:temp\$title.iso")) If (-not (Test-Path "c:\$title.iso"))
{ {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..."
$download = $true $download = $true
} }
Else Else
{ {
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
If (-not ($actualHash -eq $fileHash)) If (-not ($actualHash -eq $fileHash))
{ {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..."
@@ -47,21 +47,21 @@ If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138 # Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue' $ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso" Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
If (-not ($actualHash -eq $fileHash)) If (-not ($actualHash -eq $fileHash))
{ {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
Remove-Item -Path "$env:temp\$title.iso" -Force Remove-Item -Path "c:\$title.iso" -Force
bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso" bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
If (-not ($actualHash -eq $fileHash)) If (-not ($actualHash -eq $fileHash))
{ {
Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up." Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
} }
} }
} }
$Mount = Mount-DiskImage -ImagePath "$env:temp\$title.iso" -StorageType ISO -Access ReadOnly -PassThru $Mount = Mount-DiskImage -ImagePath "c:\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
$Volume = $Mount | Get-Volume $Volume = $Mount | Get-Volume
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing $title" Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing $title"
$Install = Start-Process -Wait -FilePath ($Volume.DriveLetter + ":\Microsoft ATA Center Setup.exe") -ArgumentList "/q --LicenseAccepted NetFrameworkCommandLineArguments=`"/q`" --EnableMicrosoftUpdate" -PassThru $Install = Start-Process -Wait -FilePath ($Volume.DriveLetter + ":\Microsoft ATA Center Setup.exe") -ArgumentList "/q --LicenseAccepted NetFrameworkCommandLineArguments=`"/q`" --EnableMicrosoftUpdate" -PassThru
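Review bot: Moving the ISO from `$env:temp` to `c:\$title.iso` places it in the root of the image, and the hunk ends right after the `Start-Process` install line, so unless the part of the script below it dismounts the image and deletes the file, the ISO is baked into the resulting box. If keeping it is deliberate as a cache for re-provisioning (the hash check on an existing file suggests so), a comment would make that clear, e.g. `# ISO is kept at c:\ on purpose so re-runs can reuse it after hash verification`; otherwise `Dismount-DiskImage -ImagePath "c:\$title.iso"` followed by `Remove-Item "c:\$title.iso" -Force` after the install would reclaim the space. The hunk context also shows this script still defines `SSLValidator`, the same process-wide certificate-validation bypass as the new download script, which the hash check already makes unnecessary.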


@@ -3,7 +3,7 @@
If (-not (Test-Path "C:\ProgramData\chocolatey")) { If (-not (Test-Path "C:\ProgramData\chocolatey")) {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey" Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey"
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
} else { } else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Chocolatey is already installed." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Chocolatey is already installed."
} }


@@ -40,8 +40,8 @@ sed -i 's/vb.gui = true/vb.gui = false/g' Vagrantfile
# Install Packer # Install Packer
mkdir /opt/packer mkdir /opt/packer
cd /opt/packer || exit 1 cd /opt/packer || exit 1
wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip
unzip packer_1.6.0_linux_amd64.zip unzip packer_1.6.3_linux_amd64.zip
cp packer /usr/local/bin/packer cp packer /usr/local/bin/packer
# Make the Packer images headless # Make the Packer images headless


@@ -14,9 +14,9 @@ apt-get install -y linux-headers-"$(uname -r)" build-essential unzip git ufw apa
pip install awscli --upgrade --user pip install awscli --upgrade --user
cp /root/.local/bin/aws /usr/local/bin/aws && chmod +x /usr/local/bin/aws cp /root/.local/bin/aws /usr/local/bin/aws && chmod +x /usr/local/bin/aws
wget -O VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle" wget -O VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle"
chmod +x VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle chmod +x VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle
sudo sh VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER sudo sh VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER
# Set up firewall # Set up firewall
ufw allow ssh ufw allow ssh
@@ -37,8 +37,8 @@ vagrant plugin install vagrant-reload
vagrant plugin install vagrant-vmware-desktop vagrant plugin install vagrant-vmware-desktop
echo $LICENSEFILE | base64 -d > /tmp/license.lic echo $LICENSEFILE | base64 -d > /tmp/license.lic
vagrant plugin license vagrant-vmware-desktop /tmp/license.lic vagrant plugin license vagrant-vmware-desktop /tmp/license.lic
wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.11/vagrant-vmware-utility_1.0.11_x86_64.deb" wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.12/vagrant-vmware-utility_1.0.12_x86_64.deb"
dpkg -i vagrant-vmware-utility_1.0.11_x86_64.deb dpkg -i vagrant-vmware-utility_1.0.12_x86_64.deb
# Make the Vagrant instances headless # Make the Vagrant instances headless
cd /opt/DetectionLab/Vagrant || exit 1 cd /opt/DetectionLab/Vagrant || exit 1
@@ -47,8 +47,8 @@ sed -i 's/v.gui = true/v.gui = false/g' Vagrantfile
# Install Packer # Install Packer
mkdir /opt/packer mkdir /opt/packer
cd /opt/packer || exit 1 cd /opt/packer || exit 1
wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip
unzip packer_1.6.0_linux_amd64.zip unzip packer_1.6.3_linux_amd64.zip
cp packer /usr/local/bin/packer cp packer /usr/local/bin/packer
# Make the Packer images headless # Make the Packer images headless
@@ -56,3 +56,12 @@ cd /opt/DetectionLab/Packer || exit 1
for file in *.json; do for file in *.json; do
sed -i 's/"headless": false,/"headless": true,/g' "$file"; sed -i 's/"headless": false,/"headless": true,/g' "$file";
done done
echo '# This file is automatically generated.
# Hand-editing this file is not recommended.
network0.name = "Bridged"
network0.device = "vmnet0"
network1.name = "HostOnly"
network1.device = "vmnet1"
network2.name = "NAT"
network2.device = "vmnet8"' > /etc/vmware/netmap.conf