149 lines
4.4 KiB
YAML
149 lines
4.4 KiB
YAML
---
|
|
|
|
- name: Set HostOnly DNS Address
|
|
win_dns_client:
|
|
adapter_names: '*'
|
|
ipv4_addresses:
|
|
- 192.168.38.102
|
|
- 8.8.8.8
|
|
log_path: C:\dns_log.txt
|
|
|
|
- name: Install git
|
|
win_chocolatey:
|
|
name: git
|
|
state: present
|
|
|
|
- name: Check if existing DetectionLab directory
|
|
win_stat:
|
|
path: 'c:\DetectionLab'
|
|
register: dir
|
|
|
|
- name: Git clone Detectionlab
|
|
win_shell: git clone https://github.com/clong/DetectionLab.git
|
|
args:
|
|
chdir: 'c:\'
|
|
when: not dir.stat.exists
|
|
|
|
- name: Copy scripts to c:\vagrant
|
|
win_shell: Copy-Item -Recurse c:\DetectionLab\Vagrant c:\vagrant
|
|
args:
|
|
creates: c:\vagrant\Vagrantfile
|
|
|
|
- name: Join the Domain
|
|
win_shell: .\\provision.ps1
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: wef_join_domain
|
|
changed_when: "'HasSucceeded : True' in wef_join_domain.stdout"
|
|
failed_when: '"failed to join domain" in wef_join_domain.stderr'
|
|
|
|
- debug: msg="{{ wef_join_domain.stdout_lines }}"
|
|
|
|
- name: Reboot After Joining the Domain
|
|
win_reboot:
|
|
msg: "Joining the domain. Rebooting..."
|
|
pre_reboot_delay: 15
|
|
reboot_timeout: 600
|
|
post_reboot_delay: 60
|
|
when: wef_join_domain.changed
|
|
|
|
- name: Download Microsoft ATA
|
|
win_get_url:
|
|
url: http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso
|
|
dest: "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Microsoft ATA 1.9.iso"
|
|
timeout: 3600
|
|
|
|
- name: Check if DetectionLab Clear Event Logs has been done
|
|
win_stat:
|
|
path: 'c:\Windows\.detectionlab_clear_done'
|
|
register: clearevt
|
|
|
|
- block:
|
|
- name: Clear Event Logs
|
|
win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
|
|
|
|
- name: Add marker for DetectionLab Clear Event
|
|
win_file:
|
|
path: 'c:\Windows\.detectionlab_clear_done'
|
|
state: touch
|
|
when: not clearevt.stat.exists
|
|
|
|
- name: Downloading the Palantir WEF Configuration
|
|
win_shell: ".\\download_palantir_wef.ps1"
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: palantir_wef
|
|
failed_when: "'Exception' in palantir_wef.stdout"
|
|
changed_when: "' already exists. Moving On.' not in palantir_wef.stdout"
|
|
|
|
- debug: msg="{{ palantir_wef.stdout_lines }}"
|
|
|
|
- name: Installing WEF Subscriptions
|
|
win_shell: ".\\install-wefsubscriptions.ps1"
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: wef_subscriptions
|
|
failed_when: "'Exception' in wef_subscriptions.stdout"
|
|
changed_when: "'already installed, moving on...' not in wef_subscriptions.stdout"
|
|
|
|
- debug: msg="{{ wef_subscriptions.stdout_lines }}"
|
|
|
|
- name: Installing the Splunk Universal Forwarder
|
|
win_shell: ".\\install-splunkuf.ps1"
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: splunkuf
|
|
failed_when: "'Exception' in splunkuf.stdout"
|
|
changed_when: "' already installed. Moving on.' not in splunkuf.stdout"
|
|
|
|
- debug: msg="{{ splunkuf.stdout_lines }}"
|
|
|
|
- name: Install Splunk Windows TA
|
|
win_shell: ".\\install-windows_ta.ps1"
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: windowsta
|
|
failed_when: "'Exception' in windowsta.stdout"
|
|
changed_when: "' already installed. Moving on.' not in windowsta.stdout"
|
|
|
|
- debug: msg="{{ windowsta.stdout_lines }}"
|
|
|
|
- name: Installing the Powershell Log Transcription Share
|
|
win_shell: ".\\configure-pslogstranscriptsshare.ps1"
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
creates: c:\pslogs
|
|
register: pstranscriptshare
|
|
failed_when: "'Exception' in pstranscriptshare.stdout"
|
|
|
|
- debug: msg="{{ pstranscriptshare.stdout_lines }}"
|
|
when: pstranscriptshare.stdout_lines is defined
|
|
|
|
- name: Installing the EVTX Event Samples
|
|
win_shell: ".\\install-evtx-attack-samples.ps1"
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: evtxeventsamples
|
|
failed_when: "'Exception' in evtxeventsamples.stdout"
|
|
changed_when: "' were already installed. Moving On.' not in evtxeventsamples.stdout"
|
|
|
|
- debug: msg="{{ evtxeventsamples.stdout_lines }}"
|
|
|
|
- name: Installing Microsoft Advanced Threat Analytics
|
|
win_shell: ".\\install-microsoft-ata.ps1"
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: windowsata
|
|
failed_when: "'Exception' in windowsata.stdout"
|
|
changed_when: "' was already installed. Moving On.' not in windowsata.stdout"
|
|
|
|
- debug: msg="{{ windowsata.stdout_lines }}"
|
|
|
|
- name: Configure WEF with raw Commands
|
|
win_shell: "{{ item }}"
|
|
with_items:
|
|
- "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
|
|
- "Set-SmbServerConfiguration -AuditSmb1Access $true -Force"
|
|
|
|
|