trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: trinitor:70f1922e8064cfd18378ee7c87145fb72c5fa64f
Branches Tags
trinitor:master
...
compare: trinitor:master
Branches Tags
trinitor:master

2 Commits
70f1922e80 ... master

Author SHA1 Message Date
Trinitor
4e7bb096df added new Readme 2021-08-06 17:45:27 +02:00
Trinitor
ea58df86cc added kali and fixed path for securityonion 2021-08-06 17:40:32 +02:00
4 changed files with 589 additions and 111 deletions
Expand all files Collapse all files

140
README-original.md Normal file
View File

@@ -0,0 +1,140 @@
# Detection Lab
![DetectionLab](./img/DetectionLab.png)
DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing.
[![CircleCI](https://circleci.com/gh/clong/DetectionLab/tree/master.svg?style=shield)](https://circleci.com/gh/clong/DetectionLab/tree/master)
![Lint Code Base](https://github.com/clong/DetectionLab/workflows/Lint%20Code%20Base/badge.svg)
[![license](https://img.shields.io/github/license/clong/DetectionLab.svg?style=flat-square)](https://github.com/clong/DetectionLab/blob/master/license.md)
![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?style=flat-square)
[![GitHub last commit](https://img.shields.io/github/last-commit/clong/DetectionLab.svg?style=flat-square)](https://github.com/clong/DetectionLab/commit/master)
[![Twitter](https://img.shields.io/twitter/follow/DetectionLab.svg?style=social)](https://twitter.com/DetectionLab)
[![Slack](https://img.shields.io/badge/Slack-DetectionLab-blue)](https://join.slack.com/t/detectionlab/shared_invite/zt-mv1qnw9f-3qo2ZrB0IbIKhvinfsgYhg)
#### Donate to the project:
All of the infrastructure, building, and testing of DetectionLab is currently funded by myself in my spare time. If you find this project useful, feel free to buy me a coffee using one of the buttons below!
[![GitHub Sponsor](https://img.shields.io/badge/GitHub-Sponsor-red.svg)](https://github.com/sponsors/clong)
[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/paypalme2/clong0)
[![Donate](https://img.shields.io/badge/Donate-Crypto-blue.svg)](https://commerce.coinbase.com/checkout/838ac7a2-7b9d-4d40-b475-fd1015fdaacd)
## Purpose
This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
Read more about Detection Lab on Medium here: https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.
## Primary Lab Features:
* Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
* A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
* A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
* [Palantir's Windows Event Forwarding](http://github.com/palantir/windows-event-forwarding) subscriptions and custom channels are implemented
* Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs`
* osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration)
* Sysmon is installed and configured using [Olaf Hartong's open-sourced Sysmon configuration](https://github.com/olafhartong/sysmon-modular)
* All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
* Zeek and Suricata are pre-configured to monitor and alert on network traffic
* Apache Guacamole is installed to easily access all hosts from your local browser
---
## Building Detection Lab
When preparing to build DetectionLab locally, be sure to use the `prepare.[sh|ps1]` scripts inside of the Vagrant folder
to ensure your system passes the prerequisite checks for building DetectionLab.
* [Prerequisites](https://www.detectionlab.network/introduction/prerequisites/)
* [MacOS - Virtualbox or VMware Fusion](https://www.detectionlab.network/deployment/macosvm/)
* [Windows - Virtualbox or VMware Workstation](https://www.detectionlab.network/deployment/windowsvm/)
* [Linux - Virtualbox or VMware Workstation](https://www.detectionlab.network/deployment/linuxvm/)
* [AWS via Terraform](https://www.detectionlab.network/deployment/aws/)
* [Azure via Terraform & Ansible](https://www.detectionlab.network/deployment/azure/)
* [ESXi via Terraform & Ansible](https://www.detectionlab.network/deployment/esxi/)
* [HyperV](https://www.detectionlab.network/deployment/hyperv/)
* [LibVirt](https://www.detectionlab.network/deployment/libvirt/)
---
## DetectionLab Documentation
The primary documentation site is located at https://detectionlab.network
* [Basic Vagrant Usage](https://www.detectionlab.network/introduction/basicvagrant/)
* [Lab Information & Credentials](https://www.detectionlab.network/introduction/infoandcreds/)
* [Troubleshooting and Known Issues](https://www.detectionlab.network/deployment/troubleshooting/)
---
## Contributing
Please do all of your development in a feature branch on your own fork of DetectionLab.
Contribution guidelines can be found here: [CONTRIBUTING.md](./CONTRIBUTING.md)
## In the Media
* [DetectionLab, Chris Long Pauls Security Weekly #593](https://securityweekly.com/2019/02/08/detectionlab-chris-long-pauls-security-weekly-593/)
* [TaoSecurity - Trying DetectionLab](https://taosecurity.blogspot.com/2019/01/trying-detectionlab.html)
* [Setting up Chris Long's DetectionLab](https://www.psattack.com/articles/20171218/setting-up-chris-longs-detectionlab/)
* [Detection Lab: Visibility & Introspection for Defenders](https://isc.sans.edu/forums/diary/Detection+Lab+Visibility+Introspection+for+Defenders/23135/)
## Credits/Resources
A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
# Acknowledgements
* [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
* [Splunk](https://www.splunk.com)
* [osquery](https://osquery.io)
* [Fleet](https://github.com/fleetdm/fleet)
* [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f)
* [palantir/windows-event-forwarding](http://github.com/palantir/windows-event-forwarding)
* [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55)
* [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration)
* [Configure Event Log Forwarding in Windows Server 2012 R2](https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2)
* [Monitoring what mattersWindows Event Forwarding for everyone](https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/)
* [Use Windows Event Forwarding to help with intrusion detection](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection)
* [The Windows Event Forwarding Survival Guide](https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4)
* [PowerShell ♥ the Blue Team](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)
* [Autoruns](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082)
* [TA-microsoft-sysmon](https://github.com/splunk/TA-microsoft-sysmon)
* [SwiftOnSecurity - Sysmon Config](https://github.com/SwiftOnSecurity/sysmon-config)
* [ThreatHunting](https://github.com/olafhartong/ThreatHunting)
* [sysmon-modular](https://github.com/olafhartong/sysmon-modular)
* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
* [Hunting for Beacons](http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html)
* [Velociraptor](https://github.com/Velocidex/velociraptor)
* [BadBlood](https://github.com/davidprowe/BadBlood)
* [PurpleSharp](https://github.com/mvelazc0/PurpleSharp)
* [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES)
# DetectionLab Sponsors
#### Last updated: 07/09/2021
I would like to extend thanks to the following sponsors for funding DetectionLab development. If you are interested in becoming a sponsor, please visit the [sponsors page](https://github.com/sponsors/clong).
### Diamond Sponsors:
* [Veramine](https://github.com/veramine)
* [Thinkst](https://github.com/ThinkstAppliedResearch)
* [kungskal](https://github.com/kungskal)
* [CyDefUnicorn](https://github.com/CyDefUnicorn)
* [olliencc](https://github.com/olliencc)
* [snaplabsio](https://github.com/snaplabsio)
* [0x0lolbin](https://github.com/0x0lolbin)
* [materaj2](https://github.com/materaj2)
### Premium Sponsors:
* [mikeesparza](https://github.com/mikeesparza)
* [dlee35](https://github.com/dlee35)
* [chrissanders](https://github.com/chrissanders)
* [jaredhaight](https://github.com/jaredhaight)
* [iamfuntime](https://github.com/iamfuntime)
* [Luct0r](https://github.com/Luct0r)
* [secdev-01](https://github.com/secdev-01)
### Standard Sponsors:
* [braimee](https://github.com/braimee)
* [defensivedepth](https://github.com/defensivedepth)
* [kafkaesqu3](https://github.com/kafkaesqu3)
* [mdtro](https://github.com/mdtro)
* [ealaney](https://github.com/ealaney)
* [elreydetoda](https://github.com/elreydetoda)
* [DevBits1702](https://github.com/DevBits1702)
* +1 private sponsor

169
README.md
View File

@@ -1,86 +1,75 @@
# Detection Lab # DetectionLab
![DetectionLab](./img/DetectionLab.png)
DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing. ## Overview
This project is based on the awesome [DetectionLab](https://www.detectionlab.network) project.
[![CircleCI](https://circleci.com/gh/clong/DetectionLab/tree/master.svg?style=shield)](https://circleci.com/gh/clong/DetectionLab/tree/master) There are only some minor changes to focus on the network analysis. A router was added and the default gateway of the virtual machines have been changed.
![Lint Code Base](https://github.com/clong/DetectionLab/workflows/Lint%20Code%20Base/badge.svg) This enabled network analyzers to inspect Internet traffic from the virtual machines.
[![license](https://img.shields.io/github/license/clong/DetectionLab.svg?style=flat-square)](https://github.com/clong/DetectionLab/blob/master/license.md)
![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?style=flat-square)
[![GitHub last commit](https://img.shields.io/github/last-commit/clong/DetectionLab.svg?style=flat-square)](https://github.com/clong/DetectionLab/commit/master)
[![Twitter](https://img.shields.io/twitter/follow/DetectionLab.svg?style=social)](https://twitter.com/DetectionLab)
[![Slack](https://img.shields.io/badge/Slack-DetectionLab-blue)](https://join.slack.com/t/detectionlab/shared_invite/zt-mv1qnw9f-3qo2ZrB0IbIKhvinfsgYhg)
#### Donate to the project: Be aware: This is an unsupported setup as vagrant assumes the first network card is always used for outbound connections and used as the default gateway.
Reprovisioning might fail. As it is pretty automated it is easier to destroy a virtual machine and recreate it.
All of the infrastructure, building, and testing of DetectionLab is currently funded by myself in my spare time. If you find this project useful, feel free to buy me a coffee using one of the buttons below! There are some more optional boxes included in the Vagrant file, but not started by default. You can bring up kali, malcolm, or securityonion if you need them.
[![GitHub Sponsor](https://img.shields.io/badge/GitHub-Sponsor-red.svg)](https://github.com/sponsors/clong) ## Setup on Windows
[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/paypalme2/clong0) Run powershell as admin, and execute the following commands:
[![Donate](https://img.shields.io/badge/Donate-Crypto-blue.svg)](https://commerce.coinbase.com/checkout/838ac7a2-7b9d-4d40-b475-fd1015fdaacd) ```
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
choco install -y virtualbox vagrant git googlechrome
c:
cd \
mkdir data
cd data
& 'C:\Program Files\Git\bin\git.exe' clone https://git.trinitor.de/trinitor/DetectionLab.git
cd DetectionLab/Vagrant
C:\HashiCorp\Vagrant\bin\vagrant.exe plugin install vagrant-reload
```
## Purpose ## Usage
This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts. Start router, dc, wef, and win10. This is the default DetectionLab setup.
```
C:\HashiCorp\Vagrant\bin\vagrant.exe up
```
You can also choose the virtual machines you want to create.
Example: If you do not need the Windows Environment you can get a small network
```
C:\HashiCorp\Vagrant\bin\vagrant.exe up router malcolm kali
```
Destroy lab
```
C:\HashiCorp\Vagrant\bin\vagrant.exe destroy
```
Read more about Detection Lab on Medium here: https://medium.com/@clong/introducing-detection-lab-61db34bed6ae ## Information
* Domain Name: windomain.local
NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host. | Hostname | IPs |
|--- |--- |
|router |192.168.38.2, 192.168.39.2 |
|logger |192.168.38.105 |
|dc |192.168.38.102 |
|wef |192.168.38.103 |
|win10 |192.168.38.104 |
|kali |192.168.38.30 |
|securityonion |192.168.39.10, 192.168.38.10 |
|malcolm |192.168.39.11, 192.168.38.11 |
## Primary Lab Features: ## Usage
* Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC | Name | URL | User | Password |
* A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured. |--- |--- |--- |--- |
* A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging |Domain Admin | |vagrant |vagrant |
* [Palantir's Windows Event Forwarding](http://github.com/palantir/windows-event-forwarding) subscriptions and custom channels are implemented |Fleet |https://192.168.38.105:8412 |admin |admin123# |
* Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs` |Splunk |https://192.168.38.105:8000 |admin |changeme |
* osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration) |MS ATA |https://192.168.38.103 |wef\vagrant |vagrant |
* Sysmon is installed and configured using [Olaf Hartong's open-sourced Sysmon configuration](https://github.com/olafhartong/sysmon-modular) |Guacamole |http://192.168.38.105:8080/guacamole |vagrant |vagrant |
* All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog) |Velociraptor |https://192.168.38.105:9999 |admin |changeme |
* Zeek and Suricata are pre-configured to monitor and alert on network traffic |Malcolm Arkime |https://192.168.39.11 |vagrant |vagrant |
* Apache Guacamole is installed to easily access all hosts from your local browser |Malcolm Kibana |https://192.168.39.11/kibana |vagrant |vagrant |
|CyberChef |https://192.168.39.10/cyberchef/cyberchef.htm | | |
--- |Squert |https://192.168.39.10/squert/ |vagrant |vagrant |
## Building Detection Lab
When preparing to build DetectionLab locally, be sure to use the `prepare.[sh|ps1]` scripts inside of the Vagrant folder
to ensure your system passes the prerequisite checks for building DetectionLab.
* [Prerequisites](https://www.detectionlab.network/introduction/prerequisites/)
* [MacOS - Virtualbox or VMware Fusion](https://www.detectionlab.network/deployment/macosvm/)
* [Windows - Virtualbox or VMware Workstation](https://www.detectionlab.network/deployment/windowsvm/)
* [Linux - Virtualbox or VMware Workstation](https://www.detectionlab.network/deployment/linuxvm/)
* [AWS via Terraform](https://www.detectionlab.network/deployment/aws/)
* [Azure via Terraform & Ansible](https://www.detectionlab.network/deployment/azure/)
* [ESXi via Terraform & Ansible](https://www.detectionlab.network/deployment/esxi/)
* [HyperV](https://www.detectionlab.network/deployment/hyperv/)
* [LibVirt](https://www.detectionlab.network/deployment/libvirt/)
---
## DetectionLab Documentation
The primary documentation site is located at https://detectionlab.network
* [Basic Vagrant Usage](https://www.detectionlab.network/introduction/basicvagrant/)
* [Lab Information & Credentials](https://www.detectionlab.network/introduction/infoandcreds/)
* [Troubleshooting and Known Issues](https://www.detectionlab.network/deployment/troubleshooting/)
---
## Contributing
Please do all of your development in a feature branch on your own fork of DetectionLab.
Contribution guidelines can be found here: [CONTRIBUTING.md](./CONTRIBUTING.md)
## In the Media
* [DetectionLab, Chris Long Pauls Security Weekly #593](https://securityweekly.com/2019/02/08/detectionlab-chris-long-pauls-security-weekly-593/)
* [TaoSecurity - Trying DetectionLab](https://taosecurity.blogspot.com/2019/01/trying-detectionlab.html)
* [Setting up Chris Long's DetectionLab](https://www.psattack.com/articles/20171218/setting-up-chris-longs-detectionlab/)
* [Detection Lab: Visibility & Introspection for Defenders](https://isc.sans.edu/forums/diary/Detection+Lab+Visibility+Introspection+for+Defenders/23135/)
## Credits/Resources
A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
# Acknowledgements # Acknowledgements
* [DetectionLab](https://www.detectionlab.network)
* [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) * [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
* [Splunk](https://www.splunk.com) * [Splunk](https://www.splunk.com)
* [osquery](https://osquery.io) * [osquery](https://osquery.io)
@@ -105,36 +94,6 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer]
* [BadBlood](https://github.com/davidprowe/BadBlood) * [BadBlood](https://github.com/davidprowe/BadBlood)
* [PurpleSharp](https://github.com/mvelazc0/PurpleSharp) * [PurpleSharp](https://github.com/mvelazc0/PurpleSharp)
* [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) * [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES)
* [Malcolm](https://github.com/cisagov/Malcolm)
# DetectionLab Sponsors * [SecurityOnion](https://securityonionsolutions.com/)
#### Last updated: 07/09/2021 * [Kali](https://kali.org/)
I would like to extend thanks to the following sponsors for funding DetectionLab development. If you are interested in becoming a sponsor, please visit the [sponsors page](https://github.com/sponsors/clong).
### Diamond Sponsors:
* [Veramine](https://github.com/veramine)
* [Thinkst](https://github.com/ThinkstAppliedResearch)
* [kungskal](https://github.com/kungskal)
* [CyDefUnicorn](https://github.com/CyDefUnicorn)
* [olliencc](https://github.com/olliencc)
* [snaplabsio](https://github.com/snaplabsio)
* [0x0lolbin](https://github.com/0x0lolbin)
* [materaj2](https://github.com/materaj2)
### Premium Sponsors:
* [mikeesparza](https://github.com/mikeesparza)
* [dlee35](https://github.com/dlee35)
* [chrissanders](https://github.com/chrissanders)
* [jaredhaight](https://github.com/jaredhaight)
* [iamfuntime](https://github.com/iamfuntime)
* [Luct0r](https://github.com/Luct0r)
* [secdev-01](https://github.com/secdev-01)
### Standard Sponsors:
* [braimee](https://github.com/braimee)
* [defensivedepth](https://github.com/defensivedepth)
* [kafkaesqu3](https://github.com/kafkaesqu3)
* [mdtro](https://github.com/mdtro)
* [ealaney](https://github.com/ealaney)
* [elreydetoda](https://github.com/elreydetoda)
* [DevBits1702](https://github.com/DevBits1702)
* +1 private sponsor

55
Vagrant/Vagrantfile vendored
View File

@@ -82,7 +82,6 @@ EOF
systemctl start default-gateway.service systemctl start default-gateway.service
SHELL SHELL
cfg.vm.provider "virtualbox" do |vb, override| cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = false vb.gui = false
vb.name = "logger" vb.name = "logger"
@@ -99,11 +98,11 @@ EOF
config.vm.define "dc" do |cfg| config.vm.define "dc" do |cfg|
cfg.vm.box = "detectionlab/win2016" cfg.vm.box = "detectionlab/win2016"
cfg.vm.hostname = "dc" cfg.vm.hostname = "dc"
cfg.vm.boot_timeout = 600 cfg.vm.boot_timeout = 1200
cfg.winrm.transport = :plaintext cfg.winrm.transport = :plaintext
cfg.vm.communicator = "winrm" cfg.vm.communicator = "winrm"
cfg.winrm.basic_auth_only = true cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300 cfg.winrm.timeout = 1200
cfg.winrm.retry_limit = 20 cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1", dns: "8.8.8.8" cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1", dns: "8.8.8.8"
@@ -149,10 +148,10 @@ EOF
config.vm.define "wef" do |cfg| config.vm.define "wef" do |cfg|
cfg.vm.box = "detectionlab/win2016" cfg.vm.box = "detectionlab/win2016"
cfg.vm.hostname = "wef" cfg.vm.hostname = "wef"
cfg.vm.boot_timeout = 600 cfg.vm.boot_timeout = 1200
cfg.vm.communicator = "winrm" cfg.vm.communicator = "winrm"
cfg.winrm.basic_auth_only = true cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300 cfg.winrm.timeout = 1200
cfg.winrm.retry_limit = 20 cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102" cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
@@ -236,6 +235,50 @@ EOF
end end
end end
config.vm.define "kali", autostart: false do |cfg|
cfg.vm.box = "kalilinux/rolling"
cfg.vm.hostname = "kali"
cfg.vm.network :private_network, ip: "192.168.38.20", gateway: "192.168.38.1", dns: "8.8.8.8"
cfg.vm.network :private_network, ip: "192.168.39.20", gateway: "192.168.39.1", dns: "8.8.8.8"
cfg.vm.provision "shell", run: "always", inline: <<-SHELL
route del default gw 10.0.2.2
route add default gw 192.168.38.2
SHELL
cfg.vm.provision "shell", inline: <<-SHELL
export DEBIAN_FRONTEND=noninteractive
cat <<-'EOF' >/opt/default-gateway.sh
#!/bin/bash
route del default gw 10.0.2.2
route add default gw 192.168.38.2
EOF
cat <<-'EOF' >/etc/systemd/system/default-gateway.service
[Unit]
After=network.service
Description=default-gateway
[Service]
Type=simple
ExecStart=/opt/default-gateway.sh
[Install]
WantedBy=multi-user.target
EOF
chmod 744 /opt/default-gateway.sh
chmod 664 /etc/systemd/system/default-gateway.service
systemctl daemon-reload
systemctl enable default-gateway.service
systemctl start default-gateway.service
SHELL
cfg.vm.provider "virtualbox" do |vb|
vb.name = "kali"
vb.gui = false
vb.cpus = 2
vb.memory = "4096"
end
end
config.vm.define "securityonion", autostart: false do |cfg| config.vm.define "securityonion", autostart: false do |cfg|
cfg.vm.box = "ubuntu/trusty64" cfg.vm.box = "ubuntu/trusty64"
cfg.vm.hostname = "securityonion" cfg.vm.hostname = "securityonion"
@@ -260,7 +303,7 @@ EOF
apt-get -y install securityonion-all syslog-ng-core apt-get -y install securityonion-all syslog-ng-core
apt-get -y autoremove apt-get -y autoremove
apt-get clean apt-get clean
sosetup -y -f /vagrant/sosetup.conf sosetup -y -f /vagrant/resources/securityonion/sosetup.conf
ufw allow 443/tcp ufw allow 443/tcp
SHELL SHELL
end end

336
Vagrant/resources/securityonion/sosetup.conf Normal file
View File

@@ -0,0 +1,336 @@
################################
# sosetup.conf
################################
# This file can be used to automate sosetup.
#
# Copy this example file to your home directory:
# cp /usr/share/securityonion/sosetup.conf ~
#
# Edit your new sosetup.conf:
# nano ~/sosetup.conf
#
# Run Setup with the -f switch and the path to this file:
# sudo sosetup -f ~/sosetup.conf
################################
# Management Interface
################################
# MGMT_INTERFACE
# Which network interface should be the management interface?
# The management interface has an IP address and is NOT used for sniffing.
# We recommend that you always make this eth0 if possible for consistency.
MGMT_INTERFACE='eth2'
# MGMT_CONFIG_TYPE
# Should the management interface be configured using DHCP or static IP?
# We recommend using static IP whenever possible.
MGMT_CONFIG_TYPE='static'
# MGMT_CONFIG_TYPE='DHCP'
# If MGMT_CONFIG_TYPE=static, then provide the details here:
ADDRESS='192.168.39.10'
NETMASK='255.255.255.0'
GATEWAY='192.168.39.1'
NAMESERVER='192.168.39.1'
DOMAIN='example.com'
################################
# Sniffing interface(s)
################################
# Which interface(s) will be sniffing network traffic?
# For multiple interfaces, please separate them with spaces.
# For example:
# SNIFFING_INTERFACES='eth1 eth2'
SNIFFING_INTERFACES='eth0 eth1'
################################
# Master Server
################################
# SERVER
# If set to 1, then this box will be a Master server:
# SERVER=1
# If set to 0, then this box will connect to a separate Master server:
# SERVER=0
SERVER=1
# SERVERNAME
# If SERVER=1, then this should be 'localhost':
# SERVERNAME='localhost'
# If SERVER=0, then this should be the name/IP of the separate Master server:
# SERVERNAME='sguilserver.example.com'
SERVERNAME='localhost'
# SSH_USERNAME
# If SERVER=0, then this should be the name of an
# account on the separate Master server that has sudo privileges.
# sudo privileges can be revoked after sosetup is complete.
# SSH_USERNAME='sensor1'
SSH_USERNAME=''
# SGUIL_SERVER_NAME
# If SERVER=1, then this is the name of the Sguil server we'll create.
# You probably shouldn't change this value.
SGUIL_SERVER_NAME='securityonion'
# SGUIL_CLIENT_USERNAME
# If SERVER=1, then this is the username that we'll create
# for Sguil/Squert/ELSA.
# Please use alphanumeric characters only!
SGUIL_CLIENT_USERNAME='vagrant'
# SGUIL_CLIENT_PASSWORD_1
# If SERVER=1, then this is the password that we'll create
# for Sguil/Squert/ELSA.
# If you set a password here, you may want to change it later and/or
# shred this file.
SGUIL_CLIENT_PASSWORD_1='vagrant'
################################
# Master server services
################################
# If SERVER=0, then no server services will run.
# If SERVER=1, then the following services can be enabled/disabled.
# Do you want to run Xplico? yes/no
XPLICO_ENABLED='no'
################################
# ELSA
################################
# ELSA
# If set to YES, then this box will run ELSA components:
# ELSA=YES
# If set to NO, then this box will not run ELSA components:
# ELSA=NO
# If you want to run ELSA, then you should enable this setting on every box in your deployment.
ELSA=YES
# UPDATE_ELSA_SERVER
# If SERVER=0, then the server's elsa_web.conf will need
# to be updated and Apache restarted for it to recognize
# this new ELSA node. Restarting Apache will interrupt
# any running ELSA queries.
# To automatically update the server's elsa_web.conf and
# restart Apache, set this option to 'YES':
# UPDATE_ELSA_SERVER='YES'
# If you'd rather update the server's elsa_web.conf yourself
# and manually restart Apache, set this option to 'NO':
# UPDATE_ELSA_SERVER='NO'
UPDATE_ELSA_SERVER='YES'
# LOG_SIZE_LIMIT
# This setting controls how much disk space ELSA uses.
# 10TB = 10000000000000
# LOG_SIZE_LIMIT='10000000000000'
# 1TB = 1000000000000
# LOG_SIZE_LIMIT='1000000000000'
# 100GB = 100000000000
# LOG_SIZE_LIMIT='100000000000'
# 10GB = 10000000000
LOG_SIZE_LIMIT='10000000000'
################################
# Enable/disable services
################################
# The OSSEC agent sends OSSEC HIDS alerts into the Sguil database.
# Do you want to run the OSSEC Agent? yes/no
OSSEC_AGENT_ENABLED='no'
# OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild.
OSSEC_AGENT_LEVEL='5'
# Salt allows you to manage your entire Security Onion deployment
# as one cohesive whole. It provides configuration management
# and remote code execution.
# Do you want to enable Salt? yes/no
SALT='no'
################################
# Sensor components
################################
# SENSOR
# If set to 1, then this box will run sensor components and sniff ethernet interfaces:
# SENSOR=1
# If set to 0, then this box will not run sensor components:
# SENSOR=0
SENSOR=1
################################
# Enable/disable sensor services
################################
# If SENSOR=0, then no sensor services will run.
# If SENSOR=1, then the following services can be enabled/disabled.
# BRO_ENABLED
# Do you want to run Bro? yes/no
BRO_ENABLED='yes'
# IDS_ENGINE_ENABLED
# Do you want to run an IDS engine (Snort/Suricata)? yes/no
IDS_ENGINE_ENABLED='yes'
# SNORT_AGENT_ENABLED
# Do you want to run the Snort agent? yes/no
# The Snort agent sends Snort IDS alerts to the Sguil database.
SNORT_AGENT_ENABLED='yes'
# BARNYARD2_ENABLED
# Do you want to run Barnyard2? yes/no
# Barnyard2 sends IDS alerts from Snort/Suricata to
# Sguil's Snort agent and syslog (ELSA).
BARNYARD2_ENABLED='yes'
# PCAP_ENABLED
# Do you want to run full packet capture? yes/no
PCAP_ENABLED='yes'
# PCAP_AGENT_ENABLED
# Do you want to run Sguil's pcap_agent? yes/no
# The pcap_agent allows Sguil to access the pcap store.
PCAP_AGENT_ENABLED='yes'
# PRADS_ENABLED
# Do you want to run Prads? yes/no
# Prads writes session data and asset data.
# Bro provides the same data types plus more, so most
# folks don't run Prads.
PRADS_ENABLED='no'
# SANCP_AGENT_ENABLED
# Do you want to run the sancp_agent? yes/no
# sancp_agent sends session data from Prads to Sguil.
SANCP_AGENT_ENABLED='no'
# PADS_AGENT_ENABLED
# Do you want to run the pads_agent? yes/no
# pads_agent sends asset data from Prads to Sguil.
PADS_AGENT_ENABLED='no'
# HTTP_AGENT_ENABLED
# Do you want to run the http_agent? yes/no
# http_agent sends http logs from Bro to Sguil.
# If you're running ELSA, then you probably want to disable this.
HTTP_AGENT_ENABLED='no'
# ARGUS_ENABLED
# Do you want to run Argus? yes/no
# Argus writes session data, also provided by Bro and Prads.
# Most folks don't run Argus.
ARGUS_ENABLED='no'
################################
# Rules
################################
# IDS_RULESET
# This setting is only necessary on a master server.
# Sensors automatically inherit ruleset from the master server.
# Which IDS ruleset would you like to use?
# Emerging Threats Open (no oinkcode required):
# ETOPEN
# Emerging Threats PRO (requires ETPRO oinkcode):
# ETPRO
# Sourcefire VRT (requires VRT oinkcode):
# VRT
# VRT and ET (requires VRT oinkcode):
# VRTET
IDS_RULESET='ETOPEN'
# OINKCODE
# This setting is only necessary on a master server.
# Sensors automatically inherit ruleset from the master server.
# If you're running VRT or ETPRO rulesets, you'll need to supply your
# oinkcode here.
OINKCODE=''
################################
# PF_RING Config
################################
# PF_RING_SLOTS
# The default is 4096.
# High traffic networks may need to increase this.
PF_RING_SLOTS=4096
################################
# IDS Config
################################
# IDS_ENGINE
# Which IDS engine would you like to run? snort/suricata
# Whatever you choose here will apply to the master server
# and then sensors inherit this setting from the master server.
# To run Snort:
# IDS_ENGINE='snort'
# To run Suricata:
# IDS_ENGINE='suricata'
IDS_ENGINE='snort'
# IDS_LB_PROCS
# How many PF_RING load-balanced processes would you like to run?
# This value should be lower than your number of CPU cores.
IDS_LB_PROCS='1'
# HOME_NET
# Setup by default configures Snort/Suricata's HOME_NET variable
# as RFC 1918 (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12).
# If you wish to provide a custom value, enter it below,
# ensuring a comma is placed after each range, with no spaces in between.
# Ex. HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12'
HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12'
################################
# Bro Config
################################
# BRO_LB_PROCS
# How many PF_RING load-balanced processes would you like Bro to run?
# This value should be lower than your number of CPU cores.
BRO_LB_PROCS='1'
# EXTRACT_FILES
# Do you want Bro to automatically extract Windows EXEs and write them to disk? yes/no
EXTRACT_FILES='yes'
################################
# PCAP Config
################################
# PCAP_SIZE
# How large do you want your pcap files to be?
# The default is 150MB.
PCAP_SIZE='150'
# PCAP_RING_SIZE
# How big of a ring buffer should be allocated for netsniff-ng?
# The default is 64MB.
PCAP_RING_SIZE='64'
# PCAP_OPTIONS
# The default option here of '-c' is intended for low-volume environments.
# If monitoring lots of traffic, you will want to remove the -c to use
# netsniff-ng's default scatter/gather I/O or consider netsniff-ng's --mmap option.
PCAP_OPTIONS='-c'
################################
# Maintenance
################################
# WARN_DISK_USAGE
# Begin warning when disk usage reaches this level
WARN_DISK_USAGE='80'
# CRIT_DISK_USAGE
# Begin purging old files when disk usage reaches this level
CRIT_DISK_USAGE='90'
# DAYSTOKEEP
# Only applies to Sguil database ('securityonion_db')
DAYSTOKEEP='30'
# DAYSTOREPAIR
# Only applies to Sguil database ('securityonion_db')
DAYSTOREPAIR='7'