cyberdefenders / detectionlabelk

DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.

License: MIT License

Batchfile 7.41% PowerShell 53.31% Ruby 1.74% HCL 5.81% Shell 31.73%
vagrant detectionlab osquery elk packer dfir threat-hunting

detectionlabelk's Introduction

DetectionLabELK

DetectionLabELK is a fork from Chris Long's DetectionLab with ELK stack instead of Splunk.

Description:

DetectionLabELK is the lab to use if you want to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blue teams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices for system logging configuration. It can easily be modified to fit most needs or expanded to include additional hosts.

Use cases:

A popular use case for DetectionLabELK is when you are adopting the MITRE ATT&CK framework and would like to develop detections for its tactics. You can use DetectionLabELK to quickly run atomic tests, see what logs are generated and compare them to your production environment. This way you can:

  • Validate that your production logging is working as expected.
  • Ensure that your SIEM is collecting the correct events.
  • Enhance alerts quality by reducing false positives and eliminating false negatives.
  • Minimize coverage gaps.
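The "run an atomic test, see what logs appear, compare with production" loop above can be turned into a check. The following is an added example, not code from the DetectionLabELK project: it takes a sample of events, asks whether each telemetry source the lab's GPOs and agents are meant to produce (Sysmon process creation, Security 4688 with a command line, PowerShell script block logging, Sysmon network connections) is present and populated, and then lists the sources that are healthy in the lab but not in production. The event documents are constructed inline; their shape (winlog.channel, winlog.event_id, winlog.event_data) is an assumption modelled on Winlogbeat output and the exact field names will differ across Beats versions and ECS mappings.

```python
"""Coverage check for the telemetry DetectionLabELK is built to produce.

Added example, not code from the DetectionLabELK project. Runs offline over
constructed events; the document shape (winlog.channel, winlog.event_id,
winlog.event_data) is an assumption modelled on Winlogbeat output.
"""
from collections import defaultdict

# What a process-execution atomic test should leave behind in a lab whose
# GPOs enable command-line auditing, PowerShell script block logging and Sysmon.
# name -> (channel, event ID, event_data field that must be populated, or None)
EXPECTED_SOURCES = {
    "sysmon_process_create": ("Microsoft-Windows-Sysmon/Operational", 1, "CommandLine"),
    "security_4688_cmdline": ("Security", 4688, "CommandLine"),
    "powershell_scriptblock": ("Microsoft-Windows-PowerShell/Operational", 4104, "ScriptBlockText"),
    "sysmon_network_connect": ("Microsoft-Windows-Sysmon/Operational", 3, None),
}


def _event(channel, event_id, **event_data):
    """Build one constructed, Winlogbeat-like event document."""
    return {"winlog": {"channel": channel, "event_id": event_id, "event_data": event_data}}


# Constructed sample: the lab after a "whoami /all" style test. All sources present.
SAMPLE_LAB_EVENTS = [
    _event("Microsoft-Windows-Sysmon/Operational", 1,
           Image=r"C:\Windows\System32\whoami.exe", CommandLine="whoami /all"),
    _event("Security", 4688,
           NewProcessName=r"C:\Windows\System32\whoami.exe", CommandLine="whoami /all"),
    _event("Microsoft-Windows-PowerShell/Operational", 4104,
           ScriptBlockText="Invoke-AtomicTest T1033"),
    _event("Microsoft-Windows-Sysmon/Operational", 3,
           Image=r"C:\Windows\System32\whoami.exe", DestinationPort="445"),
]

# Constructed sample: a production host where 4688 is logged but the
# "Include command line in process creation events" policy is off, and
# script block logging is not enabled at all.
SAMPLE_PROD_EVENTS = [
    _event("Microsoft-Windows-Sysmon/Operational", 1,
           Image=r"C:\Windows\System32\whoami.exe", CommandLine="whoami /all"),
    _event("Security", 4688,
           NewProcessName=r"C:\Windows\System32\whoami.exe", CommandLine=""),
    _event("Microsoft-Windows-Sysmon/Operational", 3,
           Image=r"C:\Windows\System32\whoami.exe", DestinationPort="445"),
]


def _by_source(events):
    """Group event_data dicts by (channel, event_id)."""
    grouped = defaultdict(list)
    for ev in events:
        w = ev.get("winlog", {})
        grouped[(w.get("channel"), w.get("event_id"))].append(w.get("event_data") or {})
    return grouped


def check_coverage(events, expected=EXPECTED_SOURCES):
    """Return {source_name: "ok" | "missing" | "no_field:<name>"}.

    "missing": no event of that channel/ID was seen at all.
    "no_field": events exist but the field a detection needs (e.g. CommandLine
    on 4688) is absent or empty, the usual sign of a half-enabled audit policy.
    """
    seen = _by_source(events)
    report = {}
    for name, (channel, event_id, field) in expected.items():
        data = seen.get((channel, event_id), [])
        if not data:
            report[name] = "missing"
        elif field and not any(d.get(field) for d in data):
            report[name] = "no_field:" + field
        else:
            report[name] = "ok"
    return report


def coverage_gaps(lab_events, prod_events, expected=EXPECTED_SOURCES):
    """Sources that are healthy in the lab but not in production, sorted by name."""
    lab = check_coverage(lab_events, expected)
    prod = check_coverage(prod_events, expected)
    return sorted(n for n in expected if lab[n] == "ok" and prod[n] != "ok")


if __name__ == "__main__":
    for name, status in check_coverage(SAMPLE_PROD_EVENTS).items():
        print(f"{name:24s} {status}")
    print("gaps vs lab:", coverage_gaps(SAMPLE_LAB_EVENTS, SAMPLE_PROD_EVENTS))
```

The "no_field" status is the one worth keeping an eye on: an index can look healthy by event count while 4688 carries an empty command line because only the basic Process Creation audit subcategory was turned on, which is exactly the kind of gap that running the same test in the lab and in production exposes.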

Lab Information:

Primary Lab Features:

  • Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • Windows Event Forwarder along with Winlogbeat are pre-installed and all indexes are pre-created on ELK. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • PowerShell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using Olaf's open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled

Lab Hosts:

  1. DC - Windows 2016 Domain Controller

    • WEF Server Configuration GPO
    • PowerShell logging GPO
    • Enhanced Windows Auditing policy GPO
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards Sysmon & osquery)
    • Sysinternals Tools
    • Microsoft Advanced Threat Analytics Lightweight Gateway
  2. WEF - Windows 2016 Server

    • Microsoft Advanced Threat Analytics
    • Windows Event Collector
    • Windows Event Subscription Creation
    • PowerShell transcription logging share
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards WinEventLog & PowerShell & Sysmon & osquery)
    • Sysinternals tools
  3. Win10 - Windows 10 Workstation

    • Simulates employee workstation
    • Sysmon
    • osquery
    • Sysinternals Tools
  4. Logger - Ubuntu 18.04

    • Kibana
    • Fleet osquery Manager
    • Bro
    • Suricata
    • Elastic Beats Forwarder (Forwards Bro logs & Suricata & osquery)
    • Guacamole
    • Velociraptor

Requirements

  • 55GB+ of free disk space
  • 16GB+ of RAM
  • Vagrant 2.2.2 or newer
  • VirtualBox

Deployment Options

  1. Use Vagrant Cloud Boxes - ETA ~2 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install the Vagrant-Reload plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from command line OR download it directly via this link.
    • cd to "DetectionLabELK/Vagrant" and execute vagrant up.
  2. Build Boxes From Scratch - ETA ~5 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install "Vagrant-Reload" plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from command line OR download it directly via this link.
    • cd to "DetectionLabELK" base directory and build the lab by executing ./build.sh virtualbox (Mac & Linux) or ./build.ps1 virtualbox (Windows).

Troubleshooting:

  • To verify that the build process completed successfully, ensure you are in the DetectionLabELK/Vagrant directory and run vagrant status. The four machines (wef, dc, logger and win10) should be running. If one of the machines is not running, execute vagrant reload <host>. To pause the whole lab, execute vagrant suspend, and resume it with vagrant resume.
  • Deployment logs will be present in the Vagrant folder as vagrant_up_<host>.log
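The two troubleshooting steps above (read vagrant status, reload whatever is not running, then look at vagrant_up_<host>.log) are easy to script. This is an added example, not part of the DetectionLabELK project: it parses the plain-text format that Vagrant 2.x prints for vagrant status and maps every lab host that is not running to the command to run and the log file to read. The status text below is constructed, not captured from a real build. One caveat the README does not spell out: vagrant reload only acts on a VM that already exists, so a host in the "not created" state (or missing from the output altogether) needs vagrant up instead.

```python
"""Post-build health check for the four DetectionLabELK machines.

Added example, not part of the DetectionLabELK project. Parses `vagrant status`
output (Vagrant 2.x format) and maps hosts that are not running to a fix.
SAMPLE_STATUS is constructed, not captured from a real build.
"""
import re
import subprocess

LAB_HOSTS = ("logger", "dc", "wef", "win10")   # the four machines from the README

SAMPLE_STATUS = """\
Current machine states:

logger                    running (virtualbox)
dc                        running (virtualbox)
wef                       poweroff (virtualbox)
win10                     not created (virtualbox)

This environment represents multiple VMs. The VMs are all listed
above with their current state. For more information about a specific
VM, run `vagrant status NAME`.
"""

# "<name>   <state words> (<provider>)"; the state may contain spaces ("not created").
_STATE_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<state>.+?)\s+\((?P<provider>[^)]+)\)\s*$")


def parse_vagrant_status(text):
    """Return {machine_name: state} from `vagrant status` output."""
    states = {}
    for line in text.splitlines():
        m = _STATE_LINE.match(line)
        if m:
            states[m.group("name")] = m.group("state")
    return states


def lab_health(status_text, hosts=LAB_HOSTS):
    """Return {host: (state, fix_command, log_file)} for every host not running.

    `vagrant reload` only works on a VM that exists; a host that is
    "not created" (or absent from the output) needs `vagrant up` instead.
    """
    states = parse_vagrant_status(status_text)
    problems = {}
    for host in hosts:
        state = states.get(host, "not created")
        if state == "running":
            continue
        cmd = "vagrant up " if state == "not created" else "vagrant reload "
        problems[host] = (state, cmd + host, f"vagrant_up_{host}.log")
    return problems


def live_status():
    """Run `vagrant status` in the current directory (DetectionLabELK/Vagrant)."""
    return subprocess.run(["vagrant", "status"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    problems = lab_health(SAMPLE_STATUS)   # use lab_health(live_status()) on a real build
    if not problems:
        print("all lab hosts running")
    for host, (state, cmd, log) in problems.items():
        print(f"{host}: {state} -> run `{cmd}`, then check {log}")
```

Run it from DetectionLabELK/Vagrant with live_status() swapped in; on a healthy lab it returns an empty dict, which is the condition the README describes as a successful build.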

Lab Access:

Support: If you face any problem, please open a new issue and provide relevant log file.

detectionlabelk's People

Contributors

0xmuhammad, lnxg33k

detectionlabelk's Issues

Issue with DetectionLabELK on macOS arm64 using VMware Fusion

MacBook with M1 Chip (ARM64 architecture)
Operating System: macOS Sonoma Version 14.0
VMware Fusion Player Version 13.0.2 (21581413)
Vagrant version: 2.3.7

Description of the issue:

I've been trying to set up DetectionLabELK on my MacBook with an M1 chip using VMware Fusion Player Version 13.0.2 (21581413), but I'm encountering a timeout issue when Vagrant attempts to start the VMware machine.

I have modified the Vagrantfile to increase the boot timeout: cfg.vm.boot_timeout = 600.

When I execute the vagrant up command, a pop-up window with the virtual machine opens, but nothing happens. I see a play button, but there's no reaction.

However, it still receives a timeout error approximately 2 minutes after starting the machine.
The error message is:

Vagrant timed out while trying to start the VMware machine. This
error is caused by VMware never successfully starting the engine.
This can often be fixed by simply retrying. If the error persists,
please verify that VMware is functional. This is not a Vagrant
issue

I also tried manually starting the machine with ubuntu-18.04-amd64.vmx directly from the file, but it still did not work.

Additional Information:

I've successfully installed and run an Ubuntu server VM on the same VMware Fusion using Vagrant without any issues. This leads me to believe that the problem might be specific to the Vagrantfile configuration used by DetectionLabELK or its integration with the Vagrant-VMware plugin. There may be a discrepancy or misconfiguration in the Vagrantfile that's causing the VM not to start correctly.

Has anyone else encountered this issue or have any suggestions for resolving it?

Vagrant Up Error -- Failed to fix the broken static IP for eth1.

  • Operating System Version: Ubuntu Server 20.04.1 LTS with xfce4
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version: 2.2.14
  • Packer Version: 1.6.6
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? Stock boxes.
  • Is the issue reproducible or intermittent? Reproducible

Please verify that you are building from an updated Master branch before filing an issue.
Pulled the latest master branch today.

Description of the issue:

I get the following error when I run vagrant up. I tried to grab vagrant_up_$host.log so I could include it in this issue but it doesn't appear to get created.

    logger: [+] python-pip was successfully installed!
    logger: Incorrect IP Address settings detected. Attempting to fix.
    logger: Unknown interface eth1
    logger: Unknown interface eth1
    logger: [22:24:18]: Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs.
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

How can I move or copy the lab to an offline machine?

  • Operating System Version:Windows Server 2016
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version:2.2.15
  • Packer Version:1.7.2
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer?
    stock boxes
  • Is the issue reproducible or intermittent?
    reproducible

Please verify that you are building from an updated Master branch before filing an issue.

Description of the issue:

I tried to move the entire lab to another machine (a machine without internet): I copied the virtualmachines directory and configured VirtualBox to use this directory as the default for VMs, and also copied the ~/.vagrant.d and ~/.VirtualBox directories, but when I try to start the machines, I get an error.

I also tried to create the same directory that this output tells me, but it didn't work either.

Error message:

c:\Users\U42857\Downloads\DetectionLab\DetectionLabELK-master\Vagrant>vagrant up
Bringing machine 'logger' up with 'virtualbox' provider...
Bringing machine 'dc' up with 'virtualbox' provider...
Bringing machine 'wef' up with 'virtualbox' provider...
Bringing machine 'win10' up with 'virtualbox' provider...
==> logger: This machine used to live in E:/detectionlabELK/DetectionLabELK-master/Vagrant but it's now at c:/Users/U42857/Downloads/DetectionLab/DetectionLabELK-master/Vagrant.
==> logger: Depending on your current provider you may need to change the name of
==> logger: the machine to run it as a different machine.
Your VM has become "inaccessible." Unfortunately, this is a critical error
with VirtualBox that Vagrant can not cleanly recover from. Please open VirtualBox
and clear out your inaccessible virtual machines or find a way to fix
them.

sed error preventing application installs

  • Operating System Version: 5.10.0-kali6-amd64 #1 SMP Debian 5.10.26-1kali2 (2021-04-01) x86_64 GNU/Linux
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version: 2.2.14
  • Packer Version: 1.6.6
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? Stock
  • Is the issue reproducible or intermittent? Reproducible

While going through the provisioning process I consistently got the following sed error in bootstrap.sh.

    logger: Running: /tmp/vagrant-shell20210407-219889-2sjeh9.sh
    logger: sed: cannot rename /etc/sed35GO1d: Operation not permitted

I was able to verify that the 8.8.8.8 dns server was successfully placed into resolv.conf by manually ssh'ing into the logger box and looking at the contents. But the subsequent call to apt_install_prerequisites() didn't produce errors, but it also didn't do anything. I did this multiple times while attempting to trace the source of the issue. For debugging purposes, I added an echo statement after the sed line

sed -i 's/nameserver 127.0.0.53/nameserver 8.8.8.8/g' /etc/resolv.conf && chattr +i /etc/resolv.conf
echo "Edited DNS settings..."

For some odd reason, I still receive the sed error, but the apt_install_prerequisites() call then worked and began to install the apps. I haven't had much time to dig into it, but a stab in the dark makes me think maybe it's something to do with the state of the file when chattr is called since what I've read sed creates a temp file when doing an inline edit? Which is what that file in the error likely is. I haven't tested putting chattr on the next line, but that may fix it as well. Below is an extended version of the above:

==> logger: Running provisioner: shell...
    logger: Running: /tmp/vagrant-shell20210407-219889-2sjeh9.sh
    logger: sed: cannot rename /etc/sed35GO1d: Operation not permitted
    logger: [15:24:12]: Adding apt repositories...
    logger: Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
    logger: Hit:2 http://security.ubuntu.com/ubuntu bionic-security InRelease
    logger: Hit:3 http://ppa.launchpad.net/apt-fast/stable/ubuntu bionic InRelease
    logger: Hit:4 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
    logger: Hit:5 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
    logger: Hit:6 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic InRelease
    logger: Hit:7 http://ppa.launchpad.net/rmescandon/yq/ubuntu bionic InRelease
    logger: Reading package lists...
    logger: Hit:1 http://ppa.launchpad.net/apt-fast/stable/ubuntu bionic InRelease
    logger: Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
    logger: Hit:3 http://security.ubuntu.com/ubuntu bionic-security InRelease
    logger: Hit:4 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
    logger: Hit:5 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
    logger: Hit:6 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic InRelease
    logger: Hit:7 http://ppa.launchpad.net/rmescandon/yq/ubuntu bionic InRelease
    logger: Reading package lists...
    logger: Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
    logger: Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
    logger: Hit:3 http://ppa.launchpad.net/apt-fast/stable/ubuntu bionic InRelease
    logger: Hit:4 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
    logger: Hit:5 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
    logger: Hit:6 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic InRelease
    logger: Hit:7 http://ppa.launchpad.net/rmescandon/yq/ubuntu bionic InRelease
    logger: Reading package lists...
    logger: [15:24:30]: Running apt-get clean...
    logger: [15:24:30]: Running apt-get update...
    logger: [15:24:34]: Running apt-fast install...
    logger: [apt-fast 15:24:34]

Now the app services are up and listening, but it looks like I have one more error I need to resolve. I'll probably put that into a separate issue depending on what I find.

Waiting for WinRM to become available

  • Operating System Version: Windows 11 Enterprise
  • Provider (VirtualBox/VMWare): Virtualbox
  • Vagrant Version: 2.2.19
  • Packer Version: 1.7.10
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? From scratch
  • Is the issue reproducible or intermittent? reproducible

Please verify that you are building from an updated Master branch before filing an issue.

Cannot build from scratch. It stops while waiting for WinRM and that's it. Took almost 11 hours to return the error.

Can you please help?

Logger host build issue - zeek

  • Operating System Version: Debian GNU/Linux 10 (buster)
  • Provider (VirtualBox/VMWare): Virtualbox 6.1.4 r136177
  • Vagrant Version: 2.2.7
  • Packer Version: 1.5.4
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? : from scratch ./build.sh virtualbox
  • Is the issue reproducible or intermittent? reproducible

Description of the issue:

While building the logger host, I'm running into the following error message that causes the build to stop:

$ build.sh virtualbox
...
$ tail -n 400  Vagrant/vagrant_up_logger.log 
    logger: [15:00:50]: Installing Zeek...
...
    logger: Requirement already satisfied: smmap>=3.0.1 in /usr/local/lib/python2.7/dist-packages (from smmap2>=2.0.0->gitdb2<3,>=2->gitpython->zkg)
    logger: Traceback (most recent call last):
    logger:   File "/usr/local/bin/zkg", line 2243, in <module>
    logger:     
    logger: main()
    logger:   File "/usr/local/bin/zkg", line 2237, in main
    logger:     
    logger: manager = create_manager(args, config)
    logger:   File "/usr/local/bin/zkg", line 334, in create_manager
    logger:     
    logger: error = manager.add_source(name=key, git_url=value)
    logger:   File "/usr/local/lib/python2.7/dist-packages/zeekpkg/manager.py", line 402, in add_source
    logger:     
    logger: parse_result = urllib.parse.urlparse(git_url)
    logger: AttributeError
    logger: : 
    logger: 'module' object has no attribute 'parse'
    logger: Traceback (most recent call last):
    logger:   File "/usr/local/bin/zkg", line 2243, in <module>
    logger:     
    logger: main()
    logger:   File "/usr/local/bin/zkg", line 2237, in main
    logger:     
    logger: manager = create_manager(args, config)
    logger:   File "/usr/local/bin/zkg", line 334, in create_manager
    logger:     
    logger: error = manager.add_source(name=key, git_url=value)
    logger:   File "/usr/local/lib/python2.7/dist-packages/zeekpkg/manager.py", line 402, in add_source
    logger:     
    logger: parse_result = urllib.parse.urlparse(git_url)
    logger: AttributeError
    logger: : 
    logger: 'module' object has no attribute 'parse'
    logger: Traceback (most recent call last):
    logger:   File "/usr/local/bin/zkg", line 2243, in <module>
    logger:     
    logger: main()
    logger:   File "/usr/local/bin/zkg", line 2237, in main
    logger:     
    logger: manager = create_manager(args, config)
    logger:   File "/usr/local/bin/zkg", line 334, in create_manager
    logger:     
    logger: error = manager.add_source(name=key, git_url=value)
    logger:   File "/usr/local/lib/python2.7/dist-packages/zeekpkg/manager.py", line 402, in add_source
    logger:     
    logger: parse_result = urllib.parse.urlparse(git_url)
    logger: AttributeError
    logger: : 
    logger: 'module' object has no attribute 'parse'
    logger: Job for zeek.service failed because the control process exited with error code.
    logger: See "systemctl status zeek.service" and "journalctl -xe" for details.
    logger: Zeek attempted to start but is not running. Exiting
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

Link to Gist Containing Build Logs:

https://gist.github.com/2xyo/d826bbaeeb556740320bb2a3677e8b4f

Logger host build issue - Failed to start logstash.service

  • Operating System Version: Debian GNU/Linux 10 (buster)
  • Provider (VirtualBox/VMWare): Virtualbox 6.1.4 r136177
  • Vagrant Version: 2.2.7
  • Packer Version: 1.5.4
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? : from scratch ./build.sh virtualbox
  • Is the issue reproducible or intermittent? reproducible

Description of the issue:

While building the logger host, I'm running into the following error message that causes the build to stop:

$ build.sh virtualbox
...
$ tail Vagrant/vagrant_up_logger.log 
    logger: Unpacking logstash (1:7.6.1-1) ...
    logger: Setting up logstash (1:7.6.1-1) ...
    logger: Using provided startup.options file: /etc/logstash/startup.options
    logger: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
    logger: OpenJDK 64-Bit Server VM warning: Options -Xverify:none and -noverify were deprecated in JDK 13 and will likely be removed in a future release.
    logger: 2020-03-23T09:37:59.152Z [main] WARN FilenoUtil : Native subprocess control requires open access to sun.nio.ch
    logger: Pass '--add-opens java.base/sun.nio.ch=org.jruby.dist' or '=org.jruby.core' to enable.
    logger: Errno::EBADF: Bad file descriptor - systemctl
    logger:             spawn at org/jruby/RubyProcess.java:1636
    logger:             spawn at org/jruby/RubyKernel.java:1667
    logger:         popen_run at /usr/share/logstash/vendor/jruby/lib/ruby/stdlib/open3.rb:202
    logger:            popen3 at /usr/share/logstash/vendor/jruby/lib/ruby/stdlib/open3.rb:98
    logger:           execute at /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/detector.rb:74
    logger:    detect_systemd at /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/detector.rb:29
    logger:   detect_platform at /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/detector.rb:24
    logger:            detect at /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/detector.rb:18
    logger:    setup_defaults at /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/cli.rb:153
    logger:           execute at /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/cli.rb:119
    logger:               run at /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/clamp-0.6.5/lib/clamp/command.rb:67
    logger:               run at /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/cli.rb:114
    logger:               run at /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/clamp-0.6.5/lib/clamp/command.rb:132
    logger:            <main> at /usr/share/logstash/lib/systeminstall/pleasewrap.rb:12
    logger: Unable to install system startup script for Logstash.
    logger: chmod: cannot access '/etc/default/logstash'
    logger: : No such file or directory
    logger: dpkg: error processing package logstash (--configure):
    logger:  installed logstash package post-installation script subprocess returned error exit status 1
    logger: Setting up kibana (7.6.1) ...
    logger: Setting up elasticsearch-curator (5.8.1) ...
    logger: Setting up filebeat (7.6.1) ...
    logger: Processing triggers for systemd (237-3ubuntu10.38) ...
    logger: Processing triggers for ureadahead (0.100.0-21) ...
    logger: Errors were encountered while processing:
    logger: 
    logger:  logstash
    logger: E
    logger: : 
    logger: Sub-process /usr/bin/dpkg returned an error code (1)
    logger: Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
    logger: Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
    logger: Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.
    logger: Synchronizing state of kibana.service with SysV service script with /lib/systemd/systemd-sysv-install.
    logger: Executing: /lib/systemd/systemd-sysv-install enable kibana
    logger: Failed to enable unit: Unit file logstash.service does not exist.
    logger: Failed to start logstash.service: Unit logstash.service not found.
    logger: Enabled suricata
    logger: Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
    logger: Executing: /lib/systemd/systemd-sysv-install enable filebeat

Link to Gist Containing Build Logs:

https://gist.github.com/2xyo/8be429ffce54f484aca1924c95e98438#file-vagrant_up_logger-log-L3089

Related issues:

Failed Build - Could not find cyberdefenders/win2016

  • Operating System Version: Windows 10
  • Provider (VirtualBox/VMWare): Vmware
  • Vagrant Version: Vagrant 2.3.0
  • Packer Version: 1.8.3
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? Stock Boxes
  • Is the issue reproducible or intermittent? reproducible

Please verify that you are building from an updated Master branch before filing an issue.

Description of the issue:

While trying to build the environment for the first time the build fails stating that the Cloud Box could not be found.

PS C:\Data\git\DetectionLabELK\Vagrant> vagrant up dc
Bringing machine 'dc' up with 'vmware_desktop' provider...
==> dc: Box 'cyberdefenders/win2016' could not be found. Attempting to find and install...
    dc: Box Provider: vmware_desktop, vmware_fusion, vmware_workstation
    dc: Box Version: >= 0
==> dc: Loading metadata for box 'cyberdefenders/win2016'
    dc: URL: https://vagrantcloud.com/cyberdefenders/win2016
The box you're attempting to add doesn't support the provider
you requested. Please find an alternate box or use an alternate
provider. Double-check your requested provider to verify you didn't
simply misspell it.

If you're adding a box from HashiCorp's Vagrant Cloud, make sure the box is
released.

Name: cyberdefenders/win2016
Address: https://vagrantcloud.com/cyberdefenders/win2016
Requested provider: ["vmware_desktop", "vmware_fusion", "vmware_workstation"]
PS C:\Data\git\DetectionLabELK\Vagrant>

post_build_checks still looking for a splunk instance.

  • Operating System Version: Win10
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version: 2.2.18
  • Packer Version: 1.7.7
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? Scratch with Packer.
  • Is the issue reproducible or intermittent? Yes

Please verify that you are building from an updated Master branch before filing an issue.

Description of the issue:

post_build_checks() in build.ps1 script is still checking for a Splunk instance, instead of ELK.

[post_build_checks] Running Splunk Check.
[download] Running for https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F, looking for This browser is not supported by Splunk
Error occured on webrequest: Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"
[post_build_checks] Splunk Result: False

vagrant up gives an error..

  • Operating System Version: Windows 10 Pro
  • Provider (VirtualBox/VMWare): Hyper-V (10.0.19041.1)
  • Vagrant Version: 2.2.14
  • Packer Version: 1.6.6
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer?
  • I will try both. But at first i started with downloaded boxes. Error occured at that try.
  • Is the issue reproducible or intermittent? Reproducible

Please verify that you are building from an updated Master branch before filing an issue.
Yes, i downloaded Master branch just before the try and use it.

Description of the issue:

I just triggered the "vagrant up" command. Vagrant asked me for the type of the switch. I chose 1 - default switch.
Then it asked for user and password for SMB folders. I gave them. But while running it stopped abnormally with the logs below.

logger: [+] git was successfully installed!
logger: [12:42:50]: [TEST] Validating that unzip is correctly installed...
logger: [+] unzip was successfully installed!
logger: [12:42:50]: [TEST] Validating that yq is correctly installed...
logger: [+] yq was successfully installed!
logger: [12:42:50]: [TEST] Validating that mysql-server is correctly installed...
logger: [+] mysql-server was successfully installed!
logger: [12:42:50]: [TEST] Validating that redis-server is correctly installed...
logger: [+] redis-server was successfully installed!
logger: [12:42:50]: [TEST] Validating that python-pip is correctly installed...
logger: [+] python-pip was successfully installed!
logger: Device "eth1" does not exist.
logger: Incorrect IP Address settings detected. Attempting to fix.
logger: Unknown interface eth1
logger: Device "eth1" does not exist.
logger: Unknown interface eth1
logger: eth1: error fetching interface information: Device not found
logger: [12:42:51]: Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs.

The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

Error during vagrant up

  • Operating System Version:
  • Provider (VirtualBox/VMWare): Virtualbox
  • Vagrant Version: 2.2.10
  • Packer Version: 1.6.4
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? stock
  • Is the issue reproducible or intermittent? reproducible

Please verify that you are building from an updated Master branch before filing an issue.

Description of the issue:

Link to Gist Containing Build Logs:

is there a plan to support vmware?

im getting this error

==> dc: Box 'cyberdefenders/win2016' could not be found. Attempting to find and install...
dc: Box Provider: vmware_desktop, vmware_fusion, vmware_workstation
dc: Box Version: >= 0
==> dc: Loading metadata for box 'cyberdefenders/win2016'
dc: URL: https://vagrantcloud.com/cyberdefenders/win2016
The box you're attempting to add doesn't support the provider
you requested. Please find an alternate box or use an alternate
provider. Double-check your requested provider to verify you didn't
simply misspell it.

If you're adding a box from HashiCorp's Vagrant Cloud, make sure the box is
released.

Name: cyberdefenders/win2016
Address: https://vagrantcloud.com/cyberdefenders/win2016
Requested provider: ["vmware_desktop", "vmware_fusion", "vmware_workstation"]

which seems to me that VMware is not supported. is there any plans to do so?

build.ps1 on Windows, with VirtualBox, stops bringing up machines after dc

  • Operating System Version: Windows 10
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version: 2.2.1
  • Packer Version: 1.6.2
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? build from packer
  • Is the issue reproducible or intermittent? reproduce

Please verify that you are building from an updated Master branch before filing an issue.

Description of the issue:

build.ps1 on Windows, with VirtualBox, stops bringing up machines after dc.
I can go ahead manually launching vagrant up commands.

Logger install incomplete - ETH1 does not exist

  • Operating System Version: Windows 10
  • Provider (VirtualBox/VMWare): VMWare
  • Vagrant Version: 2.2.17
  • Packer Version: 1.7.4
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? Stock Boxes
  • Is the issue reproducible or intermittent? Reproducible

Please verify that you are building from an updated Master branch before filing an issue. Yes pulling the latest Master

Description of the issue:

Fails on the Logger install. I have seen people with a similar issue but tickets are closed with no solutions

This same problem has occurred 4-5 times, I am trying to install on a D drive but have full admin rights.

Thanks for any help/advice, please see log below -

logger: [13:08:09]: [TEST] Validating that redis-server is correctly installed...
logger: [+] redis-server was successfully installed!
logger: [13:08:09]: [TEST] Validating that python-pip is correctly installed...
logger: [+] python-pip was successfully installed!
logger: Device "eth1" does not exist.
logger: Incorrect IP Address settings detected. Attempting to fix.
logger: Unknown interface eth1
logger: Device "eth1" does not exist.
logger: Unknown interface eth1
logger: eth1: error fetching interface information: Device not found
logger: [13:08:10]: Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs.

The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

logger /tmp/vagrant-shell: line 141: Curl Command not found

  • Operating System Version: Windows 11
  • Provider (VirtualBox/VMWare): VirtualBox
  • Vagrant Version: 2.4.1
  • Packer Version:
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? Downloaded
  • Is the issue reproducible or intermittent? Reproducible

Please verify that you are building from an updated Master branch before filing an issue.

Description of the issue:

Link to Gist Containing Build Logs:

Win10 host build issue - Powersploit/ART install failed

  • Operating System Version: Debian GNU/Linux 10 (buster)
  • Provider (VirtualBox/VMWare): Virtualbox 6.1.4 r136177
  • Vagrant Version: 2.2.7
  • Packer Version: 1.5.4
  • Are you using stock boxes (downloaded) or were they built from scratch using Packer? From box
  • Is the issue reproducible or intermittent? reproducible

Description of the issue:

While building the win10 host, I'm running into the following error message:

$ vagrant up logger dc wef win10
...
$ tail Vagrant/vagrant_up_win10.log

==> win10: Running provisioner: shell...
    win10: Running: scripts/install-redteam.ps1 as c:\tmp\vagrant-shell.ps1
    win10: [11:07] Installing Red Team Tooling...
    win10: [11:07] Determining latest release of Mimikatz...
    win10: [11:07] Downloading Powersploit...
    win10: powershell.exe : Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10:     + CategoryInfo          : NotSpecified: (Copy-Item : Ope...ins a virus or :String) [], RemoteException
    win10:     + FullyQualifiedErrorId : NativeCommandError
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Find-AVSignature.ps1:FileInfo) [Copy-Item], IOExceptio 
    win10:    n
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Invoke-DllInjection.ps1:FileInfo) [Copy-Item], IOExcep 
    win10:    tion
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Invoke-ReflectivePEInjection.ps1:FileInfo) [Copy-Item] 
    win10:    , IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Invoke-Shellcode.ps1:FileInfo) [Copy-Item], IOExceptio 
    win10:    n
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Invoke-WmiCommand.ps1:FileInfo) [Copy-Item], IOExcepti 
    win10:    on
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (index.md:FileInfo) [Copy-Item], IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Get-GPPAutologon.ps1:FileInfo) [Copy-Item], IOExceptio 
    win10:    n
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Get-Keystrokes.ps1:FileInfo) [Copy-Item], IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Get-MicrophoneAudio.ps1:FileInfo) [Copy-Item], IOExcep 
    win10:    tion
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Get-TimedScreenshot.ps1:FileInfo) [Copy-Item], IOExcep 
    win10:    tion
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Get-VaultCredential.ps1:FileInfo) [Copy-Item], IOExcep 
    win10:    tion
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Invoke-CredentialInjection.ps1:FileInfo) [Copy-Item],  
    win10:    IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Invoke-Mimikatz.ps1:FileInfo) [Copy-Item], IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Invoke-NinjaCopy.ps1:FileInfo) [Copy-Item], IOExceptio 
    win10:    n
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Invoke-TokenManipulation.ps1:FileInfo) [Copy-Item], IO 
    win10:    Exception
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Out-Minidump.ps1:FileInfo) [Copy-Item], IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (VolumeShadowCopyTools.ps1:FileInfo) [Copy-Item], IOExc 
    win10:    eption
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Mayhem.psm1:FileInfo) [Copy-Item], IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Persistence.psm1:FileInfo) [Copy-Item], IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Invoke-Portscan.ps1:FileInfo) [Copy-Item], IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Out-EncodedCommand.ps1:FileInfo) [Copy-Item], IOExcept 
    win10:    ion
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Out-EncryptedScript.ps1:FileInfo) [Copy-Item], IOExcep 
    win10:    tion
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : WriteError: (Remove-Comment.ps1:FileInfo) [Copy-Item], IOException
    win10:     + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItem 
    win10:    Command
    win10:  
    win10: Copy-Item : Operation did not complete successfully because the file contains a virus or 
    win10: potentially unwanted software.
    win10: At C:\tmp\vagrant-shell.ps1:37 char:3
    win10: +   Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\Sys ...
    win10: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    win10:     + CategoryInfo          : NotSpecified: (:) [Copy-Item], IOException
    win10:     + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.CopyItemCommand
    win10:  
    win10: [11:08] Downloading Atomic Red Team...
    win10: [11:09] Red Team tooling installation complete!
The following WinRM command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

powershell -ExecutionPolicy Bypass -OutputFormat Text -file "c:\tmp\vagrant-shell.ps1"

Stdout from the command:

[11:07] Installing Red Team Tooling...
[11:07] Determining latest release of Mimikatz...
[11:07] Downloading Powersploit...
[11:08] Downloading Atomic Red Team...
[11:09] Red Team tooling installation complete!


Stderr from the command:

[identical to the Copy-Item "contains a virus or potentially unwanted software" errors in the provisioner output above, one per PowerSploit file, ending with the System.IO.IOException at C:\tmp\vagrant-shell.ps1:37]

Obvious fix: disable Windows Defender.

Link to Gist Containing Build Logs:

https://gist.github.com/2xyo/298611b1349daac5143ac1ae7ba210b8
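The log above shows two things worth fixing in a provisioner, not just working around: Defender quarantined the PowerSploit files during Copy-Item, and because those were non-terminating errors the script still printed "Red Team tooling installation complete!" before Vagrant flagged the non-zero exit. The following is an added example, not code from DetectionLabELK's install-redteam.ps1 and not from the issue author. It uses the stock Defender PowerShell cmdlets (Get-MpComputerStatus, Get-MpPreference, Add-MpPreference), adds a path exclusion for the tooling directories as the narrower alternative to switching Defender off, and then verifies file-by-file that the copy actually landed. $Source is taken from the error text; $Destination is an assumed placeholder because the log truncates the real path. Run it elevated.

```powershell
# Added example (not DetectionLabELK code). Stage PowerSploit so that a Defender
# block is reported as a failure instead of being swallowed, and prefer a path
# exclusion over disabling the engine. Run from an elevated PowerShell.

# Assumptions: $Source comes from the issue log; $Destination is a placeholder,
# the real path is truncated in the log ("$Env:windir\Sys ...").
$Source      = 'C:\Tools\PowerSploit\PowerSploit-dev'
$Destination = Join-Path $Env:windir 'System32\WindowsPowerShell\v1.0\Modules\PowerSploit'  # assumed

function Get-DefenderState {
    # Summarise the Defender settings that decide whether copying offensive
    # tooling can succeed. Returns all-$false when the Defender cmdlets are absent.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            AntivirusEnabled   = [bool]$s.AntivirusEnabled
            RealTimeProtection = [bool]$s.RealTimeProtectionEnabled
            TamperProtected    = [bool]$s.IsTamperProtected
        }
    } catch {
        [pscustomobject]@{ AntivirusEnabled = $false; RealTimeProtection = $false; TamperProtected = $false }
    }
}

function Add-ToolingExclusion {
    param([Parameter(Mandatory)][string[]]$Path)
    # Narrower than Set-MpPreference -DisableRealtimeMonitoring: only these
    # directories are skipped, and Defender keeps scanning (and logging) the rest.
    Add-MpPreference -ExclusionPath $Path -ErrorAction Stop
    # Read the setting back; Tamper Protection or policy can silently reject it.
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($p in $Path) {
        if ($current -notcontains $p) {
            throw "Exclusion for '$p' was not applied (Tamper Protection or policy?)"
        }
    }
}

function Copy-ToolingVerified {
    param([Parameter(Mandatory)][string]$From, [Parameter(Mandatory)][string]$To)
    New-Item -ItemType Directory -Path $To -Force | Out-Null
    # -ErrorAction Stop turns the per-file "contains a virus" IOException into a
    # terminating error, so the script cannot report success after it.
    Copy-Item -Path (Join-Path $From '*') -Destination $To -Recurse -Force -ErrorAction Stop

    # Independent check: every source file must exist at the destination. Defender
    # can also remove a file after the copy returns, which no exit code reveals.
    $root = $From.TrimEnd('\')
    $missing = Get-ChildItem -Path $From -File -Recurse | Where-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\')
        -not (Test-Path -LiteralPath (Join-Path $To $rel))
    } | Select-Object -ExpandProperty FullName
    if ($missing) {
        throw ("{0} file(s) did not survive the copy: {1}" -f @($missing).Count, ($missing -join ', '))
    }
}

$state = Get-DefenderState
Write-Host ("Defender: AV={0} RTP={1} TamperProtected={2}" -f $state.AntivirusEnabled, $state.RealTimeProtection, $state.TamperProtected)

if ($state.AntivirusEnabled) {
    if ($state.TamperProtected) {
        Write-Warning 'Tamper Protection is on; the exclusion may be rejected and is verified below.'
    }
    Add-ToolingExclusion -Path @($Source, $Destination)
}

Copy-ToolingVerified -From $Source -To $Destination
Write-Host 'PowerSploit staged and verified.'
```

Two practitioner notes. First, in a detection lab Defender's own telemetry (the Microsoft-Windows-Windows Defender/Operational log, events 1116 and 1117 for detections and remediation) is useful data, so an exclusion scoped to the tooling directories keeps that source alive for everything else, whereas the full disable suggested in the issue removes it for the whole host. Second, the file-count verification is the part that would have made this failure visible at provisioning time: the provisioner's "complete" message was printed after every copy had already been blocked.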
