
clong / detectionlab

4.5K 150.0 970.0 194.61 MB

Automate the creation of a lab environment complete with security tooling and logging best practices

License: MIT License

Languages: Batchfile 0.90%, PowerShell 9.56%, Ruby 0.21%, Shell 6.36%, HTML 79.34%, HCL 3.52%, AutoHotkey 0.10%
Topics: vagrant, vagrantfile, packer, information-security, lab-environment, dfir, terraform, ansible, powershell, detection

detectionlab's People

Contributors

aancw, asvoboda, benheise, clong, deathbywedgie, dlee35, dmi3mis, dtrizna, hackinggoblin, jaredhaight, juju4, kylesferrazza, lnxg33k, man715, masq, matteturner, olafhartong, p-zim, security-companion, selora, srapspencer, stavhaygn, sukster, t-paris, tbennett6421, umairqamar, xx4h, zearioch, zephrfish, zwinnerman-fleetdm


detectionlab's Issues

Win10 Hanging After Joining Domain

==> win10: PSComputerName   :
==> win10: Now join the domain
==> win10: HasSucceeded : True
==> win10: ComputerName : win10
==> win10: WARNING: The changes will take effect after you restart the computer win10.
==> win10: Setting timezone to UTC
==> win10: Hint: vagrant reload win10 --provision
Vagrant timed out while attempting to connect via WinRM. This usually
means that the VM booted, but there are issues with the WinRM configuration
or network connectivity issues. Please try to `vagrant reload` or
`vagrant up` again.

port forwarding issue

  • Operating System Version: Win 10
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version: 2.0.1
  • Packer Version: 1.1.3
  • Is the issue reproducible or intermittent? yes

Description of the issue:

When doing vagrant up, it stops with this error. Any help appreciated

==> dc: Setting the name of the VM: Vagrant_dc_1515109207844_92456
==> dc: Fixed port collision for 22 => 2222. Now on port 2200.
Vagrant cannot forward the specified ports on this VM, since they
would collide with some other application that is already listening
on these ports. The forwarded port to 8000 is already in use
on the host machine.

To fix this, modify your current project's Vagrantfile to use another
port. Example, where '1234' would be replaced by a unique host port:

config.vm.network :forwarded_port, guest: 8000, host: 1234

WEF question

Hey Chris, I honestly gave up on the Vagrant setup and pulled out the WEF/DC specific scripts and am starting to implement them in our environment. I have the WEF server up along with the GPOs deployed and assigned to a test OU.

I was waiting for the events to show up in the default Forwarded Events section of the Event Viewer, but they were not showing up; then I found them in Applications and Services Logs under different WEC folders. Again, I don't know WEF well, so is there a reason for them being in these folders vs. the default Forwarded Events one? Also, what is the reasoning behind the number and how things are broken out?

Packer: vmware-iso: Error processing command: Error uploading ps script containing env vars: Couldn't determine whether destination was a folder or file

  • Operating System Version: 10.12.6
  • Provider (VirtualBox/VMWare): VMWare
  • Vagrant Version: 2.0.2
  • Packer Version: 1.2.1
  • Is the issue reproducible or intermittent? Unknown as of yet

Description of the issue:

Error while building Win10 host with Packer

    vmware-iso: SUCCESS: The file (or folder): "C:\Windows\System32\MusNotificationUx.exe" now owned by user "VAGRANT-10\vagrant".
    vmware-iso: processed file: C:\Windows\System32\MusNotificationUx.exe
    vmware-iso: Successfully processed 1 files; Failed processing 0 files
    vmware-iso: correct and try again.
    vmware-iso: At C:\Windows\Temp\script-5a9b3eb5-97fa-5476-63fb-290426bd4360.ps1:19 char:3
    vmware-iso: +   Uninstall-WindowsFeature Windows-Defender-Features
    vmware-iso: +   ~~~~~~~~~~~~~~~~~~~~~~~~
    vmware-iso:     + CategoryInfo          : ObjectNotFound: (Uninstall-WindowsFeature:String) [], CommandNotFoundException
    vmware-iso:     + FullyQualifiedErrorId : CommandNotFoundException
    vmware-iso:
==> vmware-iso: Provisioning with powershell script: ./scripts/MakeWindows10GreatAgain.ps1
    vmware-iso: Making Windows 10 Great again
    vmware-iso: Importing registry keys...
    vmware-iso: Updating Powershell Help Library...
==> vmware-iso: Provisioning with powershell script: ./scripts/rearm-windows.ps1
==> vmware-iso: Stopping virtual machine...
==> vmware-iso: Deleting output directory...
Build 'vmware-iso' errored: Error processing command: Error uploading ps script containing env vars: Couldn't determine whether destination was a folder or file: unknown error Post http://192.168.123.136:5985/wsman: dial tcp 192.168.123.136:5985: i/o timeout

Swap Splunk for Invoke-IR ACE and Helk

This is not really an issue, but perhaps a direction that would be interesting for users, and also for the respective devs of the two projects.

A lot of props for PowerShell-based DFIR, and the HELK project contains very modular Sysmon configs, a Spark analytics layer, and an integration with Invoke-IR ACE.

I feel kinda cheap raising this without actually offering to help out, but my dev skills aren't tip top =/

Different CI tests based on Packer/Vagrant modifications

Using CircleCI, we can determine which files were changed in a specific commit.

If only files in the Packer directory were added/modified, a CircleCI workflow should be created to ensure the Packer builds still complete successfully. Added bonus if this can be done using parallel CircleCI builds.

If only files in the Vagrant directory were added/modified, the existing CI tests should be used with pre-built boxes

If files in both the Packer and Vagrant directory were added/modified, the project should be built from scratch.

Dependent on C: drive

  • Operating System Version: W10
  • Provider (VirtualBox/VMWare): Virtualbox
  • Vagrant Version: 2.0.1
  • Packer Version: 1.1.3
  • Is the issue reproducible or intermittent? Yes

Installation on Windows 10 depends heavily on the free space of the C: drive. Since a lot of users use C:\ only for Windows (SSD) and D:\ for general purpose, this could be optional for a default user. I tried a lot of hacks to make it work. (I installed all tools and install scripts on D:, but it still uses C: for VMs etc., like C:\Users\username...)

PS: This can be done by setting VAGRANT_HOME to D:\etc_directory

Caldera operations are getting errors

  • Operating System Version: Mac OS 10.13.2
  • Provider (VirtualBox/VMWare): Virtualbox
  • Vagrant Version: 2.0.1
  • Packer Version: 1.0
  • Is the issue reproducible or intermittent? Reproducible

Description of the issue:

Each time I attempt to run an Operation with Caldera it fails to complete. I have performed multiple vagrant reloads and multiple vagrant destroys and then vagrant up to recreate the lab but the issue still occurs on each operation.

Below is the recurring error in Caldera.

Hostname: win10
Command Line: powershell -command -
StdIn: [[powerview]] Get-DomainComputer
StdOut:
Exception calling "FindAll" with "0" argument(s): "Unknown error (0x80005000)"
At line:6306 char:20

        else { $Results = $CompSearcher.FindAll() }
               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : COMException

Integrate Mitre's Caldera Framework

It would be awesome to automate attacks in this lab environment using Caldera

I did some testing to get it up and running tonight, and it seems like it should be pretty straightforward.


Server2016 Image Doesn't Shutdown After Sysprep

==> vmware-iso: Gracefully halting virtual machine...
==> vmware-iso: Timeout while waiting for machine to shut down.
==> vmware-iso: Stopping virtual machine...
==> vmware-iso: Deleting output directory...
Build 'vmware-iso' errored: Timeout while waiting for machine to shut down.

Vagrant scripts need pre/post setup checks

The vast majority of Vagrant scripts would benefit from pre-checks that determine if the action to be taken has already been run and post-checks that verify that the script completed successfully.

https://github.com/clong/DetectionLab/blob/master/Vagrant/scripts/install-inputsconf.ps1 is a good example. The pre-check should determine if the inputs.conf already exists and the post-check should also verify that the file is present and that the Splunk forwarder service was able to start successfully.

Pre-checks will prevent issues if a host is accidentally re-provisioned, and post-checks will make the install process more robust.
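The request above is about the Windows provisioning scripts such as install-inputsconf.ps1, but the shape it asks for (pre-check, do the work only if needed, post-check the artifact and the service) is the same on the Linux logger host. The bash script below is an added example and not DetectionLab code; the inputs.conf path, the monitor stanza and the service-status command are assumptions, exposed as environment variables so the script can be exercised against a temporary directory without a real Splunk forwarder.

```shell
#!/usr/bin/env bash
# Added example (not DetectionLab's own script): an idempotent provisioning
# step with an explicit pre-check and post-check, in the style requested
# for install-inputsconf.ps1, written for a Linux host such as "logger".
set -eu

# Assumed target path for the forwarder's inputs.conf; override for testing.
SPLUNK_INPUTS="${SPLUNK_INPUTS:-/opt/splunkforwarder/etc/system/local/inputs.conf}"
# Assumed service-status command; override so the example runs without systemd.
SERVICE_CHECK="${SERVICE_CHECK:-systemctl is-active --quiet SplunkForwarder}"

# Constructed inputs.conf content for the example (one monitor stanza).
INPUTS_CONTENT='[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = main'

# Pre-check: succeed only if the step has already been applied, which means
# the file exists, is non-empty and carries the stanza we expect to install.
inputs_conf_present() {
    [ -s "$SPLUNK_INPUTS" ] && grep -q '^\[monitor:///var/log/auth.log\]' "$SPLUNK_INPUTS"
}

# The actual work; only called when the pre-check fails.
install_inputs_conf() {
    mkdir -p "$(dirname "$SPLUNK_INPUTS")"
    printf '%s\n' "$INPUTS_CONTENT" > "$SPLUNK_INPUTS"
}

# Post-check: the artifact must be present and the forwarder must be running.
# Returns non-zero with a reason on stderr so Vagrant flags the provisioner.
verify_inputs_conf() {
    if ! inputs_conf_present; then
        echo "post-check failed: $SPLUNK_INPUTS missing or incomplete" >&2
        return 1
    fi
    if ! sh -c "$SERVICE_CHECK"; then
        echo "post-check failed: forwarder service is not running" >&2
        return 1
    fi
    return 0
}

# Orchestrate pre-check -> work -> post-check. Safe to run repeatedly: a
# re-provisioned host skips the write instead of clobbering the file.
provision_inputs_conf() {
    if inputs_conf_present; then
        echo "inputs.conf already installed, skipping"
    else
        install_inputs_conf
        echo "inputs.conf written"
    fi
    verify_inputs_conf
}
```

Run as `SPLUNK_INPUTS=/tmp/lab/inputs.conf SERVICE_CHECK=true bash -c '. ./provision.sh; provision_inputs_conf'` to see the first run write the file and a second run skip it; with `SERVICE_CHECK=false` the post-check fails and the function returns 1, which is what makes a Vagrant shell provisioner report the failure instead of printing "complete" over a broken install.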

Interface Error upon Vagrant Up

Hi! First off - awesome work - the amount of time to get this sort of lab set up will be reduced significantly due to this effort.

For the error - is this something you've run across using Virtualbox? Everything up to this point completed without issue.

==> logger: Configuring and enabling network interfaces...
The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

/sbin/ifdown 'eth1' || true
/sbin/ip addr flush dev 'eth1'

# Remove any previous network modifications from the interfaces file
sed -e '/^#VAGRANT-BEGIN/,$ d' /etc/network/interfaces > /tmp/vagrant-network-interfaces.pre
sed -ne '/^#VAGRANT-END/,$ p' /etc/network/interfaces | tac | sed -e '/^#VAGRANT-END/,$ d' | tac > /tmp/vagrant-network-interfaces.post

cat \
  /tmp/vagrant-network-interfaces.pre \
  /tmp/vagrant-network-entry \
  /tmp/vagrant-network-interfaces.post \
  > /etc/network/interfaces

rm -f /tmp/vagrant-network-interfaces.pre
rm -f /tmp/vagrant-network-entry
rm -f /tmp/vagrant-network-interfaces.post

/sbin/ifup 'eth1'

Stdout from the command:

Failed to bring up eth1.

Stderr from the command:

/sbin/ifdown: interface eth1 not configured
/usr/sbin/fanctl: 41: /usr/sbin/fanctl: arithmetic expression: expecting primary: " (32-)/4 "
run-parts: /etc/network/if-up.d/ubuntu-fan exited with return code 2

Splunk Stops Indexing

I've run through the setup twice and both times I have now run in to this issue. Haven't done in-depth investigation yet.

After running for a few hours, splunk seems to stop indexing any new events. Looking to determine if this is a splunk/logger or a wef issue.

In both cases, it looks as though the ports are still opening/listening, and splunk is still accessible via the web app on logger.

Caldera doesn't start after reboot of logger

  • Operating System Version: macOS 10.13.2
  • Provider (VirtualBox/VMWare):VirtualBox
  • Vagrant Version: 2.0.1
  • Packer Version: 1.1.3
  • Is the issue reproducible or intermittent?

Description of the issue:

After reboot of the logger the Caldera service does not start automatically.

When attempting to start it manually I receive the following error:

Traceback (most recent call last):
File "caldera.py", line 16, in <module>
from app import server
File "/home/vagrant/caldera/caldera/app/server.py", line 136
async def heartbeat_init():
^
SyntaxError: invalid syntax

Missing provisioning script for the win10 virtual machine

The provisioning of the Windows 10 virtual machine failed on my box, because the script install-autorunwineventlog.ps1 is expecting the C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog directory to exist.

This directory structure is created by the download_palantir_wef.ps1 script, which is missing from the provisioning instructions for the Windows 10 VM.

Adding the following line here did the trick for me:

cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true

wef: Exception calling "DownloadFile" with "2" argument(s): "The remote name could not be resolved: 'download.splunk.com'"

I commented out the deployment of the logger and the DC seemed to go successfully however the WEF system failed and as a result I think the desktop didn't deploy.

wef: Downloading Splunk
  wef: Installing & Starting Splunk
  wef: Exception calling "DownloadFile" with "2" argument(s): "The remote name could not be resolved: 'download.splunk.com'"
  wef: At C:\tmp\vagrant-shell.ps1:8 char:3
  wef: +   (New-Object System.Net.WebClient).DownloadFile('https://www.splunk. ...
  wef: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  wef:     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
  wef:     + FullyQualifiedErrorId : WebException
  wef: Splunk installation complete!
==> wef: Running provisioner: shell...
  wef: Running: scripts/install-windows_ta.ps1 as c:\tmp\vagrant-shell.ps1
  wef: Installing the Windows TA for Splunk
  wef: Installing the Windows TA
  wef:     Directory: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows
  wef: Mode                LastWriteTime         Length Name
  wef: ----                -------------         ------ ----
  wef: d-----       12/15/2017  11:27 PM                local
  wef: Sleeping for 15 seconds
  wef: Start-Process : This command cannot be run due to the error: The system cannot find the file specified.
  wef: At C:\tmp\vagrant-shell.ps1:15 char:1
  wef: + Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bi ...
  wef: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  wef:     + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
  wef:     + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
  wef: Something went wrong during installation.
The following WinRM command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

powershell -ExecutionPolicy Bypass -OutputFormat Text -file "c:\tmp\vagrant-shell.ps1"

Stdout from the command:

Installing the Windows TA for Splunk
Installing the Windows TA


  Directory: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/15/2017  11:27 PM                local
Sleeping for 15 seconds
Something went wrong during installation.


Stderr from the command:

Start-Process : This command cannot be run due to the error: The system cannot find the file specified.
At C:\tmp\vagrant-shell.ps1:15 char:1
+ Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
  + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

Add more tools

  • Google Chrome (GoogleChrome)
  • Notepad++ (NotepadPlusPlus)
  • Mimikatz (Pull from GH)
  • WinRAR (winrar)

Logger box freezing at boot

  • Operating System Version: Ubuntu 16.04 VM (18 GB of RAM, 6vCPUs 500GB HDD) on ESXi 6.0.0
  • Provider (VirtualBox/VMWare): Virtual Box 5.2.8 (also tried 5.1)
  • Vagrant Version: 2.0.1
  • Packer Version: 1.2.1
  • Is the issue reproducible or intermittent? reproducible

Description of the issue:

Every time I run 'sudo vagrant up' it begins to boot the logger host, however it says 'VT-X/AMD-V hardware acceleration is not available on your system'.
I click okay and open the settings to enable hardware acceleration in the VM settings, however they are blanked out because the VM is currently running; when I shut it down it doesn't show up in the VirtualBox menu (where I would normally enable acceleration when it's off).
If I leave it running, it just sits at a blank screen with a _ flashing; I've left it for hours.

I have tried changing the VirtualBox version, purging the logger box and redownloading it (which different versions of VB install), and a bunch of other tweaks. There isn't an option to enable acceleration in the BIOS of the Ubuntu VM (on ESXi).

cannot load such file -- winrm-fs (LoadError)

  • Operating System Version: Ubuntu 17.10
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version: 1.9.1
  • Packer Version: 1.0.2
  • Is the issue reproducible or intermittent?

Description of the issue:

vagrant up
causes the following error: /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- winrm-fs (LoadError)

Had to install winrm and winrm-fs plugins
Which gave another error: WinRM::WinRMWebService (NameError)

According to this site, one of the gems broke a reference: NetDocuments-Archive/rd-winrm-plugin#29

Fix:
vagrant plugin install winrm --plugin-version 1.8.1
vagrant plugin install winrm-fs

Add a build.sh script

Add a shell script that automates (and validates) the entire build process step-by-step.

win10: deployment errors

Sorry for another one, I kicked off just the win10 machine and got a few errors. Looks like atom stuff and splunk.

win10: gyp info it worked if it ends with ok
  win10: gyp info using node-gyp@3.4.0
  win10: gyp info using node@6.9.5 | win32 | x64
  win10: gyp http GET https://atom.io/download/electron/v1.6.15/iojs-v1.6.15.tar.gz
  win10: gyp http 200 https://atom.io/download/electron/v1.6.15/iojs-v1.6.15.tar.gz
  win10: gyp http GET https://atom.io/download/electron/v1.6.15/SHASUMS256.txt
  win10: gyp http GET https://atom.io/download/electron/v1.6.15/win-x86/iojs.lib
  win10: gyp http GET https://atom.io/download/electron/v1.6.15/win-x64/iojs.lib
  win10: gyp WARN install got an error, rolling back install
  win10: gyp ERR! install error
  win10: gyp ERR! stack Error: getaddrinfo ENOTFOUND atom.io atom.io:443
  win10: gyp ERR! stack     at errnoException (dns.js:28:10)
  win10: gyp ERR! stack     at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:76:26)
  win10: gyp ERR! System Windows_NT 10.0.15063
  win10: gyp ERR! command "C:\\Users\\vagrant\\AppData\\Local\\atom\\app-1.23.1\\resources\\app\\apm\\bin\\node.exe" "C:\\Users\\vagrant\\AppData\\Local\\atom\\app-1.23.1\\resources\\app\\apm\\node_modules\\node-gyp\\bin\\node-gyp.js" "install" "--runtime=electron" "--target=1.6.15" "--dist-url=https://atom.io/download/electron" "--arch=x64" "--ensure"
  win10: gyp ERR! cwd C:\Users\vagrant\.atom
  win10: gyp ERR! node -v v6.9.5
  win10: gyp ERR! node-gyp -v v3.4.0
  win10: gyp ERR! not ok
  win10:

Another error

win10: Stop-Service : Service 'SplunkForwarder Service (splunkforwarder)' cannot be stopped due to the following error:
    win10: Cannot stop splunkforwarder service on computer '.'.
    win10: At C:\tmp\vagrant-shell.ps1:7 char:1
    win10: + Stop-Service splunkforwarder
    win10: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Stop-Service],
    win10:    ServiceCommandException
    win10:     + FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand
    win10: WARNING: Waiting for service 'SplunkForwarder Service (splunkforwarder)' to start...
    win10: WARNING: Waiting for service 'SplunkForwarder Service (splunkforwarder)' to start...

Packer error when compiling dotnet assemblies

  • Operating System Version: Windows 10
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version: 2.0.2
  • Packer Version: 1.2.1
  • Is the issue reproducible or intermittent? Reproducible

Description of the issue:

Error while building Win10 host with Packer

==> virtualbox-iso: Provisioning with shell script: ./scripts/compile-dotnet-assemblies.bat
    virtualbox-iso:
    virtualbox-iso: C:\Users\vagrant>if "AMD64" == "AMD64" goto 64BIT
    virtualbox-iso:
    virtualbox-iso: C:\Users\vagrant>C:\Windows\microsoft.net\framework\v4.0.30319\ngen.exe update /force /queue
    virtualbox-iso: Microsoft (R) CLR Native Image Generator - Version 4.7.2556.0
    virtualbox-iso: Copyright (c) Microsoft Corporation.  All rights reserved.
    virtualbox-iso:
    virtualbox-iso: C:\Users\vagrant>C:\Windows\microsoft.net\framework64\v4.0.30319\ngen.exe update /force /queue
    virtualbox-iso: Microsoft (R) CLR Native Image Generator - Version 4.7.2556.0
    virtualbox-iso: Copyright (c) Microsoft Corporation.  All rights reserved.
    virtualbox-iso:
    virtualbox-iso: C:\Users\vagrant>C:\Windows\microsoft.net\framework\v4.0.30319\ngen.exe executequeueditems
    virtualbox-iso: Microsoft (R) CLR Native Image Generator - Version 4.7.2556.0


....

    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly Microsoft.WindowsAuthenticationProtocols.Commands, Version=10.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=amd64 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly Microsoft.WSMan.Management, Version=3.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly Microsoft.WSMan.Management.Activities, Version=3.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly Microsoft.WSMan.Runtime, Version=3.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 2>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 2>    Compiling assembly MiguiControls, Version=1.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly MMCEx, Version=3.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly MMCFxCommon, Version=3.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly napinit, Version=10.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly SecurityAuditPoliciesSnapIn, Version=10.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly SrpUxSnapIn, Version=10.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 1>    Compiling assembly System.Management.Automation, Version=3.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: 2>    Compiling assembly System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 (CLR v4.0.30319) ...
    virtualbox-iso: 2>    Compiling assembly TaskScheduler, Version=10.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil (CLR v4.0.30319) ...
    virtualbox-iso: The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
==> virtualbox-iso: Deregistering and deleting VM...
==> virtualbox-iso: Deleting output directory...
Build 'virtualbox-iso' errored: Script exited with non-zero exit status: 4294967295

==> Some builds didn't complete successfully and had errors:
--> virtualbox-iso: Script exited with non-zero exit status: 4294967295

==> Builds finished but no artifacts were created.

Sysmon v7

Heads up here @clong , Swift has yet to update the config to schema 4 (SwiftOnSecurity/sysmon-config#45). During my build today, it downloaded sysmon v7 and failed to launch sysmon due to schema 3.30 on the Swift config. Changed it manually, and back in operation.

Fleet packs aren't populating due to bug with ConfigImporter

root@logger:/home/vagrant/osquery-configuration/Endpoints/Windows# /home/vagrant/configimporter/configimporter -host https://localhost:8412 -user 'admin' -config osquery_to_import.conf

Running import with the following parameters:
USER:        admin
HOST:        https://localhost:8412
CONFIG FILE: osquery_to_import.conf
DRY RUN:     false


Response Status: 422 Unprocessable Entity

Validation Failed
=================
options - invalid type for 'logger_snapshot_event_type'

A quick fix is to just leave logger_snapshot_event_type out of the config.

logger: mysqladmin: connect to server at 'mysql' failed

First, thank you for doing this. Last week I was looking into setting up WEF and this morning I saw the ISC post. I had never used Vagrant or Packer, so it took me a little while to figure that out. I also had to disable desktop and firewall AV so that the download of the ISOs would work. This issue may be related to that, as the gateway AV has been enabled now.

When I ran "vagrant up" it started to build the Ubuntu box but gets stuck here.

    logger: ca2a791aeb35: Verifying Checksum
    logger: ca2a791aeb35: Download complete
    logger: ca2a791aeb35: Pull complete
    logger: Digest: sha256:1f95a2ba07ea2ee2800ec8ce3b5370ed4754b0a71d9d11c0c35c934e9708dcf1
    logger: Status: Downloaded newer image for mysql:5.7
    logger: mysqladmin: [Warning] Using a password on the command line interface can be insecure.
    logger: mysqladmin: connect to server at 'mysql' failed
    logger: error: 'Unknown MySQL server host 'mysql' (110)'
    logger: Check that mysqld is running on mysql and that the port is 3306.
    logger: You can check this by doing 'telnet mysql 3306'
    logger: .
    logger: mysqladmin:
    logger: [Warning] Using a password on the command line interface can be insecure.
    logger: mysqladmin: connect to server at 'mysql' failed
    logger: error: 'Unknown MySQL server host 'mysql' (110)'
    logger: Check that mysqld is running on mysql and that the port is 3306.
    logger: You can check this by doing 'telnet mysql 3306'

WinRM timeout when running Windows 2016 Packer Build

  • Operating System Version: Ubuntu 17.10
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version:
  • Packer Version:
  • Is the issue reproducible or intermittent? Y

Description of the issue:

The script kept timing out when installing the Windows 2016 updates. Changing the values in the config file resolved the issue. You could put something in the readme for people with slower lab machines.

Mimikatz is not downloading correctly

    wef: At C:\tmp\vagrant-shell.ps1:24 char:1
    wef: + Invoke-WebRequest -Uri "https://github.com/gentilkiwi/mimikatz/releas ...
    wef: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    wef:     + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    wef:    eption
    wef:     + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Fix auditing GPOs to not include registry stuff

==> dc: The following warnings were encountered during computer policy processing:
==> dc: Windows failed to apply the Group Policy Registry settings. Group Policy Registry settings might have its own log file. Please click on the "More information" link.
==> dc: User Policy update has completed successfully.
==> dc: For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

build.sh - Line 132

  • Operating System Version: Ubuntu 16.04.3 (With all patches)

  • Provider (VirtualBox/VMWare): VirtualBox 5.0.40_Ubuntu r115130

  • Vagrant Version: Vagrant 2.0.2

  • Packer Version: 1.2.0

  • Is the issue reproducible or intermittent? Reproducible

Description of the issue:

I've worked through several previous issues with the script, but noticed that the script only provides error output if I run as my local user (without sudo). However, the below issue only errors out when I run with sudo.

I'm getting the below error, but only when I run with sudo. When I remove the IF statement (as it is just a check on the packer version) the script fails with no error message. I'm unable to determine what is failing and where.

Lab02:/data/DetectionLab-master$ ./build.sh virtualbox
Lab02:/data/DetectionLab-master$ sudo !!
sudo ./build.sh virtualbox
./build.sh: line 132: packer: command not found
./build.sh: line 132: [: ==: unary operator expected
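The two messages above are one failure, not two: under sudo the PATH is reset to secure_path, so `packer` is not found, the command substitution in the version check expands to nothing, and an unquoted empty expansion leaves `[` looking at `== <version>`, which it reports as "unary operator expected". The script below is an added example, not DetectionLab's build.sh (line 132 of the real script is not shown on this page); it reconstructs that fragile check next to a version that resolves the binary first and fails with a useful message. The binary name and the required version are assumptions exposed as environment variables.

```shell
#!/usr/bin/env bash
# Added example, not the project's build.sh. Reconstructs the failure pattern
# behind "[: ==: unary operator expected" and shows a check that fails
# cleanly when packer cannot be found, e.g. under sudo whose secure_path
# does not include directories the user added to PATH.
set -eu

# Assumptions for the example: which binary to check and which version is
# required. Pointing PACKER_BIN at an absolute path also sidesteps sudo's PATH reset.
PACKER_BIN="${PACKER_BIN:-packer}"
REQUIRED_PACKER_VERSION="${REQUIRED_PACKER_VERSION:-1.2.0}"

# Fragile form, kept for comparison: when the command is missing the
# substitution is empty and unquoted, so `[` sees "== 1.2.0" and reports
# "unary operator expected"; the real cause only shows up as a stray
# "command not found" line. `==` inside `[` is also a bashism.
fragile_packer_check() {
    if [ $($PACKER_BIN --version) == "$REQUIRED_PACKER_VERSION" ]; then
        return 0
    fi
    return 1
}

# Robust form: resolve the binary first, quote every expansion, use POSIX `=`.
# Prints the detected version on success; returns 1 if the binary is missing
# and 2 if the version does not match.
robust_packer_check() {
    if ! command -v "$PACKER_BIN" >/dev/null 2>&1; then
        printf 'packer not found (PACKER_BIN=%s, PATH=%s)\n' "$PACKER_BIN" "$PATH" >&2
        printf 'hint: sudo resets PATH; run without sudo, set PACKER_BIN, or use: sudo env PATH="$PATH" ./build.sh virtualbox\n' >&2
        return 1
    fi
    actual=$("$PACKER_BIN" --version 2>/dev/null | head -n 1)
    if [ "$actual" != "$REQUIRED_PACKER_VERSION" ]; then
        printf 'packer %s found, but %s is required\n' "${actual:-<none>}" "$REQUIRED_PACKER_VERSION" >&2
        return 2
    fi
    printf '%s\n' "$actual"
}
```

The distinct return codes matter for a build script: the caller can tell "install packer or fix PATH" apart from "wrong version" and stop before Packer starts downloading ISOs, which is where the original report only discovered the problem.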
