diff --git a/.gitignore b/.gitignore index 5df85c83b..273c0e792 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # ignore attack_range.yml that might include local custom changes attack_range.yml poetry.lock +terraform/ansible/*vars.json #keys *.key diff --git a/.gitpod.Dockerfile b/.gitpod.Dockerfile deleted file mode 100644 index 6f7d7c8cb..000000000 --- a/.gitpod.Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -FROM gitpod/workspace-full:2022-05-08-14-31-53 - -RUN sudo apt-get update && \ - sudo apt-get install -y python3.8 git unzip python3-pip awscli curl vim lsb-release software-properties-common - -RUN sudo curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash - -RUN brew install terraform - -RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - && \ - sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" && \ - sudo apt-get update && sudo apt-get install packer - -RUN curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python - diff --git a/.gitpod.yml b/.gitpod.yml deleted file mode 100644 index 2806cb1b9..000000000 --- a/.gitpod.yml +++ /dev/null @@ -1,21 +0,0 @@ -# This configuration file was automatically generated by Gitpod. -# Please adjust to your needs (see https://www.gitpod.io/docs/config-gitpod-file) -# and commit this file to your remote git repository to share the goodness with others. - - -image: - file: .gitpod.Dockerfile - -tasks: - - command: | - cd terraform/azure - terraform init - cd ../.. - cd terraform/aws - terraform init - cd ../.. - export PATH=$PATH:$HOME/.poetry/bin - poetry install - poetry shell - - diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 000000000..6c08f501f --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,4 @@ +{ + "editor.defaultFormatter": "ms-python.black-formatter", + "editor.formatOnSave": true +} \ No newline at end of file 
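Review bot: The new pattern `terraform/ansible/*vars.json` in the .gitignore hunk only matches files directly under terraform/ansible, and an ignore entry never untracks a file that is already committed. Since these files presumably hold the rendered range config (the aws_controller.py hunk further down passes the whole config dict, including `attack_range_password` and the cloud credential fields, as Terraform variables), it is worth confirming with `git ls-files terraform/ansible` that none is tracked yet and removing it with `git rm --cached` if one is. If the vars files can also be written into subdirectories, `terraform/ansible/**/*vars.json` is the broader form. Matching the file's existing `#keys` style, a line above it such as `# generated from attack_range.yml; may contain credentials` would record why it is ignored.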
diff --git a/README.md b/README.md index 3332dc646..16381d085 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,3 @@ - - - -

@@ -14,8 +10,10 @@

# Splunk Attack Range ⚔️ +> [!WARNING] +> Packer was removed to simplify the deployment process. ![Attack Range Log](docs/attack_range.png) -The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud and local environments, simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections. +The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure) and local environments (Virtualbox), simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections. ## Purpose 🛡 The Attack Range is a detection development platform, which solves three main challenges in detection engineering: @@ -55,6 +53,7 @@ The deployment of Attack Range consists of: - Nginx Server - Linux Server - Zeek Server +- Snort Server Which can be added/removed/configured using [attack_range.yml](https://github.com/splunk/attack_range/blob/develop/attack_range.yml). @@ -69,6 +68,8 @@ The following log sources are collected from the machines: - Nginx logs (```index = proxy```) - Network Logs with Splunk Stream (```index = main```) - Attack Simulation Logs from Atomic Red Team and Caldera (```index = attack```) +- Zeek Logs (```index = zeek```) +- Snort Logs (```index = snort```) ## Running 🏃‍♀️ Attack Range supports different actions: @@ -83,11 +84,6 @@ python attack_range.py configure python attack_range.py build ``` -### Packer Attack Range -``` -python attack_range.py packer --image_name windows-2016 -``` - ### Show Attack Range Infrastructure ``` python attack_range.py show diff --git a/attack_range.yml b/attack_range.yml index 1cb21ba88..8e411713a 100644 --- a/attack_range.yml +++ b/attack_range.yml 
@@ -4,5 +4,4 @@ general: cloud_provider: "aws" key_name: "ar" windows_servers: - - hostname: ar-win - image: windows-2016-v3-0-0 \ No newline at end of file + - hostname: ar-win \ No newline at end of file diff --git a/configs/attack_range_default.yml b/configs/attack_range_default.yml index 509d38445..3ab66969d 100644 --- a/configs/attack_range_default.yml +++ b/configs/attack_range_default.yml @@ -16,12 +16,6 @@ general: # This allow comma-separated blocks # ip_whitelist = 0.0.0.0/0,35.153.82.195/32 - version: "3.0.0" - # The current released version of Attack Range. - - use_prebuilt_images_with_packer: "0" - # Enable/Disable usage of packer to create pre-built images by setting this to 1 or 0. - crowdstrike_falcon: "0" # Enable/Disable CrowdStrike Falcon by setting this to 1 or 0. @@ -46,9 +40,6 @@ general: install_contentctl: "0" # Install splunk/contentctl on linux servers - advanced_logging: "0" - # Enable verbose windows security logs by setting this to 1. - aws: region: "us-west-2" # Region used in AWS. This should be the same as the region configured in AWS CLI. @@ -102,8 +93,6 @@ local: # Attack Range Local used Virtualbox and Vagrant to build the Attack Range. splunk_server: - splunk_image: "splunk-v3-0-0" - # Name of the image of the Splunk Server. Packer is used to build this image. install_es: "0" # Enable/Disable Enterprise Security by setting this to 1 or 0. 
@@ -114,15 +103,45 @@ splunk_server: s3_bucket_url: "https://attack-range-appbinaries.s3-us-west-2.amazonaws.com" # S3 bucket containing the Splunk Apps which will be installed in Attack Range. - splunk_url: "https://download.splunk.com/products/splunk/releases/9.0.2/linux/splunk-9.0.2-17e00c557dc1-Linux-x86_64.tgz" + splunk_url: "https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-Linux-x86_64.tgz" # Url to download Splunk Enterprise. - splunk_uf_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.2/linux/splunkforwarder-9.0.2-17e00c557dc1-linux-2.6-amd64.deb" + splunk_uf_url: "https://download.splunk.com/products/universalforwarder/releases/9.3.0/linux/splunkforwarder-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb" # Url to download Splunk Universal Forwarder Linux. - splunk_uf_win_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.2/windows/splunkforwarder-9.0.2-17e00c557dc1-x64-release.msi" + splunk_uf_win_url: "https://download.splunk.com/products/universalforwarder/releases/9.3.0/windows/splunkforwarder-9.3.0-51ccf43db5bd-x64-release.msi" # Url to download Splunk Universal Forwarder Windows. 
+ splunk_apps: + - splunk-add-on-for-microsoft-windows_880.tgz + - splunk-timeline-custom-visualization_162.tgz + - status-indicator-custom-visualization_150.tgz + - splunk-sankey-diagram-custom-visualization_160.tgz + - punchcard-custom-visualization_150.tgz + - splunk_attack_range_reporting-1.0.9.tar.gz + - splunk-common-information-model-cim_532.tgz + - DA-ESS-ContentUpdate-latest.tar.gz + - python-for-scientific-computing-for-linux-64-bit_420.tgz + - splunk-machine-learning-toolkit_541.tgz + - splunk-security-essentials_380.tgz + - splunk-add-on-for-sysmon_400.tgz + - splunk-add-on-for-sysmon-for-linux_100.tgz + - splunk-add-on-for-amazon-web-services-aws_760.tgz + - splunk-add-on-for-microsoft-office-365_451.tgz + - splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz + - splunk-add-on-for-unix-and-linux_910.tgz + - ta-for-zeek_108.tgz + - splunk-add-on-for-nginx_322.tgz + - phantom-app-for-splunk_4035.tgz + - TA-osquery.tar.gz + - splunk-add-on-for-microsoft-cloud-services_530.tgz + - splunk-add-on-for-crowdstrike-fdr_150.tgz + - vmware-carbon-black-cloud_115.tgz + - splunk-add-on-for-carbon-black_210.tgz + - TA-aurora-0.2.0.tar.gz + - snort-alert-for-splunk_111.tgz + # List of Splunk Apps to install on the Splunk Server + byo_splunk: "0" # Enable/Disable Bring your own Splunk by setting this to 1 or 0. @@ -139,9 +158,6 @@ phantom_server: phantom_server: "0" # Enable/Disable Phantom Server - phantom_image: "phantom-v3-0-0" - # name of the image of the Phantom Server. Packer is used to build this images. - phantom_app: "splunk_soar-unpriv-6.2.1.305-7c40b403-el7-x86_64.tgz" # name of the Splunk SOAR package located in apps folder 
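Review bot: The new `splunk_apps` list in the @@ -114 hunk of configs/attack_range_default.yml names package files but gives no way to pin their integrity; if the installer fetches each entry by name from `s3_bucket_url` (that code is not part of this diff), a change to the bucket contents changes what is installed on the Splunk server with no change to the config. At minimum the trailing comment should say so, e.g. `# List of Splunk Apps to install on the Splunk Server (fetched by name from s3_bucket_url; no checksum is configured here)`, and a per-entry sha256 is worth considering if the install step can verify it. `DA-ESS-ContentUpdate-latest.tar.gz` also appears to be a floating name, so that entry is not reproducible across builds even when the rest of the bucket is unchanged.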
@@ -158,8 +174,8 @@ windows_servers_default: hostname: ar-win # Define the hostname for the Windows Server. - windows_image: windows-2016-v3-0-0 - # Name of the image of the Windows Server. Packer is used to build this images. + windows_image: "windows-server-2019" + # Name of the image of the Windows Server. create_domain: "0" # Create Domain will turn this Windows Server into a Domain Controller. Enable by setting this to 1. @@ -180,13 +196,13 @@ windows_servers_default: aurora_agent: "0" # Install Aurora Agent + advanced_logging: "0" + # Enable verbose windows security logs by setting this to 1. + linux_servers_default: hostname: ar-linux # Define the hostname for the Linux Server. - linux_image: linux-v3-0-0 - # Name of the image of the Linux Server. Packer is used to build this image. - sysmon_config: "SysMonLinux-CatchAll.xml" # Specify a Sysmon config located under configs/ . @@ -201,9 +217,6 @@ nginx_server: hostname: "nginx" # Specify the image used for Nginx Server. - nginx_image: nginx-web-proxy-v3-0-0 - # Name of the image of the Web proxy. Packer is used to build this images. - proxy_server_ip: "10.0.1.12" # Specify what ip to proxy. 
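Review bot: The new comment under `windows_image: "windows-server-2019"` in the @@ -158 hunk of configs/attack_range_default.yml does not say which values are accepted, yet the aws_controller.py hunk later in this diff maps only names starting with `windows-server-2016` or `windows-server-2019` to an AMI filter and drops the old `else` that exited on anything else, so a typo here would leave `windows_ami` unset on AWS. Suggest `# Name of the image of the Windows Server. On AWS only "windows-server-2016" and "windows-server-2019" are mapped to an AMI (see modules/aws_controller.py).` The attack_range.yml and github_actions config hunks remove their explicit image, so those configs now depend entirely on this default.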
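Review bot: `advanced_logging` moves from `general` (removed in the @@ -46 hunk) to `windows_servers_default` in the @@ -180 hunk of configs/attack_range_default.yml, which silently changes behaviour for any existing attack_range.yml that still sets `general.advanced_logging: "1"`; whether that stale key is ignored or rejected depends on the config loader, which this diff does not touch. It would help to record the move in the new comment, e.g. `# Enable verbose windows security logs by setting this to 1 (moved here from general; applies per Windows server).`, and to have the loader warn on the old location if it does not already.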
@@ -214,22 +227,13 @@ zeek_server: zeek_server: "0" # Enable Zeek Server by setting this to 1. - zeek_image: "zeek-v3-0-0" -# Specify the image used for Zeek Server. +snort_server: + snort_server: "0" + # Enable Snort Server by setting this to 1. simulation: atomic_red_team_repo: redcanaryco # Specify the repository owner for Atomic Red Team. atomic_red_team_branch: master - # Specify the branch for Atomic Red Team. - - prelude: "0" - # Install Prelude by setting this to 1. - - prelude_operator_url: "https://download.prelude.org/latest?arch=x64&platform=linux&variant=zip&edition=headless" - # Specify where to download Prelude Operator from. - - prelude_account_email: "test@test.com" -# Email account login into a Prelude Operator UI. -# Required for connecting to redirector, can be found on the GUI under connect -> deploy manual redirector -> accountEmail. + # Specify the branch for Atomic Red Team. \ No newline at end of file diff --git a/configs/github_actions_config_aws.yml b/configs/github_actions_config_aws.yml index 174af0db2..8b9c39ca4 100644 --- a/configs/github_actions_config_aws.yml +++ b/configs/github_actions_config_aws.yml @@ -8,6 +8,5 @@ aws: private_key_path: "~/.ssh/ar-github-actions" windows_servers: - hostname: ar-win - windows_image: windows-2016-v3-0-0 linux_servers: - hostname: ar-linux \ No newline at end of file diff --git a/configs/github_actions_config_azure.yml b/configs/github_actions_config_azure.yml index 2712a0245..ae6ec4460 100644 --- a/configs/github_actions_config_azure.yml +++ b/configs/github_actions_config_azure.yml @@ -9,6 +9,5 @@ azure: subscription_id: "xxx" windows_servers: - hostname: ar-win - windows_image: windows-2016-v3-0-0 linux_servers: - hostname: ar-linux \ No newline at end of file diff --git a/docs/attack_range_architecture.png b/docs/attack_range_architecture.png index eaeceede2..f4d94ee46 100644 Binary files a/docs/attack_range_architecture.png and b/docs/attack_range_architecture.png differ 
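Review bot: The last added line of configs/attack_range_default.yml in the @@ -214 hunk, `  # Specify the branch for Atomic Red Team.`, is marked `\ No newline at end of file` while the old file ended with a newline; yamllint's new-line-at-end-of-file rule will flag it and the next append to the file will show up as a change to this line. Add the trailing newline. The new `snort_server` stanza follows the file's `"0"`/`"1"` string-flag convention, so nothing else in this hunk needs changing.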
diff --git a/docs/source/Attack_Range_AWS.md b/docs/source/Attack_Range_AWS.md index 3e36a3474..0c365625d 100644 --- a/docs/source/Attack_Range_AWS.md +++ b/docs/source/Attack_Range_AWS.md @@ -67,13 +67,6 @@ unzip terraform.zip && \ mv terraform /usr/local/bin/ ```` -Install Packer: -````bash -curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - -sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" -sudo apt-get update && sudo apt-get install packer -```` - Install the AWS CLI: ````bash apt-get install -y awscli diff --git a/docs/source/Attack_Range_Azure.md b/docs/source/Attack_Range_Azure.md index 7b00c86f9..68e81f31e 100644 --- a/docs/source/Attack_Range_Azure.md +++ b/docs/source/Attack_Range_Azure.md @@ -55,13 +55,6 @@ unzip terraform.zip && \ mv terraform /usr/local/bin/ ```` -Install Packer: -````bash -curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - -sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" -sudo apt-get update && sudo apt-get install packer -```` - Install the Azure CLI: ````bash apt-get install -y azure-cli diff --git a/docs/source/Attack_Range_Config.md b/docs/source/Attack_Range_Config.md index c316dff94..e3db567bb 100644 --- a/docs/source/Attack_Range_Config.md +++ b/docs/source/Attack_Range_Config.md 
@@ -8,30 +8,24 @@ The `attack_range_default.yml` defines all default values for the Attack Range. ````yml general: attack_range_password: "Pl3ase-k1Ll-me:p" -# Attack Range Master Password for all accounts in Attack Range. + # Attack Range Master Password for all accounts in Attack Range. cloud_provider: "aws" -# Cloud Provider: aws/azure/local + # Cloud Provider: aws/azure/local key_name: "attack-range-key-pair" -# The key name is the name of the AWS key pair and at the same time an unique identifier for Attack Ranges. + # The key name is the name of the AWS key pair and at the same time an unique identifier for Attack Ranges. attack_range_name: "ar" -# Attack range Name let you build multiple Attack Ranges by changing this parameter. + # Attack range Name let you build multiple Attack Ranges by changing this parameter. ip_whitelist: "0.0.0.0/0" -# Blocks from which Attack Range machines can be reached. -# This allow comma-separated blocks -# ip_whitelist = 0.0.0.0/0,35.153.82.195/32 - - version: "3.0.0" -# The current released version of Attack Range. - - use_prebuilt_images_with_packer: "0" -# Enable/Disable usage of packer to create pre-built images by setting this to 1 or 0. + # Blocks from which Attack Range machines can be reached. + # This allow comma-separated blocks + # ip_whitelist = 0.0.0.0/0,35.153.82.195/32 crowdstrike_falcon: "0" -# Enable/Disable Crowdstrike Falcon by setting this to 1 or 0. + # Enable/Disable CrowdStrike Falcon by setting this to 1 or 0. crowdstrike_agent_name: "WindowsSensor.exe" crowdstrike_customer_ID: "" 
@@ -39,52 +33,61 @@ general: crowdstrike_logs_access_key_id: "" crowdstrike_logs_secret_access_key: "" crowdstrike_logs_sqs_url: "" -# All these fields are needed to automatically deploy a Crowdstrike Agent and ingest Crowdstrike Falcon logs into the Splunk Server. -# See the chapter Crowdstrike Falcon in the docs page Attack Range Features. + # All these fields are needed to automatically deploy a CrowdStrike Agent and ingest CrowdStrike Falcon logs into the Splunk Server. + # See the chapter CrowdStrike Falcon in the docs page Attack Range Features. carbon_black_cloud: "0" -# Enable/Disable VMWare Carbon Black Cloud by setting this to 1 or 0. + # Enable/Disable VMWare Carbon Black Cloud by setting this to 1 or 0. carbon_black_cloud_agent_name: "installer_vista_win7_win8-64-3.8.0.627.msi" carbon_black_cloud_company_code: "" carbon_black_cloud_s3_bucket: "" -# All these fields are needed to automatically deploy a Carbon Black Agent and ingest Carbon Black logs into the Splunk Server. -# See the chapter Carbon Black in the docs page Attack Range Features. + # All these fields are needed to automatically deploy a Carbon Black Agent and ingest Carbon Black logs into the Splunk Server. + # See the chapter Carbon Black in the docs page Attack Range Features. install_contentctl: "0" -# Install contentctl packages on linux hosts + # Install splunk/contentctl on linux servers aws: region: "us-west-2" -# Region used in AWS. This should be the same as the region configured in AWS CLI. + # Region used in AWS. This should be the same as the region configured in AWS CLI. private_key_path: "~/.ssh/id_rsa" -# Path to your private key. This needs to match the public key uploaded to AWS. + # Path to your private key. This needs to match the public key uploaded to AWS. cloudtrail: "0" -# Enable/Disable collection of Cloudtrail logs by setting this to 1 or 0. + # Enable/Disable collection of CloudTrail logs by setting this to 1 or 0. 
cloudtrail_sqs_queue: "https://sqs.us-west-2.amazonaws.com/111111111111/cloudtrail-cloud-attack-range" -# Cloudtrail SQS queue. See the chapter AWS Cloudtrail in the docs page Attack Range Cloud. + # Cloudtrail SQS queue. See the chapter AWS CloudTrail in the docs page Attack Range Cloud. use_elastic_ips: "1" -# Enable/disable usage of Elastic IPs by setting this to 1 or 0. + # Enable/disable usage of Elastic IPs by setting this to 1 or 0. + + use_remote_state: "0" + # Store the state file in s3 and dynamoDB instead of local + + tf_remote_state_s3_bucket: "test" + # Specify the already created S3 bucket in the same region + + tf_remote_state_dynamo_db_table: "test" +# Specify the already created DynamoDB table in the same region azure: location: "West Europe" -# Region used in Azure. + # Region used in Azure. subscription_id: "xxx" -# Azure subscription ID. + # Azure subscription ID. private_key_path: "~/.ssh/id_rsa" -# Path to your private key. + # Path to your private key. public_key_path: "~/.ssh/id_rsa.pub" -# Path to your public key. + # Path to your public key. azure_logging: "0" -# Enable/Disable Azure logs and onboard them into the Splunk Server by setting this to 1 or 0. + # Enable/Disable Azure logs and onboard them into the Splunk Server by setting this to 1 or 0. client_id: "xxx" client_secret: "xxx" 
@@ -98,100 +101,115 @@ local: # Attack Range Local used Virtualbox and Vagrant to build the Attack Range. splunk_server: - splunk_image: "splunk-v3-0-0" -# Name of the image of the Splunk Server. Packer is used to build this image. install_es: "0" -# Enable/Disable Enterprise Security by setting this to 1 or 0. + # Enable/Disable Enterprise Security by setting this to 1 or 0. - splunk_es_app: "splunk-enterprise-security_701.spl" -# File name of the Enterprise Security spl file. Needs to be located in the apps folder. + splunk_es_app: "splunk-enterprise-security_731.spl" + # File name of the Enterprise Security spl file. Needs to be located in the apps folder. s3_bucket_url: "https://attack-range-appbinaries.s3-us-west-2.amazonaws.com" -# S3 bucket containing the Splunk Apps which will be installed in Attack Range. - - splunk_url: "https://download.splunk.com/products/splunk/releases/9.0.2/linux/splunk-9.0.2-17e00c557dc1-Linux-x86_64.tgz" -# Url to download Splunk Enterprise. - - splunk_uf_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.2/linux/splunkforwarder-9.0.2-17e00c557dc1-linux-2.6-amd64.deb" -# Url to download Splunk Universal Forwarder Linux. - - splunk_uf_win_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.2/windows/splunkforwarder-9.0.2-17e00c557dc1-x64-release.msi" -# Url to download Splunk Universal Forwarder Windows. + # S3 bucket containing the Splunk Apps which will be installed in Attack Range. + + splunk_url: "https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-Linux-x86_64.tgz" + # Url to download Splunk Enterprise. + + splunk_uf_url: "https://download.splunk.com/products/universalforwarder/releases/9.3.0/linux/splunkforwarder-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb" + # Url to download Splunk Universal Forwarder Linux. 
+ + splunk_uf_win_url: "https://download.splunk.com/products/universalforwarder/releases/9.3.0/windows/splunkforwarder-9.3.0-51ccf43db5bd-x64-release.msi" + # Url to download Splunk Universal Forwarder Windows. + + splunk_apps: + - splunk-add-on-for-microsoft-windows_880.tgz + - splunk-timeline-custom-visualization_162.tgz + - status-indicator-custom-visualization_150.tgz + - splunk-sankey-diagram-custom-visualization_160.tgz + - punchcard-custom-visualization_150.tgz + - splunk_attack_range_reporting-1.0.9.tar.gz + - splunk-common-information-model-cim_532.tgz + - DA-ESS-ContentUpdate-latest.tar.gz + - python-for-scientific-computing-for-linux-64-bit_420.tgz + - splunk-machine-learning-toolkit_541.tgz + - splunk-security-essentials_380.tgz + - splunk-add-on-for-sysmon_400.tgz + - splunk-add-on-for-sysmon-for-linux_100.tgz + - splunk-add-on-for-amazon-web-services-aws_760.tgz + - splunk-add-on-for-microsoft-office-365_451.tgz + - splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz + - splunk-add-on-for-unix-and-linux_910.tgz + - ta-for-zeek_108.tgz + - splunk-add-on-for-nginx_322.tgz + - phantom-app-for-splunk_4035.tgz + - TA-osquery.tar.gz + - splunk-add-on-for-microsoft-cloud-services_530.tgz + - splunk-add-on-for-crowdstrike-fdr_150.tgz + - vmware-carbon-black-cloud_115.tgz + - splunk-add-on-for-carbon-black_210.tgz + - TA-aurora-0.2.0.tar.gz + - snort-alert-for-splunk_111.tgz + # List of Splunk Apps to install on the Splunk Server byo_splunk: "0" -# Enable/Disable Bring your own Splunk by setting this to 1 or 0. + # Enable/Disable Bring your own Splunk by setting this to 1 or 0. byo_splunk_ip: "" -# Specify Splunk IP address when you enable BYO Splunk. + # Specify Splunk IP address when you enable BYO Splunk. ingest_bots3_data: "0" -# Ingest BOTS data to Attack Range. + # Ingest BOTS data to Attack Range. install_dltk: "0" # Install Deep Learning Toolkit. phantom_server: phantom_server: "0" -# Enable/Disable Phantom Server by setting this to 1 or 0. 
- - phantom_image: "phantom-v3-0-0" -# name of the image of the Phantom Server. Packer is used to build this images. - - phantom_community_username: user -# Specify the username needed to login to my.phantom.us to download Phantom. -# This must be changed to a real username. -# You can register at https://www.splunk.com/en_us/download/soar-free-trial.html. + # Enable/Disable Phantom Server - phantom_community_password: password -# Specify the password used to login to my.phantom.us to download Phantom. -# This must be changed to a real password. -# You can register at https://www.splunk.com/en_us/download/soar-free-trial.html. - - phantom_repo_url: https://repo.phantom.us/phantom/5.2/base/7/x86_64/phantom_repo-5.2.1.78411-1.x86_64.rpm -# Specify the Phantom install RPM. - - phantom_version: "5.2.1.78411-1" -# Fields the Phantom Version. + phantom_app: "splunk_soar-unpriv-6.2.1.305-7c40b403-el7-x86_64.tgz" + # name of the Splunk SOAR package located in apps folder phantom_byo: "0" -# Enable/Disable Bring your own Phantom by setting this to 1 or 0. + # Enable/Disable Bring your own Phantom phantom_byo_ip: "" -# Specify Phantom IP address when you enabled byo Phantom. + # Specify Phantom IP address when you enabled byo phantom phantom_byo_api_token: "" -# Phantom Api Token. +# Phantom Api Token windows_servers_default: hostname: ar-win -# Define the hostname for the Windows Server. + # Define the hostname for the Windows Server. - windows_image: windows-2016-v3-0-0 -# name of the image of the Windows Server. Packer is used to build this images. + windows_image: "windows-server-2019" + # Name of the image of the Windows Server. create_domain: "0" -# Create Domain will turn this Windows Server into a Domain Controller. Enable by setting this to 1. + # Create Domain will turn this Windows Server into a Domain Controller. Enable by setting this to 1. join_domain: "0" -# Join a domain by setting this to 1 or 0. + # Join a domain by setting this to 1 or 0. 
win_sysmon_config: "SwiftOnSecurity.xml" -# Specify a Sysmon config located under configs/ . + # Specify a Sysmon config located under configs/ . install_red_team_tools: "0" -# Install different read team tools by setting this to 1 or 0. + # Install different read team tools by setting this to 1 or 0. bad_blood: "0" -# Install Bad Blood by setting this to 1 or 0. -# More information in chapter Bad Blood under Attack Range Features. + # Install Bad Blood by setting this to 1 or 0. + # More information in chapter Bad Blood under Attack Range Features. + + aurora_agent: "0" + # Install Aurora Agent + + advanced_logging: "0" + # Enable verbose windows security logs by setting this to 1. linux_servers_default: hostname: ar-linux -# Define the hostname for the Linux Server. - - linux_image: linux-v3-0-0 -# Name of the image of the Linux Server. Packer is used to build this image. + # Define the hostname for the Linux Server. sysmon_config: "SysMonLinux-CatchAll.xml" # Specify a Sysmon config located under configs/ . 
@@ -202,41 +220,29 @@ kali_server: nginx_server: nginx_server: "0" -# Enable Nginx Server by setting this to 1. + # Enable Nginx Server by setting this to 1. hostname: "nginx" -# Specify the image used for Nginx Server. - - nginx_image: nginx-web-proxy-v3-0-0 -# name of the image of the Web proxy. Packer is used to build this images. + # Specify the image used for Nginx Server. proxy_server_ip: "10.0.1.12" -# Specify what ip to proxy. + # Specify what ip to proxy. proxy_server_port: "8000" # Specify what port to proxy. zeek_server: zeek_server: "0" -# Enable Zeek Server by setting this to 1. + # Enable Zeek Server by setting this to 1. - zeek_image: "zeek-v3-0-0" -# Specify the image used for Zeek Server. +snort_server: + snort_server: "0" + # Enable Snort Server by setting this to 1. simulation: atomic_red_team_repo: redcanaryco -# Specify the repository owner for Atomic Red Team. + # Specify the repository owner for Atomic Red Team. atomic_red_team_branch: master -# Specify the branch for Atomic Red Team. - - prelude: "0" -# Install Prelude by setting this to 1. - - prelude_operator_url: "https://download.prelude.org/latest?arch=x64&platform=linux&variant=zip&edition=headless" -# Specify where to download Prelude Operator from. - - prelude_account_email: "test@test.com" -# Email account login into a Prelude Operator UI. -# Required for connecting to redirector, can be found on the GUI under connect -> deploy manual redirector -> accountEmail. + # Specify the branch for Atomic Red Team. ```` diff --git a/docs/source/Attack_Range_Features.md b/docs/source/Attack_Range_Features.md index 9f0a8cb7c..0eb06bf5b 100644 --- a/docs/source/Attack_Range_Features.md +++ b/docs/source/Attack_Range_Features.md 
@@ -1,18 +1,5 @@ # Attack Range Features -## Fast build time with Packer -Attack Range supports to prebuilt images and therefore improve the build time to 5 minutes. You can use the following `attack_range.yml` configuration as an example: -````yml -general: - attack_range_password: "ChangeMe123!" - cloud_provider: "aws" - key_name: "ar" - use_prebuilt_images_with_packer: "1" -windows_servers: - - hostname: ar-win - image: windows-2016-v3-0-0 -```` - ## CrowdStrike Falcon A CrowdStrike Falcon agent can be automatically installed on the Windows Servers in Attack Range. It is required that the agent is downloaded into the apps folder before running the build command. The logs can ingested automatically to the Splunk server when you have the CrowdStrike Falcon Data Replicator (FDR) entitlement. You can use the following `attack_range.yml` configuration: ````yml diff --git a/docs/source/Attack_Simulation.md b/docs/source/Attack_Simulation.md index c5d8ebfc0..3c8a25b35 100644 --- a/docs/source/Attack_Simulation.md +++ b/docs/source/Attack_Simulation.md 
@@ -21,45 +21,5 @@ or you can execute a given playbook: python attack_range.py simulate -e PurpleSharp -t ar-win-ar-ar-0 -p configs/purplesharp_playbook_T1003.pb ``` -## Prelude -[Prelude Operator](https://www.preludesecurity.com/products/operator) can be automatically configured and deployed with a Splunk Attack Range allowing a user to easily launch attacks via Operator on a running range using the pre-installed Penuma agents. To get started with Prelude follow these simple steps: - -1. Install [Prelude Operator](https://www.prelude.org/download) on your local machine -2. Configure an attack range with Prelude (configure the [accountEmail](#Prelude-accountEmail) setting) -3. Build an attack range -4. Add [a manual new redirector](#Add-a-manual-redirector) to Prelude Operator - -For an overview on how Prelude works inside the attack range see the general architecture below: - -![Prelude Attack Range Architecture 3 0](https://user-images.githubusercontent.com/1476868/174927368-210623eb-2165-491e-8e2f-861f2f002fb2.png) - -### A few things to note from this architecture: - -* A Headless Operator/Redirector is installed on the Splunk server, this means a user **needs**: - 1. Operator installed in their local machine (can be downloaded [here](https://www.prelude.org/download)) to connect and manage it, see screenshot below. - 2. Or talk through it via the API on TCP port -* Pneuma is installed and supported on the Windows (server and domain controller) and Linux machines ONLY today -* Pneuma connects back to the Headless Operator/Redirector via TCP port 2323 - -### Prelude accountEmail - -When an Splunk Attack Range is configured it will need to know the auto generated `accountEmail` to connect to. This can be obtained via the Prelude Operator client via clicking on **Connect** -> **Deploy Manual Redirectors**, see screenshot below for an example. 
- -image - -Once an Attack Range has successfully been built with Prelude Operator the `show` command will include a token and FQDN like below: - -``` -Access Prelude Operator UI via: - redirector FQDN > 18.225.27.90 - Token: fbe9254b-5fb8-44d2-a02c-31e0a10f62c9 -``` - -### Add a manual redirector - -This should then be inserted in the **Deploy Manual Redirectors** form on the locally installed Operator, click on `Add` to be able to attack these hosts via Operator. If all worked well you should end up with a list of hosts and a purple "Your are connected" message above available like the screenshot below. - -image - ## Kali Linux [Kali Linux](https://www.kali.org/) is an open-source Debian-based Linux distribution geared towards various information security tasks such as Penetration Testing, Security Research, Computer Forensics, and Reverse Engineering. Attack Range AWS and local is able to build a Kali Linux instance. diff --git a/modules/attack_range_controller.py b/modules/attack_range_controller.py index 01e31e4ed..ec25baa43 100644 --- a/modules/attack_range_controller.py +++ b/modules/attack_range_controller.py @@ -30,10 +30,6 @@ def stop(self) -> None: def resume(self) -> None: pass - @abc.abstractmethod - def packer(self, image_name) -> None: - pass - @abc.abstractmethod def simulate(self, engine, target, technique, playbook) -> None: pass diff --git a/modules/aws_controller.py b/modules/aws_controller.py index ea42f79b5..dcbb2f2ce 100644 --- a/modules/aws_controller.py +++ b/modules/aws_controller.py 
@@ -21,93 +21,77 @@ class AwsController(AttackRangeController): def __init__(self, config: dict): super().__init__(config) - statefile = self.config['general']['attack_range_name'] + ".terraform.tfstate" - self.config['general']["statepath"] = os.path.join(os.path.dirname(__file__), '../terraform/aws/state', statefile) + statefile = self.config["general"]["attack_range_name"] + ".terraform.tfstate" + self.config["general"]["statepath"] = os.path.join( + os.path.dirname(__file__), "../terraform/aws/state", statefile + ) - if not aws_service.check_region(self.config['aws']['region']): - self.logger.error("AWS cli region and region in config file are not the same.") + if not aws_service.check_region(self.config["aws"]["region"]): + self.logger.error( + "AWS cli region and region in config file are not the same." + ) sys.exit(1) - backend_path_tmp = os.path.join(os.path.dirname(__file__), '../terraform/aws/backend.tf.tmp') - backend_path = os.path.join(os.path.dirname(__file__), '../terraform/aws/backend.tf') + backend_path_tmp = os.path.join( + os.path.dirname(__file__), "../terraform/aws/backend.tf.tmp" + ) + backend_path = os.path.join( + os.path.dirname(__file__), "../terraform/aws/backend.tf" + ) if self.config["aws"]["use_remote_state"] == "1": - with open(backend_path_tmp, 'r') as file : + with open(backend_path_tmp, "r") as file: filedata = file.read() - filedata = filedata.replace('[region]', self.config['aws']['region']) - filedata = filedata.replace('[bucket]', self.config['aws']['tf_remote_state_s3_bucket']) - filedata = filedata.replace('[name]', self.config['general']['attack_range_name']) - filedata = filedata.replace('[dynamodb_table]', self.config['aws']['tf_remote_state_dynamo_db_table']) - with open(backend_path, 'w+') as file: + filedata = filedata.replace("[region]", self.config["aws"]["region"]) + filedata = filedata.replace( + "[bucket]", self.config["aws"]["tf_remote_state_s3_bucket"] + ) + filedata = filedata.replace( + "[name]", 
self.config["general"]["attack_range_name"] + ) + filedata = filedata.replace( + "[dynamodb_table]", + self.config["aws"]["tf_remote_state_dynamo_db_table"], + ) + with open(backend_path, "w+") as file: file.write(filedata) else: if os.path.isfile(backend_path): os.remove(backend_path) - working_dir = os.path.join(os.path.dirname(__file__), '../terraform/aws') - self.terraform = Terraform(working_dir=working_dir,variables=config, parallelism=15, state= self.config['general']["statepath"]) + working_dir = os.path.join(os.path.dirname(__file__), "../terraform/aws") + self.terraform = Terraform( + working_dir=working_dir, + variables=config, + parallelism=15, + state=self.config["general"]["statepath"], + ) - #if self.config['general']['use_prebuilt_images_with_packer'] == "0": - for i in range(len(self.config['windows_servers'])): - image_name = self.config['windows_servers'][i]['windows_image'] - if image_name.startswith("windows-2016"): - self.config['windows_servers'][i]['windows_ami'] = "Windows_Server-2016-English-Full-Base-*" - elif image_name.startswith("windows-2019"): - self.config['windows_servers'][i]['windows_ami'] = "Windows_Server-2019-English-Full-Base-*" - else: - self.logger.error("Image " + image_name + " not supported.") - sys.exit(1) - + for i in range(len(self.config["windows_servers"])): + image_name = self.config["windows_servers"][i]["windows_image"] + if image_name.startswith("windows-server-2016"): + self.config["windows_servers"][i][ + "windows_ami" + ] = "Windows_Server-2016-English-Full-Base-*" + + elif image_name.startswith("windows-server-2019"): + self.config["windows_servers"][i][ + "windows_ami" + ] = "Windows_Server-2019-English-Full-Base-*" def build(self) -> None: self.logger.info("[action] > build\n") - - if self.config['general']['use_prebuilt_images_with_packer'] == "1": - images = [] - if self.config['splunk_server']['byo_splunk'] == "0": - images.append(self.config['splunk_server']['splunk_image']) - for windows_server in 
self.config['windows_servers']: - images.append(windows_server['windows_image']) - for linux_server in self.config['linux_servers']: - images.append(linux_server['linux_image']) - if self.config["nginx_server"]["nginx_server"] == "1": - images.append(self.config["nginx_server"]["nginx_image"]) - if self.config["zeek_server"]["zeek_server"] == "1": - images.append(self.config["zeek_server"]["zeek_image"]) - if self.config["phantom_server"]["phantom_server"] == "1": - images.append(self.config["phantom_server"]["phantom_image"]) - - self.logger.info("Check if images are available in region " + self.config['aws']['region']) - - for image in images: - if not aws_service.ami_available(image, self.config['aws']['region']): - self.logger.info("Image " + image + " is not available in region " + self.config['aws']['region']) - self.logger.info("Checking if image " + image + " is available in other regions.") - result = aws_service.ami_available_other_region(image) - if result: - self.logger.info("Found image " + image + " in region " + result['region'] + ". Copy it to region " + self.config['aws']['region']) - aws_service.copy_image( - image, - result['image_id'], - result['region'], - self.config['aws']['region'] - ) - else: - self.logger.info("Image " + image + " need to be built with packer.") - self.packer(image) - else: - self.logger.info("Image " + image + " is available in region " + self.config['aws']['region']) - - cwd = os.getcwd() - os.system('cd ' + os.path.join(os.path.dirname(__file__), '../terraform/aws') + '&& terraform init -migrate-state') - os.system('cd ' + cwd) + os.system( + "cd " + + os.path.join(os.path.dirname(__file__), "../terraform/aws") + + "&& terraform init -migrate-state" + ) + os.system("cd " + cwd) return_code, stdout, stderr = self.terraform.apply( - capture_output='yes', - skip_plan=True, - no_color=IsNotFlagged + capture_output="yes", skip_plan=True, no_color=IsNotFlagged ) if not return_code: 
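Review bot: The rewritten windows_image-to-windows_ami mapping in `__init__` drops the former `else` branch, so a `windows_image` that matches neither `windows-server-2016` nor `windows-server-2019` now proceeds silently with no `windows_ami` set and fails later inside terraform rather than at configuration time. The Azure controller in this same commit keeps its `else: self.logger.error(...); sys.exit(1)`, so the two controllers now validate the same input differently. Suggest restoring the branch after the 2019 case: `else:` / `self.logger.error("Image " + image_name + " not supported.")` / `sys.exit(1)`. Separately, `os.system("cd " + cwd)` in `build` runs in its own subshell and cannot change the Python process's working directory, so it is a no-op; `build` continues outside the hunk.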
@@ -115,143 +99,65 @@ def build(self) -> None: self.show() - def destroy(self) -> None: self.logger.info("[action] > destroy\n") cwd = os.getcwd() - os.system('cd ' + os.path.join(os.path.dirname(__file__), '../terraform/aws') + '&& terraform init ') - os.system('cd ' + cwd) + os.system( + "cd " + + os.path.join(os.path.dirname(__file__), "../terraform/aws") + + "&& terraform init " + ) + os.system("cd " + cwd) return_code, stdout, stderr = self.terraform.destroy( - capture_output='yes', - no_color=IsNotFlagged, - force=IsNotFlagged, - auto_approve=True + capture_output="yes", + no_color=IsNotFlagged, + force=IsNotFlagged, + auto_approve=True, ) - - self.logger.info("attack_range has been destroy using terraform successfully") - - - def packer(self, image_name) -> None: - self.logger.info("Create golden image for " + image_name + ". This can take up to 30 minutes.\n") - only_cmd_arg = "" - path_packer_file = "" - - self.config['general']['use_prebuilt_images_with_packer'] = "0" - - if image_name.startswith("splunk"): - only_cmd_arg = "amazon-ebs.splunk-ubuntu" - path_packer_file = "packer/splunk_server/splunk_aws.pkr.hcl" - command = ["packer", "build", "-force", - "-var", "general=" + json.dumps(self.config["general"]), - "-var", "aws=" + json.dumps(self.config["aws"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-only=" + only_cmd_arg, path_packer_file] - - elif image_name.startswith("windows"): - only_cmd_arg = "amazon-ebs.windows" - path_packer_file = "packer/windows_server/windows_aws.pkr.hcl" - - if image_name.startswith("windows-2016"): - images = { - "aws_image": "Windows_Server-2016-English-Full-Base-*", - "azure_publisher": "MicrosoftWindowsServer", - "azure_offer": "WindowsServer", - "azure_sku": "2016-Datacenter", - "name": "windows-2016" - } - elif image_name.startswith("windows-2019"): - images = { - "aws_image": "Windows_Server-2019-English-Full-Base-*", - "azure_publisher": "MicrosoftWindowsServer", - "azure_offer": 
"WindowsServer", - "azure_sku": "2019-Datacenter", - "name": "windows-2019" - } - else: - self.logger.error("Image not supported.") - sys.exit(1) - - command = ["packer", "build", "-force", - "-var", "general=" + json.dumps(self.config["general"]), - "-var", "aws=" + json.dumps(self.config["aws"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-var", "images=" + json.dumps(images), - "-only=" + only_cmd_arg, path_packer_file] - - elif image_name.startswith("linux"): - only_cmd_arg = "amazon-ebs.ubuntu" - path_packer_file = "packer/linux_server/linux_aws.pkr.hcl" - command = ["packer", "build", "-force", - "-var", "general=" + json.dumps(self.config["general"]), - "-var", "aws=" + json.dumps(self.config["aws"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-only=" + only_cmd_arg, path_packer_file] - - elif image_name.startswith("phantom"): - only_cmd_arg = "amazon-ebs.phantom" - path_packer_file = "packer/phantom_server/phantom_aws.pkr.hcl" - command = ["packer", "build", "-force", - "-var", "general=" + json.dumps(self.config["general"]), - "-var", "aws=" + json.dumps(self.config["aws"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-var", "phantom_server=" + json.dumps(self.config["phantom_server"]), - "-only=" + only_cmd_arg, path_packer_file] - - elif image_name.startswith("zeek"): - only_cmd_arg = "amazon-ebs.ubuntu" - path_packer_file = "packer/zeek_server/zeek_aws.pkr.hcl" - command = ["packer", "build", "-force", - "-var", "general=" + json.dumps(self.config["general"]), - "-var", "aws=" + json.dumps(self.config["aws"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-only=" + only_cmd_arg, path_packer_file] - - elif image_name.startswith("nginx"): - only_cmd_arg = "amazon-ebs.nginx-web-proxy" - path_packer_file = "packer/nginx_server/nginx_aws.pkr.hcl" - command = ["packer", "build", "-force", - "-var", "general=" + 
json.dumps(self.config["general"]), - "-var", "aws=" + json.dumps(self.config["aws"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-only=" + only_cmd_arg, path_packer_file] - - if only_cmd_arg == "": - self.logger.error("Image not supported.") - sys.exit(1) - - # disable packer color clears up output - envvars = dict(os.environ) - envvars["PACKER_NO_COLOR"] = "1" - try: - process = subprocess.Popen(command, env=envvars, shell=False, universal_newlines=True, stdout=subprocess.PIPE) - except KeyboardInterrupt: - process.send_signal(signal.SIGINT) - while True: - output = process.stdout.readline() - if process.poll() is not None: - break - if output: - print(output.strip()) - rc = process.poll() + self.logger.info("attack_range has been destroy using terraform successfully") def stop(self, instances_ids=None) -> None: instances = [] if instances_ids is None: - instances = aws_service.get_all_instances(self.config['general']['key_name'], self.config['general']['attack_range_name'], self.config['aws']['region']) + instances = aws_service.get_all_instances( + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + self.config["aws"]["region"], + ) else: - instances = aws_service.get_instances_by_ids(instances_ids, self.config['general']['key_name'], self.config['general']['key_name'], self.config['general']['attack_range_name'], self.config['aws']['region']) - aws_service.change_ec2_state(instances, 'stopped', self.logger, self.config['aws']['region']) + instances = aws_service.get_instances_by_ids( + instances_ids, + self.config["general"]["key_name"], + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + self.config["aws"]["region"], + ) + aws_service.change_ec2_state( + instances, "stopped", self.logger, self.config["aws"]["region"] + ) def resume(self, instances_ids=None) -> None: instances = [] if instances_ids is None: - instances = 
aws_service.get_all_instances(self.config['general']['key_name'], self.config['general']['attack_range_name'], self.config['aws']['region']) + instances = aws_service.get_all_instances( + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + self.config["aws"]["region"], + ) else: - instances = aws_service.get_instances_by_ids(instances_ids, self.config['general']['key_name'], self.config['general']['key_name'], self.config['general']['attack_range_name'], self.config['aws']['region']) - aws_service.change_ec2_state(instances, 'running', self.logger, self.config['aws']['region']) + instances = aws_service.get_instances_by_ids( + instances_ids, + self.config["general"]["key_name"], + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + self.config["aws"]["region"], + ) + aws_service.change_ec2_state( + instances, "running", self.logger, self.config["aws"]["region"] + ) def simulate(self, engine, target, technique, playbook) -> None: self.logger.info("[action] > simulate\n") 
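Review bot: In both `stop` and `resume`, `aws_service.get_instances_by_ids` is called with `self.config["general"]["key_name"]` twice as consecutive positional arguments; the reformatting makes this easy to see but keeps it, and one of the two presumably should be a different value (the callee's signature is not visible here, so confirm against aws_service). If it is an argument-count mismatch, the error only surfaces on the `instances_ids` path, which is the less-exercised one. Also the log line `"attack_range has been destroy using terraform successfully"` should read `"attack_range has been destroyed using terraform successfully"`.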
@@ -261,62 +167,179 @@ def simulate(self, engine, target, technique, playbook) -> None: if engine == "PurpleSharp": simulation_controller = PurplesharpSimulationController(self.config) simulation_controller.simulate(target, technique, playbook) - def show(self) -> None: self.logger.info("[action] > show\n") - instances = aws_service.get_all_instances(self.config['general']['key_name'], self.config['general']['attack_range_name'], self.config['aws']['region']) + instances = aws_service.get_all_instances( + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + self.config["aws"]["region"], + ) response = [] messages = [] instances_running = False splunk_ip = "" for instance in instances: - if instance['State']['Name'] == 'running': + if instance["State"]["Name"] == "running": instances_running = True - response.append([instance['Tags'][0]['Value'], instance['State']['Name'], - instance['NetworkInterfaces'][0]['Association']['PublicIp'], instance['InstanceId']]) - instance_name = instance['Tags'][0]['Value'] + response.append( + [ + instance["Tags"][0]["Value"], + instance["State"]["Name"], + instance["NetworkInterfaces"][0]["Association"]["PublicIp"], + instance["InstanceId"], + ] + ) + instance_name = instance["Tags"][0]["Value"] if instance_name.startswith("ar-splunk"): - splunk_ip = instance['NetworkInterfaces'][0]['Association']['PublicIp'] - messages.append("\nAccess Guacamole via:\n\tWeb > http://" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + ":8080/guacamole" + "\n\tusername: Admin \n\tpassword: " + self.config['general']['attack_range_password']) + splunk_ip = instance["NetworkInterfaces"][0]["Association"][ + "PublicIp" + ] + messages.append( + "\nAccess Guacamole via:\n\tWeb > http://" + + instance["NetworkInterfaces"][0]["Association"]["PublicIp"] + + ":8080/guacamole" + + "\n\tusername: Admin \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) if 
self.config["splunk_server"]["install_es"] == "1": - messages.append("\nAccess Splunk via:\n\tWeb > https://" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + ":8000\n\tSSH > ssh -i" + self.config['aws']['private_key_path'] + " ubuntu@" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + "\n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Splunk via:\n\tWeb > https://" + + instance["NetworkInterfaces"][0]["Association"][ + "PublicIp" + ] + + ":8000\n\tSSH > ssh -i" + + self.config["aws"]["private_key_path"] + + " ubuntu@" + + instance["NetworkInterfaces"][0]["Association"][ + "PublicIp" + ] + + "\n\tusername: admin \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) else: - messages.append("\nAccess Splunk via:\n\tWeb > http://" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + ":8000\n\tSSH > ssh -i" + self.config['aws']['private_key_path'] + " ubuntu@" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + "\n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Splunk via:\n\tWeb > http://" + + instance["NetworkInterfaces"][0]["Association"][ + "PublicIp" + ] + + ":8000\n\tSSH > ssh -i" + + self.config["aws"]["private_key_path"] + + " ubuntu@" + + instance["NetworkInterfaces"][0]["Association"][ + "PublicIp" + ] + + "\n\tusername: admin \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-phantom"): - if "splunk_soar-unpriv-6" in self.config["phantom_server"]["phantom_app"]: - messages.append("\nAccess Phantom via:\n\tWeb > https://" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + ":8443" + "\n\tSSH > ssh -i" + self.config['aws']['private_key_path'] + " centos@" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + "\n\tusername: soar_local_admin \n\tpassword: " + 
self.config['general']['attack_range_password']) + if ( + "splunk_soar-unpriv-6" + in self.config["phantom_server"]["phantom_app"] + ): + messages.append( + "\nAccess Phantom via:\n\tWeb > https://" + + instance["NetworkInterfaces"][0]["Association"][ + "PublicIp" + ] + + ":8443" + + "\n\tSSH > ssh -i" + + self.config["aws"]["private_key_path"] + + " centos@" + + instance["NetworkInterfaces"][0]["Association"][ + "PublicIp" + ] + + "\n\tusername: soar_local_admin \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) else: - messages.append("\nAccess Phantom via:\n\tWeb > https://" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + ":8443" + "\n\tSSH > ssh -i" + self.config['aws']['private_key_path'] + " centos@" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + "\n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Phantom via:\n\tWeb > https://" + + instance["NetworkInterfaces"][0]["Association"][ + "PublicIp" + ] + + ":8443" + + "\n\tSSH > ssh -i" + + self.config["aws"]["private_key_path"] + + " centos@" + + instance["NetworkInterfaces"][0]["Association"][ + "PublicIp" + ] + + "\n\tusername: admin \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-win"): - messages.append("\nAccess Windows via:\n\tRDP > rdp://" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + ":3389\n\tusername: Administrator \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Windows via:\n\tRDP > rdp://" + + instance["NetworkInterfaces"][0]["Association"]["PublicIp"] + + ":3389\n\tusername: Administrator \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-linux"): - messages.append("\nAccess Linux via:\n\tSSH > ssh -i" + self.config['aws']['private_key_path'] + " ubuntu@" + 
instance['NetworkInterfaces'][0]['Association']['PublicIp'] + "\n\tusername: ubuntu \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Linux via:\n\tSSH > ssh -i" + + self.config["aws"]["private_key_path"] + + " ubuntu@" + + instance["NetworkInterfaces"][0]["Association"]["PublicIp"] + + "\n\tusername: ubuntu \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-kali"): - messages.append("\nAccess Kali via:\n\tSSH > ssh -i" + self.config['aws']['private_key_path'] + " kali@" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + "\n\tusername: kali \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Kali via:\n\tSSH > ssh -i" + + self.config["aws"]["private_key_path"] + + " kali@" + + instance["NetworkInterfaces"][0]["Association"]["PublicIp"] + + "\n\tusername: kali \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-nginx"): - messages.append("\nAccess Nginx Web Proxy via:\n\tSSH > ssh -i" + self.config['aws']['private_key_path'] + " ubuntu@" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + "\n\tusername: kali \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Nginx Web Proxy via:\n\tSSH > ssh -i" + + self.config["aws"]["private_key_path"] + + " ubuntu@" + + instance["NetworkInterfaces"][0]["Association"]["PublicIp"] + + "\n\tusername: kali \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-zeek"): - messages.append("\nAccess Zeek via:\n\tSSH > ssh -i" + self.config['aws']['private_key_path'] + " ubuntu@" + instance['NetworkInterfaces'][0]['Association']['PublicIp'] + "\n\tusername: ubuntu \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Zeek via:\n\tSSH > ssh -i" + + 
self.config["aws"]["private_key_path"] + + " ubuntu@" + + instance["NetworkInterfaces"][0]["Association"]["PublicIp"] + + "\n\tusername: ubuntu \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) + elif instance_name.startswith("ar-snort"): + messages.append( + "\nAccess Snort via:\n\tSSH > ssh -i" + + self.config["aws"]["private_key_path"] + + " ubuntu@" + + instance["NetworkInterfaces"][0]["Association"]["PublicIp"] + + "\n\tusername: ubuntu \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) else: - response.append([instance['Tags'][0]['Value'], - instance['State']['Name']]) - - if self.config['simulation']['prelude'] == "1": - prelude_token = self.get_prelude_token('/var/tmp/.prelude_session_token') - messages.append("\nAccess Prelude Operator UI via:\n\tredirector FQDN > " + splunk_ip + "\n\tToken: " + prelude_token + "\n\tSee guide details: https://github.com/splunk/attack_range/wiki/Prelude-Operator") + response.append( + [instance["Tags"][0]["Value"], instance["State"]["Name"]] + ) print() - print('Status Virtual Machines\n') + print("Status Virtual Machines\n") if len(response) > 0: if instances_running: - print(tabulate(response, headers=[ - 'Name', 'Status', 'IP Address', 'Instance ID'])) + print( + tabulate( + response, + headers=["Name", "Status", "IP Address", "Instance ID"], + ) + ) for msg in messages: print(msg) else: - print(tabulate(response, headers=['Name', 'Status', 'Instance ID'])) + print(tabulate(response, headers=["Name", "Status", "Instance ID"])) print() else: 
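Review bot: The `ar-nginx` branch of `show` prints `username: kali` while the SSH command it builds on the line above logs in as `ubuntu@`, so the displayed credentials disagree with the command; the new `ar-snort` branch copied the Zeek template consistently (`ubuntu`), so the fix is `"\n\tusername: ubuntu \n\tpassword: "` in the nginx message. The eight near-identical `messages.append(...)` blocks differ only in service label, login user and port; a small helper taking (label, user, ip) would make the Snort case a one-liner and stop this kind of drift. `show` continues outside the hunk.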
@@ -324,95 +347,147 @@ def show(self) -> None: def dump(self, dump_name, search, earliest, latest) -> None: self.logger.info("Dump log data") - dump_search = "search " + search + " earliest=-" + earliest + " latest=" + latest + " | sort 0 _time" + dump_search = ( + "search " + + search + + " earliest=-" + + earliest + + " latest=" + + latest + + " | sort 0 _time" + ) self.logger.info("Dumping Splunk Search: " + dump_search) - out = open(os.path.join(os.path.dirname(__file__), "../" + dump_name), 'wb') + out = open(os.path.join(os.path.dirname(__file__), "../" + dump_name), "wb") - splunk_instance = "ar-splunk-" + self.config['general']['key_name'] + '-' + self.config['general']['attack_range_name'] - splunk_sdk.export_search(aws_service.get_single_instance_public_ip(splunk_instance, self.config['general']['key_name'], self.config['general']['attack_range_name'], self.config['aws']['region']), - s=dump_search, - password=self.config['general']['attack_range_password'], - out=out) + splunk_instance = ( + "ar-splunk-" + + self.config["general"]["key_name"] + + "-" + + self.config["general"]["attack_range_name"] + ) + splunk_sdk.export_search( + aws_service.get_single_instance_public_ip( + splunk_instance, + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + self.config["aws"]["region"], + ), + s=dump_search, + password=self.config["general"]["attack_range_password"], + out=out, + ) out.close() self.logger.info("[Completed]") def replay(self, file_name, index, sourcetype, source) -> None: ansible_vars = {} - ansible_vars['file_name'] = file_name - ansible_vars['ansible_user'] = 'ubuntu' - ansible_vars['ansible_ssh_private_key_file'] = self.config['aws']['private_key_path'] - ansible_vars['attack_range_password'] = self.config['general']['attack_range_password'] - ansible_vars['ansible_port'] = 22 - ansible_vars['sourcetype'] = sourcetype - ansible_vars['source'] = source - ansible_vars['index'] = index - - splunk_instance = 
"ar-splunk-" + self.config['general']['key_name'] + '-' + self.config['general']['attack_range_name'] - splunk_ip = aws_service.get_single_instance_public_ip(splunk_instance, self.config['general']['key_name'], self.config['general']['attack_range_name'], self.config['aws']['region']) - cmdline = "-i %s, -u %s" % (splunk_ip, ansible_vars['ansible_user']) - runner = ansible_runner.run(private_data_dir=os.path.join(os.path.dirname(__file__), '../'), - cmdline=cmdline, - roles_path=os.path.join(os.path.dirname(__file__), 'ansible/roles'), - playbook=os.path.join(os.path.dirname(__file__), 'ansible/data_replay.yml'), - extravars=ansible_vars) - - - def get_prelude_token(self, token_path): - token = '' - try: - prelude_token_file = open(token_path,'r') - token = prelude_token_file.read() - except Exception as e: - self.logger.error("was not able to read prelude token from {}".format(token_path)) - return token - + ansible_vars["file_name"] = file_name + ansible_vars["ansible_user"] = "ubuntu" + ansible_vars["ansible_ssh_private_key_file"] = self.config["aws"][ + "private_key_path" + ] + ansible_vars["attack_range_password"] = self.config["general"][ + "attack_range_password" + ] + ansible_vars["ansible_port"] = 22 + ansible_vars["sourcetype"] = sourcetype + ansible_vars["source"] = source + ansible_vars["index"] = index + + splunk_instance = ( + "ar-splunk-" + + self.config["general"]["key_name"] + + "-" + + self.config["general"]["attack_range_name"] + ) + splunk_ip = aws_service.get_single_instance_public_ip( + splunk_instance, + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + self.config["aws"]["region"], + ) + cmdline = "-i %s, -u %s" % (splunk_ip, ansible_vars["ansible_user"]) + runner = ansible_runner.run( + private_data_dir=os.path.join(os.path.dirname(__file__), "../"), + cmdline=cmdline, + roles_path=os.path.join(os.path.dirname(__file__), "ansible/roles"), + playbook=os.path.join(os.path.dirname(__file__), 
"ansible/data_replay.yml"), + extravars=ansible_vars, + ) def create_remote_backend(self, backend_name) -> None: if not aws_service.check_s3_bucket(backend_name): - self.logger.info("Can not access remote S3 bucket with name " + backend_name) + self.logger.info( + "Can not access remote S3 bucket with name " + backend_name + ) self.logger.info("Try to create a S3 for remote backend.") - aws_service.create_s3_bucket(backend_name, self.config['aws']['region'], self.logger) + aws_service.create_s3_bucket( + backend_name, self.config["aws"]["region"], self.logger + ) # create DynamoDB - aws_service.create_dynamoo_db(backend_name, self.config['aws']['region'], self.logger) + aws_service.create_dynamoo_db( + backend_name, self.config["aws"]["region"], self.logger + ) - self.config['aws']['private_key_path'] = str(Path(backend_name + '.key').resolve()) - self.config['general']['key_name'] = backend_name + self.config["aws"]["private_key_path"] = str( + Path(backend_name + ".key").resolve() + ) + self.config["general"]["key_name"] = backend_name # privat key in secrets manager if not aws_service.check_secret_exists(backend_name): - key_material = aws_service.create_key_pair(backend_name, self.config['aws']['region'], self.logger) - aws_service.create_secret(backend_name, key_material, self.config, self.logger) - - with open(os.path.join(os.path.dirname(__file__), '../attack_range.yml'), 'w') as outfile: + key_material = aws_service.create_key_pair( + backend_name, self.config["aws"]["region"], self.logger + ) + aws_service.create_secret( + backend_name, key_material, self.config, self.logger + ) + + with open( + os.path.join(os.path.dirname(__file__), "../attack_range.yml"), "w" + ) as outfile: yaml.dump(self.config, outfile, default_flow_style=False, sort_keys=False) # write versions.tf j2_env = Environment( - loader=FileSystemLoader(os.path.join(os.path.dirname(__file__), '../terraform/aws')), - trim_blocks=True) - template = j2_env.get_template('versions.tf.j2') - 
output = template.render(backend_name=backend_name, region=self.config['aws']['region']) - with open('terraform/aws/versions.tf', 'w') as f: - output = output.encode('ascii', 'ignore').decode('ascii') + loader=FileSystemLoader( + os.path.join(os.path.dirname(__file__), "../terraform/aws") + ), + trim_blocks=True, + ) + template = j2_env.get_template("versions.tf.j2") + output = template.render( + backend_name=backend_name, region=self.config["aws"]["region"] + ) + with open("terraform/aws/versions.tf", "w") as f: + output = output.encode("ascii", "ignore").decode("ascii") f.write(output) - def delete_remote_backend(self, backend_name) -> None: - aws_service.delete_s3_bucket(backend_name, self.config['aws']['region'], self.logger) - aws_service.delete_dynamo_db(backend_name, self.config['aws']['region'], self.logger) + aws_service.delete_s3_bucket( + backend_name, self.config["aws"]["region"], self.logger + ) + aws_service.delete_dynamo_db( + backend_name, self.config["aws"]["region"], self.logger + ) aws_service.delete_secret(backend_name, self.logger) - aws_service.delete_key_pair(backend_name, self.config['aws']['region'], self.logger) + aws_service.delete_key_pair( + backend_name, self.config["aws"]["region"], self.logger + ) try: - os.remove(os.path.join(os.path.dirname(__file__), '../terraform/aws/versions.tf')) + os.remove( + os.path.join(os.path.dirname(__file__), "../terraform/aws/versions.tf") + ) except Exception as e: self.logger.error(e) try: - os.remove(os.path.join(os.path.dirname(__file__), '../', backend_name + '.key')) + os.remove( + os.path.join(os.path.dirname(__file__), "../", backend_name + ".key") + ) except Exception as e: self.logger.error(e) - def init_remote_backend(self, backend_name) -> None: if not aws_service.check_s3_bucket(backend_name): self.logger.error("Can't find S3 bucket with name " + backend_name) 
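Review bot: `create_remote_backend` writes versions.tf via `open("terraform/aws/versions.tf", "w")`, a path relative to the process's working directory, while every other path in the file — including the `os.remove(os.path.join(os.path.dirname(__file__), "../terraform/aws/versions.tf"))` in `delete_remote_backend` — is anchored on `__file__`; invoked from any directory other than the repo root the file lands in the wrong place and the later delete logs an error instead of cleaning it up. Suggest `with open(os.path.join(os.path.dirname(__file__), "../terraform/aws/versions.tf"), "w") as f:`; the same line appears in `init_remote_backend` in the next hunk. In `dump`, `out` is opened without a context manager, so an exception inside `splunk_sdk.export_search` leaks the handle; wrap the call as `with open(os.path.join(os.path.dirname(__file__), "../" + dump_name), "wb") as out:`.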
@@ -423,16 +498,23 @@ def init_remote_backend(self, backend_name) -> None: aws_service.get_secret_key(backend_name, self.logger) config = aws_service.get_secret_config(backend_name, self.logger) - config['aws']['private_key_path'] = str(Path(backend_name + '.key').resolve()) - with open(os.path.join(os.path.dirname(__file__), '../attack_range.yml'), 'w') as outfile: + config["aws"]["private_key_path"] = str(Path(backend_name + ".key").resolve()) + with open( + os.path.join(os.path.dirname(__file__), "../attack_range.yml"), "w" + ) as outfile: yaml.dump(config, outfile, default_flow_style=False, sort_keys=False) # write versions.tf j2_env = Environment( - loader=FileSystemLoader(os.path.join(os.path.dirname(__file__), '../terraform/aws')), - trim_blocks=True) - template = j2_env.get_template('versions.tf.j2') - output = template.render(backend_name=backend_name, region=self.config['aws']['region']) - with open('terraform/aws/versions.tf', 'w') as f: - output = output.encode('ascii', 'ignore').decode('ascii') + loader=FileSystemLoader( + os.path.join(os.path.dirname(__file__), "../terraform/aws") + ), + trim_blocks=True, + ) + template = j2_env.get_template("versions.tf.j2") + output = template.render( + backend_name=backend_name, region=self.config["aws"]["region"] + ) + with open("terraform/aws/versions.tf", "w") as f: + output = output.encode("ascii", "ignore").decode("ascii") f.write(output) diff --git a/modules/azure_controller.py b/modules/azure_controller.py index e7b880887..b8aacdbca 100644 --- a/modules/azure_controller.py +++ b/modules/azure_controller.py 
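Review bot: `init_remote_backend` renders versions.tf with `region=self.config["aws"]["region"]` while the configuration it just fetched from the secret and wrote to attack_range.yml is the local `config`; if the stored region differs from the caller's `self.config`, the generated backend block and the saved config will disagree. It looks like `region=config["aws"]["region"]` is intended — confirm against how `get_secret_config` is used elsewhere. The relative `open("terraform/aws/versions.tf", "w")` here has the same working-directory dependence as in `create_remote_backend`. The start of `init_remote_backend` is outside the hunk.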
@@ -18,209 +18,102 @@ class AzureController(AttackRangeController): def __init__(self, config: dict): super().__init__(config) - statefile = self.config['general']['attack_range_name'] + ".terraform.tfstate" - self.config['general']["statepath"] = os.path.join(os.path.dirname(__file__), '../terraform/azure/state', statefile) + statefile = self.config["general"]["attack_range_name"] + ".terraform.tfstate" + self.config["general"]["statepath"] = os.path.join( + os.path.dirname(__file__), "../terraform/azure/state", statefile + ) - working_dir = os.path.join(os.path.dirname(__file__), '../terraform/azure') + working_dir = os.path.join(os.path.dirname(__file__), "../terraform/azure") if self.config["azure"]["subscription_id"] == "xxx": - print("ERROR: please add subcription_id into the azure configuration section in attack_range.yml.") + print( + "ERROR: please add subcription_id into the azure configuration section in attack_range.yml." + ) sys.exit(1) os.environ["AZURE_SUBSCRIPTION_ID"] = self.config["azure"]["subscription_id"] - self.terraform = Terraform(working_dir=working_dir,variables=config, parallelism=15, state= self.config['general']["statepath"]) - - if self.config['general']['use_prebuilt_images_with_packer'] == "0": - for i in range(len(self.config['windows_servers'])): - image_name = self.config['windows_servers'][i]['windows_image'] - if image_name.startswith("windows-2016"): - self.config['windows_servers'][i]['azure_publisher'] = "MicrosoftWindowsServer" - self.config['windows_servers'][i]['azure_offer'] = "WindowsServer" - self.config['windows_servers'][i]['azure_sku'] = "2016-Datacenter" - - elif image_name.startswith("windows-2019"): - self.config['windows_servers'][i]['azure_publisher'] = "MicrosoftWindowsServer" - self.config['windows_servers'][i]['azure_offer'] = "WindowsServer" - self.config['windows_servers'][i]['azure_sku'] = "2019-Datacenter" + self.terraform = Terraform( + working_dir=working_dir, + variables=config, + parallelism=15, + 
state=self.config["general"]["statepath"], + ) - elif image_name.startswith("windows-10"): - self.config['windows_servers'][i]['azure_publisher'] = "microsoftwindowsdesktop" - self.config['windows_servers'][i]['azure_offer'] = "windows-10" - self.config['windows_servers'][i]['azure_sku'] = "win10-21h2-pro" + for i in range(len(self.config["windows_servers"])): + image_name = self.config["windows_servers"][i]["windows_image"] + if image_name.startswith("windows-server-2016"): + self.config["windows_servers"][i][ + "azure_publisher" + ] = "MicrosoftWindowsServer" + self.config["windows_servers"][i]["azure_offer"] = "WindowsServer" + self.config["windows_servers"][i]["azure_sku"] = "2016-Datacenter" + + elif image_name.startswith("windows-server-2019"): + self.config["windows_servers"][i][ + "azure_publisher" + ] = "MicrosoftWindowsServer" + self.config["windows_servers"][i]["azure_offer"] = "WindowsServer" + self.config["windows_servers"][i]["azure_sku"] = "2019-Datacenter" - elif image_name.startswith("windows-11"): - self.config['windows_servers'][i]['azure_publisher'] = "microsoftwindowsdesktop" - self.config['windows_servers'][i]['azure_offer'] = "windows-11" - self.config['windows_servers'][i]['azure_sku'] = "win11-21h2-pro" + elif image_name.startswith("windows-10"): + self.config["windows_servers"][i][ + "azure_publisher" + ] = "microsoftwindowsdesktop" + self.config["windows_servers"][i]["azure_offer"] = "windows-10" + self.config["windows_servers"][i]["azure_sku"] = "win10-21h2-pro" - else: - self.logger.error("Image " + image_name + " not supported.") - sys.exit(1) + elif image_name.startswith("windows-11"): + self.config["windows_servers"][i][ + "azure_publisher" + ] = "microsoftwindowsdesktop" + self.config["windows_servers"][i]["azure_offer"] = "windows-11" + self.config["windows_servers"][i]["azure_sku"] = "win11-21h2-pro" + else: + self.logger.error("Image " + image_name + " not supported.") + sys.exit(1) def build(self) -> None: 
self.logger.info("[action] > build\n") - - if self.config['general']['use_prebuilt_images_with_packer'] == "1": - images = [] - if self.config['splunk_server']['byo_splunk'] == "0": - images.append(self.config['splunk_server']['splunk_image']) - for windows_server in self.config['windows_servers']: - images.append(windows_server['windows_image']) - for linux_server in self.config['linux_servers']: - images.append(linux_server['linux_image']) - if self.config["phantom_server"]["phantom_server"] == "1": - images.append(self.config["phantom_server"]["phantom_image"]) - - for ar_image in images: - self.logger.info("Check if image " + ar_image + " is available in region " + self.config['azure']['location']) - if not azure_service.check_image_available(ar_image, self.config['azure']['location']): - self.logger.info("Image " + ar_image + " is not available in region " + self.config['azure']['location'] + ". Create a golden image with packer.") - self.packer(ar_image) - else: - self.logger.info("Image " + ar_image + " is available in region " + self.config['azure']['location']) - cwd = os.getcwd() - os.system('cd ' + os.path.join(os.path.dirname(__file__), '../terraform/azure') + '&& terraform init ') - os.system('cd ' + cwd) + os.system( + "cd " + + os.path.join(os.path.dirname(__file__), "../terraform/azure") + + "&& terraform init " + ) + os.system("cd " + cwd) return_code, stdout, stderr = self.terraform.apply( - capture_output='yes', - skip_plan=True, - no_color=IsNotFlagged + capture_output="yes", skip_plan=True, no_color=IsNotFlagged ) if not return_code: self.logger.info("attack_range has been built using terraform successfully") self.show() - def destroy(self) -> None: self.logger.info("[action] > destroy\n") return_code, stdout, stderr = self.terraform.destroy( - capture_output='yes', - no_color=IsNotFlagged, - force=IsNotFlagged, - auto_approve=True + capture_output="yes", + no_color=IsNotFlagged, + force=IsNotFlagged, + auto_approve=True, ) 
self.logger.info("attack_range has been destroy using terraform successfully") def stop(self) -> None: - azure_service.change_instance_state(self.config['general']['key_name'], self.config['general']['attack_range_name'], 'stopped', self.logger) + azure_service.change_instance_state( + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + "stopped", + self.logger, + ) def resume(self) -> None: - azure_service.change_instance_state(self.config['general']['key_name'], self.config['general']['attack_range_name'], 'running', self.logger) - - def packer(self, image_name) -> None: - self.logger.info("Create golden image for " + image_name + ". This can take up to 30 minutes.\n") - azure_service.create_ressource_group(self.config['azure']['location']) - only_cmd_arg = "" - path_packer_file = "" - - self.config['general']['use_prebuilt_images_with_packer'] = "0" - - if image_name.startswith("splunk"): - only_cmd_arg = "azure-arm.splunk-ubuntu-18-04" - path_packer_file = "packer/splunk_server/splunk_azure.pkr.hcl" - command = ["packer", "build", "-force", - "-var", "general=" + json.dumps(self.config["general"]), - "-var", "azure=" + json.dumps(self.config["azure"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-only=" + only_cmd_arg, path_packer_file] - - elif image_name.startswith("windows"): - only_cmd_arg = "azure-arm.windows" - path_packer_file = "packer/windows_server/windows_azure.pkr.hcl" - - if image_name.startswith("windows-2016"): - images = { - "aws_image": "Windows_Server-2016-English-Full-Base-*", - "azure_publisher": "MicrosoftWindowsServer", - "azure_offer": "WindowsServer", - "azure_sku": "2016-Datacenter", - "name": "windows-2016" - } - elif image_name.startswith("windows-2019"): - images = { - "aws_image": "Windows_Server-2019-English-Full-Base-*", - "azure_publisher": "MicrosoftWindowsServer", - "azure_offer": "WindowsServer", - "azure_sku": "2019-Datacenter", - "name": "windows-2019" - } - elif 
image_name.startswith("windows-2022"): - images = { - "aws_image": "Windows_Server-2022-English-Full-Base-*", - "azure_publisher": "MicrosoftWindowsServer", - "azure_offer": "WindowsServer", - "azure_sku": "2022-Datacenter", - "name": "windows-2022" - } - elif image_name.startswith("windows-10"): - images = { - "aws_image": "Windows_Server-2016-English-Full-Base-*", - "azure_publisher": "microsoftwindowsdesktop", - "azure_offer": "windows-10", - "azure_sku": "win10-21h2-pro", - "name": "windows-10" - } - elif image_name.startswith("windows-11"): - images = { - "aws_image": "Windows_Server-2016-English-Full-Base-*", - "azure_publisher": "microsoftwindowsdesktop", - "azure_offer": "windows-11", - "azure_sku": "win11-21h2-pro", - "name": "windows-11" - } - else: - self.logger.error("Image not supported.") - sys.exit(1) - - command = ["packer", "build", "-force", - "-var", "general=" + json.dumps(self.config["general"]), - "-var", "azure=" + json.dumps(self.config["azure"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-var", "images=" + json.dumps(images), - "-only=" + only_cmd_arg, path_packer_file] - - elif image_name.startswith("linux"): - only_cmd_arg = "azure-arm.ubuntu-18-04" - path_packer_file = "packer/linux_server/linux_azure.pkr.hcl" - command = ["packer", "build", "-force", - "-var", "general=" + json.dumps(self.config["general"]), - "-var", "azure=" + json.dumps(self.config["azure"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-only=" + only_cmd_arg, path_packer_file] - - elif image_name.startswith("phantom"): - only_cmd_arg = "azure-arm.phantom" - path_packer_file = "packer/phantom_server/phantom_azure.pkr.hcl" - command = ["packer", "build", "-force", - "-var", "general=" + json.dumps(self.config["general"]), - "-var", "azure=" + json.dumps(self.config["azure"]), - "-var", "splunk_server=" + json.dumps(self.config["splunk_server"]), - "-var", "phantom_server=" + 
json.dumps(self.config["phantom_server"]), - "-only=" + only_cmd_arg, path_packer_file] - - if only_cmd_arg == "": - self.logger.error("Image not supported.") - sys.exit(1) - - # disable packer color clears up output - envvars = dict(os.environ) - envvars["PACKER_NO_COLOR"] = "1" - - try: - process = subprocess.Popen(command, env=envvars, shell=False, universal_newlines=True, stdout=subprocess.PIPE) - except KeyboardInterrupt: - process.send_signal(signal.SIGINT) - - while True: - output = process.stdout.readline() - if process.poll() is not None: - break - if output: - print(output.strip()) - rc = process.poll() - + azure_service.change_instance_state( + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + "running", + self.logger, + ) def simulate(self, engine, target, technique, playbook) -> None: self.logger.info("[action] > simulate\n") 
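Review bot: In `build()`, `os.system("cd " + path + "&& terraform init ")` runs `terraform init` through a shell without checking its exit status, and the following `os.system("cd " + cwd)` changes directory only inside a throwaway subshell, so it is a no-op; `subprocess.run(["terraform", "init"], cwd=working_dir, check=True)` (with the directory recomputed as in `__init__` or kept on `self`) avoids shell quoting problems for paths containing spaces and surfaces init failures before `self.terraform.apply` runs. The removed `packer()` used `subprocess`, so the import is presumably still present; confirm before relying on it. In `__init__`, the image mapping now accepts `windows-server-2016`, `windows-server-2019`, `windows-10` and `windows-11` and exits for anything else, whereas the deleted `packer()` table also described a 2022 server image — if `windows-server-2022` is meant to be usable it now reaches the `sys.exit(1)` branch. The reformatted error message still reads `subcription_id`.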
@@ -231,118 +124,206 @@ def simulate(self, engine, target, technique, playbook) -> None: simulation_controller = PurplesharpSimulationController(self.config) simulation_controller.simulate(target, technique, playbook) - def show(self) -> None: self.logger.info("[action] > show\n") - instances = azure_service.get_all_instances(self.config['general']['key_name'], self.config['general']['attack_range_name']) + instances = azure_service.get_all_instances( + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + ) response = [] messages = [] instances_running = False splunk_ip = "" for instance in instances: - if instance['vm_obj'].instance_view.statuses[1].display_status == "VM running": + if ( + instance["vm_obj"].instance_view.statuses[1].display_status + == "VM running" + ): instances_running = True - response.append([instance['vm_obj'].name, - instance['vm_obj'].instance_view.statuses[1].display_status, instance['public_ip']]) - instance_name = instance['vm_obj'].name + response.append( + [ + instance["vm_obj"].name, + instance["vm_obj"].instance_view.statuses[1].display_status, + instance["public_ip"], + ] + ) + instance_name = instance["vm_obj"].name if instance_name.startswith("ar-splunk"): - splunk_ip = instance['public_ip'] - messages.append("\nAccess Guacamole via:\n\tWeb > http://" + instance['public_ip'] + ":8080/guacamole" + "\n\tusername: Admin \n\tpassword: " + self.config['general']['attack_range_password']) + splunk_ip = instance["public_ip"] + messages.append( + "\nAccess Guacamole via:\n\tWeb > http://" + + instance["public_ip"] + + ":8080/guacamole" + + "\n\tusername: Admin \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) if self.config["splunk_server"]["install_es"] == "1": - messages.append("\n\nAccess Splunk via:\n\tWeb > https://" + instance['public_ip'] + ":8000\n\tSSH > ssh -i" + self.config['azure']['private_key_path'] + " ubuntu@" + instance['public_ip'] + "\n\tusername: admin 
\n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\n\nAccess Splunk via:\n\tWeb > https://" + + instance["public_ip"] + + ":8000\n\tSSH > ssh -i" + + self.config["azure"]["private_key_path"] + + " ubuntu@" + + instance["public_ip"] + + "\n\tusername: admin \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) else: - messages.append("\n\nAccess Splunk via:\n\tWeb > http://" + instance['public_ip'] + ":8000\n\tSSH > ssh -i" + self.config['azure']['private_key_path'] + " ubuntu@" + instance['public_ip'] + "\n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\n\nAccess Splunk via:\n\tWeb > http://" + + instance["public_ip"] + + ":8000\n\tSSH > ssh -i" + + self.config["azure"]["private_key_path"] + + " ubuntu@" + + instance["public_ip"] + + "\n\tusername: admin \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-phantom"): - messages.append("\nAccess Phantom via:\n\tWeb > https://" + instance['public_ip'] + ":8443" + "\n\tSSH > ssh -i" + self.config['azure']['private_key_path'] + " centos@" + instance['public_ip'] + "\n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Phantom via:\n\tWeb > https://" + + instance["public_ip"] + + ":8443" + + "\n\tSSH > ssh -i" + + self.config["azure"]["private_key_path"] + + " centos@" + + instance["public_ip"] + + "\n\tusername: soar_local_admin \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-win"): - messages.append("\nAccess Windows via:\n\tRDP > rdp://" + instance['public_ip'] + ":3389\n\tusername: AzureAdmin \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Windows via:\n\tRDP > rdp://" + + instance["public_ip"] + + ":3389\n\tusername: AzureAdmin \n\tpassword: " + + 
self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-linux"): - messages.append("\nAccess Linux via:\n\tSSH > ssh -i" + self.config['azure']['private_key_path'] + " ubuntu@" + instance['public_ip'] + "\n\tusername: ubuntu \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Linux via:\n\tSSH > ssh -i" + + self.config["azure"]["private_key_path"] + + " ubuntu@" + + instance["public_ip"] + + "\n\tusername: ubuntu \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-kali"): - messages.append("\nAccess Kali via:\n\tSSH > ssh -i" + self.config['azure']['private_key_path'] + " kali@" + instance['public_ip'] + "\n\tusername: kali \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Kali via:\n\tSSH > ssh -i" + + self.config["azure"]["private_key_path"] + + " kali@" + + instance["public_ip"] + + "\n\tusername: kali \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) elif instance_name.startswith("ar-nginx"): - messages.append("\nAccess Nginx Web Proxy via:\n\tSSH > ssh -i" + self.config['azure']['private_key_path'] + " ubuntu@" + instance['public_ip'] + "\n\tusername: kali \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append( + "\nAccess Nginx Web Proxy via:\n\tSSH > ssh -i" + + self.config["azure"]["private_key_path"] + + " ubuntu@" + + instance["public_ip"] + + "\n\tusername: kali \n\tpassword: " + + self.config["general"]["attack_range_password"] + ) else: - response.append([instance['vm_obj'].name, - instance['vm_obj'].instance_view.statuses[1].display_status]) - - if self.config['simulation']['prelude'] == "1": - prelude_token = self.get_prelude_token('/var/tmp/.prelude_session_token') - messages.append("\nAccess Prelude Operator UI via:\n\tredirector FQDN > " + splunk_ip + "\n\tToken: " + prelude_token + "\n\tSee guide details: 
https://github.com/splunk/attack_range/wiki/Prelude-Operator") + response.append( + [ + instance["vm_obj"].name, + instance["vm_obj"].instance_view.statuses[1].display_status, + ] + ) print() - print('Status Virtual Machines\n') + print("Status Virtual Machines\n") if len(response) > 0: if instances_running: - print(tabulate(response, headers=[ - 'Name', 'Status', 'IP Address'])) + print(tabulate(response, headers=["Name", "Status", "IP Address"])) for msg in messages: print(msg) else: - print(tabulate(response, headers=['Name', 'Status'])) + print(tabulate(response, headers=["Name", "Status"])) print() else: print("ERROR: Can't find configured Attack Range Instances") - def dump(self, dump_name, search, earliest, latest) -> None: self.logger.info("Dump log data") - dump_search = "search " + search + " earliest=-" + earliest + " latest=" + latest + " | sort 0 _time" + dump_search = ( + "search " + + search + + " earliest=-" + + earliest + + " latest=" + + latest + + " | sort 0 _time" + ) self.logger.info("Dumping Splunk Search: " + dump_search) - out = open(os.path.join(os.path.dirname(__file__), "../" + dump_name), 'wb') + out = open(os.path.join(os.path.dirname(__file__), "../" + dump_name), "wb") - splunk_instance = "ar-splunk-" + self.config['general']['key_name'] + '-' + self.config['general']['attack_range_name'] - splunk_sdk.export_search(azure_service.get_instance(splunk_instance, self.config['general']['key_name'], self.config['general']['attack_range_name'])['public_ip'], - s=dump_search, - password=self.config['general']['attack_range_password'], - out=out) + splunk_instance = ( + "ar-splunk-" + + self.config["general"]["key_name"] + + "-" + + self.config["general"]["attack_range_name"] + ) + splunk_sdk.export_search( + azure_service.get_instance( + splunk_instance, + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + )["public_ip"], + s=dump_search, + password=self.config["general"]["attack_range_password"], + out=out, 
+ ) out.close() self.logger.info("[Completed]") - def replay(self, file_name, index, sourcetype, source) -> None: ansible_vars = {} - ansible_vars['file_name'] = file_name - ansible_vars['ansible_user'] = 'ubuntu' - ansible_vars['ansible_ssh_private_key_file'] = self.config['azure']['private_key_path'] - ansible_vars['attack_range_password'] = self.config['general']['attack_range_password'] - ansible_vars['ansible_port'] = 22 - ansible_vars['sourcetype'] = sourcetype - ansible_vars['source'] = source - ansible_vars['index'] = index - - splunk_instance = "ar-splunk-" + self.config['general']['key_name'] + '-' + self.config['general']['attack_range_name'] - splunk_ip = azure_service.get_instance(splunk_instance, self.config['general']['key_name'], self.config['general']['attack_range_name'])['public_ip'] - cmdline = "-i %s, -u %s" % (splunk_ip, ansible_vars['ansible_user']) - runner = ansible_runner.run(private_data_dir=os.path.join(os.path.dirname(__file__), '../'), - cmdline=cmdline, - roles_path=os.path.join(os.path.dirname(__file__), 'ansible/roles'), - playbook=os.path.join(os.path.dirname(__file__), 'ansible/data_replay.yml'), - extravars=ansible_vars) - - - def get_prelude_token(self, token_path): - token = '' - try: - prelude_token_file = open(token_path,'r') - token = prelude_token_file.read() - except Exception as e: - self.logger.error("was not able to read prelude token from {}".format(token_path)) - return token - + ansible_vars["file_name"] = file_name + ansible_vars["ansible_user"] = "ubuntu" + ansible_vars["ansible_ssh_private_key_file"] = self.config["azure"][ + "private_key_path" + ] + ansible_vars["attack_range_password"] = self.config["general"][ + "attack_range_password" + ] + ansible_vars["ansible_port"] = 22 + ansible_vars["sourcetype"] = sourcetype + ansible_vars["source"] = source + ansible_vars["index"] = index + + splunk_instance = ( + "ar-splunk-" + + self.config["general"]["key_name"] + + "-" + + 
self.config["general"]["attack_range_name"] + ) + splunk_ip = azure_service.get_instance( + splunk_instance, + self.config["general"]["key_name"], + self.config["general"]["attack_range_name"], + )["public_ip"] + cmdline = "-i %s, -u %s" % (splunk_ip, ansible_vars["ansible_user"]) + runner = ansible_runner.run( + private_data_dir=os.path.join(os.path.dirname(__file__), "../"), + cmdline=cmdline, + roles_path=os.path.join(os.path.dirname(__file__), "ansible/roles"), + playbook=os.path.join(os.path.dirname(__file__), "ansible/data_replay.yml"), + extravars=ansible_vars, + ) def create_remote_backend(self, backend_name) -> None: self.logger.error("Command not supported with azure provider.") pass - def delete_remote_backend(self, backend_name) -> None: self.logger.error("Command not supported with azure provider.") pass - def init_remote_backend(self, backend_name) -> None: self.logger.error("Command not supported with azure provider.") - pass \ No newline at end of file + pass diff --git a/modules/config_handler.py b/modules/config_handler.py index a34ad8958..26586041b 100644 --- a/modules/config_handler.py +++ b/modules/config_handler.py 
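Review bot: In `show()`, the `ar-nginx` branch pairs `" ubuntu@"` with `"\n\tusername: kali \n\tpassword: "`, which looks copied from the Kali branch; the username shown to the operator should match the SSH user, i.e. `"\n\tusername: ubuntu \n\tpassword: "`. In `dump()`, `out = open(..., "wb")` is not in a `with` block, so an exception inside `azure_service.get_instance` or `splunk_sdk.export_search` leaks the handle and leaves a partial dump file behind; wrapping the export in `with open(os.path.join(os.path.dirname(__file__), "../" + dump_name), "wb") as out:` removes the manual `out.close()`. In `replay()`, `runner = ansible_runner.run(...)` is assigned but `runner.rc`/`runner.status` is never inspected, so a failed replay is reported as success; at minimum `if runner.rc != 0: self.logger.error("replay failed: " + str(runner.status))`. `show()` also indexes `instance_view.statuses[1]` unconditionally, which presumably raises IndexError for a VM whose view carries only a provisioning status — worth a length guard.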
@@ -9,17 +9,43 @@ class ConfigHandler: @classmethod def read_config(self, config_path: str) -> dict: - yml_dict_default = YmlReader.load_file(os.path.join(os.path.dirname(__file__), '../configs/attack_range_default.yml')) - yml_dict = YmlReader.load_file(os.path.join(os.path.dirname(__file__), '../', config_path)) - - parent_keys = ['general', 'aws', 'azure', 'splunk_server', 'phantom_server', 'kali_server', 'nginx_server', 'simulation', 'zeek_server'] + yml_dict_default = YmlReader.load_file( + os.path.join( + os.path.dirname(__file__), "../configs/attack_range_default.yml" + ) + ) + yml_dict = YmlReader.load_file( + os.path.join(os.path.dirname(__file__), "../", config_path) + ) + + parent_keys = [ + "general", + "aws", + "azure", + "splunk_server", + "phantom_server", + "kali_server", + "nginx_server", + "simulation", + "zeek_server", + "snort_server", + ] for parent_key in parent_keys: if parent_key in yml_dict: for key in yml_dict[parent_key]: yml_dict_default[parent_key][key] = yml_dict[parent_key][key] - parent_keys_servers = ['windows_servers', 'linux_servers'] + # Convert splunk_apps to comma-separated string + if ( + "splunk_server" in yml_dict_default + and "splunk_apps" in yml_dict_default["splunk_server"] + ): + yml_dict_default["splunk_server"]["splunk_apps"] = ",".join( + yml_dict_default["splunk_server"]["splunk_apps"] + ) + + parent_keys_servers = ["windows_servers", "linux_servers"] for parent_key in parent_keys_servers: if parent_key not in yml_dict: 
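Review bot: The new `splunk_apps` normalisation calls `",".join(yml_dict_default["splunk_server"]["splunk_apps"])` without checking the value's type, so a user who already supplies a comma-separated string gets it exploded character by character (`"a,b"` becomes `"a,,,b"`), and an empty or `null` value raises `TypeError`; guard it with `if isinstance(apps, list): ... = ",".join(apps)`, leave strings untouched, and map `None` to `""`. The comment `# Convert splunk_apps to comma-separated string` only restates the code; a line saying why the list must be a string at this point — presumably because the Terraform/Ansible variables downstream expect one — would help the next reader. Adding `"snort_server"` to `parent_keys` assumes `attack_range_default.yml` now has that section, since `yml_dict_default[parent_key][key]` raises `KeyError` otherwise; the default config is not in this diff, so confirm. `read_config` continues past this hunk.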
@@ -30,55 +56,96 @@ def read_config(self, config_path: str) -> dict: i = 0 yml_dict_default[parent_key] = [] for windows_server in yml_dict[parent_key]: - yml_dict_default[parent_key].append(yml_dict_default[parent_key + '_default'].copy()) + yml_dict_default[parent_key].append( + yml_dict_default[parent_key + "_default"].copy() + ) for key in windows_server: yml_dict_default[parent_key][i][key] = windows_server[key] i = i + 1 - yml_dict_default.pop('windows_servers_default') - yml_dict_default.pop('linux_servers_default') + yml_dict_default.pop("windows_servers_default") + yml_dict_default.pop("linux_servers_default") return yml_dict_default @classmethod def validate_config(self, config: dict) -> None: - if config['general']['attack_range_password'] in ['ChangeMe123!', 'Pl3ase-k1Ll-me:p']: + if config["general"]["attack_range_password"] in [ + "ChangeMe123!", + "Pl3ase-k1Ll-me:p", + ]: print("ERROR: please change attack_range_password in attack_range.yml") - sys.exit(1) + sys.exit(1) i = 0 - for windows_server in config['windows_servers']: - if windows_server['create_domain'] == "0" and windows_server['bad_blood'] == "1": + for windows_server in config["windows_servers"]: + if ( + windows_server["create_domain"] == "0" + and windows_server["bad_blood"] == "1" + ): print("ERROR: bad_blood is only allowed on the domain controller.") - sys.exit(1) + sys.exit(1) - if (i > 0) and windows_server['create_domain'] == "1": - print("ERROR: create_domain=1 is only allowed for the first windows server in the list windows_servers.") - sys.exit(1) + if (i > 0) and windows_server["create_domain"] == "1": + print( + "ERROR: create_domain=1 is only allowed for the first windows server in the list windows_servers." 
+ ) + sys.exit(1) i = i + 1 # windows 10 and 11 only allowed in Azure - if config['nginx_server']['nginx_server'] == "1" and config['general']['cloud_provider'] == "azure": + if ( + config["nginx_server"]["nginx_server"] == "1" + and config["general"]["cloud_provider"] == "azure" + ): print("ERROR: Nginx Server not supported in Azure.") - sys.exit(1) + sys.exit(1) - if config['kali_server']['kali_server'] == "1" and config['general']['cloud_provider'] == "azure": + if ( + config["kali_server"]["kali_server"] == "1" + and config["general"]["cloud_provider"] == "azure" + ): print("ERROR: Kali Server not supported in Azure.") - sys.exit(1) + sys.exit(1) - if config['zeek_server']['zeek_server'] == "1" and config['general']['cloud_provider'] == "azure": + if ( + config["zeek_server"]["zeek_server"] == "1" + and config["general"]["cloud_provider"] == "azure" + ): print("ERROR: Zeek Server not supported in Azure.") - sys.exit(1) + sys.exit(1) + + if ( + config["snort_server"]["snort_server"] == "1" + and config["general"]["cloud_provider"] == "azure" + ): + print("ERROR: Snort Server not supported in Azure.") + sys.exit(1) - if config['general']['carbon_black_cloud'] == "1" and config['general']['cloud_provider'] == "azure": - print("ERROR: Carbon Black Cloud or Crowdstrike Falcon can only used in AWS.") + if ( + config["general"]["carbon_black_cloud"] == "1" + and config["general"]["cloud_provider"] == "azure" + ): + print( + "ERROR: Carbon Black Cloud or Crowdstrike Falcon can only used in AWS." + ) sys.exit(1) - if config['phantom_server']['phantom_server'] == "1" and config['phantom_server']['phantom_byo'] == "1": - print("ERROR: You can either create a phantom server or activate bring your own phantom but not both.") + if ( + config["phantom_server"]["phantom_server"] == "1" + and config["phantom_server"]["phantom_byo"] == "1" + ): + print( + "ERROR: You can either create a phantom server or activate bring your own phantom but not both." 
+ ) sys.exit(1) - if config['splunk_server']['byo_splunk'] == "1" and (config['phantom_server']['phantom_byo'] == "1" or config['phantom_server']['phantom_server'] == "1"): - print("ERROR: You can not use a phantom server or bring your own phantom when you use a bring your own splunk.") - sys.exit(1) \ No newline at end of file + if config["splunk_server"]["byo_splunk"] == "1" and ( + config["phantom_server"]["phantom_byo"] == "1" + or config["phantom_server"]["phantom_server"] == "1" + ): + print( + "ERROR: You can not use a phantom server or bring your own phantom when you use a bring your own splunk." + ) + sys.exit(1) diff --git a/packer/ansible/atomic_red_team.yml b/packer/ansible/atomic_red_team.yml deleted file mode 100644 index 5e0a2200f..000000000 --- a/packer/ansible/atomic_red_team.yml +++ /dev/null @@ -1,10 +0,0 @@ -- hosts: all - gather_facts: True - vars: - ansible_connection: winrm - ansible_port: 5986 -# ansible_winrm_transport: basic - ansible_winrm_server_cert_validation: ignore -# ansible_winrm_read_timeout_sec: 600 - roles: - - atomic_red_team diff --git a/packer/ansible/attack_data.yml b/packer/ansible/attack_data.yml deleted file mode 100644 index 1c8e42ef7..000000000 --- a/packer/ansible/attack_data.yml +++ /dev/null @@ -1,10 +0,0 @@ -- hosts: all - gather_facts: False - vars: - ansible_connection: winrm - ansible_port: 5986 -# ansible_winrm_transport: basic - ansible_winrm_server_cert_validation: ignore -# ansible_winrm_read_timeout_sec: 600 - roles: - - attack_data diff --git a/packer/ansible/attack_replay.yml b/packer/ansible/attack_replay.yml deleted file mode 100644 index 46a41dd7e..000000000 --- a/packer/ansible/attack_replay.yml +++ /dev/null @@ -1,4 +0,0 @@ -- hosts: all - gather_facts: False - roles: - - attack_replay diff --git a/packer/ansible/linux_server.yml b/packer/ansible/linux_server.yml deleted file mode 100644 index eb7f79b54..000000000 --- a/packer/ansible/linux_server.yml +++ /dev/null 
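Review bot: `validate_config` rejects only the two shipped defaults `ChangeMe123!` and `Pl3ase-k1Ll-me:p`; any other value, including an empty string, passes even though `attack_range_password` is later shown as the login for every host in `show()`, so a minimum-length check beside the blocklist (e.g. `if len(config["general"]["attack_range_password"]) < 12:` with the same print-and-exit) would catch the obvious weak cases. The comment `# windows 10 and 11 only allowed in Azure` sits above the Nginx/Kali/Zeek/Snort checks and does not describe them; change it to `# nginx, kali, zeek and snort servers are AWS-only`. The new Snort check repeats the shape of the three above it; a loop over `("nginx_server", "kali_server", "zeek_server", "snort_server")` that formats one message per key would keep the four in sync as more server types are added.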
@@ -1,14 +0,0 @@ -- hosts: all - gather_facts: False - become: true - roles: - - role: linux_common - when: use_prebuilt_images_with_packer == "0" - - role: linux_universal_forwarder - when: (use_prebuilt_images_with_packer == "0") and (install_contentctl == "0") - - role: linux_osquery - when: (use_prebuilt_images_with_packer == "0") and (install_contentctl == "0") - - role: linux_sysmon - when: (use_prebuilt_images_with_packer == "0") and (install_contentctl == "0") - - role: linux_install_art - when: (use_prebuilt_images_with_packer == "0") and (install_contentctl == "0") \ No newline at end of file diff --git a/packer/ansible/phantom_server.yml b/packer/ansible/phantom_server.yml deleted file mode 100644 index 185e10976..000000000 --- a/packer/ansible/phantom_server.yml +++ /dev/null @@ -1,6 +0,0 @@ -- hosts: all - gather_facts: False - become: true - roles: - - role: phantom - when: use_prebuilt_images_with_packer == "0" diff --git a/packer/ansible/purplesharp.yml b/packer/ansible/purplesharp.yml deleted file mode 100644 index 3dbf11534..000000000 --- a/packer/ansible/purplesharp.yml +++ /dev/null @@ -1,10 +0,0 @@ -- hosts: all - gather_facts: True - vars: - ansible_connection: winrm - ansible_port: 5986 -# ansible_winrm_transport: basic - ansible_winrm_server_cert_validation: ignore -# ansible_winrm_read_timeout_sec: 600 - roles: - - purplesharp diff --git a/packer/ansible/roles/atomic_red_team/files/atomic_red_team.txt b/packer/ansible/roles/atomic_red_team/files/atomic_red_team.txt deleted file mode 100644 index 2ad4986bf..000000000 --- a/packer/ansible/roles/atomic_red_team/files/atomic_red_team.txt +++ /dev/null 
@@ -1,6 +0,0 @@ -How to run Atomic Red Team: - -1) Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force -2) Invoke-AtomicTest T1003.002 -GetPrereqs -3) Invoke-AtomicTest T1003.002 -Confirm:$false -TimeoutSeconds 300 -ExecutionLogPath C:\AtomicRedTeam\atc_execution.csv -4) Invoke-AtomicTest T1003.002 -Cleanup \ No newline at end of file diff --git a/packer/ansible/roles/atomic_red_team/tasks/main.yml b/packer/ansible/roles/atomic_red_team/tasks/main.yml deleted file mode 100644 index 821cd5955..000000000 --- a/packer/ansible/roles/atomic_red_team/tasks/main.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -# - name: Check we have installed Atomic Red Team -# win_stat: -# path: 'C:\AtomicRedTeam' -# register: atr_folder - -- name: Enable strong dotnet crypto - win_regedit: - key: "{{ item }}" - value: SchUseStrongCrypto - datatype: dword - data: 1 - with_items: - - "HKLM:\\SOFTWARE\\Microsoft\\.NetFramework\\v4.0.30319" - - "HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\.NetFramework\\v4.0.30319" - -- name: Check installed providers - win_shell: Get-PackageProvider - register: providers - changed_when: false - -- name: Install NuGet Provider - win_shell: | - Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force - when: providers.stdout is not search("NuGet") - -- name: Install Atomic Red Team - win_shell: | - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2 - IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1) - Install-AtomicRedTeam -Force - IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicsfolder.ps1' -UseBasicParsing) - Install-AtomicsFolder -Force -RepoOwner "{{ art_repository }}" -Branch "{{ art_branch }}" - -- set_fact: - techniques: "{{ art_run_techniques.split(',') }}" - -- include_tasks: "run_art_test.yml" - with_items: "{{ techniques }}" - when: run_specific_atomic_tests == "False" - -- include_tasks: "run_specific_atomics.yml" - when: run_specific_atomic_tests == "True" - -- name: Copy atomic red team description - win_copy: - src: atomic_red_team.txt - dest: C:\Users\Administrator\Desktop\Atomic_Red_Team.txt diff --git a/packer/ansible/roles/atomic_red_team/tasks/run_art_test.yml b/packer/ansible/roles/atomic_red_team/tasks/run_art_test.yml deleted file mode 100644 index 70665c6ef..000000000 --- a/packer/ansible/roles/atomic_red_team/tasks/run_art_test.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -- set_fact: - technique: "{{ item }}" - -- debug: - var: technique - -- name: Get requirements for Atomic Red Team Technique - win_shell: | - Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force - Invoke-AtomicTest "{{ technique }}" -GetPrereqs - register: requirements - -# - debug: -# var: requirements - -- name: Run specified Atomic Red Team Technique - win_shell: | - Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force - Invoke-AtomicTest "{{ technique }}" -Confirm:$false -TimeoutSeconds 300 -ExecutionLogPath C:\AtomicRedTeam\atc_execution.csv - register: output_art - when: var_str == 'no' - -- name: Save output atomic red team - set_fact: - output_art: "{{ output_art }}" - cacheable: yes - when: var_str == 'no' - -- name: Run specified Atomic Red Team Technique - win_shell: | - Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force - {{ var_str }} - Invoke-AtomicTest "{{ technique }}" -InputArgs $myArgs -Confirm:$false -TimeoutSeconds 300 -ExecutionLogPath C:\AtomicRedTeam\atc_execution.csv - register: output_art_var - when: var_str != 'no' - -- name: Save output atomic red team with vars - set_fact: - output_art_var: "{{ output_art_var }}" - cacheable: yes - when: var_str != 'no' - -# - debug: -# var: output - -- name: Cleanup after execution - win_shell: | - Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force - Invoke-AtomicTest "{{ technique }}" -Cleanup - register: cleanup - -# - debug: -# var: cleanup diff --git a/packer/ansible/roles/atomic_red_team/tasks/run_specific_atomics.yml b/packer/ansible/roles/atomic_red_team/tasks/run_specific_atomics.yml deleted file mode 100644 index 7c06fb8d6..000000000 --- a/packer/ansible/roles/atomic_red_team/tasks/run_specific_atomics.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -- set_fact: - test: "{{ art_run_tests }}" - -- debug: - var: art_run_techniques - -- debug: - var: test - -- name: Get requirements for Atomic Red Team Technique - win_shell: | - Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force - Invoke-AtomicTest "{{ art_run_techniques }}" -TestName "{{ test }}" -GetPrereqs - register: requirements - -# - debug: -# var: requirements - -- name: Run specified Atomic Red Team Technique - win_shell: | - Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force - Invoke-AtomicTest "{{ art_run_techniques }}" -TestName "{{ test }}" -Confirm:$false -TimeoutSeconds 300 -ExecutionLogPath C:\AtomicRedTeam\atc_execution.csv - register: output_art - -- name: Save output atomic red team - set_fact: - output_art: "{{ output_art }}" - cacheable: yes - -# - debug: -# var: output - -- name: Cleanup after execution - win_shell: | - Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force - Invoke-AtomicTest "{{ art_run_techniques }}" -TestName "{{ test }}" -Cleanup - register: cleanup - -# - debug: -# var: cleanup diff --git a/packer/ansible/roles/attack_replay/tasks/main.yml b/packer/ansible/roles/attack_replay/tasks/main.yml deleted file mode 100644 index 0a18defb6..000000000 --- a/packer/ansible/roles/attack_replay/tasks/main.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- name: Upload replay - copy: - src: ../../attack_data/{{ dump_name }}/{{ out }} - dest: /tmp/{{ out }} - -- name: Call oneshot import - uri: - url: https://localhost:8089/services/data/inputs/oneshot - validate_certs: no - method: POST - user: admin - password: "{{ splunk_password }}" - force_basic_auth: yes - body_format: form-urlencoded - body: - name: /tmp/{{ out }} - sourcetype: "{{ sourcetype }}" - rename-source: "{{ source }}" - index: "{{ index }}" - status_code: 201 
diff --git a/packer/ansible/roles/badblood/tasks/install_badblood.yml b/packer/ansible/roles/badblood/tasks/install_badblood.yml deleted file mode 100644 index ca32eb8af..000000000 --- a/packer/ansible/roles/badblood/tasks/install_badblood.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: check if c:\BadBlood dir exist - win_stat: - path: 'C:\BadBlood' - register: badblood_path - tags: - - badblood - - -- name: Git clone BadBlood - win_shell: git clone https://github.com/davidprowe/BadBlood.git C:\BadBlood - when: windows_domain_controller_run_badblood == "1" and badblood_path.stat.exists == false - tags: - - badblood - diff --git a/packer/ansible/roles/badblood/tasks/main.yml b/packer/ansible/roles/badblood/tasks/main.yml deleted file mode 100644 index 07381bdb6..000000000 --- a/packer/ansible/roles/badblood/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- include_tasks: "install_badblood.yml" - when: windows_domain_controller_run_badblood == "1" - tags: - - badblood -- include_tasks: "run_badblood.yml" - when: windows_domain_controller_run_badblood == "1" - tags: - - badblood - diff --git a/packer/ansible/roles/badblood/tasks/run_badblood.yml b/packer/ansible/roles/badblood/tasks/run_badblood.yml deleted file mode 100644 index f03f4794c..000000000 --- a/packer/ansible/roles/badblood/tasks/run_badblood.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Run BadBlood - win_shell: C:\BadBlood\Invoke-BadBlood.ps1 -NonInteractive - tags: - - badblood diff --git a/packer/ansible/roles/guacamole/tasks/main.yml b/packer/ansible/roles/guacamole/tasks/main.yml deleted file mode 100644 index 2c92e7b6e..000000000 --- a/packer/ansible/roles/guacamole/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- include: install_packages.yml -- include: setup_tomcat.yml -- include: guacamole_server.yml -- include: guacamole_client.yml \ No newline at end of file 
diff --git a/packer/ansible/roles/linux_osquery/files/osquery_install.sh b/packer/ansible/roles/linux_osquery/files/osquery_install.sh
deleted file mode 100644
index 060d4b8cf..000000000
--- a/packer/ansible/roles/linux_osquery/files/osquery_install.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
-sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $OSQUERY_KEY
-sudo add-apt-repository --yes 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
-sudo apt-get update
-sudo apt-get install osquery
\ No newline at end of file
diff --git a/packer/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml b/packer/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml
deleted file mode 100644
index ef1cd4a44..000000000
--- a/packer/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml
+++ /dev/null
@@ -1,57 +0,0 @@ ---- -# This playbook install the Splunk Universal Forwarder - -- name: add splunk group - become: true - group: name=splunk state=present - -- name: add splunk user - become: true - user: name=splunk comment="Splunk service user" shell=/usr/sbin/nologin groups=splunk createhome=yes - -- name: make /opt writetable by splunk - become: true - file: path=/opt mode=777 - -- name: checking if splunk is install - stat: path=/opt/splunkforwarder - register: splunk_path - -- name: is splunk UF installed? - debug: msg='splunk is already installed under /opt/splunkforwarder' - when: splunk_path.stat.exists - -- name: Install splunk uf - become: yes - apt: deb="{{ splunk_uf_url }}" - when: splunk_path.stat.exists == false - -- name: copy outputs.conf to forward data to splunk server - template: - src: outputs.conf.j2 - dest: /opt/splunkforwarder/etc/system/local/outputs.conf - owner: splunk - group: splunk - force: yes - -- name: splunk license acceptance - become: true - command: "/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd Pl3ase-k1Ll-me:p" - -- name: Stop splunk uf - become: true - command: "/opt/splunkforwarder/bin/splunk stop" - -- name: setup to start at boot - become: true - command: "/opt/splunkforwarder/bin/splunk enable boot-start" - when: cloud_provider != "local" - -- name: setup to start at boot - become: true - command: "/opt/splunkforwarder/bin/splunk enable boot-start" - when: cloud_provider == "local" - -- name: Start splunk uf - become: true - command: "/opt/splunkforwarder/bin/splunk start" \ No newline at end of file diff --git a/packer/ansible/roles/nginx_web_proxy/tasks/configure_outputs_conf.yml b/packer/ansible/roles/nginx_web_proxy/tasks/configure_outputs_conf.yml deleted file mode 100644 index afa2852cb..000000000 --- a/packer/ansible/roles/nginx_web_proxy/tasks/configure_outputs_conf.yml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -# check and copy outputs.conf to forward data to splunk - -- name: check if /opt/splunkforwarder/etc/system/local dir exist - stat: - path: "/opt/splunkforwarder/etc/system/local" - register: dep_dir_path - -- name: report if /opt/splunkforwarder/etc/system/local - debug: - msg: WARNING - /opt/splunkforwarder/etc/system/local not exist - check your splunk_uf installation! - when: dep_dir_path.stat.exists == false - -- name: copy outputs.conf to forward data to splunk server - template: - src: outputs.conf.j2 - dest: /opt/splunkforwarder/etc/system/local/outputs.conf - when: dep_dir_path.stat.exists \ No newline at end of file diff --git a/packer/ansible/roles/nginx_web_proxy/tasks/create_deploymentclient.yml b/packer/ansible/roles/nginx_web_proxy/tasks/create_deploymentclient.yml deleted file mode 100644 index 984f631e9..000000000 --- a/packer/ansible/roles/nginx_web_proxy/tasks/create_deploymentclient.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -# check and copy deploymentclient to act as a deployment client of splunk - -- name: check if /opt/splunkforwarder/etc/system/local dir exist - stat: - path: "/opt/splunkforwarder/etc/system/local" - register: dep_dir_path - -- name: report if /opt/splunkforwarder/etc/system/local - debug: - msg: WARNING - /opt/splunkforwarder/etc/system/local not exist - check your splunk_uf installation! - when: dep_dir_path.stat.exists == false - -- name: copy deploymentclient.conf to act as a deployment client of splunk - template: - src: deploymentclient.conf.j2 - dest: /opt/splunkforwarder/etc/system/local/deploymentclient.conf - when: dep_dir_path.stat.exists - - \ No newline at end of file diff --git a/packer/ansible/roles/nginx_web_proxy/tasks/install_deb_uf.yml b/packer/ansible/roles/nginx_web_proxy/tasks/install_deb_uf.yml deleted file mode 100644 index e677d2a86..000000000 --- a/packer/ansible/roles/nginx_web_proxy/tasks/install_deb_uf.yml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -# This playbook install the Splunk Universal Forwarder in linux Debian - -- name: add splunk group - become: true - tags: - - install - - security - group: name=splunk state=present - -- name: add splunk user - become: true - tags: - - install - - security - user: name=splunk comment="Splunk service user" shell=/usr/sbin/nologin groups=splunk createhome=yes - -- name: make /opt writetable by splunk - become: true - tags: - - install - file: path=/opt mode=777 - -- name: checking if splunk is install - tags: install - stat: path=/opt/splunkforwarder - register: splunk_path - -- name: is splunk UF installed? - tags: install - debug: msg='splunk is already installed under /opt/splunkforwarder' - when: splunk_path.stat.exists == false - -- name: download the splunk linux uf deb - become: true - get_url: - url: "{{ splunk_uf_url }}" - dest: /tmp/splunkforwarder-latest.deb - when: splunk_path.stat.exists == false - -- name: dpkg install the deb - become: true - apt: - deb: /tmp/splunkforwarder-latest.deb - register: apt_status - until: apt_status is success - delay: 60 - retries: 5 - when: splunk_path.stat.exists == false - - -- name: splunk license acceptance - become: true - command: "/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt" - -- name: setup to start at boot - become: true - command: "/opt/splunkforwarder/bin/splunk enable boot-start" diff --git a/packer/ansible/roles/nginx_web_proxy/tasks/splunkuf.yml b/packer/ansible/roles/nginx_web_proxy/tasks/splunkuf.yml deleted file mode 100644 index ea85b35dc..000000000 --- a/packer/ansible/roles/nginx_web_proxy/tasks/splunkuf.yml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -# This playbook install the Splunk Universal Forwarder - -- name: add splunk group - become: true - tags: - - install - - security - group: name=splunk state=present - -- name: add splunk user - become: true - tags: - - install - - security - user: name=splunk comment="Splunk service user" shell=/usr/sbin/nologin groups=splunk createhome=yes - -- name: make /opt writetable by splunk - become: true - tags: - - install - file: path=/opt mode=777 - -- name: checking if splunk is install - tags: install - stat: path=/opt/splunkforwarder - register: splunk_path - -- name: is splunk UF installed? - tags: install - debug: msg='splunk is already installed under /opt/splunkforwarder' - when: splunk_path.stat.exists - -- name: Install splunk uf - become: true - apt: deb="{{ splunk_uf_url }}" - when: splunk_path.stat.exists == false - register: apt_status - until: apt_status is success - delay: 6 - retries: 10 - -- name: copy outputs.conf to forward data to splunk server - template: - src: outputs.conf.j2 - dest: /opt/splunkforwarder/etc/system/local/outputs.conf - -- name: copy deploymentclient.conf to act as a deployment client of splunk - template: - src: deploymentclient.conf.j2 - dest: /opt/splunkforwarder/etc/system/local/deploymentclient.conf - -- name: copy inputs.conf - copy: - src: inputs.conf - dest: /opt/splunkforwarder/etc/system/local/inputs.conf - owner: splunk - group: splunk - force: yes - -- name: splunk license acceptance - become: true - command: "/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt" - -- name: setup to start at boot - become: true - command: "/opt/splunkforwarder/bin/splunk enable boot-start" diff --git a/packer/ansible/roles/osquery_linux/files/custom_osquery.conf b/packer/ansible/roles/osquery_linux/files/custom_osquery.conf deleted file mode 100644 index efaa19615..000000000 --- a/packer/ansible/roles/osquery_linux/files/custom_osquery.conf +++ /dev/null 
@@ -1,173 +0,0 @@ -{ - "platform": "linux", - "queries": { - "process_events":{ - "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';", - "interval": 10, - "description": "Process events collected from the audit framework" - }, - "socket_events":{ - "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');", - "interval": 10, - "description": "Socket events collected from the audit framework" - }, - "file_events": { - "query": "SELECT * FROM file_events;", - "interval": 10, - "description": "File events collected from file integrity monitoring", - "removed":false - }, - "apt_sources": { - "query": "SELECT * FROM apt_sources;", - "interval": 86400, - "description": "Display apt package manager sources.", - "snapshot": true, - "platform": "ubuntu" - }, - "authorized_keys": { - "query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);", - "interval": 86400, - "description": "A line-delimited authorized_keys table." 
- }, - "behavioral_reverse_shell": { - "query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';", - "interval": 600, - "description": "Find shell processes that have open sockets" - }, - "deb_packages": { - "query": "SELECT * FROM deb_packages;", - "interval": 86400, - "description": "Display all installed DEB packages", - "snapshot": true, - "platform": "ubuntu" - }, - "dns_resolvers": { - "query": "SELECT * FROM dns_resolvers;", - "interval": 3600, - "description": "DNS resolvers used by the host" - }, - "ec2_instance_metadata": { - "query": "SELECT * FROM ec2_instance_metadata;", - "interval": 3600, - "description": "Retrieve the EC2 metadata for this endpoint" - }, - "ec2_instance_metadata_snapshot": { - "query": "SELECT * FROM ec2_instance_metadata;", - "interval": 86400, - "description": "Snapshot query to retrieve the EC2 metadata for this endpoint", - "snapshot": true - }, - "ec2_instance_tags": { - "query": "SELECT * FROM ec2_instance_tags;", - "interval": 3600, - "description": "Retrieve the EC2 tags for this endpoint" - }, - "ec2_instance_tags_snapshot": { - "query": "SELECT * FROM ec2_instance_tags;", - "interval": 86400, - "description": "Snapshot query to retrieve the EC2 tags for this instance", - "snapshot": true - }, - "ld_preload": { - "query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, 
processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';", - "interval": 60, - "description": "Any processes that run with an LD_PRELOAD environment variable", - "snapshot": true - }, - "ld_so_preload_exists": { - "query": "SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!='';", - "interval": 3600, - "description": "Generates an event if ld.so.preload is present - used by rootkits such as Jynx", - "snapshot": true - }, - "listening_ports": { - "query": "SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0;", - "interval": 86400, - "description": "Gather information about processes that are listening on a socket.", - "snapshot": true - }, - "processes_snapshot": { - "query": "select name, path, cmdline, cwd, on_disk from processes;", - "interval": 86400, - "description": "A snapshot of all processes running on the host. Useful for outlier analysis.", - "snapshot": true - }, - "rpm_packages": { - "query": "SELECT name, version, release, arch FROM rpm_packages;", - "interval": 86400, - "description": "Display all installed RPM packages", - "snapshot": true, - "platform": "centos" - }, - "runtime_perf": { - "query": "SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov, processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;", - "interval": 1800, - "description": "Records system/user time, db size, and many other system metrics" - }, - "shell_history": { - "query": "SELECT * FROM users CROSS JOIN shell_history USING (uid);", - "interval": 3600, - "description": "Record shell history for all users on system (instead of just 
root)" - }, - "suid_bin": { - "query": "SELECT * FROM suid_bin;", - "interval": 86400, - "description": "Display any SUID binaries that are owned by root" - }, - "user_ssh_keys": { - "query": "SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);", - "interval": 86400, - "description": "Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted" - }, - "users": { - "query": "SELECT * FROM users;", - "interval": 86400, - "description": "Local system users." - }, - "users_snapshot": { - "query": "SELECT * FROM users;", - "interval": 86400, - "description": "Local system users.", - "snapshot": true - }, - "yum_sources": { - "query": "SELECT name, baseurl, enabled, gpgcheck FROM yum_sources;", - "interval": 86400, - "description": "Display yum package manager sources", - "snapshot": true, - "platform": "centos" - } - }, - "file_paths": { - "configuration": [ - "/etc/passwd", - "/etc/shadow", - "/etc/ld.so.preload", - "/etc/ld.so.conf", - "/etc/ld.so.conf.d/%%", - "/etc/pam.d/%%", - "/etc/resolv.conf", - "/etc/rc%/%%", - "/etc/my.cnf", - "/etc/modules", - "/etc/hosts", - "/etc/hostname", - "/etc/fstab", - "/etc/crontab", - "/etc/cron%/%%", - "/etc/init/%%", - "/etc/rsyslog.conf" - ], - "binaries": [ - "/usr/bin/%%", - "/usr/sbin/%%", - "/bin/%%", - "/sbin/%%", - "/usr/local/bin/%%", - "/usr/local/sbin/%%" - ] - }, - "events": { - "disable_subscribers": ["user_events"] - } -} \ No newline at end of file diff --git a/packer/ansible/roles/osquery_linux/files/custom_osquery.flags b/packer/ansible/roles/osquery_linux/files/custom_osquery.flags deleted file mode 100644 index 07b1f7f89..000000000 --- a/packer/ansible/roles/osquery_linux/files/custom_osquery.flags +++ /dev/null 
@@ -1,11 +0,0 @@
---host_identifier=uuid
---audit_allow_config=true
---audit_allow_sockets
---audit_persist=true
---disable_audit=false
---events_expiry=1
---events_max=500000
---logger_min_status=1
---logger_plugin=filesystem
---config_plugin=filesystem
---database_path='/var/osquery/osquery.db'
\ No newline at end of file
diff --git a/packer/ansible/roles/osquery_linux/files/deb_template_inputs.conf b/packer/ansible/roles/osquery_linux/files/deb_template_inputs.conf
deleted file mode 100644
index cf39a27be..000000000
--- a/packer/ansible/roles/osquery_linux/files/deb_template_inputs.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[monitor:///var/log/osquery/osqueryd.results.log]
-index = osquery
-sourcetype = osquery:results
\ No newline at end of file
diff --git a/packer/ansible/roles/osquery_linux/files/osquery_install.sh b/packer/ansible/roles/osquery_linux/files/osquery_install.sh
deleted file mode 100644
index 060d4b8cf..000000000
--- a/packer/ansible/roles/osquery_linux/files/osquery_install.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
-sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $OSQUERY_KEY
-sudo add-apt-repository --yes 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
-sudo apt-get update
-sudo apt-get install osquery
\ No newline at end of file
diff --git a/packer/ansible/roles/osquery_linux/files/template.osquery.conf b/packer/ansible/roles/osquery_linux/files/template.osquery.conf
deleted file mode 100644
index 01a42237f..000000000
--- a/packer/ansible/roles/osquery_linux/files/template.osquery.conf
+++ /dev/null
@@ -1,151 +0,0 @@ -{ - // Configure the daemon below: - "options": { - // Select the osquery config plugin. - //"config_plugin": "filesystem", - - // Select the osquery logging plugin. - //"logger_plugin": "filesystem", - - // The log directory stores info, warning, and errors. - // If the daemon uses the 'filesystem' logging retriever then the log_dir - // will also contain the query results. - "logger_path": "/var/log/osquery", - - // Set 'disable_logging' to true to prevent writing any info, warning, error - // logs. If a logging plugin is selected it will still write query results. - "disable_logging": "false", - - // Splay the scheduled interval for queries. - // This is very helpful to prevent system performance impact when scheduling - // large numbers of queries that run a smaller or similar intervals. - "schedule_splay_percent": "10", - - // A filesystem path for disk-based backing storage used for events and - // query results differentials. See also 'use_in_memory_database'. - //"database_path": "/var/osquery/osquery.db", - - // Comma-delimited list of table names to be disabled. - // This allows osquery to be launched without certain tables. - //"disable_tables": "foo_bar,time", - - // Comma-delimited list of table names to be enabled. - // This allows osquery to be launched with certain tables only. - //"enable_tables": "foo_bar,time", - - "utc": "true" - }, - - // Define a schedule of queries: - "schedule": { - "crontab": { - "query" : "SELECT * FROM crontab;", - "interval": 300 - }, - "system_profile": { - "query": "SELECT * FROM osquery_schedule" - }, - // This is a simple example query that outputs basic system information. - "system_info": { - // The exact query to run. - "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;", - // The interval in seconds to run this query, not an exact interval. - "interval": 3600 - } - }, - - // Decorators are normal queries that append data to every query. 
- "decorators": { - "load": [ - "SELECT uuid AS host_uuid FROM system_info;", - "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;" - ] - }, - - // Add default osquery packs or install your own. - // - // There are several 'default' packs installed with 'make install' or via - // packages and/or Homebrew. - // - // Linux: /usr/share/osquery/packs - // OS X: /var/osquery/packs - // Homebrew: /usr/local/share/osquery/packs - // make install: {PREFIX}/share/osquery/packs - // new pack folder path: /opt/osquery/share/osquery/packs - //"packs": { - // "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf", - // "incident-response": "/usr/share/osquery/packs/incident-response.conf", - // "it-compliance": "/usr/share/osquery/packs/it-compliance.conf", - // // "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf", - // "vuln-management": "/usr/share/osquery/packs/vuln-management.conf", - // "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf", - // "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf", - // "attack-range": "/usr/share/osquery/packs/attack-range.conf" - // // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf", - // // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf" - //} - "packs": { - "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf", - "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf", - "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf", - // "osx-attacks": "/opt/osquery/share/osquery/packs/osx-attacks.conf", - "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf", - "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf", - "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf", - "attack-range": "/opt/osquery/share/osquery/packs/attack-range.conf" - // "windows-hardening": 
"C:\\Program Files\\osquery\\packs\\windows-hardening.conf", - // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf" - }, - - // Provides feature vectors for osquery to leverage in simple statistical - // analysis of results data. - // - // Currently this configuration is only used by Windows in the Powershell - // Events table, wherein character_frequencies is a list of doubles - // representing the aggregate occurrence of character values in Powershell - // Scripts. A default configuration is provided which was adapated from - // Lee Holmes cobbr project: - // https://gist.github.com/cobbr/acbe5cc7a186726d4e309070187beee6 - // - "feature_vectors": { - "character_frequencies": [ - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.00045, 0.01798, - 0.0, 0.03111, 0.00063, 0.00027, 0.0, 0.01336, 0.0133, - 0.00128, 0.0027, 0.00655, 0.01932, 0.01917, 0.00432, 0.0045, - 0.00316, 0.00245, 0.00133, 0.001029, 0.00114, 0.000869, 0.00067, - 0.000759, 0.00061, 0.00483, 0.0023, 0.00185, 0.01342, 0.00196, - 0.00035, 0.00092, 0.027875, 0.007465, 0.016265, 0.013995, 0.0490895, - 0.00848, 0.00771, 0.00737, 0.025615, 0.001725, 0.002265, 0.017875, - 0.016005, 0.02533, 0.025295, 0.014375, 0.00109, 0.02732, 0.02658, - 0.037355, 0.011575, 0.00451, 0.005865, 0.003255, 0.005965, 0.00077, - 0.00621, 0.00222, 0.0062, 0.0, 0.00538, 0.00122, 0.027875, - 0.007465, 0.016265, 0.013995, 0.0490895, 0.00848, 0.00771, 0.00737, - 0.025615, 0.001725, 0.002265, 0.017875, 0.016005, 0.02533, 0.025295, - 0.014375, 0.00109, 0.02732, 0.02658, 0.037355, 0.011575, 0.00451, - 0.005865, 0.003255, 0.005965, 0.00077, 0.00771, 0.002379, 0.00766, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, - 0.0, 0.0, 0.0 - ] - } -} \ No newline at end of file diff --git a/packer/ansible/roles/osquery_linux/tasks/collect_osquery_logs.yml b/packer/ansible/roles/osquery_linux/tasks/collect_osquery_logs.yml deleted file mode 100644 index 877ef2c73..000000000 --- a/packer/ansible/roles/osquery_linux/tasks/collect_osquery_logs.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: make /var/log/osquery dir accessible to everyone (rwx) - become: true - command: chmod a+rwx /var/log/osquery -R - -- name: copy osquery_deb_inputs.conf as inputs.conf to capture osquery logs - copy: - src: deb_template_inputs.conf - dest: /opt/splunkforwarder/etc/system/local/inputs.conf - owner: splunk - group: splunk - force: yes \ No newline at end of file diff --git a/packer/ansible/roles/osquery_linux/tasks/configure_outputs_conf.yml b/packer/ansible/roles/osquery_linux/tasks/configure_outputs_conf.yml deleted file mode 100644 index afa2852cb..000000000 --- a/packer/ansible/roles/osquery_linux/tasks/configure_outputs_conf.yml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -# check and copy outputs.conf to forward data to splunk - -- name: check if /opt/splunkforwarder/etc/system/local dir exist - stat: - path: "/opt/splunkforwarder/etc/system/local" - register: dep_dir_path - -- name: report if /opt/splunkforwarder/etc/system/local - debug: - msg: WARNING - /opt/splunkforwarder/etc/system/local not exist - check your splunk_uf installation! - when: dep_dir_path.stat.exists == false - -- name: copy outputs.conf to forward data to splunk server - template: - src: outputs.conf.j2 - dest: /opt/splunkforwarder/etc/system/local/outputs.conf - when: dep_dir_path.stat.exists \ No newline at end of file diff --git a/packer/ansible/roles/osquery_linux/tasks/create_deploymentclient.yml b/packer/ansible/roles/osquery_linux/tasks/create_deploymentclient.yml deleted file mode 100644 index 984f631e9..000000000 --- a/packer/ansible/roles/osquery_linux/tasks/create_deploymentclient.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -# check and copy deploymentclient to act as a deployment client of splunk - -- name: check if /opt/splunkforwarder/etc/system/local dir exist - stat: - path: "/opt/splunkforwarder/etc/system/local" - register: dep_dir_path - -- name: report if /opt/splunkforwarder/etc/system/local - debug: - msg: WARNING - /opt/splunkforwarder/etc/system/local not exist - check your splunk_uf installation! - when: dep_dir_path.stat.exists == false - -- name: copy deploymentclient.conf to act as a deployment client of splunk - template: - src: deploymentclient.conf.j2 - dest: /opt/splunkforwarder/etc/system/local/deploymentclient.conf - when: dep_dir_path.stat.exists - - \ No newline at end of file diff --git a/packer/ansible/roles/osquery_linux/tasks/install_deb_uf.yml b/packer/ansible/roles/osquery_linux/tasks/install_deb_uf.yml deleted file mode 100644 index e9dbc7e60..000000000 --- a/packer/ansible/roles/osquery_linux/tasks/install_deb_uf.yml +++ /dev/null 
@@ -1,45 +0,0 @@
----
-# This playbook install the Splunk Universal Forwarder in linux Debian
-
-- name: add splunk group
- become: true
- tags:
- - install
- - security
- group: name=splunk state=present
-
-- name: add splunk user
- become: true
- tags:
- - install
- - security
- user: name=splunk comment="Splunk service user" shell=/usr/sbin/nologin groups=splunk createhome=yes
-
-- name: make /opt writetable by splunk
- become: true
- tags:
- - install
- file: path=/opt mode=777
-
-- name: checking if splunk is install
- tags: install
- stat: path=/opt/splunkforwarder
- register: splunk_path
-
-- name: is splunk UF installed?
- tags: install
- debug: msg='splunk is already installed under /opt/splunkforwarder'
- when: splunk_path.stat.exists
-
-- name: Install splunk uf
- become: true
- apt: deb="{{ splunk_uf_url }}"
- when: splunk_path.stat.exists == false
-
-- name: splunk license acceptance
- become: true
- command: "/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt"
-
-- name: setup to start at boot
- become: true
- command: "/opt/splunkforwarder/bin/splunk enable boot-start"
diff --git a/packer/ansible/roles/osquery_linux/tasks/install_osquery_linux.yml b/packer/ansible/roles/osquery_linux/tasks/install_osquery_linux.yml
deleted file mode 100644
index 583b3904c..000000000
--- a/packer/ansible/roles/osquery_linux/tasks/install_osquery_linux.yml
+++ /dev/null
@@ -1,75 +0,0 @@
----
-# This playbook install the isquery in linux machine
-
-- name: drop the osquery_install.sh script /tmp
- become: true
- copy:
- src: osquery_install.sh
- dest: /tmp/osquery_install.sh
- mode: 0777
-
-- name: check if osquery service exist
- stat: path=/etc/init.d/osqueryd
- register: service_status
-
-- name: is osquery service exist? if yes stop it!
- become: true
- service:
- name: osquery
- state: stopped
- when: service_status.stat.exists
-
-- name: run osquery_install.sh
- become: true
- command: sh /tmp/osquery_install.sh
-
-- name: clean the script
- become: true
- command: rm /tmp/osquery_install.sh
-
-- name: copy template.osquery.conf /etc/osquery/osquery.conf
- become: true
- copy:
- src: template.osquery.conf
- dest: /etc/osquery/osquery.conf
-
-- name: copy template.osquery.conf /var/osquery/osquery.conf
- become: true
- copy:
- src: template.osquery.conf
- dest: /var/osquery/osquery.conf
-
-- name: copy custom osquery conf template as /opt/osquery/share/osquery/packs/attack-range.conf
- become: true
- copy:
- src: "{{ custom_osquery_conf }}"
- dest: /opt/osquery/share/osquery/packs/attack-range.conf
-
-- name: copy custom osquery flags template as /etc/osquery/osquery.flags
- become: true
- copy:
- src: "{{ custom_osquery_conf_flag }}"
- dest: /etc/osquery/osquery.flags
-
-- name: activate osqueryd service
- become: true
- service:
- name: osqueryd
- state: started
-
-- name: osqueryd service enable
- become: true
- command: systemctl enable osqueryd
- register: osq_service_status
-
-- name: osqueryd service status check
- become: true
- command: systemctl status osqueryd
- register: osq_service_status
-
-- name: osquery service status stdout
- debug: msg="{{ osq_service_status.stdout }}"
-
-
-
-
diff --git a/packer/ansible/roles/osquery_linux/tasks/main.yml b/packer/ansible/roles/osquery_linux/tasks/main.yml
deleted file mode 100644
index 4c8f71391..000000000
--- a/packer/ansible/roles/osquery_linux/tasks/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- include: install_osquery_linux.yml
-- include: install_deb_uf.yml
-- include: configure_outputs_conf.yml
-- include: create_deploymentclient.yml
-- include: collect_osquery_logs.yml
-
-
-- name: Restart splunk uf
- become: true
- command: "systemctl restart SplunkForwarder"
- when: cloud_provider != "local"
-
-- name: Restart splunk uf
- become: true
- command: "/opt/splunkforwarder/bin/splunk restart"
- when: cloud_provider == "local"
\ No newline at end of file
diff --git a/packer/ansible/roles/osquery_linux/templates/deploymentclient.conf.j2 b/packer/ansible/roles/osquery_linux/templates/deploymentclient.conf.j2
deleted file mode 100644
index 983ed0b7c..000000000
--- a/packer/ansible/roles/osquery_linux/templates/deploymentclient.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-[deployment-client]
-
-[target-broker:deploymentServer]
-targetUri= {{ splunk_indexer_ip }}:8089
diff --git a/packer/ansible/roles/osquery_linux/templates/outputs.conf.j2 b/packer/ansible/roles/osquery_linux/templates/outputs.conf.j2
deleted file mode 100644
index 9373b03b2..000000000
--- a/packer/ansible/roles/osquery_linux/templates/outputs.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-[tcpout]
-defaultGroup=my_indexers
-
-[tcpout:my_indexers]
-server={{ splunk_indexer_ip }}:9997
diff --git a/packer/ansible/roles/phantom/tasks/install_phantom.yml b/packer/ansible/roles/phantom/tasks/install_phantom.yml
deleted file mode 100644
index 2ff983b5f..000000000
--- a/packer/ansible/roles/phantom/tasks/install_phantom.yml
+++ /dev/null
@@ -1,91 +0,0 @@
----
-# Install Phantom from RPM on a fresh CentOS 7 instance
-
-- name: Copy Splunk SOAR to server
- become: true
- become_user: centos
- unarchive:
- src: "../../apps/{{ phantom_app }}"
- dest: /home/centos
-
-- name: Creates directory
- file:
- path: /opt/soar
- state: directory
-
-- name: prepare phantom install script without apps
- become_user: centos
- shell: sudo /home/centos/splunk-soar/soar-prepare-system --splunk-soar-home /opt/soar --no-prompt
-
-- name: copy splunk soar folder
- shell: cp -r /home/centos/splunk-soar /home/phantom/splunk-soar
-
-- name: chown splunk soar folder
- shell: chown -R phantom. /home/phantom/splunk-soar
-
-# - name: Copy Splunk SOAR to server
-# become_user: phantom
-# unarchive:
-# src: "../../apps/{{ phantom_app }}"
-# dest: /home/phantom
-
-- name: run the phantom install script
- become_user: phantom
- shell: ./soar-install --splunk-soar-home /opt/soar --no-prompt --ignore-warnings
- args:
- chdir: /home/phantom/splunk-soar
-
-# - name: upgrade all packages
-# yum:
-# name: '*'
-# state: latest
-
-# - name: check if phantom is installed
-# stat: path=/opt/phantom
-# register: phantom_path
-
-# - name: debug print if phantom is installed
-# debug: msg='phantom is already installed under /opt/phantom'
-# when: phantom_path.stat.exists
-
-
-# - name: install the phantom setup rpm from the community repository
-# yum:
-# name: '{{ phantom_repo_url }}'
-# state: present
-
-# # installing apps takes 15+ minutes longer, so later we will install just the apps we need
-# - name: run the phantom install script without apps
-# shell: printf "{{phantom_community_username}}\n{{phantom_community_password}}\n" | /opt/phantom/bin/phantom_setup.sh install --no-prompt --without-apps --version={{phantom_version}}
-# async: 1800
-# poll: 60
-
-# - name: install whois app
-# yum:
-# name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_whois-2.1.0.x86_64.rpm
-# state: present
-
-# - name: install maxmind app
-# yum:
-# name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_maxmind-2.0.23.x86_64.rpm
-# state: present
-
-# - name: install dns app
-# yum:
-# name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_dns-2.0.22.x86_64.rpm
-# state: present
-
-# - name: install phishtank app
-# yum:
-# name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_phishtank-2.0.1.x86_64.rpm
-# state: present
-
-# - name: install splunk app
-# yum:
-# name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_splunk-2.2.3.x86_64.rpm
-# state: present
-
-# - name: install winrm app
-# yum:
-# name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_winrm-2.0.1.x86_64.rpm
-# state: present
\ No newline at end of file
diff --git a/packer/ansible/roles/phantom/tasks/main.yml b/packer/ansible/roles/phantom/tasks/main.yml
deleted file mode 100644
index 27c2d6922..000000000
--- a/packer/ansible/roles/phantom/tasks/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# This playbook contains common tasks in this role
-
-- include: install_phantom.yml
- when: cloud_provider != "local"
-
-- include: install_phantom_local.yml
- when: cloud_provider == "local"
\ No newline at end of file
diff --git a/packer/ansible/roles/prelude/files/prelude-operator.service b/packer/ansible/roles/prelude/files/prelude-operator.service
deleted file mode 100644
index 3858d1c7c..000000000
--- a/packer/ansible/roles/prelude/files/prelude-operator.service
+++ /dev/null
@@ -1,20 +0,0 @@
-# Expects Headless Operator binary under headless under: /opt/prelude
-# Safe this file to /etc/systemd/system/prelude-operator.service, then run: systemctl daemon-reload
-# You can configure specific account by writing ACCOUNT_EMAIL var under /opt/prelude/env
-# example:
-# ACCOUNT_EMAIL=a8b6a79c-c98b-11ec-ba35-3f30ad1005c5@desktop.prelude.org
-# Writes logs to syslog
-
-[Unit]
-Description=Prelude Operator
-
-[Service]
-EnvironmentFile=/opt/prelude/env
-ExecStart=/opt/prelude/headless --accountEmail=${ACCOUNT_EMAIL} --sessionToken=${SESSION_TOKEN}
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier=prelude-operator
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/packer/ansible/roles/prelude/tasks/install.yml b/packer/ansible/roles/prelude/tasks/install.yml
deleted file mode 100644
index 58666fe8e..000000000
--- a/packer/ansible/roles/prelude/tasks/install.yml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-- name: Make /opt/prelude
- file:
- path: /opt/prelude
- state: directory
- mode: '0755'
-
-- name: Download Prelude Operator Linux Headless /opt/prelude/headless.zip
- get_url:
- url: "{{ prelude_operator_url }}"
- dest: /opt/prelude/headless.zip
-
-- name: Install unzip
- apt:
- name: unzip
- state: latest
-
-- name: Unzip headless.zip
- unarchive:
- src: /opt/prelude/headless.zip
- dest: /opt/prelude
- remote_src: yes
-
-- name: Generate Session Token
- shell: uuidgen
- register: prelude_session_token
-
-- name: Copy env, configures Prelude Email Account
- template:
- src: env
- dest: /opt/prelude/env
-
-- name: Copy systemd file
- copy:
- src: prelude-operator.service
- dest: /etc/systemd/system/prelude-operator.service
- mode: 644
-
-- name: Start Prelude Operator service
- systemd:
- name: prelude-operator.service
- state: started
-
-- name: Write Session Token to file
- delegate_to: localhost
- become: false
- local_action: copy content="{{ prelude_session_token.stdout }}" dest=/var/tmp/.prelude_session_token force=yes
-
diff --git a/packer/ansible/roles/prelude/tasks/main.yml b/packer/ansible/roles/prelude/tasks/main.yml
deleted file mode 100644
index 1e960e640..000000000
--- a/packer/ansible/roles/prelude/tasks/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-
-- include: install.yml
- when: prelude == "1"
- tags:
- - prelude
diff --git a/packer/ansible/roles/prelude/templates/env b/packer/ansible/roles/prelude/templates/env
deleted file mode 100644
index 014729a04..000000000
--- a/packer/ansible/roles/prelude/templates/env
+++ /dev/null
@@ -1,4 +0,0 @@
-## Prelude Creds
-ACCOUNT_EMAIL={{ prelude_account_email }}
-SESSION_TOKEN= {{ prelude_session_token.stdout }}
-
diff --git a/packer/ansible/roles/purplesharp/files/T1003.001.pb b/packer/ansible/roles/purplesharp/files/T1003.001.pb
deleted file mode 100644
index a797f1a92..000000000
--- a/packer/ansible/roles/purplesharp/files/T1003.001.pb
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "type": "local",
- "sleep": 0,
- "playbooks": [
- {
- "name": "OS Credential Dumping",
- "enabled": true,
- "tasks": [
- {
- "name": "Lsass Process Dump using Win32 API MiniDumpWriteDump",
- "technique_id": "T1003.001"
- }
- ]
- }
- ]
-}
diff --git a/packer/ansible/roles/purplesharp/tasks/main.yml b/packer/ansible/roles/purplesharp/tasks/main.yml
deleted file mode 100644
index 64a278e88..000000000
--- a/packer/ansible/roles/purplesharp/tasks/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-- name: Download Latest PurpleSharp Binary
- win_shell: |
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls, [Net.SecurityProtocolType]::Tls11, [Net.SecurityProtocolType]::Tls12, [Net.SecurityProtocolType]::Ssl3
- [Net.ServicePointManager]::SecurityProtocol = 'Tls, Tls11, Tls12, Ssl3'
- If (-not (Test-Path c:\Tools\PurpleSharp)) { New-Item -Path c:\Tools\ -Name PurpleSharp -ItemType directory }
- $tag = (Invoke-WebRequest 'https://api.github.com/repos/mvelazc0/PurpleSharp/releases' -UseBasicParsing | ConvertFrom-Json)[0].tag_name
- $purplesharpDownloadUrl = 'https://github.com/mvelazc0/PurpleSharp/releases/download/' + $tag + '/PurpleSharp_x64.exe'
- If (-not (Test-Path c:\Tools\PurpleSharp\PurpleSharp.exe)) { Invoke-WebRequest -Uri $purplesharpDownloadUrl -OutFile c:\Tools\PurpleSharp\PurpleSharp.exe }
-
-- include_tasks: "run_simulation_playbook.yml"
- when: run_simulation_playbook
-
-- include_tasks: "run_simulation_techniques.yml"
- with_items: "{{ techniques }}"
- when: not run_simulation_playbook
diff --git a/packer/ansible/roles/purplesharp/tasks/run_simulation_playbook.yml b/packer/ansible/roles/purplesharp/tasks/run_simulation_playbook.yml
deleted file mode 100644
index 835000984..000000000
--- a/packer/ansible/roles/purplesharp/tasks/run_simulation_playbook.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-
-- debug:
- var: simulation_playbook
-
-- name: Copy Simulation Playbook to Host
- win_copy:
- src: "{{ simulation_playbook }}"
- dest: "C:\\Tools\\PurpleSharp\\{{ simulation_playbook }}"
-
-- name: Run PurpleSharp Simulation Playbook
- win_command: "PurpleSharp.exe /pb {{ simulation_playbook }}"
- register: output_purplesharp
- args:
- chdir: C:\\Tools\\PurpleSharp
-
-- name: Save PurpleSharp output
- set_fact:
- output_purplesharp: "{{ output_purplesharp }}"
- cacheable: yes
- #when: var_str == 'no'
\ No newline at end of file
diff --git a/packer/ansible/roles/purplesharp/tasks/run_simulation_techniques.yml b/packer/ansible/roles/purplesharp/tasks/run_simulation_techniques.yml
deleted file mode 100644
index 46d9d9acc..000000000
--- a/packer/ansible/roles/purplesharp/tasks/run_simulation_techniques.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-
-- debug:
- var: techniques
-
-- name: Run PurpleSharp Simulation Techniques
- block:
- - name: Run PurpleSharp Simulation Techniques
- win_command: PurpleSharp.exe /t "{{ techniques }}"
- register: output_purplesharp
- args:
- chdir: C:\\Tools\\PurpleSharp
- # Fail this step when PurpleSharp reports the simulation has failed.
- # The PurpleSharp output details will still be printed for the user to review details.
- failed_when: "'Simulation Failed' in output_purplesharp.stdout"
-
- always:
- - name: Save PurpleSharp output
- set_fact:
- output_purplesharp: "{{ output_purplesharp }}"
- cacheable: yes
- #when: var_str == 'no'
diff --git a/packer/ansible/roles/reboot/tasks/main.yml b/packer/ansible/roles/reboot/tasks/main.yml
deleted file mode 100644
index fe9de7eed..000000000
--- a/packer/ansible/roles/reboot/tasks/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- name: Reboot
- reboot:
- reboot_timeout: 600
\ No newline at end of file
diff --git a/packer/ansible/roles/red_team_tools/tasks/main.yml b/packer/ansible/roles/red_team_tools/tasks/main.yml
deleted file mode 100644
index 1d9e34dce..000000000
--- a/packer/ansible/roles/red_team_tools/tasks/main.yml
+++ /dev/null
@@ -1,83 +0,0 @@
----
-- name: Git clone SharpHound
- win_shell: git clone https://github.com/BloodHoundAD/SharpHound3.git C:\tools\SharpHound3
- when: install_red_team_tools == "1"
-
-- name: Git clone MailSniper
- win_shell: git clone https://github.com/dafthack/MailSniper.git C:\tools\MailSniper
- when: install_red_team_tools == "1"
-
-- name: Git clone juicy-potato
- win_shell: git clone https://github.com/decoder-it/juicy-potato.git C:\tools\juicy-potato
- when: install_red_team_tools == "1"
-
-- name: Git clone SharpChrome
- win_shell: git clone https://github.com/djhohnstein/SharpChrome.git C:\tools\SharpChrome
- when: install_red_team_tools == "1"
-
-- name: Git clone Egress-Assess
- win_shell: git clone https://github.com/FortyNorthSecurity/Egress-Assess.git C:\tools\Egress-Assess
- when: install_red_team_tools == "1"
-
-- name: Git clone SharpGPOAbuse
- win_shell: git clone https://github.com/FSecureLABS/SharpGPOAbuse.git C:\tools\SharpGPOAbuse
- when: install_red_team_tools == "1"
-
-- name: Git clone Mimikatz
- win_shell: git clone https://github.com/gentilkiwi/mimikatz.git C:\tools\mimikatz
- when: install_red_team_tools == "1"
-
-- name: Git clone Seatbelt
- win_shell: git clone https://github.com/GhostPack/Seatbelt.git C:\tools\Seatbelt
- when: install_red_team_tools == "1"
-
-- name: Git clone DAMP
- win_shell: git clone https://github.com/HarmJ0y/DAMP.git C:\tools\DAMP
- when: install_red_team_tools == "1"
-
-- name: Git clone UACME
- win_shell: git clone https://github.com/hfiref0x/UACME.git C:\tools\UACME
- when: install_red_team_tools == "1"
-
-- name: Git clone SpoolSample
- win_shell: git clone https://github.com/leechristensen/SpoolSample.git C:\tools\SpoolSample
- when: install_red_team_tools == "1"
-
-- name: Git clone PowerUpSQL
- win_shell: git clone https://github.com/NetSPI/PowerUpSQL.git C:\tools\PowerUpSQL
- when: install_red_team_tools == "1"
-
-- name: Git clone PowerShdll
- win_shell: git clone https://github.com/p3nt4/PowerShdll.git C:\tools\PowerShdll
- when: install_red_team_tools == "1"
-
-- name: Git clone PowerSploit
- win_shell: git clone https://github.com/PowerShellMafia/PowerSploit.git C:\tools\PowerSploit
- when: install_red_team_tools == "1"
-
-- name: Git clone MiscTools
- win_shell: git clone https://github.com/rasta-mouse/MiscTools.git C:\tools\MiscTools
- when: install_red_team_tools == "1"
-
-- name: Git clone Sherlock
- win_shell: git clone https://github.com/rasta-mouse/Sherlock.git C:\tools\Sherlock
- when: install_red_team_tools == "1"
-
-- name: Git clone Watson
- win_shell: git clone https://github.com/rasta-mouse/Watson.git C:\tools\Watson
- when: install_red_team_tools == "1"
-
-- name: Git clone SharpView
- win_shell: git clone https://github.com/tevora-threat/SharpView.git C:\tools\SharpView
- when: install_red_team_tools == "1"
-
-- name: Git clone donut
- win_shell: git clone https://github.com/TheWover/donut.git C:\tools\donut
- when: install_red_team_tools == "1"
-
-- name: install sysinternals
- win_shell: C:\\ProgramData\\chocolatey\\bin\\choco.exe install sysinternals --fail-on-unfound --yes --no-progress --limit-output --timeout 2700 --ignore-checksums
- when: install_red_team_tools == "1"
-
-
-
diff --git a/packer/ansible/roles/splunk_phantom/files/authorize.conf b/packer/ansible/roles/splunk_phantom/files/authorize.conf
deleted file mode 100644
index a643ff6ae..000000000
--- a/packer/ansible/roles/splunk_phantom/files/authorize.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[role_admin]
-grantableRoles = admin
-importRoles = phantom;power;user
-list_settings = disabled
-list_storage_passwords = disabled
-srchIndexesDefault = attack;dns;fw;mail;main;proxy;unix;win
-srchMaxTime = 8640000
diff --git a/packer/ansible/roles/splunk_phantom/tasks/add_phantom_role.yml b/packer/ansible/roles/splunk_phantom/tasks/add_phantom_role.yml
deleted file mode 100644
index 6265f4b7e..000000000
--- a/packer/ansible/roles/splunk_phantom/tasks/add_phantom_role.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-
-- name: copy authorize.conf to give admin phantom capabilities
- copy:
- src: authorize.conf
- dest: /opt/splunk/etc/system/local/authorize.conf
- owner: splunk
- group: splunk
- force: yes
diff --git a/packer/ansible/roles/splunk_phantom/tasks/install_phantom_app.yml b/packer/ansible/roles/splunk_phantom/tasks/install_phantom_app.yml
deleted file mode 100644
index ff9a258d6..000000000
--- a/packer/ansible/roles/splunk_phantom/tasks/install_phantom_app.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-
-- name: Check if Phantom App exists
- stat:
- path: /opt/splunk/etc/apps/phantom
- register: phantom_app_check
-
-- name: download phantom app from S3 bucket
- get_url:
- url: '{{ s3_bucket_url }}/{{ phantom_app }}'
- dest: /tmp/phantom_app.tgz
- when: phantom_app_check.stat.exists == False
-
-- name: Install phantom app via REST
- uri:
- url: "https://127.0.0.1:8089/services/apps/local"
- method: POST
- user: "admin"
- password: "{{ splunk_admin_password }}"
- validate_certs: false
- body: "name=/tmp/phantom_app.tgz&update=true&filename=true"
- headers:
- Content-Type: "application/x-www-form-urlencoded"
- status_code: [ 200, 201 ]
- timeout: 30
- when: phantom_app_check.stat.exists == False
- notify: restart splunk
diff --git a/packer/ansible/roles/splunk_phantom/tasks/main.yml b/packer/ansible/roles/splunk_phantom/tasks/main.yml
deleted file mode 100644
index a8d627888..000000000
--- a/packer/ansible/roles/splunk_phantom/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-- include: install_phantom_app.yml
- when: phantom_server == "1" or phantom_byo == "1"
-
-- include: add_phantom_role.yml
- when: phantom_server == "1" or phantom_byo == "1"
diff --git a/packer/ansible/roles/splunk_phantom/templates/phantom.j2 b/packer/ansible/roles/splunk_phantom/templates/phantom.j2
deleted file mode 100644
index fa98fca59..000000000
--- a/packer/ansible/roles/splunk_phantom/templates/phantom.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-[enable_logging]
-value = false
-
-[phantom]
-value = {"f4ebdb46-3687-44b9-be72-d6b90597cff0": {"proxy": "", "user": "automation", "ph_auth_config_id": "f4ebdb46-3687-44b9-be72-d6b90597cff0", "custom_name": "phantom", "server": "https://54.185.241.145", "default": true}}
-
-[verify_certs]
-value = 0
-
-[field_mapping]
-
-[version]
-
-[accepted]
-value = false
diff --git a/packer/ansible/roles/splunk_phantom_configure/files/phantom.conf b/packer/ansible/roles/splunk_phantom_configure/files/phantom.conf
deleted file mode 100644
index e26397cba..000000000
--- a/packer/ansible/roles/splunk_phantom_configure/files/phantom.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[enable_logging]
-value = false
-
-[verify_certs]
-value = 0
diff --git a/packer/ansible/roles/splunk_phantom_configure/tasks/configure_phantom_BYO_app.yml b/packer/ansible/roles/splunk_phantom_configure/tasks/configure_phantom_BYO_app.yml
deleted file mode 100644
index 6f0b1aa29..000000000
--- a/packer/ansible/roles/splunk_phantom_configure/tasks/configure_phantom_BYO_app.yml
+++ /dev/null
@@ -1,69 +0,0 @@
----
-
-- name: create local folder for phantom app
- file:
- path: /opt/splunk/etc/apps/phantom/local
- state: directory
- owner: splunk
- group: splunk
-
-- name: copy phantom.conf to splunk server
- copy:
- src: phantom.conf
- dest: /opt/splunk/etc/apps/phantom/local/phantom.conf
- owner: splunk
- group: splunk
-
-- name: restart splunk
- service: name=splunk state=restarted
- become: yes
-
-#- name: fetch phantom api token
-# uri:
-# url: https://{{ phantom_server_private_ip }}/rest/ph_user/2/token
-# method: GET
-# user: admin
-# password: "{{ phantom_admin_password }}"
-# force_basic_auth: yes
-# validate_certs: no
-# register: api_token
-
-- name: Connect Splunk Phantom App with Phantom
- shell: curl -k -u "admin:{{ splunk_admin_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ phantom_api_token | replace("=","%3D") | replace("+","%2B") }}","server":"https://{{ phantom_byo_ip }}","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json
- register: shell_output
-
-# - name: Debug output
-# debug:
-# var: shell_output
-
-- name: restart splunk
- service: name=splunk state=restarted
- become: yes
-
-
-# - name: Connect Splunk Phantom App with Phantom
-# uri:
-# url: https://127.0.0.1:8089/services/update_phantom_config
-# method: POST
-# user: "admin"
-# password: "{{ splunk_admin_password }}"
-# validate_certs: false
-# body:
-# verify_certs: false
-# enable_logging: false
-# config:
-# - ph-auth-token: "{{ api_token.json.key }}"
-# server: "https://{{ phantom_server_private_ip }}"
-# custom_name: ""
-# default: false
-# user: ""
-# ph_auth_config_id: "193b2ffc-48fb-4087-bc75-c44184e7fa07"
-# proxy: ""
-# validate: true
-# accepted: true
-# save: true
-# body_format: json
-# status_code: [ 200, 201 ]
-# timeout: 30
-# notify: restart splunk
-# register: rest_output
diff --git a/packer/ansible/roles/splunk_phantom_configure/tasks/configure_phantom_app.yml b/packer/ansible/roles/splunk_phantom_configure/tasks/configure_phantom_app.yml
deleted file mode 100644
index 961d552d1..000000000
--- a/packer/ansible/roles/splunk_phantom_configure/tasks/configure_phantom_app.yml
+++ /dev/null
@@ -1,69 +0,0 @@
----
-
-- name: create local folder for phantom app
- file:
- path: /opt/splunk/etc/apps/phantom/local
- state: directory
- owner: splunk
- group: splunk
-
-- name: copy phantom.conf to splunk server
- copy:
- src: phantom.conf
- dest: /opt/splunk/etc/apps/phantom/local/phantom.conf
- owner: splunk
- group: splunk
-
-- name: restart splunk
- service: name=splunk state=restarted
- become: yes
-
-- name: fetch phantom api token
- uri:
- url: https://{{ phantom_server_private_ip }}/rest/ph_user/2/token
- method: GET
- user: admin
- password: "{{ phantom_admin_password }}"
- force_basic_auth: yes
- validate_certs: no
- register: api_token
-
-- name: Connect Splunk Phantom App with Phantom
- shell: curl -k -u "admin:{{ splunk_admin_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://{{ phantom_server_private_ip }}","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json
- register: shell_output
-
-# - name: Debug output
-# debug:
-# var: shell_output
-
-- name: restart splunk
- service: name=splunk state=restarted
- become: yes
-
-
-# - name: Connect Splunk Phantom App with Phantom
-# uri:
-# url: https://127.0.0.1:8089/services/update_phantom_config
-# method: POST
-# user: "admin"
-# password: "{{ splunk_admin_password }}"
-# validate_certs: false
-# body:
-# verify_certs: false
-# enable_logging: false
-# config:
-# - ph-auth-token: "{{ api_token.json.key }}"
-# server: "https://{{ phantom_server_private_ip }}"
-# custom_name: ""
-# default: false
-# user: ""
-# ph_auth_config_id: "193b2ffc-48fb-4087-bc75-c44184e7fa07"
-# proxy: ""
-# validate: true
-# accepted: true
-# save: true
-# body_format: json
-# status_code: [ 200, 201 ]
-# timeout: 30
-# notify: restart splunk
-# register: rest_output
diff --git a/packer/ansible/roles/splunk_phantom_configure/tasks/main.yml b/packer/ansible/roles/splunk_phantom_configure/tasks/main.yml
deleted file mode 100644
index 71f46daac..000000000
--- a/packer/ansible/roles/splunk_phantom_configure/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-- include: configure_phantom_app.yml
- when: phantom_server == "1"
-
-- include: configure_phantom_BYO_app.yml
- when: phantom_byo == "1"
\ No newline at end of file
diff --git a/packer/ansible/roles/splunk_server/files/phantom.conf b/packer/ansible/roles/splunk_server/files/phantom.conf
deleted file mode 100644
index e26397cba..000000000
--- a/packer/ansible/roles/splunk_server/files/phantom.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[enable_logging]
-value = false
-
-[verify_certs]
-value = 0
diff --git a/packer/ansible/roles/splunk_server/handlers/main.yml b/packer/ansible/roles/splunk_server/handlers/main.yml
deleted file mode 100644
index 7e97b88f3..000000000
--- a/packer/ansible/roles/splunk_server/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: restart splunk
- service: name=splunk state=restarted
- become: yes
diff --git a/packer/ansible/roles/splunk_server/tasks/main.yml b/packer/ansible/roles/splunk_server/tasks/main.yml
deleted file mode 100644
index b1c28a1f4..000000000
--- a/packer/ansible/roles/splunk_server/tasks/main.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-# This playbook contains common tasks in this role
-
-- include: splunk.yml
-- include: configure_inputs.yml
-- include: configure_indexes.yml
-- include: configure_limits.yml
-- include: configure_web_conf.yml
-- include: configure_server_conf.yml
-- include: create_serverclass.yml
-- include: install_app_from_s3.yml
- with_items:
- - "splunk-add-on-for-microsoft-windows_880.tgz"
- - "splunk-timeline-custom-visualization_162.tgz "
- - "status-indicator-custom-visualization_150.tgz"
- - "splunk-sankey-diagram-custom-visualization_160.tgz"
- - "punchcard-custom-visualization_150.tgz"
- - "splunk_attack_range_reporting-1.0.9.tar.gz"
- - "splunk-common-information-model-cim_532.tgz "
- - "DA-ESS-ContentUpdate-latest.tar.gz"
- - "python-for-scientific-computing-for-linux-64-bit_420.tgz "
- - "splunk-machine-learning-toolkit_541.tgz"
- - "splunk-security-essentials_380.tgz"
- - "splunk-add-on-for-sysmon_400.tgz "
- - "splunk-add-on-for-sysmon-for-linux_100.tgz"
- - "splunk-add-on-for-amazon-web-services-aws_760.tgz"
- - "splunk-add-on-for-microsoft-office-365_451.tgz"
- - "splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz"
- - "splunk-add-on-for-unix-and-linux_910.tgz"
- - "ta-for-zeek_108.tgz"
- - "splunk-add-on-for-nginx_322.tgz"
- - "phantom-app-for-splunk_4035.tgz"
- - "TA-osquery.tar.gz"
- - "splunk-add-on-for-microsoft-cloud-services_530.tgz"
- - "splunk-add-on-for-crowdstrike-fdr_150.tgz"
- - "vmware-carbon-black-cloud_115.tgz"
- - "splunk-add-on-for-carbon-black_210.tgz"
- - "TA-aurora-0.2.0.tar.gz"
-- include: configure_attack_range_dashboard.yml
-- include: configure_escu.yml
-- include: configure_props.yml
-- include: configure_cim.yml
-- include: configure_phantom.yml
diff --git a/packer/ansible/roles/splunk_server/tasks/splunk.yml b/packer/ansible/roles/splunk_server/tasks/splunk.yml
deleted file mode 100644
index 1d24ff421..000000000
--- a/packer/ansible/roles/splunk_server/tasks/splunk.yml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-# This playbook install the apps required in a server
-
-- name: add splunk group
- group: name=splunk state=present
-
-- name: add splunk user
- user: name=splunk comment="Splunk service user" shell=/usr/sbin/nologin groups=splunk createhome=yes
-
-- name: make /opt writetable by splunk
- file: path=/opt mode=777
-
-- name: checking if splunk is install
- stat: path=/opt/splunk
- register: splunk_path
-
-- name: is splunk installed?
- debug: msg='splunk is already installed under /opt/splunk'
- when: splunk_path.stat.exists
-
-- name: download splunk
- get_url:
- url: "{{ splunk_url }}"
- dest: /opt/splunk.tgz
- when: splunk_path.stat.exists == false
-
-- name: install splunk binary
- unarchive: remote_src=yes src=/opt/splunk.tgz dest=/opt/ owner=splunk group=splunk creates=yes
- become: yes
- become_user: splunk
- when: splunk_path.stat.exists == false
-
-- name: migrate to WiredTiger
- blockinfile:
- path: /opt/splunk/etc/system/local/server.conf
- insertafter: EOF
- create: yes
- block: |
- [kvstore]
- storageEngine=wiredTiger
-
-- name: accept license and start splunk
- shell: /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd Pl3ase-k1Ll-me:p
- become: yes
- become_user: splunk
- when: splunk_path.stat.exists == false
-
-- name: enable boot-start
- shell: /opt/splunk/bin/splunk enable boot-start -user splunk
- when: splunk_path.stat.exists == false
-
-- name: restart splunk
- service:
- name: splunkd
- state: restarted
diff --git a/packer/ansible/roles/splunk_server/templates/inputs_stream.conf.j2 b/packer/ansible/roles/splunk_server/templates/inputs_stream.conf.j2
deleted file mode 100644
index 69b3ab306..000000000
--- a/packer/ansible/roles/splunk_server/templates/inputs_stream.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-[streamfwd://streamfwd]
-index = network
-splunk_stream_app_location = http{% if install_es == "1" %}s{% endif %}://localhost:8000/en-us/custom/splunk_app_stream/
-stream_forwarder_id =
-disabled = 0
diff --git a/packer/ansible/roles/sysmon_linux/files/deb_template_inputs.conf b/packer/ansible/roles/sysmon_linux/files/deb_template_inputs.conf
deleted file mode 100644
index 88d7027dd..000000000
--- a/packer/ansible/roles/sysmon_linux/files/deb_template_inputs.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-[journald://sysmon]
-interval = 30
-journalctl-quiet = true
-journalctl-include-fields = PRIORITY,_SYSTEMD_UNIT,_SYSTEMD_CGROUP,_TRANSPORT,_PID,_UID,_MACHINE_ID,_GID,_COMM,_EXE
-journalctl-exclude-fields = __MONOTONIC_TIMESTAMP,__SOURCE_REALTIME_TIMESTAMP
-journalctl-filter = _SYSTEMD_UNIT=sysmon.service
-index = unix
-source = Syslog:Linux-Sysmon/Operational
-sourcetype = sysmon:linux
\ No newline at end of file
diff --git a/packer/ansible/roles/sysmon_linux/tasks/configure_inputs.yml b/packer/ansible/roles/sysmon_linux/tasks/configure_inputs.yml
deleted file mode 100644
index 7c8f484b3..000000000
--- a/packer/ansible/roles/sysmon_linux/tasks/configure_inputs.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: copy deb_inputs.conf as inputs.conf to capture sysmon for linux logs
- copy:
- src: deb_template_inputs.conf
- dest: /opt/splunkforwarder/etc/system/local/inputs.conf
- owner: splunk
- group: splunk
- force: yes
diff --git a/packer/ansible/roles/sysmon_linux/tasks/configure_outputs_conf.yml b/packer/ansible/roles/sysmon_linux/tasks/configure_outputs_conf.yml
deleted file mode 100644
index afa2852cb..000000000
--- a/packer/ansible/roles/sysmon_linux/tasks/configure_outputs_conf.yml
+++ /dev/null
@@ -1,18 +0,0 @@
---- -# check and copy outputs.conf to forward data to splunk - -- name: check if /opt/splunkforwarder/etc/system/local dir exist - stat: - path: "/opt/splunkforwarder/etc/system/local" - register: dep_dir_path - -- name: report if /opt/splunkforwarder/etc/system/local - debug: - msg: WARNING - /opt/splunkforwarder/etc/system/local not exist - check your splunk_uf installation! - when: dep_dir_path.stat.exists == false - -- name: copy outputs.conf to forward data to splunk server - template: - src: outputs.conf.j2 - dest: /opt/splunkforwarder/etc/system/local/outputs.conf - when: dep_dir_path.stat.exists
\ No newline at end of file
diff --git a/packer/ansible/roles/sysmon_linux/tasks/create_deploymentclient.yml b/packer/ansible/roles/sysmon_linux/tasks/create_deploymentclient.yml
deleted file mode 100644
index 984f631e9..000000000
--- a/packer/ansible/roles/sysmon_linux/tasks/create_deploymentclient.yml
+++ /dev/null
@@ -1,20 +0,0 @@
---- -# check and copy deploymentclient to act as a deployment client of splunk - -- name: check if /opt/splunkforwarder/etc/system/local dir exist - stat: - path: "/opt/splunkforwarder/etc/system/local" - register: dep_dir_path - -- name: report if /opt/splunkforwarder/etc/system/local - debug: - msg: WARNING - /opt/splunkforwarder/etc/system/local not exist - check your splunk_uf installation! - when: dep_dir_path.stat.exists == false - -- name: copy deploymentclient.conf to act as a deployment client of splunk - template: - src: deploymentclient.conf.j2 - dest: /opt/splunkforwarder/etc/system/local/deploymentclient.conf - when: dep_dir_path.stat.exists - -
\ No newline at end of file
diff --git a/packer/ansible/roles/sysmon_linux/tasks/install_deb_uf.yml b/packer/ansible/roles/sysmon_linux/tasks/install_deb_uf.yml
deleted file mode 100644
index e9dbc7e60..000000000
--- a/packer/ansible/roles/sysmon_linux/tasks/install_deb_uf.yml
+++ /dev/null
@@ -1,45 +0,0 @@
---- -# This playbook install the Splunk Universal Forwarder in linux Debian - -- name: add splunk group - become: true - tags: - - install - - security - group: name=splunk state=present - -- name: add splunk user - become: true - tags: - - install - - security - user: name=splunk comment="Splunk service user" shell=/usr/sbin/nologin groups=splunk createhome=yes - -- name: make /opt writetable by splunk - become: true - tags: - - install - file: path=/opt mode=777 - -- name: checking if splunk is install - tags: install - stat: path=/opt/splunkforwarder - register: splunk_path - -- name: is splunk UF installed? - tags: install - debug: msg='splunk is already installed under /opt/splunkforwarder' - when: splunk_path.stat.exists - -- name: Install splunk uf - become: true - apt: deb="{{ splunk_uf_url }}" - when: splunk_path.stat.exists == false - -- name: splunk license acceptance - become: true - command: "/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt" - -- name: setup to start at boot - become: true - command: "/opt/splunkforwarder/bin/splunk enable boot-start"
diff --git a/packer/ansible/roles/sysmon_linux/tasks/install_sysmon_linux.yml b/packer/ansible/roles/sysmon_linux/tasks/install_sysmon_linux.yml
deleted file mode 100644
index 402b42ba0..000000000
--- a/packer/ansible/roles/sysmon_linux/tasks/install_sysmon_linux.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-# this playbook installs sysmon for linux (https://github.com/Sysinternals/SysmonForLinux) - -- name: get version - become: true - ansible.builtin.shell: lsb_release -rs - register: result - -- name: add the microsoft repo - become: true - get_url: - url: https://packages.microsoft.com/config/ubuntu/{{ result.stdout }}/packages-microsoft-prod.deb - dest: /tmp/packages-microsoft-prod.deb - -- name: dpkg install the deb - become: true - apt: - deb: /tmp/packages-microsoft-prod.deb - -- name: install sysinternalsebpf - become: true - apt: - name: sysinternalsebpf - state: latest - update_cache: yes - -- name: install sysmonforlinux - become: true - apt: - name: sysmonforlinux - state: latest - update_cache: yes - -- name: copy sysmon config template - become: true - template: - src: "{{ sysmon_linux_template }}.j2" - dest: "/tmp/{{ sysmon_linux_template }}" - -- name: launch with config - become: true - ansible.builtin.shell: sysmon -accepteula -i /tmp/{{ sysmon_linux_template }} - -- name: install powershell - become: true - apt: - name: powershell - state: latest - update_cache: yes
\ No newline at end of file
diff --git a/packer/ansible/roles/sysmon_linux/tasks/main.yml b/packer/ansible/roles/sysmon_linux/tasks/main.yml
deleted file mode 100644
index d2f053f13..000000000
--- a/packer/ansible/roles/sysmon_linux/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- include: install_deb_uf.yml
-- include: configure_outputs_conf.yml
-- include: install_sysmon_linux.yml
-- include: create_deploymentclient.yml
-- include: configure_inputs.yml
-
-- name: restart splunk - become: true - command: "systemctl restart SplunkForwarder"
\ No newline at end of file
diff --git a/packer/ansible/roles/sysmon_linux/templates/AttackRangeSysmon.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/AttackRangeSysmon.xml.j2
deleted file mode 100644
index d094960a2..000000000
--- a/packer/ansible/roles/sysmon_linux/templates/AttackRangeSysmon.xml.j2
+++ /dev/null
@@ -1,1031 +0,0 @@ -{{ ansible_managed | comment('xml') }} - - - - - - md5,sha256,IMPHASH - - - - - - - - - - - - - - - - "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" - C:\Windows\system32\DllHost.exe /Processid - C:\Windows\system32\wbem\wmiprvse.exe -Embedding - C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding - C:\Windows\system32\wermgr.exe -upload - C:\Windows\system32\SearchIndexer.exe /Embedding - C:\windows\system32\wermgr.exe -queuereporting - \??\C:\Windows\system32\autochk.exe * - \SystemRoot\System32\smss.exe - C:\Windows\System32\RuntimeBroker.exe -Embedding - C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe - C:\Windows\System32\TokenBrokerCookies.exe - C:\Windows\System32\plasrv.exe - C:\Windows\System32\wifitask.exe - C:\Windows\system32\CompatTelRunner.exe - C:\Windows\system32\PrintIsolationHost.exe - C:\Windows\system32\SppExtComObj.Exe - C:\Windows\system32\audiodg.exe - C:\Windows\system32\conhost.exe - C:\Windows\system32\mobsync.exe - C:\Windows\system32\musNotification.exe - C:\Windows\system32\musNotificationUx.exe - C:\Windows\system32\powercfg.exe - C:\Windows\system32\sndVol.exe - C:\Windows\system32\sppsvc.exe - C:\Windows\system32\wbem\WmiApSrv.exe - AppContainer - %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows - C:\windows\system32\wermgr.exe -queuereporting - C:\WINDOWS\system32\devicecensus.exe UserCxt - C:\Windows\System32\usocoreworker.exe -Embedding - C:\Windows\system32\SearchIndexer.exe - - C:\Windows\system32\svchost.exe -k appmodel -s StateRepository - C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc - C:\Windows\system32\svchost.exe -k appmodel - C:\Windows\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc - C:\Windows\system32\svchost.exe -k camera -s FrameServer - C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM - C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay - C:\Windows\system32\svchost.exe -k defragsvc - C:\Windows\system32\svchost.exe -k 
devicesflow -s DevicesFlowUserSvc - C:\Windows\system32\svchost.exe -k imgsvc - C:\Windows\system32\svchost.exe -k localService -s EventSystem - C:\Windows\system32\svchost.exe -k localService -s bthserv - C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc - C:\Windows\system32\svchost.exe -k localService -s nsi - C:\Windows\system32\svchost.exe -k localService -s w32Time - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc - C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -s BTAGService - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p -s SSDPSRV - C:\Windows\system32\svchost.exe -k localServiceNoNetwork - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc - 
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr - C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv - C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost - C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted -p -s WdiSystemHost - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted - C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc - C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc - C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC - C:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC - C:\Windows\system32\svchost.exe -k netsvcs -p -s BITS - C:\Windows\system32\svchost.exe -k netsvcs -s BITS - C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc - C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc - C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo - C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc - C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc - C:\Windows\system32\svchost.exe -k netsvcs -s SENS - C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv - C:\Windows\system32\svchost.exe -k netsvcs -s Themes - C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt - C:\Windows\system32\svchost.exe -k netsvcs - C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc - C:\Windows\system32\svchost.exe -k networkService -s Dnscache - C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation - C:\Windows\system32\svchost.exe -k networkService -s NlaSvc - C:\Windows\system32\svchost.exe -k networkService -s TermService - C:\Windows\system32\svchost.exe -k networkService - C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted - C:\Windows\system32\svchost.exe -k rPCSS - C:\Windows\system32\svchost.exe -k secsvcs - C:\Windows\system32\svchost.exe -k swprv - 
C:\Windows\system32\svchost.exe -k unistackSvcGroup - C:\Windows\system32\svchost.exe -k utcsvc - C:\Windows\system32\svchost.exe -k wbioSvcGroup - C:\Windows\system32\svchost.exe -k werSvcGroup - C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc - C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC - C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc - C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC - C:\Windows\system32\svchost.exe -k wsappx - C:\Windows\system32\svchost.exe -k netsvcs - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted - C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM - - "C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe" --type= - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe - C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe - - C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE - C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE - C:\Program Files\Microsoft Office\Office16\msoia.exe - C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe - - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - - C:\Program Files\Windows Media 
Player\wmpnscfg.exe - - "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type= - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type= - - - - - - - - - - C:\Users - .exe - \Device\HarddiskVolumeShadowCopy - - - - - - OneDrive.exe - C:\Windows\system32\backgroundTaskHost.exe - setup - install - Update\ - redist.exe - msiexec.exe - TrustedInstaller.exe - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - C:\Users - \ - - - - - - - - - - - - - - - - microsoft - windows - Intel - - - - - - - - - - - cryptdll.dll - SolarWinds.Orion.Core.BusinessLayer.dll - netsetupsvc.dll - - - - - - - - - - - C:\Windows\system32\wbem\WmiPrvSE.exe - C:\Windows\system32\svchost.exe - C:\Windows\system32\wininit.exe - C:\Windows\system32\csrss.exe - C:\Windows\system32\services.exe - C:\Windows\system32\winlogon.exe - C:\Windows\system32\audiodg.exe - C:\Windows\system32\kernel32.dll - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - - - - - - - - - - - - - - - - - - - - - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe - C:\Windows\system32\taskeng.exe - Sysmon.exe - GoogleUpdate.exe - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - C:\Program Files\Windows Defender\MsMpEng.exe - C:\Program Files\Microsoft VS Code\Code.exe - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe - C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe - C:\Windows\system32\mmc.exe - C:\Program Files\Microsoft VS Code\Code.exe - C:\Windows\system32\sihost.exe - C:\Program Files\Windows Defender\MsMpEng.exe - c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe - C:\Windows\system32\ApplicationFrameHost.exe - C:\Windows\System32\taskhostw.exe - C:\Windows\System32\RuntimeBroker.exe - - - - - - - - - - - - \Start Menu - \Startup\ - \Content.Outlook\ - \Downloads\ - .application - .appref-ms - .bat - .chm - .cmd - .cmdline - .crx - .dmp - .docm - .dll - .exe - .exe.log - .jar - .jnlp 
- .jse - .hta - .job - .pptm - .ps1 - .sys - .scr - .vbe - .vbs - .xlsm - proj - .sln - C:\Users\Default - C:\Windows\system32\Drivers - C:\Windows\SysWOW64\Drivers - C:\Windows\system32\GroupPolicy\Machine\Scripts - C:\Windows\system32\GroupPolicy\User\Scripts - C:\Windows\system32\Wbem - C:\Windows\SysWOW64\Wbem - C:\Windows\system32\WindowsPowerShell - C:\Windows\SysWOW64\WindowsPowerShell - C:\Windows\Tasks\ - C:\Windows\system32\Tasks - C:\Windows\SysWOW64\Tasks - \Device\HarddiskVolumeShadowCopy - - C:\Windows\AppPatch\Custom - VirtualStore - - .xls - .ppt - .rtf - .txt - .lnk - netsetupsvc.dll - SolarWinds.Orion.Core.BusinessLayer.dll - - - - - - - C:\Program Files (x86)\EMET 5.5\EMET_Service.exe - - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - - C:\Windows\system32\smss.exe - C:\Windows\system32\CompatTelRunner.exe - \\?\C:\Windows\system32\wbem\WMIADAP.EXE - C:\Windows\system32\mobsync.exe - C:\Windows\system32\DriverStore\Temp\ - C:\Windows\system32\wbem\Performance\ - C:\Windows\Installer\ - - C:\$WINDOWS.~BT\Sources\ - C:\Windows\winsxs\amd64_microsoft-windows - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CurrentVersion\Run - Policies\Explorer\Run - Group Policy\Scripts - Windows\System\Scripts - CurrentVersion\Windows\Load - CurrentVersion\Windows\Run - CurrentVersion\Winlogon\Shell - CurrentVersion\Winlogon\System - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug - UserInitMprLogonScript - user shell folders\startup - - \ServiceDll - \ServiceManifest - \ImagePath - \Start - - Control\Terminal Server\WinStations\RDP-Tcp\PortNumber - Control\Terminal 
Server\fSingleSessionPerUser - fDenyTSConnections - LastLoggedOnUser - RDP-tcp\PortNumber - Services\PortProxy\v4tov4 - - \command\ - \ddeexec\ - {86C86720-42A0-1069-A2E8-08002B30309D} - exefile - - \InprocServer32\(Default) - - \Hidden - \ShowSuperHidden - \HideFileExt - - Classes\*\ - Classes\AllFilesystemObjects\ - Classes\Directory\ - Classes\Drive\ - Classes\Folder\ - Classes\PROTOCOLS\ - ContextMenuHandlers\ - CurrentVersion\Shell - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers - - HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ - - HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ - - HKLM\SYSTEM\CurrentControlSet\Services\WinSock - \ProxyServer - - HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ - HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders - HKLM\Software\Microsoft\Netsh - - HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ - HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles - \EnableFirewall - \DoNotAllowExceptions - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ - HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\ - - Microsoft\Office\Outlook\Addins\ - Office Test\ - Security\Trusted Documents\TrustRecords - - Internet 
Explorer\Toolbar\ - Internet Explorer\Extensions\ - Browser Helper Objects\ - \DisableSecuritySettingsCheck - \3\1206 - \3\2500 - \3\1809 - - HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ - HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ - HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ - HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ - - \UrlUpdateInfo - \InstallSource - \EulaAccepted - - \DisableAntiSpyware - \DisableAntiVirus - \SpynetReporting - DisableRealtimeMonitoring - \SubmitSamplesConsent - - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - - HKLM\Software\Microsoft\Security Center\ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB - VirtualStore - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\ - HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\ - HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\ - \FriendlyName - HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) - HKLM\Software\Microsoft\Tracing\RASAPI32 - - \LowerCaseLongPath - \Publisher - \BinProductVersion - \DriverVersion - \DriverVerVersion - \LinkDate - Compatibility Assistant\Store\ - - \ - HKLM\SYSTEM\CurrentControlSet\Services - Software\Microsoft\Powershell\1\ShellIds - - - - - - - - \{CAFEEFAC- - CreateKey - HKLM\COMPONENTS - - HKLM\Software\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache - - Toolbar\WebBrowser - Browser\ITBar7Height - Browser\ITBar7Layout - Internet Explorer\Toolbar\Locked - Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - 
}\PreviousPolicyAreas - \Control\WMI\Autologger\ - HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start - \Lsa\OfflineJoin\CurrentValue - HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ - _Classes\AppX - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ - - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains - - \Services\BITS\Start - \services\clr_optimization_v2.0.50727_32\Start - \services\clr_optimization_v2.0.50727_64\Start - \services\clr_optimization_v4.0.30319_32\Start - \services\clr_optimization_v4.0.30319_64\Start - \services\deviceAssociationService\Start - \services\fhsvc\Start - \services\nal\Start - \services\trustedInstaller\Start - \services\tunnel\Start - \services\usoSvc\Start - - \UserChoice\ProgId - \UserChoice\Hash - \OpenWithList\MRUList - Shell Extentions\Cached - - HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime - \safer\codeidentifiers\0\HASHES\{ - - VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\ - 
HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ - - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe - HKCR\VLC. - HKCR\iTunes. - - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{945a8954-c147-4acd-923f-40c45405a658} - - - - - - - - - - - Downloads - Temp\7z - Startup - .bat - .cmd - .doc - .hta - .lnk - .ppt - .ps1 - .ps2 - .reg - .jse - .vb - .vbe - .vbs - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ntapvsrq - \srvsvc - \wkssvc - \lsass - \winreg - \spoolss - Anonymous Pipe - c:\windows\system32\inetsrv\w3wp.exe - - - \SQLLocal\MSSQLSERVER - \SQLLocal\INSTANCE01 - \SQLLocal\SQLEXPRESS - \SQLLocal\COMMVAULT - \SQLLocal\RTCLOCAL - \SQLLocal\RTC - \SQLLocal\TMSM - Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - .arpa. - .arpa - .msftncsi.com - ..localmachine - localhost - - -pushp.svc.ms - .b-msedge.net - .bing.com - .hotmail.com - .live.com - .live.net - .s-microsoft.com - .microsoft.com - .microsoftonline.com - .microsoftstore.com - .ms-acdc.office.com - .msedge.net - .msn.com - .msocdn.com - .skype.com - .skype.net - .windows.com - .windows.net.nsatc.net - .windowsupdate.com - .xboxlive.com - login.windows.net - C:\ProgramData\Microsoft\Windows Defender\Platform\ - - .activedirectory.windowsazure.com - .aria.microsoft.com - .msauth.net - .msftauth.net - .opinsights.azure.com - osi.office.net - loki.delve.office.com - management.azure.com - messaging.office.com - outlook.office365.com - portal.azure.com - protection.outlook.com - substrate.office.com - - .mozaws.net - .mozilla.com - .mozilla.net - .mozilla.org - .spotify.com - .spotify.map.fastly.net - clients1.google.com - clients2.google.com - clients3.google.com - clients4.google.com - clients5.google.com - clients6.google.com - safebrowsing.googleapis.com - - .akadns.net - .netflix.com - aspnetcdn.com - ajax.googleapis.com - cdnjs.cloudflare.com - 
fonts.googleapis.com - .typekit.net - cdnjs.cloudflare.com - .stackassets.com - .steamcontent.com - - .disqus.com - .fontawesome.com - disqus.com - - .1rx.io - .2mdn.net - .adadvisor.net - .adap.tv - .addthis.com - .adform.net - .adnxs.com - .adroll.com - .adrta.com - .adsafeprotected.com - .adsrvr.org - .advertising.com - .amazon-adsystem.com - .amazon-adsystem.com - .analytics.yahoo.com - .aol.com - .betrad.com - .bidswitch.net - .casalemedia.com - .chartbeat.net - .cnn.com - .convertro.com - .criteo.com - .criteo.net - .crwdcntrl.net - .demdex.net - .domdex.com - .dotomi.com - .doubleclick.net - .doubleverify.com - .emxdgt.com - .exelator.com - .google-analytics.com - .googleadservices.com - .googlesyndication.com - .googletagmanager.com - .googlevideo.com - .gstatic.com - .gvt1.com - .gvt2.com - .ib-ibi.com - .jivox.com - .mathtag.com - .moatads.com - .moatpixel.com - .mookie1.com - .myvisualiq.net - .netmng.com - .nexac.com - .openx.net - .optimizely.com - .outbrain.com - .pardot.com - .phx.gbl - .pinterest.com - .pubmatic.com - .quantcount.com - .quantserve.com - .revsci.net - .rfihub.net - .rlcdn.com - .rubiconproject.com - .scdn.co - .scorecardresearch.com - .serving-sys.com - .sharethrough.com - .simpli.fi - .sitescout.com - .smartadserver.com - .snapads.com - .spotxchange.com - .taboola.com - .taboola.map.fastly.net - .tapad.com - .tidaltv.com - .trafficmanager.net - .tremorhub.com - .tribalfusion.com - .turn.com - .twimg.com - .tynt.com - .w55c.net - .ytimg.com - .zorosrv.com - 1rx.io - adservice.google.com - ampcid.google.com - clientservices.googleapis.com - googleadapis.l.google.com - imasdk.googleapis.com - l.google.com - ml314.com - mtalk.google.com - update.googleapis.com - www.googletagservices.com - - .pscp.tv - - .digicert.com - .globalsign.com - .globalsign.net - msocsp.com - ocsp.msocsp.com - pki.goog - ocsp.godaddy.com - amazontrust.com - ocsp.sectigo.com - pki-goog.l.google.com - .usertrust.com - ocsp.comodoca.com - ocsp.verisign.com - 
ocsp.entrust.net - ocsp.identrust.com - status.rapidssl.com - status.thawte.com - ocsp.int-x3.letsencrypt.org - - - - - - - - - - - - - - diff --git a/packer/ansible/roles/sysmon_linux/templates/SysMonLinux-CatchAll.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/SysMonLinux-CatchAll.xml.j2 deleted file mode 100644 index cc2ad6d70..000000000 --- a/packer/ansible/roles/sysmon_linux/templates/SysMonLinux-CatchAll.xml.j2 +++ /dev/null @@ -1,34 +0,0 @@ -{{ ansible_managed | comment('xml') }} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-Neo23x0-server.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-Neo23x0-server.xml.j2 deleted file mode 100755 index 8a585f8ee..000000000 --- a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-Neo23x0-server.xml.j2 +++ /dev/null 
@@ -1,116 +0,0 @@ -{{ ansible_managed | comment('xml') }} - - - - MD5,SHA1,SHA256,IMPHASH - - - - - microsoft - windows - - - - splunk - btool.exe - SnareCore - nxlog - Microsoft Monitoring Agent\Agent\MonitoringHost.exe - ClearMyTracksByProcess - - - - lsass.exe - winlogon.exe - svchost.exe - - - - - - - - - - Windows\CurrentVersion\Run - Windows\CurrentVersion\Image File Execution Options - CurrentControlSet\Services - Microsoft\Windows NT\CurrentVersion\Winlogon - Microsoft\Windows\CurrentVersion\Policies\Explorer - Microsoft\Windows\CurrentVersion\RunOnce - System\CurrentControlSet\Services\Tcpip\parameters - - - - - - - - 80 - 443 - 8080 - 3389 - cmd.exe - PsExe - winexe - powershell - cscript - mstsc - RTS2App - RTS3App - wmic - - - - - - lsass.exe - - - wmiprvse.exe - GoogleUpdate.exe - LTSVC.exe - taskmgr.exe - VBoxService.exe # Virtual Box - vmtoolsd.exe - taskmgr.exe - \Citrix\System32\wfshell.exe #Citrix process in C:\Program Files (x86)\Citrix\System32\wfshell.exe - C:\Windows\System32\lsm.exe # System process under C:\Windows\System32\lsm.exe - Microsoft.Identity.AadConnect.Health.AadSync.Host.exe # Microsoft Azure AD Connect Health Sync Agent - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection # Symantec - - - - - verclsid.exe - svchost.exe - - - - 0x1F0FFF - 0x1F1FFF - 0x1F2FFF - 0x1F3FFF - - 0x1FFFFF - unknown - - - diff --git a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-Neo23x0-workstations.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-Neo23x0-workstations.xml.j2 deleted file mode 100755 index db513d3a0..000000000 --- a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-Neo23x0-workstations.xml.j2 +++ /dev/null 
@@ -1,88 +0,0 @@ -{{ ansible_managed | comment('xml') }} - - - - MD5,SHA1,SHA256,IMPHASH - - - - - microsoft - windows - - - - System - - - - WmiPrvSE.exe - FireSvc.exe - - - - - - - - - - Windows\CurrentVersion\Run - Windows\CurrentVersion\Image File Execution Options - CurrentControlSet\Services - Microsoft\Windows NT\CurrentVersion\Winlogon - Microsoft\Windows\CurrentVersion\Policies\Explorer - Microsoft\Windows\CurrentVersion\RunOnce - System\CurrentControlSet\Services\Tcpip\parameters - - - - - - - - chrome.exe - iexplore.exe - firefox.exe - 8080 - - - - - - - - - diff --git a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-TSwift.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-TSwift.xml.j2 deleted file mode 100644 index 190bccd76..000000000 --- a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-TSwift.xml.j2 +++ /dev/null 
@@ -1,1075 +0,0 @@ -{{ ansible_managed | comment('xml') }} - - - - - - md5,sha256,IMPHASH - - - - - - - - - - - - - - - - "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" - C:\Windows\system32\DllHost.exe /Processid - C:\Windows\system32\wbem\wmiprvse.exe -Embedding - C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding - C:\Windows\system32\wermgr.exe -upload - C:\Windows\system32\SearchIndexer.exe /Embedding - C:\windows\system32\wermgr.exe -queuereporting - \??\C:\Windows\system32\autochk.exe * - \SystemRoot\System32\smss.exe - C:\Windows\System32\RuntimeBroker.exe -Embedding - C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe - C:\Windows\System32\TokenBrokerCookies.exe - C:\Windows\System32\plasrv.exe - C:\Windows\System32\wifitask.exe - C:\Windows\system32\CompatTelRunner.exe - C:\Windows\system32\PrintIsolationHost.exe - C:\Windows\system32\SppExtComObj.Exe - C:\Windows\system32\audiodg.exe - C:\Windows\system32\conhost.exe - C:\Windows\system32\mobsync.exe - C:\Windows\system32\musNotification.exe - C:\Windows\system32\musNotificationUx.exe - C:\Windows\system32\powercfg.exe - C:\Windows\system32\sndVol.exe - C:\Windows\system32\sppsvc.exe - C:\Windows\system32\wbem\WmiApSrv.exe - AppContainer - %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows - C:\windows\system32\wermgr.exe -queuereporting - C:\WINDOWS\system32\devicecensus.exe UserCxt - C:\Windows\System32\usocoreworker.exe -Embedding - C:\Windows\system32\SearchIndexer.exe - - C:\Windows\system32\svchost.exe -k appmodel -s StateRepository - C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc - C:\Windows\system32\svchost.exe -k appmodel - C:\Windows\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc - C:\Windows\system32\svchost.exe -k camera -s FrameServer - C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM - C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay - C:\Windows\system32\svchost.exe -k defragsvc - C:\Windows\system32\svchost.exe -k 
devicesflow -s DevicesFlowUserSvc - C:\Windows\system32\svchost.exe -k imgsvc - C:\Windows\system32\svchost.exe -k localService -s EventSystem - C:\Windows\system32\svchost.exe -k localService -s bthserv - C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc - C:\Windows\system32\svchost.exe -k localService -s nsi - C:\Windows\system32\svchost.exe -k localService -s w32Time - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc - C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -s BTAGService - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p -s SSDPSRV - C:\Windows\system32\svchost.exe -k localServiceNoNetwork - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc - 
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr - C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv - C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost - C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted -p -s WdiSystemHost - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted - C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc - C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc - C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC - C:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC - C:\Windows\system32\svchost.exe -k netsvcs -p -s BITS - C:\Windows\system32\svchost.exe -k netsvcs -s BITS - C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc - C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc - C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo - C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc - C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc - C:\Windows\system32\svchost.exe -k netsvcs -s SENS - C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv - C:\Windows\system32\svchost.exe -k netsvcs -s Themes - C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt - C:\Windows\system32\svchost.exe -k netsvcs - C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc - C:\Windows\system32\svchost.exe -k networkService -s Dnscache - C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation - C:\Windows\system32\svchost.exe -k networkService -s NlaSvc - C:\Windows\system32\svchost.exe -k networkService -s TermService - C:\Windows\system32\svchost.exe -k networkService - C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted - C:\Windows\system32\svchost.exe -k rPCSS - C:\Windows\system32\svchost.exe -k secsvcs - C:\Windows\system32\svchost.exe -k swprv - 
C:\Windows\system32\svchost.exe -k unistackSvcGroup - C:\Windows\system32\svchost.exe -k utcsvc - C:\Windows\system32\svchost.exe -k wbioSvcGroup - C:\Windows\system32\svchost.exe -k werSvcGroup - C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc - C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC - C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc - C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC - C:\Windows\system32\svchost.exe -k wsappx - C:\Windows\system32\svchost.exe -k netsvcs - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted - C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM - - "C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe" --type= - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe - C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe - - C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE - C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE - C:\Program Files\Microsoft Office\Office16\msoia.exe - C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe - - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - - C:\Program Files\Windows Media 
Player\wmpnscfg.exe - - "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type= - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type= - - - - - - - - - - C:\Users - .exe - \Device\HarddiskVolumeShadowCopy - - - - - - OneDrive.exe - C:\Windows\system32\backgroundTaskHost.exe - setup - install - Update\ - redist.exe - msiexec.exe - TrustedInstaller.exe - - - - - - - - - - - - - - - - - C:\Users - C:\Recycle - C:\ProgramData - C:\Windows\Temp - \ - C:\perflogs - C:\intel - C:\Windows\fonts - C:\Windows\system32\config - - at.exe - certutil.exe - cmd.exe - cmstp.exe - cscript.exe - driverquery.exe - dsquery.exe - hh.exe - infDefaultInstall.exe - java.exe - javaw.exe - javaws.exe - mmc.exe - msbuild.exe - mshta.exe - msiexec.exe - nbtstat.exe - net.exe - net1.exe - notepad.exe - nslookup.exe - powershell.exe - qprocess.exe - qwinsta.exe - qwinsta.exe - reg.exe - regsvcs.exe - regsvr32.exe - rundll32.exe - rwinsta.exe - sc.exe - schtasks.exe - taskkill.exe - tasklist.exe - wmic.exe - wscript.exe - - nc.exe - ncat.exe - psexec.exe - psexesvc.exe - tor.exe - vnc.exe - vncservice.exe - vncviewer.exe - winexesvc.exe - nmap.exe - psinfo.exe - - 22 - 23 - 25 - 143 - 3389 - 5800 - 5900 - 444 - - 1080 - 3128 - 8080 - - 1723 - 9001 - 9030 - - - - - - - C:\ProgramData\Microsoft\Windows Defender\Platform\ - AppData\Local\Microsoft\Teams\current\Teams.exe - .microsoft.com - microsoft.com.akadns.net - microsoft.com.nsatc.net - - 127.0.0.1 - fe80:0:0:0 - - - - - - - - - - - - - - - C:\Users - \ - - - - - - - - - - - - - - - - microsoft - windows - Intel - - - - - - - - - - - - - - - - - - - - - - C:\Windows\system32\wbem\WmiPrvSE.exe - C:\Windows\system32\svchost.exe - C:\Windows\system32\wininit.exe - C:\Windows\system32\csrss.exe - C:\Windows\system32\services.exe - C:\Windows\system32\winlogon.exe - C:\Windows\system32\audiodg.exe - C:\Windows\system32\kernel32.dll - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - \Start Menu - \Startup\ - \Content.Outlook\ - \Downloads\ - .application - .appref-ms - .bat - .chm - .cmd - .cmdline - .crx - .dmp - .docm - .dll - .exe - .exe.log - .jar - .jnlp - .jse - .hta - .job - .pptm - .ps1 - .sys - .scr - .vbe - .vbs - .xlsm - proj - .sln - C:\Users\Default - C:\Windows\system32\Drivers - C:\Windows\SysWOW64\Drivers - C:\Windows\system32\GroupPolicy\Machine\Scripts - C:\Windows\system32\GroupPolicy\User\Scripts - C:\Windows\system32\Wbem - C:\Windows\SysWOW64\Wbem - C:\Windows\system32\WindowsPowerShell - C:\Windows\SysWOW64\WindowsPowerShell - C:\Windows\Tasks\ - C:\Windows\system32\Tasks - C:\Windows\SysWOW64\Tasks - \Device\HarddiskVolumeShadowCopy - - C:\Windows\AppPatch\Custom - VirtualStore - - .xls - .ppt - .rtf - - - - - - - C:\Program Files (x86)\EMET 5.5\EMET_Service.exe - - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - - C:\Windows\system32\smss.exe - C:\Windows\system32\CompatTelRunner.exe - \\?\C:\Windows\system32\wbem\WMIADAP.EXE - C:\Windows\system32\mobsync.exe - C:\Windows\system32\DriverStore\Temp\ - C:\Windows\system32\wbem\Performance\ - C:\Windows\Installer\ - - C:\$WINDOWS.~BT\Sources\ - C:\Windows\winsxs\amd64_microsoft-windows - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CurrentVersion\Run - Policies\Explorer\Run - Group Policy\Scripts - Windows\System\Scripts - CurrentVersion\Windows\Load - CurrentVersion\Windows\Run - CurrentVersion\Winlogon\Shell - CurrentVersion\Winlogon\System - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug - UserInitMprLogonScript - user shell 
folders\startup - - \ServiceDll - \ServiceManifest - \ImagePath - \Start - - Control\Terminal Server\WinStations\RDP-Tcp\PortNumber - Control\Terminal Server\fSingleSessionPerUser - fDenyTSConnections - LastLoggedOnUser - RDP-tcp\PortNumber - Services\PortProxy\v4tov4 - - \command\ - \ddeexec\ - {86C86720-42A0-1069-A2E8-08002B30309D} - exefile - - \InprocServer32\(Default) - - \Hidden - \ShowSuperHidden - \HideFileExt - - Classes\*\ - Classes\AllFilesystemObjects\ - Classes\Directory\ - Classes\Drive\ - Classes\Folder\ - Classes\PROTOCOLS\ - ContextMenuHandlers\ - CurrentVersion\Shell - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers - - HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ - - HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ - - HKLM\SYSTEM\CurrentControlSet\Services\WinSock - \ProxyServer - - HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ - HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders - HKLM\Software\Microsoft\Netsh - - HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ - HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles - \EnableFirewall - \DoNotAllowExceptions - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ - HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ - 
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\ - - Microsoft\Office\Outlook\Addins\ - Office Test\ - Security\Trusted Documents\TrustRecords - - Internet Explorer\Toolbar\ - Internet Explorer\Extensions\ - Browser Helper Objects\ - \DisableSecuritySettingsCheck - \3\1206 - \3\2500 - \3\1809 - - HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ - HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ - HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ - HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ - - \UrlUpdateInfo - \InstallSource - \EulaAccepted - - \DisableAntiSpyware - \DisableAntiVirus - \SpynetReporting - DisableRealtimeMonitoring - \SubmitSamplesConsent - - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - - HKLM\Software\Microsoft\Security Center\ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB - VirtualStore - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\ - HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\ - HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\ - \FriendlyName - HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) - HKLM\Software\Microsoft\Tracing\RASAPI32 - - \LowerCaseLongPath - \Publisher - \BinProductVersion - \DriverVersion - \DriverVerVersion - \LinkDate - Compatibility Assistant\Store\ - - \ - - - - - - - - \{CAFEEFAC- - CreateKey - HKLM\COMPONENTS - - HKLM\Software\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache - - Toolbar\WebBrowser - Browser\ITBar7Height - Browser\ITBar7Layout - Internet 
Explorer\Toolbar\Locked - Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - }\PreviousPolicyAreas - \Control\WMI\Autologger\ - HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start - \Lsa\OfflineJoin\CurrentValue - HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ - _Classes\AppX - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ - - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains - - \Services\BITS\Start - \services\clr_optimization_v2.0.50727_32\Start - \services\clr_optimization_v2.0.50727_64\Start - \services\clr_optimization_v4.0.30319_32\Start - \services\clr_optimization_v4.0.30319_64\Start - \services\deviceAssociationService\Start - \services\fhsvc\Start - \services\nal\Start - \services\trustedInstaller\Start - \services\tunnel\Start - \services\usoSvc\Start - - \UserChoice\ProgId - \UserChoice\Hash - \OpenWithList\MRUList - Shell Extentions\Cached - - HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime - 
\safer\codeidentifiers\0\HASHES\{ - - VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\ - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ - - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe - HKCR\VLC. - HKCR\iTunes. - - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{945a8954-c147-4acd-923f-40c45405a658} - - - - - - - - - - - Downloads - Temp\7z - Startup - .bat - .cmd - .doc - .hta - .lnk - .ppt - .ps1 - .ps2 - .reg - .jse - .vb - .vbe - .vbs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - .arpa. - .arpa - .msftncsi.com - ..localmachine - localhost - - -pushp.svc.ms - .b-msedge.net - .bing.com - .hotmail.com - .live.com - .live.net - .s-microsoft.com - .microsoft.com - .microsoftonline.com - .microsoftstore.com - .ms-acdc.office.com - .msedge.net - .msn.com - .msocdn.com - .skype.com - .skype.net - .windows.com - .windows.net.nsatc.net - .windowsupdate.com - .xboxlive.com - login.windows.net - C:\ProgramData\Microsoft\Windows Defender\Platform\ - - .activedirectory.windowsazure.com - .aria.microsoft.com - .msauth.net - .msftauth.net - .opinsights.azure.com - osi.office.net - loki.delve.office.com - management.azure.com - messaging.office.com - outlook.office365.com - portal.azure.com - protection.outlook.com - substrate.office.com - - .mozaws.net - .mozilla.com - .mozilla.net - .mozilla.org - .spotify.com - .spotify.map.fastly.net - clients1.google.com - clients2.google.com - clients3.google.com - clients4.google.com - clients5.google.com - clients6.google.com - safebrowsing.googleapis.com - - .akadns.net - .netflix.com - aspnetcdn.com - ajax.googleapis.com - cdnjs.cloudflare.com - fonts.googleapis.com - .typekit.net - cdnjs.cloudflare.com - .stackassets.com - .steamcontent.com - - .disqus.com - .fontawesome.com - disqus.com - - .1rx.io - .2mdn.net - .adadvisor.net - .adap.tv - .addthis.com - .adform.net - .adnxs.com - .adroll.com - 
.adrta.com - .adsafeprotected.com - .adsrvr.org - .advertising.com - .amazon-adsystem.com - .amazon-adsystem.com - .analytics.yahoo.com - .aol.com - .betrad.com - .bidswitch.net - .casalemedia.com - .chartbeat.net - .cnn.com - .convertro.com - .criteo.com - .criteo.net - .crwdcntrl.net - .demdex.net - .domdex.com - .dotomi.com - .doubleclick.net - .doubleverify.com - .emxdgt.com - .exelator.com - .google-analytics.com - .googleadservices.com - .googlesyndication.com - .googletagmanager.com - .googlevideo.com - .gstatic.com - .gvt1.com - .gvt2.com - .ib-ibi.com - .jivox.com - .mathtag.com - .moatads.com - .moatpixel.com - .mookie1.com - .myvisualiq.net - .netmng.com - .nexac.com - .openx.net - .optimizely.com - .outbrain.com - .pardot.com - .phx.gbl - .pinterest.com - .pubmatic.com - .quantcount.com - .quantserve.com - .revsci.net - .rfihub.net - .rlcdn.com - .rubiconproject.com - .scdn.co - .scorecardresearch.com - .serving-sys.com - .sharethrough.com - .simpli.fi - .sitescout.com - .smartadserver.com - .snapads.com - .spotxchange.com - .taboola.com - .taboola.map.fastly.net - .tapad.com - .tidaltv.com - .trafficmanager.net - .tremorhub.com - .tribalfusion.com - .turn.com - .twimg.com - .tynt.com - .w55c.net - .ytimg.com - .zorosrv.com - 1rx.io - adservice.google.com - ampcid.google.com - clientservices.googleapis.com - googleadapis.l.google.com - imasdk.googleapis.com - l.google.com - ml314.com - mtalk.google.com - update.googleapis.com - www.googletagservices.com - - .pscp.tv - - .digicert.com - .globalsign.com - .globalsign.net - msocsp.com - ocsp.msocsp.com - pki.goog - ocsp.godaddy.com - amazontrust.com - ocsp.sectigo.com - pki-goog.l.google.com - .usertrust.com - ocsp.comodoca.com - ocsp.verisign.com - ocsp.entrust.net - ocsp.identrust.com - status.rapidssl.com - status.thawte.com - ocsp.int-x3.letsencrypt.org - - - - - - - - - - 
diff --git a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-TSwift2.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-TSwift2.xml.j2
deleted file mode 100644
index 3958ecd0a..000000000
--- a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-TSwift2.xml.j2
+++ /dev/null
@@ -1,1086 +0,0 @@ -{{ ansible_managed | comment('xml') }} - - - - - - md5,sha256,IMPHASH - - - - - - - - - - - - - - - - "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" - C:\Windows\system32\DllHost.exe /Processid - C:\Windows\system32\wbem\wmiprvse.exe -Embedding - C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding - C:\Windows\system32\wermgr.exe -upload - C:\Windows\system32\SearchIndexer.exe /Embedding - C:\windows\system32\wermgr.exe -queuereporting - \??\C:\Windows\system32\autochk.exe * - \SystemRoot\System32\smss.exe - C:\Windows\System32\RuntimeBroker.exe -Embedding - C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe - C:\Windows\System32\TokenBrokerCookies.exe - C:\Windows\System32\plasrv.exe - C:\Windows\System32\wifitask.exe - C:\Windows\system32\CompatTelRunner.exe - C:\Windows\system32\PrintIsolationHost.exe - C:\Windows\system32\SppExtComObj.Exe - C:\Windows\system32\audiodg.exe - C:\Windows\system32\conhost.exe - C:\Windows\system32\mobsync.exe - C:\Windows\system32\musNotification.exe - C:\Windows\system32\musNotificationUx.exe - C:\Windows\system32\powercfg.exe - C:\Windows\system32\sndVol.exe - C:\Windows\system32\sppsvc.exe - C:\Windows\system32\wbem\WmiApSrv.exe - AppContainer - %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows - C:\windows\system32\wermgr.exe -queuereporting - C:\WINDOWS\system32\devicecensus.exe UserCxt - C:\Windows\System32\usocoreworker.exe -Embedding - C:\Windows\system32\SearchIndexer.exe - - C:\Windows\system32\svchost.exe -k appmodel -s StateRepository - C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc - C:\Windows\system32\svchost.exe -k appmodel - C:\Windows\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc - C:\Windows\system32\svchost.exe -k camera -s FrameServer - C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM - C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay - C:\Windows\system32\svchost.exe -k defragsvc - C:\Windows\system32\svchost.exe -k 
devicesflow -s DevicesFlowUserSvc - C:\Windows\system32\svchost.exe -k imgsvc - C:\Windows\system32\svchost.exe -k localService -s EventSystem - C:\Windows\system32\svchost.exe -k localService -s bthserv - C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc - C:\Windows\system32\svchost.exe -k localService -s nsi - C:\Windows\system32\svchost.exe -k localService -s w32Time - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc - C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -s BTAGService - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p -s SSDPSRV - C:\Windows\system32\svchost.exe -k localServiceNoNetwork - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc - 
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr - C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv - C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost - C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted -p -s WdiSystemHost - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted - C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc - C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc - C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC - C:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC - C:\Windows\system32\svchost.exe -k netsvcs -p -s BITS - C:\Windows\system32\svchost.exe -k netsvcs -s BITS - C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc - C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc - C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo - C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc - C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc - C:\Windows\system32\svchost.exe -k netsvcs -s SENS - C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv - C:\Windows\system32\svchost.exe -k netsvcs -s Themes - C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt - C:\Windows\system32\svchost.exe -k netsvcs - C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc - C:\Windows\system32\svchost.exe -k networkService -s Dnscache - C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation - C:\Windows\system32\svchost.exe -k networkService -s NlaSvc - C:\Windows\system32\svchost.exe -k networkService -s TermService - C:\Windows\system32\svchost.exe -k networkService - C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted - C:\Windows\system32\svchost.exe -k rPCSS - C:\Windows\system32\svchost.exe -k secsvcs - C:\Windows\system32\svchost.exe -k swprv - 
C:\Windows\system32\svchost.exe -k unistackSvcGroup - C:\Windows\system32\svchost.exe -k utcsvc - C:\Windows\system32\svchost.exe -k wbioSvcGroup - C:\Windows\system32\svchost.exe -k werSvcGroup - C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc - C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC - C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc - C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC - C:\Windows\system32\svchost.exe -k wsappx - C:\Windows\system32\svchost.exe -k netsvcs - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted - C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM - - "C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe" --type= - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe - C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe - - C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE - C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE - C:\Program Files\Microsoft Office\Office16\msoia.exe - C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe - - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - - C:\Program Files\Windows Media 
Player\wmpnscfg.exe - - "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type= - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type= - - - - - - - - - - C:\Users - .exe - \Device\HarddiskVolumeShadowCopy - - - - - - OneDrive.exe - C:\Windows\system32\backgroundTaskHost.exe - setup - install - Update\ - redist.exe - msiexec.exe - TrustedInstaller.exe - - - - - - - - - - - - - - - - - C:\Users - C:\Recycle - C:\ProgramData - C:\Windows\Temp - \ - C:\perflogs - C:\intel - C:\Windows\fonts - C:\Windows\system32\config - - at.exe - certutil.exe - cmd.exe - cmstp.exe - cscript.exe - driverquery.exe - dsquery.exe - hh.exe - infDefaultInstall.exe - java.exe - javaw.exe - javaws.exe - mmc.exe - msbuild.exe - mshta.exe - msiexec.exe - nbtstat.exe - net.exe - net1.exe - notepad.exe - nslookup.exe - powershell.exe - qprocess.exe - qwinsta.exe - qwinsta.exe - reg.exe - regsvcs.exe - regsvr32.exe - rundll32.exe - rwinsta.exe - sc.exe - schtasks.exe - taskkill.exe - tasklist.exe - wmic.exe - wscript.exe - - nc.exe - ncat.exe - psexec.exe - psexesvc.exe - tor.exe - vnc.exe - vncservice.exe - vncviewer.exe - winexesvc.exe - nmap.exe - psinfo.exe - - 22 - 23 - 25 - 143 - 3389 - 5800 - 5900 - 444 - - 1080 - 3128 - 8080 - - 1723 - 9001 - 9030 - - - - - - - C:\ProgramData\Microsoft\Windows Defender\Platform\ - AppData\Local\Microsoft\Teams\current\Teams.exe - .microsoft.com - microsoft.com.akadns.net - microsoft.com.nsatc.net - - 127.0.0.1 - fe80:0:0:0 - - - - - - - - - - - - - - - C:\Users - \ - - - - - - - - - - - - - - - - microsoft - windows - Intel - - - - - - - - - - - - - - - - - - - - - - C:\Windows\system32\wbem\WmiPrvSE.exe - C:\Windows\system32\svchost.exe - C:\Windows\system32\wininit.exe - C:\Windows\system32\csrss.exe - C:\Windows\system32\services.exe - C:\Windows\system32\winlogon.exe - C:\Windows\system32\audiodg.exe - C:\Windows\system32\kernel32.dll - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - - - - - - - - - - - - - - - 
- - - - - - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe - C:\Windows\system32\taskeng.exe - Sysmon.exe - GoogleUpdate.exe - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - C:\Program Files\Windows Defender\MsMpEng.exe - C:\Program Files\Microsoft VS Code\Code.exe - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe - C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe - C:\Windows\system32\mmc.exe - C:\Program Files\Microsoft VS Code\Code.exe - C:\Windows\system32\sihost.exe - C:\Program Files\Windows Defender\MsMpEng.exe - c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe - C:\Windows\system32\ApplicationFrameHost.exe - C:\Windows\System32\taskhostw.exe - C:\Windows\System32\RuntimeBroker.exe - - - - - - - - - - - - \Start Menu - \Startup\ - \Content.Outlook\ - \Downloads\ - .application - .appref-ms - .bat - .chm - .cmd - .cmdline - .crx - .dmp - .docm - .dll - .exe - .exe.log - .jar - .jnlp - .jse - .hta - .job - .pptm - .ps1 - .sys - .scr - .vbe - .vbs - .xlsm - proj - .sln - C:\Users\Default - C:\Windows\system32\Drivers - C:\Windows\SysWOW64\Drivers - C:\Windows\system32\GroupPolicy\Machine\Scripts - C:\Windows\system32\GroupPolicy\User\Scripts - C:\Windows\system32\Wbem - C:\Windows\SysWOW64\Wbem - C:\Windows\system32\WindowsPowerShell - C:\Windows\SysWOW64\WindowsPowerShell - C:\Windows\Tasks\ - C:\Windows\system32\Tasks - C:\Windows\SysWOW64\Tasks - \Device\HarddiskVolumeShadowCopy - - C:\Windows\AppPatch\Custom - VirtualStore - - .xls - .ppt - .rtf - - - - - - - C:\Program Files (x86)\EMET 5.5\EMET_Service.exe - - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - - C:\Windows\system32\smss.exe - C:\Windows\system32\CompatTelRunner.exe - \\?\C:\Windows\system32\wbem\WMIADAP.EXE - C:\Windows\system32\mobsync.exe - C:\Windows\system32\DriverStore\Temp\ - C:\Windows\system32\wbem\Performance\ - C:\Windows\Installer\ - - 
C:\$WINDOWS.~BT\Sources\ - C:\Windows\winsxs\amd64_microsoft-windows - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CurrentVersion\Run - Policies\Explorer\Run - Group Policy\Scripts - Windows\System\Scripts - CurrentVersion\Windows\Load - CurrentVersion\Windows\Run - CurrentVersion\Winlogon\Shell - CurrentVersion\Winlogon\System - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug - UserInitMprLogonScript - user shell folders\startup - - \ServiceDll - \ServiceManifest - \ImagePath - \Start - - Control\Terminal Server\WinStations\RDP-Tcp\PortNumber - Control\Terminal Server\fSingleSessionPerUser - fDenyTSConnections - LastLoggedOnUser - RDP-tcp\PortNumber - Services\PortProxy\v4tov4 - - \command\ - \ddeexec\ - {86C86720-42A0-1069-A2E8-08002B30309D} - exefile - - \InprocServer32\(Default) - - \Hidden - \ShowSuperHidden - \HideFileExt - - Classes\*\ - Classes\AllFilesystemObjects\ - Classes\Directory\ - Classes\Drive\ - Classes\Folder\ - Classes\PROTOCOLS\ - ContextMenuHandlers\ - CurrentVersion\Shell - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers - - HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ - - HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ - - HKLM\SYSTEM\CurrentControlSet\Services\WinSock - \ProxyServer - - 
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ - HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders - HKLM\Software\Microsoft\Netsh - - HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ - HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles - \EnableFirewall - \DoNotAllowExceptions - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ - HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\ - - Microsoft\Office\Outlook\Addins\ - Office Test\ - Security\Trusted Documents\TrustRecords - - Internet Explorer\Toolbar\ - Internet Explorer\Extensions\ - Browser Helper Objects\ - \DisableSecuritySettingsCheck - \3\1206 - \3\2500 - \3\1809 - - HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ - HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ - HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ - HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ - - \UrlUpdateInfo - \InstallSource - \EulaAccepted - - \DisableAntiSpyware - \DisableAntiVirus - \SpynetReporting - DisableRealtimeMonitoring - \SubmitSamplesConsent - - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - - HKLM\Software\Microsoft\Security Center\ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom - 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB - VirtualStore - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\ - HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\ - HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\ - \FriendlyName - HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) - HKLM\Software\Microsoft\Tracing\RASAPI32 - - \LowerCaseLongPath - \Publisher - \BinProductVersion - \DriverVersion - \DriverVerVersion - \LinkDate - Compatibility Assistant\Store\ - - \ - - - - - - - - \{CAFEEFAC- - CreateKey - HKLM\COMPONENTS - - HKLM\Software\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache - - Toolbar\WebBrowser - Browser\ITBar7Height - Browser\ITBar7Layout - Internet Explorer\Toolbar\Locked - Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - }\PreviousPolicyAreas - \Control\WMI\Autologger\ - HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start - \Lsa\OfflineJoin\CurrentValue - HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ - _Classes\AppX - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ - - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains - - \Services\BITS\Start - \services\clr_optimization_v2.0.50727_32\Start - \services\clr_optimization_v2.0.50727_64\Start - \services\clr_optimization_v4.0.30319_32\Start - \services\clr_optimization_v4.0.30319_64\Start - \services\deviceAssociationService\Start - \services\fhsvc\Start - \services\nal\Start - \services\trustedInstaller\Start - \services\tunnel\Start - \services\usoSvc\Start - - \UserChoice\ProgId - \UserChoice\Hash - \OpenWithList\MRUList - Shell Extentions\Cached - - HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups - SOFTWARE\Microsoft\Windows\CurrentVersion\Group 
Policy\Scripts\Startup\0\PSScriptOrder - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell - SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime - \safer\codeidentifiers\0\HASHES\{ - - VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\ - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ - - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe - HKCR\VLC. - HKCR\iTunes. - - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{945a8954-c147-4acd-923f-40c45405a658} - - - - - - - - - - - Downloads - Temp\7z - Startup - .bat - .cmd - .doc - .hta - .lnk - .ppt - .ps1 - .ps2 - .reg - .jse - .vb - .vbe - .vbs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - .arpa. 
- .arpa - .msftncsi.com - ..localmachine - localhost - - -pushp.svc.ms - .b-msedge.net - .bing.com - .hotmail.com - .live.com - .live.net - .s-microsoft.com - .microsoft.com - .microsoftonline.com - .microsoftstore.com - .ms-acdc.office.com - .msedge.net - .msn.com - .msocdn.com - .skype.com - .skype.net - .windows.com - .windows.net.nsatc.net - .windowsupdate.com - .xboxlive.com - login.windows.net - C:\ProgramData\Microsoft\Windows Defender\Platform\ - - .activedirectory.windowsazure.com - .aria.microsoft.com - .msauth.net - .msftauth.net - .opinsights.azure.com - osi.office.net - loki.delve.office.com - management.azure.com - messaging.office.com - outlook.office365.com - portal.azure.com - protection.outlook.com - substrate.office.com - - .mozaws.net - .mozilla.com - .mozilla.net - .mozilla.org - .spotify.com - .spotify.map.fastly.net - clients1.google.com - clients2.google.com - clients3.google.com - clients4.google.com - clients5.google.com - clients6.google.com - safebrowsing.googleapis.com - - .akadns.net - .netflix.com - aspnetcdn.com - ajax.googleapis.com - cdnjs.cloudflare.com - fonts.googleapis.com - .typekit.net - cdnjs.cloudflare.com - .stackassets.com - .steamcontent.com - - .disqus.com - .fontawesome.com - disqus.com - - .1rx.io - .2mdn.net - .adadvisor.net - .adap.tv - .addthis.com - .adform.net - .adnxs.com - .adroll.com - .adrta.com - .adsafeprotected.com - .adsrvr.org - .advertising.com - .amazon-adsystem.com - .amazon-adsystem.com - .analytics.yahoo.com - .aol.com - .betrad.com - .bidswitch.net - .casalemedia.com - .chartbeat.net - .cnn.com - .convertro.com - .criteo.com - .criteo.net - .crwdcntrl.net - .demdex.net - .domdex.com - .dotomi.com - .doubleclick.net - .doubleverify.com - .emxdgt.com - .exelator.com - .google-analytics.com - .googleadservices.com - .googlesyndication.com - .googletagmanager.com - .googlevideo.com - .gstatic.com - .gvt1.com - .gvt2.com - .ib-ibi.com - .jivox.com - .mathtag.com - .moatads.com - .moatpixel.com - 
.mookie1.com - .myvisualiq.net - .netmng.com - .nexac.com - .openx.net - .optimizely.com - .outbrain.com - .pardot.com - .phx.gbl - .pinterest.com - .pubmatic.com - .quantcount.com - .quantserve.com - .revsci.net - .rfihub.net - .rlcdn.com - .rubiconproject.com - .scdn.co - .scorecardresearch.com - .serving-sys.com - .sharethrough.com - .simpli.fi - .sitescout.com - .smartadserver.com - .snapads.com - .spotxchange.com - .taboola.com - .taboola.map.fastly.net - .tapad.com - .tidaltv.com - .trafficmanager.net - .tremorhub.com - .tribalfusion.com - .turn.com - .twimg.com - .tynt.com - .w55c.net - .ytimg.com - .zorosrv.com - 1rx.io - adservice.google.com - ampcid.google.com - clientservices.googleapis.com - googleadapis.l.google.com - imasdk.googleapis.com - l.google.com - ml314.com - mtalk.google.com - update.googleapis.com - www.googletagservices.com - - .pscp.tv - - .digicert.com - .globalsign.com - .globalsign.net - msocsp.com - ocsp.msocsp.com - pki.goog - ocsp.godaddy.com - amazontrust.com - ocsp.sectigo.com - pki-goog.l.google.com - .usertrust.com - ocsp.comodoca.com - ocsp.verisign.com - ocsp.entrust.net - ocsp.identrust.com - status.rapidssl.com - status.thawte.com - ocsp.int-x3.letsencrypt.org - - - - - - - - - diff --git a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-Verbose.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-Verbose.xml.j2 deleted file mode 100644 index 6720ed083..000000000 --- a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-Verbose.xml.j2 +++ /dev/null 
@@ -1,127 +0,0 @@ -{{ ansible_managed | comment('xml') }} - - - - - * - - - - splunk - btool.exe - SnareCore - nxlog - winlogbeat - Microsoft Monitoring Agent\Agent\MonitoringHost.exe - C:\Program Files\NVIDIA Corporation\Display\ - C:\Program Files\Dell\SupportAssist\pcdrcui.exe - C:\Program Files\Dell\SupportAssist\koala.exe - C:\Program Files\Windows Defender - C:\Windows\System32\audiodg.exe - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - \Sysmon.exe - C:\WIndows\System32\poqexec.exe /noreboot /transaction - - - - - - C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE - Spotify.exe - OneDrive.exe - AppData\Roaming\Dashlane\Dashlane.exe - AppData\Roaming\Dashlane\DashlanePlugin.exe - winlogbeat.exe - C:\Windows\System32\spoolsv.exe - C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe - C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe - C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe - C:\Windows\System32\CompatTelRunner.exe - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - C:\Windows\System32\mmc.exe - C:\Program Files\Microsoft VS Code\Code.exe - - - - - - microsoft - windows - VMware - Intel - - - - chrome.exe - vmtoolsd.exe - Sysmon.exe - mmc.exe - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - C:\Windows\System32\taskeng.exe - C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe - C:\Program Files\Windows Defender\NisSrv.exe - C:\Program Files\Windows Defender\MsMpEng.exe - - - - - - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - \Sysmon.exe - - - - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe - C:\Windows\system32\taskeng.exe - C:\Windows\system32\lsass.exe - Sysmon.exe - GoogleUpdate.exe - C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe - C:\Program Files\Windows Defender\MsMpEng.exe - C:\Program Files\Microsoft VS Code\Code.exe - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe - C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe - C:\Windows\system32\mmc.exe - C:\Program Files\Microsoft VS Code\Code.exe - C:\Windows\system32\sihost.exe - C:\Program Files\Windows Defender\MsMpEng.exe - c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe - C:\Windows\system32\ApplicationFrameHost.exe - C:\Windows\System32\taskhostw.exe - C:\Windows\System32\RuntimeBroker.exe - - - - SearchIndexer.exe - winlogbeat.exe - C:\Windows\system32\mmc.exe - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - C:\Program Files\Microsoft VS Code\Code.exe - - - - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe - C:\Windows\system32\mmc.exe - C:\Windows\system32\taskeng.exe - C:\Windows\System32\svchost.exe - C:\Windows\system32\lsass.exe - C:\Windows\Sysmon.exe - GoogleUpdate.exe - C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe - C:\Program Files\Windows Defender\NisSrv.exe - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData - LanguageList - - - - - - - - - diff --git a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-moti.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-moti.xml.j2 deleted file mode 100644 index 123aa8c3b..000000000 --- a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig-moti.xml.j2 +++ /dev/null 
@@ -1,194 +0,0 @@ -{{ ansible_managed | comment('xml') }} - - - SHA256,IMPHASH - - - - \Startup\ - - - - Software\Microsoft\Windows\CurrentVersion\Run - CurrentControlSet\Control\Session Manager\BootExecute - Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - Software\Microsoft\Windows\CurrentVersion\RunServices - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify - Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - Software\Microsoft\Windows NT\CurrentVersion\Winlogon - SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad - Software\Microsoft\Windows\CurrentVersion\RunOnce - Software\Microsoft\Windows\CurrentVersion\RunOnceEx - Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - Software\Microsoft\Windows NT\CurrentVersion\Windows\load - Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs - SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs - - System\CurrentControlSet\Control\Lsa\Security Packages - - - - False - - - C:\Windows\assembly\NativeImages - - - Microsoft Windows - Microsoft Corporation - NVIDIA Corporation - - - - C:\Windows\system32\lsass.exe - C:\Windows\system32\winlogon.exe - C:\Windows\system32\svchost.exe - "C:\Program Files\Google\Chrome\Application\chrome.exe" - "C:\Program Files\Internet Explorer\iexplore.exe" - "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" - - - - c:\Program Files\Windows Defender\MsMpEng.exe - Program Files\Windows Defender\MsMpEng.exe - - - - System - C:\Windows\CCM\CcmExec.exe - C:\Windows\System32\svchost.exe - C:\Program Files\Windows Defender\MsMpEng.exe - C:\Windows\System32\SrTasks.exe - C:\Windows\System32\MRT.exe - C:\Windows\System32\SearchIndexer.exe - C:\Windows\System32\winlogon.exe - C:\Windows\System32\smss.exe - C:\Windows\System32\autochk.exe - C:\Windows\System32\CompatTelRunner.exe - C:\Windows\System32\DeviceCensus.exe - C:\Windows\System32\wininit.exe - C:\Windows\System32\VSSVC.exe - 
C:\Windows\System32\bcdedit.exe - C:\Windows\System32\WinSAT.exe - C:\Windows\SysWOW64\msiexec.exe - C:\Windows\explorer.exe - C:\Windows\System32\DiskSnapshot.exe - - - - - C:\Windows\system32\lsass.exe - C:\Windows\system32\winlogon.exe - "C:\Program Files\Google\Chrome\Application\chrome.exe" - "C:\Program Files\Internet Explorer\iexplore.exe" - "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" - - - - c:\windows\system32\svchost.exe - C:\WINDOWS\system32\wbem\wmiprvse.exe - C:\WINDOWS\System32\perfmon.exe - C:\WINDOWS\system32\LogonUI.exe - C:\WINDOWS\system32\MRT.exe - C:\Windows\System32\MsiExec.exe - C:\windows\CCM\CcmExec.exe - C:\WINDOWS\system32\taskmgr.exe - C:\WINDOWS\system32\lsass.exe - C:\WINDOWS\system32\services.exe - C:\WINDOWS\system32\wininit.exe - C:\WINDOWS\system32\csrss.exe - C:\WINDOWS\System32\smss.exe - C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe - C:\Windows\syswow64\MsiExec.exe - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe - Program Files\Windows Defender\MsMpEng.exe - - - - AppContainer - - C:\Windows\System32\audiodg.exe - System32\backgroundTaskHost.exe - System32\BackgroundTransferHost.exe - System32\dllhost.exe - System32\smartscreen.exe - System32\SearchFilterHost.exe - System32\audiodg.exe - System32\conhost.exe - System32\SearchProtocolHost.exe - SysWOW64\msiexec.exe - system32\msiexec.exe - microsoft shared\ClickToRun\OfficeClickToRun.exe - System32\consent.exe - System32\LogonUI.exe - System32\taskhostw.exe - System32\LockAppHost.exe - Chrome\Application\chrome.exe - Internet Explorer\iexplorer.exe - Mozilla Firefox\firefox.exe - - - - C:\Windows\System32\RuntimeBroker.exe - c:\windows\system32\svchost.exe - C:\WINDOWS\system32\MpSigStub.exe - C:\WINDOWS\System32\LogonUI.exe - C:\WINDOWS\ImmersiveControlPanel\SystemSettings.exe - C:\WINDOWS\system32\SettingSyncHost.exe - C:\WINDOWS\explorer.exe - C:\WINDOWS\system32\mmc.exe - C:\windows\CCM\CcmExec.exe - 
C:\WINDOWS\system32\msiexec.exe - C:\WINDOWS\system32\taskmgr.exe - WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe - WINDOWS\system32\backgroundTaskHost.exe - Mozilla Firefox\firefox.exe - Google\Chrome\Application\chrome.exe - - - - - - C:\Users - C:\ProgramData - powershell.exe - cmd.exe - wmic.exe - cscript.exe - wscript.exe - rundll32.exe - - - chrome.exe - iexplore.exe - firefox.exe - outlook.exe - Skype.exe - lync.exe - GoogleUpdate.exe - qbittorrent.exe - OfficeClickToRun.exe - Windows\SystemApps\Microsoft.Windows.Cortana - OneDrive.exe - Windows\System32\svchost.exe - System32\backgroundTaskHost.exe - Skype\Browser\SkypeBrowserHost.exe - Free Download Manager\fdm.exe - 172. - 10. - 192. - 0.0.0.0 - - - diff --git a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/SysmonConfig.xml.j2 deleted file mode 100755 index 24fe396fd..000000000 --- a/packer/ansible/roles/sysmon_linux/templates/SysmonConfig.xml.j2 +++ /dev/null 
@@ -1,1575 +0,0 @@ - - * - - - False - - Sysmon - - - - - - sethc.exe - utilman.exe - osk.exe - Magnify.exe - DisplaySwitch.exe - Narrator.exe - AtBroker.exe - sdbinst.exe - bitsadmin.exe - - eventvwr.exe - c:\windows\system32\mmc.exe - - fodhelper.exe - ˆ - C:\Windows\explorer.exe - - fltMC.exe - unload;detach - - - fltMC.exe - misc::mflt - - - InstallUtil.exe - /logfile=;/LogToConsole=false;/U - - whoami.exe - ipconfig.exe - tasklist.exe - taskmgr.exe - systeminfo.exe;sysinfo.exe - netstat.exe - qprocess.exe - nslookup.exe - net.exe;net1.exe - quser.exe - query.exe - tracert.exe - tree.com - route.exe - runas.exe - reg.exe - regedit.exe - taskkill.exe - netsh.exe - klist.exe - wevtutil.exe - taskeng.exe - regsvr32.exe - wmiprvse.exe - wmiprvse.exe - hh.exe - cmd.exe - cmd.exe - powershell.exe - powershell.exe - powershell_ise.exe - bash.exe - odbcconf.exe - pcalua.exe - cscript.exe - wscript.exe - pcalua.exe - cscript.exe - wscript.exe - mshta.exe - control.exe - mshta.exe - attrib.exe - cmdkey.exe - nbtstat.exe;nbtinfo.exe - qwinsta.exe - rwinsta.exe - schtasks.exe;sctasks.exe - replace.exe - jjs.exe - appcmd.exe - sc.exe - certutil.exe - findstr.exe - where.exe - forfiles.exe - icacls.exe;cacls.exe - xcopy.exe - robocopy.exe - takeown.exe - makecab.exe - wusa.exe - vassadmin.exe - nltest.exe;nltestk.exe - winrs.exe - computerdefaults.exe - dism.exe - fodhelper.exe - djoin.exe - PktMon.exe - mofcomp.exe - C:\WINDOWS\system32\wbem\scrcons.exe - ScrCons - - esentutl.exe - /y;/vss/d - - - nltestrk.exe - /domain_trusts - - ATBroker.exe - csc.exe - dfsvc.exe - dnscmd.exe - esentutl.exe - expand - extexport.exe - extrac32.exe - IEExec.exe - ilasm.exe - InfDefaultInstall.EXE - jsc.exe - vbc.exe - Microsoft.Workflow.Compiler.exe - msconfig.EXE - Msdt.exe - msiexec.exe - odbcconf.exe - PresentationHost.exe - Print.Exe - rasdlui.exe - RegisterCimProvider2.exe - RegisterCimProvider.exe - RpcPing.exe - ScriptRunner.exe - TTTracer.exe - verclsid.exe - wab.exe - WSReset.exe - 
xwizard.exe - - Mavinject.exe;mavinject64.exe - /INJECTRUNNING - - - CMSTP.exe - /ni;/s - - MSBuild.exe - excel.exe - winword.exe - powerpnt.exe - outlook.exe - msaccess.exe - mspub.exe - regsvcs.exe;regasm.exe - SyncAppvPublishingServer.exe - PsList.exe - PsService.exe - PsExec.exe - PsExec.c - PsGetSID.exe - PsKill.exe - PKill.exe - ProcDump - PsLoggedOn.exe - PsFile.exe - ShellRunas - PipeList.exe - AccessChk.exe - AccessEnum.exe - LogonSessions.exe - PsLogList.exe - PsInfo.exe - LoadOrd - PsPasswd.exe - ru.exe - Regsize - ProcDump - -ma lsass.exe - C:\PerfLogs\ - C:\$Recycle.bin\ - C:\Intel\Logs\ - C:\Users\Default\ - C:\Users\Public\ - C:\Users\NetworkService\ - C:\Windows\Fonts\ - C:\Windows\Debug\ - C:\Windows\Media\ - C:\Windows\Help\ - C:\Windows\addins\ - C:\Windows\repair\ - C:\Windows\security\ - C:\Windows\system32\config\systemprofile\ - VolumeShadowCopy - \htdocs\ - \wwwroot\ - \Temp\ - \Appdata\Local\ - - control;/name - rundll32.exe;shell32.dll;Control_RunDLL - - - MpCmdRun.exe - Add-MpPreference;RemoveDefinitions;DisableIOAVProtection - - wsmprovhost.exe - winrm.cmd - - - - - - C:\Temp - C:\Windows\Temp - C:\Tmp - C:\Users - - - - - - vnc.exe - vncviewer.exe - vncservice.exe - winexesvc.exe - bitsadmin.exe - omniinet.exe - hpsmhd.exe - ipconfig.exe - tasklist.exe - netstat.exe - qprocess.exe - nslookup.exe - net.exe - quser.exe - query.exe - runas.exe - reg.exe - netsh.exe - klist.exe - wevtutil.exe - taskeng.exe - regsvr32.exe - hh.exe - cmd.exe - powershell.exe - bash.exe - pcalua.exe - cscript.exe - wscript.exe - mshta.exe - nbtstat.exe - net1.exe - nslookup.exe - qwinsta.exe - rwinsta.exe - schtasks.exe - taskkill.exe - sc.exe - nltest.exe - winrs.exe - dfsvc.exe - dnscmd.exe - esentutl.exe - expand.exe - extrac32.exe - IEExec.exe - Msdt.exe - msiexec.exe - Print.Exe - RegisterCimProvider.exe - RpcPing.exe - ScriptRunner.exe - xwizard.exe - Mavinject.exe - at.exe - certutil.exe - cmd.exe - cscript.exe - java.exe - mshta.exe - msiexec.exe - 
net.exe - notepad.exe - powershell.exe - reg.exe - regsvr32.exe - rundll32.exe - sc.exe - wmic.exe - wscript.exe - driverquery.exe - dsquery.exe - hh.exe - infDefaultInstall.exe - javaw.exe - javaws.exe - mmc.exe - msbuild.exe - nbtstat.exe - net1.exe - nslookup.exe - qprocess.exe - qwinsta.exe - regsvcs.exe - rwinsta.exe - schtasks.exe - taskkill.exe - tasklist.exe - replace.exe - 1080 - 3128 - 8080 - 22 - 23 - 25 - 3389 - 5800 - 5900 - psexec.exe - psexesvc.exe - C:\Users - C:\ProgramData - C:\Windows\Temp - C:\Temp - C:\PerfLogs\ - C:\$Recycle.bin\ - C:\Intel\Logs\ - C:\Users\Default\ - C:\Users\Public\ - C:\Users\NetworkService\ - C:\Windows\Fonts\ - C:\Windows\Debug\ - C:\Windows\Media\ - C:\Windows\Help\ - C:\Windows\addins\ - C:\Windows\repair\ - C:\Windows\security\ - C:\Windows\system32\config\systemprofile\ - \htdocs\ - \wwwroot\ - SyncAppvPublishingServer.exe - tor.exe - 1723 - 4500 - 9001 - 9030 - 5986 - - - - - - C:\Users - C:\Temp - C:\Windows\Temp - - - - - - - - - - - C:\Windows\System32\samlib.dll - C:\Windows\System32\WinSCard.dll - C:\Windows\System32\cryptdll.dll - C:\Windows\System32\hid.dll - C:\Windows\System32\vaultcli.dll - C:\Windows\System32\wlanapi.dll - - .wll - .xll - - C:\Program Files;\Microsoft Office\root\Office - C:\Windows\SysWOW64\combase.dll - - - C:\Program Files;\Microsoft Office\root\Office - C:\Windows\SysWOW64\coml2.dll - - - C:\Program Files;\Microsoft Office\root\Office - C:\Windows\SysWOW64\comsvcs.dll - - - C:\Program Files;\Microsoft Office\root\Office - C:\Windows\assembly\ - - - C:\Program Files;\Microsoft Office\root\Office - C:\Windows\Microsoft.NET\assembly\GAC_MSIL - - - C:\Program Files;\Microsoft Office\root\Office - clr.dll - - - C:\Program Files;\Microsoft Office\root\Office - VBE7INTL.DLL - - - C:\Program Files;\Microsoft Office\root\Office - VBE7.DLL - - - C:\Program Files;\Microsoft Office\root\Office - VBEUI.DLL - - - C:\Program Files;\Microsoft Office\root\Office - C:\Windows\SysWOW64\wbem\wbemdisp.dll 
- - system.management.automation.ni.dll - system.management.automation.dll - Microsoft.PowerShell.Commands.Diagnostics.dll - Microsoft.PowerShell.Commands.Management.dll - Microsoft.PowerShell.Commands.Utility.dll - Microsoft.PowerShell.ConsoleHost.dll - Microsoft.PowerShell.Security.dll - taskschd.dll - scrobj.dll - admin$;c$;\\;\appdata\;\temp\ - c:\programdata\ - C:\Windows\Media\ - C:\Windows\addins\ - C:\Windows\system32\config\systemprofile\ - C:\Windows\Debug\ - C:\Windows\Temp - C:\PerfLogs\ - C:\Windows\Help\ - C:\Intel\Logs\ - C:\Temp - C:\Windows\repair\ - C:\Windows\security\ - C:\Windows\Fonts\ - file: - $Recycle.bin\ - \Windows\IME\ - wmiutils.dll - - - - - - - c:\windows\system32\csrss.exe - CrtlRoutine - - LoadLibrary - C:\Windows\System32\rundll32.exe - C:\Windows\System32\svchost.exe - C:\Windows\System32\sysmon.exe - - 0x001A0000 - c:\windows\system32\lsass.exe - - 0x00590000 - - - - - - - - - - dbghelp.dll - dbgore.dll - - C:\Windows\system32\csrss.exe - 0x1F1FFF - - - C:\Windows\system32\wininit.exe - 0x1F1FFF - - - C:\Windows\system32\winlogon.exe - 0x1F1FFF - - - C:\Windows\system32\services.exe - 0x1F1FFF - - 0x21410 - - C:\Windows\system32\lsass.exe - 0x1FFFFF - - - C:\Windows\system32\lsass.exe - 0x1F1FFF - - - C:\Windows\system32\lsass.exe - 0x1010 - - - C:\Windows\system32\lsass.exe - 0x143A - - - C:\Program Files;\Microsoft Office\Root\Office - \Microsoft Shared\VBA - - 0x0800 - 0x0810 - 0x0820 - 0x800 - 0x810 - 0x820 - C:\PerfLogs\ - C:\$Recycle.bin\ - C:\Intel\Logs\ - C:\Users\Default\ - C:\Users\Public\ - C:\Users\NetworkService\ - C:\Windows\Fonts\ - C:\Windows\Debug\ - C:\Windows\Media\ - C:\Windows\Help\ - C:\Windows\addins\ - C:\Windows\repair\ - C:\Windows\security\ - C:\Windows\system32\config\systemprofile\ - VolumeShadowCopy - \htdocs\ - \wwwroot\ - \Temp\ - - System.Management.Automation.ni.dll - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - - - - - - - C:\Windows\AppPatch\Custom - .bat - .cmd - .chm - 
C:\Users\Default - AppData\Local\Microsoft\CLR_v2.0\UsageLogs\ - \UsageLogs\cscript.exe.log - \UsageLogs\wscript.exe.log - \UsageLogs\wmic.exe.log - \UsageLogs\mshta.exe.log - \UsageLogs\svchost.exe.log - \UsageLogs\regsvr32.exe.log - \UsageLogs\rundll32.exe.log - \Downloads\ - C:\Windows\System32\Drivers - C:\Windows\SysWOW64\Drivers - .exe - C:\Windows\System32\GroupPolicy\Machine\Scripts - C:\Windows\System32\GroupPolicy\User\Scripts - .hta - .iso - .img - .kirbi - .lnk - .scf - .application - .appref-ms - .*proj - .sln - .settingcontent-ms - .docm - .pptm - .xlsm - .xlm - .dotm - .xltm - .potm - .ppsm - .sldm - .xlam - .xla - .iqy - .slk - \Content.Outlook\ - .rft - .jsp - .jspx - .asp - .aspx - .php - .war - .ace - C:\Windows\System32\WindowsPowerShell - C:\Windows\SysWOW64\WindowsPowerShell - .ps1 - .ps2 - .py - .pyc - .pyw - rundll32.exe - C:\Windows\System32\Tasks - C:\Windows\Tasks\ - \Start Menu - \Startup - .sys - \*lsass*.dmp\ - taskmgr.exe - .url - .vb - .vbe - .vbs - C:\Windows\System32\Wbem - C:\Windows\SysWOW64\Wbem - C:\WINDOWS\system32\wbem\scrcons.exe - C:\Windows\Temp\ - C:\Temp\ - C:\PerfLogs\ - C:\Users\Public\ - \AppData\Temp\ - - - - - - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom - HKLM\SYSTEM\CurrentControlSet\Control\Lsa - \CurrentVersion\Run - \Group Policy\Scripts - \Windows\System\Scripts - \Policies\Explorer\Run - \ServiceDll - \ImagePath - \Start - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute - \Explorer\FileExts - \shell\install\command - 
\shell\open\command - \shell\open\ddeexec - Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup - \mscfile\shell\open\command - ms-settings\shell\open\command - Classes\exefile\shell\runas\command\isolatedCommand - Software\Classes\CLSID - \services\Netlogon\Parameters\DisablePasswordChange - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls - HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls - REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DNS\Parameters\ServerLevelPluginDll - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options - HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options - \Internet Explorer\Toolbar - \Internet Explorer\Extensions - \Browser Helper Objects - HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors - SOFTWARE\Microsoft\Netsh - \UrlUpdateInfo - \Security\Trusted Documents\TrustRecords - \Microsoft\Office\Outlook\Addins - \Software\Microsoft\VSTO\Security\Inclusion - \Software\Microsoft\VSTO\SolutionMetadata - HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe - HKLM\SOFTWARE\Microsoft\Cryptography\OID - HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID - HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust - HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust - \PsExec\EulaAccepted - \PsFile\EulaAccepted - \PsGetSID\EulaAccepted - \PsInfo\EulaAccepted - \PsKill\EulaAccepted - \PsList\EulaAccepted - \PsLoggedOn\EulaAccepted - \PsLogList\EulaAccepted - \PsPasswd\EulaAccepted - \PsService\EulaAccepted - \PsShutDown\EulaAccepted - \PsSuspend\EulaAccepted - SYSTEM\CurrentControlSet\services\SysmonDrv - SYSTEM\CurrentControlSet\services\Sysmon - HKLM\SYSTEM\CurrentControlSet\Control\Terminal 
Server\WinStations\RDP-Tcp\InitialProgram - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders - HKLM\Software\Microsoft\WAB\DLLPath - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls - \InprocServer32\(Default) - Classes\CLSID\;TreatAs - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider - HKLM\SYSTEM\CurrentControlSet\Control\Lsa - HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders - \Control\SecurityProviders\WDigest - HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List - HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify - HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT - HKLM\SYSTEM\CurrentControlSet\Control\Safeboot - HKLM\SYSTEM\CurrentControlSet\Control\Winlogon - \FriendlyName - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) - - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - C:\Windows\System32\svchost.exe - - HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order - HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\NetworkList\Profiles - HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates - \Microsoft\SystemCertificates\Root\Certificates - HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled - HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring - \Classes\AllFilesystemObjects - \Classes\Directory - \Classes\Drive - \Classes\Folder - \ContextMenuHandlers - \CurrentVersion\Shell - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad - HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command - {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify - HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup - HKLM\SYSTEM\CurrentControlSet\Services\WinSock - \ProxyServer - SYSTEM\CurrentControlSet\Control\CrashControl - - - - - - Temp\7z - .bat - .cmd - Temp\debug.bin - Downloads - .exe - .hta - .lnk - Content.Outlook - .ps1 - .ps2 - .reg - .vb - .vbe - .vbs - - - - - - "C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" - Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfService.exe - Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe - Program Files (x86)\Citrix\ICA Client\wfcrun32.exe - Program Files (x86)\Citrix\ICA Client\concentr.exe - \Vivisimo Velocity - \SQLLocal\MSSQLSERVER - \SQLLocal\INSTANCE01 - \SQLLocal\SQLEXPRESS - \SQLLocal\COMMVAULT - \SQLLocal\RTCLOCAL - \SQLLocal\RTC - \SQLLocal\TMSM - Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe - PostgreSQL\9.6\bin\postgres.exe - \pgsignal_ - Program Files\Qlik\Sense\Engine\Engine.exe - Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe - Program Files\SplunkUniversalForwarder\bin\splunk.exe - Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe - Program Files\Trend\SPROTECT\x64\tsc.exe - Program Files\Trend\SPROTECT\x64\tsc64.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe - Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe - \Trend Micro OSCE Command Handler Manager - \Trend Micro OSCE Command Handler2 Manager - \Trend Micro Endpoint Encryption ToolBox Command Handler Manager - \OfcServerNamePipe - \ntapvsrq - \srvsvc - \wkssvc - \lsass - \winreg - \spoolss - Anonymous Pipe - c:\windows\system32\inetsrv\w3wp.exe - - - - - - Created - - - - - - AcroRd32.exe - /CR;channel= - - - C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe - C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe - C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe - - C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe - C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe - C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe - C:\Program Files (x86)\Adobe\Adobe Creative 
Cloud\CoreSync\CoreSync.exe - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe - C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe - C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe - C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe - "C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" -Embedding - C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs - C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe - C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe - C:\Program Files\NVIDIA Corporation\ - C:\Program Files\Realtek\ - C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe - 
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe - C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe - "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type= - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type= - C:\Program Files (x86)\Google\Update\ - C:\Program Files (x86)\Google\Update\ - C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe - C:\Program Files (x86)\RES Software\Workspace Manager\respesvc64.exe - C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe - C:\Program Files (x86)\RES Software\Workspace Manager\ResPesvc64.exe - C:\Program Files\RES Software\Workspace Manager\respesvc.exe - C:\Program Files\Ivanti\Workspace Control\ResPesvc.exe - C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe - C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE - "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel - "C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe - C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe - C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe - C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe - C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe - 
C:\Program Files\SplunkUniversalForwarder\bin\ - C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe - C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe - D:\Program Files\SplunkUniversalForwarder\bin\ - D:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe - D:\Program Files\SplunkUniversalForwarder\bin\splunk.exe - C:\Program Files\Splunk\bin\ - C:\Program Files\Splunk\bin\splunkd.exe - C:\Program Files\Splunk\bin\splunk.exe - D:\Program Files\Splunk\bin\ - D:\Program Files\Splunk\bin\splunkd.exe - D:\Program Files\Splunk\bin\splunk.exe - C:\Windows\system32\svchost.exe -k appmodel -s StateRepository - C:\Windows\system32\svchost.exe -k appmodel - C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc - C:\Windows\system32\svchost.exe -k camera -s FrameServer - C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM - C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay - C:\Windows\system32\svchost.exe -k defragsvc - C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc - C:\Windows\system32\svchost.exe -k imgsvc - C:\Windows\system32\svchost.exe -k localService -s EventSystem - C:\Windows\system32\svchost.exe -k localService -s bthserv - C:\Windows\system32\svchost.exe -k localService -s nsi - C:\Windows\system32\svchost.exe -k localService -s w32Time - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc - C:\Windows\system32\svchost.exe -k localServiceNoNetwork - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s 
WPDBusEnum - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost - C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted - C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc - C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc - C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC - C:\Windows\system32\svchost.exe -k netsvcs -s BITS - C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc - C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc - C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc - C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc - C:\Windows\system32\svchost.exe -k netsvcs -s SENS - C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv - C:\Windows\system32\svchost.exe -k netsvcs -s Themes - C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt - C:\Windows\system32\svchost.exe -k netsvcs - C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc - C:\Windows\system32\svchost.exe -k networkService -s Dnscache - C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation - C:\Windows\system32\svchost.exe -k networkService -s NlaSvc - C:\Windows\system32\svchost.exe -k networkService -s TermService - C:\Windows\system32\svchost.exe -k networkService - C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted 
- C:\Windows\system32\svchost.exe -k rPCSS - C:\Windows\system32\svchost.exe -k secsvcs - C:\Windows\system32\svchost.exe -k swprv - C:\Windows\system32\svchost.exe -k unistackSvcGroup - C:\Windows\system32\svchost.exe -k utcsvc - C:\Windows\system32\svchost.exe -k wbioSvcGroup - C:\Windows\system32\svchost.exe -k werSvcGroup - C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC - C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc - C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC - C:\Windows\system32\svchost.exe -k wsappx - C:\Windows\system32\svchost.exe -k netsvcs - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted - C:\Program Files\Trend Micro\Deep Security Agent\ds_monitor.exe - C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe - C:\Program Files\Trend Micro\Deep Security Agent\dsuam.exe - C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe - C:\Program Files\Trend Micro\Deep Security Agent\lib\Patch.exe - C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe - C:\Program Files\Windows Defender\ - C:\Windows\system32\MpSigStub.exe - C:\Windows\SoftwareDistribution\Download\Install\AM_ - C:\Program Files\Microsoft Security Client\MpCmdRun.exe - C:\Windows\system32\DllHost.exe /Processid - C:\Windows\system32\SearchIndexer.exe /Embedding - C:\Windows\System32\CompatTelRunner.exe - C:\Windows\System32\MusNotification.exe - C:\Windows\System32\MusNotificationUx.exe - C:\Windows\System32\audiodg.exe - C:\Windows\System32\conhost.exe - C:\Windows\System32\powercfg.exe - C:\Windows\System32\wbem\WmiApSrv.exe - C:\Windows\System32\wermgr.exe - C:\Windows\SysWOW64\wermgr.exe - C:\Windows\system32\sppsvc.exe - AppContainer - %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows - C:\Windows\system32\SearchIndexer.exe - 
- - - - AppData\Local\Google\Chrome\Application\chrome.exe - Root\VFS\ProgramFilesX86\Google\Chrome\Application\chrome.exe - OneDrive.exe - setup - - - - - AppData\Roaming\Dropbox\bin\Dropbox.exe - C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe - OneDrive.exe - OneDriveStandaloneUpdater.exe - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe - C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe - C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe - C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe - Spotify.exe - C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe - C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe - microsoft.com - microsoft.com.akadns.net - microsoft.com.nsatc.net - - - - - Intel - microsoft - windows - - - - - C:\Windows\System32\svchost.exe - C:\Windows\System32\wininit.exe - C:\Windows\System32\csrss.exe - C:\Windows\System32\services.exe - C:\Windows\System32\winlogon.exe - C:\Windows\System32\audiodg.exe - C:\windows\system32\kernel32.dll - Google\Chrome\Application\chrome.exe - C:\Windows\System32\wbem\WmiPrvSE.exe - - - - - C:\Windows\CarbonBlack\cb.exe - C:\Program Files\Cisco\AMP\;sfc.exe - c:\Program Files\Couchbase\Server\bin\sigar_port.exe - C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe - C:\Program Files (x86)\RES Software\Workspace Manager\cpushld.exe - C:\Program Files\Ivanti\Workspace Control\cpushld.exe - C:\Program Files\RES Software\Workspace Manager\cpushld.exe - wmiprvse.exe - GoogleUpdate.exe - LTSVC.exe - taskmgr.exe - VBoxService.exe - vmtoolsd.exe - \Citrix\System32\wfshell.exe - C:\Windows\System32\lsm.exe - Microsoft.Identity.AadConnect.Health.AadSync.Host.exe - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection - 0x1000 - 0x1400 - 0x101400 - 
0x101000 - C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe - C:\Program Files\McAfee\Agent\x86\macompatsvc.exe - C:\Program Files\Microsoft Security Client\MsMpEng.exe - C:\Program Files\Windows Defender\MsMpEng.exe - C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe - C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe - C:\WINDOWS\CCM\CcmExec.exe - C:\Program Files\Splunk\bin\splunkd.exe - C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe - C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe - C:\Program Files\WinZip\FAHWindow64.exe - - - - - C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe - C:\Windows\system32\igfxCUIService.exe - C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe - C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe - C:\Windows\System32\smss.exe - C:\Windows\system32\CompatTelRunner.exe - C:\Windows\system32\wbem\WMIADAP.EXE - C:\Windows\System32\DriverStore\Temp\ - C:\Windows\System32\wbem\Performance\ - WRITABLE.TST - \AppData\Roaming\Microsoft\Windows\Recent\ - C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\ - C:\WINDOWS\winsxs\amd64_microsoft-windows - c:\Program Files\Microsoft Security Client\MsMpEng.exe - c:\windows\system32\provtool.exe - C:\WINDOWS\CCM\CcmExec.exe - C:\Windows\CCM - C:\Windows\System32\Tasks\Microsoft\Windows\PLA\FabricTraces - C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask - C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector - C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant - C:\WINDOWS\system32\svchost.exe - - - - - C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\aciseposture.exe - C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility 
Client\vpnagent.exe - Toolbar\WebBrowser - Toolbar\WebBrowser\ITBar7Height - Toolbar\ShellBrowser\ITBar7Layout - Internet Explorer\Toolbar\Locked - ShellBrowser - C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe - C:\Program Files\RES Software\Workspace Manager\pfwsmgr.exe - C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe - C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe - C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe - C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe - C:\Program Files\McAfee\Agent\masvc.exe - C:\Program Files\McAfee\Agent\x86\mfemactl.exe - C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe - C:\Program Files\McAfee\Agent\x86\macompatsvc.exe - C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe - C:\Program Files\Common Files\McAfee\Engine\scanners - C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe - C:\Program Files (x86)\Webroot\WRSA.exe - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit - \OpenWithProgids - \OpenWithList - \UserChoice - \UserChoice\ProgId - \UserChoice\Hash - \OpenWithList\MRUList - } 0xFFFF - Office\root\integration\integrator.exe - C:\WINDOWS\system32\backgroundTaskHost.exe - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe - C:\Program Files\Windows Defender\MsMpEng.exe - C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe - C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe - \CurrentVersion\Run - \CurrentVersion\RunOnce - 
\CurrentVersion\App Paths - \CurrentVersion\Image File Execution Options - \CurrentVersion\Shell Extensions\Cached - \CurrentVersion\Shell Extensions\Approved - }\PreviousPolicyAreas - \Control\WMI\Autologger\ - HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start - \Lsa\OfflineJoin\CurrentValue - \Components\TrustedInstaller\Events - \Components\TrustedInstaller - \Components\Wlansvc - \Components\Wlansvc\Events - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ - \Directory\shellex - \Directory\shellex\DragDropHandlers - \Drive\shellex - \Drive\shellex\DragDropHandlers - _Classes\AppX - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ - HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates - C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe - C:\$WINDOWS.~BT\ - \services\clr_optimization_v2.0.50727_32\Start - \services\clr_optimization_v2.0.50727_64\Start - \services\clr_optimization_v4.0.30319_32\Start - \services\clr_optimization_v4.0.30319_64\Start - \services\DeviceAssociationService\Start - \services\BITS\Start - \services\TrustedInstaller\Start - \services\tunnel\Start - \services\UsoSvc\Start - - - - - \atsvc - \msagent_ - \msf-pipe - \PSEXESVC - \srvsvc - \winreg - - - - - .1rx.io - .2mdn.net - .adadvisor.net - .adap.tv - .addthis.com - .adform.net - .adnxs.com - .adroll.com - .adrta.com - .adsafeprotected.com - .adsrvr.org - .advertising.com - .amazon-adsystem.com - .amazon-adsystem.com - .analytics.yahoo.com - .aol.com - .betrad.com - .bidswitch.net - .casalemedia.com - .chartbeat.net - .cnn.com - .convertro.com - .criteo.com - .criteo.net - .crwdcntrl.net - .demdex.net - .domdex.com - .dotomi.com - .doubleclick.net - .doubleverify.com - .emxdgt.com - .exelator.com - .google-analytics.com - .googleadservices.com - .googlesyndication.com - .googletagmanager.com - .googlevideo.com - .gstatic.com - .gvt1.com - .gvt2.com - .ib-ibi.com - .jivox.com - .mathtag.com - 
.moatads.com - .moatpixel.com - .mookie1.com - .myvisualiq.net - .netmng.com - .nexac.com - .openx.net - .optimizely.com - .outbrain.com - .pardot.com - .phx.gbl - .pinterest.com - .pubmatic.com - .quantcount.com - .quantserve.com - .revsci.net - .rfihub.net - .rlcdn.com - .rubiconproject.com - .scdn.co - .scorecardresearch.com - .serving-sys.com - .sharethrough.com - .simpli.fi - .sitescout.com - .smartadserver.com - .snapads.com - .spotxchange.com - .taboola.com - .taboola.map.fastly.net - .tapad.com - .tidaltv.com - .trafficmanager.net - .tremorhub.com - .tribalfusion.com - .turn.com - .twimg.com - .tynt.com - .w55c.net - .ytimg.com - .zorosrv.com - 1rx.io - adservice.google.com - ampcid.google.com - clientservices.googleapis.com - googleadapis.l.google.com - imasdk.googleapis.com - l.google.com - ml314.com - mtalk.google.com - update.googleapis.com - www.googletagservices.com - .mozaws.net - .mozilla.com - .mozilla.net - .mozilla.org - clients1.google.com - clients2.google.com - clients3.google.com - clients4.google.com - clients5.google.com - clients6.google.com - safebrowsing.googleapis.com - .akadns.net - .netflix.com - aspnetcdn.com - ajax.googleapis.com - cdnjs.cloudflare.com - fonts.googleapis.com - .typekit.net - cdnjs.cloudflare.com - .stackassets.com - .steamcontent.com - .arpa. 
- .arpa - .msftncsi.com - .localmachine - localhost - - C:\ProgramData\LogiShrd\LogiOptions\Software\Current\updater.exe - .logitech.com - - C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe - -pushp.svc.ms - .b-msedge.net - .bing.com - .hotmail.com - .live.com - .live.net - .s-microsoft.com - .microsoft.com - .microsoftonline.com - .microsoftstore.com - .ms-acdc.office.com - .msedge.net - .msn.com - .msocdn.com - .skype.com - .skype.net - .windows.com - .windows.net.nsatc.net - .windowsupdate.com - .xboxlive.com - login.windows.net - .activedirectory.windowsazure.com - .aria.microsoft.com - .msauth.net - .msftauth.net - .opinsights.azure.com - management.azure.com - outlook.office365.com - portal.azure.com - substrate.office.com - osi.office.net - .digicert.com - .globalsign.com - .globalsign.net - msocsp.com - ocsp.msocsp.com - pki.goog - ocsp.godaddy.com - amazontrust.com - ocsp.sectigo.com - pki-goog.l.google.com - .usertrust.com - ocsp.comodoca.com - ocsp.verisign.com - ocsp.entrust.net - ocsp.identrust.com - status.rapidssl.com - status.thawte.com - ocsp.int-x3.letsencrypt.org - subca.ocsp-certum.com - cscasha2.ocsp-certum.com - crl.verisign.com - C:\Program Files\SentinelOne\Sentinel Agent;\SentinelAgent.exe - .spotify.com - .spotify.map.fastly.net - - - - - C:\Program Files\Microsoft SQL Server;\Shared\ErrorDumps - C:\Program Files\Microsoft SQL Server;\DataDumps - C:\Program Files (X86)\Microsoft SQL Server\;Shared\ErrorDumps - - C:\Program Files\Qualys\QualysAgent - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - \Downloads\ - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - \Appdata\Local\Temp\ - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - \Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\ - 
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Intel - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Mozilla - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\chocolatey\logs - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\DeviceSync - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\PlayReady - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\User Account Pictures - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\Office\Heartbeat - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\Windows\WER\ReportQueue - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\Windows\WER\Temp - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - 
C:\ProgramData\Microsoft\Windows\WER\Temp - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\Windows\WER\Temp - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\Windows\WER\Temp - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\ProgramData\Microsoft\Windows\WER\Temp - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Intel - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Mozilla - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\chocolatey\logs - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\DeviceSync - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\PlayReady - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\User Account Pictures - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\Crypto\DSS\MachineKeys - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore - 
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\Office\Heartbeat - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\Windows\WER\ReportArchive - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\Windows\WER\ReportQueue - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Users\All Users\Microsoft\Windows\WER\Temp - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Windows\Tasks - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Windows\tracing - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Windows\Registration\CRMLog - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Windows\System32\Tasks - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Windows\System32\spool\drivers\color - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - C:\Windows\SysWOW64\Tasks - .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct - - - - - - \appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - NETWORK SERVICE; LOCAL SERVICE - - - 
-
diff --git a/packer/ansible/roles/sysmon_linux/templates/SysmonConfigCustom.xml.j2 b/packer/ansible/roles/sysmon_linux/templates/SysmonConfigCustom.xml.j2
deleted file mode 100644
index 5428dd8df..000000000
--- a/packer/ansible/roles/sysmon_linux/templates/SysmonConfigCustom.xml.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-{{ ansible_managed | comment('xml') }}
-
diff --git a/packer/ansible/roles/sysmon_linux/templates/deploymentclient.conf.j2 b/packer/ansible/roles/sysmon_linux/templates/deploymentclient.conf.j2
deleted file mode 100644
index 983ed0b7c..000000000
--- a/packer/ansible/roles/sysmon_linux/templates/deploymentclient.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-[deployment-client]
-
-[target-broker:deploymentServer]
-targetUri= {{ splunk_indexer_ip }}:8089
diff --git a/packer/ansible/roles/sysmon_linux/templates/outputs.conf.j2 b/packer/ansible/roles/sysmon_linux/templates/outputs.conf.j2
deleted file mode 100644
index 9373b03b2..000000000
--- a/packer/ansible/roles/sysmon_linux/templates/outputs.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-[tcpout]
-defaultGroup=my_indexers
-
-[tcpout:my_indexers]
-server={{ splunk_indexer_ip }}:9997
diff --git a/packer/ansible/roles/update_escu/tasks/main.yml b/packer/ansible/roles/update_escu/tasks/main.yml
deleted file mode 100644
index 69572e3b4..000000000
--- a/packer/ansible/roles/update_escu/tasks/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-
-- name: Delete ESCU APP
- file:
- state: absent
- path: "/opt/splunk/etc/apps/DA-ESS-ContentUpdate"
- become: yes
-
-- name: Upload ESCU APP
- copy:
- src: ../../{{ security_content_path }}/dist/escu/
- dest: "/opt/splunk/etc/apps/DA-ESS-ContentUpdate"
- owner: splunk
- group: splunk
- become: yes
-
-- name: restart splunk
- service:
- name: splunkd
- state: restarted
- become: yes
diff --git a/packer/ansible/roles/windows_caldera_agent/tasks/firewall.yml b/packer/ansible/roles/windows_caldera_agent/tasks/firewall.yml
deleted file mode 100644
index cb6836eb7..000000000
--- a/packer/ansible/roles/windows_caldera_agent/tasks/firewall.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-- name: adapt firewall rules for caldera
- win_shell: "{{ item }}"
- with_items:
- - Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)'
- - Enable-NetFirewallRule -DisplayName 'Remote Scheduled Tasks Management (RPC)'
diff --git a/packer/ansible/roles/windows_caldera_agent/tasks/main.yml b/packer/ansible/roles/windows_caldera_agent/tasks/main.yml
deleted file mode 100644
index 0983f1241..000000000
--- a/packer/ansible/roles/windows_caldera_agent/tasks/main.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-
-
-- name: Copy caldera agent script
- win_template:
- src: caldera_agent.ps1.j2
- dest: C:\caldera_agent.ps1
-
-- name: Create scheduled task for PS script
- win_scheduled_task:
- name: CalderaAgent
- description: Run a PowerShell script
- actions:
- - path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- arguments: -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_agent.ps1
- triggers:
- - type: boot
- username: SYSTEM
- run_level: highest
- state: present
-
-- name: Run caldera agent
- win_shell: 'Start-ScheduledTask -TaskName "CalderaAgent"'
-
-- name: Copy caldera manx agent script
- win_template:
- src: caldera_manx_agent.ps1.j2
- dest: C:\caldera_manx_agent.ps1
-
-- name: Create scheduled task for PS script
- win_scheduled_task:
- name: CalderaAgentManX
- description: Run a PowerShell script
- actions:
- - path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- arguments: -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_manx_agent.ps1
- triggers:
- - type: boot
- username: SYSTEM
- run_level: highest
- state: present
-
-- name: Run caldera manx agent
- win_shell: 'Start-ScheduledTask -TaskName "CalderaAgentManX"'
diff --git a/packer/ansible/roles/windows_caldera_agent/tasks/registry.yml b/packer/ansible/roles/windows_caldera_agent/tasks/registry.yml
deleted file mode 100644
index 53970ac0b..000000000
--- a/packer/ansible/roles/windows_caldera_agent/tasks/registry.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-
-- name: WDigest caching must be enabled for mimikatz to detect plaintext credentials.
- win_regedit:
- key: HKLM:\System\CurrentControlSet\Control\SecurityProviders\WDigest
- value: UseLogonCredential
- data: 1
- datatype: dword
diff --git a/packer/ansible/roles/windows_caldera_agent/tasks/windows.yml b/packer/ansible/roles/windows_caldera_agent/tasks/windows.yml
deleted file mode 100644
index 0b51c5e5e..000000000
--- a/packer/ansible/roles/windows_caldera_agent/tasks/windows.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-
-- name: Ensure Microsoft Visual C++ Redistributable for Visual Studio 2015 is present
- win_chocolatey:
- name: vcredist2015
- state: present
- ignore_errors: true
-
-- name: Ensure caldera agent directory exists
- win_file:
- path: 'C:\Program Files\cagent'
- state: directory
-
-- name: Download Caldera agent and dependencies
- win_get_url:
- url: "{{ item.u }}"
- dest: "{{ item.d }}"
- with_items: "{{ calderaagent_urls }}"
-
-- include: firewall.yml
-- include: registry.yml
-
-- name: retrieve Caldera server config
- win_get_url:
- url: 'https://{{ splunk_indexer_ip }}:8888/conf.yml'
- dest: 'C:\Program Files\cagent\conf.yml'
-
-- name: Setup agent
- win_shell: cagent.exe --startup auto install
- args:
- chdir: 'C:\Program Files\cagent'
-
-- name: Start agent
- win_shell: cagent.exe start
- args:
- chdir: 'C:\Program Files\cagent'
diff --git a/packer/ansible/roles/windows_caldera_agent/templates/caldera_agent.ps1.j2 b/packer/ansible/roles/windows_caldera_agent/templates/caldera_agent.ps1.j2
deleted file mode 100644
index 4daada5f9..000000000
--- a/packer/ansible/roles/windows_caldera_agent/templates/caldera_agent.ps1.j2
+++ /dev/null
@@ -1,8 +0,0 @@ - -$url="http://{{ splunk_indexer_ip }}:8888/file/download" -$wc=New-Object System.Net.WebClient -$wc.Headers.add("platform","windows") -$wc.Headers.add("file","sandcat.go") -$output="C:\Users\Public\sandcat.exe" -$wc.DownloadFile($url,$output) -C:\Users\Public\sandcat.exe -server http://{{ splunk_indexer_ip }}:8888 -group my_group -v diff --git a/packer/ansible/roles/windows_caldera_agent/templates/caldera_manx_agent.ps1.j2 b/packer/ansible/roles/windows_caldera_agent/templates/caldera_manx_agent.ps1.j2 deleted file mode 100644 index 5eecfdc24..000000000 --- a/packer/ansible/roles/windows_caldera_agent/templates/caldera_manx_agent.ps1.j2 +++ /dev/null @@ -1,2 +0,0 @@ -#manx splunk attack range TCP agent code -if ($host.Version.Major -ge 3){$ErrAction= "ignore"}else{$ErrAction= "SilentlyContinue"};$server="http://10.0.1.12:8888";$socket="10.0.1.12:7010";$contact="tcp";$url="$server/file/download";$wc=New-Object System.Net.WebClient;$wc.Headers.add("platform","windows");$wc.Headers.add("file","manx.go");$data=$wc.DownloadData($url);$name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","");Get-Process | ? {$_.Path -like "C:\Users\Public\$name.exe"} | stop-process -f -ea $ErrAction;rm -force "C:\Users\Public\$name.exe" -ea $ErrAction;([io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data)) | Out-Null;Start-Process -FilePath C:\Users\Public\$name.exe -ArgumentList "-socket $socket -http $server -contact tcp" -WindowStyle hidden; diff --git a/packer/ansible/roles/windows_caldera_agent/vars/main.yml b/packer/ansible/roles/windows_caldera_agent/vars/main.yml deleted file mode 100644 index 4fb0aa8af..000000000 --- a/packer/ansible/roles/windows_caldera_agent/vars/main.yml +++ /dev/null 
@@ -1,6 +0,0 @@
----
-
-caldera_win_temp_dir: 'c:\ansible\temp'
-caldera_server_conf: ''
-calderaagent_urls:
- - { u: 'https://github.com/mitre/caldera-agent/releases/download/v0.1.0/cagent.exe', c: 'sha256:a7a2269db0b90815390b8986b706212647506dfb988798b937ebf1b92e188d41', d: 'c:\Program Files\cagent\cagent.exe' }
diff --git a/packer/ansible/roles/windows_dns_server/tasks/features.yml b/packer/ansible/roles/windows_dns_server/tasks/features.yml
deleted file mode 100644
index 5dbfcdecc..000000000
--- a/packer/ansible/roles/windows_dns_server/tasks/features.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: features | Installing Windows DNS Server
- win_feature:
- name: DNS
- state: present
- include_management_tools: yes
- include_sub_features: yes
- register: _windows_dns_server
diff --git a/packer/ansible/roles/windows_dns_server/tasks/main.yaml b/packer/ansible/roles/windows_dns_server/tasks/main.yaml
deleted file mode 100644
index ec1ae7828..000000000
--- a/packer/ansible/roles/windows_dns_server/tasks/main.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-- include: features.yml
-- include: reboot.yml
diff --git a/packer/ansible/roles/windows_dns_server/tasks/reboot.yml b/packer/ansible/roles/windows_dns_server/tasks/reboot.yml
deleted file mode 100644
index 34f88e63e..000000000
--- a/packer/ansible/roles/windows_dns_server/tasks/reboot.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: reboot | Rebooting Server
- win_reboot:
- reboot_timeout_sec: 3600
- when: >
- _windows_dns_server['restart_needed'] is defined and
- _windows_dns_server['restart_needed']
diff --git a/packer/ansible/roles/windows_domain_client/files/join_domain.ps1 b/packer/ansible/roles/windows_domain_client/files/join_domain.ps1
deleted file mode 100644
index bfdc78074..000000000
--- a/packer/ansible/roles/windows_domain_client/files/join_domain.ps1
+++ /dev/null
@@ -1,6 +0,0 @@
-
-$domain = $args[0]
-$password = $args[2] | ConvertTo-SecureString -asPlainText -Force
-$username = $args[1]
-$credential = New-Object System.Management.Automation.PSCredential($username,$password)
-Add-Computer -DomainName $domain -Credential $credential -Force
diff --git a/packer/ansible/roles/windows_domain_client/tasks/create.yml b/packer/ansible/roles/windows_domain_client/tasks/create.yml
deleted file mode 100644
index 50ccfe3c1..000000000
--- a/packer/ansible/roles/windows_domain_client/tasks/create.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-
-- name: Change dns server to domain controller
- win_dns_client:
- adapter_names: "{{ ansible_interfaces.0.connection_name }}"
- ipv4_addresses: "{{ windows_domain_controller_private_ip }}"
-
-- name: reboot | Rebooting Server
- win_reboot:
-
-- name: Copy join domain script to host
- win_copy:
- src: "join_domain.ps1"
- dest: 'C:\join_domain.ps1'
-
-- name: Run join domain
- win_shell: "C:\\join_domain.ps1 attackrange.local Administrator@attackrange.local {{ win_password }}"
- register: win_shell_output
-
-# - debug:
-# var: win_shell_output
-
-- win_reboot:
diff --git a/packer/ansible/roles/windows_domain_client/tasks/main.yaml b/packer/ansible/roles/windows_domain_client/tasks/main.yaml
deleted file mode 100644
index 51f49f9d4..000000000
--- a/packer/ansible/roles/windows_domain_client/tasks/main.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-- debug:
- var: windows_server_join_domain
-
-- include: create.yml
- when: windows_server_join_domain == "1"
-
-- include: windows-disable-firewall.yml
\ No newline at end of file
diff --git a/packer/ansible/roles/windows_domain_client/tasks/windows-disable-firewall.yml b/packer/ansible/roles/windows_domain_client/tasks/windows-disable-firewall.yml
deleted file mode 100644
index 5f9266d27..000000000
--- a/packer/ansible/roles/windows_domain_client/tasks/windows-disable-firewall.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-
-- name: Disable Domain firewall
- win_firewall:
- state: disabled
- profiles:
- - Domain
- tags: disable_firewall
\ No newline at end of file
diff --git a/packer/ansible/roles/windows_domain_controller/tasks/create.yml b/packer/ansible/roles/windows_domain_controller/tasks/create.yml
deleted file mode 100644
index 9a80f49aa..000000000
--- a/packer/ansible/roles/windows_domain_controller/tasks/create.yml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-
-- name: set local admin password
- win_user:
- name: Administrator
- password: "{{ win_password }}"
- state: present
-
-- name: features | Installing RSAT AD Admin Center
- win_feature:
- name: RSAT-AD-AdminCenter
- state: present
-
-- name: features | Installing AD Domain Services
- win_feature:
- name: AD-Domain-Services
- include_management_tools: yes
- include_sub_features: yes
- state: present
-
-- name: Creating a windows domain
- win_domain:
- dns_domain_name: "attackrange.local"
- safe_mode_password: "{{ win_password }}"
-
-- name: Setting DNS Servers
- win_dns_client:
- adapter_names: "*"
- ipv4_addresses: "127.0.0.1"
-
-- name: reboot | Rebooting Server
- win_reboot:
- post_reboot_delay: 60
-
-- name: Managing Domain Controller Membership
- win_domain_controller:
- dns_domain_name: "attackrange.local"
- domain_admin_user: "Administrator@attackrange.local"
- domain_admin_password: "{{ win_password }}"
- safe_mode_password: "{{ win_password }}"
- state: "domain_controller"
- register: _windows_domain_controller
diff --git a/packer/ansible/roles/windows_domain_controller/tasks/main.yaml b/packer/ansible/roles/windows_domain_controller/tasks/main.yaml
deleted file mode 100644
index 3ece856b0..000000000
--- a/packer/ansible/roles/windows_domain_controller/tasks/main.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-- include: create.yml
- when: cloud_provider != "azure"
diff --git a/packer/ansible/roles/windows_prelude_agent/tasks/install.yml b/packer/ansible/roles/windows_prelude_agent/tasks/install.yml
deleted file mode 100644
index a42782283..000000000
--- a/packer/ansible/roles/windows_prelude_agent/tasks/install.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-
-- name: Wait for redirector to be ready
- win_wait_for:
- port: 2323
- host: "{{ splunk_indexer_ip }}"
- connect_timeout: 30
- delay: 60
- timeout: 900
-
-- name: Download Prelude Pneuma from headless Operator
- win_get_url:
- url: "http://{{ splunk_indexer_ip }}:3391/payloads/pneuma/v1.5/pneuma-windows.exe"
- dest: c:\pneuma-windows.exe
-
-- name: Create a task to Start Prelude Pneuma on boot
- win_scheduled_task:
- name: Pneuma
- description: Start Pneuma on boot
- actions:
- - path: C:\pneuma-windows.exe
- arguments: "-name {{ ansible_hostname }} -address {{ splunk_indexer_ip }}:2323"
- triggers:
- - type: boot
- username: SYSTEM
- run_level: highest
- state: present
-
-- name: Start Prelude Pneuma and Connect to headless Operator
- win_shell: Start-Process -FilePath c:\pneuma-windows.exe -ArgumentList "-name $env:COMPUTERNAME -address {{ splunk_indexer_ip }}:2323"
-
-
-
-
diff --git a/packer/ansible/roles/windows_prelude_agent/tasks/main.yml b/packer/ansible/roles/windows_prelude_agent/tasks/main.yml
deleted file mode 100644
index 9289c8da4..000000000
--- a/packer/ansible/roles/windows_prelude_agent/tasks/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-- include: install.yml
- when: prelude == "1"
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/install_nxlog.yml b/packer/ansible/roles/windows_universal_forwarder/tasks/install_nxlog.yml
deleted file mode 100644
index aeb12dc07..000000000
--- a/packer/ansible/roles/windows_universal_forwarder/tasks/install_nxlog.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-
-- name: Download nxlog from their website
- win_shell: |
- [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
- (New-Object System.Net.WebClient).DownloadFile("{{ nxlog_url }}", "C:\nxlog.msi")
-
-- name: Install nxlog
- win_package:
- path: C:\nxlog.msi
- arguments: '/quiet'
-
-- name: Copy nxlog.conf configuration
- win_copy:
- src: nxlog.conf
- dest: 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'
-
-- name: Start nxlog
- win_service:
- name: nxlog
- state: started
-
-
diff --git a/packer/ansible/splunk_server.yml b/packer/ansible/splunk_server.yml
deleted file mode 100644
index 969f67486..000000000
--- a/packer/ansible/splunk_server.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- hosts: all
- gather_facts: False
- become: true
- vars:
- hostname: splunk-server
- roles:
- - role: linux_common
- when: use_prebuilt_images_with_packer == "0"
- - role: splunk_server
- when: use_prebuilt_images_with_packer == "0"
- - role: guacamole
- when: use_prebuilt_images_with_packer == "0"
\ No newline at end of file
diff --git a/packer/ansible/windows.yml b/packer/ansible/windows.yml
deleted file mode 100644
index 96bcb2426..000000000
--- a/packer/ansible/windows.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- hosts: all
- gather_facts: True
- vars:
- ansible_connection: winrm
- ansible_winrm_server_cert_validation: ignore
- roles:
- - role: windows_common
- when: use_prebuilt_images_with_packer == "0"
- - role: windows_universal_forwarder
- when: use_prebuilt_images_with_packer == "0"
- - role: sysmon
- when: use_prebuilt_images_with_packer == "0"
diff --git a/packer/ansible/zeek.yml b/packer/ansible/zeek.yml
deleted file mode 100644
index 955729ce4..000000000
--- a/packer/ansible/zeek.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-- hosts: all
- gather_facts: False
- become: true
- roles:
- - role: linux_universal_forwarder
- when: use_prebuilt_images_with_packer == "0"
- - role: zeek_sensor
- when: use_prebuilt_images_with_packer == "0"
diff --git a/packer/linux_server/linux_aws.pkr.hcl b/packer/linux_server/linux_aws.pkr.hcl deleted file mode 100644 index 9cbf83753..000000000 --- a/packer/linux_server/linux_aws.pkr.hcl +++ /dev/null @@ -1,69 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - } -} - -variable "aws" { - type = map(string) - - default = { - region = "eu-central-1" - private_key_path = "~/.ssh/id_rsa" - image_owner = "591511147606" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - -data "amazon-ami" "ubuntu-ami" { - filters = { - name = "*ubuntu-jammy-22.04-amd64-server-*" - root-device-type = "ebs" - virtualization-type = "hvm" - } - most_recent = true - owners = ["099720109477"] -} - -source "amazon-ebs" "ubuntu" { - ami_name = "linux-v${replace(var.general.version, ".", "-")}" - region = var.aws.region - instance_type = "t3.xlarge" - launch_block_device_mappings { - device_name = "/dev/sda1" - volume_size = "50" - } - source_ami = "${data.amazon-ami.ubuntu-ami.id}" - ssh_username = "ubuntu" - force_deregister = true - force_delete_snapshot = true -} - -build { - - sources = [ - "source.amazon-ebs.ubuntu" - ] - - provisioner "ansible" { - extra_arguments = ["--scp-extra-args", "'-O'", "--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"] - playbook_file = "packer/ansible/linux_server.yml" - user = "ubuntu" - ansible_ssh_extra_args = ["-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"] - } - -} diff --git a/packer/linux_server/linux_azure.pkr.hcl b/packer/linux_server/linux_azure.pkr.hcl deleted file mode 100644 index ed918506d..000000000 --- a/packer/linux_server/linux_azure.pkr.hcl +++ /dev/null 
@@ -1,56 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - } -} - -variable "azure" { - type = map(string) - - default = { - location = "West Europe" - private_key_path = "~/.ssh/id_rsa" - public_key_path = "~/.ssh/id_rsa.pub" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - -source "azure-arm" "ubuntu-18-04" { - managed_image_resource_group_name = "packer_${replace(var.azure.location, " ", "_")}" - managed_image_name = "linux-v${replace(var.general.version, ".", "-")}" - os_type = "Linux" - image_publisher = "Canonical" - image_offer = "UbuntuServer" - image_sku = "18.04-LTS" - location = var.azure.location - vm_size = "Standard_A4_v2" - use_azure_cli_auth = true -} - -build { - - sources = [ - "source.azure-arm.ubuntu-18-04" - ] - - provisioner "ansible" { - extra_arguments = ["--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}"] - playbook_file = "packer/ansible/linux_server.yml" - user = "ubuntu" - } - -} diff --git a/packer/nginx_server/nginx_aws.pkr.hcl b/packer/nginx_server/nginx_aws.pkr.hcl deleted file mode 100644 index 581382352..000000000 --- a/packer/nginx_server/nginx_aws.pkr.hcl +++ /dev/null 
@@ -1,70 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - } -} - -variable "aws" { - type = map(string) - - default = { - region = "eu-central-1" - private_key_path = "~/.ssh/id_rsa" - image_owner = "591511147606" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - - -data "amazon-ami" "nginx-ami" { - filters = { - name = "*ubuntu-jammy-22.04-amd64-server-*" - root-device-type = "ebs" - virtualization-type = "hvm" - } - most_recent = true - owners = ["099720109477"] -} - -source "amazon-ebs" "nginx-web-proxy" { - ami_name = "nginx-web-proxy-v${replace(var.general.version, ".", "-")}" - region = var.aws.region - instance_type = "t3.small" - launch_block_device_mappings { - device_name = "/dev/sda1" - volume_size = "20" - } - source_ami = "${data.amazon-ami.nginx-ami.id}" - ssh_username = "ubuntu" - force_deregister = true - force_delete_snapshot = true -} - -build { - - sources = [ - "source.amazon-ebs.nginx-web-proxy" - ] - - provisioner "ansible" { - extra_arguments = ["--scp-extra-args", "'-O'", "--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"] - playbook_file = "packer/ansible/nginx_web_proxy.yml" - user = "ubuntu" - ansible_ssh_extra_args = ["-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"] - } - -} \ No newline at end of file diff --git a/packer/phantom_server/phantom_aws.pkr.hcl b/packer/phantom_server/phantom_aws.pkr.hcl deleted file mode 100644 index 7b8397a88..000000000 --- a/packer/phantom_server/phantom_aws.pkr.hcl +++ /dev/null 
@@ -1,82 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - } -} - -variable "aws" { - type = map(string) - - default = { - region = "eu-central-1" - private_key_path = "~/.ssh/id_rsa" - image_owner = "591511147606" - } -} - -variable "phantom_server" { - type = map(string) - default = { - phantom_server = "0" - phantom_community_username = "user" - phantom_community_password = "password" - phantom_repo_url = "https://repo.phantom.us/phantom/5.2/base/7/x86_64/phantom_repo-5.2.1.78411-1.x86_64.rpm" - phantom_version = "5.2.1.78411-1" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - -data "amazon-ami" "centos-ami" { - filters = { - name = "CentOS Linux 7*" - root-device-type = "ebs" - virtualization-type = "hvm" - architecture = "x86_64" - } - most_recent = true - owners = ["125523088429"] -} - -source "amazon-ebs" "phantom" { - ami_name = "phantom-v${replace(var.general.version, ".", "-")}" - region = var.aws.region - instance_type = "t3.2xlarge" - launch_block_device_mappings { - device_name = "/dev/sda1" - volume_size = "20" - } - source_ami = "${data.amazon-ami.centos-ami.id}" - ssh_username = "centos" - force_deregister = true - force_delete_snapshot = true -} - - -build { - - sources = [ - "source.amazon-ebs.phantom" - ] - - provisioner "ansible" { - extra_arguments = ["--scp-extra-args", "'-O'", "--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.phantom_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"] - playbook_file = "packer/ansible/phantom_server.yml" - user = "centos" - ansible_ssh_extra_args = ["-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"] - } 
- -} \ No newline at end of file diff --git a/packer/phantom_server/phantom_azure.pkr.hcl b/packer/phantom_server/phantom_azure.pkr.hcl deleted file mode 100644 index 7b3710639..000000000 --- a/packer/phantom_server/phantom_azure.pkr.hcl +++ /dev/null @@ -1,67 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - } -} - -variable "azure" { - type = map(string) - - default = { - location = "West Europe" - private_key_path = "~/.ssh/id_rsa" - public_key_path = "~/.ssh/id_rsa.pub" - } -} - -variable "phantom_server" { - type = map(string) - default = { - phantom_server = "0" - phantom_community_username = "user" - phantom_community_password = "password" - phantom_repo_url = "https://repo.phantom.us/phantom/5.2/base/7/x86_64/phantom_repo-5.2.1.78411-1.x86_64.rpm" - phantom_version = "5.2.1.78411-1" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - -source "azure-arm" "phantom" { - managed_image_resource_group_name = "packer_${replace(var.azure.location, " ", "_")}" - managed_image_name = "phantom-v${replace(var.general.version, ".", "-")}" - os_type = "Linux" - image_publisher = "openlogic" - image_offer = "centos" - image_sku = "7_9" - location = var.azure.location - vm_size = "Standard_A8_v2" - use_azure_cli_auth = true -} - -build { - - sources = [ - "source.azure-arm.phantom" - ] - - provisioner "ansible" { - extra_arguments = ["--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.phantom_server : "${key}=\"${value}\""])}"] - playbook_file = "packer/ansible/phantom_server.yml" - user = "centos" - } - -} \ No newline at end of file 
diff --git a/packer/splunk_server/splunk_aws.pkr.hcl b/packer/splunk_server/splunk_aws.pkr.hcl deleted file mode 100644 index 16b73bf52..000000000 --- a/packer/splunk_server/splunk_aws.pkr.hcl +++ /dev/null @@ -1,71 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - version = "3.0.0" - } -} - -variable "aws" { - type = map(string) - - default = { - region = "eu-central-1" - private_key_path = "~/.ssh/id_rsa" - image_owner = "591511147606" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - -data "amazon-ami" "ubuntu-ami" { - filters = { - name = "*ubuntu-jammy-22.04-amd64-server-*" - root-device-type = "ebs" - virtualization-type = "hvm" - } - most_recent = true - owners = ["099720109477"] -} - -source "amazon-ebs" "splunk-ubuntu" { - ami_name = "splunk-v${replace(var.general.version, ".", "-")}" - region = var.aws.region - instance_type = "t3.2xlarge" - launch_block_device_mappings { - device_name = "/dev/sda1" - volume_size = "50" - } - source_ami = "${data.amazon-ami.ubuntu-ami.id}" - ssh_username = "ubuntu" - force_deregister = true - force_delete_snapshot = true -} - - -build { - - sources = [ - "source.amazon-ebs.splunk-ubuntu" - ] - - provisioner "ansible" { - extra_arguments = ["--scp-extra-args", "'-O'", "--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"] - playbook_file = "packer/ansible/splunk_server.yml" - user = "ubuntu" - ansible_ssh_extra_args = ["-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"] - } - -} diff --git a/packer/splunk_server/splunk_azure.pkr.hcl b/packer/splunk_server/splunk_azure.pkr.hcl deleted file mode 100644 index 16f220faa..000000000 
--- a/packer/splunk_server/splunk_azure.pkr.hcl +++ /dev/null @@ -1,57 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - version = "3.0.0" - } -} - -variable "azure" { - type = map(string) - - default = { - location = "West Europe" - private_key_path = "~/.ssh/id_rsa" - public_key_path = "~/.ssh/id_rsa.pub" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - -source "azure-arm" "splunk-ubuntu-18-04" { - managed_image_resource_group_name = "packer_${replace(var.azure.location, " ", "_")}" - managed_image_name = "splunk-v${replace(var.general.version, ".", "-")}" - os_type = "Linux" - image_publisher = "Canonical" - image_offer = "UbuntuServer" - image_sku = "18.04-LTS" - location = var.azure.location - vm_size = "Standard_A8_v2" - use_azure_cli_auth = true -} - -build { - - sources = [ - "source.azure-arm.splunk-ubuntu-18-04" - ] - - provisioner "ansible" { - extra_arguments = ["--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"] - playbook_file = "packer/ansible/splunk_server.yml" - user = "ubuntu" - } - -} diff --git a/packer/windows_server/AnsibleSetup.ps1 b/packer/windows_server/AnsibleSetup.ps1 deleted file mode 100644 index 891c73acc..000000000 --- a/packer/windows_server/AnsibleSetup.ps1 +++ /dev/null 
@@ -1,420 +0,0 @@ -#Requires -Version 3.0 - -# Configure a Windows host for remote management with Ansible -# ----------------------------------------------------------- -# -# This script checks the current WinRM (PS Remoting) configuration and makes -# the necessary changes to allow Ansible to connect, authenticate and -# execute PowerShell commands. -# -# All events are logged to the Windows EventLog, useful for unattended runs. -# -# Use option -Verbose in order to see the verbose output messages. -# -# Use option -CertValidityDays to specify how long this certificate is valid -# starting from today. So you would specify -CertValidityDays 3650 to get -# a 10-year valid certificate. -# -# Use option -ForceNewSSLCert if the system has been SysPreped and a new -# SSL Certificate must be forced on the WinRM Listener when re-running this -# script. This is necessary when a new SID and CN name is created. -# -# Use option -EnableCredSSP to enable CredSSP as an authentication option. -# -# Use option -DisableBasicAuth to disable basic authentication. -# -# Use option -SkipNetworkProfileCheck to skip the network profile check. -# Without specifying this the script will only run if the device's interfaces -# are in DOMAIN or PRIVATE zones. Provide this switch if you want to enable -# WinRM on a device with an interface in PUBLIC zone. -# -# Use option -SubjectName to specify the CN name of the certificate. This -# defaults to the system's hostname and generally should not be specified. 
- -# Written by Trond Hindenes -# Updated by Chris Church -# Updated by Michael Crilly -# Updated by Anton Ouzounov -# Updated by Nicolas Simond -# Updated by Dag Wieërs -# Updated by Jordan Borean -# Updated by Erwan Quélin -# Updated by David Norman -# -# Version 1.0 - 2014-07-06 -# Version 1.1 - 2014-11-11 -# Version 1.2 - 2015-05-15 -# Version 1.3 - 2016-04-04 -# Version 1.4 - 2017-01-05 -# Version 1.5 - 2017-02-09 -# Version 1.6 - 2017-04-18 -# Version 1.7 - 2017-11-23 -# Version 1.8 - 2018-02-23 -# Version 1.9 - 2018-09-21 - -# Support -Verbose option -[CmdletBinding()] - -Param ( - [string]$SubjectName = $env:COMPUTERNAME, - [int]$CertValidityDays = 1095, - [switch]$SkipNetworkProfileCheck, - $CreateSelfSignedCert = $true, - [switch]$ForceNewSSLCert, - [switch]$GlobalHttpFirewallAccess, - [switch]$DisableBasicAuth = $false, - [switch]$EnableCredSSP -) - -Function Write-ProgressLog { - $Message = $args[0] - Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1 -Message $Message -} - -Function Write-VerboseLog { - $Message = $args[0] - Write-Verbose $Message - Write-ProgressLog $Message -} - -Function Write-HostLog { - $Message = $args[0] - Write-Output $Message - Write-ProgressLog $Message -} - -Function New-LegacySelfSignedCert { - Param ( - [string]$SubjectName, - [int]$ValidDays = 1095 - ) - - $hostnonFQDN = $env:computerName - $hostFQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname - $SignatureAlgorithm = "SHA256" - - $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1" - $name.Encode("CN=$SubjectName", 0) - - $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1" - $key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider" - $key.KeySpec = 1 - $key.Length = 4096 - $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" - $key.MachineContext = 1 - $key.Create() - - $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1" - 
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") - $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1" - $ekuoids.Add($serverauthoid) - $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" - $ekuext.InitializeEncode($ekuoids) - - $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1" - $cert.InitializeFromPrivateKey(2, $key, "") - $cert.Subject = $name - $cert.Issuer = $cert.Subject - $cert.NotBefore = (Get-Date).AddDays(-1) - $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays) - - $SigOID = New-Object -ComObject X509Enrollment.CObjectId - $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value) - - [string[]] $AlternativeName += $hostnonFQDN - $AlternativeName += $hostFQDN - $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames - - foreach ($AN in $AlternativeName) { - $AltName = New-Object -ComObject X509Enrollment.CAlternativeName - $AltName.InitializeFromString(0x3, $AN) - $IAlternativeNames.Add($AltName) - } - - $SubjectAlternativeName = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames - $SubjectAlternativeName.InitializeEncode($IAlternativeNames) - - [String[]]$KeyUsage = ("DigitalSignature", "KeyEncipherment") - $KeyUsageObj = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage - $KeyUsageObj.InitializeEncode([int][Security.Cryptography.X509Certificates.X509KeyUsageFlags]($KeyUsage)) - $KeyUsageObj.Critical = $true - - $cert.X509Extensions.Add($KeyUsageObj) - $cert.X509Extensions.Add($ekuext) - $cert.SignatureInformation.HashAlgorithm = $SigOID - $CERT.X509Extensions.Add($SubjectAlternativeName) - $cert.Encode() - - $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1" - $enrollment.InitializeFromRequest($cert) - $certdata = $enrollment.CreateRequest(0) - $enrollment.InstallResponse(2, $certdata, 0, "") - - # extract/return the thumbprint from the generated cert - $parsed_cert = New-Object 
System.Security.Cryptography.X509Certificates.X509Certificate2 - $parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata)) - - return $parsed_cert.Thumbprint -} - -Function Enable-GlobalHttpFirewallAccess { - Write-Verbose "Forcing global HTTP firewall access" - # this is a fairly naive implementation; could be more sophisticated about rule matching/collapsing - $fw = New-Object -ComObject HNetCfg.FWPolicy2 - - # try to find/enable the default rule first - $add_rule = $false - $matching_rules = $fw.Rules | Where-Object { $_.Name -eq "Windows Remote Management (HTTP-In)" } - $rule = $null - If ($matching_rules) { - If ($matching_rules -isnot [Array]) { - Write-Verbose "Editing existing single HTTP firewall rule" - $rule = $matching_rules - } - Else { - # try to find one with the All or Public profile first - Write-Verbose "Found multiple existing HTTP firewall rules..." - $rule = $matching_rules | ForEach-Object { $_.Profiles -band 4 }[0] - - If (-not $rule -or $rule -is [Array]) { - Write-Verbose "Editing an arbitrary single HTTP firewall rule (multiple existed)" - # oh well, just pick the first one - $rule = $matching_rules[0] - } - } - } - - If (-not $rule) { - Write-Verbose "Creating a new HTTP firewall rule" - $rule = New-Object -ComObject HNetCfg.FWRule - $rule.Name = "Windows Remote Management (HTTP-In)" - $rule.Description = "Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]" - $add_rule = $true - } - - $rule.Profiles = 0x7FFFFFFF - $rule.Protocol = 6 - $rule.LocalPorts = 5985 - $rule.RemotePorts = "*" - $rule.LocalAddresses = "*" - $rule.RemoteAddresses = "*" - $rule.Enabled = $true - $rule.Direction = 1 - $rule.Action = 1 - $rule.Grouping = "Windows Remote Management" - - If ($add_rule) { - $fw.Rules.Add($rule) - } - - Write-Verbose "HTTP firewall rule $($rule.Name) updated" -} - -# Setup error handling. 
-Trap { - $_ - Exit 1 -} -$ErrorActionPreference = "Stop" - -# Get the ID and security principal of the current user account -$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent() -$myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID) - -# Get the security principal for the Administrator role -$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator - -# Check to see if we are currently running "as Administrator" -if (-Not $myWindowsPrincipal.IsInRole($adminRole)) { - Write-Output "ERROR: You need elevated Administrator privileges in order to run this script." - Write-Output " Start Windows PowerShell by using the Run as Administrator option." - Exit 2 -} - -$EventSource = $MyInvocation.MyCommand.Name -If (-Not $EventSource) { - $EventSource = "Powershell CLI" -} - -If ([System.Diagnostics.EventLog]::Exists('Application') -eq $False -or [System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) { - New-EventLog -LogName Application -Source $EventSource -} - -# Detect PowerShell version. -If ($PSVersionTable.PSVersion.Major -lt 3) { - Write-ProgressLog "PowerShell version 3 or higher is required." - Throw "PowerShell version 3 or higher is required." -} - -# Find and start the WinRM service. -Write-Verbose "Verifying WinRM service." -If (!(Get-Service "WinRM")) { - Write-ProgressLog "Unable to find the WinRM service." - Throw "Unable to find the WinRM service." -} -ElseIf ((Get-Service "WinRM").Status -ne "Running") { - Write-Verbose "Setting WinRM service to start automatically on boot." - Set-Service -Name "WinRM" -StartupType Automatic - Write-ProgressLog "Set WinRM service to start automatically on boot." - Write-Verbose "Starting WinRM service." - Start-Service -Name "WinRM" -ErrorAction Stop - Write-ProgressLog "Started WinRM service." - -} - -# WinRM should be running; check that we have a PS session config. 
-If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener))) { - If ($SkipNetworkProfileCheck) { - Write-Verbose "Enabling PS Remoting without checking Network profile." - Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop - Write-ProgressLog "Enabled PS Remoting without checking Network profile." - } - Else { - Write-Verbose "Enabling PS Remoting." - Enable-PSRemoting -Force -ErrorAction Stop - Write-ProgressLog "Enabled PS Remoting." - } -} -Else { - Write-Verbose "PS Remoting is already enabled." -} - -# Ensure LocalAccountTokenFilterPolicy is set to 1 -# https://github.com/ansible/ansible/issues/42978 -$token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -$token_prop_name = "LocalAccountTokenFilterPolicy" -$token_key = Get-Item -Path $token_path -$token_value = $token_key.GetValue($token_prop_name, $null) -if ($token_value -ne 1) { - Write-Verbose "Setting LocalAccountTOkenFilterPolicy to 1" - if ($null -ne $token_value) { - Remove-ItemProperty -Path $token_path -Name $token_prop_name - } - New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null -} - -# Make sure there is a SSL listener. -$listeners = Get-ChildItem WSMan:\localhost\Listener -If (!($listeners | Where-Object { $_.Keys -like "TRANSPORT=HTTPS" })) { - # We cannot use New-SelfSignedCertificate on 2012R2 and earlier - $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays - Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint" - - # Create the hashtables of settings to be used. - $valueset = @{ - Hostname = $SubjectName - CertificateThumbprint = $thumbprint - } - - $selectorset = @{ - Transport = "HTTPS" - Address = "*" - } - - Write-Verbose "Enabling SSL listener." - New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset - Write-ProgressLog "Enabled SSL listener." 
-} -Else { - Write-Verbose "SSL listener is already active." - - # Force a new SSL cert on Listener if the $ForceNewSSLCert - If ($ForceNewSSLCert) { - - # We cannot use New-SelfSignedCertificate on 2012R2 and earlier - $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays - Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint" - - $valueset = @{ - CertificateThumbprint = $thumbprint - Hostname = $SubjectName - } - - # Delete the listener for SSL - $selectorset = @{ - Address = "*" - Transport = "HTTPS" - } - Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset - - # Add new Listener with new SSL cert - New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset - } -} - -# Check for basic authentication. -$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object { $_.Name -eq "Basic" } - -If ($DisableBasicAuth) { - If (($basicAuthSetting.Value) -eq $true) { - Write-Verbose "Disabling basic auth support." - Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $false - Write-ProgressLog "Disabled basic auth support." - } - Else { - Write-Verbose "Basic auth is already disabled." - } -} -Else { - If (($basicAuthSetting.Value) -eq $false) { - Write-Verbose "Enabling basic auth support." - Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true - Write-ProgressLog "Enabled basic auth support." - } - Else { - Write-Verbose "Basic auth is already enabled." - } -} - -# If EnableCredSSP if set to true -If ($EnableCredSSP) { - # Check for CredSSP authentication - $credsspAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object { $_.Name -eq "CredSSP" } - If (($credsspAuthSetting.Value) -eq $false) { - Write-Verbose "Enabling CredSSP auth support." - Enable-WSManCredSSP -role server -Force - Write-ProgressLog "Enabled CredSSP auth support." 
- } -} - -If ($GlobalHttpFirewallAccess) { - Enable-GlobalHttpFirewallAccess -} - -# Configure firewall to allow WinRM HTTPS connections. -$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" -$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any -If ($fwtest1.count -lt 5) { - Write-Verbose "Adding firewall rule to allow WinRM HTTPS." - netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow - Write-ProgressLog "Added firewall rule to allow WinRM HTTPS." -} -ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)) { - Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile." - netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any - Write-ProgressLog "Updated firewall rule to allow WinRM HTTPS for any profile." -} -Else { - Write-Verbose "Firewall rule already exists to allow WinRM HTTPS." -} - -# Test a remoting connection to localhost, which should work. -$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock { $using:env:COMPUTERNAME } -ErrorVariable httpError -ErrorAction SilentlyContinue -$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck - -$httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue - -If ($httpResult -and $httpsResult) { - Write-Verbose "HTTP: Enabled | HTTPS: Enabled" -} -ElseIf ($httpsResult -and !$httpResult) { - Write-Verbose "HTTP: Disabled | HTTPS: Enabled" -} -ElseIf ($httpResult -and !$httpsResult) { - Write-Verbose "HTTP: Enabled | HTTPS: Disabled" -} -Else { - Write-ProgressLog "Unable to establish an HTTP or HTTPS remoting session." - Throw "Unable to establish an HTTP or HTTPS remoting session." -} -Write-VerboseLog "PS Remoting has been successfully configured for Ansible." \ No newline at end of file 
diff --git a/packer/windows_server/bootstrap_win_winrm_https.txt b/packer/windows_server/bootstrap_win_winrm_https.txt deleted file mode 100644 index bad79bed9..000000000 --- a/packer/windows_server/bootstrap_win_winrm_https.txt +++ /dev/null 
@@ -1,46 +0,0 @@ - - -# MAKE SURE IN YOUR PACKER CONFIG TO SET: -# -# -# "winrm_username": "Administrator", -# "winrm_insecure": true, -# "winrm_use_ssl": true, -# -# - -write-output "Running User Data Script" -write-host "(host) Running User Data Script" - -Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore - -# Don't set this before Set-ExecutionPolicy as it throws an error -$ErrorActionPreference = "stop" - -# Remove HTTP listener -Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse - -# Create a self-signed certificate to let ssl work -$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer" -New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force - -# WinRM -write-output "Setting up WinRM" -write-host "(host) setting up WinRM" - -cmd.exe /c winrm quickconfig -q -cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}' -cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}' -cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}' -cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}' -cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}' -cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}' -cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}' -cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}" -cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes -cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986" -cmd.exe /c net stop winrm -cmd.exe /c sc config winrm start= auto -cmd.exe /c net start winrm - - \ No newline at end of file diff --git a/packer/windows_server/sysprep.ps1 b/packer/windows_server/sysprep.ps1 deleted file mode 100644 index d67fccec1..000000000 
--- a/packer/windows_server/sysprep.ps1 +++ /dev/null @@ -1,18 +0,0 @@ -Write-Output '>>> Waiting for GA Service (RdAgent) to start ...' -while ((Get-Service RdAgent).Status -ne 'Running') { Start-Sleep -s 5 } -Write-Output '>>> Waiting for GA Service (WindowsAzureTelemetryService) to start ...' -while ((Get-Service WindowsAzureTelemetryService) -and ((Get-Service WindowsAzureTelemetryService).Status -ne 'Running')) { Start-Sleep -s 5 } -Write-Output '>>> Waiting for GA Service (WindowsAzureGuestAgent) to start ...' -while ((Get-Service WindowsAzureGuestAgent).Status -ne 'Running') { Start-Sleep -s 5 } -Write-Output '>>> Sysprepping VM ...' -if( Test-Path $Env:SystemRoot\system32\Sysprep\unattend.xml ) { -Remove-Item $Env:SystemRoot\system32\Sysprep\unattend.xml -Force -} -& $Env:SystemRoot\System32\Sysprep\Sysprep.exe /oobe /generalize /quiet /quit -while($true) { -$imageState = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State).ImageState -Write-Output $imageState -if ($imageState -eq 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { break } -Start-Sleep -s 5 -} -Write-Output '>>> Sysprep complete ...' \ No newline at end of file diff --git a/packer/windows_server/windows_aws.pkr.hcl b/packer/windows_server/windows_aws.pkr.hcl deleted file mode 100644 index 650e6f6ee..000000000 --- a/packer/windows_server/windows_aws.pkr.hcl +++ /dev/null 
@@ -1,94 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - } -} - -variable "aws" { - type = map(string) - - default = { - region = "eu-central-1" - private_key_path = "~/.ssh/id_rsa" - image_owner = "591511147606" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - -variable "images" { - type = map(string) - - default = { - aws_image = "Windows_Server-2016-English-Full-Base-*" - azure_publisher = "MicrosoftWindowsServer" - azure_offer = "WindowsServer" - azure_sku = "2016-Datacenter" - name = "windows-2016" - } -} - - -data "amazon-ami" "windows" { - filters = { - name = var.images.aws_image - root-device-type = "ebs" - virtualization-type = "hvm" - } - most_recent = true - owners = ["801119661308"] -} - -source "amazon-ebs" "windows" { - ami_name = "${var.images.name}-v${replace(var.general.version, ".", "-")}" - region = var.aws.region - force_delete_snapshot = "true" - force_deregister = "true" - instance_type = "t3.xlarge" - source_ami = "${data.amazon-ami.windows.id}" - user_data_file = "packer/windows_server/bootstrap_win_winrm_https.txt" - communicator = "winrm" - winrm_username = "Administrator" - winrm_insecure = true - winrm_use_ssl = true -} - - -build { - - sources = [ - "source.amazon-ebs.windows", - ] - - provisioner "ansible" { - only = ["amazon-ebs.windows"] - playbook_file = "packer/ansible/windows.yml" - user = "Administrator" - use_proxy = false - local_port = 5986 - ansible_env_vars = ["no_proxy=\"*\""] - extra_arguments = ["--extra-vars", "ansible_shell_type=powershell ansible_shell_executable=None ansible_user=Administrator ansible_password=${var.general.attack_range_password} ansible_become_pass={{.WinRMPassword}} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} 
${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}"] - } - - provisioner "powershell" { - only = ["amazon-ebs.windows"] - inline = [ - "C:/ProgramData/Amazon/EC2-Windows/Launch/Scripts/InitializeInstance.ps1 -Schedule", - "C:/ProgramData/Amazon/EC2-Windows/Launch/Scripts/SysprepInstance.ps1 -NoShutdown" - ] - } - -} \ No newline at end of file diff --git a/packer/windows_server/windows_azure.pkr.hcl b/packer/windows_server/windows_azure.pkr.hcl deleted file mode 100644 index feb1470c1..000000000 --- a/packer/windows_server/windows_azure.pkr.hcl +++ /dev/null 
@@ -1,97 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - } -} - -variable "azure" { - type = map(string) - - default = { - location = "West Europe" - private_key_path = "~/.ssh/id_rsa" - public_key_path = "~/.ssh/id_rsa.pub" - } -} - -variable "aws" { - type = map(string) - - default = { - region = "eu-central-1" - private_key_path = "~/.ssh/id_rsa" - image_owner = "591511147606" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - -variable "images" { - type = map(string) - - default = { - aws_image = "Windows_Server-2016-English-Full-Base-*" - azure_publisher = "MicrosoftWindowsServer" - azure_offer = "WindowsServer" - azure_sku = "2016-Datacenter" - name = "windows-2016" - } -} - -source "azure-arm" "windows" { - managed_image_resource_group_name = "packer_${replace(var.azure.location, " ", "_")}" - managed_image_name = "${var.images.name}-v${replace(var.general.version, ".", "-")}" - os_type = "Windows" - image_publisher = var.images.azure_publisher - image_offer = var.images.azure_offer - image_sku = var.images.azure_sku - location = var.azure.location - vm_size = "Standard_D4_v4" - communicator = "winrm" - winrm_insecure = true - winrm_use_ssl = true - winrm_username = "packer" - winrm_port = 5986 - use_azure_cli_auth = true -} - -build { - - sources = [ - "source.azure-arm.windows", - ] - - provisioner "powershell" { - only = ["azure-arm.windows"] - script = "packer/windows_server/AnsibleSetup.ps1" - } - - provisioner "ansible" { - only = ["azure-arm.windows"] - playbook_file = "packer/ansible/windows.yml" - user = "packer" - use_proxy = false - local_port = 5986 - ansible_env_vars = ["WINRM_PASSWORD={{.WinRMPassword}}", "no_proxy=\"*\""] - extra_arguments = ["--extra-vars", 
"ansible_winrm_operation_timeout_sec=120 ansible_winrm_read_timeout_sec=150 ansible_shell_type=powershell ansible_shell_executable=None ansible_become_pass={{.WinRMPassword}} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}"] - } - - provisioner "powershell" { - only = ["azure-arm.windows"] - script = "packer/windows_server/sysprep.ps1" - } - -} \ No newline at end of file diff --git a/packer/zeek_server/zeek_aws.pkr.hcl b/packer/zeek_server/zeek_aws.pkr.hcl deleted file mode 100644 index f64ce36d8..000000000 --- a/packer/zeek_server/zeek_aws.pkr.hcl +++ /dev/null 
@@ -1,69 +0,0 @@ - -variable "general" { - type = map(string) - - default = { - attack_range_password = "Pl3ase-k1Ll-me:p" - key_name = "attack-range-key-pair" - attack_range_name = "ar" - ip_whitelist = "0.0.0.0/0" - } -} - -variable "aws" { - type = map(string) - - default = { - region = "eu-central-1" - private_key_path = "~/.ssh/id_rsa" - image_owner = "591511147606" - } -} - -variable "splunk_server" { - type = map(string) - - default = { - install_es = "0" - splunk_es_app = "splunk-enterprise-security_701.spl" - } -} - -data "amazon-ami" "ubuntu-ami" { - filters = { - name = "*ubuntu-focal-20.04-amd64-server-*" - root-device-type = "ebs" - virtualization-type = "hvm" - } - most_recent = true - owners = ["099720109477"] -} - -source "amazon-ebs" "ubuntu" { - ami_name = "zeek-v${replace(var.general.version, ".", "-")}" - region = var.aws.region - instance_type = "t3.xlarge" - launch_block_device_mappings { - device_name = "/dev/sda1" - volume_size = "30" - } - source_ami = "${data.amazon-ami.ubuntu-ami.id}" - ssh_username = "ubuntu" - force_deregister = true - force_delete_snapshot = true -} - -build { - - sources = [ - "source.amazon-ebs.ubuntu" - ] - - provisioner "ansible" { - extra_arguments = ["--scp-extra-args", "'-O'", "--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"] - playbook_file = "packer/ansible/zeek.yml" - user = "ubuntu" - ansible_ssh_extra_args = ["-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"] - } - -} diff --git a/terraform/ansible/linux_server.yml b/terraform/ansible/linux_server.yml new file mode 100644 index 000000000..23af6a6ac --- /dev/null +++ b/terraform/ansible/linux_server.yml 
@@ -0,0 +1,14 @@
+- hosts: all
+ gather_facts: False
+ become: true
+ roles:
+ - set_hostname_linux
+ - linux_common
+ - linux_universal_forwarder
+ - linux_osquery
+ - linux_sysmon
+ - linux_install_art
+ - linux_server_post
+ - update_sysmon_config_linux
+ - splunk_byo_linux
+ - contentctl
\ No newline at end of file
diff --git a/terraform/ansible/linux_server_post.yml b/terraform/ansible/linux_server_post.yml
deleted file mode 100644
index a070f6e57..000000000
--- a/terraform/ansible/linux_server_post.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- hosts: all
- gather_facts: False
- become: true
- roles:
- - role: set_hostname_linux
- - role: linux_server_post
- when: install_contentctl == "0"
- - role: update_sysmon_config_linux
- when: install_contentctl == "0"
- - role: linux_agent_prelude
- when: install_contentctl == "0"
- - role: splunk_byo_linux
- when: install_contentctl == "0"
- - role: contentctl
- when: install_contentctl == "1"
\ No newline at end of file
diff --git a/packer/ansible/nginx_web_proxy.yml b/terraform/ansible/nginx_server.yml
similarity index 61%
rename from packer/ansible/nginx_web_proxy.yml
rename to terraform/ansible/nginx_server.yml
index 08aaea2a9..bfe66c6f1 100644
--- a/packer/ansible/nginx_web_proxy.yml
+++ b/terraform/ansible/nginx_server.yml
@@ -1,9 +1,9 @@
 - hosts: all
 gather_facts: False
 become: true
- vars:
- proxy_server_ip: "10.0.1.12"
- proxy_server_port: "8000"
 roles:
+ - set_hostname_nginx
 - linux_universal_forwarder
 - nginx_web_proxy
+ - nginx_server_post
+ - splunk_byo_linux
\ No newline at end of file
diff --git a/terraform/ansible/nginx_server_post.yml b/terraform/ansible/nginx_server_post.yml
deleted file mode 100644
index c12055f74..000000000
--- a/terraform/ansible/nginx_server_post.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-- hosts: all
- gather_facts: False
- become: true
- roles:
- - set_hostname_linux
- - linux_server_post
- - nginx_server_post
- - splunk_byo_linux
\ No newline at end of file
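Review bot: The new terraform/ansible/linux_server.yml lists `linux_server_post`, `splunk_byo_linux` and `contentctl` unconditionally, whereas the linux_server_post.yml deleted in the same line ran the first two only when `install_contentctl == "0"` and `contentctl` only when it was `"1"`; unless those roles now gate themselves internally, every Linux host will run both the non-contentctl post steps and the contentctl role. If that selection is still wanted, keep it on the role entries, e.g. `- role: contentctl` followed by `when: install_contentctl == "1"`. Two style points in the same hunk: `gather_facts: False` should be the canonical lowercase `false`, and the file is written without a trailing newline.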
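Review bot: The renamed terraform/ansible/nginx_server.yml drops the play-level `vars` (`proxy_server_ip`, `proxy_server_port`) while keeping the `nginx_web_proxy` role; if that role's templates still reference those names they must now arrive from inventory or extra-vars, and a host missing them will either fail at template time or render an empty proxy target. Presumably they are now supplied from outside the play, so a one-line comment above `roles:` such as `# proxy_server_ip / proxy_server_port are supplied by <extra-vars source>` would spare the next reader a search. The `- set_hostname_nginx` role is new here and not defined in this diff, so it is assumed to exist elsewhere in the commit.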
diff --git a/terraform/ansible/roles/azure_logging/tasks/azure_logging.yml b/terraform/ansible/roles/azure_logging/tasks/azure_logging.yml index 5efd0a5c6..77121856a 100644 --- a/terraform/ansible/roles/azure_logging/tasks/azure_logging.yml +++ b/terraform/ansible/roles/azure_logging/tasks/azure_logging.yml @@ -9,6 +9,7 @@ recurse: yes with_items: - /opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/local/ + when: azure.azure_logging == "1" - name: Copy new mscs_azure_accounts.conf configuration template: @@ -16,6 +17,7 @@ dest: /opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/local/mscs_azure_accounts.conf owner: splunk group: splunk + when: azure.azure_logging == "1" - name: Copy new mscs_azure_audit_inputs.conf configuration template: @@ -23,6 +25,7 @@ dest: /opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/local/mscs_azure_audit_inputs.conf owner: splunk group: splunk + when: azure.azure_logging == "1" - name: Copy new inputs.conf configuration template: @@ -30,7 +33,9 @@ dest: /opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/local/inputs.conf owner: splunk group: splunk + when: azure.azure_logging == "1" - name: restart splunk service: name=splunk state=restarted - become: yes \ No newline at end of file + become: yes + when: azure.azure_logging == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/azure_logging/tasks/main.yml b/terraform/ansible/roles/azure_logging/tasks/main.yml index 54bd4440e..dbeeb8073 100644 --- a/terraform/ansible/roles/azure_logging/tasks/main.yml +++ b/terraform/ansible/roles/azure_logging/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: azure_logging.yml - when: (azure_logging == "1") and (cloud_provider == "azure") \ No newline at end of file + when: general.cloud_provider == "azure" \ No newline at end of file diff --git a/terraform/ansible/roles/azure_logging/templates/inputs.conf.j2 b/terraform/ansible/roles/azure_logging/templates/inputs.conf.j2 index 09124ff24..8e154d7a4 100644 
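Review bot: The same `when: azure.azure_logging == "1"` is now repeated on all five tasks of azure_logging.yml while the main.yml hunk on the same line removes that check from the include; gating once at the include, `when: general.cloud_provider == "azure" and azure.azure_logging == "1"`, keeps the task file free of the duplicated guard and prevents a later task from being added without it. The cloudtrail_logs role (configure_inputs.yml and its main.yml) makes the identical change and can be collapsed the same way. Separately, the task that templates mscs_azure_accounts.conf renders `client_secret` into that file but sets only `owner`/`group`, so the file gets the umask default (typically 0644); adding `mode: "0600"` next to `group: splunk` keeps the secret readable by the splunk user only. Each of these tasks begins before its hunk starts.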
--- a/terraform/ansible/roles/azure_logging/templates/inputs.conf.j2 +++ b/terraform/ansible/roles/azure_logging/templates/inputs.conf.j2 @@ -1,8 +1,8 @@ [mscs_azure_event_hub://event_hub] account = azure_account consumer_group = $Default -event_hub_name = {{ event_hub_name }} -event_hub_namespace = {{ event_hub_host_name }} +event_hub_name = {{ azure.event_hub_name }} +event_hub_namespace = {{ azure.event_hub_host_name }} index = azure interval = 300 max_batch_size = 300 diff --git a/terraform/ansible/roles/azure_logging/templates/mscs_azure_accounts.conf.j2 b/terraform/ansible/roles/azure_logging/templates/mscs_azure_accounts.conf.j2 index 97b0bfe94..7ef45213a 100644 --- a/terraform/ansible/roles/azure_logging/templates/mscs_azure_accounts.conf.j2 +++ b/terraform/ansible/roles/azure_logging/templates/mscs_azure_accounts.conf.j2 @@ -1,5 +1,5 @@ [azure_account] account_class_type = 1 -client_id = {{ client_id }} -client_secret = {{ client_secret }} -tenant_id = {{ tenant_id }} \ No newline at end of file +client_id = {{ azure.client_id }} +client_secret = {{ azure.client_secret }} +tenant_id = {{ azure.tenant_id }} \ No newline at end of file diff --git a/terraform/ansible/roles/azure_logging/templates/mscs_azure_audit_inputs.conf.j2 b/terraform/ansible/roles/azure_logging/templates/mscs_azure_audit_inputs.conf.j2 index b845c6bdf..3266ac967 100644 --- a/terraform/ansible/roles/azure_logging/templates/mscs_azure_audit_inputs.conf.j2 +++ b/terraform/ansible/roles/azure_logging/templates/mscs_azure_audit_inputs.conf.j2 @@ -3,4 +3,4 @@ account = azure_account index = azure interval = 300 start_time = 2022-06-13T09:24:37+00:00 -subscription_id = {{ subscription_id }} \ No newline at end of file +subscription_id = {{ azure.subscription_id }} \ No newline at end of file diff --git a/terraform/ansible/roles/bad_blood/tasks/main.yml b/terraform/ansible/roles/bad_blood/tasks/main.yml index 89a83ddcd..d54ed8c04 100644 --- a/terraform/ansible/roles/bad_blood/tasks/main.yml 
+++ b/terraform/ansible/roles/bad_blood/tasks/main.yml @@ -1,7 +1,7 @@ --- - include_tasks: "install_badblood.yml" - when: bad_blood == "1" + when: windows_servers.bad_blood == "1" - include_tasks: "run_badblood.yml" - when: bad_blood == "1" + when: windows_servers.bad_blood == "1" diff --git a/terraform/ansible/roles/carbon_black_cloud_agent/tasks/install.yml b/terraform/ansible/roles/carbon_black_cloud_agent/tasks/install.yml index a29e1dea9..c25229b44 100644 --- a/terraform/ansible/roles/carbon_black_cloud_agent/tasks/install.yml +++ b/terraform/ansible/roles/carbon_black_cloud_agent/tasks/install.yml @@ -2,8 +2,8 @@ - name: Copy carbon black cloud agent win_copy: - src: "../../apps/{{ carbon_black_cloud_agent_name }}" + src: "../../apps/{{ general.carbon_black_cloud_agent_name }}" dest: C:\Temp\WindowsSensor.msi - name: install carbon black cloud agent - win_command: 'msiexec /q /i C:\Temp\WindowsSensor.msi /L* log.txt COMPANY_CODE={{ carbon_black_cloud_company_code }}' \ No newline at end of file + win_command: 'msiexec /q /i C:\Temp\WindowsSensor.msi /L* log.txt COMPANY_CODE={{ general.carbon_black_cloud_company_code }}' \ No newline at end of file diff --git a/terraform/ansible/roles/carbon_black_cloud_agent/tasks/main.yml b/terraform/ansible/roles/carbon_black_cloud_agent/tasks/main.yml index 2e1092bb0..fe0a0dbee 100644 --- a/terraform/ansible/roles/carbon_black_cloud_agent/tasks/main.yml +++ b/terraform/ansible/roles/carbon_black_cloud_agent/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: install.yml - when: carbon_black_cloud == "1" \ No newline at end of file + when: general.carbon_black_cloud == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/carbon_black_cloud_logs/tasks/config.yml b/terraform/ansible/roles/carbon_black_cloud_logs/tasks/config.yml index 081093ed5..32d2ea0c2 100644 --- a/terraform/ansible/roles/carbon_black_cloud_logs/tasks/config.yml +++ b/terraform/ansible/roles/carbon_black_cloud_logs/tasks/config.yml 
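Review bot: In carbon_black_cloud_agent/tasks/install.yml the install task still passes `COMPANY_CODE={{ general.carbon_black_cloud_company_code }}` on the msiexec command line, and the win_command result carries the full `cmd`, so the enrollment code lands in verbose output and in the failure message; add `no_log: true` to that task. The `/L* log.txt` argument also leaves an install log in the working directory on the host, which presumably is not wanted once provisioning is done. The sibling main.yml hunk keeps the deprecated `include:` form while bad_blood/tasks/main.yml on the same line uses `include_tasks:`; `include_tasks: install.yml` would make the roles consistent.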
@@ -4,8 +4,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/Splunk_TA_aws/local/ @@ -14,15 +12,11 @@ template: src: inputs.conf.j2 dest: /opt/splunk/etc/apps/Splunk_TA_aws/local/inputs.conf - owner: splunk - group: splunk - name: copy local.meta copy: src: local.meta dest: /opt/splunk/etc/apps/vmware_app_for_splunk/metadata/local.meta - owner: splunk - group: splunk - name: restart splunk service: name=splunk state=restarted diff --git a/terraform/ansible/roles/carbon_black_cloud_logs/tasks/main.yml b/terraform/ansible/roles/carbon_black_cloud_logs/tasks/main.yml index 21456712c..779a355a0 100644 --- a/terraform/ansible/roles/carbon_black_cloud_logs/tasks/main.yml +++ b/terraform/ansible/roles/carbon_black_cloud_logs/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: config.yml - when: carbon_black_cloud == "1" \ No newline at end of file + when: general.carbon_black_cloud == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/carbon_black_cloud_logs/templates/inputs.conf.j2 b/terraform/ansible/roles/carbon_black_cloud_logs/templates/inputs.conf.j2 index 991a3f58d..7e1395f8e 100644 --- a/terraform/ansible/roles/carbon_black_cloud_logs/templates/inputs.conf.j2 +++ b/terraform/ansible/roles/carbon_black_cloud_logs/templates/inputs.conf.j2 @@ -1,6 +1,6 @@ [aws_s3://cb_events] -aws_account = splunk_role_{{ attack_range_name }}_{{ key_name }} -bucket_name = {{ carbon_black_cloud_s3_bucket }} +aws_account = splunk_role_{{ general.attack_range_name }}_{{ general.key_name }} +bucket_name = {{ general.carbon_black_cloud_s3_bucket }} character_set = auto ct_blacklist = ^$ host_name = s3.us-east-1.amazonaws.com diff --git a/terraform/ansible/roles/cloudtrail_logs/tasks/configure_inputs.yml b/terraform/ansible/roles/cloudtrail_logs/tasks/configure_inputs.yml index a7a392346..218b87c04 100644 --- a/terraform/ansible/roles/cloudtrail_logs/tasks/configure_inputs.yml 
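Review bot: Dropping `owner: splunk` / `group: splunk` from the `file: state: directory` and `template:` tasks means /opt/splunk/etc/apps/Splunk_TA_aws/local/ and its inputs.conf are now created as whatever user Ansible runs the task as; if that is root via become, a Splunk process running as the splunk user can no longer write its own local config. I cannot see from the hunk whether become is in effect or which user Splunk runs as, so if the intent is that Splunk now runs as root, a one-line comment stating that would make the removal safe to keep. The same removal appears in cloudtrail_logs/configure_inputs.yml, crowdstrike_falcon_logging/config.yml, linux_osquery/collect_osquery_logs.yml and linux_sysmon/configure_inputs.yml.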
+++ b/terraform/ansible/roles/cloudtrail_logs/tasks/configure_inputs.yml @@ -4,22 +4,19 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/Splunk_TA_aws/local/ + when: aws.cloudtrail == "1" - name: Copy new aws_account_ext.conf configuration template: src: aws_account_ext.conf.j2 dest: /opt/splunk/etc/apps/Splunk_TA_aws/local/aws_account_ext.conf - owner: splunk - group: splunk + when: aws.cloudtrail == "1" - name: Copy new inputs.conf configuration template: src: aws_inputs.conf.j2 dest: /opt/splunk/etc/apps/Splunk_TA_aws/local/inputs.conf - owner: splunk - group: splunk \ No newline at end of file + when: aws.cloudtrail == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/cloudtrail_logs/tasks/main.yml b/terraform/ansible/roles/cloudtrail_logs/tasks/main.yml index 8578fe555..bc67e6ec3 100644 --- a/terraform/ansible/roles/cloudtrail_logs/tasks/main.yml +++ b/terraform/ansible/roles/cloudtrail_logs/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: configure_inputs.yml - when: (cloudtrail == "1") and (cloud_provider == "aws") \ No newline at end of file + when: general.cloud_provider == "aws" \ No newline at end of file diff --git a/terraform/ansible/roles/cloudtrail_logs/templates/aws_account_ext.conf.j2 b/terraform/ansible/roles/cloudtrail_logs/templates/aws_account_ext.conf.j2 index 34e6146a9..a45a1cda3 100644 --- a/terraform/ansible/roles/cloudtrail_logs/templates/aws_account_ext.conf.j2 +++ b/terraform/ansible/roles/cloudtrail_logs/templates/aws_account_ext.conf.j2 @@ -1,3 +1,3 @@ -[splunk_role_{{ attack_range_name }}_{{ key_name }}] +[splunk_role_{{ general.attack_range_name }}_{{ general.key_name }}] category = 1 iam = 1 \ No newline at end of file diff --git a/terraform/ansible/roles/cloudtrail_logs/templates/aws_inputs.conf.j2 b/terraform/ansible/roles/cloudtrail_logs/templates/aws_inputs.conf.j2 index 260697734..2a0317cd6 100644 
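Review bot: The three `when: aws.cloudtrail == "1"` guards added to each task in configure_inputs.yml duplicate what the old include guard in main.yml did, and main.yml now checks only `general.cloud_provider == "aws"`, so any task added to this file later without the guard runs unconditionally. Keeping the condition on the include, `when: general.cloud_provider == "aws" and aws.cloudtrail == "1"`, and dropping the per-task copies is shorter and fails closed. If the split is deliberate because `aws` may be undefined on non-AWS hosts, a comment saying so would help.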
--- a/terraform/ansible/roles/cloudtrail_logs/templates/aws_inputs.conf.j2 +++ b/terraform/ansible/roles/cloudtrail_logs/templates/aws_inputs.conf.j2 @@ -1,9 +1,9 @@ [aws_sqs_based_s3://cloudtrail] -aws_account = splunk_role_{{ attack_range_name }}_{{ key_name }} +aws_account = splunk_role_{{ general.attack_range_name }}_{{ general.key_name }} index = aws interval = 60 s3_file_decoder = CloudTrail sourcetype = aws:cloudtrail sqs_batch_size = 10 -sqs_queue_region = {{ region }} -sqs_queue_url = {{ cloudtrail_sqs_queue }} \ No newline at end of file +sqs_queue_region = {{ aws.region }} +sqs_queue_url = {{ aws.cloudtrail_sqs_queue }} \ No newline at end of file diff --git a/terraform/ansible/roles/contentctl/tasks/main.yml b/terraform/ansible/roles/contentctl/tasks/main.yml index 87bd4fd66..092da63c7 100644 --- a/terraform/ansible/roles/contentctl/tasks/main.yml +++ b/terraform/ansible/roles/contentctl/tasks/main.yml @@ -1,7 +1,7 @@ --- - include: docker.yml - when: install_contentctl == "1" + when: general.install_contentctl == "1" - include: contentctl.yml - when: install_contentctl == "1" \ No newline at end of file + when: general.install_contentctl == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/create_domain_controller/tasks/main.yml b/terraform/ansible/roles/create_domain_controller/tasks/main.yml index 1c14e37f6..a38dc63e9 100644 --- a/terraform/ansible/roles/create_domain_controller/tasks/main.yml +++ b/terraform/ansible/roles/create_domain_controller/tasks/main.yml @@ -1,3 +1,3 @@ - include: windows-create-domain.yml - when: create_domain == "1" \ No newline at end of file + when: windows_servers.create_domain == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml b/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml index 711cae6b8..aec54e323 100644 
--- a/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml +++ b/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml @@ -18,7 +18,7 @@ - name: set local admin password win_user: name: "{{ ansible_user }}" - password: "{{ attack_range_password }}" + password: "{{ general.attack_range_password }}" state: present - name: features | Installing RSAT AD Admin Center @@ -36,7 +36,7 @@ - name: Creating a windows domain win_domain: dns_domain_name: "attackrange.local" - safe_mode_password: "{{ attack_range_password }}" + safe_mode_password: "{{ general.attack_range_password }}" - name: Setting DNS Servers win_dns_client: @@ -51,8 +51,8 @@ win_domain_controller: dns_domain_name: "attackrange.local" domain_admin_user: "{{ ansible_user }}@attackrange.local" - domain_admin_password: "{{ attack_range_password }}" - safe_mode_password: "{{ attack_range_password }}" + domain_admin_password: "{{ general.attack_range_password }}" + safe_mode_password: "{{ general.attack_range_password }}" state: "domain_controller" register: _windows_domain_controller diff --git a/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/crowdstrike_install.yml b/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/crowdstrike_install.yml index 3c5eb194b..0515ca59e 100644 --- a/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/crowdstrike_install.yml +++ b/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/crowdstrike_install.yml @@ -2,8 +2,8 @@ - name: Copy crowdstrike falcon agent win_copy: - src: "../../apps/{{ crowdstrike_agent_name }}" + src: "../../apps/{{ general.crowdstrike_agent_name }}" dest: c:\temp\WindowsSensor.exe - name: install crowdstrike falcon agent - win_command: 'C:\Temp\WindowsSensor.exe /install /quiet /norestart CID={{ crowdstrike_customer_ID }}' \ No newline at end of file + win_command: 'C:\Temp\WindowsSensor.exe /install /quiet /norestart CID={{ general.crowdstrike_customer_ID }}' \ No newline at end of file 
diff --git a/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/main.yml b/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/main.yml index 13b84062d..9fdd08950 100644 --- a/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/main.yml +++ b/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: crowdstrike_install.yml - when: crowdstrike_falcon == "1" \ No newline at end of file + when: general.crowdstrike_falcon == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/crowdstrike_falcon_logging/tasks/config.yml b/terraform/ansible/roles/crowdstrike_falcon_logging/tasks/config.yml index 64536ff12..01d7665ba 100644 --- a/terraform/ansible/roles/crowdstrike_falcon_logging/tasks/config.yml +++ b/terraform/ansible/roles/crowdstrike_falcon_logging/tasks/config.yml @@ -4,8 +4,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/Splunk_TA_CrowdStrike_FDR/local/ @@ -14,12 +12,8 @@ template: src: splunk_ta_crowdstrike_fdr_aws_collections.conf.j2 dest: /opt/splunk/etc/apps/Splunk_TA_CrowdStrike_FDR/local/splunk_ta_crowdstrike_fdr_aws_collections.conf - owner: splunk - group: splunk - name: Copy new inputs.conf configuration template: src: inputs.conf.j2 - dest: /opt/splunk/etc/apps/Splunk_TA_CrowdStrike_FDR/local/inputs.conf - owner: splunk - group: splunk \ No newline at end of file + dest: /opt/splunk/etc/apps/Splunk_TA_CrowdStrike_FDR/local/inputs.conf \ No newline at end of file diff --git a/terraform/ansible/roles/crowdstrike_falcon_logging/tasks/main.yml b/terraform/ansible/roles/crowdstrike_falcon_logging/tasks/main.yml index 0aaa5525d..14e23898c 100644 --- a/terraform/ansible/roles/crowdstrike_falcon_logging/tasks/main.yml +++ b/terraform/ansible/roles/crowdstrike_falcon_logging/tasks/main.yml 
@@ -1,9 +1,9 @@ --- - include: config.yml - when: crowdstrike_falcon == "1" + when: general.crowdstrike_falcon == "1" - name: restart splunk service: name=splunk state=restarted become: yes - when: crowdstrike_falcon == "1" \ No newline at end of file + when: general.crowdstrike_falcon == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/crowdstrike_falcon_logging/templates/inputs.conf.j2 b/terraform/ansible/roles/crowdstrike_falcon_logging/templates/inputs.conf.j2 index 3dd790bd6..4ba300a8e 100644 --- a/terraform/ansible/roles/crowdstrike_falcon_logging/templates/inputs.conf.j2 +++ b/terraform/ansible/roles/crowdstrike_falcon_logging/templates/inputs.conf.j2 @@ -1,6 +1,6 @@ [simple_consumer_input://crowdstrike_input] aws_collection = crowdstrike_falcon -aws_sqs_url = {{ crowdstrike_logs_sqs_url }} +aws_sqs_url = {{ general.crowdstrike_logs_sqs_url }} aws_sqs_visibility_timeout = 21600 collect_external_events = 0 collect_inventory_aidmaster = 1 diff --git a/terraform/ansible/roles/crowdstrike_falcon_logging/templates/splunk_ta_crowdstrike_fdr_aws_collections.conf.j2 b/terraform/ansible/roles/crowdstrike_falcon_logging/templates/splunk_ta_crowdstrike_fdr_aws_collections.conf.j2 index 7669a1935..e858d0a12 100644 --- a/terraform/ansible/roles/crowdstrike_falcon_logging/templates/splunk_ta_crowdstrike_fdr_aws_collections.conf.j2 +++ b/terraform/ansible/roles/crowdstrike_falcon_logging/templates/splunk_ta_crowdstrike_fdr_aws_collections.conf.j2 @@ -1,4 +1,4 @@ [crowdstrike_falcon] -aws_access_key_id = {{ crowdstrike_logs_access_key_id }} -aws_region = {{ crowdstrike_logs_region }} -aws_secret_access_key = {{ crowdstrike_logs_secret_access_key }} \ No newline at end of file +aws_access_key_id = {{ general.crowdstrike_logs_access_key_id }} +aws_region = {{ general.crowdstrike_logs_region }} +aws_secret_access_key = {{ general.crowdstrike_logs_secret_access_key }} \ No newline at end of file 
diff --git a/packer/ansible/roles/guacamole/files/tomcat.service b/terraform/ansible/roles/guacamole/files/tomcat.service similarity index 100% rename from packer/ansible/roles/guacamole/files/tomcat.service rename to terraform/ansible/roles/guacamole/files/tomcat.service diff --git a/packer/ansible/roles/guacamole/tasks/guacamole_client.yml b/terraform/ansible/roles/guacamole/tasks/guacamole_client.yml similarity index 100% rename from packer/ansible/roles/guacamole/tasks/guacamole_client.yml rename to terraform/ansible/roles/guacamole/tasks/guacamole_client.yml diff --git a/packer/ansible/roles/guacamole/tasks/guacamole_server.yml b/terraform/ansible/roles/guacamole/tasks/guacamole_server.yml similarity index 100% rename from packer/ansible/roles/guacamole/tasks/guacamole_server.yml rename to terraform/ansible/roles/guacamole/tasks/guacamole_server.yml diff --git a/terraform/ansible/roles/guacamole/tasks/guacamole_server_post.yml b/terraform/ansible/roles/guacamole/tasks/guacamole_server_post.yml index c48492089..ee4c3d21f 100644 --- a/terraform/ansible/roles/guacamole/tasks/guacamole_server_post.yml +++ b/terraform/ansible/roles/guacamole/tasks/guacamole_server_post.yml @@ -26,7 +26,7 @@ template: src: user-mapping.xml dest: /etc/guacamole/user-mapping.xml - when: cloud_provider != "local" + when: general.cloud_provider != "local" - name: Create a new folder file: @@ -37,7 +37,7 @@ template: src: user-mapping-local.xml dest: /etc/guacamole/user-mapping.xml - when: cloud_provider == "local" + when: general.cloud_provider == "local" - name: Restart guacd and tomcat shell: diff --git a/packer/ansible/roles/guacamole/tasks/install_packages.yml b/terraform/ansible/roles/guacamole/tasks/install_packages.yml similarity index 70% rename from packer/ansible/roles/guacamole/tasks/install_packages.yml rename to terraform/ansible/roles/guacamole/tasks/install_packages.yml index 87cef573c..e51d8c73c 100644 --- a/packer/ansible/roles/guacamole/tasks/install_packages.yml 
+++ b/terraform/ansible/roles/guacamole/tasks/install_packages.yml @@ -31,9 +31,17 @@ - libwebp-dev - openjdk-11-jdk -- name: Install FreeRDP2 (add-apt-repository) - apt_repository: - repo: ppa:remmina-ppa-team/remmina-next-daily +- name: Add FreeRDP2 repository key + ansible.builtin.get_url: + url: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x04E38CE134B239B9F38F82EE8A993C2521C5F0BA + dest: /etc/apt/trusted.gpg.d/remmina-ppa-team.asc + become: yes + +- name: Add FreeRDP2 repository + ansible.builtin.apt_repository: + repo: 'ppa:remmina-ppa-team/remmina-next-daily' + state: present + become: yes - name: Update apt-get repo and cache apt: update_cache=yes force_apt_get=yes cache_valid_time=3600 diff --git a/terraform/ansible/roles/guacamole/tasks/main.yml b/terraform/ansible/roles/guacamole/tasks/main.yml index c8271b5af..befc4a8ef 100644 --- a/terraform/ansible/roles/guacamole/tasks/main.yml +++ b/terraform/ansible/roles/guacamole/tasks/main.yml @@ -1,3 +1,7 @@ --- +- include: install_packages.yml +- include: setup_tomcat.yml +- include: guacamole_server.yml +- include: guacamole_client.yml - include: guacamole_server_post.yml \ No newline at end of file diff --git a/packer/ansible/roles/guacamole/tasks/setup_tomcat.yml b/terraform/ansible/roles/guacamole/tasks/setup_tomcat.yml similarity index 100% rename from packer/ansible/roles/guacamole/tasks/setup_tomcat.yml rename to terraform/ansible/roles/guacamole/tasks/setup_tomcat.yml diff --git a/terraform/ansible/roles/guacamole/templates/user-mapping-local.xml b/terraform/ansible/roles/guacamole/templates/user-mapping-local.xml index db2241e7e..38afaaf6a 100644 --- a/terraform/ansible/roles/guacamole/templates/user-mapping-local.xml +++ b/terraform/ansible/roles/guacamole/templates/user-mapping-local.xml @@ -1,7 +1,7 @@ diff --git a/terraform/ansible/roles/guacamole/templates/user-mapping.xml b/terraform/ansible/roles/guacamole/templates/user-mapping.xml index f9ec159ff..2c6cc15e2 100644 
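Review bot: `ansible.builtin.get_url` fetches the repository signing key from keyserver.ubuntu.com with no `checksum:`, so whatever the keyserver returns for that search is installed as trusted; pinning it with `checksum: sha256:<placeholder: digest of the expected key file>` (or verifying the fingerprint `04E38CE134B239B9F38F82EE8A993C2521C5F0BA` after download) makes the step fail closed. Writing into /etc/apt/trusted.gpg.d/ also makes that key trusted for every apt source, not just this PPA; a keyring under /etc/apt/keyrings referenced with `signed-by=` scopes it, although `apt_repository` with the `ppa:` shorthand does not accept that option, so the plain `deb` form of the PPA would be needed. Minor: the destination ends in `.asc`, which recent apt accepts, but the hunk does not show the target Ubuntu release, so worth confirming.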
--- a/terraform/ansible/roles/guacamole/templates/user-mapping.xml
+++ b/terraform/ansible/roles/guacamole/templates/user-mapping.xml
@@ -1,71 +1,115 @@ - + ssh localhost 22 ubuntu - {{ lookup('file', private_key_path) }} + {% if general.cloud_provider == 'aws' %} + {{ lookup('file', aws.private_key_path) }} + {% elif general.cloud_provider == 'azure' %} + {{ lookup('file', azure.private_key_path) }} + {% endif %} - {% if phantom_server == '1' %} - + {% if phantom_server.phantom_server == '1' %} + ssh 10.0.1.13 22 centos - {{ lookup('file', private_key_path) }} + {% if general.cloud_provider == 'aws' %} + {{ lookup('file', aws.private_key_path) }} + {% elif general.cloud_provider == 'azure' %} + {{ lookup('file', azure.private_key_path) }} + {% endif %} {% endif %} - - {% for server in windows|from_json|map('string')|list %} - + + {% if windows_servers is string %} + {% set windows_servers_list = windows_servers|from_json %} + {% else %} + {% set windows_servers_list = windows_servers %} + {% endif %} + {% for server in windows_servers_list %} + rdp 10.0.1.{{loop.index-1+14}} 3389 - {% if cloud_provider == 'azure' %} + {% if general.cloud_provider == 'azure' %} AzureAdmin {% else %} Administrator {% endif %} - {{attack_range_password}} + {{general.attack_range_password}} true true /home/ubuntu/shared-folder {% endfor %} - {% for server in linux|from_json|map('string')|list %} - + {% if linux_servers is string %} + {% set linux_servers_list = linux_servers|from_json %} + {% else %} + {% set linux_servers_list = linux_servers %} + {% endif %} + {% for server in linux_servers_list %} + ssh 10.0.1.{{loop.index-1+21}} 22 ubuntu - {{ lookup('file', private_key_path) }} + {% if general.cloud_provider == 'aws' %} + {{ lookup('file', aws.private_key_path) }} + {% elif general.cloud_provider == 'azure' %} + {{ lookup('file', azure.private_key_path) }} + {% endif %} {% endfor %} - {% if kali_server == '1' %} - + {% if kali_server.kali_server == '1' %} + ssh 10.0.1.30 22 kali - {{ lookup('file', private_key_path) }} + {% if general.cloud_provider == 'aws' %} + {{ lookup('file', aws.private_key_path) }} + {% 
elif general.cloud_provider == 'azure' %} + {{ lookup('file', azure.private_key_path) }} + {% endif %} {% endif %} - {% if zeek_server == '1' %} - + {% if zeek_server.zeek_server == '1' %} + ssh 10.0.1.50 22 ubuntu - {{ lookup('file', private_key_path) }} + {% if general.cloud_provider == 'aws' %} + {{ lookup('file', aws.private_key_path) }} + {% elif general.cloud_provider == 'azure' %} + {{ lookup('file', azure.private_key_path) }} + {% endif %} + + {% endif %} + + {% if snort_server.snort_server == '1' %} + + ssh + 10.0.1.60 + 22 + ubuntu + {% if general.cloud_provider == 'aws' %} + {{ lookup('file', aws.private_key_path) }} + {% elif general.cloud_provider == 'azure' %} + {{ lookup('file', azure.private_key_path) }} + {% endif %} {% endif %} diff --git a/terraform/ansible/roles/join_domain/tasks/create.yml b/terraform/ansible/roles/join_domain/tasks/create.yml index e9d904b3a..03e36bab9 100644 --- a/terraform/ansible/roles/join_domain/tasks/create.yml +++ b/terraform/ansible/roles/join_domain/tasks/create.yml @@ -14,7 +14,7 @@ dest: 'C:\join_domain.ps1' - name: Run join domain - win_shell: "C:\\join_domain.ps1 attackrange.local {{ ansible_user }}@attackrange.local {{ attack_range_password }}" + win_shell: "C:\\join_domain.ps1 attackrange.local {{ ansible_user }}@attackrange.local {{ general.attack_range_password }}" register: win_shell_output retries: 20 delay: 60 diff --git a/terraform/ansible/roles/join_domain/tasks/create_local.yml b/terraform/ansible/roles/join_domain/tasks/create_local.yml index af17cd080..e1f823fb4 100644 --- a/terraform/ansible/roles/join_domain/tasks/create_local.yml +++ b/terraform/ansible/roles/join_domain/tasks/create_local.yml 
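Review bot: Every connection entry now inlines the full SSH private key via `{{ lookup('file', aws.private_key_path) }}` / `{{ lookup('file', azure.private_key_path) }}`, plus `{{general.attack_range_password}}` for the RDP entries, so /etc/guacamole/user-mapping.xml becomes the most sensitive file on the guacamole host; the `template:` task in guacamole_server_post.yml earlier in this diff shows only `src`/`dest`/`when`, so if it does not set `mode: '0600'` with the owner restricted to the account tomcat runs as, that should be added, together with `no_log: true` so the rendered key does not land in Ansible output. The `{% if ... == 'aws' %}` / `{% elif ... == 'azure' %}` blocks emit no key at all for any other provider, which is fine if user-mapping-local.xml always covers `local`, but an `{% else %}` branch that makes the template fail would be safer than silently writing a keyless entry. The page rendering has stripped the XML tags from this hunk, so I could not check the element nesting of the new snort_server block.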
@@ -14,7 +14,7 @@ dest: 'C:\join_domain.ps1' - name: Run join domain - win_shell: "C:\\join_domain.ps1 attackrange.local {{ ansible_user }}@attackrange.local {{ attack_range_password }}" + win_shell: "C:\\join_domain.ps1 attackrange.local {{ ansible_user }}@attackrange.local {{ general.attack_range_password }}" register: win_shell_output retries: 20 delay: 60 diff --git a/terraform/ansible/roles/join_domain/tasks/main.yaml b/terraform/ansible/roles/join_domain/tasks/main.yaml index 0fb72143b..96be9ec1c 100644 --- a/terraform/ansible/roles/join_domain/tasks/main.yaml +++ b/terraform/ansible/roles/join_domain/tasks/main.yaml @@ -1,9 +1,9 @@ - include: create.yml - when: join_domain == "1" and cloud_provider != "local" + when: windows_servers.join_domain == "1" and general.cloud_provider != "local" - include: create_local.yml - when: join_domain == "1" and cloud_provider == "local" + when: windows_servers.join_domain == "1" and general.cloud_provider == "local" - include: windows-disable-firewall.yml - when: join_domain == "1" \ No newline at end of file + when: windows_servers.join_domain == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/linux_agent_prelude/tasks/install.yml b/terraform/ansible/roles/linux_agent_prelude/tasks/install.yml deleted file mode 100644 index 50d35dc80..000000000 --- a/terraform/ansible/roles/linux_agent_prelude/tasks/install.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Wait for redirector to be ready - wait_for: - port: 2323 - host: "10.0.1.12" - connect_timeout: 30 - delay: 60 - timeout: 900 - -- name: Download Prelude Pneuma from headless Operator - get_url: - url: http://10.0.1.12:3391/payloads/pneuma/v1.6/pneuma-linux - dest: /opt/prelude-pneuma - mode: 755 - -- name: Start Prelude Pneuma and Connect to headless Operator - shell: /opt/prelude-pneuma -name "$(hostname)" -address 10.0.1.12:2323 & - async: 10 - poll: 0 \ No newline at end of file 
diff --git a/terraform/ansible/roles/linux_agent_prelude/tasks/install_local.yml b/terraform/ansible/roles/linux_agent_prelude/tasks/install_local.yml deleted file mode 100644 index 78f701f75..000000000 --- a/terraform/ansible/roles/linux_agent_prelude/tasks/install_local.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Wait for redirector to be ready - wait_for: - port: 2323 - host: "192.168.56.12" - connect_timeout: 30 - delay: 60 - timeout: 900 - -- name: Download Prelude Pneuma from headless Operator - get_url: - url: http://192.168.56.12:3391/payloads/pneuma/v1.6/pneuma-linux - dest: /opt/prelude-pneuma - mode: 755 - -- name: Start Prelude Pneuma and Connect to headless Operator - shell: /opt/prelude-pneuma -name "$(hostname)" -address 192.168.56.12:2323 & - async: 10 - poll: 0 \ No newline at end of file diff --git a/terraform/ansible/roles/linux_agent_prelude/tasks/main.yml b/terraform/ansible/roles/linux_agent_prelude/tasks/main.yml deleted file mode 100644 index dd87e583f..000000000 --- a/terraform/ansible/roles/linux_agent_prelude/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- include: install.yml - when: prelude == "1" and cloud_provider!='local' - -- include: install_local.yml - when: prelude == "1" and cloud_provider=='local' \ No newline at end of file diff --git a/packer/ansible/roles/linux_common/files/20auto-upgrades b/terraform/ansible/roles/linux_common/files/20auto-upgrades similarity index 100% rename from packer/ansible/roles/linux_common/files/20auto-upgrades rename to terraform/ansible/roles/linux_common/files/20auto-upgrades diff --git a/packer/ansible/roles/linux_common/tasks/disable-autoupgrade.yml b/terraform/ansible/roles/linux_common/tasks/disable-autoupgrade.yml similarity index 100% rename from packer/ansible/roles/linux_common/tasks/disable-autoupgrade.yml rename to terraform/ansible/roles/linux_common/tasks/disable-autoupgrade.yml 
diff --git a/packer/ansible/roles/linux_common/tasks/disable-dnssec.yml b/terraform/ansible/roles/linux_common/tasks/disable-dnssec.yml similarity index 100% rename from packer/ansible/roles/linux_common/tasks/disable-dnssec.yml rename to terraform/ansible/roles/linux_common/tasks/disable-dnssec.yml diff --git a/packer/ansible/roles/linux_common/tasks/main.yml b/terraform/ansible/roles/linux_common/tasks/main.yml similarity index 80% rename from packer/ansible/roles/linux_common/tasks/main.yml rename to terraform/ansible/roles/linux_common/tasks/main.yml index a90580883..573f6a4ef 100644 --- a/packer/ansible/roles/linux_common/tasks/main.yml +++ b/terraform/ansible/roles/linux_common/tasks/main.yml @@ -1,6 +1,6 @@ --- #- include: set-hostname.yml -- include: update_packages.yml +#- include: update_packages.yml - include: disable-dnssec.yml - include: disable-autoupgrade.yml - include: update_sshd_config.yml \ No newline at end of file diff --git a/packer/ansible/roles/linux_common/tasks/set-hostname.yml b/terraform/ansible/roles/linux_common/tasks/set-hostname.yml similarity index 100% rename from packer/ansible/roles/linux_common/tasks/set-hostname.yml rename to terraform/ansible/roles/linux_common/tasks/set-hostname.yml diff --git a/packer/ansible/roles/linux_common/tasks/update_packages.yml b/terraform/ansible/roles/linux_common/tasks/update_packages.yml similarity index 67% rename from packer/ansible/roles/linux_common/tasks/update_packages.yml rename to terraform/ansible/roles/linux_common/tasks/update_packages.yml index fe4deb156..5748f976a 100644 --- a/packer/ansible/roles/linux_common/tasks/update_packages.yml +++ b/terraform/ansible/roles/linux_common/tasks/update_packages.yml 
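Review bot: `#- include: update_packages.yml` removes the only visible include of update_packages.yml, yet the next hunk rewrites that file to install `acl` with retries; unless it is included from somewhere outside this diff, the acl package (which Ansible relies on for become_user to an unprivileged account) is no longer installed on the Linux hosts. If the intent is to stop running apt upgrades at provision time, keeping the include with a comment such as `# acl is required for become_user; the apt cache refresh inside is retried` or moving the acl task into main.yml would preserve that. Commented-out code with no stated reason is also hard to tell apart from a leftover; a one-line explanation would help.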
@@ -1,15 +1,21 @@ --- -- name: Install Acl +- name: Update apt cache apt: - name: acl - update_cache: true - state: present + update_cache: yes + register: apt_update_result + retries: 3 + delay: 10 + until: apt_update_result is success -- name: Install Acl Retry +- name: Install Acl apt: name: acl state: present + register: acl_install_result + retries: 3 + delay: 10 + until: acl_install_result is success - name: Check if a reboot is needed for Debian and Ubuntu boxes register: reboot_required_file diff --git a/packer/ansible/roles/linux_common/tasks/update_sshd_config.yml b/terraform/ansible/roles/linux_common/tasks/update_sshd_config.yml similarity index 100% rename from packer/ansible/roles/linux_common/tasks/update_sshd_config.yml rename to terraform/ansible/roles/linux_common/tasks/update_sshd_config.yml diff --git a/packer/ansible/roles/linux_common/templates/disable-dnssec.conf.j2 b/terraform/ansible/roles/linux_common/templates/disable-dnssec.conf.j2 similarity index 100% rename from packer/ansible/roles/linux_common/templates/disable-dnssec.conf.j2 rename to terraform/ansible/roles/linux_common/templates/disable-dnssec.conf.j2 diff --git a/packer/ansible/roles/linux_install_art/tasks/main.yml b/terraform/ansible/roles/linux_install_art/tasks/main.yml similarity index 100% rename from packer/ansible/roles/linux_install_art/tasks/main.yml rename to terraform/ansible/roles/linux_install_art/tasks/main.yml diff --git a/packer/ansible/roles/linux_osquery/files/custom_osquery.conf b/terraform/ansible/roles/linux_osquery/files/custom_osquery.conf similarity index 100% rename from packer/ansible/roles/linux_osquery/files/custom_osquery.conf rename to terraform/ansible/roles/linux_osquery/files/custom_osquery.conf 
diff --git a/packer/ansible/roles/linux_osquery/files/custom_osquery.flags b/terraform/ansible/roles/linux_osquery/files/custom_osquery.flags
similarity index 100%
rename from packer/ansible/roles/linux_osquery/files/custom_osquery.flags
rename to terraform/ansible/roles/linux_osquery/files/custom_osquery.flags
diff --git a/packer/ansible/roles/linux_osquery/files/inputs.conf b/terraform/ansible/roles/linux_osquery/files/inputs.conf
similarity index 100%
rename from packer/ansible/roles/linux_osquery/files/inputs.conf
rename to terraform/ansible/roles/linux_osquery/files/inputs.conf
diff --git a/terraform/ansible/roles/linux_osquery/files/osquery_install.sh b/terraform/ansible/roles/linux_osquery/files/osquery_install.sh
new file mode 100644
index 000000000..6e1393a46
--- /dev/null
+++ b/terraform/ansible/roles/linux_osquery/files/osquery_install.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
+export OSQUERY_REPO="deb [arch=amd64] https://pkg.osquery.io/deb deb main"
+
+# Download and add the GPG key
+curl -sSL https://pkg.osquery.io/deb/pubkey.gpg | sudo apt-key add -
+
+# Add the repository
+echo "$OSQUERY_REPO" | sudo tee /etc/apt/sources.list.d/osquery.list
+
+# Update and install
+sudo apt-get update
+sudo apt-get install -y osquery
\ No newline at end of file
diff --git a/packer/ansible/roles/linux_osquery/files/template.osquery.conf b/terraform/ansible/roles/linux_osquery/files/template.osquery.conf
similarity index 100%
rename from packer/ansible/roles/linux_osquery/files/template.osquery.conf
rename to terraform/ansible/roles/linux_osquery/files/template.osquery.conf
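Review bot: `curl -sSL https://pkg.osquery.io/deb/pubkey.gpg | sudo apt-key add -` adds the downloaded key to apt's global trust store and `apt-key` is deprecated on current Debian/Ubuntu, while the `OSQUERY_KEY` fingerprint exported on the line above is never compared against what was downloaded, so the pin does nothing. The script also runs without `set -euo pipefail`, so a failed download still proceeds to `apt-get install`. I would write the key to a dedicated keyring, check its fingerprint against `OSQUERY_KEY`, and reference it with `signed-by=` in the source entry, roughly as below.

```shell
#!/bin/bash
set -euo pipefail
OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
KEYRING=/etc/apt/keyrings/osquery.gpg

# Fetch the key into its own keyring instead of apt's global trust store.
sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://pkg.osquery.io/deb/pubkey.gpg | gpg --dearmor | sudo tee "$KEYRING" > /dev/null

# Refuse to continue unless the downloaded key carries the pinned fingerprint.
gpg --no-default-keyring --keyring "$KEYRING" --with-colons --fingerprint \
  | grep "^fpr:.*:${OSQUERY_KEY}:$" > /dev/null \
  || { echo "osquery key fingerprint mismatch" >&2; exit 1; }

# Scope the key to this repository only.
echo "deb [arch=amd64 signed-by=$KEYRING] https://pkg.osquery.io/deb deb main" \
  | sudo tee /etc/apt/sources.list.d/osquery.list > /dev/null
# … unchanged: apt-get update / apt-get install -y osquery …
```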
diff --git a/packer/ansible/roles/linux_osquery/tasks/collect_osquery_logs.yml b/terraform/ansible/roles/linux_osquery/tasks/collect_osquery_logs.yml similarity index 87% rename from packer/ansible/roles/linux_osquery/tasks/collect_osquery_logs.yml rename to terraform/ansible/roles/linux_osquery/tasks/collect_osquery_logs.yml index f52bf9484..f0387efeb 100644 --- a/packer/ansible/roles/linux_osquery/tasks/collect_osquery_logs.yml +++ b/terraform/ansible/roles/linux_osquery/tasks/collect_osquery_logs.yml @@ -8,8 +8,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunkforwarder/etc/apps/osquery_app/local/ @@ -18,6 +16,4 @@ copy: src: inputs.conf dest: /opt/splunkforwarder/etc/apps/osquery_app/local/inputs.conf - owner: splunk - group: splunk force: yes \ No newline at end of file diff --git a/packer/ansible/roles/linux_osquery/tasks/install_osquery_linux.yml b/terraform/ansible/roles/linux_osquery/tasks/install_osquery_linux.yml similarity index 97% rename from packer/ansible/roles/linux_osquery/tasks/install_osquery_linux.yml rename to terraform/ansible/roles/linux_osquery/tasks/install_osquery_linux.yml index 1e468a133..d39bdcc6c 100644 --- a/packer/ansible/roles/linux_osquery/tasks/install_osquery_linux.yml +++ b/terraform/ansible/roles/linux_osquery/tasks/install_osquery_linux.yml @@ -12,7 +12,7 @@ copy: src: osquery_install.sh dest: /tmp/osquery_install.sh - mode: 0777 + mode: '0755' - name: check if osquery service exist stat: path=/etc/init.d/osqueryd @@ -67,11 +67,4 @@ become: true systemd: name: osqueryd - state: started - - - - - - - + state: started \ No newline at end of file diff --git a/packer/ansible/roles/linux_osquery/tasks/main.yml b/terraform/ansible/roles/linux_osquery/tasks/main.yml similarity index 75% rename from packer/ansible/roles/linux_osquery/tasks/main.yml rename to terraform/ansible/roles/linux_osquery/tasks/main.yml index ed70762fc..29d3b2b8e 100644 
--- a/packer/ansible/roles/linux_osquery/tasks/main.yml +++ b/terraform/ansible/roles/linux_osquery/tasks/main.yml @@ -6,9 +6,9 @@ - name: Restart splunk uf become: true command: "systemctl restart SplunkForwarder" - when: cloud_provider != "local" + when: general.cloud_provider != "local" - name: Restart splunk uf become: true command: "/opt/splunkforwarder/bin/splunk restart" - when: cloud_provider == "local" \ No newline at end of file + when: general.cloud_provider == "local" \ No newline at end of file diff --git a/terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml b/terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml index a981346f3..72b92212a 100644 --- a/terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml +++ b/terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml 
@@ -1,24 +1,20 @@ --- - name: change password splunk - shell: '/opt/splunkforwarder/bin/splunk edit user admin -password {{ attack_range_password }} -auth admin:Pl3ase-k1Ll-me:p' + shell: '/opt/splunkforwarder/bin/splunk edit user admin -password {{ general.attack_range_password }} -auth admin:Pl3ase-k1Ll-me:p' become: yes ignore_errors: yes - name: Change hostname - shell: '/opt/splunkforwarder/bin/splunk set default-hostname {{ hostname }} -auth admin:{{ attack_range_password }}' + shell: '/opt/splunkforwarder/bin/splunk set default-hostname {{ linux_servers.hostname }} -auth admin:{{ general.attack_range_password }}' become: yes - name: Change servername - shell: '/opt/splunkforwarder/bin/splunk set servername {{ hostname }} -auth admin:{{ attack_range_password }}' + shell: '/opt/splunkforwarder/bin/splunk set servername {{ linux_servers.hostname }} -auth admin:{{ general.attack_range_password }}' become: yes - name: Restart splunk uf become: true - command: "systemctl restart SplunkForwarder" - when: cloud_provider != "local" - -- name: Restart splunk uf - become: true - command: "/opt/splunkforwarder/bin/splunk restart" - when: cloud_provider == "local" \ No newline at end of file + systemd: + name: SplunkForwarder + state: restarted diff --git a/packer/ansible/roles/linux_sysmon/files/AttackRangeSysmon.xml b/terraform/ansible/roles/linux_sysmon/files/AttackRangeSysmon.xml similarity index 100% rename from packer/ansible/roles/linux_sysmon/files/AttackRangeSysmon.xml rename to terraform/ansible/roles/linux_sysmon/files/AttackRangeSysmon.xml diff --git a/packer/ansible/roles/linux_sysmon/files/SwiftOnSecurity.xml b/terraform/ansible/roles/linux_sysmon/files/SwiftOnSecurity.xml similarity index 100% rename from packer/ansible/roles/linux_sysmon/files/SwiftOnSecurity.xml rename to terraform/ansible/roles/linux_sysmon/files/SwiftOnSecurity.xml 
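Review bot: The three `shell:` tasks in this hunk render `general.attack_range_password` into the command line and have no `no_log: true`, so the password ends up in Ansible's verbose output, callback logs and any registered result; add `no_log: true` to each of them. The same gap is in the tasks copied into nginx_server_post/tasks/main.yml, in the `uri` tasks of phantom/tasks/configure_phantom.yml and configure_phantom_old.yml whose `body:` carries the new password, and in phantom_byo_splunk/tasks/config.yml. `ignore_errors: yes` on the first task looks intended for re-runs where the seed password is no longer valid; a comment such as `# seed password only works on first run; tolerate failure on re-runs` would stop the next reader from removing it. The unconditional `systemd:` restart replaces the old `cloud_provider == "local"` branch that used `splunk restart`; that is only safe if the local image also has the `SplunkForwarder` unit installed, which this hunk does not show.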
diff --git a/packer/ansible/roles/linux_sysmon/files/inputs.conf b/terraform/ansible/roles/linux_sysmon/files/inputs.conf similarity index 100% rename from packer/ansible/roles/linux_sysmon/files/inputs.conf rename to terraform/ansible/roles/linux_sysmon/files/inputs.conf diff --git a/packer/ansible/roles/linux_sysmon/tasks/configure_inputs.yml b/terraform/ansible/roles/linux_sysmon/tasks/configure_inputs.yml similarity index 83% rename from packer/ansible/roles/linux_sysmon/tasks/configure_inputs.yml rename to terraform/ansible/roles/linux_sysmon/tasks/configure_inputs.yml index 0a8a24bf1..79901872a 100644 --- a/packer/ansible/roles/linux_sysmon/tasks/configure_inputs.yml +++ b/terraform/ansible/roles/linux_sysmon/tasks/configure_inputs.yml @@ -4,8 +4,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunkforwarder/etc/apps/sysmon_app/local/ @@ -14,6 +12,4 @@ copy: src: inputs.conf dest: /opt/splunkforwarder/etc/apps/sysmon_app/local/inputs.conf - owner: splunk - group: splunk force: yes diff --git a/packer/ansible/roles/linux_sysmon/tasks/install_sysmon_linux.yml b/terraform/ansible/roles/linux_sysmon/tasks/install_sysmon_linux.yml similarity index 100% rename from packer/ansible/roles/linux_sysmon/tasks/install_sysmon_linux.yml rename to terraform/ansible/roles/linux_sysmon/tasks/install_sysmon_linux.yml diff --git a/packer/ansible/roles/linux_sysmon/tasks/main.yml b/terraform/ansible/roles/linux_sysmon/tasks/main.yml similarity index 75% rename from packer/ansible/roles/linux_sysmon/tasks/main.yml rename to terraform/ansible/roles/linux_sysmon/tasks/main.yml index 55442f60b..abc604903 100644 --- a/packer/ansible/roles/linux_sysmon/tasks/main.yml +++ b/terraform/ansible/roles/linux_sysmon/tasks/main.yml 
@@ -6,9 +6,9 @@ - name: Restart splunk uf become: true command: "systemctl restart SplunkForwarder" - when: cloud_provider != "local" + when: general.cloud_provider != "local" - name: Restart splunk uf become: true command: "/opt/splunkforwarder/bin/splunk restart" - when: cloud_provider == "local" \ No newline at end of file + when: general.cloud_provider == "local" \ No newline at end of file diff --git a/terraform/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml b/terraform/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml new file mode 100644 index 000000000..18b5d57a9 --- /dev/null +++ b/terraform/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml @@ -0,0 +1,29 @@ +--- + +- name: Install splunk uf + become: yes + apt: deb="{{ splunk_server.splunk_uf_url }}" + +- name: copy outputs.conf to forward data to splunk server + template: + src: outputs.conf.j2 + dest: /opt/splunkforwarder/etc/system/local/outputs.conf + force: yes + +- name: splunk license acceptance + become: true + command: /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd Pl3ase-k1Ll-me:p + +- name: Stop splunk uf + become: true + command: "/opt/splunkforwarder/bin/splunk stop" + +- name: setup to start at boot + become: true + command: "/opt/splunkforwarder/bin/splunk enable boot-start" + +- name: Start splunk uf + become: true + systemd: + name: SplunkForwarder + state: started \ No newline at end of file diff --git a/packer/ansible/roles/linux_universal_forwarder/tasks/main.yml b/terraform/ansible/roles/linux_universal_forwarder/tasks/main.yml similarity index 100% rename from packer/ansible/roles/linux_universal_forwarder/tasks/main.yml rename to terraform/ansible/roles/linux_universal_forwarder/tasks/main.yml 
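Review bot: The `copy outputs.conf to forward data to splunk server` task has no `become`, while every other task in this new file escalates; unless the play sets `become` globally, writing `/opt/splunkforwarder/etc/system/local/outputs.conf` under a package installed by root fails with a permission error, so add `become: true` to it. `apt: deb="{{ splunk_server.splunk_uf_url }}"` installs a package fetched straight from a URL with no integrity check; fetching it with `get_url` and a `checksum:` first and then installing the local file makes the build verifiable and reproducible. `--seed-passwd Pl3ase-k1Ll-me:p` is a publicly known value that is rotated later in linux_server_post/tasks/change_splunk_password.yml; a comment pointing at that rotation would make the dependency explicit.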
diff --git a/packer/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2 b/terraform/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2 similarity index 75% rename from packer/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2 rename to terraform/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2 index 4ec01efe1..6a945ccc0 100644 --- a/packer/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2 +++ b/terraform/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2 @@ -2,7 +2,7 @@ defaultGroup=my_indexers [tcpout:my_indexers] -{% if cloud_provider == 'local' %} +{% if general.cloud_provider == 'local' %} server=192.168.56.12:9997 {%- else -%} server=10.0.1.12:9997 diff --git a/terraform/ansible/roles/nginx_server_post/tasks/main.yml b/terraform/ansible/roles/nginx_server_post/tasks/main.yml index 2648cac81..34e3e8fac 100644 --- a/terraform/ansible/roles/nginx_server_post/tasks/main.yml +++ b/terraform/ansible/roles/nginx_server_post/tasks/main.yml 
@@ -4,11 +4,30 @@ template: src: default.conf.j2 dest: /etc/nginx/conf.d/default.conf - when: proxy_server_ip != "10.0.1.12" or proxy_server_port != "8000" + when: nginx_server.proxy_server_ip != "10.0.1.12" or nginx_server.proxy_server_port != "8000" - name: reload nginx systemd: state: restarted daemon_reload: yes name: nginx - when: proxy_server_ip != "10.0.1.12" or proxy_server_port != "8000" \ No newline at end of file + when: nginx_server.proxy_server_ip != "10.0.1.12" or nginx_server.proxy_server_port != "8000" + +- name: change password splunk + shell: '/opt/splunkforwarder/bin/splunk edit user admin -password {{ general.attack_range_password }} -auth admin:Pl3ase-k1Ll-me:p' + become: yes + ignore_errors: yes + +- name: Change hostname + shell: '/opt/splunkforwarder/bin/splunk set default-hostname {{ nginx_server.hostname }} -auth admin:{{ general.attack_range_password }}' + become: yes + +- name: Change servername + shell: '/opt/splunkforwarder/bin/splunk set servername {{ nginx_server.hostname }} -auth admin:{{ general.attack_range_password }}' + become: yes + +- name: Restart splunk uf + become: true + systemd: + name: SplunkForwarder + state: restarted \ No newline at end of file diff --git a/terraform/ansible/roles/nginx_server_post/templates/default.conf.j2 b/terraform/ansible/roles/nginx_server_post/templates/default.conf.j2 index 5db8cc3bb..47e2706cc 100644 --- a/terraform/ansible/roles/nginx_server_post/templates/default.conf.j2 +++ b/terraform/ansible/roles/nginx_server_post/templates/default.conf.j2 @@ -7,7 +7,7 @@ server { location / { # root /usr/share/nginx/html; # index index.html index.htm; - proxy_pass http://{{proxy_server_ip}}:{{proxy_server_port}}; + proxy_pass http://{{nginx_server.proxy_server_ip}}:{{nginx_server.proxy_server_port}}; } #error_page 404 /404.html; 
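Review bot: Both `when:` conditions compare `nginx_server.proxy_server_port` with the string `"8000"`; if the port is an integer in the new structured config, `8000 != "8000"` is true in Jinja and the template write plus nginx restart run on every play. Casting first, `when: nginx_server.proxy_server_ip != "10.0.1.12" or nginx_server.proxy_server_port | string != "8000"`, keeps the intended skip; the config's type is not visible from this hunk. The four appended Splunk tasks are a verbatim copy of linux_server_post/tasks/change_splunk_password.yml with the hostname variable swapped; an `include_tasks` of one shared file with the hostname passed as a var would keep the two copies from drifting.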
diff --git a/packer/ansible/roles/nginx_web_proxy/files/default.conf b/terraform/ansible/roles/nginx_web_proxy/files/default.conf similarity index 100% rename from packer/ansible/roles/nginx_web_proxy/files/default.conf rename to terraform/ansible/roles/nginx_web_proxy/files/default.conf diff --git a/packer/ansible/roles/nginx_web_proxy/files/inputs.conf b/terraform/ansible/roles/nginx_web_proxy/files/inputs.conf similarity index 100% rename from packer/ansible/roles/nginx_web_proxy/files/inputs.conf rename to terraform/ansible/roles/nginx_web_proxy/files/inputs.conf diff --git a/packer/ansible/roles/nginx_web_proxy/files/nginx.conf b/terraform/ansible/roles/nginx_web_proxy/files/nginx.conf similarity index 100% rename from packer/ansible/roles/nginx_web_proxy/files/nginx.conf rename to terraform/ansible/roles/nginx_web_proxy/files/nginx.conf diff --git a/packer/ansible/roles/nginx_web_proxy/tasks/configure_inputs.yml b/terraform/ansible/roles/nginx_web_proxy/tasks/configure_inputs.yml similarity index 81% rename from packer/ansible/roles/nginx_web_proxy/tasks/configure_inputs.yml rename to terraform/ansible/roles/nginx_web_proxy/tasks/configure_inputs.yml index 144b57236..c686f185d 100644 --- a/packer/ansible/roles/nginx_web_proxy/tasks/configure_inputs.yml +++ b/terraform/ansible/roles/nginx_web_proxy/tasks/configure_inputs.yml @@ -2,6 +2,4 @@ copy: src: inputs.conf dest: /opt/splunkforwarder/etc/system/local/inputs.conf - owner: splunk - group: splunk force: yes diff --git a/packer/ansible/roles/nginx_web_proxy/tasks/main.yml b/terraform/ansible/roles/nginx_web_proxy/tasks/main.yml similarity index 67% rename from packer/ansible/roles/nginx_web_proxy/tasks/main.yml rename to terraform/ansible/roles/nginx_web_proxy/tasks/main.yml index 2ec114f5a..083cacce0 100644 --- a/packer/ansible/roles/nginx_web_proxy/tasks/main.yml +++ b/terraform/ansible/roles/nginx_web_proxy/tasks/main.yml 
@@ -1,8 +1,6 @@ --- -#- include: install_deb_uf.yml -#- include: configure_outputs_conf.yml + - include: nginx_web_proxy.yml -#- include: create_deploymentclient.yml - include: configure_inputs.yml - name: Restart splunk uf diff --git a/packer/ansible/roles/nginx_web_proxy/tasks/nginx_web_proxy.yml b/terraform/ansible/roles/nginx_web_proxy/tasks/nginx_web_proxy.yml similarity index 100% rename from packer/ansible/roles/nginx_web_proxy/tasks/nginx_web_proxy.yml rename to terraform/ansible/roles/nginx_web_proxy/tasks/nginx_web_proxy.yml diff --git a/packer/ansible/roles/nginx_web_proxy/templates/default.conf.j2 b/terraform/ansible/roles/nginx_web_proxy/templates/default.conf.j2 similarity index 93% rename from packer/ansible/roles/nginx_web_proxy/templates/default.conf.j2 rename to terraform/ansible/roles/nginx_web_proxy/templates/default.conf.j2 index 4d6362b3e..5a6f9119f 100644 --- a/packer/ansible/roles/nginx_web_proxy/templates/default.conf.j2 +++ b/terraform/ansible/roles/nginx_web_proxy/templates/default.conf.j2 @@ -7,7 +7,7 @@ server { location / { # root /usr/share/nginx/html; # index index.html index.htm; - proxy_pass http://{{proxy_server_ip}}:{{proxy_server_port}}; + proxy_pass http://{{nginx_server.proxy_server_ip}}:{{nginx_server.proxy_server_port}}; } #error_page 404 /404.html; diff --git a/packer/ansible/roles/nginx_web_proxy/templates/deploymentclient.conf.j2 b/terraform/ansible/roles/nginx_web_proxy/templates/deploymentclient.conf.j2 similarity index 100% rename from packer/ansible/roles/nginx_web_proxy/templates/deploymentclient.conf.j2 rename to terraform/ansible/roles/nginx_web_proxy/templates/deploymentclient.conf.j2 diff --git a/packer/ansible/roles/nginx_web_proxy/templates/outputs.conf.j2 b/terraform/ansible/roles/nginx_web_proxy/templates/outputs.conf.j2 similarity index 100% rename from packer/ansible/roles/nginx_web_proxy/templates/outputs.conf.j2 rename to terraform/ansible/roles/nginx_web_proxy/templates/outputs.conf.j2 
diff --git a/terraform/ansible/roles/phantom/tasks/configure_phantom.yml b/terraform/ansible/roles/phantom/tasks/configure_phantom.yml index 142f99a52..44d1343cb 100644 --- a/terraform/ansible/roles/phantom/tasks/configure_phantom.yml +++ b/terraform/ansible/roles/phantom/tasks/configure_phantom.yml @@ -7,7 +7,7 @@ method: POST user: soar_local_admin password: password - body: {"old_password":"password","password":"{{attack_range_password}}"} + body: {"old_password":"password","password":"{{general.attack_range_password}}"} body_format: json force_basic_auth: yes validate_certs: no @@ -17,7 +17,7 @@ url: https://127.0.0.1:8443/rest/ph_user/2/token method: GET user: soar_local_admin - password: "{{attack_range_password}}" + password: "{{general.attack_range_password}}" force_basic_auth: yes validate_certs: no register: api_token @@ -32,7 +32,7 @@ method: POST body: '{"allowed_ips":["any"]}' user: soar_local_admin - password: "{{attack_range_password}}" + password: "{{general.attack_range_password}}" force_basic_auth: yes validate_certs: no diff --git a/terraform/ansible/roles/phantom/tasks/configure_phantom_old.yml b/terraform/ansible/roles/phantom/tasks/configure_phantom_old.yml index f8c32b293..eee9bfd06 100644 --- a/terraform/ansible/roles/phantom/tasks/configure_phantom_old.yml +++ b/terraform/ansible/roles/phantom/tasks/configure_phantom_old.yml @@ -7,7 +7,7 @@ method: POST user: admin password: password - body: {"old_password":"password","password":"{{attack_range_password}}"} + body: {"old_password":"password","password":"{{general.attack_range_password}}"} body_format: json force_basic_auth: yes validate_certs: no @@ -17,7 +17,7 @@ url: https://127.0.0.1:8443/rest/ph_user/2/token method: GET user: admin - password: "{{attack_range_password}}" + password: "{{general.attack_range_password}}" force_basic_auth: yes validate_certs: no register: api_token 
@@ -32,7 +32,7 @@ method: POST body: '{"allowed_ips":["any"]}' user: admin - password: "{{attack_range_password}}" + password: "{{general.attack_range_password}}" force_basic_auth: yes validate_certs: no diff --git a/terraform/ansible/roles/phantom/tasks/install_phantom.yml b/terraform/ansible/roles/phantom/tasks/install_phantom.yml new file mode 100644 index 000000000..792973d71 --- /dev/null +++ b/terraform/ansible/roles/phantom/tasks/install_phantom.yml @@ -0,0 +1,50 @@ +--- +# Install Phantom from RPM on a fresh CentOS 7 instance + +- name: Change mirror to vault.centos.org + shell: sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo + become: yes + +- name: Uncomment baseurl lines + shell: sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/*.repo + become: yes + +- name: Comment out mirrorlist lines + shell: sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/*.repo + become: yes + +- name: Update all packages + yum: + name: "*" + state: latest + update_cache: yes + become: yes + +- name: Copy Splunk SOAR to server + become: true + become_user: centos + unarchive: + src: "../../apps/{{ phantom_server.phantom_app }}" + dest: /home/centos + +- name: Creates directory + file: + path: /opt/soar + state: directory + +- name: prepare phantom install script without apps + become_user: centos + shell: sudo /home/centos/splunk-soar/soar-prepare-system --splunk-soar-home /opt/soar --no-prompt + +- name: copy splunk soar folder + shell: cp -r /home/centos/splunk-soar /home/phantom/splunk-soar + +- name: chown splunk soar folder + shell: chown -R phantom. /home/phantom/splunk-soar + +- name: run the phantom install script + become_user: phantom + shell: ./soar-install --splunk-soar-home /opt/soar --no-prompt --ignore-warnings + args: + chdir: /home/phantom/splunk-soar + 
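Review bot: The `Creates directory`, `copy splunk soar folder` and `chown splunk soar folder` tasks in this new file carry no `become`, while their neighbours escalate through `become: yes` or through `sudo` written inside `shell:`; unless the play sets `become` globally, `file: path: /opt/soar` and `chown -R phantom.` run as the unprivileged login user and fail. Use the `become: true` keyword on those tasks and on `prepare phantom install script without apps` instead of `shell: sudo ...`, so escalation is visible to Ansible's logging and `become_user: centos` means what it says. `cp -r` and `chown -R` need no shell features and can use `command:`. `yum: name: "*" state: latest` makes the image content depend on the day it is built; pinning is a stability rather than a security point here.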
diff --git a/packer/ansible/roles/phantom/tasks/install_phantom_local.yml b/terraform/ansible/roles/phantom/tasks/install_phantom_local.yml similarity index 95% rename from packer/ansible/roles/phantom/tasks/install_phantom_local.yml rename to terraform/ansible/roles/phantom/tasks/install_phantom_local.yml index a1fd7213a..3c8c93d13 100644 --- a/packer/ansible/roles/phantom/tasks/install_phantom_local.yml +++ b/terraform/ansible/roles/phantom/tasks/install_phantom_local.yml @@ -25,7 +25,7 @@ - name: Copy Splunk SOAR to server unarchive: - src: "../../apps/{{ phantom_app }}" + src: "../../apps/{{ phantom_server.phantom_app }}" dest: /home/vagrant become: yes become_user: vagrant diff --git a/terraform/ansible/roles/phantom/tasks/main.yml b/terraform/ansible/roles/phantom/tasks/main.yml index 2b26238c0..6703fbb14 100644 --- a/terraform/ansible/roles/phantom/tasks/main.yml +++ b/terraform/ansible/roles/phantom/tasks/main.yml @@ -1,8 +1,14 @@ --- # This playbook contains common tasks in this role +- include: install_phantom.yml + when: general.cloud_provider != "local" + +- include: install_phantom_local.yml + when: general.cloud_provider == "local" + - include: configure_phantom.yml - when: phantom_app | regex_search("splunk_soar-unpriv-6") + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-6") - include: configure_phantom_old.yml - when: phantom_app | regex_search("splunk_soar-unpriv-5") \ No newline at end of file + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-5") \ No newline at end of file diff --git a/terraform/ansible/roles/phantom_byo_splunk/tasks/config.yml b/terraform/ansible/roles/phantom_byo_splunk/tasks/config.yml index 9df8911e2..0517d54c6 100644 --- a/terraform/ansible/roles/phantom_byo_splunk/tasks/config.yml +++ b/terraform/ansible/roles/phantom_byo_splunk/tasks/config.yml 
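Review bot: The two new includes use the legacy `- include:` action, which has been deprecated since Ansible 2.4 and is removed in recent ansible-core releases, so this role stops loading on an upgraded controller; new lines should read `- include_tasks: install_phantom.yml` with the same `when:`. The existing `configure_phantom*` includes below have the same issue but are only touched here for the variable rename.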
@@ -4,22 +4,18 @@ file: path: /opt/splunk/etc/apps/phantom/local state: directory - owner: splunk - group: splunk - name: copy phantom.conf to splunk server copy: src: phantom.conf dest: /opt/splunk/etc/apps/phantom/local/phantom.conf - owner: splunk - group: splunk - name: restart splunk service: name=splunk state=restarted become: yes - name: Connect Splunk Phantom App with Phantom - shell: curl -k -u "admin:{{ attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ phantom_byo_api_token | replace("=","%3D") | replace("+","%2B") }}","server":"https://{{ phantom_byo_ip }}","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json + shell: curl -k -u "admin:{{ general.attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ phantom_server.phantom_byo_api_token | replace("=","%3D") | replace("+","%2B") }}","server":"https://{{ phantom_server.phantom_byo_ip }}","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json register: shell_output - debug: diff --git a/terraform/ansible/roles/phantom_byo_splunk/tasks/main.yml b/terraform/ansible/roles/phantom_byo_splunk/tasks/main.yml index 1b3c4c04a..d0bdf57db 100644 --- a/terraform/ansible/roles/phantom_byo_splunk/tasks/main.yml +++ b/terraform/ansible/roles/phantom_byo_splunk/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: config.yml - when: phantom_byo == "1" \ No newline at end of file + when: phantom_server.phantom_byo == "1" \ No newline at end of file 
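Review bot: The curl command in this hunk puts `general.attack_range_password` and `phantom_server.phantom_byo_api_token` on the command line, and the task registers the result as `shell_output`, whose `cmd` field is then printed by the `- debug:` at the end of the hunk; both secrets therefore land in the play output. Add `no_log: true` to the task, and if the response is needed for troubleshooting print `shell_output.stdout` only. Moving this call to the `uri` module with `user:`/`password:` and `body:` would also keep the credentials out of the process list on the Splunk host. `-k` against `https://localhost:8089` is a self-signed-certificate workaround worth a one-line comment.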
diff --git a/terraform/ansible/roles/prelude/files/prelude-operator.service b/terraform/ansible/roles/prelude/files/prelude-operator.service deleted file mode 100644 index 598d3db25..000000000 --- a/terraform/ansible/roles/prelude/files/prelude-operator.service +++ /dev/null @@ -1,19 +0,0 @@ -# Expects Headless Operator binary under headless under: /opt/prelude -# Safe this file to /etc/systemd/system/prelude-operator.service, then run: systemctl daemon-reload -# You can configure specific account by writing ACCOUNT_EMAIL var under /opt/prelude/env -# example: -# ACCOUNT_EMAIL=a8b6a79c-c98b-11ec-ba35-3f30ad1005c5@desktop.prelude.org -# Writes logs to syslog - -[Unit] -Description=Prelude Operator - -[Service] -EnvironmentFile=/opt/prelude/env -ExecStart=/opt/prelude/headless --accountEmail=${ACCOUNT_EMAIL} --sessionToken=${SESSION_TOKEN} -StandardOutput=syslog -StandardError=syslog -SyslogIdentifier=prelude-operator - -[Install] -WantedBy=multi-user.target diff --git a/terraform/ansible/roles/prelude/tasks/install.yml b/terraform/ansible/roles/prelude/tasks/install.yml deleted file mode 100644 index 9a7074371..000000000 --- a/terraform/ansible/roles/prelude/tasks/install.yml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -- name: Make /opt/prelude - file: - path: /opt/prelude - state: directory - mode: '0755' - -- name: Download Prelude Operator Linux Headless /opt/prelude/headless.zip - get_url: - url: "{{ prelude_operator_url }}" - dest: /opt/prelude/headless.zip - -- name: Install unzip - apt: - name: unzip - state: latest - -- name: Unzip headless.zip - unarchive: - src: /opt/prelude/headless.zip - dest: /opt/prelude - remote_src: yes - -- name: Generate Session Token - shell: uuidgen - register: prelude_session_token - -- name: Copy env, configures Prelude Email Account - template: - src: env - dest: /opt/prelude/env - -- name: Copy systemd file - copy: - src: prelude-operator.service - dest: /etc/systemd/system/prelude-operator.service - mode: 644 - -- name: Start Prelude Operator service - systemd: - name: prelude-operator.service - state: started - -- name: Write Session Token to file - delegate_to: localhost - become: false - local_action: copy content="{{ prelude_session_token.stdout }}" dest=/var/tmp/.prelude_session_token force=yes diff --git a/terraform/ansible/roles/prelude/tasks/main.yml b/terraform/ansible/roles/prelude/tasks/main.yml deleted file mode 100644 index a7b7780f0..000000000 --- a/terraform/ansible/roles/prelude/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -- include: install.yml - when: prelude == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/prelude/templates/env b/terraform/ansible/roles/prelude/templates/env deleted file mode 100644 index 5b5a8ffca..000000000 --- a/terraform/ansible/roles/prelude/templates/env +++ /dev/null @@ -1,3 +0,0 @@ -## Prelude Creds -ACCOUNT_EMAIL={{ prelude_account_email }} -SESSION_TOKEN= {{ prelude_session_token.stdout }} \ No newline at end of file diff --git a/terraform/ansible/roles/red_team_tools/tasks/main.yml b/terraform/ansible/roles/red_team_tools/tasks/main.yml index f5b823647..28b4e6d0a 100644 --- a/terraform/ansible/roles/red_team_tools/tasks/main.yml 
+++ b/terraform/ansible/roles/red_team_tools/tasks/main.yml 
@@ -1,87 +1,87 @@ --- - name: Git clone SharpHound win_shell: git clone https://github.com/BloodHoundAD/SharpHound3.git C:\tools\SharpHound3 - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone MailSniper win_shell: git clone https://github.com/dafthack/MailSniper.git C:\tools\MailSniper - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone juicy-potato win_shell: git clone https://github.com/decoder-it/juicy-potato.git C:\tools\juicy-potato - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone SharpChrome win_shell: git clone https://github.com/djhohnstein/SharpChrome.git C:\tools\SharpChrome - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone Egress-Assess win_shell: git clone https://github.com/FortyNorthSecurity/Egress-Assess.git C:\tools\Egress-Assess - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone SharpGPOAbuse win_shell: git clone https://github.com/FSecureLABS/SharpGPOAbuse.git C:\tools\SharpGPOAbuse - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone SharpGPOAbuse win_shell: git clone https://github.com/gentilkiwi/mimikatz.git C:\tools\mimikatz - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone Seatbelt win_shell: git clone https://github.com/GhostPack/Seatbelt.git C:\tools\Seatbelt - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone DAMP win_shell: git clone https://github.com/HarmJ0y/DAMP.git C:\tools\DAMP - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone UACME win_shell: git clone https://github.com/hfiref0x/UACME.git C:\tools\UACME - 
when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone SpoolSample win_shell: git clone https://github.com/leechristensen/SpoolSample.git C:\tools\SpoolSample - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone PowerUpSQL win_shell: git clone https://github.com/NetSPI/PowerUpSQL.git C:\tools\PowerUpSQL - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone PowerShdll win_shell: git clone https://github.com/p3nt4/PowerShdll.git C:\tools\PowerShdll - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone PowerSploit win_shell: git clone https://github.com/PowerShellMafia/PowerSploit.git C:\tools\PowerSploit - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone MiscTools win_shell: git clone https://github.com/rasta-mouse/MiscTools.git C:\tools\MiscTools - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone Sherlock win_shell: git clone https://github.com/rasta-mouse/Sherlock.git C:\tools\Sherlock - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone Watson win_shell: git clone https://github.com/rasta-mouse/Watson.git C:\tools\Watson - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone SharpView win_shell: git clone https://github.com/tevora-threat/SharpView.git C:\tools\SharpView - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" - name: Git clone donut win_shell: git clone https://github.com/TheWover/donut.git C:\tools\donut - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" # - name: Git clone PurpleSharp # win_shell: git clone 
https://github.com/mvelazc0/PurpleSharp.git c:\tools\PurpleSharp -# when: install_red_team_tools == "1" +# when: windows_servers.install_red_team_tools == "1" - name: install sysinternals win_shell: C:\\ProgramData\\chocolatey\\bin\\choco.exe install sysinternals --fail-on-unfound --yes --no-progress --limit-output --timeout 2700 --ignore-checksums - when: install_red_team_tools == "1" + when: windows_servers.install_red_team_tools == "1" ignore_errors: yes diff --git a/terraform/ansible/roles/set_hostname_linux/tasks/main.yml b/terraform/ansible/roles/set_hostname_linux/tasks/main.yml index 55551a9c3..104746095 100644 --- a/terraform/ansible/roles/set_hostname_linux/tasks/main.yml +++ b/terraform/ansible/roles/set_hostname_linux/tasks/main.yml @@ -2,4 +2,4 @@ - name: Change the hostname hostname: - name: "{{ hostname }}" \ No newline at end of file + name: "{{ linux_servers.hostname }}" \ No newline at end of file diff --git a/terraform/ansible/roles/set_hostname_nginx/tasks/main.yml b/terraform/ansible/roles/set_hostname_nginx/tasks/main.yml new file mode 100644 index 000000000..e001f4cfc --- /dev/null +++ b/terraform/ansible/roles/set_hostname_nginx/tasks/main.yml @@ -0,0 +1,5 @@ +--- + +- name: Change the hostname + hostname: + name: "{{ nginx_server.hostname }}" \ No newline at end of file diff --git a/terraform/ansible/roles/set_hostname_win/tasks/main.yml b/terraform/ansible/roles/set_hostname_win/tasks/main.yml index f26adc879..16fae0087 100644 --- a/terraform/ansible/roles/set_hostname_win/tasks/main.yml +++ b/terraform/ansible/roles/set_hostname_win/tasks/main.yml @@ -2,7 +2,7 @@ - name: Change the hostname win_hostname: - name: "{{ hostname }}" + name: "{{ windows_servers.hostname }}" - name: reboot | Rebooting Server win_reboot: \ No newline at end of file diff --git a/terraform/ansible/roles/snort/files/inputs.conf b/terraform/ansible/roles/snort/files/inputs.conf new file mode 100644 index 000000000..8c8b87d50 --- /dev/null 
+++ b/terraform/ansible/roles/snort/files/inputs.conf
@@ -0,0 +1,8 @@
+[default]
+host = snort
+
+[monitor:///var/log/snort/alert_fast.txt]
+_TCP_ROUTING = *
+index = snort
+sourcetype = snort_alert_fast
+
diff --git a/terraform/ansible/roles/snort/files/snort.lua b/terraform/ansible/roles/snort/files/snort.lua
new file mode 100644
index 000000000..2f63ba0c8
--- /dev/null
+++ b/terraform/ansible/roles/snort/files/snort.lua
@@ -0,0 +1,282 @@ +--------------------------------------------------------------------------- +-- Snort++ configuration +--------------------------------------------------------------------------- + +-- there are over 200 modules available to tune your policy. +-- many can be used with defaults w/o any explicit configuration. +-- use this conf as a template for your specific configuration. + +-- 1. configure defaults +-- 2. configure inspection +-- 3. configure bindings +-- 4. configure performance +-- 5. configure detection +-- 6. configure filters +-- 7. configure outputs +-- 8. configure tweaks + +--------------------------------------------------------------------------- +-- 1. configure defaults +--------------------------------------------------------------------------- + +-- HOME_NET and EXTERNAL_NET must be set now +-- setup the network addresses you are protecting +HOME_NET = 'any' + +-- set up the external network addresses. +-- (leave as "any" in most situations) +EXTERNAL_NET = 'any' + +include 'snort_defaults.lua' + +--------------------------------------------------------------------------- +-- 2. 
configure inspection +--------------------------------------------------------------------------- + +-- mod = { } uses internal defaults +-- you can see them with snort --help-module mod + +-- mod = default_mod uses external defaults +-- you can see them in snort_defaults.lua + +-- the following are quite capable with defaults: + +stream = { } +stream_ip = { } +stream_icmp = { } +stream_tcp = { } +stream_udp = { } +stream_user = { } +stream_file = { } + +arp_spoof = { } +back_orifice = { } +dns = { } +imap = { } +netflow = {} +normalizer = { } +pop = { } +rpc_decode = { } +sip = { } +ssh = { } +ssl = { } +telnet = { } + +cip = { } +dnp3 = { } +iec104 = { } +mms = { } +modbus = { } +s7commplus = { } + +dce_smb = { } +dce_tcp = { } +dce_udp = { } +dce_http_proxy = { } +dce_http_server = { } + +-- see snort_defaults.lua for default_* +gtp_inspect = default_gtp +port_scan = default_med_port_scan +smtp = default_smtp + +ftp_server = default_ftp_server +ftp_client = { } +ftp_data = { } + +http_inspect = { } +http2_inspect = { } + +-- see file_magic.rules for file id rules +file_id = { rules_file = 'file_magic.rules' } +file_policy = { } + +js_norm = default_js_norm + +-- the following require additional configuration to be fully effective: + +appid = +{ + -- appid requires this to use appids in rules + --app_detector_dir = 'directory to load appid detectors from' +app_detector_dir = '/usr/local/lib', +log_stats = true, +} + +--[[ +reputation = +{ + -- configure one or both of these, then uncomment reputation + -- (see also related path vars at the top of snort_defaults.lua) + + --blacklist = 'blacklist file name with ip lists' + --whitelist = 'whitelist file name with ip lists' +} +--]] + +--------------------------------------------------------------------------- +-- 3. 
configure bindings +--------------------------------------------------------------------------- + +wizard = default_wizard + +binder = +{ + -- port bindings required for protocols without wizard support + { when = { proto = 'udp', ports = '53', role='server' }, use = { type = 'dns' } }, + { when = { proto = 'tcp', ports = '53', role='server' }, use = { type = 'dns' } }, + { when = { proto = 'tcp', ports = '111', role='server' }, use = { type = 'rpc_decode' } }, + { when = { proto = 'tcp', ports = '502', role='server' }, use = { type = 'modbus' } }, + { when = { proto = 'tcp', ports = '2123 2152 3386', role='server' }, use = { type = 'gtp_inspect' } }, + { when = { proto = 'tcp', ports = '2404', role='server' }, use = { type = 'iec104' } }, + { when = { proto = 'udp', ports = '2222', role = 'server' }, use = { type = 'cip' } }, + { when = { proto = 'tcp', ports = '44818', role = 'server' }, use = { type = 'cip' } }, + + { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } }, + { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } }, + { when = { proto = 'udp', service = 'netflow' }, use = { type = 'netflow' } }, + + { when = { service = 'netbios-ssn' }, use = { type = 'dce_smb' } }, + { when = { service = 'dce_http_server' }, use = { type = 'dce_http_server' } }, + { when = { service = 'dce_http_proxy' }, use = { type = 'dce_http_proxy' } }, + + { when = { service = 'cip' }, use = { type = 'cip' } }, + { when = { service = 'dnp3' }, use = { type = 'dnp3' } }, + { when = { service = 'dns' }, use = { type = 'dns' } }, + { when = { service = 'ftp' }, use = { type = 'ftp_server' } }, + { when = { service = 'ftp-data' }, use = { type = 'ftp_data' } }, + { when = { service = 'gtp' }, use = { type = 'gtp_inspect' } }, + { when = { service = 'imap' }, use = { type = 'imap' } }, + { when = { service = 'http' }, use = { type = 'http_inspect' } }, + { when = { service = 'http2' }, use = { type = 'http2_inspect' } }, + { when = { 
service = 'iec104' }, use = { type = 'iec104' } }, + { when = { service = 'mms' }, use = { type = 'mms' } }, + { when = { service = 'modbus' }, use = { type = 'modbus' } }, + { when = { service = 'pop3' }, use = { type = 'pop' } }, + { when = { service = 'ssh' }, use = { type = 'ssh' } }, + { when = { service = 'sip' }, use = { type = 'sip' } }, + { when = { service = 'smtp' }, use = { type = 'smtp' } }, + { when = { service = 'ssl' }, use = { type = 'ssl' } }, + { when = { service = 'sunrpc' }, use = { type = 'rpc_decode' } }, + { when = { service = 's7commplus' }, use = { type = 's7commplus' } }, + { when = { service = 'telnet' }, use = { type = 'telnet' } }, + + { use = { type = 'wizard' } } +} + +--------------------------------------------------------------------------- +-- 4. configure performance +--------------------------------------------------------------------------- + +-- use latency to monitor / enforce packet and rule thresholds +--latency = { } + +-- use these to capture perf data for analysis and tuning +--profiler = { } +--perf_monitor = { } + +--------------------------------------------------------------------------- +-- 5. configure detection +--------------------------------------------------------------------------- + +references = default_references +classifications = default_classifications + +ips = +{ + -- use this to enable decoder and inspector alerts +enable_builtin_rules = true, +include = RULE_PATH .. "/local.rules", +include = RULE_PATH .. 
"/snort3-community-rules/snort3-community.rules", + -- use include for rules files; be sure to set your path + -- note that rules files can include other rules files + -- (see also related path vars at the top of snort_defaults.lua) + + variables = default_variables +} + +-- use these to configure additional rule actions +-- react = { } +-- reject = { } + +-- use this to enable payload injection utility +-- payload_injector = { } + +--------------------------------------------------------------------------- +-- 6. configure filters +--------------------------------------------------------------------------- + +-- below are examples of filters +-- each table is a list of records + +--[[ +suppress = +{ + -- don't want to any of see these + { gid = 1, sid = 1 }, + + -- don't want to see anything for a given host + { track = 'by_dst', ip = '1.2.3.4' } + + -- don't want to see these for a given host + { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' }, +} +--]] + +--[[ +event_filter = +{ + -- reduce the number of events logged for some rules + { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 }, + { gid = 1, sid = 2, type = 'both', track = 'by_dst', count = 5, seconds = 60 }, +} +--]] + +--[[ +rate_filter = +{ + -- alert on connection attempts from clients in SOME_NET + { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1, + new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' }, + + -- alert on connections to servers over threshold + { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3, + new_action = 'alert', timeout = 1 }, +} +--]] + +--------------------------------------------------------------------------- +-- 7. 
configure outputs
+---------------------------------------------------------------------------
+
+-- event logging
+-- you can enable with defaults from the command line with -A
+-- uncomment below to set non-default configs
+--alert_csv = { }
+alert_fast = {file = true,
+packet = false,
+limit = 10,
+}
+--alert_fast = { }
+--alert_full = { }
+--alert_sfsocket = { }
+--alert_syslog = { }
+--unified2 = { }
+
+-- packet logging
+-- you can enable with defaults from the command line with -L
+--log_codecs = { }
+--log_hext = { }
+--log_pcap = { }
+
+-- additional logs
+--packet_capture = { }
+--file_log = { }
+
+---------------------------------------------------------------------------
+-- 8. configure tweaks
+---------------------------------------------------------------------------
+
+if ( tweaks ~= nil ) then
+ include(tweaks .. '.lua')
+end
\ No newline at end of file
diff --git a/terraform/ansible/roles/snort/files/snort.service b/terraform/ansible/roles/snort/files/snort.service
new file mode 100644
index 000000000..d5da0b977
--- /dev/null
+++ b/terraform/ansible/roles/snort/files/snort.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Snort3 NIDS Daemon
+After=syslog.target network.target
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens5 -m 0x1b --create-pidfile
+ExecStop=/bin/kill -9 $MAINPID
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/terraform/ansible/roles/snort/files/snort3-nic.service b/terraform/ansible/roles/snort/files/snort3-nic.service
new file mode 100644
index 000000000..af64750aa
--- /dev/null
+++ b/terraform/ansible/roles/snort/files/snort3-nic.service
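Review bot: In the `ips` table the key `include` is assigned twice (`local.rules`, then `snort3-community.rules`); a Lua table constructor keeps only the last value, so `local.rules` is silently never loaded. `ips.include` takes a single file in Snort 3 — keep `include = RULE_PATH .. "/snort3-community-rules/snort3-community.rules"` and load the local file another way, e.g. `rules = "include " .. RULE_PATH .. "/local.rules",` or a `-R` argument on the snort.service command line; confirm the chosen form against the Snort 3 manual. `RULE_PATH` is not defined in this file and comes from snort_defaults.lua, while configure_snort.yml installs the rules under /usr/local/etc/rules — run `snort -c /usr/local/etc/snort/snort.lua -T --warn-all` in the role to verify the resolved path before the service is enabled. Separately, `HOME_NET = 'any'` makes the `$HOME_NET`/`$EXTERNAL_NET` directionality used by the community rules meaningless; set it to the range's VPC/subnet CIDR so inbound-vs-outbound rules fire as intended.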
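Review bot: `Type=simple` combined with `-D` in ExecStart is inconsistent: `-D` makes snort fork into the background and the parent exits, so systemd sees its main process end and marks the unit inactive/failed while an orphaned snort keeps running, and `$MAINPID` in ExecStop will not refer to it. Drop `-D` and `--create-pidfile` and let systemd supervise the foreground process, or switch to `Type=forking` with `PIDFile=` pointing at the file `--create-pidfile` writes under `-l /var/log/snort` — the former is simpler. `ExecStop=/bin/kill -9 $MAINPID` should go too: systemd's default SIGTERM lets snort flush its alert file and stats, SIGKILL does not. The daemon also runs as root for its whole life; snort can drop privileges after opening the interface, so add `-u snort -g snort` (creating that account in the role) or at least a `User=` plus `AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN`, and `After=syslog.target` is an obsolete target that can simply be removed.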
@@ -0,0 +1,11 @@ +[Unit] +Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot +After=network.target +[Service] +Type=oneshot +ExecStart=/usr/sbin/ip link set dev ens5 promisc on +ExecStart=/usr/sbin/ethtool -K ens5 gro off lro off +TimeoutStartSec=0 +RemainAfterExit=yes +[Install] +WantedBy=default.target \ No newline at end of file diff --git a/terraform/ansible/roles/snort/tasks/configure_network_interface.yml b/terraform/ansible/roles/snort/tasks/configure_network_interface.yml new file mode 100644 index 000000000..6d167c5e2 --- /dev/null +++ b/terraform/ansible/roles/snort/tasks/configure_network_interface.yml @@ -0,0 +1,23 @@ +--- + +- name: install /etc/systemd/system/snort3-nic.service to set ens5 settings at boot + become: true + copy: + src: snort3-nic.service + dest: /etc/systemd/system/snort3-nic.service + owner: root + group: root + mode: 0755 + force: yes + +- name: systemctl daemon reload + become: true + command: "systemctl daemon-reload" + +- name: systemctl to enable snort3-nic.service + become: true + command: "systemctl enable snort3-nic.service" + +- name: systemctl to start snort3-nic.service + become: true + command: "systemctl start snort3-nic.service" \ No newline at end of file diff --git a/terraform/ansible/roles/snort/tasks/configure_snort.yml b/terraform/ansible/roles/snort/tasks/configure_snort.yml new file mode 100644 index 000000000..15f5c8d4c --- /dev/null +++ b/terraform/ansible/roles/snort/tasks/configure_snort.yml 
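Review bot: Nothing orders snort.service after this unit, so snort can open the interface before promiscuous mode is set and GRO/LRO are disabled; add `Requires=snort3-nic.service` and `After=snort3-nic.service` to snort.service (or `Before=snort.service` here) so the NIC prep is guaranteed to run first. The interface name `ens5` is hard-coded in both units and in the task names — it is a property of the instance type and cloud, so derive it from a variable such as `ansible_default_ipv4.interface` and template the unit instead of baking it in. `WantedBy=default.target` also differs from the `multi-user.target` used by snort.service; for a headless sensor use `multi-user.target` in both.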
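Review bot: The unit file is installed with `mode: 0755`; a systemd unit should not be executable (systemd logs a warning about executable unit files), and the unquoted leading-zero octal is a YAML 1.1 trap — use `mode: '0644'`. The three `command: systemctl ...` tasks are not idempotent and report changed on every run; the `systemd` module does daemon-reload, enable and start declaratively in one task, which I'd use in place of all three:
```yaml
- name: enable and start snort3-nic.service
  become: true
  systemd:
    name: snort3-nic.service
    daemon_reload: true
    enabled: true
    state: started
```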
@@ -0,0 +1,80 @@ +--- + +- name: Create necessary directories for Snort + become: true + file: + path: "{{ item }}" + state: directory + mode: '0755' + loop: + - /usr/local/etc/rules + - /usr/local/etc/so_rules + - /usr/local/etc/lists + - /var/log/snort + +- name: Create empty files for Snort + become: true + file: + path: "{{ item }}" + state: touch + mode: '0644' + loop: + - /usr/local/etc/rules/local.rules + - /usr/local/etc/lists/default.blocklist + +- name: Copy snort.lua configuration file + become: true + copy: + src: snort.lua + dest: /usr/local/etc/snort/snort.lua + owner: root + group: root + mode: '0644' + force: yes + +- name: Download and extract Snort3 community rules + become: true + unarchive: + src: https://www.snort.org/downloads/community/snort3-community-rules.tar.gz + dest: /usr/local/etc/rules + remote_src: yes + +- name: Download OpenAppID + get_url: + url: https://www.snort.org/downloads/openappid/33380 + dest: ~/snort_src/OpenAppID.tgz + +- name: Extract OpenAppID + unarchive: + src: ~/snort_src/OpenAppID.tgz + dest: ~/snort_src/ + remote_src: yes + +- name: Copy OpenAppID to Snort directory + become: true + copy: + src: ~/snort_src/odp + dest: /usr/local/lib/ + remote_src: yes + +- name: install /etc/systemd/system/snort.service to set ens5 settings at boot + become: true + copy: + src: snort.service + dest: /etc/systemd/system/snort.service + owner: root + group: root + mode: 0755 + force: yes + +- name: systemctl daemon reload + become: true + command: "systemctl daemon-reload" + +- name: systemctl to enable snort.service + become: true + command: "systemctl enable snort.service" + +- name: systemctl to start snort.service + become: true + command: "systemctl start snort.service" \ No newline at end of file diff --git a/terraform/ansible/roles/snort/tasks/configure_splunk_input.yml b/terraform/ansible/roles/snort/tasks/configure_splunk_input.yml new file mode 100644 index 000000000..cbef46bcf --- /dev/null 
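Review bot: Both downloads are unpinned and unverified: `unarchive` pulls `snort3-community-rules.tar.gz` straight from snort.org with `remote_src`, and `get_url` fetches OpenAppID by an opaque id (`33380`) with no `checksum:`, so whatever the server happens to serve is written into the IDS's rule and detector directories as root. Pin the OpenAppID download with `checksum: "sha256:<digest of the reviewed archive>"`, and fetch the rules tarball with `get_url` plus `checksum:` first, then `unarchive` the local file. Mixing `~` between tasks with and without `become` is fragile: `src: ~/snort_src/odp` in the privileged copy expands to root's home, whereas the unprivileged `get_url`/`unarchive` wrote to the connecting user's home, so the copy will likely fail unless the play already runs as root — use `{{ ansible_env.HOME }}` or an absolute staging directory consistently. The `state: touch` task also reports changed on every run (add `modification_time: preserve` and `access_time: preserve`), and the snort.service unit should be `mode: '0644'`, not `0755`.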
+++ b/terraform/ansible/roles/snort/tasks/configure_splunk_input.yml @@ -0,0 +1,13 @@ +--- + +- name: copy inputs.conf to capture snort logs + copy: + src: inputs.conf + dest: /opt/splunkforwarder/etc/system/local/inputs.conf + force: yes + +- name: Restart splunk uf + become: true + systemd: + name: SplunkForwarder + state: restarted diff --git a/terraform/ansible/roles/snort/tasks/install_snort.yml b/terraform/ansible/roles/snort/tasks/install_snort.yml new file mode 100644 index 000000000..3884181ec --- /dev/null +++ b/terraform/ansible/roles/snort/tasks/install_snort.yml 
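Review bot: `force: yes` onto `etc/system/local/inputs.conf` replaces the forwarder's entire system-local inputs file, so any input stanza already there (from installation or an earlier role) is lost, and the copied file's `[default] host = snort` then applies to every remaining input on the host. Ship the snort input as its own app instead, `dest: /opt/splunkforwarder/etc/apps/snort_inputs/local/inputs.conf` (creating that directory in a preceding `file` task), which layers cleanly with other inputs. The copy task also lacks `become: true` while the restart has it; /opt/splunkforwarder is normally owned by root or splunk, so the copy will fail for an unprivileged ansible user — add `become: true` to match.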
@@ -0,0 +1,152 @@ +--- + +- name: Update apt cache + apt: + update_cache: yes + become: yes + ignore_errors: yes + +- name: Update apt cache and upgrade all packages + apt: + update_cache: yes + upgrade: dist + force_apt_get: yes + become: yes + ignore_errors: yes + +- name: Check if a reboot is needed + register: reboot_required_file + stat: + path: /var/run/reboot-required + get_md5: no + ignore_errors: yes + +- name: Reboot the server if required + reboot: + msg: "Reboot initiated by Ansible due to package upgrades" + connect_timeout: 5 + reboot_timeout: 300 + pre_reboot_delay: 0 + post_reboot_delay: 30 + test_command: uptime + when: reboot_required_file.stat.exists + become: yes + ignore_errors: yes + +- name: Install Snort dependencies + apt: + name: + - build-essential + - libpcap-dev + - libpcre3-dev + - libnet1-dev + - zlib1g-dev + - luajit + - hwloc + - libdnet-dev + - libdumbnet-dev + - bison + - flex + - liblzma-dev + - openssl + - libssl-dev + - pkg-config + - libhwloc-dev + - cmake + - cpputest + - libsqlite3-dev + - uuid-dev + - libcmocka-dev + - libnetfilter-queue-dev + - libmnl-dev + - autotools-dev + - libluajit-5.1-dev + - libunwind-dev + - libfl-dev + - unzip + state: present + update_cache: yes + become: yes + +- name: Create Snort source directory + file: + path: "~/snort_src" + state: directory + mode: '0755' + +- name: Clone libdaq repository + git: + repo: 'https://github.com/snort3/libdaq.git' + dest: '~/snort_src/libdaq' + version: master + +- name: Build and install libdaq + become: yes + shell: | + ./bootstrap + ./configure + make + make install + args: + chdir: '~/snort_src/libdaq' + executable: /bin/bash + +- name: Download gperftools + get_url: + url: https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz + dest: ~/snort_src/gperftools-2.9.1.tar.gz + +- name: Extract gperftools + unarchive: + src: ~/snort_src/gperftools-2.9.1.tar.gz + dest: ~/snort_src + remote_src: yes + +- name: Build and 
install gperftools + become: yes + shell: | + ./configure + make + make install + args: + chdir: ~/snort_src/gperftools-2.9.1 + executable: /bin/bash + +- name: Download Snort3 source + get_url: + url: https://github.com/snort3/snort3/archive/refs/heads/master.zip + dest: ~/snort_src/snort3-master.zip + +- name: Extract Snort3 source + unarchive: + src: ~/snort_src/snort3-master.zip + dest: ~/snort_src + remote_src: yes + +- name: Configure and build Snort3 + become: yes + shell: | + ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc + args: + chdir: ~/snort_src/snort3-master + executable: /bin/bash + +- name: Build and Install Snort3 + become: yes + shell: | + make -j $(nproc) install + args: + chdir: ~/snort_src/snort3-master/build + executable: /bin/bash + +- name: Update shared library cache + become: yes + command: ldconfig + +- name: Get Snort version + command: snort -V + register: snort_version + +- name: Display Snort version + debug: + var: snort_version.stdout_lines diff --git a/terraform/ansible/roles/snort/tasks/main.yml b/terraform/ansible/roles/snort/tasks/main.yml new file mode 100644 index 000000000..392c67ac2 --- /dev/null +++ b/terraform/ansible/roles/snort/tasks/main.yml @@ -0,0 +1,6 @@ +--- + +- include: install_snort.yml +- include: configure_network_interface.yml +- include: configure_snort.yml +- include: configure_splunk_input.yml \ No newline at end of file diff --git a/terraform/ansible/roles/splunk_byo_linux/tasks/config.yml b/terraform/ansible/roles/splunk_byo_linux/tasks/config.yml index 56e7ea510..5abeb8cd5 100644 --- a/terraform/ansible/roles/splunk_byo_linux/tasks/config.yml +++ b/terraform/ansible/roles/splunk_byo_linux/tasks/config.yml @@ -4,8 +4,6 @@ template: src: outputs.conf.j2 dest: /opt/splunkforwarder/etc/system/local/outputs.conf - owner: splunk - group: splunk force: yes - name: restart splunk 
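Review bot: The sensor is built from moving targets: `version: master` for libdaq and `archive/refs/heads/master.zip` for snort3 are whatever upstream holds at run time, with no tag and no checksum, and the gperftools tarball has no `checksum:` either, so a rebuild is neither reproducible nor verifiable and a broken or compromised upstream lands on the box as root. Pin both to a release tag (and the matching release tarball) and add `checksum: "sha256:..."` to each `get_url`. The `~` paths also change meaning across tasks: `git`/`get_url`/`unarchive` run unprivileged and populate the connecting user's `~/snort_src`, while the `become: yes` build steps expand `chdir: ~/snort_src/...` as root, so unless the play already connects as root the builds look in /root/snort_src and fail. Each `shell: |` block additionally runs every command regardless of earlier failures because only the last exit status is checked; start them with `set -e`, build unprivileged, and escalate only for `make install` with an explicit path, e.g. for libdaq:
```yaml
- name: Build libdaq
  shell: |
    set -euo pipefail
    ./bootstrap
    ./configure
    make
  args:
    chdir: "{{ ansible_env.HOME }}/snort_src/libdaq"
    executable: /bin/bash

- name: Install libdaq
  become: yes
  command: make install
  args:
    chdir: "{{ ansible_env.HOME }}/snort_src/libdaq"
```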
diff --git a/terraform/ansible/roles/splunk_byo_linux/tasks/main.yml b/terraform/ansible/roles/splunk_byo_linux/tasks/main.yml index 4145c088a..9a8de66fc 100644 --- a/terraform/ansible/roles/splunk_byo_linux/tasks/main.yml +++ b/terraform/ansible/roles/splunk_byo_linux/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: config.yml - when: byo_splunk == "1" \ No newline at end of file + when: splunk_server.byo_splunk == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/splunk_byo_linux/templates/outputs.conf.j2 b/terraform/ansible/roles/splunk_byo_linux/templates/outputs.conf.j2 index 5b3d9c0a2..ebe8201d9 100644 --- a/terraform/ansible/roles/splunk_byo_linux/templates/outputs.conf.j2 +++ b/terraform/ansible/roles/splunk_byo_linux/templates/outputs.conf.j2 @@ -2,4 +2,4 @@ defaultGroup=my_indexers [tcpout:my_indexers] -server={{ byo_splunk_ip }}:9997 \ No newline at end of file +server={{ splunk_server.byo_splunk_ip }}:9997 \ No newline at end of file diff --git a/terraform/ansible/roles/splunk_byo_windows/tasks/main.yml b/terraform/ansible/roles/splunk_byo_windows/tasks/main.yml index 4145c088a..9a8de66fc 100644 --- a/terraform/ansible/roles/splunk_byo_windows/tasks/main.yml +++ b/terraform/ansible/roles/splunk_byo_windows/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: config.yml - when: byo_splunk == "1" \ No newline at end of file + when: splunk_server.byo_splunk == "1" \ No newline at end of file diff --git a/packer/ansible/roles/splunk_server/files/DigiCertGlobalRootCA.pem b/terraform/ansible/roles/splunk_server/files/DigiCertGlobalRootCA.pem similarity index 100% rename from packer/ansible/roles/splunk_server/files/DigiCertGlobalRootCA.pem rename to terraform/ansible/roles/splunk_server/files/DigiCertGlobalRootCA.pem 
diff --git a/packer/ansible/roles/splunk_server/files/authorize.conf b/terraform/ansible/roles/splunk_server/files/authorize.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/authorize.conf rename to terraform/ansible/roles/splunk_server/files/authorize.conf diff --git a/packer/ansible/roles/splunk_server/files/datamodels.conf b/terraform/ansible/roles/splunk_server/files/datamodels.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/datamodels.conf rename to terraform/ansible/roles/splunk_server/files/datamodels.conf diff --git a/packer/ansible/roles/splunk_server/files/docker.conf b/terraform/ansible/roles/splunk_server/files/docker.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/docker.conf rename to terraform/ansible/roles/splunk_server/files/docker.conf diff --git a/packer/ansible/roles/splunk_server/files/indexes.conf b/terraform/ansible/roles/splunk_server/files/indexes.conf similarity index 97% rename from packer/ansible/roles/splunk_server/files/indexes.conf rename to terraform/ansible/roles/splunk_server/files/indexes.conf index 7ab0bc449..811697437 100644 --- a/packer/ansible/roles/splunk_server/files/indexes.conf +++ b/terraform/ansible/roles/splunk_server/files/indexes.conf @@ -239,4 +239,10 @@ frozenTimePeriodInSecs = 604800 homePath = volume:primary/zeekdb/db coldPath = volume:primary/zeekdb/colddb thawedPath = $SPLUNK_DB/zeekdb/thaweddb +frozenTimePeriodInSecs = 604800 + +[snort] +homePath = volume:primary/snortdb/db +coldPath = volume:primary/snortdb/colddb +thawedPath = $SPLUNK_DB/snortdb/thaweddb frozenTimePeriodInSecs = 604800 \ No newline at end of file diff --git a/packer/ansible/roles/splunk_server/files/inputs.conf b/terraform/ansible/roles/splunk_server/files/inputs.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/inputs.conf rename to terraform/ansible/roles/splunk_server/files/inputs.conf 
diff --git a/packer/ansible/roles/splunk_server/files/limits.conf b/terraform/ansible/roles/splunk_server/files/limits.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/limits.conf rename to terraform/ansible/roles/splunk_server/files/limits.conf diff --git a/packer/ansible/roles/splunk_server/files/local.meta b/terraform/ansible/roles/splunk_server/files/local.meta similarity index 100% rename from packer/ansible/roles/splunk_server/files/local.meta rename to terraform/ansible/roles/splunk_server/files/local.meta diff --git a/packer/ansible/roles/splunk_server/files/mltk.local.meta b/terraform/ansible/roles/splunk_server/files/mltk.local.meta similarity index 100% rename from packer/ansible/roles/splunk_server/files/mltk.local.meta rename to terraform/ansible/roles/splunk_server/files/mltk.local.meta diff --git a/packer/ansible/roles/splunk_phantom/files/phantom.conf b/terraform/ansible/roles/splunk_server/files/phantom.conf similarity index 100% rename from packer/ansible/roles/splunk_phantom/files/phantom.conf rename to terraform/ansible/roles/splunk_server/files/phantom.conf diff --git a/packer/ansible/roles/splunk_server/files/props.conf b/terraform/ansible/roles/splunk_server/files/props.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/props.conf rename to terraform/ansible/roles/splunk_server/files/props.conf diff --git a/packer/ansible/roles/splunk_server/files/proxy.conf b/terraform/ansible/roles/splunk_server/files/proxy.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/proxy.conf rename to terraform/ansible/roles/splunk_server/files/proxy.conf diff --git a/packer/ansible/roles/splunk_server/files/server.conf b/terraform/ansible/roles/splunk_server/files/server.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/server.conf rename to terraform/ansible/roles/splunk_server/files/server.conf 
diff --git a/packer/ansible/roles/splunk_server/files/serverclass.conf b/terraform/ansible/roles/splunk_server/files/serverclass.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/serverclass.conf rename to terraform/ansible/roles/splunk_server/files/serverclass.conf diff --git a/packer/ansible/roles/splunk_server/files/user-prefs.conf b/terraform/ansible/roles/splunk_server/files/user-prefs.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/user-prefs.conf rename to terraform/ansible/roles/splunk_server/files/user-prefs.conf diff --git a/packer/ansible/roles/splunk_server/files/web.conf b/terraform/ansible/roles/splunk_server/files/web.conf similarity index 100% rename from packer/ansible/roles/splunk_server/files/web.conf rename to terraform/ansible/roles/splunk_server/files/web.conf diff --git a/packer/ansible/roles/splunk_phantom/handlers/main.yml b/terraform/ansible/roles/splunk_server/handlers/main.yml similarity index 100% rename from packer/ansible/roles/splunk_phantom/handlers/main.yml rename to terraform/ansible/roles/splunk_server/handlers/main.yml diff --git a/packer/ansible/roles/splunk_server/tasks/configure_attack_range_dashboard.yml b/terraform/ansible/roles/splunk_server/tasks/configure_attack_range_dashboard.yml similarity index 83% rename from packer/ansible/roles/splunk_server/tasks/configure_attack_range_dashboard.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_attack_range_dashboard.yml index 066718d1f..545df6a0a 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_attack_range_dashboard.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_attack_range_dashboard.yml @@ -3,8 +3,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/users/admin/user-prefs/local/ 
@@ -13,6 +11,4 @@ copy: src: user-prefs.conf dest: /opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf - owner: splunk - group: splunk notify: restart splunk diff --git a/packer/ansible/roles/splunk_server/tasks/configure_cim.yml b/terraform/ansible/roles/splunk_server/tasks/configure_cim.yml similarity index 82% rename from packer/ansible/roles/splunk_server/tasks/configure_cim.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_cim.yml index c9f7f8206..e458ba3c0 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_cim.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_cim.yml @@ -2,8 +2,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/Splunk_SA_CIM/local/ @@ -12,6 +10,4 @@ copy: src: datamodels.conf dest: /opt/splunk/etc/apps/Splunk_SA_CIM/local/datamodels.conf - owner: splunk - group: splunk notify: restart splunk diff --git a/packer/ansible/roles/splunk_server/tasks/configure_dltk.yml b/terraform/ansible/roles/splunk_server/tasks/configure_dltk.yml similarity index 92% rename from packer/ansible/roles/splunk_server/tasks/configure_dltk.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_dltk.yml index 3fa8b3e60..43c1de419 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_dltk.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_dltk.yml @@ -50,8 +50,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/mltk-container/local/ 
@@ -60,19 +58,14 @@ copy: src: docker.conf dest: /opt/splunk/etc/apps/mltk-container/local/docker.conf - owner: splunk - group: splunk notify: restart splunk - name: pull docker containers become: true - become_user: splunk command: docker pull phdrieger/mltk-container-golden-image-cpu:3.9.0 - name: copy local.meta for mltk copy: src: mltk.local.meta dest: /opt/splunk/etc/apps//Splunk_ML_Toolkit/metadata/local.meta - owner: splunk - group: splunk notify: restart splunk \ No newline at end of file diff --git a/packer/ansible/roles/splunk_server/tasks/configure_escu.yml b/terraform/ansible/roles/splunk_server/tasks/configure_escu.yml similarity index 83% rename from packer/ansible/roles/splunk_server/tasks/configure_escu.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_escu.yml index cced81348..7e6525dd6 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_escu.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_escu.yml @@ -2,8 +2,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/DA-ESS-ContentUpdate/local/ diff --git a/packer/ansible/roles/splunk_server/tasks/configure_indexes.yml b/terraform/ansible/roles/splunk_server/tasks/configure_indexes.yml similarity index 82% rename from packer/ansible/roles/splunk_server/tasks/configure_indexes.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_indexes.yml index c16d9d86b..256006866 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_indexes.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_indexes.yml @@ -3,8 +3,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/indexes_app/local/ 
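Review bot: Dropping `become_user: splunk` means `docker pull` now runs as root, and with the `owner: splunk` / `group: splunk` removals applied across the splunk_server task files in this commit every copied config under /opt/splunk/etc lands root-owned. If splunkd still runs as the `splunk` user, root-owned 0644 files are readable but not writable by Splunk, so later changes to docker.conf or the mltk local.meta made through the UI/REST will fail, and the mltk-container app's access to the docker socket depends on the splunk user being in the docker group — none of that is visible here, so I am inferring. If Splunk now runs as root in this deployment, say so at the top of the role, e.g. `# Splunk runs as root in the Attack Range image; no chown to splunk needed`; otherwise keep `owner: splunk` / `group: splunk` on these copies and `become_user: splunk` on the pull.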
@@ -13,14 +11,10 @@ copy: src: indexes.conf dest: /opt/splunk/etc/apps/indexes_app/local/indexes.conf - owner: splunk - group: splunk notify: restart splunk - name: copy authorize.conf for default searchable indexes_app copy: src: authorize.conf dest: /opt/splunk/etc/system/local/authorize.conf - owner: splunk - group: splunk notify: restart splunk diff --git a/packer/ansible/roles/splunk_server/tasks/configure_inputs.yml b/terraform/ansible/roles/splunk_server/tasks/configure_inputs.yml similarity index 81% rename from packer/ansible/roles/splunk_server/tasks/configure_inputs.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_inputs.yml index 427c9fb98..9114946e3 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_inputs.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_inputs.yml @@ -3,8 +3,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/inputs_app/local/ @@ -13,6 +11,4 @@ copy: src: inputs.conf dest: /opt/splunk/etc/apps/inputs_app/local/inputs.conf - owner: splunk - group: splunk notify: restart splunk diff --git a/packer/ansible/roles/splunk_server/tasks/configure_limits.yml b/terraform/ansible/roles/splunk_server/tasks/configure_limits.yml similarity index 82% rename from packer/ansible/roles/splunk_server/tasks/configure_limits.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_limits.yml index c2af1800e..065dade20 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_limits.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_limits.yml @@ -3,8 +3,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/limits_app/local/ @@ -13,6 +11,4 @@ copy: src: limits.conf dest: /opt/splunk/etc/apps/limits_app/local/limits.conf - owner: splunk - group: splunk notify: restart splunk 
diff --git a/packer/ansible/roles/splunk_server/tasks/configure_phantom.yml b/terraform/ansible/roles/splunk_server/tasks/configure_phantom.yml similarity index 60% rename from packer/ansible/roles/splunk_server/tasks/configure_phantom.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_phantom.yml index a2602ecba..ceb859150 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_phantom.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_phantom.yml @@ -4,12 +4,8 @@ file: path: /opt/splunk/etc/apps/phantom/local state: directory - owner: splunk - group: splunk - name: copy phantom.conf to splunk server copy: src: phantom.conf - dest: /opt/splunk/etc/apps/phantom/local/phantom.conf - owner: splunk - group: splunk \ No newline at end of file + dest: /opt/splunk/etc/apps/phantom/local/phantom.conf \ No newline at end of file diff --git a/packer/ansible/roles/splunk_server/tasks/configure_props.yml b/terraform/ansible/roles/splunk_server/tasks/configure_props.yml similarity index 78% rename from packer/ansible/roles/splunk_server/tasks/configure_props.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_props.yml index 5f9dec5db..d2a371c78 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_props.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_props.yml @@ -3,12 +3,8 @@ copy: src: props.conf dest: /opt/splunk/etc/system/local/props.conf - owner: splunk - group: splunk - name: Copy new local.meta configuration copy: src: local.meta dest: /opt/splunk/etc/apps/vmware_app_for_splunk/metadata/local.meta - owner: splunk - group: splunk diff --git a/packer/ansible/roles/splunk_server/tasks/configure_server_conf.yml b/terraform/ansible/roles/splunk_server/tasks/configure_server_conf.yml similarity index 85% rename from packer/ansible/roles/splunk_server/tasks/configure_server_conf.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_server_conf.yml index 95e106069..57a8ff875 100644 
--- a/packer/ansible/roles/splunk_server/tasks/configure_server_conf.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_server_conf.yml @@ -3,8 +3,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/server_app/local/ @@ -13,8 +11,6 @@ copy: src: server.conf dest: /opt/splunk/etc/apps/server_app/local/server.conf - owner: splunk - group: splunk notify: restart splunk - name: restart splunk diff --git a/packer/ansible/roles/splunk_server/tasks/configure_web_conf.yml b/terraform/ansible/roles/splunk_server/tasks/configure_web_conf.yml similarity index 81% rename from packer/ansible/roles/splunk_server/tasks/configure_web_conf.yml rename to terraform/ansible/roles/splunk_server/tasks/configure_web_conf.yml index 0476f398b..d676fb9fe 100644 --- a/packer/ansible/roles/splunk_server/tasks/configure_web_conf.yml +++ b/terraform/ansible/roles/splunk_server/tasks/configure_web_conf.yml @@ -3,8 +3,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/system/local/ @@ -13,6 +11,4 @@ copy: src: web.conf dest: /opt/splunk/etc/apps/system/local/web.conf - owner: splunk - group: splunk notify: restart splunk diff --git a/packer/ansible/roles/splunk_server/tasks/create_serverclass.yml b/terraform/ansible/roles/splunk_server/tasks/create_serverclass.yml similarity index 82% rename from packer/ansible/roles/splunk_server/tasks/create_serverclass.yml rename to terraform/ansible/roles/splunk_server/tasks/create_serverclass.yml index 7b9d788b4..24ded906b 100644 --- a/packer/ansible/roles/splunk_server/tasks/create_serverclass.yml +++ b/terraform/ansible/roles/splunk_server/tasks/create_serverclass.yml @@ -4,6 +4,4 @@ copy: src: serverclass.conf dest: /opt/splunk/etc/system/local/serverclass.conf - owner: splunk - group: splunk notify: restart splunk 
diff --git a/packer/ansible/roles/splunk_server/tasks/install_app_from_s3.yml b/terraform/ansible/roles/splunk_server/tasks/install_app_from_s3.yml similarity index 89% rename from packer/ansible/roles/splunk_server/tasks/install_app_from_s3.yml rename to terraform/ansible/roles/splunk_server/tasks/install_app_from_s3.yml index 4ad4a2cf4..1f9128e89 100644 --- a/packer/ansible/roles/splunk_server/tasks/install_app_from_s3.yml +++ b/terraform/ansible/roles/splunk_server/tasks/install_app_from_s3.yml @@ -2,7 +2,7 @@ - name: download {{ item }} from S3 bucket get_url: - url: '{{ s3_bucket_url }}/{{ item }}' + url: '{{ splunk_server.s3_bucket_url }}/{{ item }}' dest: /tmp/{{ item }} - name: Install {{ item }} via REST diff --git a/packer/ansible/roles/splunk_server/tasks/install_botsv1_dataset.yml b/terraform/ansible/roles/splunk_server/tasks/install_botsv1_dataset.yml similarity index 90% rename from packer/ansible/roles/splunk_server/tasks/install_botsv1_dataset.yml rename to terraform/ansible/roles/splunk_server/tasks/install_botsv1_dataset.yml index b07aae888..e64ffb1eb 100644 --- a/packer/ansible/roles/splunk_server/tasks/install_botsv1_dataset.yml +++ b/terraform/ansible/roles/splunk_server/tasks/install_botsv1_dataset.yml @@ -8,7 +8,5 @@ unarchive: src: 'https://s3.amazonaws.com/botsdataset/botsv1/splunk-pre-indexed/botsv1_data_set.tgz' dest: /opt/splunk/etc/apps - owner: splunk - group: splunk remote_src: yes when: botsv1_app.stat.exists == False diff --git a/packer/ansible/roles/splunk_server/tasks/install_botsv1a_dataset.yml b/terraform/ansible/roles/splunk_server/tasks/install_botsv1a_dataset.yml similarity index 90% rename from packer/ansible/roles/splunk_server/tasks/install_botsv1a_dataset.yml rename to terraform/ansible/roles/splunk_server/tasks/install_botsv1a_dataset.yml index af4db3169..d02cedb66 100644 --- a/packer/ansible/roles/splunk_server/tasks/install_botsv1a_dataset.yml 
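Review bot: The rewritten `url:` still fetches `{{ item }}` via `get_url` with no `checksum:`, so whatever the bucket serves is written to `/tmp/{{ item }}` and handed to the REST install task unverified. Because `splunk_apps` is an operator-controlled list, a per-app digest is practical — `checksum: "sha256:<DIGEST-PLACEHOLDER>"` next to the `url:` — or, if the bucket is deliberately trusted as-is, a comment saying so: `# no integrity check: apps are trusted as served from splunk_server.s3_bucket_url`. The same unchecked download pattern appears in install_dltk.yml further down in this commit. The `Install {{ item }} via REST` task continues outside the hunk.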
+++ b/terraform/ansible/roles/splunk_server/tasks/install_botsv1a_dataset.yml @@ -8,7 +8,5 @@ unarchive: src: 'https://s3.amazonaws.com/botsdataset/botsv1/botsv1-attack-only.tgz' dest: /opt/splunk/etc/apps - owner: splunk - group: splunk remote_src: yes when: botsv1a_app.stat.exists == False diff --git a/packer/ansible/roles/splunk_server/tasks/install_botsv2_dataset.yml b/terraform/ansible/roles/splunk_server/tasks/install_botsv2_dataset.yml similarity index 90% rename from packer/ansible/roles/splunk_server/tasks/install_botsv2_dataset.yml rename to terraform/ansible/roles/splunk_server/tasks/install_botsv2_dataset.yml index 940e357ee..5bc33c33a 100644 --- a/packer/ansible/roles/splunk_server/tasks/install_botsv2_dataset.yml +++ b/terraform/ansible/roles/splunk_server/tasks/install_botsv2_dataset.yml @@ -8,7 +8,5 @@ unarchive: src: 'https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set.tgz' dest: /opt/splunk/etc/apps - owner: splunk - group: splunk remote_src: yes when: botsv2_app.stat.exists == False diff --git a/packer/ansible/roles/splunk_server/tasks/install_botsv2a_dataset.yml b/terraform/ansible/roles/splunk_server/tasks/install_botsv2a_dataset.yml similarity index 91% rename from packer/ansible/roles/splunk_server/tasks/install_botsv2a_dataset.yml rename to terraform/ansible/roles/splunk_server/tasks/install_botsv2a_dataset.yml index 042eade5d..b2183e236 100644 --- a/packer/ansible/roles/splunk_server/tasks/install_botsv2a_dataset.yml +++ b/terraform/ansible/roles/splunk_server/tasks/install_botsv2a_dataset.yml @@ -7,7 +7,5 @@ unarchive: src: 'https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set_attack_only.tgz' dest: /opt/splunk/etc/apps - owner: splunk - group: splunk remote_src: yes when: botsv2a_app.stat.exists == False 
diff --git a/packer/ansible/roles/splunk_server/tasks/install_botsv3_dataset.yml b/terraform/ansible/roles/splunk_server/tasks/install_botsv3_dataset.yml similarity index 90% rename from packer/ansible/roles/splunk_server/tasks/install_botsv3_dataset.yml rename to terraform/ansible/roles/splunk_server/tasks/install_botsv3_dataset.yml index c3c464b66..2d1d36d6d 100644 --- a/packer/ansible/roles/splunk_server/tasks/install_botsv3_dataset.yml +++ b/terraform/ansible/roles/splunk_server/tasks/install_botsv3_dataset.yml @@ -7,7 +7,5 @@ unarchive: src: 'https://botsdataset.s3.amazonaws.com/botsv3/botsv3_data_set.tgz' dest: /opt/splunk/etc/apps - owner: splunk - group: splunk remote_src: yes when: botsv3_app.stat.exists == False diff --git a/packer/ansible/roles/splunk_server/tasks/install_dsp.yml b/terraform/ansible/roles/splunk_server/tasks/install_dsp.yml similarity index 100% rename from packer/ansible/roles/splunk_server/tasks/install_dsp.yml rename to terraform/ansible/roles/splunk_server/tasks/install_dsp.yml diff --git a/packer/ansible/roles/splunk_server/tasks/install_stream_app.yml b/terraform/ansible/roles/splunk_server/tasks/install_stream_app.yml similarity index 97% rename from packer/ansible/roles/splunk_server/tasks/install_stream_app.yml rename to terraform/ansible/roles/splunk_server/tasks/install_stream_app.yml index 08aa71994..ea8bbb5ab 100644 --- a/packer/ansible/roles/splunk_server/tasks/install_stream_app.yml +++ b/terraform/ansible/roles/splunk_server/tasks/install_stream_app.yml @@ -86,8 +86,6 @@ template: src: inputs_stream.conf.j2 dest: /opt/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf - owner: splunk - group: splunk # # app installation may still be in progress - name: Wait for set_permissions.sh to exist @@ -114,8 +112,6 @@ copy: src: /opt/splunk/etc/apps/Splunk_TA_stream dest: /opt/splunk/etc/deployment-apps - owner: splunk - group: splunk remote_src: yes directory_mode: yes 
@@ -128,5 +124,3 @@ template: src: inputs.conf.j2 dest: /opt/splunk/etc/deployment-apps/Splunk_TA_stream/local/inputs.conf - owner: splunk - group: splunk diff --git a/terraform/ansible/roles/splunk_server/tasks/main.yml b/terraform/ansible/roles/splunk_server/tasks/main.yml new file mode 100644 index 000000000..46a7f605d --- /dev/null +++ b/terraform/ansible/roles/splunk_server/tasks/main.yml @@ -0,0 +1,23 @@ +--- +# This playbook contains common tasks in this role + +- include: splunk.yml +- include: configure_inputs.yml +- include: configure_indexes.yml +- include: configure_limits.yml +- include: configure_web_conf.yml +- include: configure_server_conf.yml +- include: create_serverclass.yml + +- name: Convert splunk_apps string to list + set_fact: + splunk_apps_list: "{{ splunk_server.splunk_apps.split(',') }}" + +- include: install_app_from_s3.yml + with_items: "{{ splunk_apps_list }}" + +- include: configure_attack_range_dashboard.yml +- include: configure_escu.yml +- include: configure_props.yml +- include: configure_cim.yml +- include: configure_phantom.yml \ No newline at end of file diff --git a/terraform/ansible/roles/splunk_server/tasks/splunk.yml b/terraform/ansible/roles/splunk_server/tasks/splunk.yml new file mode 100644 index 000000000..43ba0c6d6 --- /dev/null +++ b/terraform/ansible/roles/splunk_server/tasks/splunk.yml 
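Review bot: `splunk_apps_list: "{{ splunk_server.splunk_apps.split(',') }}"` yields `['']` when `splunk_apps` is empty, so the `install_app_from_s3.yml` loop runs once with an empty item and tries to download `{{ splunk_server.s3_bucket_url }}/`. Filtering in the `set_fact` avoids that and also tolerates spaces after commas: `splunk_apps_list: "{{ splunk_server.splunk_apps.split(',') | map('trim') | reject('equalto', '') | list }}"`. The bare `- include:` keyword is deprecated in favour of `import_tasks` (static) and `include_tasks` (dynamic, which is what the `with_items` loop needs), and I believe it has been removed from recent ansible-core releases, so a brand-new file is the right place to switch. The header comment could also state the precondition the `configure_*` includes rely on, e.g. `# splunk.yml installs and starts Splunk; everything below assumes /opt/splunk exists and splunkd is up`.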
@@ -0,0 +1,32 @@ +--- +# This playbook install the apps required in a server + +- name: download splunk + get_url: + url: "{{ splunk_server.splunk_url }}" + dest: /opt/splunk.tgz + +- name: install splunk binary + unarchive: remote_src=yes src=/opt/splunk.tgz dest=/opt/ creates=yes + become: yes + +- name: migrate to WiredTiger + blockinfile: + path: /opt/splunk/etc/system/local/server.conf + insertafter: EOF + create: yes + block: | + [kvstore] + storageEngine=wiredTiger + +- name: accept license and start splunk + shell: /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd Pl3ase-k1Ll-me:p + become: yes + +- name: enable boot-start + shell: /opt/splunk/bin/splunk enable boot-start + +- name: restart splunk + service: + name: splunkd + state: restarted \ No newline at end of file diff --git a/terraform/ansible/roles/splunk_server/templates/inputs_stream.conf.j2 b/terraform/ansible/roles/splunk_server/templates/inputs_stream.conf.j2 new file mode 100644 index 000000000..2ad30fc1a --- /dev/null +++ b/terraform/ansible/roles/splunk_server/templates/inputs_stream.conf.j2 @@ -0,0 +1,5 @@ +[streamfwd://streamfwd] +index = network +splunk_stream_app_location = http{% if splunk_server.install_es == "1" %}s{% endif %}://localhost:8000/en-us/custom/splunk_app_stream/ +stream_forwarder_id = +disabled = 0 diff --git a/terraform/ansible/roles/splunk_server_post/tasks/change_splunk_password.yml b/terraform/ansible/roles/splunk_server_post/tasks/change_splunk_password.yml index 5a2828a44..e8ebe7f15 100644 --- a/terraform/ansible/roles/splunk_server_post/tasks/change_splunk_password.yml +++ b/terraform/ansible/roles/splunk_server_post/tasks/change_splunk_password.yml 
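Review bot: `unarchive: remote_src=yes src=/opt/splunk.tgz dest=/opt/ creates=yes` passes the literal string `yes` as the `creates` path, so the guard never matches and the archive is re-extracted over a running install on every play; it should name a file the extraction produces, `unarchive: remote_src=yes src=/opt/splunk.tgz dest=/opt/ creates=/opt/splunk/bin/splunk`. The `accept license and start splunk` task puts the seed password on the command line, where it shows in process listings and in Ansible's output, so mark that task `no_log: true` even though change_splunk_password.yml rotates it afterwards. `enable boot-start` runs without `become` and without `-user`, and since `splunk start` is run under `become: yes` the daemon comes up as root; if a dedicated `splunk` account is intended, pass `-user splunk` and add `become: yes` there as well. `service: name: splunkd` restarts a different unit name from the `name=splunk` used in change_splunk_password.yml and the phantom configure tasks; whichever name `enable boot-start` actually registers on the target, the two should agree. The `get_url` of `splunk_server.splunk_url` has no `checksum:`, the same gap as the S3 app downloads.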
@@ -1,9 +1,8 @@ --- - name: change password splunk - shell: '/opt/splunk/bin/splunk edit user admin -password {{ attack_range_password }} -auth admin:Pl3ase-k1Ll-me:p' + shell: '/opt/splunk/bin/splunk edit user admin -password {{ general.attack_range_password }} -auth admin:Pl3ase-k1Ll-me:p' become: yes - become_user: splunk - name: restart splunk service: name=splunk state=restarted diff --git a/terraform/ansible/roles/splunk_server_post/tasks/install_botsv3_dataset.yml b/terraform/ansible/roles/splunk_server_post/tasks/install_botsv3_dataset.yml index d9a2420b4..89895437b 100644 --- a/terraform/ansible/roles/splunk_server_post/tasks/install_botsv3_dataset.yml +++ b/terraform/ansible/roles/splunk_server_post/tasks/install_botsv3_dataset.yml @@ -8,7 +8,5 @@ unarchive: src: 'https://botsdataset.s3.amazonaws.com/botsv3/botsv3_data_set.tgz' dest: /opt/splunk/etc/apps - owner: splunk - group: splunk remote_src: yes when: botsv3_app.stat.exists == False diff --git a/terraform/ansible/roles/splunk_server_post/tasks/install_dltk.yml b/terraform/ansible/roles/splunk_server_post/tasks/install_dltk.yml index 386b90f7b..466731c27 100644 --- a/terraform/ansible/roles/splunk_server_post/tasks/install_dltk.yml +++ b/terraform/ansible/roles/splunk_server_post/tasks/install_dltk.yml @@ -2,7 +2,7 @@ - name: download DLTK from S3 bucket get_url: - url: '{{ s3_bucket_url }}/splunk-app-for-data-science-and-deep-learning_390.tgz' + url: '{{ splunk_server.s3_bucket_url }}/splunk-app-for-data-science-and-deep-learning_390.tgz' dest: /tmp/splunk-app-for-data-science-and-deep-learning_390.tgz - name: Install DLTK via REST @@ -10,7 +10,7 @@ url: "https://127.0.0.1:8089/services/apps/local" method: POST user: "admin" - password: "{{ attack_range_password }}" + password: "{{ general.attack_range_password }}" validate_certs: false body: "name=/tmp/splunk-app-for-data-science-and-deep-learning_390.tgz&update=true&filename=true" headers: 
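Review bot: The rewritten `shell:` line carries both `general.attack_range_password` and the seed password in the command string, and the task has no `no_log: true`, so both end up in Ansible's stdout/logs and, while the command runs, in the process list on the host. Add `no_log: true` to this task; the same applies to the `Run es post-install setup` `command:` in install_enterprise_security.yml, which this commit also rewrites and which passes `-auth admin:{{ general.attack_range_password }}` the same way. `service: name=splunk state=restarted` on the next line uses a different unit name from the `splunkd` restarted in the new splunk.yml; one of them is presumably wrong for the target.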
@@ -69,8 +69,6 @@ file: path: "{{ item }}" state: directory - owner: splunk - group: splunk recurse: yes with_items: - /opt/splunk/etc/apps/mltk-container/local/ @@ -79,19 +77,14 @@ copy: src: docker.conf dest: /opt/splunk/etc/apps/mltk-container/local/docker.conf - owner: splunk - group: splunk notify: restart splunk - name: pull docker containers become: true - become_user: splunk command: docker pull phdrieger/mltk-container-golden-image-cpu:3.9.0 - name: copy local.meta for mltk copy: src: mltk.local.meta dest: /opt/splunk/etc/apps//Splunk_ML_Toolkit/metadata/local.meta - owner: splunk - group: splunk notify: restart splunk \ No newline at end of file diff --git a/terraform/ansible/roles/splunk_server_post/tasks/install_enterprise_security.yml b/terraform/ansible/roles/splunk_server_post/tasks/install_enterprise_security.yml index b58eadf65..24623de66 100644 --- a/terraform/ansible/roles/splunk_server_post/tasks/install_enterprise_security.yml +++ b/terraform/ansible/roles/splunk_server_post/tasks/install_enterprise_security.yml @@ -4,7 +4,7 @@ url: "https://127.0.0.1:8089/services/apps/local/Splunk_ML_Toolkit" method: DELETE user: "admin" - password: "{{ attack_range_password }}" + password: "{{ general.attack_range_password }}" validate_certs: false headers: Content-Type: "application/x-www-form-urlencoded" @@ -16,7 +16,7 @@ url: "https://127.0.0.1:8089/services/apps/local/Splunk_SA_Scientific_Python_linux_x86_64" method: DELETE user: "admin" - password: "{{ attack_range_password }}" + password: "{{ general.attack_range_password }}" validate_certs: false headers: Content-Type: "application/x-www-form-urlencoded" @@ -29,7 +29,7 @@ - name: Copy enterprise security to server copy: - src: "../../apps/{{ splunk_es_app }}" + src: "../../apps/{{ splunk_server.splunk_es_app }}" dest: /tmp/es_app.tgz - name: Install es app via REST 
@@ -37,7 +37,7 @@ url: "https://127.0.0.1:8089/services/apps/local" method: POST user: "admin" - password: "{{ attack_range_password }}" + password: "{{ general.attack_range_password }}" validate_certs: false body: "name=/tmp/es_app.tgz&update=true&filename=true" headers: @@ -50,9 +50,8 @@ become: yes - name: Run es post-install setup - command: "/opt/splunk/bin/splunk search '| essinstall --ssl_enablement auto' -auth admin:{{ attack_range_password }}" + command: "/opt/splunk/bin/splunk search '| essinstall --ssl_enablement auto' -auth admin:{{ general.attack_range_password }}" become: yes - become_user: splunk async: 600 poll: 60 diff --git a/terraform/ansible/roles/splunk_server_post/tasks/main.yml b/terraform/ansible/roles/splunk_server_post/tasks/main.yml index e21f6478b..a3370089d 100644 --- a/terraform/ansible/roles/splunk_server_post/tasks/main.yml +++ b/terraform/ansible/roles/splunk_server_post/tasks/main.yml @@ -1,18 +1,22 @@ --- +- name: Change the hostname + hostname: + name: "{{ hostname }}" + - include: change_splunk_password.yml - include: phantom_server_configure.yml - when: phantom_server == "1" and not cloud_provider == "local" + when: phantom_server.phantom_server == "1" and not general.cloud_provider == "local" - include: phantom_server_configure_local.yml - when: phantom_server == "1" and cloud_provider == "local" + when: phantom_server.phantom_server == "1" and general.cloud_provider == "local" - include: install_enterprise_security.yml - when: install_es == "1" + when: splunk_server.install_es == "1" - include: install_botsv3_dataset.yml - when: ingest_bots3_data == "1" + when: splunk_server.ingest_bots3_data == "1" - include: install_dltk.yml - when: install_dltk == "1" \ No newline at end of file + when: splunk_server.install_dltk == "1" \ No newline at end of file 
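Review bot: The new `Change the hostname` task reads a bare `{{ hostname }}` while every other variable in this file was moved under `general.`, `splunk_server.` or `phantom_server.`; if `hostname` is meant to come from the inventory or extra-vars rather than the config namespace, a comment would stop the next refactor from "fixing" it, e.g. `# hostname is supplied per host by the inventory, not by the attack_range config`. The `- include:` keyword with `when:` is deprecated in favour of `import_tasks`/`include_tasks`, and I believe it no longer exists in recent ansible-core, so the rewritten `when:` lines are a good moment to switch. The `== "1"` string comparisons assume these flags arrive as strings; if the new config layout delivers booleans the conditions silently never match, which is worth confirming against the generated variables.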
diff --git a/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure.yml b/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure.yml index c8af2a44d..15075191e 100644 --- a/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure.yml +++ b/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure.yml 
@@ -5,38 +5,38 @@ url: https://10.0.1.13:8443/rest/ph_user/2/token method: GET user: admin - password: "{{ attack_range_password }}" + password: "{{ general.attack_range_password }}" force_basic_auth: yes validate_certs: no register: api_token_5 until: api_token_5.status == 200 retries: 25 delay: 60 - when: phantom_app | regex_search("splunk_soar-unpriv-5") + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-5") - name: Connect Splunk Phantom App with Phantom v5 - shell: curl -k -u "admin:{{ attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_5.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json + shell: curl -k -u "admin:{{ general.attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_5.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json register: shell_output - when: phantom_app | regex_search("splunk_soar-unpriv-5") + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-5") - name: fetch phantom api token uri: url: https://10.0.1.13:8443/rest/ph_user/2/token method: GET user: soar_local_admin - password: "{{ attack_range_password }}" + password: "{{ general.attack_range_password }}" force_basic_auth: yes validate_certs: no register: api_token_6 until: api_token_6.status == 200 retries: 25 delay: 60 - when: phantom_app | 
regex_search("splunk_soar-unpriv-6") + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-6") - name: Connect Splunk Phantom App with Phantom v6 - shell: curl -k -u "admin:{{ attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_6.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json + shell: curl -k -u "admin:{{ general.attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_6.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json register: shell_output - when: phantom_app | regex_search("splunk_soar-unpriv-6") + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-6") - name: restart splunk service: name=splunk state=restarted diff --git a/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure_local.yml b/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure_local.yml index 7c96e4e94..934f33cf0 100644 --- a/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure_local.yml +++ b/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure_local.yml 
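Review bot: The rewritten `shell: curl -k -u "admin:{{ general.attack_range_password }}" --data '...'` lines put the admin password and the freshly fetched Phantom API token on a command line and in the task's captured stdout (`register: shell_output` with no `no_log`), and `-k` skips certificate validation on the call to localhost:8089. The `uri` module already used two tasks up can send the identical request without a shell, keeping the credential out of the process list, as sketched below; I believe the raw body plus explicit form content-type reproduces what curl `--data` sends, but it should be verified against the endpoint. At minimum add `no_log: true` to both curl tasks and to the two `fetch phantom api token` tasks, whose registered `api_token_*` results hold the token in clear. The same structure is in phantom_server_configure_local.yml below and needs the same treatment.
```yaml
- name: Connect Splunk Phantom App with Phantom v5
  uri:
    url: https://localhost:8089/services/update_phantom_config?output_mode=json
    method: POST
    user: admin
    password: "{{ general.attack_range_password }}"
    force_basic_auth: yes
    validate_certs: no
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: >-
      {"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_5.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}
  no_log: true
  register: shell_output
  when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-5")
# … unchanged: v6 token fetch; the v6 connect task takes the same shape with api_token_6 …
```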
@@ -5,38 +5,38 @@ url: https://192.168.56.13:8443/rest/ph_user/2/token method: GET user: admin - password: "{{ attack_range_password }}" + password: "{{ general.attack_range_password }}" force_basic_auth: yes validate_certs: no register: api_token_5 until: api_token_5.status == 200 retries: 25 delay: 60 - when: phantom_app | regex_search("splunk_soar-unpriv-5") + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-5") - name: Connect Splunk Phantom App with Phantom v5 - shell: curl -k -u "admin:{{ attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_5.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json + shell: curl -k -u "admin:{{ general.attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_5.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json register: shell_output - when: phantom_app | regex_search("splunk_soar-unpriv-5") + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-5") - name: fetch phantom api token uri: url: https://192.168.56.13:8443/rest/ph_user/2/token method: GET user: soar_local_admin - password: "{{ attack_range_password }}" + password: "{{ general.attack_range_password }}" force_basic_auth: yes validate_certs: no register: api_token_6 until: api_token_6.status == 200 retries: 25 delay: 60 - when: phantom_app | 
regex_search("splunk_soar-unpriv-6") + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-6") - name: Connect Splunk Phantom App with Phantom v6 - shell: curl -k -u "admin:{{ attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_6.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json + shell: curl -k -u "admin:{{ general.attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_6.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json register: shell_output - when: phantom_app | regex_search("splunk_soar-unpriv-6") + when: phantom_server.phantom_app | regex_search("splunk_soar-unpriv-6") - name: restart splunk service: name=splunk state=restarted diff --git a/packer/ansible/roles/sysmon/handlers/main.yml b/terraform/ansible/roles/sysmon/handlers/main.yml similarity index 100% rename from packer/ansible/roles/sysmon/handlers/main.yml rename to terraform/ansible/roles/sysmon/handlers/main.yml diff --git a/packer/ansible/roles/sysmon/tasks/main.yml b/terraform/ansible/roles/sysmon/tasks/main.yml similarity index 100% rename from packer/ansible/roles/sysmon/tasks/main.yml rename to terraform/ansible/roles/sysmon/tasks/main.yml 
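Review bot: The rewritten `Connect Splunk Phantom App` lines in this local variant still post `"server":"https://10.0.1.13:8443"` while the token two tasks up is fetched from `https://192.168.56.13:8443`, so the Splunk-side Phantom config points at the cloud address rather than the local one; the commit rewrote both lines and left this in place, and `"server":"https://192.168.56.13:8443"` is presumably what is meant. This file is otherwise a copy of phantom_server_configure.yml with only the token URL changed, so the secrets-on-command-line point raised there applies here as well. Parameterising the Phantom address (chosen by `general.cloud_provider`) into one task file would remove this kind of drift entirely.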
diff --git a/packer/ansible/roles/sysmon/tasks/windows-logging-registry.yml b/terraform/ansible/roles/sysmon/tasks/windows-logging-registry.yml similarity index 100% rename from packer/ansible/roles/sysmon/tasks/windows-logging-registry.yml rename to terraform/ansible/roles/sysmon/tasks/windows-logging-registry.yml diff --git a/packer/ansible/roles/sysmon/tasks/windows-sysmon.yml b/terraform/ansible/roles/sysmon/tasks/windows-sysmon.yml similarity index 100% rename from packer/ansible/roles/sysmon/tasks/windows-sysmon.yml rename to terraform/ansible/roles/sysmon/tasks/windows-sysmon.yml diff --git a/packer/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-server.xml.j2 b/terraform/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-server.xml.j2 similarity index 100% rename from packer/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-server.xml.j2 rename to terraform/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-server.xml.j2 diff --git a/packer/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-workstations.xml.j2 b/terraform/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-workstations.xml.j2 similarity index 100% rename from packer/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-workstations.xml.j2 rename to terraform/ansible/roles/sysmon/templates/SysmonConfig-Neo23x0-workstations.xml.j2 diff --git a/packer/ansible/roles/sysmon/templates/SysmonConfig-TSwift.xml.j2 b/terraform/ansible/roles/sysmon/templates/SysmonConfig-TSwift.xml.j2 similarity index 100% rename from packer/ansible/roles/sysmon/templates/SysmonConfig-TSwift.xml.j2 rename to terraform/ansible/roles/sysmon/templates/SysmonConfig-TSwift.xml.j2 diff --git a/packer/ansible/roles/sysmon/templates/SysmonConfig-TSwift2.xml.j2 b/terraform/ansible/roles/sysmon/templates/SysmonConfig-TSwift2.xml.j2 similarity index 100% rename from packer/ansible/roles/sysmon/templates/SysmonConfig-TSwift2.xml.j2 rename to terraform/ansible/roles/sysmon/templates/SysmonConfig-TSwift2.xml.j2 
diff --git a/packer/ansible/roles/sysmon/templates/SysmonConfig-Verbose.xml.j2 b/terraform/ansible/roles/sysmon/templates/SysmonConfig-Verbose.xml.j2 similarity index 100% rename from packer/ansible/roles/sysmon/templates/SysmonConfig-Verbose.xml.j2 rename to terraform/ansible/roles/sysmon/templates/SysmonConfig-Verbose.xml.j2 diff --git a/packer/ansible/roles/sysmon/templates/SysmonConfig-moti.xml.j2 b/terraform/ansible/roles/sysmon/templates/SysmonConfig-moti.xml.j2 similarity index 100% rename from packer/ansible/roles/sysmon/templates/SysmonConfig-moti.xml.j2 rename to terraform/ansible/roles/sysmon/templates/SysmonConfig-moti.xml.j2 diff --git a/packer/ansible/roles/sysmon/templates/SysmonConfig.xml.j2 b/terraform/ansible/roles/sysmon/templates/SysmonConfig.xml.j2 similarity index 100% rename from packer/ansible/roles/sysmon/templates/SysmonConfig.xml.j2 rename to terraform/ansible/roles/sysmon/templates/SysmonConfig.xml.j2 diff --git a/packer/ansible/roles/sysmon/templates/SysmonConfigCustom.xml.j2 b/terraform/ansible/roles/sysmon/templates/SysmonConfigCustom.xml.j2 similarity index 100% rename from packer/ansible/roles/sysmon/templates/SysmonConfigCustom.xml.j2 rename to terraform/ansible/roles/sysmon/templates/SysmonConfigCustom.xml.j2 diff --git a/terraform/ansible/roles/update_sysmon_config/tasks/main.yml b/terraform/ansible/roles/update_sysmon_config/tasks/main.yml index 16974acd0..d1e721f48 100644 --- a/terraform/ansible/roles/update_sysmon_config/tasks/main.yml +++ b/terraform/ansible/roles/update_sysmon_config/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: windows-sysmon.yml - when: win_sysmon_config != "SwiftOnSecurity.xml" + when: windows_servers.win_sysmon_config != "SwiftOnSecurity.xml" diff --git a/terraform/ansible/roles/update_sysmon_config/tasks/windows-sysmon.yml b/terraform/ansible/roles/update_sysmon_config/tasks/windows-sysmon.yml index 17787dff6..05d130a8a 100644 --- a/terraform/ansible/roles/update_sysmon_config/tasks/windows-sysmon.yml 
+++ b/terraform/ansible/roles/update_sysmon_config/tasks/windows-sysmon.yml @@ -2,11 +2,11 @@ - name: Copy Sysmon template win_copy: - src: '../../configs/{{ win_sysmon_config }}' - dest: 'C:\Program Files\ansible\{{ win_sysmon_config }}' + src: '../../configs/{{ windows_servers.win_sysmon_config }}' + dest: 'C:\Program Files\ansible\{{ windows_servers.win_sysmon_config }}' - name: install sysmon with defined config - win_command: '"C:\Program Files\ansible\sysmon\sysmon64.exe" -c "C:\Program Files\ansible\{{ win_sysmon_config }}"' + win_command: '"C:\Program Files\ansible\sysmon\sysmon64.exe" -c "C:\Program Files\ansible\{{ windows_servers.win_sysmon_config }}"' - name: 'Reboot server' win_reboot: \ No newline at end of file diff --git a/terraform/ansible/roles/update_sysmon_config_linux/tasks/main.yml b/terraform/ansible/roles/update_sysmon_config_linux/tasks/main.yml index f4997fcad..8b327c5d7 100644 --- a/terraform/ansible/roles/update_sysmon_config_linux/tasks/main.yml +++ b/terraform/ansible/roles/update_sysmon_config_linux/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: update_sysmon_config.yml - when: sysmon_config != "SysMonLinux-CatchAll.xml" \ No newline at end of file + when: linux_servers.sysmon_config != "SysMonLinux-CatchAll.xml" \ No newline at end of file diff --git a/terraform/ansible/roles/update_sysmon_config_linux/tasks/update_sysmon_config.yml b/terraform/ansible/roles/update_sysmon_config_linux/tasks/update_sysmon_config.yml index 719cb9ba0..65a9e690a 100644 --- a/terraform/ansible/roles/update_sysmon_config_linux/tasks/update_sysmon_config.yml +++ b/terraform/ansible/roles/update_sysmon_config_linux/tasks/update_sysmon_config.yml 
@@ -3,9 +3,9 @@
- name: copy sysmon config template
become: true
copy:
- src: "../../configs/{{ sysmon_config }}"
- dest: "/tmp/{{ sysmon_config }}"
+ src: "../../configs/{{ linux_servers.sysmon_config }}"
+ dest: "/tmp/{{ linux_servers.sysmon_config }}"
- name: update sysmon config
become: true
- ansible.builtin.shell: sysmon -c /tmp/{{ sysmon_config }}
\ No newline at end of file
+ ansible.builtin.shell: sysmon -c /tmp/{{ linux_servers.sysmon_config }}
\ No newline at end of file
diff --git a/terraform/ansible/roles/windows_agent_prelude/tasks/install.yml b/terraform/ansible/roles/windows_agent_prelude/tasks/install.yml
deleted file mode 100644
index 969567b3d..000000000
--- a/terraform/ansible/roles/windows_agent_prelude/tasks/install.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-
-- name: Wait for redirector to be ready
- win_wait_for:
- port: 2323
- host: "10.0.1.12"
- connect_timeout: 30
- delay: 60
- timeout: 900
-
-- name: Download Prelude Pneuma from headless Operator
- win_get_url:
- url: "http://10.0.1.12:3391/payloads/pneuma/v1.6/pneuma-windows.exe"
- dest: c:\pneuma-windows.exe
-
-- name: Create a task to Start Prelude Pneuma on boot
- win_scheduled_task:
- name: Pneuma
- description: Start Pneuma on boot
- actions:
- - path: C:\pneuma-windows.exe
- arguments: "-name {{ ansible_hostname }} -address 10.0.1.12:2323"
- triggers:
- - type: boot
- username: SYSTEM
- run_level: highest
- state: present
-
-- name: Start Prelude Pneuma and Connect to headless Operator
- win_shell: Start-Process -FilePath c:\pneuma-windows.exe -ArgumentList "-name $env:COMPUTERNAME -address 10.0.1.12:2323"
-
\ No newline at end of file
diff --git a/terraform/ansible/roles/windows_agent_prelude/tasks/install_local.yml b/terraform/ansible/roles/windows_agent_prelude/tasks/install_local.yml
deleted file mode 100644
index 01f0da9db..000000000
--- a/terraform/ansible/roles/windows_agent_prelude/tasks/install_local.yml
+++ /dev/null
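Review bot: The new `dest: "/tmp/{{ linux_servers.sysmon_config }}"` stages the config in world-writable /tmp and the following `ansible.builtin.shell: sysmon -c /tmp/{{ linux_servers.sysmon_config }}` loads it as root (`become: true`), so any local account on the sensor can pre-create or replace that path between the copy and the load; stage it under a root-owned directory instead (`dest: "<root-owned-dir>/{{ linux_servers.sysmon_config }}"`, path to be chosen per the project's layout). The command uses no shell features, so `ansible.builtin.command` with the path quoted (`sysmon -c "<dir>/{{ linux_servers.sysmon_config }}"`) is the safer module and keeps a filename with spaces from splitting into two arguments. Neither task has `changed_when`, so the reload reports changed on every run.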
@@ -1,31 +0,0 @@
----
-
-- name: Wait for redirector to be ready
- win_wait_for:
- port: 2323
- host: "192.168.56.12"
- connect_timeout: 30
- delay: 60
- timeout: 900
-
-- name: Download Prelude Pneuma from headless Operator
- win_get_url:
- url: "http://192.168.56.12:3391/payloads/pneuma/v1.6/pneuma-windows.exe"
- dest: c:\pneuma-windows.exe
-
-- name: Create a task to Start Prelude Pneuma on boot
- win_scheduled_task:
- name: Pneuma
- description: Start Pneuma on boot
- actions:
- - path: C:\pneuma-windows.exe
- arguments: "-name {{ ansible_hostname }} -address 192.168.56.12:2323"
- triggers:
- - type: boot
- username: SYSTEM
- run_level: highest
- state: present
-
-- name: Start Prelude Pneuma and Connect to headless Operator
- win_shell: Start-Process -FilePath c:\pneuma-windows.exe -ArgumentList "-name $env:COMPUTERNAME -address 192.168.56.12"
-
\ No newline at end of file
diff --git a/terraform/ansible/roles/windows_agent_prelude/tasks/main.yml b/terraform/ansible/roles/windows_agent_prelude/tasks/main.yml
deleted file mode 100644
index ac9772e2d..000000000
--- a/terraform/ansible/roles/windows_agent_prelude/tasks/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-- include: install.yml
- when: prelude == "1"
\ No newline at end of file
diff --git a/terraform/ansible/roles/windows_aurora_agent/tasks/main.yml b/terraform/ansible/roles/windows_aurora_agent/tasks/main.yml
index 38b8f160a..7159485d1 100644
--- a/terraform/ansible/roles/windows_aurora_agent/tasks/main.yml
+++ b/terraform/ansible/roles/windows_aurora_agent/tasks/main.yml
@@ -1,5 +1,5 @@
---
- include: install_aurora_agent.yml
- when: aurora_agent == "1"
+ when: windows_servers.aurora_agent == "1"
diff --git a/packer/ansible/roles/windows_common/tasks/advanced_logging.yml b/terraform/ansible/roles/windows_common/tasks/advanced_logging.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/advanced_logging.yml
rename to terraform/ansible/roles/windows_common/tasks/advanced_logging.yml
diff --git a/packer/ansible/roles/windows_common/tasks/install_7zip.yml b/terraform/ansible/roles/windows_common/tasks/install_7zip.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/install_7zip.yml
rename to terraform/ansible/roles/windows_common/tasks/install_7zip.yml
diff --git a/packer/ansible/roles/windows_common/tasks/install_app_chocolatey.yml b/terraform/ansible/roles/windows_common/tasks/install_app_chocolatey.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/install_app_chocolatey.yml
rename to terraform/ansible/roles/windows_common/tasks/install_app_chocolatey.yml
diff --git a/packer/ansible/roles/windows_common/tasks/install_choco.yml b/terraform/ansible/roles/windows_common/tasks/install_choco.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/install_choco.yml
rename to terraform/ansible/roles/windows_common/tasks/install_choco.yml
diff --git a/packer/ansible/roles/windows_common/tasks/install_firefox.yml b/terraform/ansible/roles/windows_common/tasks/install_firefox.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/install_firefox.yml
rename to terraform/ansible/roles/windows_common/tasks/install_firefox.yml
diff --git a/packer/ansible/roles/windows_common/tasks/install_git.yml b/terraform/ansible/roles/windows_common/tasks/install_git.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/install_git.yml
rename to terraform/ansible/roles/windows_common/tasks/install_git.yml
diff --git a/packer/ansible/roles/windows_common/tasks/install_notepadplusplus.yml b/terraform/ansible/roles/windows_common/tasks/install_notepadplusplus.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/install_notepadplusplus.yml
rename to terraform/ansible/roles/windows_common/tasks/install_notepadplusplus.yml
diff --git a/packer/ansible/roles/windows_common/tasks/main.yml b/terraform/ansible/roles/windows_common/tasks/main.yml
similarity index 78%
rename from packer/ansible/roles/windows_common/tasks/main.yml
rename to terraform/ansible/roles/windows_common/tasks/main.yml
index cba4c0b94..94c51757e 100644
--- a/packer/ansible/roles/windows_common/tasks/main.yml
+++ b/terraform/ansible/roles/windows_common/tasks/main.yml
@@ -1,10 +1,9 @@
---
-#- include: set-hostname.yml
+
- include: windows-disable-defender.yml
- include: windows-enable-ps-logging.yml
- include: windows-enable-4688-cmd-line-audit.yml
- include: install_choco.yml
-# when: cloud_provider == "local"
- include: install_app_chocolatey.yml
with_items:
- "firefox"
@@ -14,5 +13,5 @@
- "adobereader"
- "python"
- include: advanced_logging.yml
- when: advanced_logging == "1"
+ when: windows_servers.advanced_logging == "1"
diff --git a/packer/ansible/roles/windows_common/tasks/set-hostname.yml b/terraform/ansible/roles/windows_common/tasks/set-hostname.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/set-hostname.yml
rename to terraform/ansible/roles/windows_common/tasks/set-hostname.yml
diff --git a/packer/ansible/roles/windows_common/tasks/windows-disable-defender.yml b/terraform/ansible/roles/windows_common/tasks/windows-disable-defender.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/windows-disable-defender.yml
rename to terraform/ansible/roles/windows_common/tasks/windows-disable-defender.yml
diff --git a/packer/ansible/roles/windows_common/tasks/windows-enable-4688-cmd-line-audit.yml b/terraform/ansible/roles/windows_common/tasks/windows-enable-4688-cmd-line-audit.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/windows-enable-4688-cmd-line-audit.yml
rename to terraform/ansible/roles/windows_common/tasks/windows-enable-4688-cmd-line-audit.yml
diff --git a/packer/ansible/roles/windows_common/tasks/windows-enable-ps-logging.yml b/terraform/ansible/roles/windows_common/tasks/windows-enable-ps-logging.yml
similarity index 100%
rename from packer/ansible/roles/windows_common/tasks/windows-enable-ps-logging.yml
rename to terraform/ansible/roles/windows_common/tasks/windows-enable-ps-logging.yml
diff --git a/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml b/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml
index fcd4062bb..44eac2923 100644
--- a/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml
+++ b/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml
@@ -25,7 +25,7 @@
IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1)
Install-AtomicRedTeam -Force
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicsfolder.ps1' -UseBasicParsing)
- Install-AtomicsFolder -Force -RepoOwner "{{ atomic_red_team_repo }}" -Branch "{{ atomic_red_team_branch }}"
+ Install-AtomicsFolder -Force -RepoOwner "{{ simulation.atomic_red_team_repo }}" -Branch "{{ simulation.atomic_red_team_branch }}"
register: install_art
- name: copy default powershell profile
diff --git a/terraform/ansible/roles/windows_splunk_post/tasks/main.yml b/terraform/ansible/roles/windows_splunk_post/tasks/main.yml
index 82c52c1e5..d8440597c 100644
--- a/terraform/ansible/roles/windows_splunk_post/tasks/main.yml
+++ b/terraform/ansible/roles/windows_splunk_post/tasks/main.yml
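Review bot: The new `-RepoOwner "{{ simulation.atomic_red_team_repo }}" -Branch "{{ simulation.atomic_red_team_branch }}"` interpolates vars-file values into PowerShell double-quoted strings, where `$`, backtick and `"` are interpreted; single quotes (`-RepoOwner '{{ simulation.atomic_red_team_repo }}' -Branch '{{ simulation.atomic_red_team_branch }}'`) keep them literal. Since owner and branch now come from the extra-vars file, a comment above the task should say that whoever edits that file picks which fork's atomics are installed on the host, and the `IEX (IWR https://raw.githubusercontent.com/...)` context lines above pull unpinned installer scripts with no integrity check, which is worth stating in the same comment. The enclosing `win_shell` task starts before this hunk.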
@@ -1,10 +1,10 @@
---
- name: Change Splunk password
- win_command: '"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" edit user admin -password {{ attack_range_password }} -auth admin:Pl3ase-k1Ll-me:p'
+ win_command: '"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" edit user admin -password {{ general.attack_range_password }} -auth admin:Pl3ase-k1Ll-me:p'
- name: Change Hostname
- win_command: '"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" set default-hostname {{ hostname }} -auth admin:{{ attack_range_password }}'
+ win_command: '"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" set default-hostname {{ windows_servers.hostname }} -auth admin:{{ general.attack_range_password }}'
- name: Restart
win_command: '"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" restart'
\ No newline at end of file
diff --git a/packer/ansible/roles/windows_universal_forwarder/files/atomic_red_team_execution_inputs.conf b/terraform/ansible/roles/windows_universal_forwarder/files/atomic_red_team_execution_inputs.conf
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/files/atomic_red_team_execution_inputs.conf
rename to terraform/ansible/roles/windows_universal_forwarder/files/atomic_red_team_execution_inputs.conf
diff --git a/packer/ansible/roles/windows_universal_forwarder/files/aurora_agent_inputs.conf b/terraform/ansible/roles/windows_universal_forwarder/files/aurora_agent_inputs.conf
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/files/aurora_agent_inputs.conf
rename to terraform/ansible/roles/windows_universal_forwarder/files/aurora_agent_inputs.conf
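Review bot: Both changed `win_command` lines pass `{{ general.attack_range_password }}` as a command-line argument and neither task sets `no_log: true`, so the password is printed in Ansible's task output (the full command is shown on failure and under -v) and sits in the `splunk.exe` process command line while it runs; add `no_log: true` to the 'Change Splunk password' and 'Change Hostname' tasks. Because this commit also wires in windows-enable-4688-cmd-line-audit.yml and Sysmon, that command line will likely be captured as a process-creation event and forwarded to the indexer, which is another reason to keep the value out of argv where the Splunk CLI allows it. The literal `-auth admin:Pl3ase-k1Ll-me:p` bootstrap credential is pre-existing; a comment pointing to where that initial password is set during image build would help the next reader.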
diff --git a/packer/ansible/roles/windows_universal_forwarder/files/nxlog.conf b/terraform/ansible/roles/windows_universal_forwarder/files/nxlog.conf
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/files/nxlog.conf
rename to terraform/ansible/roles/windows_universal_forwarder/files/nxlog.conf
diff --git a/packer/ansible/roles/windows_universal_forwarder/files/nxlog_inputs.conf b/terraform/ansible/roles/windows_universal_forwarder/files/nxlog_inputs.conf
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/files/nxlog_inputs.conf
rename to terraform/ansible/roles/windows_universal_forwarder/files/nxlog_inputs.conf
diff --git a/packer/ansible/roles/windows_universal_forwarder/files/outputs.conf b/terraform/ansible/roles/windows_universal_forwarder/files/outputs.conf
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/files/outputs.conf
rename to terraform/ansible/roles/windows_universal_forwarder/files/outputs.conf
diff --git a/packer/ansible/roles/windows_universal_forwarder/files/powershell_inputs.conf b/terraform/ansible/roles/windows_universal_forwarder/files/powershell_inputs.conf
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/files/powershell_inputs.conf
rename to terraform/ansible/roles/windows_universal_forwarder/files/powershell_inputs.conf
diff --git a/packer/ansible/roles/windows_universal_forwarder/files/sysmon_inputs.conf b/terraform/ansible/roles/windows_universal_forwarder/files/sysmon_inputs.conf
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/files/sysmon_inputs.conf
rename to terraform/ansible/roles/windows_universal_forwarder/files/sysmon_inputs.conf
diff --git a/packer/ansible/roles/windows_universal_forwarder/files/win_event_log_inputs.conf b/terraform/ansible/roles/windows_universal_forwarder/files/win_event_log_inputs.conf
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/files/win_event_log_inputs.conf
rename to terraform/ansible/roles/windows_universal_forwarder/files/win_event_log_inputs.conf
diff --git a/packer/ansible/roles/windows_universal_forwarder/files/win_event_log_inputs_plain.conf b/terraform/ansible/roles/windows_universal_forwarder/files/win_event_log_inputs_plain.conf
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/files/win_event_log_inputs_plain.conf
rename to terraform/ansible/roles/windows_universal_forwarder/files/win_event_log_inputs_plain.conf
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/collect_attack_simulation_logs.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/collect_attack_simulation_logs.yml
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/collect_attack_simulation_logs.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/collect_attack_simulation_logs.yml
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/collect_aurora_agent_logs.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/collect_aurora_agent_logs.yml
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/collect_aurora_agent_logs.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/collect_aurora_agent_logs.yml
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/collect_nxlog_logs.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/collect_nxlog_logs.yml
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/collect_nxlog_logs.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/collect_nxlog_logs.yml
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/collect_powershell_logs.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/collect_powershell_logs.yml
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/collect_powershell_logs.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/collect_powershell_logs.yml
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/collect_sysmon_logs.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/collect_sysmon_logs.yml
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/collect_sysmon_logs.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/collect_sysmon_logs.yml
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/collect_windows_event_logs.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/collect_windows_event_logs.yml
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/collect_windows_event_logs.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/collect_windows_event_logs.yml
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/configure_outputs.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/configure_outputs.yml
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/configure_outputs.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/configure_outputs.yml
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/create_deploymentclient.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/create_deploymentclient.yml
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/create_deploymentclient.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/create_deploymentclient.yml
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/install_splunk_uf.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/install_splunk_uf.yml
similarity index 79%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/install_splunk_uf.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/install_splunk_uf.yml
index 944f3a19b..4adb97759 100644
--- a/packer/ansible/roles/windows_universal_forwarder/tasks/install_splunk_uf.yml
+++ b/terraform/ansible/roles/windows_universal_forwarder/tasks/install_splunk_uf.yml
@@ -3,7 +3,7 @@
- name: Download Splunk UF from Splunk website
win_shell: |
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
- (New-Object System.Net.WebClient).DownloadFile("{{ splunk_uf_win_url }}", "C:\splunkuf.msi")
+ (New-Object System.Net.WebClient).DownloadFile("{{ splunk_server.splunk_uf_win_url }}", "C:\splunkuf.msi")
- name: Install Splunk_UF MSI
win_package:
diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/main.yml b/terraform/ansible/roles/windows_universal_forwarder/tasks/main.yml
similarity index 100%
rename from packer/ansible/roles/windows_universal_forwarder/tasks/main.yml
rename to terraform/ansible/roles/windows_universal_forwarder/tasks/main.yml
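Review bot: The changed `DownloadFile("{{ splunk_server.splunk_uf_win_url }}", "C:\splunkuf.msi")` line fetches the MSI that the following `win_package` task installs, and nothing verifies what was downloaded; replacing the inline PowerShell with `ansible.windows.win_get_url` using `checksum:` and `checksum_algorithm: sha256` (with the expected hash kept next to `splunk_uf_win_url` in the vars) makes the installer content attestable rather than trusting the URL alone. The context line above it also re-enables `tls11, tls` in `SecurityProtocol`; `"tls12"` alone is sufficient for that download and avoids a protocol downgrade. The `win_package` task continues past the end of the hunk.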
diff --git a/packer/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2 b/terraform/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2
similarity index 75%
rename from packer/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2
rename to terraform/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2
index 4ec01efe1..6a945ccc0 100644
--- a/packer/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2
+++ b/terraform/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2
@@ -2,7 +2,7 @@
defaultGroup=my_indexers
[tcpout:my_indexers]
-{% if cloud_provider == 'local' %}
+{% if general.cloud_provider == 'local' %}
server=192.168.56.12:9997
{%- else -%}
server=10.0.1.12:9997
diff --git a/packer/ansible/roles/zeek_sensor/files/capture-int.service b/terraform/ansible/roles/zeek_sensor/files/capture-int.service
similarity index 100%
rename from packer/ansible/roles/zeek_sensor/files/capture-int.service
rename to terraform/ansible/roles/zeek_sensor/files/capture-int.service
diff --git a/packer/ansible/roles/zeek_sensor/files/inputs.conf b/terraform/ansible/roles/zeek_sensor/files/inputs.conf
similarity index 100%
rename from packer/ansible/roles/zeek_sensor/files/inputs.conf
rename to terraform/ansible/roles/zeek_sensor/files/inputs.conf
diff --git a/packer/ansible/roles/zeek_sensor/tasks/main.yml b/terraform/ansible/roles/zeek_sensor/tasks/main.yml
similarity index 100%
rename from packer/ansible/roles/zeek_sensor/tasks/main.yml
rename to terraform/ansible/roles/zeek_sensor/tasks/main.yml
diff --git a/packer/ansible/roles/zeek_sensor/tasks/splunkuf.yml b/terraform/ansible/roles/zeek_sensor/tasks/splunkuf.yml
similarity index 61%
rename from packer/ansible/roles/zeek_sensor/tasks/splunkuf.yml
rename to terraform/ansible/roles/zeek_sensor/tasks/splunkuf.yml
index 1da20fa47..514c7d77d 100644
--- a/packer/ansible/roles/zeek_sensor/tasks/splunkuf.yml
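Review bot: This hunk renames `outputs.conf.j2` out of `linux_universal_forwarder/templates` into the windows role, so any `template:` task in the linux role that still references the file will fail at runtime unless another copy exists there; the linux role's tasks are not in this diff, so that needs confirming. The `[tcpout:my_indexers]` stanza in the template selects the indexer only by the hard-coded `192.168.56.12:9997` / `10.0.1.12:9997` and sets no `ssl*` options, so forwarder-to-indexer traffic is plaintext; that is pre-existing, but a one-line comment in the template stating it is intentional for the lab would set expectations for anyone reusing the role.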
+++ b/terraform/ansible/roles/zeek_sensor/tasks/splunkuf.yml
@@ -4,10 +4,11 @@
copy:
src: inputs.conf
dest: /opt/splunkforwarder/etc/system/local/inputs.conf
- owner: splunk
- group: splunk
force: yes
-- name: restart splunkuf
+- name: Restart splunk uf
become: true
- command: "systemctl restart SplunkForwarder"
+ systemd:
+ name: SplunkForwarder
+ state: restarted
+
diff --git a/packer/ansible/roles/zeek_sensor/tasks/zeek.yml b/terraform/ansible/roles/zeek_sensor/tasks/zeek.yml
similarity index 100%
rename from packer/ansible/roles/zeek_sensor/tasks/zeek.yml
rename to terraform/ansible/roles/zeek_sensor/tasks/zeek.yml
diff --git a/packer/ansible/attack_test.yml b/terraform/ansible/snort_server.yml
similarity index 57%
rename from packer/ansible/attack_test.yml
rename to terraform/ansible/snort_server.yml
index b57e03324..a64bf01be 100644
--- a/packer/ansible/attack_test.yml
+++ b/terraform/ansible/snort_server.yml
@@ -2,4 +2,5 @@
gather_facts: False
become: true
roles:
- - attack_test
+ - linux_universal_forwarder
+ - snort
\ No newline at end of file
diff --git a/terraform/ansible/splunk_server_post.yml b/terraform/ansible/splunk_server.yml
similarity index 89%
rename from terraform/ansible/splunk_server_post.yml
rename to terraform/ansible/splunk_server.yml
index 5db69af29..9e936c7b9 100644
--- a/terraform/ansible/splunk_server_post.yml
+++ b/terraform/ansible/splunk_server.yml
@@ -7,8 +7,8 @@
azure_logging: "0"
kali_server: "0"
roles:
- - set_hostname_linux
- - prelude
+ - linux_common
+ - splunk_server
- splunk_server_post
- phantom_byo_splunk
- cloudtrail_logs
diff --git a/terraform/ansible/vars/.gitkeep b/terraform/ansible/vars/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/terraform/ansible/vars/linux_vars.json b/terraform/ansible/vars/linux_vars.json
new file mode 100644
index 000000000..7f3aa1a12
--- /dev/null
+++ b/terraform/ansible/vars/linux_vars.json
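Review bot: Dropping `owner: splunk` / `group: splunk` from the `copy` task leaves `/opt/splunkforwarder/etc/system/local/inputs.conf` owned by root (the task runs with `become: true`); if the forwarder service runs as a dedicated `splunk` user, which this role does not show, it can read the file but any later in-place update by Splunk's own tooling will fail, so either keep the owner/group lines or state in a comment that the forwarder runs as root here. The new `systemd:` restart runs unconditionally on every play; registering the `copy` result and adding `when: <register>.changed`, or moving the restart into a handler with `notify:`, restarts only when the inputs actually changed. `force: yes` should be `force: true` to avoid the YAML 1.1 truthy ambiguity, and the trailing `+` line adds a blank line only.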
@@ -0,0 +1,7 @@ +{ + "ansible_python_interpreter": "/usr/bin/python3", + "general": {"attack_range_name":"ar","attack_range_password":"5kVkrkns0eL2TN23Ir2","carbon_black_cloud":"0","carbon_black_cloud_agent_name":"installer_vista_win7_win8-64-3.8.0.627.msi","carbon_black_cloud_company_code":"","carbon_black_cloud_s3_bucket":"","cloud_provider":"aws","crowdstrike_agent_name":"WindowsSensor.exe","crowdstrike_customer_ID":"","crowdstrike_falcon":"0","crowdstrike_logs_access_key_id":"","crowdstrike_logs_region":"","crowdstrike_logs_secret_access_key":"","crowdstrike_logs_sqs_url":"","install_contentctl":"0","ip_whitelist":"84.174.73.25/32","key_name":"pbareiss-09129","statepath":"/Users/pbareiss/projects/attack_range/modules/../terraform/aws/state/ar.terraform.tfstate","use_prebuilt_images_with_packer":"0"}, + "splunk_server": {"byo_splunk":"0","byo_splunk_ip":"","ingest_bots3_data":"0","install_dltk":"0","install_es":"0","s3_bucket_url":"https://attack-range-appbinaries.s3-us-west-2.amazonaws.com","splunk_apps":"splunk-add-on-for-microsoft-windows_880.tgz,splunk-timeline-custom-visualization_162.tgz,status-indicator-custom-visualization_150.tgz,splunk-sankey-diagram-custom-visualization_160.tgz,punchcard-custom-visualization_150.tgz,splunk_attack_range_reporting-1.0.9.tar.gz,splunk-common-information-model-cim_532.tgz,DA-ESS-ContentUpdate-latest.tar.gz,python-for-scientific-computing-for-linux-64-bit_420.tgz,splunk-machine-learning-toolkit_541.tgz,splunk-security-essentials_380.tgz,splunk-add-on-for-sysmon_400.tgz,splunk-add-on-for-sysmon-for-linux_100.tgz,splunk-add-on-for-amazon-web-services-aws_760.tgz,splunk-add-on-for-microsoft-office-365_451.tgz,splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz,splunk-add-on-for-unix-and-linux_910.tgz,ta-for-zeek_108.tgz,splunk-add-on-for-nginx_322.tgz,phantom-app-for-splunk_4035.tgz,TA-osquery.tar.gz,splunk-add-on-for-microsoft-cloud-services_530.tgz,splunk-add-on-for-crowdstrike-fdr_150.tgz,vmware-carbon-black-cloud_115
.tgz,splunk-add-on-for-carbon-black_210.tgz,TA-aurora-0.2.0.tar.gz,snort-alert-for-splunk_111.tgz","splunk_es_app":"splunk-enterprise-security_731.spl","splunk_uf_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/linux/splunkforwarder-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb","splunk_uf_win_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/windows/splunkforwarder-9.3.0-51ccf43db5bd-x64-release.msi","splunk_url":"https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-Linux-x86_64.tgz"}, + "linux_servers": {"hostname":"ar-lin","sysmon_config":"SysMonLinux-CatchAll.xml"}, + "simulation": {"atomic_red_team_branch":"master","atomic_red_team_repo":"redcanaryco"}, +} diff --git a/terraform/ansible/vars/nginx_vars.json b/terraform/ansible/vars/nginx_vars.json new file mode 100644 index 000000000..914714b98 --- /dev/null +++ b/terraform/ansible/vars/nginx_vars.json 
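Review bot: This generated extra-vars file is committed with live deployment values — `attack_range_password`, an `ip_whitelist` of a single public /32, the operator's `key_name` and an absolute `statepath` under a personal home directory — while the `.gitkeep` added for `terraform/ansible/vars/` in the same commit suggests that directory is meant to stay empty in git; `nginx_vars.json`, `phantom_vars.json` (which adds `private_key_path`) and `snort_vars.json` repeat the same `general` block, so all four should be dropped from the commit, the directory's generated files ignored, and the password treated as exposed and rotated since it is now in history. Each file also ends with a trailing comma before the closing `}` (`"simulation": {...},` then `}`), which Ansible's YAML-based loader tolerates but a strict JSON parser rejects, so any other consumer of these files will fail to load them.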
@@ -0,0 +1,6 @@ +{ + "ansible_python_interpreter": "/usr/bin/python3", + "general": {"attack_range_name":"ar","attack_range_password":"5kVkrkns0eL2TN23Ir2","carbon_black_cloud":"0","carbon_black_cloud_agent_name":"installer_vista_win7_win8-64-3.8.0.627.msi","carbon_black_cloud_company_code":"","carbon_black_cloud_s3_bucket":"","cloud_provider":"aws","crowdstrike_agent_name":"WindowsSensor.exe","crowdstrike_customer_ID":"","crowdstrike_falcon":"0","crowdstrike_logs_access_key_id":"","crowdstrike_logs_region":"","crowdstrike_logs_secret_access_key":"","crowdstrike_logs_sqs_url":"","install_contentctl":"0","ip_whitelist":"84.174.73.25/32","key_name":"pbareiss-09129","statepath":"/Users/pbareiss/projects/attack_range/modules/../terraform/aws/state/ar.terraform.tfstate","use_prebuilt_images_with_packer":"0"}, + "splunk_server": {"byo_splunk":"0","byo_splunk_ip":"","ingest_bots3_data":"0","install_dltk":"0","install_es":"1","s3_bucket_url":"https://attack-range-appbinaries.s3-us-west-2.amazonaws.com","splunk_apps":"splunk-add-on-for-microsoft-windows_880.tgz,splunk-timeline-custom-visualization_162.tgz,status-indicator-custom-visualization_150.tgz,splunk-sankey-diagram-custom-visualization_160.tgz,punchcard-custom-visualization_150.tgz,splunk_attack_range_reporting-1.0.9.tar.gz,splunk-common-information-model-cim_532.tgz,DA-ESS-ContentUpdate-latest.tar.gz,python-for-scientific-computing-for-linux-64-bit_420.tgz,splunk-machine-learning-toolkit_541.tgz,splunk-security-essentials_380.tgz,splunk-add-on-for-sysmon_400.tgz,splunk-add-on-for-sysmon-for-linux_100.tgz,splunk-add-on-for-amazon-web-services-aws_760.tgz,splunk-add-on-for-microsoft-office-365_451.tgz,splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz,splunk-add-on-for-unix-and-linux_910.tgz,ta-for-zeek_108.tgz,splunk-add-on-for-nginx_322.tgz,phantom-app-for-splunk_4035.tgz,TA-osquery.tar.gz,splunk-add-on-for-microsoft-cloud-services_530.tgz,splunk-add-on-for-crowdstrike-fdr_150.tgz,vmware-carbon-black-cloud_115
.tgz,splunk-add-on-for-carbon-black_210.tgz,TA-aurora-0.2.0.tar.gz,snort-alert-for-splunk_111.tgz","splunk_es_app":"splunk-enterprise-security_731.spl","splunk_uf_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/linux/splunkforwarder-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb","splunk_uf_win_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/windows/splunkforwarder-9.3.0-51ccf43db5bd-x64-release.msi","splunk_url":"https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-Linux-x86_64.tgz"}, + "nginx_server": {"hostname":"nginx","nginx_server":"1","proxy_server_ip":"10.0.1.12","proxy_server_port":"8000"}, +} diff --git a/terraform/ansible/vars/phantom_vars.json b/terraform/ansible/vars/phantom_vars.json new file mode 100644 index 000000000..b2ed49576 --- /dev/null +++ b/terraform/ansible/vars/phantom_vars.json 
@@ -0,0 +1,5 @@ +{ + "general": {"attack_range_name":"ar","attack_range_password":"5kVkrkns0eL2TN23Ir2","carbon_black_cloud":"0","carbon_black_cloud_agent_name":"installer_vista_win7_win8-64-3.8.0.627.msi","carbon_black_cloud_company_code":"","carbon_black_cloud_s3_bucket":"","cloud_provider":"aws","crowdstrike_agent_name":"WindowsSensor.exe","crowdstrike_customer_ID":"","crowdstrike_falcon":"0","crowdstrike_logs_access_key_id":"","crowdstrike_logs_region":"","crowdstrike_logs_secret_access_key":"","crowdstrike_logs_sqs_url":"","install_contentctl":"0","ip_whitelist":"84.174.73.25/32","key_name":"pbareiss-09129","statepath":"/Users/pbareiss/projects/attack_range/modules/../terraform/aws/state/ar.terraform.tfstate","use_prebuilt_images_with_packer":"0"}, + "aws": {"cloudtrail":"0","cloudtrail_sqs_queue":"https://sqs.us-west-2.amazonaws.com/111111111111/cloudtrail-cloud-attack-range","private_key_path":"/Users/pbareiss/projects/attack_range/pbareiss-09129.key","region":"eu-central-1","tf_remote_state_dynamo_db_table":"test","tf_remote_state_s3_bucket":"test","use_elastic_ips":"1","use_remote_state":"0"}, + "phantom_server": {"phantom_app":"splunk_soar-unpriv-6.2.2.134-8f694086-el7-x86_64.tgz","phantom_byo":"0","phantom_byo_api_token":"","phantom_byo_ip":"","phantom_server":"1"}, +} diff --git a/terraform/ansible/vars/snort_vars.json b/terraform/ansible/vars/snort_vars.json new file mode 100644 index 000000000..4e3ee9b65 --- /dev/null +++ b/terraform/ansible/vars/snort_vars.json 
@@ -0,0 +1,6 @@ +{ + "ansible_python_interpreter": "/usr/bin/python3", + "general": {"attack_range_name":"ar","attack_range_password":"5kVkrkns0eL2TN23Ir2","carbon_black_cloud":"0","carbon_black_cloud_agent_name":"installer_vista_win7_win8-64-3.8.0.627.msi","carbon_black_cloud_company_code":"","carbon_black_cloud_s3_bucket":"","cloud_provider":"aws","crowdstrike_agent_name":"WindowsSensor.exe","crowdstrike_customer_ID":"","crowdstrike_falcon":"0","crowdstrike_logs_access_key_id":"","crowdstrike_logs_region":"","crowdstrike_logs_secret_access_key":"","crowdstrike_logs_sqs_url":"","install_contentctl":"0","ip_whitelist":"84.174.73.25/32","key_name":"pbareiss-09129","statepath":"/Users/pbareiss/projects/attack_range/modules/../terraform/aws/state/ar.terraform.tfstate","use_prebuilt_images_with_packer":"0"}, + "splunk_server": {"byo_splunk":"0","byo_splunk_ip":"","ingest_bots3_data":"0","install_dltk":"0","install_es":"0","s3_bucket_url":"https://attack-range-appbinaries.s3-us-west-2.amazonaws.com","splunk_apps":"splunk-add-on-for-microsoft-windows_880.tgz,splunk-timeline-custom-visualization_162.tgz,status-indicator-custom-visualization_150.tgz,splunk-sankey-diagram-custom-visualization_160.tgz,punchcard-custom-visualization_150.tgz,splunk_attack_range_reporting-1.0.9.tar.gz,splunk-common-information-model-cim_532.tgz,DA-ESS-ContentUpdate-latest.tar.gz,python-for-scientific-computing-for-linux-64-bit_420.tgz,splunk-machine-learning-toolkit_541.tgz,splunk-security-essentials_380.tgz,splunk-add-on-for-sysmon_400.tgz,splunk-add-on-for-sysmon-for-linux_100.tgz,splunk-add-on-for-amazon-web-services-aws_760.tgz,splunk-add-on-for-microsoft-office-365_451.tgz,splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz,splunk-add-on-for-unix-and-linux_910.tgz,ta-for-zeek_108.tgz,splunk-add-on-for-nginx_322.tgz,phantom-app-for-splunk_4035.tgz,TA-osquery.tar.gz,splunk-add-on-for-microsoft-cloud-services_530.tgz,splunk-add-on-for-crowdstrike-fdr_150.tgz,vmware-carbon-black-cloud_115
.tgz,splunk-add-on-for-carbon-black_210.tgz,TA-aurora-0.2.0.tar.gz,snort-alert-for-splunk_111.tgz","splunk_es_app":"splunk-enterprise-security_731.spl","splunk_uf_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/linux/splunkforwarder-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb","splunk_uf_win_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/windows/splunkforwarder-9.3.0-51ccf43db5bd-x64-release.msi","splunk_url":"https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-Linux-x86_64.tgz"}, + "snort_server": {"snort_server":"1"}, +} diff --git a/terraform/ansible/vars/splunk_vars.json b/terraform/ansible/vars/splunk_vars.json new file mode 100644 index 000000000..b751a6fcc --- /dev/null +++ b/terraform/ansible/vars/splunk_vars.json 
@@ -0,0 +1,13 @@ +{ + "ansible_python_interpreter": "/usr/bin/python3", + "general": {"attack_range_name":"ar","attack_range_password":"5kVkrkns0eL2TN23Ir2","carbon_black_cloud":"0","carbon_black_cloud_agent_name":"installer_vista_win7_win8-64-3.8.0.627.msi","carbon_black_cloud_company_code":"","carbon_black_cloud_s3_bucket":"","cloud_provider":"aws","crowdstrike_agent_name":"WindowsSensor.exe","crowdstrike_customer_ID":"","crowdstrike_falcon":"0","crowdstrike_logs_access_key_id":"","crowdstrike_logs_region":"","crowdstrike_logs_secret_access_key":"","crowdstrike_logs_sqs_url":"","install_contentctl":"0","ip_whitelist":"84.174.73.25/32","key_name":"pbareiss-09129","statepath":"/Users/pbareiss/projects/attack_range/modules/../terraform/aws/state/ar.terraform.tfstate","use_prebuilt_images_with_packer":"0"}, + "aws": {"cloudtrail":"0","cloudtrail_sqs_queue":"https://sqs.us-west-2.amazonaws.com/111111111111/cloudtrail-cloud-attack-range","private_key_path":"/Users/pbareiss/projects/attack_range/pbareiss-09129.key","region":"eu-central-1","tf_remote_state_dynamo_db_table":"test","tf_remote_state_s3_bucket":"test","use_elastic_ips":"1","use_remote_state":"0"}, + "splunk_server": 
{"byo_splunk":"0","byo_splunk_ip":"","ingest_bots3_data":"0","install_dltk":"0","install_es":"0","s3_bucket_url":"https://attack-range-appbinaries.s3-us-west-2.amazonaws.com","splunk_apps":"splunk-add-on-for-microsoft-windows_880.tgz,splunk-timeline-custom-visualization_162.tgz,status-indicator-custom-visualization_150.tgz,splunk-sankey-diagram-custom-visualization_160.tgz,punchcard-custom-visualization_150.tgz,splunk_attack_range_reporting-1.0.9.tar.gz,splunk-common-information-model-cim_532.tgz,DA-ESS-ContentUpdate-latest.tar.gz,python-for-scientific-computing-for-linux-64-bit_420.tgz,splunk-machine-learning-toolkit_541.tgz,splunk-security-essentials_380.tgz,splunk-add-on-for-sysmon_400.tgz,splunk-add-on-for-sysmon-for-linux_100.tgz,splunk-add-on-for-amazon-web-services-aws_760.tgz,splunk-add-on-for-microsoft-office-365_451.tgz,splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz,splunk-add-on-for-unix-and-linux_910.tgz,ta-for-zeek_108.tgz,splunk-add-on-for-nginx_322.tgz,phantom-app-for-splunk_4035.tgz,TA-osquery.tar.gz,splunk-add-on-for-microsoft-cloud-services_530.tgz,splunk-add-on-for-crowdstrike-fdr_150.tgz,vmware-carbon-black-cloud_115.tgz,splunk-add-on-for-carbon-black_210.tgz,TA-aurora-0.2.0.tar.gz,snort-alert-for-splunk_111.tgz","splunk_es_app":"splunk-enterprise-security_731.spl","splunk_uf_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/linux/splunkforwarder-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb","splunk_uf_win_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/windows/splunkforwarder-9.3.0-51ccf43db5bd-x64-release.msi","splunk_url":"https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-Linux-x86_64.tgz"}, + "phantom_server": {"phantom_app":"splunk_soar-unpriv-6.2.2.134-8f694086-el7-x86_64.tgz","phantom_byo":"0","phantom_byo_api_token":"","phantom_byo_ip":"","phantom_server":"0"}, + "simulation": 
{"atomic_red_team_branch":"master","atomic_red_team_repo":"redcanaryco"}, + "kali_server": {"kali_server":"0"}, + "zeek_server": {"zeek_server":"0"}, + "windows_servers": [{"advanced_logging":"0","aurora_agent":"0","bad_blood":"0","create_domain":"0","hostname":"ar-win","install_red_team_tools":"0","join_domain":"0","win_sysmon_config":"SwiftOnSecurity.xml","windows_ami":"Windows_Server-2019-English-Full-Base-*","windows_image":"windows-server-2019"}], + "linux_servers": [{"hostname":"ar-lin","sysmon_config":"SysMonLinux-CatchAll.xml"}], + "snort_server": {"snort_server":"0"} +} diff --git a/terraform/ansible/vars/windows_vars.json b/terraform/ansible/vars/windows_vars.json new file mode 100644 index 000000000..ce74cf2f3 --- /dev/null +++ b/terraform/ansible/vars/windows_vars.json 
@@ -0,0 +1,9 @@ +{ + "ansible_user": "Administrator", + "ansible_password": 5kVkrkns0eL2TN23Ir2, + "attack_range_password": 5kVkrkns0eL2TN23Ir2, + "general": {"attack_range_name":"ar","attack_range_password":"5kVkrkns0eL2TN23Ir2","carbon_black_cloud":"0","carbon_black_cloud_agent_name":"installer_vista_win7_win8-64-3.8.0.627.msi","carbon_black_cloud_company_code":"","carbon_black_cloud_s3_bucket":"","cloud_provider":"aws","crowdstrike_agent_name":"WindowsSensor.exe","crowdstrike_customer_ID":"","crowdstrike_falcon":"0","crowdstrike_logs_access_key_id":"","crowdstrike_logs_region":"","crowdstrike_logs_secret_access_key":"","crowdstrike_logs_sqs_url":"","install_contentctl":"0","ip_whitelist":"84.174.73.25/32","key_name":"pbareiss-09129","statepath":"/Users/pbareiss/projects/attack_range/modules/../terraform/aws/state/ar.terraform.tfstate","use_prebuilt_images_with_packer":"0"}, + "splunk_server": {"byo_splunk":"0","byo_splunk_ip":"","ingest_bots3_data":"0","install_dltk":"0","install_es":"0","s3_bucket_url":"https://attack-range-appbinaries.s3-us-west-2.amazonaws.com","splunk_apps":"splunk-add-on-for-microsoft-windows_880.tgz,splunk-timeline-custom-visualization_162.tgz,status-indicator-custom-visualization_150.tgz,splunk-sankey-diagram-custom-visualization_160.tgz,punchcard-custom-visualization_150.tgz,splunk_attack_range_reporting-1.0.9.tar.gz,splunk-common-information-model-cim_532.tgz,DA-ESS-ContentUpdate-latest.tar.gz,python-for-scientific-computing-for-linux-64-bit_420.tgz,splunk-machine-learning-toolkit_541.tgz,splunk-security-essentials_380.tgz,splunk-add-on-for-sysmon_400.tgz,splunk-add-on-for-sysmon-for-linux_100.tgz,splunk-add-on-for-amazon-web-services-aws_760.tgz,splunk-add-on-for-microsoft-office-365_451.tgz,splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz,splunk-add-on-for-unix-and-linux_910.tgz,ta-for-zeek_108.tgz,splunk-add-on-for-nginx_322.tgz,phantom-app-for-splunk_4035.tgz,TA-osquery.tar.gz,splunk-add-on-for-microsoft-cloud-services_530.t
gz,splunk-add-on-for-crowdstrike-fdr_150.tgz,vmware-carbon-black-cloud_115.tgz,splunk-add-on-for-carbon-black_210.tgz,TA-aurora-0.2.0.tar.gz,snort-alert-for-splunk_111.tgz","splunk_es_app":"splunk-enterprise-security_731.spl","splunk_uf_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/linux/splunkforwarder-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb","splunk_uf_win_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/windows/splunkforwarder-9.3.0-51ccf43db5bd-x64-release.msi","splunk_url":"https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-Linux-x86_64.tgz"}, + "simulation": {"atomic_red_team_branch":"master","atomic_red_team_repo":"redcanaryco"}, + "windows_servers": {"advanced_logging":"0","aurora_agent":"0","bad_blood":"0","create_domain":"0","hostname":"ar-win","install_red_team_tools":"0","join_domain":"0","win_sysmon_config":"SwiftOnSecurity.xml","windows_ami":"Windows_Server-2019-English-Full-Base-*","windows_image":"windows-server-2019"}, +} diff --git a/terraform/ansible/vars/zeek_vars.json b/terraform/ansible/vars/zeek_vars.json new file mode 100644 index 000000000..63467e053 --- /dev/null +++ b/terraform/ansible/vars/zeek_vars.json 
@@ -0,0 +1,5 @@ +{ + "ansible_python_interpreter": "/usr/bin/python3", + "general": {"attack_range_name":"ar","attack_range_password":"5kVkrkns0eL2TN23Ir2","carbon_black_cloud":"0","carbon_black_cloud_agent_name":"installer_vista_win7_win8-64-3.8.0.627.msi","carbon_black_cloud_company_code":"","carbon_black_cloud_s3_bucket":"","cloud_provider":"aws","crowdstrike_agent_name":"WindowsSensor.exe","crowdstrike_customer_ID":"","crowdstrike_falcon":"0","crowdstrike_logs_access_key_id":"","crowdstrike_logs_region":"","crowdstrike_logs_secret_access_key":"","crowdstrike_logs_sqs_url":"","install_contentctl":"0","ip_whitelist":"84.174.73.25/32","key_name":"pbareiss-09129","statepath":"/Users/pbareiss/projects/attack_range/modules/../terraform/aws/state/ar.terraform.tfstate","use_prebuilt_images_with_packer":"0"}, + "splunk_server": {"byo_splunk":"0","byo_splunk_ip":"","ingest_bots3_data":"0","install_dltk":"0","install_es":"1","s3_bucket_url":"https://attack-range-appbinaries.s3-us-west-2.amazonaws.com","splunk_apps":"splunk-add-on-for-microsoft-windows_880.tgz,splunk-timeline-custom-visualization_162.tgz,status-indicator-custom-visualization_150.tgz,splunk-sankey-diagram-custom-visualization_160.tgz,punchcard-custom-visualization_150.tgz,splunk_attack_range_reporting-1.0.9.tar.gz,splunk-common-information-model-cim_532.tgz,DA-ESS-ContentUpdate-latest.tar.gz,python-for-scientific-computing-for-linux-64-bit_420.tgz,splunk-machine-learning-toolkit_541.tgz,splunk-security-essentials_380.tgz,splunk-add-on-for-sysmon_400.tgz,splunk-add-on-for-sysmon-for-linux_100.tgz,splunk-add-on-for-amazon-web-services-aws_760.tgz,splunk-add-on-for-microsoft-office-365_451.tgz,splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz,splunk-add-on-for-unix-and-linux_910.tgz,ta-for-zeek_108.tgz,splunk-add-on-for-nginx_322.tgz,phantom-app-for-splunk_4035.tgz,TA-osquery.tar.gz,splunk-add-on-for-microsoft-cloud-services_530.tgz,splunk-add-on-for-crowdstrike-fdr_150.tgz,vmware-carbon-black-cloud_115
.tgz,splunk-add-on-for-carbon-black_210.tgz,TA-aurora-0.2.0.tar.gz,snort-alert-for-splunk_111.tgz","splunk_es_app":"splunk-enterprise-security_731.spl","splunk_uf_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/linux/splunkforwarder-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb","splunk_uf_win_url":"https://download.splunk.com/products/universalforwarder/releases/9.3.0/windows/splunkforwarder-9.3.0-51ccf43db5bd-x64-release.msi","splunk_url":"https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-Linux-x86_64.tgz"}, +} diff --git a/terraform/ansible/windows_post.yml b/terraform/ansible/windows.yml similarity index 75% rename from terraform/ansible/windows_post.yml rename to terraform/ansible/windows.yml index b3a13ddd7..915aa9c20 100644 --- a/terraform/ansible/windows_post.yml +++ b/terraform/ansible/windows.yml @@ -4,14 +4,18 @@ ansible_connection: winrm ansible_winrm_server_cert_validation: ignore ansible_port: 5985 + ansible_winrm_operation_timeout_sec: 300 + ansible_winrm_read_timeout_sec: 900 roles: + - windows_common + - windows_universal_forwarder + - sysmon - set_hostname_win - windows_splunk_post - create_domain_controller - update_sysmon_config - red_team_tools - join_domain - - windows_agent_prelude - bad_blood - splunk_byo_windows - windows_aurora_agent diff --git a/terraform/ansible/zeek_server_post.yml b/terraform/ansible/zeek_server.yml similarity index 67% rename from terraform/ansible/zeek_server_post.yml rename to terraform/ansible/zeek_server.yml index bc3e2fe55..7ecf0f366 100644 --- a/terraform/ansible/zeek_server_post.yml +++ b/terraform/ansible/zeek_server.yml @@ -2,5 +2,7 @@ gather_facts: False become: true roles: + - linux_universal_forwarder + - zeek_sensor - zeek_server_post - splunk_byo_linux \ No newline at end of file diff --git a/terraform/aws/modules/linux-server/resources.tf b/terraform/aws/modules/linux-server/resources.tf index 6b0293623..7cd649b35 100644 
--- a/terraform/aws/modules/linux-server/resources.tf
+++ b/terraform/aws/modules/linux-server/resources.tf
@@ -1,17 +1,7 @@
-data "aws_ami" "linux_server_packer" {
- count = (var.general.use_prebuilt_images_with_packer == "1") ? length(var.linux_servers) : 0
- most_recent = true
- owners = ["self"]
-
- filter {
- name = "name"
- values = [var.linux_servers[count.index].linux_image]
- }
-}
 data "aws_ami" "linux_server" {
- count = (var.general.use_prebuilt_images_with_packer == "0") ? length(var.linux_servers) : 0
+ count = length(var.linux_servers)
 most_recent = true
 owners = ["099720109477"] # Canonical
@@ -28,8 +18,8 @@ data "aws_ami" "linux_server" {
 resource "aws_instance" "linux_server" {
 count = length(var.linux_servers)
- ami = var.general.use_prebuilt_images_with_packer == "1" ? data.aws_ami.linux_server_packer[count.index].id : data.aws_ami.linux_server[count.index].id
- instance_type = var.zeek_server.zeek_server == "1" ? "m5.2xlarge" : "t3.xlarge"
+ ami = data.aws_ami.linux_server[count.index].id
+ instance_type = (var.zeek_server.zeek_server == "1" || var.snort_server.snort_server == "1") ? "m5.2xlarge" : "t3.xlarge"
 key_name = var.general.key_name
 subnet_id = var.ec2_subnet_id
 vpc_security_group_ids = [var.vpc_security_group_ids]
@@ -58,13 +48,23 @@ resource "aws_instance" "linux_server" {
 }
 provisioner "local-exec" {
- working_dir = "../../packer/ansible"
- command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${self.public_ip},' linux_server.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}'"
+ working_dir = "../ansible"
+ command = <<-EOT
+ cat < vars/linux_vars.json
+ {
+ "ansible_python_interpreter": "/usr/bin/python3",
+ "general": ${jsonencode(var.general)},
+ "splunk_server": ${jsonencode(var.splunk_server)},
+ "linux_servers": ${jsonencode(var.linux_servers[count.index])},
+ "simulation": ${jsonencode(var.simulation)},
+ }
+ EOF
+ EOT
 }
 provisioner "local-exec" {
 working_dir = "../ansible"
- command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${self.public_ip},' linux_server_post.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.linux_servers[count.index] : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.simulation : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}'"
+ command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${self.public_ip},' linux_server.yml -e @vars/linux_vars.json"
 }
 }
diff --git a/terraform/aws/modules/linux-server/variable.tf b/terraform/aws/modules/linux-server/variable.tf
index 1d7ab7262..a562179fb 100644
--- a/terraform/aws/modules/linux-server/variable.tf
+++ b/terraform/aws/modules/linux-server/variable.tf
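Review bot: The rendered `vars/linux_vars.json` lands in plaintext under `terraform/ansible/vars/` with `general.attack_range_password` inside and is never removed after the second provisioner's `ansible-playbook` returns; this commit itself adds the rendered `*_vars.json` files as new files (the `terraform/ansible/vars/` hunks earlier in this diff, password included), which shows the directory is not excluded from version control, so either add an ignore rule for `terraform/ansible/vars/` or delete the file at the end of the playbook command. The hand-assembled document also closes with `},` before `}`, so it is not strict JSON (Ansible's YAML fallback tolerates it, `jq`/`json.load` do not), and if the inner shell heredoc delimiter is unquoted the shell re-expands `$` and backticks inside the encoded values; that delimiter line is garbled in this rendering, so I cannot confirm which form is used. Emitting the whole document through one `jsonencode({...})` with a quoted delimiter fixes both; the same pattern appears in the nginx, phantom, snort, splunk and windows provisioners.
```hcl
provisioner "local-exec" {
  working_dir = "../ansible"
  command     = <<-EOT
    cat <<'EOF' > vars/linux_vars.json
    ${jsonencode({
      ansible_python_interpreter = "/usr/bin/python3"
      general                    = var.general
      splunk_server              = var.splunk_server
      linux_servers              = var.linux_servers[count.index]
      simulation                 = var.simulation
    })}
    EOF
  EOT
}
# … unchanged: second provisioner running ansible-playbook with -e @vars/linux_vars.json …
```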
@@ -5,5 +5,6 @@ variable "general" { }
 variable "aws" { }
 variable "linux_servers" { }
 variable "simulation" { }
+variable "splunk_server" { }
 variable "zeek_server" { }
-variable "splunk_server" { }
\ No newline at end of file
+variable "snort_server" { }
\ No newline at end of file
diff --git a/terraform/aws/modules/nginx-server/resources.tf b/terraform/aws/modules/nginx-server/resources.tf
index b87aaad51..a1a7300f6 100644
--- a/terraform/aws/modules/nginx-server/resources.tf
+++ b/terraform/aws/modules/nginx-server/resources.tf
@@ -1,18 +1,7 @@
-data "aws_ami" "nginx_server_packer" {
- count = (var.nginx_server.nginx_server == "1") && (var.general.use_prebuilt_images_with_packer == "1") ? 1 : 0
- most_recent = true
- owners = ["self"]
-
- filter {
- name = "name"
- values = [var.nginx_server.nginx_image]
- }
-}
-
 data "aws_ami" "nginx_server" {
- count = (var.nginx_server.nginx_server == "1") && (var.general.use_prebuilt_images_with_packer == "0") ? 1 : 0
+ count = (var.nginx_server.nginx_server == "1") ? 1 : 0
 most_recent = true
 owners = ["099720109477"] # Canonical
@@ -29,7 +18,7 @@ data "aws_ami" "nginx_server" {
 resource "aws_instance" "nginx_server" {
 count = var.nginx_server.nginx_server == "1" ? 1 : 0
- ami = var.general.use_prebuilt_images_with_packer == "1" ? data.aws_ami.nginx_server_packer[0].id : data.aws_ami.nginx_server[0].id
+ ami = data.aws_ami.nginx_server[0].id
 instance_type = "t3.small"
 key_name = var.general.key_name
 subnet_id = var.ec2_subnet_id
@@ -59,13 +48,22 @@ resource "aws_instance" "nginx_server" {
 }
 provisioner "local-exec" {
- working_dir = "../../packer/ansible"
- command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${self.public_ip},' nginx_web_proxy.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.nginx_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}'"
+ working_dir = "../ansible"
+ command = <<-EOT
+ cat < vars/nginx_vars.json
+ {
+ "ansible_python_interpreter": "/usr/bin/python3",
+ "general": ${jsonencode(var.general)},
+ "splunk_server": ${jsonencode(var.splunk_server)},
+ "nginx_server": ${jsonencode(var.nginx_server)},
+ }
+ EOF
+ EOT
 }
 provisioner "local-exec" {
 working_dir = "../ansible"
- command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${self.public_ip},' nginx_server_post.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.nginx_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}'"
+ command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${self.public_ip},' nginx_server.yml -e @vars/nginx_vars.json"
 }
 }
diff --git a/terraform/aws/modules/phantom-server/resources.tf b/terraform/aws/modules/phantom-server/resources.tf
index 775fe539f..287bd6feb 100644
--- a/terraform/aws/modules/phantom-server/resources.tf
+++ b/terraform/aws/modules/phantom-server/resources.tf
@@ -1,17 +1,7 @@
-data "aws_ami" "latest-centos-packer" {
- count = (var.phantom_server.phantom_server == "1") && (var.general.use_prebuilt_images_with_packer == "1") ? 1 : 0
- most_recent = true
- owners = ["self"]
-
- filter {
- name = "name"
- values = [var.phantom_server.phantom_image]
- }
-}
 data "aws_ami" "latest-centos" {
- count = (var.phantom_server.phantom_server == "1") && (var.general.use_prebuilt_images_with_packer == "0") ? 1 : 0
+ count = (var.phantom_server.phantom_server == "1") ? 1 : 0
 most_recent = true
 owners = ["125523088429"]
@@ -34,7 +24,7 @@ data "aws_ami" "latest-centos" {
 # install Phantom on a bare CentOS 7 instance
 resource "aws_instance" "phantom-server" {
 count = var.phantom_server.phantom_server == "1" ? 1 : 0
- ami = var.general.use_prebuilt_images_with_packer == "1" ? data.aws_ami.latest-centos-packer[0].id : data.aws_ami.latest-centos[0].id
+ ami = data.aws_ami.latest-centos[0].id
 instance_type = "t3.xlarge"
 key_name = var.general.key_name
 subnet_id = var.ec2_subnet_id
@@ -62,13 +52,22 @@ resource "aws_instance" "phantom-server" {
 }
 provisioner "local-exec" {
- working_dir = "../../packer/ansible"
- command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u centos --private-key '${var.aws.private_key_path}' -i '${aws_instance.phantom-server[0].public_ip},' phantom_server.yml -e '${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.phantom_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}'"
+ working_dir = "../ansible"
+ command = <<-EOT
+ cat < vars/phantom_vars.json
+ {
+ "general": ${jsonencode(var.general)},
+ "aws": ${jsonencode(var.aws)},
+ "phantom_server": ${jsonencode(var.phantom_server)},
+ }
+ EOF
+ EOT
 }
+
 provisioner "local-exec" {
 working_dir = "../ansible"
- command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u centos --private-key '${var.aws.private_key_path}' -i '${aws_instance.phantom-server[0].public_ip},' phantom_server.yml -e '${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.phantom_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.aws : "${key}=\"${value}\""])}'"
+ command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u centos --private-key '${var.aws.private_key_path}' -i '${aws_instance.phantom-server[0].public_ip},' phantom_server.yml -e @vars/phantom_vars.json"
 }
 }
diff --git a/terraform/aws/modules/snort-server/resources.tf b/terraform/aws/modules/snort-server/resources.tf
new file mode 100644
index 000000000..687749980
--- /dev/null
+++ b/terraform/aws/modules/snort-server/resources.tf
@@ -0,0 +1,120 @@
+
+
+data "aws_ami" "snort_server" {
+ count = (var.snort_server.snort_server == "1") ? 1 : 0
+ most_recent = true
+ owners = ["099720109477"] # Canonical
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+}
+
+resource "aws_instance" "snort_sensor" {
+ count = var.snort_server.snort_server == "1" ? 1 : 0
+ ami = data.aws_ami.snort_server[0].id
+ instance_type = "m5.2xlarge"
+ key_name = var.general.key_name
+ subnet_id = var.ec2_subnet_id
+ vpc_security_group_ids = [var.vpc_security_group_ids]
+ private_ip = "10.0.1.60"
+ associate_public_ip_address = true
+
+ tags = {
+ Name = "ar-snort-${var.general.key_name}-${var.general.attack_range_name}"
+ }
+
+ provisioner "remote-exec" {
+ inline = ["echo booted"]
+
+ connection {
+ type = "ssh"
+ user = "ubuntu"
+ host = self.public_ip
+ private_key = file(var.aws.private_key_path)
+ }
+ }
+
+ provisioner "local-exec" {
+ working_dir = "../ansible"
+ command = <<-EOT
+ cat < vars/snort_vars.json
+ {
+ "ansible_python_interpreter": "/usr/bin/python3",
+ "general": ${jsonencode(var.general)},
+ "splunk_server": ${jsonencode(var.splunk_server)},
+ "snort_server": ${jsonencode(var.snort_server)},
+ }
+ EOF
+ EOT
+ }
+
+ provisioner "local-exec" {
+ working_dir = "../ansible"
+ command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${self.public_ip},' snort_server.yml -e @vars/snort_vars.json"
+ }
+}
+
+resource "aws_eip" "snort_ip" {
+ count = (var.snort_server.snort_server == "1") && (var.aws.use_elastic_ips == "1") ? 1 : 0
+ instance = aws_instance.snort_sensor[0].id
+}
+
+resource "aws_ec2_traffic_mirror_target" "snort_target" {
+ count = var.snort_server.snort_server == "1" ? 1 : 0
+ description = "VPC Tap for Snort"
+ network_interface_id = aws_instance.snort_sensor[0].primary_network_interface_id
+}
+
+resource "aws_ec2_traffic_mirror_filter" "snort_filter" {
+ count = var.snort_server.snort_server == "1" ? 1 : 0
+ description = "Snort Mirror Filter - Allow All"
+}
+
+resource "aws_ec2_traffic_mirror_filter_rule" "snort_outbound" {
+ count = var.snort_server.snort_server == "1" ? 1 : 0
+ description = "Snort Outbound Rule"
+ traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.snort_filter[0].id
+ destination_cidr_block = "0.0.0.0/0"
+ source_cidr_block = "0.0.0.0/0"
+ rule_number = 1
+ rule_action = "accept"
+ traffic_direction = "egress"
+}
+
+resource "aws_ec2_traffic_mirror_filter_rule" "snort_inbound" {
+ count = var.snort_server.snort_server == "1" ? 1 : 0
+ description = "Snort Inbound Rule"
+ traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.snort_filter[0].id
+ destination_cidr_block = "0.0.0.0/0"
+ source_cidr_block = "0.0.0.0/0"
+ rule_number = 1
+ rule_action = "accept"
+ traffic_direction = "ingress"
+}
+
+resource "aws_ec2_traffic_mirror_session" "snort_windows_session" {
+ count = var.snort_server.snort_server == "1" ? length(var.windows_servers) : 0
+ description = "Snort Mirror Session for Windows Server"
+ depends_on = [var.windows_server_instances]
+ traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.snort_filter[0].id
+ traffic_mirror_target_id = aws_ec2_traffic_mirror_target.snort_target[0].id
+ network_interface_id = var.windows_server_instances[count.index].primary_network_interface_id
+ session_number = 100
+}
+
+resource "aws_ec2_traffic_mirror_session" "snort_linux_session" {
+ count = var.snort_server.snort_server == "1" ? length(var.linux_servers) : 0
+ description = "Snort Mirror Session for Linux Server"
+ depends_on = [var.linux_server_instances]
+ traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.snort_filter[0].id
+ traffic_mirror_target_id = aws_ec2_traffic_mirror_target.snort_target[0].id
+ network_interface_id = var.linux_server_instances[count.index].primary_network_interface_id
+ session_number = 100
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/snort-server/variables.tf b/terraform/aws/modules/snort-server/variables.tf
new file mode 100644
index 000000000..7bc9003a6
--- /dev/null
+++ b/terraform/aws/modules/snort-server/variables.tf
@@ -0,0 +1,11 @@
+
+variable "vpc_security_group_ids" { }
+variable "ec2_subnet_id" { }
+variable "general" { }
+variable "aws" { }
+variable "snort_server" { }
+variable "windows_servers" { }
+variable "windows_server_instances" { }
+variable "linux_servers" { }
+variable "linux_server_instances" { }
+variable "splunk_server" { }
\ No newline at end of file
diff --git a/terraform/aws/modules/splunk-server/resources.tf b/terraform/aws/modules/splunk-server/resources.tf
index 251246836..23963d463 100644
--- a/terraform/aws/modules/splunk-server/resources.tf
+++ b/terraform/aws/modules/splunk-server/resources.tf
@@ -1,18 +1,5 @@
-
-
-data "aws_ami" "splunk_server_packer" {
- count = (var.splunk_server.byo_splunk == "0") && (var.general.use_prebuilt_images_with_packer == "1") ? 1 : 0
- most_recent = true
- owners = ["self"]
-
- filter {
- name = "name"
- values = [var.splunk_server.splunk_image]
- }
-}
-
 data "aws_ami" "splunk_server" {
- count = (var.splunk_server.byo_splunk == "0") && (var.general.use_prebuilt_images_with_packer == "0") ? 1 : 0
+ count = (var.splunk_server.byo_splunk == "0") ? 1 : 0
 most_recent = true
 owners = ["099720109477"] # Canonical
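Review bot: `depends_on = [var.windows_server_instances]` in `snort_windows_session` (and `depends_on = [var.linux_server_instances]` in `snort_linux_session`) adds nothing, because `network_interface_id` already references `var.windows_server_instances[count.index]` and so orders the session after the instance; `depends_on` on an input variable is unusual enough that its acceptance should be confirmed against the Terraform version the project pins, otherwise drop both lines. The sessions are also counted with `length(var.windows_servers)` but indexed into `var.windows_server_instances`; if a caller ever passes an instance list that is not parallel to `windows_servers`, `count.index` goes out of range, so a comment on those two variables in `variables.tf` stating that they must be parallel lists (`# must be index-aligned with windows_servers`) would make the contract explicit. Both mirror-session resources are complete within this hunk.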
@@ -88,7 +75,7 @@ resource "aws_iam_role_policy" "splunk_logging_policy" {
 resource "aws_instance" "splunk-server" {
 count = var.splunk_server.byo_splunk == "0" ? 1 : 0
- ami = var.general.use_prebuilt_images_with_packer == "1" ? data.aws_ami.splunk_server_packer[0].id : data.aws_ami.splunk_server[0].id
+ ami = data.aws_ami.splunk_server[0].id
 instance_type = "t3.2xlarge"
 key_name = var.general.key_name
 subnet_id = var.ec2_subnet_id
@@ -119,13 +106,31 @@ resource "aws_instance" "splunk-server" {
 }
 provisioner "local-exec" {
- working_dir = "../../packer/ansible"
- command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${aws_instance.splunk-server[0].public_ip},' splunk_server.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} '"
+ working_dir = "../ansible"
+ command = <<-EOT
+ cat < vars/splunk_vars.json
+ {
+ "ansible_python_interpreter": "/usr/bin/python3",
+ "general": ${jsonencode(var.general)},
+ "aws": ${jsonencode(var.aws)},
+ "splunk_server": ${jsonencode(var.splunk_server)},
+ "phantom_server": ${jsonencode(var.phantom_server)},
+ "simulation": ${jsonencode(var.simulation)},
+ "kali_server": ${jsonencode(var.kali_server)},
+ "zeek_server": ${jsonencode(var.zeek_server)},
+ "windows_servers": ${jsonencode(var.windows_servers)},
+ "linux_servers": ${jsonencode(var.linux_servers)},
+ "snort_server": ${jsonencode(var.snort_server)}
+ }
+ EOF
+ EOT
 }
 provisioner "local-exec" {
 working_dir = "../ansible"
- command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${aws_instance.splunk-server[0].public_ip},' splunk_server_post.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.aws : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.phantom_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.simulation : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.kali_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.zeek_server : "${key}=\"${value}\""])} windows=${jsonencode(var.windows_servers)} linux=${jsonencode(var.linux_servers)}'"
+ command = <<-EOT
+ ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${aws_instance.splunk-server[0].public_ip},' splunk_server.yml -e "@vars/splunk_vars.json"
+ EOT
 }
 }
@@ -133,4 +138,4 @@ resource "aws_instance" "splunk-server" {
 resource "aws_eip" "splunk_ip" {
 count = (var.splunk_server.byo_splunk == "0") && (var.aws.use_elastic_ips == "1") ? 1 : 0
 instance = aws_instance.splunk-server[0].id
-}
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/splunk-server/variable.tf b/terraform/aws/modules/splunk-server/variable.tf
index 0ad5b62dc..e99de481b 100644
--- a/terraform/aws/modules/splunk-server/variable.tf
+++ b/terraform/aws/modules/splunk-server/variable.tf
@@ -10,3 +10,4 @@ variable "windows_servers" { }
 variable "linux_servers" { }
 variable "kali_server" { }
 variable "zeek_server" { }
+variable "snort_server" { }
diff --git a/terraform/aws/modules/windows/resources.tf b/terraform/aws/modules/windows/resources.tf
index f1b3eeff7..eee69eece 100644
--- a/terraform/aws/modules/windows/resources.tf
+++ b/terraform/aws/modules/windows/resources.tf
@@ -1,20 +1,8 @@
 data "aws_availability_zones" "available" {}
-
-data "aws_ami" "windows_ami_packer" {
- count = (var.general.use_prebuilt_images_with_packer == "1") ? length(var.windows_servers) : 0
- most_recent = true
- owners = ["self"]
-
- filter {
- name = "name"
- values = [var.windows_servers[count.index].windows_image]
- }
-}
-
 data "aws_ami" "windows_ami" {
- count = (var.general.use_prebuilt_images_with_packer == "0") ? length(var.windows_servers) : 0
+ count = length(var.windows_servers)
 most_recent = true
 owners = ["801119661308"] # Canonical
@@ -32,8 +20,8 @@ data "aws_ami" "windows_ami" {
 resource "aws_instance" "windows_server" {
 count = length(var.windows_servers)
- ami = var.general.use_prebuilt_images_with_packer == "1" ? data.aws_ami.windows_ami_packer[count.index].id : data.aws_ami.windows_ami[count.index].id
- instance_type = var.zeek_server.zeek_server == "1" ? "m5.2xlarge" : "t3.xlarge"
+ ami = data.aws_ami.windows_ami[count.index].id
+ instance_type = (var.zeek_server.zeek_server == "1" || var.snort_server.snort_server == "1") ? "m5.2xlarge" : "t3.xlarge"
 key_name = var.general.key_name
 subnet_id = var.ec2_subnet_id
 private_ip = "10.0.1.${14 + count.index}"
@@ -90,13 +78,25 @@ EOF } provisioner "local-exec" { - working_dir = "../../packer/ansible" - command = "ansible-playbook -i '${self.public_ip},' windows.yml --extra-vars 'ansible_user=Administrator ansible_password=${var.general.attack_range_password} ansible_winrm_operation_timeout_sec=120 ansible_winrm_read_timeout_sec=150 ansible_port=5985 attack_range_password=${var.general.attack_range_password} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.simulation : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.windows_servers[count.index] : "${key}=\"${value}\""])}'" + working_dir = "../ansible" + command = <<-EOT + cat < vars/windows_vars.json + { + "ansible_user": "Administrator", + "ansible_password": ${var.general.attack_range_password}, + "attack_range_password": ${var.general.attack_range_password}, + "general": ${jsonencode(var.general)}, + "splunk_server": ${jsonencode(var.splunk_server)}, + "simulation": ${jsonencode(var.simulation)}, + "windows_servers": ${jsonencode(var.windows_servers[count.index])}, + } + EOF + EOT } provisioner "local-exec" { working_dir = "../ansible" - command = "ansible-playbook -i '${self.public_ip},' windows_post.yml --extra-vars 'ansible_user=Administrator ansible_password=${var.general.attack_range_password} ansible_winrm_operation_timeout_sec=120 ansible_winrm_read_timeout_sec=150 attack_range_password=${var.general.attack_range_password} ${join(" ", [for key, value in var.windows_servers[count.index] : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.simulation : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}'" + command = "ansible-playbook -i '${self.public_ip},' windows.yml -e @vars/windows_vars.json" } } 
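Review bot: `"ansible_password": ${var.general.attack_range_password},` writes the password into the vars file as a bare, unquoted scalar, so any value containing `:`, `#`, `,` or a quote yields a file Ansible cannot parse (or parses into the wrong key); use `"ansible_password": ${jsonencode(var.general.attack_range_password)},` and the same for `attack_range_password`. The object also ends with a trailing comma after the `windows_servers` entry, which is not valid JSON even if Ansible's YAML loader tolerates it; both issues recur in the Azure windows hunk (`@@ -100,13 +93,26 @@`), and the trailing comma in the zeek (`@@ -52,13 +42,23 @@`), Azure linux (`@@ -77,13 +70,23 @@`), phantom (`@@ -78,13 +71,22 @@`) and Azure splunk (`@@ -79,13 +72,31 @@`) hunks. The removed command also passed `ansible_port=5985`, `ansible_winrm_operation_timeout_sec=120` and `ansible_winrm_read_timeout_sec=150`; the new file carries none of them while the Azure counterpart still sets `ansible_port`, so confirm the inventory or playbook now supplies them. As rendered here the first line reads `cat < vars/windows_vars.json`, which reads the file instead of writing it; if the real source is `cat <<EOF > vars/windows_vars.json` this is fine, otherwise the file is never created.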
diff --git a/terraform/aws/modules/windows/variables.tf b/terraform/aws/modules/windows/variables.tf index c8e4f38d2..1fc9e9f8d 100644 --- a/terraform/aws/modules/windows/variables.tf +++ b/terraform/aws/modules/windows/variables.tf @@ -4,6 +4,7 @@ variable "ec2_subnet_id" { } variable "general" { } variable "aws" { } variable "windows_servers" { } -variable "zeek_server" { } variable "splunk_server" { } -variable "simulation" { } \ No newline at end of file +variable "simulation" { } +variable "zeek_server" { } +variable "snort_server" { } \ No newline at end of file diff --git a/terraform/aws/modules/zeek-server/ressources.tf b/terraform/aws/modules/zeek-server/resources.tf similarity index 74% rename from terraform/aws/modules/zeek-server/ressources.tf rename to terraform/aws/modules/zeek-server/resources.tf index c9f46a55b..329bfcf77 100644 --- a/terraform/aws/modules/zeek-server/ressources.tf +++ b/terraform/aws/modules/zeek-server/resources.tf @@ -1,17 +1,7 @@ -data "aws_ami" "zeek_server_packer" { - count = (var.zeek_server.zeek_server == "1") && (var.general.use_prebuilt_images_with_packer == "1") ? 1 : 0 - most_recent = true - owners = ["self"] - - filter { - name = "name" - values = [var.zeek_server.zeek_image] - } -} data "aws_ami" "zeek_server" { - count = (var.zeek_server.zeek_server == "1") && (var.general.use_prebuilt_images_with_packer == "0") ? 1 : 0 + count = (var.zeek_server.zeek_server == "1") ? 1 : 0 most_recent = true owners = ["099720109477"] # Canonical @@ -28,7 +18,7 @@ data "aws_ami" "zeek_server" { resource "aws_instance" "zeek_sensor" { count = var.zeek_server.zeek_server == "1" ? 1 : 0 - ami = var.general.use_prebuilt_images_with_packer == "1" ? data.aws_ami.zeek_server_packer[0].id : data.aws_ami.zeek_server[0].id + ami = data.aws_ami.zeek_server[0].id instance_type = "m5.2xlarge" key_name = var.general.key_name subnet_id = var.ec2_subnet_id 
@@ -52,13 +42,23 @@ resource "aws_instance" "zeek_sensor" { } provisioner "local-exec" { - working_dir = "../../packer/ansible" - command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key ${var.aws.private_key_path} -i '${self.public_ip},' zeek.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}'" + working_dir = "../ansible" + command = <<-EOT + cat < vars/zeek_vars.json + { + "ansible_python_interpreter": "/usr/bin/python3", + "general": ${jsonencode(var.general)}, + "splunk_server": ${jsonencode(var.splunk_server)}, + } + EOF + EOT } provisioner "local-exec" { working_dir = "../ansible" - command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key ${var.aws.private_key_path} -i '${self.public_ip},' zeek_server_post.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}'" + command = <<-EOT + ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.aws.private_key_path}' -i '${aws_instance.zeek_sensor[0].public_ip},' zeek_server.yml -e "@vars/zeek_vars.json" + EOT } } diff --git a/terraform/aws/resources.tf b/terraform/aws/resources.tf index e3aaa5fbe..a3234fb0a 100644 --- a/terraform/aws/resources.tf +++ b/terraform/aws/resources.tf @@ -17,6 +17,7 @@ module "splunk-server" { linux_servers = var.linux_servers kali_server = var.kali_server zeek_server = var.zeek_server + snort_server = var.snort_server } module "phantom-server" { @@ -35,9 +36,10 @@ module "windows-server" { ec2_subnet_id = module.networkModule.ec2_subnet_id general = var.general aws = var.aws + zeek_server = var.zeek_server + snort_server = var.snort_server windows_servers = var.windows_servers simulation = var.simulation - zeek_server = var.zeek_server splunk_server = var.splunk_server } 
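Review bot: The second provisioner builds its inventory from `aws_instance.zeek_sensor[0].public_ip`, but per the hunk header it sits inside `resource "aws_instance" "zeek_sensor"` itself, and Terraform rejects a resource configuration that refers to its own attributes; the removed command used `self.public_ip`, and `-i '${self.public_ip},'` is what this should keep. The AWS splunk-server provisioner earlier in the diff appears to make the same self-reference with `aws_instance.splunk-server[0].public_ip` and should use `self.public_ip` as well, though its enclosing block is outside what is visible here. Separately, `vars/zeek_vars.json` (relative to `../ansible`, i.e. `terraform/ansible/vars/`) now holds the full `general` and `splunk_server` maps in plaintext; if those carry credentials, that directory must be excluded from version control with a pattern that matches the `vars/` subdirectory, since a `*` glob does not cross `/`.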
@@ -48,9 +50,10 @@ module "linux-server" { ec2_subnet_id = module.networkModule.ec2_subnet_id general = var.general aws = var.aws + zeek_server = var.zeek_server + snort_server = var.snort_server linux_servers = var.linux_servers simulation = var.simulation - zeek_server = var.zeek_server splunk_server = var.splunk_server } @@ -85,4 +88,18 @@ module "zeek-server" { linux_servers = var.linux_servers linux_server_instances = module.linux-server.linux_servers splunk_server = var.splunk_server +} + +module "snort-server" { + source = "./modules/snort-server" + vpc_security_group_ids = module.networkModule.sg_vpc_id + ec2_subnet_id = module.networkModule.ec2_subnet_id + general = var.general + aws = var.aws + snort_server = var.snort_server + windows_servers = var.windows_servers + windows_server_instances = module.windows-server.windows_servers + linux_servers = var.linux_servers + linux_server_instances = module.linux-server.linux_servers + splunk_server = var.splunk_server } \ No newline at end of file diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf index 14c70eb90..b5b5ede1b 100644 --- a/terraform/aws/variables.tf +++ b/terraform/aws/variables.tf @@ -87,4 +87,6 @@ variable "nginx_server" { } } -variable "zeek_server" { } \ No newline at end of file +variable "zeek_server" { } + +variable "snort_server" { } \ No newline at end of file diff --git a/terraform/azure/modules/linux-server/resources.tf b/terraform/azure/modules/linux-server/resources.tf index ba24d2178..13fa0020c 100644 --- a/terraform/azure/modules/linux-server/resources.tf +++ b/terraform/azure/modules/linux-server/resources.tf 
@@ -21,12 +21,6 @@ resource "azurerm_network_interface" "linux-nic" { } } -data "azurerm_image" "search" { - count = (var.general.use_prebuilt_images_with_packer == "1") ? length(var.linux_servers) : 0 - name = var.linux_servers[count.index].linux_image - resource_group_name = "packer_${replace(var.azure.location, " ", "_")}" -} - resource "azurerm_virtual_machine" "linux" { count = length(var.linux_servers) name = "ar-linux-${var.general.key_name}-${var.general.attack_range_name}-${count.index}" @@ -44,11 +38,10 @@ resource "azurerm_virtual_machine" "linux" { } storage_image_reference { - id = var.general.use_prebuilt_images_with_packer == "1" ? data.azurerm_image.search[count.index].id : null - publisher = var.general.use_prebuilt_images_with_packer == "0" ? "Canonical" : null - offer = var.general.use_prebuilt_images_with_packer == "0" ? "UbuntuServer" : null - sku = var.general.use_prebuilt_images_with_packer == "0" ? "18.04-LTS" : null - version = var.general.use_prebuilt_images_with_packer == "0" ? "latest" : null + publisher = "canonical" + offer = "0001-com-ubuntu-server-jammy" + sku = "22_04-lts" + version = "latest" } os_profile { 
@@ -77,13 +70,23 @@ resource "azurerm_virtual_machine" "linux" { } provisioner "local-exec" { - working_dir = "../../packer/ansible" - command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key ${var.azure.private_key_path} -i '${azurerm_public_ip.linux-publicip[count.index].ip_address},' linux_server.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}'" + working_dir = "../ansible" + command = <<-EOT + cat < vars/linux_vars.json + { + "ansible_python_interpreter": "/usr/bin/python3", + "general": ${jsonencode(var.general)}, + "splunk_server": ${jsonencode(var.splunk_server)}, + "linux_servers": ${jsonencode(var.linux_servers[count.index])}, + "simulation": ${jsonencode(var.simulation)}, + } + EOF + EOT } provisioner "local-exec" { working_dir = "../ansible" - command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key ${var.azure.private_key_path} -i '${azurerm_public_ip.linux-publicip[count.index].ip_address},' linux_server_post.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.linux_servers[count.index] : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.simulation : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}'" + command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.azure.private_key_path}' -i '${azurerm_public_ip.linux-publicip[count.index].ip_address},' linux_server.yml -e @vars/linux_vars.json" } } \ No newline at end of file diff --git a/terraform/azure/modules/network/resources.tf b/terraform/azure/modules/network/resources.tf index 31e4b14b2..41cabf210 100644 --- a/terraform/azure/modules/network/resources.tf 
+++ b/terraform/azure/modules/network/resources.tf @@ -135,42 +135,6 @@ resource "azurerm_network_security_group" "attackrange-nsg" { destination_address_prefix = "*" } - security_rule { - name = "Prelude1" - priority = 1011 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "3391" - source_address_prefixes = [var.general.ip_whitelist] - destination_address_prefix = "*" - } - - security_rule { - name = "Prelude2" - priority = 1012 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "2323" - source_address_prefixes = [var.general.ip_whitelist] - destination_address_prefix = "*" - } - - security_rule { - name = "Prelude3" - priority = 1013 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "50051" - source_address_prefixes = [var.general.ip_whitelist] - destination_address_prefix = "*" - } - security_rule { name = "Guacamole" priority = 1014 diff --git a/terraform/azure/modules/phantom-server/resources.tf b/terraform/azure/modules/phantom-server/resources.tf index 958a72dd4..d39ee353d 100644 --- a/terraform/azure/modules/phantom-server/resources.tf +++ b/terraform/azure/modules/phantom-server/resources.tf @@ -21,12 +21,6 @@ resource "azurerm_network_interface" "phantom-nic" { } } -data "azurerm_image" "phantom" { - count = (var.phantom_server.phantom_server == "1") && (var.general.use_prebuilt_images_with_packer == "1") ? 1 : 0 - name = var.phantom_server.phantom_image - resource_group_name = "packer_${replace(var.azure.location, " ", "_")}" -} - resource "azurerm_virtual_machine" "phantom" { count = var.phantom_server.phantom_server == "1" ? 1 : 0 name = "ar-phantom-${var.general.key_name}-${var.general.attack_range_name}" 
@@ -45,11 +39,10 @@ resource "azurerm_virtual_machine" "phantom" { } storage_image_reference { - id = var.general.use_prebuilt_images_with_packer == "1" ? data.azurerm_image.phantom[0].id : null - publisher = var.general.use_prebuilt_images_with_packer == "0" ? "openlogic" : null - offer = var.general.use_prebuilt_images_with_packer == "0" ? "centos" : null - sku = var.general.use_prebuilt_images_with_packer == "0" ? "7_9" : null - version = var.general.use_prebuilt_images_with_packer == "0" ? "latest" : null + publisher = "openlogic" + offer = "centos" + sku = "7_9" + version = "latest" } os_profile { 
@@ -78,13 +71,22 @@ resource "azurerm_virtual_machine" "phantom" { } provisioner "local-exec" { - working_dir = "../../packer/ansible" - command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u centos --private-key ${var.azure.private_key_path} -i '${azurerm_public_ip.phantom-publicip[0].ip_address},' phantom_server.yml -e '${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.phantom_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])}'" + working_dir = "../ansible" + command = <<-EOT + cat < vars/phantom_vars.json + { + "general": ${jsonencode(var.general)}, + "azure": ${jsonencode(var.azure)}, + "phantom_server": ${jsonencode(var.phantom_server)}, + } + EOF + EOT } + provisioner "local-exec" { working_dir = "../ansible" - command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u centos --private-key ${var.azure.private_key_path} -i '${azurerm_public_ip.phantom-publicip[0].ip_address},' phantom_server.yml -e '${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.phantom_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.azure : "${key}=\"${value}\""])}'" + command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u centos --private-key '${var.azure.private_key_path}' -i '${azurerm_public_ip.phantom-publicip[0].ip_address},' phantom_server.yml -e @vars/phantom_vars.json" } } \ No newline at end of file diff --git a/terraform/azure/modules/splunk-server/resources.tf b/terraform/azure/modules/splunk-server/resources.tf index ad309946e..b5f2acc59 100644 --- a/terraform/azure/modules/splunk-server/resources.tf +++ b/terraform/azure/modules/splunk-server/resources.tf 
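Review bot: The new `vars/phantom_vars.json` carries `general`, `azure` and `phantom_server` only, whereas the removed command also passed every key of `var.splunk_server`; if `phantom_server.yml` still references Splunk settings (for example to pair Phantom with the Splunk server), those variables are now undefined, so either add `"splunk_server": ${jsonencode(var.splunk_server)},` or confirm the playbook no longer needs them. `var.azure` is serialized verbatim into that file as well; if it holds anything beyond `location` and `private_key_path`, such as service-principal credentials, a plaintext copy now lives in `terraform/ansible/vars/` for the lifetime of the checkout and needs the same exclusion from version control and post-run cleanup as the other vars files.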
@@ -22,12 +22,6 @@ resource "azurerm_network_interface" "splunk-nic" { } } -data "azurerm_image" "search" { - count = (var.splunk_server.byo_splunk == "0") && (var.general.use_prebuilt_images_with_packer == "1") ? 1 : 0 - name = var.splunk_server.splunk_image - resource_group_name = "packer_${replace(var.azure.location, " ", "_")}" -} - resource "azurerm_virtual_machine" "splunk" { count = var.splunk_server.byo_splunk == "0" ? 1 : 0 name = "ar-splunk-${var.general.key_name}-${var.general.attack_range_name}" @@ -46,11 +40,10 @@ resource "azurerm_virtual_machine" "splunk" { } storage_image_reference { - id = var.general.use_prebuilt_images_with_packer == "1" ? data.azurerm_image.search[0].id : null - publisher = var.general.use_prebuilt_images_with_packer == "0" ? "Canonical" : null - offer = var.general.use_prebuilt_images_with_packer == "0" ? "UbuntuServer" : null - sku = var.general.use_prebuilt_images_with_packer == "0" ? "18.04-LTS" : null - version = var.general.use_prebuilt_images_with_packer == "0" ? "latest" : null + publisher = "canonical" + offer = "0001-com-ubuntu-server-jammy" + sku = "22_04-lts" + version = "latest" } os_profile { 
@@ -79,13 +72,31 @@ resource "azurerm_virtual_machine" "splunk" { } provisioner "local-exec" { - working_dir = "../../packer/ansible" - command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key ${var.azure.private_key_path} -i '${azurerm_public_ip.splunk-publicip[0].ip_address},' splunk_server.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} '" + working_dir = "../ansible" + command = <<-EOT + cat < vars/splunk_vars.json + { + "ansible_python_interpreter": "/usr/bin/python3", + "general": ${jsonencode(var.general)}, + "azure": ${jsonencode(var.azure)}, + "splunk_server": ${jsonencode(var.splunk_server)}, + "phantom_server": ${jsonencode(var.phantom_server)}, + "kali_server": ${jsonencode(var.kali_server)}, + "simulation": ${jsonencode(var.simulation)}, + "zeek_server": ${jsonencode(var.zeek_server)}, + "snort_server": ${jsonencode(var.snort_server)}, + "windows_servers": ${jsonencode(var.windows_servers)}, + "linux_servers": ${jsonencode(var.linux_servers)}, + } + EOF + EOT } provisioner "local-exec" { working_dir = "../ansible" - command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key ${var.azure.private_key_path} -i '${azurerm_public_ip.splunk-publicip[0].ip_address},' splunk_server_post.yml -e 'ansible_python_interpreter=/usr/bin/python3 ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.azure : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.phantom_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.simulation : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.zeek_server : "${key}=\"${value}\""])} windows=${jsonencode(var.windows_servers)} linux=${jsonencode(var.linux_servers)}'" + command = 
<<-EOT + ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --private-key '${var.azure.private_key_path}' -i '${azurerm_public_ip.splunk-publicip[0].ip_address},' splunk_server.yml -e "@vars/splunk_vars.json" + EOT } } \ No newline at end of file diff --git a/terraform/azure/modules/splunk-server/variable.tf b/terraform/azure/modules/splunk-server/variable.tf index b096bebe8..6eed5e54d 100644 --- a/terraform/azure/modules/splunk-server/variable.tf +++ b/terraform/azure/modules/splunk-server/variable.tf @@ -8,4 +8,6 @@ variable "general" { } variable "simulation" { } variable "windows_servers" { } variable "linux_servers" { } -variable "zeek_server" { } \ No newline at end of file +variable "zeek_server" { } +variable "kali_server" { } +variable "snort_server" { } \ No newline at end of file diff --git a/terraform/azure/modules/windows/resources.tf b/terraform/azure/modules/windows/resources.tf index 2dfb72dd3..8fece5a74 100644 --- a/terraform/azure/modules/windows/resources.tf +++ b/terraform/azure/modules/windows/resources.tf @@ -26,12 +26,6 @@ resource "azurerm_public_ip" "windows-publicip" { allocation_method = "Static" } -data "azurerm_image" "search" { - count = (var.general.use_prebuilt_images_with_packer == "1") ? length(var.windows_servers) : 0 - name = var.windows_servers[count.index].windows_image - resource_group_name = "packer_${replace(var.azure.location, " ", "_")}" -} - resource "azurerm_virtual_machine" "windows" { count = length(var.windows_servers) name = "ar-win-${var.general.key_name}-${var.general.attack_range_name}-${count.index}" 
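Review bot: `vars/splunk_vars.json` now receives the complete configuration — `azure`, `splunk_server`, `phantom_server`, `kali_server`, `simulation`, `zeek_server`, `snort_server` and the per-host maps — serialized verbatim, which very likely includes the Splunk admin password and whatever credentials `var.azure` carries, all in one plaintext file under `terraform/ansible/vars/`. Consider creating the file with restrictive permissions (a `umask 077` before the `cat`, or `chmod 600 vars/splunk_vars.json` after it) and deleting it once the playbook has run, and make sure the repository's ignore rules match the `vars/` subdirectory rather than only `terraform/ansible/`. The removed command passed the host lists as `windows=` and `linux=`, while the new file uses the keys `windows_servers` and `linux_servers`; `splunk_server.yml` must have been updated to the new names, which this diff does not show.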
@@ -43,11 +37,10 @@ resource "azurerm_virtual_machine" "windows" { delete_os_disk_on_termination = true storage_image_reference { - id = var.general.use_prebuilt_images_with_packer == "1" ? data.azurerm_image.search[count.index].id : null - publisher = var.general.use_prebuilt_images_with_packer == "0" ? var.windows_servers[count.index].azure_publisher : null - offer = var.general.use_prebuilt_images_with_packer == "0" ? var.windows_servers[count.index].azure_offer : null - sku = var.general.use_prebuilt_images_with_packer == "0" ? var.windows_servers[count.index].azure_sku : null - version = var.general.use_prebuilt_images_with_packer == "0" ? "latest" : null + publisher = var.windows_servers[count.index].azure_publisher + offer = var.windows_servers[count.index].azure_offer + sku = var.windows_servers[count.index].azure_sku + version = "latest" } os_profile { 
@@ -100,13 +93,26 @@ resource "azurerm_virtual_machine" "windows" { } provisioner "local-exec" { - working_dir = "../../packer/ansible" - command = "ansible-playbook -i '${azurerm_public_ip.windows-publicip[count.index].ip_address},' windows.yml --extra-vars 'ansible_port=5985 ansible_user=AzureAdmin ansible_password=${var.general.attack_range_password} ansible_winrm_operation_timeout_sec=120 ansible_winrm_read_timeout_sec=150 attack_range_password=${var.general.attack_range_password} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.simulation : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.windows_servers[count.index] : "${key}=\"${value}\""])}'" + working_dir = "../ansible" + command = <<-EOT + cat < vars/windows_vars.json + { + "ansible_user": "AzureAdmin", + "ansible_port": 5985, + "ansible_password": ${var.general.attack_range_password}, + "attack_range_password": ${var.general.attack_range_password}, + "general": ${jsonencode(var.general)}, + "splunk_server": ${jsonencode(var.splunk_server)}, + "simulation": ${jsonencode(var.simulation)}, + "windows_servers": ${jsonencode(var.windows_servers[count.index])}, + } + EOF + EOT } provisioner "local-exec" { working_dir = "../ansible" - command = "ansible-playbook -i '${azurerm_public_ip.windows-publicip[count.index].ip_address},' windows_post.yml --extra-vars 'ansible_port=5985 ansible_user=AzureAdmin ansible_password=${var.general.attack_range_password} ansible_winrm_operation_timeout_sec=120 ansible_winrm_read_timeout_sec=150 attack_range_password=${var.general.attack_range_password} ${join(" ", [for key, value in var.windows_servers[count.index] : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.simulation : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.splunk_server : 
"${key}=\"${value}\""])}'" + command = "ansible-playbook -i '${azurerm_public_ip.windows-publicip[count.index].ip_address},' windows.yml -e @vars/windows_vars.json" } } \ No newline at end of file diff --git a/terraform/azure/ressources.tf b/terraform/azure/ressources.tf index 57df36b71..d01b25d91 100644 --- a/terraform/azure/ressources.tf +++ b/terraform/azure/ressources.tf @@ -17,6 +17,8 @@ module "splunk-server" { windows_servers = var.windows_servers linux_servers = var.linux_servers zeek_server = var.zeek_server + kali_server = var.kali_server + snort_server = var.snort_server } module "phantom-server" { diff --git a/terraform/azure/variable.tf b/terraform/azure/variable.tf index 054d45ca5..10b370c77 100644 --- a/terraform/azure/variable.tf +++ b/terraform/azure/variable.tf @@ -89,4 +89,6 @@ variable "nginx_server" { } } -variable "zeek_server" { } \ No newline at end of file +variable "zeek_server" { } + +variable "snort_server" { } \ No newline at end of file diff --git a/vagrant/linux_server/Vagrantfile b/vagrant/linux_server/Vagrantfile index 79571d572..f7e92c5ac 100644 --- a/vagrant/linux_server/Vagrantfile +++ b/vagrant/linux_server/Vagrantfile 
@@ -5,37 +5,23 @@ config.vm.define "ar-linux-{{config.general.key_name}}-{{config.general.attack_r config.vm.network :private_network, ip: "192.168.56.{{21 + count}}" config.vm.network "forwarded_port", guest: 22, host: {{ 2022 + count }} config.vm.synced_folder '.', '/vagrant', disabled: true - - config.vm.provision "ansible" do |ansible| - ansible.playbook = "../packer/ansible/linux_server.yml" - ansible.compatibility_mode = "2.0" - ansible.extra_vars = { - ansible_python_interpreter: "/usr/bin/python3", - splunk_admin_password: 'Pl3ase-k1Ll-me:p', - use_prebuilt_images_with_packer: '0', - splunk_uf_url: 'https://download.splunk.com/products/universalforwarder/releases/8.2.5/linux/splunkforwarder-8.2.5-77015bc7a462-linux-2.6-amd64.deb', -{% for key, value in config.general.items() %} - {{ key }}: "{{ value }}", -{% endfor %} - } - end config.vm.provision "ansible" do |ansible| - ansible.playbook = "../terraform/ansible/linux_server_post.yml" + ansible.playbook = "../terraform/ansible/linux_server.yml" ansible.compatibility_mode = "2.0" ansible.extra_vars = { ansible_python_interpreter: "/usr/bin/python3", {% for key, value in config.general.items() %} - {{ key }}: "{{ value }}", + general.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in server.items() %} - {{ key }}: "{{ value }}", + linux_servers.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in config.simulation.items() %} - {{ key }}: "{{ value }}", + simulation.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in config.splunk_server.items() %} - {{ key }}: "{{ value }}", + splunk_server.{{ key }}: "{{ value }}", {% endfor %} } end diff --git a/vagrant/phantom_server/Vagrantfile b/vagrant/phantom_server/Vagrantfile index 12b3dabba..f015fd4ab 100644 --- a/vagrant/phantom_server/Vagrantfile +++ b/vagrant/phantom_server/Vagrantfile 
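Review bot: `general.{{ key }}: "{{ value }}",` does not look like valid Ruby inside a hash literal — `foo.bar:` is not a label — so the rendered Vagrantfile would presumably fail to load; and even where it parsed, Ansible would receive flat keys named `general.key_name` rather than a nested `general` mapping, so playbook references such as `general.key_name` would be undefined. The Terraform side of this diff passes real nested objects via `jsonencode`, and the Vagrant provisioner should produce the same shape by nesting each loop under its section key, as sketched below. The phantom, splunk and windows Vagrantfiles later in the diff use the same construction and need the same change. The `linux_servers` section should hold the single host map (`server`), matching what Terraform sends as `var.linux_servers[count.index]`.
```ruby
    ansible.extra_vars = {
      ansible_python_interpreter: "/usr/bin/python3",
      "general" => {
{% for key, value in config.general.items() %}
        "{{ key }}" => "{{ value }}",
{% endfor %}
      },
      "linux_servers" => {
{% for key, value in server.items() %}
        "{{ key }}" => "{{ value }}",
{% endfor %}
      },
      # … same nesting for simulation and splunk_server …
    }
```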
@@ -9,35 +9,19 @@ config.vm.define "ar-phantom-{{config.general.key_name}}-{{config.general.attack # Add this line near the top of the config block config.vm.synced_folder ".", "/vagrant", disabled: true - config.vm.provision "ansible" do |ansible| - ansible.playbook = "../packer/ansible/phantom_server.yml" - ansible.compatibility_mode = "2.0" - ansible.extra_vars = { -{% for key, value in config.general.items() %} - {{ key }}: "{{ value }}", -{% endfor %} -{% for key, value in config.splunk_server.items() %} - {{ key }}: "{{ value }}", -{% endfor %} -{% for key, value in config.phantom_server.items() %} - {{ key }}: "{{ value }}", -{% endfor %} - } - end - config.vm.provision "ansible" do |ansible| ansible.playbook = "../terraform/ansible/phantom_server.yml" ansible.compatibility_mode = "2.0" ansible.extra_vars = { use_prebuilt_images_with_packer: '0', {% for key, value in config.general.items() %} - {{ key }}: "{{ value }}", + general.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in config.splunk_server.items() %} - {{ key }}: "{{ value }}", + splunk_server.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in config.phantom_server.items() %} - {{ key }}: "{{ value }}", + phantom_server.{{ key }}: "{{ value }}", {% endfor %} } end diff --git a/vagrant/splunk_server/Vagrantfile b/vagrant/splunk_server/Vagrantfile index 6b3ed1e16..8b0f74b3c 100644 --- a/vagrant/splunk_server/Vagrantfile +++ b/vagrant/splunk_server/Vagrantfile 
@@ -7,42 +7,25 @@ config.vm.define "ar-splunk-{{config.general.key_name}}-{{config.general.attack_ config.vm.network "forwarded_port", guest: 8089, host: 8089, protocol: "tcp" config.vm.network "forwarded_port", guest: 8080, host: 8080, protocol: "tcp" config.vm.network :private_network, ip: "192.168.56.12" - - config.vm.provision "ansible" do |ansible| - ansible.playbook = "../packer/ansible/splunk_server.yml" - ansible.compatibility_mode = "2.0" - ansible.extra_vars = { - ansible_python_interpreter: "/usr/bin/python3", - splunk_admin_password: 'Pl3ase-k1Ll-me:p', - s3_bucket_url: 'https://attack-range-appbinaries.s3-us-west-2.amazonaws.com', - splunk_url: 'https://download.splunk.com/products/splunk/releases/8.2.5/linux/splunk-8.2.5-77015bc7a462-Linux-x86_64.tgz', -{% for key, value in config.general.items() %} - {{ key }}: "{{ value }}", -{% endfor %} -{% for key, value in config.splunk_server.items() %} - {{ key }}: "{{ value }}", -{% endfor %} - } - end config.vm.provision "ansible" do |ansible| - ansible.playbook = "../terraform/ansible/splunk_server_post.yml" + ansible.playbook = "../terraform/ansible/splunk_server.yml" ansible.compatibility_mode = "2.0" ansible.extra_vars = { ansible_python_interpreter: "/usr/bin/python3", windows_servers_count: {{ config.windows_servers|length }}, linux_servers_count: {{ config.linux_servers|length }}, {% for key, value in config.general.items() %} - {{ key }}: "{{ value }}", + general.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in config.splunk_server.items() %} - {{ key }}: "{{ value }}", + splunk_server.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in config.phantom_server.items() %} - {{ key }}: "{{ value }}", + phantom_server.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in config.simulation.items() %} - {{ key }}: "{{ value }}", + simulation.{{ key }}: "{{ value }}", {% endfor %} } end 
diff --git a/vagrant/windows_server/Vagrantfile b/vagrant/windows_server/Vagrantfile index bdf4c12d8..e6ed3f914 100644 --- a/vagrant/windows_server/Vagrantfile +++ b/vagrant/windows_server/Vagrantfile @@ -14,25 +14,6 @@ config.vm.define "ar-win-{{config.general.key_name}}-{{config.general.attack_ran config.vm.provision "shell", inline: "net user Administrator {{ config.general.attack_range_password }}" - config.vm.provision "ansible" do |ansible| - ansible.extra_vars = { - ansible_port: {{ 5985 + count }}, - ansible_winrm_scheme: 'http', - splunk_admin_password: 'Pl3ase-k1Ll-me:p', - splunk_uf_win_url: 'https://download.splunk.com/products/universalforwarder/releases/8.2.5/windows/splunkforwarder-8.2.5-77015bc7a462-x64-release.msi', - win_password: 'Pl3ase-k1Ll-me:p', - use_prebuilt_images_with_packer: '0', -{% for key, value in config.general.items() %} - {{ key }}: "{{ value }}", -{% endfor %} -{% for key, value in server.items() %} - {{ key }}: "{{ value }}", -{% endfor %} - } - ansible.playbook = "../packer/ansible/windows.yml" - ansible.compatibility_mode = "2.0" - end - config.vm.provision "ansible" do |ansible| ansible.extra_vars = { ansible_port: {{ 5985 + count }}, @@ -42,16 +23,16 @@ config.vm.define "ar-win-{{config.general.key_name}}-{{config.general.attack_ran ansible_user: "Administrator", ansible_password: "{{ config.general.attack_range_password }}", {% for key, value in config.general.items() %} - {{ key }}: "{{ value }}", + general.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in server.items() %} - {{ key }}: "{{ value }}", + windows_servers.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in config.simulation.items() %} - {{ key }}: "{{ value }}", + simulation.{{ key }}: "{{ value }}", {% endfor %} {% for key, value in config.splunk_server.items() %} - {{ key }}: "{{ value }}", + splunk_server.{{ key }}: "{{ value }}", {% endfor %} } ansible.playbook = "../terraform/ansible/windows_post.yml"
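Review bot: After the first hunk removes the `../packer/ansible/windows.yml` provisioner, the Windows box is provisioned only by the unchanged `ansible.playbook = "../terraform/ansible/windows_post.yml"` in the second hunk, while the linux and splunk Vagrantfiles in this diff were switched to `linux_server.yml` and `splunk_server.yml` and the Terraform windows provisioners now run `windows.yml`. Unless `windows_post.yml` is deliberately kept as a separate playbook, this should become `ansible.playbook = "../terraform/ansible/windows.yml"`; otherwise the Vagrant path runs a playbook the rest of the change has retired.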