Skip to content
Permalink
Browse files

Update Splunk apps, create vagrantfile_minimum, bugfixes

  • Loading branch information...
clong committed Mar 2, 2019
1 parent ef566fc commit 93183a95e25c0437b753712e5f2c16f6f37ea25d
@@ -2,8 +2,7 @@
* Provider (VirtualBox/VMWare):
* Vagrant Version:
* Packer Version:
* Are you using stock boxes (downloaded) or were they built from scratch using Packer?
* Is the issue reproducible or intermittent?

### Description of the issue:


@@ -56,6 +56,8 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -118,6 +120,8 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -158,10 +162,10 @@ Vagrant.configure("2") do |config|
config.vm.define "win10" do |cfg|
cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
cfg.vm.hostname = "win10"
cfg.vm.boot_timeout = 600
cfg.vm.boot_timeout = 6000
cfg.vm.communicator = "winrm"
cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300
cfg.winrm.timeout = 600
cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"

@@ -175,6 +179,8 @@ Vagrant.configure("2") do |config|
cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
@@ -0,0 +1,216 @@
Vagrant.configure("2") do |config|

config.vm.define "logger" do |cfg|
cfg.vm.box = "bento/ubuntu-16.04"
cfg.vm.hostname = "logger"
config.vm.provision :shell, path: "bootstrap.sh"
cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"

cfg.vm.provider "vmware_fusion" do |v, override|
v.vmx["displayname"] = "logger"
v.memory = 2048
v.cpus = 1
v.gui = true
end

cfg.vm.provider "vmware_desktop" do |v, override|
v.vmx["displayname"] = "logger"
v.memory = 4096
v.cpus = 2
v.gui = true
end

cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "logger"
vb.customize ["modifyvm", :id, "--memory", 4096]
vb.customize ["modifyvm", :id, "--cpus", 2]
vb.customize ["modifyvm", :id, "--vram", "32"]
vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
end
end

config.vm.define "dc" do |cfg|
cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
cfg.vm.hostname = "dc"
cfg.vm.boot_timeout = 600
# use the plaintext WinRM transport and force it to use basic authentication.
# NB this is needed because the default negotiate transport stops working
# after the domain controller is installed.
# see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
cfg.winrm.transport = :plaintext
cfg.vm.communicator = "winrm"
cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300
cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1"

cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.102"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "reload"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false

cfg.vm.provider "vmware_fusion" do |v, override|
override.vm.box = "../Boxes/windows_2016_vmware.box"
v.vmx["displayname"] = "dc.windomain.local"
v.memory = 2560
v.cpus = 2
v.gui = true
end

cfg.vm.provider "vmware_desktop" do |v, override|
override.vm.box = "../Boxes/windows_2016_vmware.box"
v.vmx["displayname"] = "dc.windomain.local"
v.memory = 2560
v.cpus = 2
v.gui = true
v.enable_vmrun_ip_lookup = false
end

cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "dc.windomain.local"
vb.default_nic_type = "82545EM"
vb.customize ["modifyvm", :id, "--memory", 2560]
vb.customize ["modifyvm", :id, "--cpus", 2]
vb.customize ["modifyvm", :id, "--vram", "32"]
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
end
end

config.vm.define "wef" do |cfg|
cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
cfg.vm.hostname = "wef"
cfg.vm.boot_timeout = 600
cfg.vm.communicator = "winrm"
cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300
cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"

cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.103 -dns 192.168.38.102"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "reload"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false

cfg.vm.provider "vmware_fusion" do |v, override|
override.vm.box = "../Boxes/windows_2016_vmware.box"
v.vmx["displayname"] = "wef.windomain.local"
v.memory = 2048
v.cpus = 2
v.gui = true
end

cfg.vm.provider "vmware_desktop" do |v, override|
override.vm.box = "../Boxes/windows_2016_vmware.box"
v.vmx["displayname"] = "wef.windomain.local"
v.memory = 2048
v.cpus = 2
v.gui = true
v.enable_vmrun_ip_lookup = false
end

cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "wef.windomain.local"
vb.default_nic_type = "82545EM"
vb.customize ["modifyvm", :id, "--memory", 2048]
vb.customize ["modifyvm", :id, "--cpus", 2]
vb.customize ["modifyvm", :id, "--vram", "32"]
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
end
end

config.vm.define "win10" do |cfg|
cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
cfg.vm.hostname = "win10"
cfg.vm.boot_timeout = 600
cfg.vm.communicator = "winrm"
cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300
cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"

cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "reload"
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false

cfg.vm.provider "vmware_fusion" do |v, override|
override.vm.box = "../Boxes/windows_10_vmware.box"
v.vmx["displayname"] = "win10.windomain.local"
v.vmx["gui.fullscreenatpoweron"] = "FALSE"
v.vmx["gui.viewModeAtPowerOn"] = "windowed"
v.vmx["gui.fitguestusingnativedisplayresolution"] = "FALSE"
v.memory = 2048
v.cpus = 1
v.gui = true
end

cfg.vm.provider "vmware_desktop" do |v, override|
override.vm.box = "../Boxes/windows_10_vmware.box"
v.vmx["displayname"] = "win10.windomain.local"
v.vmx["gui.fullscreenatpoweron"] = "FALSE"
v.vmx["gui.viewModeAtPowerOn"] = "windowed"
v.memory = 2048
v.cpus = 1
v.gui = true
v.enable_vmrun_ip_lookup = false
end

cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "win10.windomain.local"
vb.default_nic_type = "82545EM"
vb.customize ["modifyvm", :id, "--memory", 2048]
vb.customize ["modifyvm", :id, "--cpus", 1]
vb.customize ["modifyvm", :id, "--vram", "32"]
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
end
end
end
@@ -76,11 +76,11 @@ install_splunk() {
/opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_012.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_100.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_11.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_12.tgz -auth 'admin:changeme'
# Add custom Macro definitions for ThreatHunting App
cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/local

Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,14 @@
# Purpose: Install additional packages from Chocolatey.

If (-not (Test-Path "C:\ProgramData\chocolatey")) {
Write-Host "Installing Chocolatey"
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
} else {
Write-Host "Chocolatey is already installed."
}

Write-Host "Installing Chocolatey extras..."
choco install -y wireshark
choco install -y microsoft-message-analyzer

Write-Host "Utilties installation complete!"
@@ -0,0 +1,44 @@
# Purpose: Installs Mimikatz and Powersploit into c:\Tools\Mimikatz. Used to install redteam related tooling.

# Disable Windows Defender realtime scanning before downloading Mimikatz and drop the firewall
If ($env:computername -eq "win10") {
If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
{
Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
}
gpupdate /force | Out-String
Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
set-MpPreference -DisableRealtimeMonitoring $true
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
}

# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
Write-Host "Determining latest release of Mimikatz..."
# GitHub requires TLS 1.2 as of 2/27
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
if (-not (Test-Path $mimikatzRepoPath))
{
Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
}
else
{
Write-Host "Mimikatz was already installed. Moving On."
}

# Download and unzip a copy of PowerSploit
Write-Host "Downloading Powersploit..."
# GitHub requires TLS 1.2 as of 2/27
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
if (-not (Test-Path $powersploitRepoPath)) {
Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
} else {
Write-Host "PowerSploit was already installed. Moving On."
}
Oops, something went wrong.

0 comments on commit 93183a9

Please sign in to comment.
You can’t perform that action at this time.