# Forensics - Create VM Extension on Linux

__Notebook Version:__ 1.0<br>
__Python Version:__ Python 3.6 (including Python 3.6 - AzureML)<br>
__Required Packages:__ Azure 4.0.0<br>
__OS Supported:__<br>
    -  Linux
__Platforms Supported:__<br>
    -  Azure Notebooks Free Compute
    -  Azure Notebooks DSVM
__Data Source Required:__<br>
    -  no
    
### Description
The notebook provides sample code to create custom script extension on Azure IaaS Windows virtual machins.

<font color=red>When you switch between Azure Notebooks Free Compute and Data Science Virtual Machine (DSVM), you may need to select Python version: please select Python 3.6 for Free Compute, and Python 3.6 - AzureML for DSVM.</font>

## Prerequisite check

In [None]:
# only run once, current version 0.1.2
!pip install --upgrade Sentinel-Utilities

In [None]:
import SentinelUtils
# checking Python version
check = SentinelUtils.version_management.ModuleVersionCheck()
py_check = check.validate_python('3.6.0')
if py_check.requirement_met == False:
    print('Please select Python 3.6 or Python 3.6 - AzureML at the upper right corner')
else:
    print('Please continue')

In [None]:
# checking required packages
mods_check = check.validate_installed_modules(['Azure>=4.0.0'])
for mod_info in mods_check:
    if mod_info.requirement_met == False:
        print('Please install {} {} at the following cell.'.format(mod_info.name, mod_info.required_version))

In [None]:
# Please install required packages based on the check at last cell
#!pip install azure

## Table of Contents

1. Retrieve Azure Resource Information
2. Authentication to Azure Resource Management 
3. Create VM Extension
4. Delete VMN Extension

## 1. Retrieve Azure Resource Information

In [None]:
path = %env PATH
dsvm = False
if '/dsvm/' in path:
    dsvm = True

# information from config.json
if dsvm == False:
    # Run this if you are using Free Compute
    tenant_id = SentinelUtils.config_reader.ConfigReader.read_config_values("config.json")[0]
    subscription_id = SentinelUtils.config_reader.ConfigReader.read_config_values("config.json")[1]
    resource_group = SentinelUtils.config_reader.ConfigReader.read_config_values("config.json")[2]
else:
    # Run this if you are using DSVM.  You need to copy the values from config.json, if the file has no value, then you need to go to Log Analytics Portal to get the information.
    tenant_id = input('tenant_id:')
    subscription_id = input('subscription_id:')
    resource_group = input('resource_group:')

## 2. Authentication to Azure Resource Management

In [None]:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.compute.models import DiskCreateOption

1. Select Authentication Methods<br>
If multi-factors authentication is enabled for your tenant, you must use Service Principal to authentication to Azure resource management.  Otherwise, you may choose either Service Principal or User ID/Password.

In [None]:
import ipywidgets as widgets
from IPython.display import display
auth_method = ['Service Principal', 'User ID/Password']
selected_auth = widgets.Dropdown(options=auth_method, value=auth_method[0],description='Auth Method:')
display(selected_auth)

2. Authentication

In [None]:
if selected_auth.value == 'Service Principal':
    credentials = ServicePrincipalCredentials(
        client_id=input('client_id:'), 
        secret=input('secret:'), 
        tenant=tenant_id)
else:
    from azure.common.credentials import UserPassCredentials
    import getpass
    uid = input('User ID:')
    pwd = getpass.getpass()
    credentials = UserPassCredentials(uid, pwd)
    
client = ResourceManagementClient(credentials, subscription_id)

## 3. Create VM Extension

1. Initialization

In [None]:
resource_group_client = ResourceManagementClient(credentials, subscription_id)
compute_client = ComputeManagementClient(credentials, subscription_id)
network_client = NetworkManagementClient(credentials, subscription_id)

In [None]:
# User input
vm_extension_name = 'sentinelmemoryinvestigator'
vm_name = input('vm_name:')

2. Get Vm extension Information

In [None]:
vm = compute_client.virtual_machines.get(resource_group, vm_name, expand='instanceView')
ext = vm.instance_view.extensions

In [None]:
def has_vm_agent(vm):
    try:
        return vm.instance_view.vm_agent is not None
    except:
        return False

In [None]:
def has_vm_extensions(vm):
    try:
        return vm.instance_view.extensions is not None
    except:
        return False
    
def get_customscript_extensions(vm):
    try:
        exts = vm.instance_view.extensions
        if exts is not None:
            return list(ext for ext in exts if ext.type == 'Microsoft.Azure.Extensions.CustomScript')
        else:
            return None
    except:
        return None
    
def delete_vm_extension():
    async_vm_extension_delete = compute_client.virtual_machine_extensions.delete(resource_group, vm_name, vm_extension_name)
    vm_ext_delete = async_vm_extension_delete.result()

In [None]:
if has_vm_agent(vm) == False:
    print('No guest agent on the VM, VM Extension does not support')
else:
    exts = get_customscript_extensions(vm)
    if get_customscript_extensions(vm) is not None:
        print('VM has custom script extension installed altready, need to delete the VM extension first to continue')
    else:
        print('Continue')

In [None]:
# Delete VM Extension
#async_vm_extension_delete = delete_vm_extension()

3. Create VM Extension on Windows VM

In [None]:
# Set CIS endpoint VMExtensionProperties
api_version = '2015-06-15'
command_key = 'commandToExecute'
command_to_execute = 'sudo sh hello.sh'
type_handler_version = '2.0'
type_publisher = 'Microsoft.Azure.Extensions'
resource_type = 'virtualMachines'
extension_type = 'CustomScript'
file_uris = ['https://pitestgenstorage.blob.core.windows.net/vmextension/hello.sh?sp=r&st=2019-03-20T00:41:07Z&se=2019-04-06T08:41:07Z&spr=https&sv=2018-03-28&sig=Zf8oy5XsJlZ9TwKCfmMmV6hLcRtJRWSBlx9sAoYZygM%3D&sr=b']

In [None]:
# Add settings
import json
protected_settings = {}
protected_settings[command_key] = command_to_execute

settings = {}
settings['fileUris'] = file_uris

In [None]:
# Initialize VM Extension object
import azure
vm_extensions = azure.mgmt.compute.models.VirtualMachineExtension(
    location = vm.location,
    publisher = type_publisher,
    virtual_machine_extension_type = extension_type,
    type_handler_version = type_handler_version,
    auto_upgrade_minor_version = True,
    settings = settings,
    protected_settings = protected_settings
)

In [None]:
# Create VM extension
async_vm_extension_creation = compute_client.virtual_machine_extensions.create_or_update(
        resource_group,
        vm.name,
        vm_extension_name,
        vm_extensions
    )

vm_ext = async_vm_extension_creation.result()

In [None]:
vm_ext.__dir__()
print(vm_ext.provisioning_state)

4. Delete VM Extension as a final step

In [None]:
async_vm_extension_delete = delete_vm_extension()