add contentctl

configs/attack_range_default.yml

@@ -109,13 +109,13 @@ splunk_server:
   s3_bucket_url: "https://attack-range-appbinaries.s3-us-west-2.amazonaws.com"
 # S3 bucket containing the Splunk Apps which will be installed in Attack Range
 
-  splunk_url: "https://download.splunk.com/products/splunk/releases/9.0.2/linux/splunk-9.0.2-17e00c557dc1-Linux-x86_64.tgz"
+  splunk_url: "https://download.splunk.com/products/splunk/releases/9.0.5/linux/splunk-9.0.5-e9494146ae5c-Linux-x86_64.tgz"
 # Url to download Splunk Enterprise
 
-  splunk_uf_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.2/linux/splunkforwarder-9.0.2-17e00c557dc1-linux-2.6-amd64.deb"
+  splunk_uf_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.5/linux/splunkforwarder-9.0.5-e9494146ae5c-linux-2.6-amd64.deb"
 # Url to download Splunk Universal Forwarder Linux
 
-  splunk_uf_win_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.2/windows/splunkforwarder-9.0.2-17e00c557dc1-x64-release.msi"
+  splunk_uf_win_url: "https://download.splunk.com/products/universalforwarder/releases/9.0.5/windows/splunkforwarder-9.0.5-e9494146ae5c-x64-release.msi"
 # Url to download Splunk Universal Forwarder Windows
 
   byo_splunk: "0"
@@ -174,6 +174,9 @@ windows_servers_default:
   bad_blood: "0"
 # Install Bad Blood. More inforamtion in chapter Bad Blood under Attack Range Features.
 
+  aurora_agent: "0"
+# Install Aurora Agent  
+
 linux_servers_default:
   hostname: ar-linux
 # Define the hostname for the Linux Server

modules/ansible/roles/atomic_red_team/tasks/main.yml

@@ -4,8 +4,8 @@
 #   debug:
 #     var: ansible_facts
 
-- include_tasks: "install_art_windows.yml"
-  when: ansible_distribution is match "Microsoft Windows"
+# - include_tasks: "install_art_windows.yml"
+#   when: ansible_distribution is match "Microsoft Windows"
 
 - include_tasks: "run_art_linux.yml"
   with_items: "{{ techniques }}"

modules/ansible/roles/atomic_red_team/tasks/run_art_linux.yml

@@ -6,10 +6,7 @@
 - name: Run Atomic Red Team
   become: true
   shell: |
-    pwsh -Command 'IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicsfolder.ps1 -UseBasicParsing); 
-    Install-AtomicsFolder -Force; 
-    IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1); 
-    Install-AtomicRedTeam -Force; Invoke-AtomicTest "{{ technique }}" -GetPrereqs; 
+    pwsh -Command 'Invoke-AtomicTest "{{ technique }}" -GetPrereqs; 
     Invoke-AtomicTest "{{ technique }}";
     Invoke-AtomicTest "{{ technique }}" -Cleanup'
   register: output_art

modules/aws_controller.py

@@ -141,7 +141,7 @@ def packer(self, image_name) -> None:
         self.config['general']['use_prebuilt_images_with_packer'] = "0"
 
         if image_name.startswith("splunk"):
-            only_cmd_arg = "amazon-ebs.splunk-ubuntu-18-04"
+            only_cmd_arg = "amazon-ebs.splunk-ubuntu"
             path_packer_file = "packer/splunk_server/splunk_aws.pkr.hcl"
             command = ["packer", "build", "-force", 
                 "-var", "general=" + json.dumps(self.config["general"]), 
@@ -181,7 +181,7 @@ def packer(self, image_name) -> None:
                 "-only=" + only_cmd_arg, path_packer_file]
 
         elif image_name.startswith("linux"):
-            only_cmd_arg = "amazon-ebs.ubuntu-18-04"
+            only_cmd_arg = "amazon-ebs.ubuntu"
             path_packer_file = "packer/linux_server/linux_aws.pkr.hcl"
             command = ["packer", "build", "-force", 
                 "-var", "general=" + json.dumps(self.config["general"]), 
@@ -200,7 +200,7 @@ def packer(self, image_name) -> None:
                 "-only=" + only_cmd_arg, path_packer_file]
 
         elif image_name.startswith("zeek"):
-            only_cmd_arg = "amazon-ebs.ubuntu-18-04"
+            only_cmd_arg = "amazon-ebs.ubuntu"
             path_packer_file = "packer/zeek_server/zeek_aws.pkr.hcl"
             command = ["packer", "build", "-force", 
                 "-var", "general=" + json.dumps(self.config["general"]), 

modules/configuration.py

@@ -53,7 +53,7 @@ def create_key_pair_aws(region):
     epoch_time = str(int(time.time()))
     ssh_key_name = getpass.getuser() + "-" + epoch_time[-5:] + ".key"
     # create ssh keys
-    response = client.create_key_pair(KeyName=str(ssh_key_name)[:-4])
+    response = client.create_key_pair(KeyType='ed25519', KeyName=str(ssh_key_name)[:-4])
     with open(ssh_key_name, "w") as ssh_key:
         ssh_key.write(response['KeyMaterial'])
     os.chmod(ssh_key_name, 0o600)
@@ -387,7 +387,7 @@ def new(config):
             if configuration['general']['cloud_provider'] == "aws":
                 configuration['aws']['region'] = answers['region']
             else:
-                configuration['azure']['region'] = answers['region']
+                configuration['azure']['location'] = answers['region']
         else:
             if configuration['general']['cloud_provider'] == "aws":
                 configuration['aws']['region'] = 'eu-central-1'

packer/ansible/linux_server.yml

@@ -9,4 +9,6 @@
     - role: linux_osquery
       when: use_prebuilt_images_with_packer == "0"
     - role: linux_sysmon
+      when: use_prebuilt_images_with_packer == "0"
+    - role: linux_install_art
       when: use_prebuilt_images_with_packer == "0"

packer/ansible/roles/guacamole/tasks/guacamole_client.yml

@@ -8,11 +8,11 @@
 
 - name: Download Guacamole Client
   get_url:
-    url: https://archive.apache.org/dist/guacamole/1.5.0/binary/guacamole-1.5.0.war
-    dest: /tmp/guacamole-1.5.0.war
+    url: https://archive.apache.org/dist/guacamole/1.5.2/binary/guacamole-1.5.2.war
+    dest: /tmp/guacamole-1.5.2.war
 
 - name: Move .war
-  copy: remote_src=True src=/tmp/guacamole-1.5.0.war dest=/etc/guacamole/guacamole.war
+  copy: remote_src=True src=/tmp/guacamole-1.5.2.war dest=/etc/guacamole/guacamole.war
 
 - name: link guacamole.war
   shell:

packer/ansible/roles/guacamole/tasks/guacamole_server.yml

@@ -2,13 +2,13 @@
 
 - name: Download Guacamole
   get_url: 
-    url: https://archive.apache.org/dist/guacamole/1.5.0/source/guacamole-server-1.5.0.tar.gz
-    dest: /tmp/guacamole-server-1.5.0.tar.gz
+    url: https://archive.apache.org/dist/guacamole/1.5.2/source/guacamole-server-1.5.2.tar.gz
+    dest: /tmp/guacamole-server-1.5.2.tar.gz
 
 - name: Extract the source tarball after download
   shell:
     cmd: |
-      tar -xzf /tmp/guacamole-server-1.5.0.tar.gz -C /tmp/
+      tar -xzf /tmp/guacamole-server-1.5.2.tar.gz -C /tmp/
 
 - name: Configure and install Guacamole
   shell:
@@ -17,7 +17,7 @@
       make
       sudo make install
       sudo ldconfig
-    chdir: /tmp/guacamole-server-1.5.0
+    chdir: /tmp/guacamole-server-1.5.2
 
 - name: System daemon reload
   become: true

packer/ansible/roles/linux_common/tasks/main.yml

@@ -3,3 +3,4 @@
 - include: update_packages.yml
 - include: disable-dnssec.yml
 - include: disable-autoupgrade.yml
+- include: update_sshd_config.yml

packer/ansible/roles/linux_common/tasks/update_sshd_config.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Configure sshd
+  lineinfile:
+    path: "/etc/ssh/sshd_config"
+    line: "{{item.key}} {{item.value}}"
+  loop:
+    - { key: "HostKeyAlgorithms", value: "+ssh-rsa" }
+    - { key: "PubkeyAcceptedKeyTypes", value: "+ssh-rsa" }
+
+- name: Restart SSHd
+  become: true
+  service:
+    name: sshd
+    state: restarted

packer/ansible/roles/linux_install_art/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Run Atomic Red Team
+  become: true
+  shell: |
+    pwsh -Command 'IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicsfolder.ps1 -UseBasicParsing); 
+    Install-AtomicsFolder -Force; 
+    IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1); 
+    Install-AtomicRedTeam -Force'
+  register: output_art
+
+- debug:
+    var: output_art.stdout_lines

packer/ansible/roles/linux_osquery/files/osquery_install.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $OSQUERY_KEY
-sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
+sudo add-apt-repository --yes 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
 sudo apt-get update
 sudo apt-get install osquery

packer/ansible/roles/linux_osquery/tasks/main.yml

@@ -5,4 +5,4 @@
 
 - name: restart splunk
   become: true
-  command: "/opt/splunkforwarder/bin/splunk restart"
+  command: "systemctl restart SplunkForwarder"

packer/ansible/roles/linux_sysmon/tasks/main.yml

@@ -5,4 +5,4 @@
 
 - name: restart splunk
   become: true
-  command: "/opt/splunkforwarder/bin/splunk restart"
+  command: "systemctl restart SplunkForwarder"

packer/ansible/roles/osquery_linux/files/osquery_install.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $OSQUERY_KEY
-sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
+sudo add-apt-repository --yes 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
 sudo apt-get update
 sudo apt-get install osquery

packer/ansible/roles/windows_install_attack_simulation/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Enable strong dotnet crypto
+  win_regedit:
+    key: "{{ item }}"
+    value: SchUseStrongCrypto
+    datatype: dword
+    data: 1
+  with_items:
+    - "HKLM:\\SOFTWARE\\Microsoft\\.NetFramework\\v4.0.30319"
+    - "HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\.NetFramework\\v4.0.30319"
+
+- name: Check installed providers
+  win_shell: Get-PackageProvider -ListAvailable
+  register: providers
+
+- name: Install NuGet Provider
+  win_shell: |
+    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
+  when: providers.stdout is not search("NuGet")
+
+- name: Install Atomic Red Team
+  win_shell: |
+    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2
+    IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1)
+    Install-AtomicRedTeam -Force
+    IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicsfolder.ps1' -UseBasicParsing)
+    Install-AtomicsFolder -Force -RepoOwner "{{ atomic_red_team_repo }}" -Branch "{{ atomic_red_team_branch }}"
+  register: install_art
+
+- debug:
+    var: install_art
+
+- name: Download Latest PurpleSharp Binary
+  win_shell: |
+    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls, [Net.SecurityProtocolType]::Tls11, [Net.SecurityProtocolType]::Tls12, [Net.SecurityProtocolType]::Ssl3
+    [Net.ServicePointManager]::SecurityProtocol = 'Tls, Tls11, Tls12, Ssl3'
+    If (-not (Test-Path c:\Tools\PurpleSharp)) { New-Item -Path c:\Tools\ -Name PurpleSharp -ItemType directory }
+    $tag = (Invoke-WebRequest 'https://api.github.com/repos/mvelazc0/PurpleSharp/releases' -UseBasicParsing | ConvertFrom-Json)[0].tag_name
+    $purplesharpDownloadUrl = 'https://github.com/mvelazc0/PurpleSharp/releases/download/' + $tag + '/PurpleSharp_x64.exe'
+    If (-not (Test-Path c:\Tools\PurpleSharp\PurpleSharp.exe)) { Invoke-WebRequest -Uri $purplesharpDownloadUrl -OutFile c:\Tools\PurpleSharp\PurpleSharp.exe }
+  

packer/ansible/windows.yml

@@ -9,6 +9,8 @@
     - role: windows_universal_forwarder
       when: use_prebuilt_images_with_packer == "0"
     - role: windows_aurora_agent
-      when: use_prebuilt_images_with_packer == "0"
+      when: (use_prebuilt_images_with_packer == "0") and (aurora_agent == "1")
     - role: sysmon
       when: use_prebuilt_images_with_packer == "0"
+    - role: windows_install_attack_simulation
+      when: use_prebuilt_images_with_packer == "0"      

packer/linux_server/linux_aws.pkr.hcl

@@ -31,15 +31,15 @@ variable "splunk_server" {
 
 data "amazon-ami" "ubuntu-ami" {
   filters = {
-    name                = "*ubuntu-focal-20.04-amd64-server-*"
+    name                = "*ubuntu-jammy-22.04-amd64-server-*"
     root-device-type    = "ebs"
     virtualization-type = "hvm"
   }
   most_recent = true
   owners      = ["099720109477"]
 }
 
-source "amazon-ebs" "ubuntu-18-04" {
+source "amazon-ebs" "ubuntu" {
   ami_name              = "linux-v${replace(var.general.version, ".", "-")}"
   region                = var.aws.region
   instance_type         = "t3.xlarge"
@@ -56,13 +56,14 @@ source "amazon-ebs" "ubuntu-18-04" {
 build {
 
   sources = [
-    "source.amazon-ebs.ubuntu-18-04"
+    "source.amazon-ebs.ubuntu"
   ]
 
   provisioner "ansible" {
-    extra_arguments = ["--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"]
+    extra_arguments = ["--scp-extra-args", "'-O'", "--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"]
     playbook_file   = "packer/ansible/linux_server.yml"
     user            = "ubuntu"
+    ansible_ssh_extra_args = ["-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"]
   }
 
 }

packer/nginx_server/nginx_aws.pkr.hcl

@@ -32,7 +32,7 @@ variable "splunk_server" {
 
 data "amazon-ami" "nginx-ami" {
   filters = {
-    name                = "*ubuntu-bionic-18.04-amd64-server-*"
+    name                = "*ubuntu-jammy-22.04-amd64-server-*"
     root-device-type    = "ebs"
     virtualization-type = "hvm"
   }
@@ -61,9 +61,10 @@ build {
   ]
 
   provisioner "ansible" {
-    extra_arguments = ["--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"]
+    extra_arguments = ["--scp-extra-args", "'-O'", "--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"]
     playbook_file   = "packer/ansible/nginx_web_proxy.yml"
     user            = "ubuntu"
+    ansible_ssh_extra_args = ["-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"]
   }
 
 }

packer/splunk_server/splunk_aws.pkr.hcl

@@ -32,15 +32,15 @@ variable "splunk_server" {
 
 data "amazon-ami" "ubuntu-ami" {
   filters = {
-    name                = "*ubuntu-focal-20.04-amd64-server-*"
+    name                = "*ubuntu-jammy-22.04-amd64-server-*"
     root-device-type    = "ebs"
     virtualization-type = "hvm"
   }
   most_recent = true
   owners      = ["099720109477"]
 }
 
-source "amazon-ebs" "splunk-ubuntu-18-04" {
+source "amazon-ebs" "splunk-ubuntu" {
   ami_name              = "splunk-v${replace(var.general.version, ".", "-")}"
   region = var.aws.region
   instance_type         = "t3.2xlarge"
@@ -58,13 +58,14 @@ source "amazon-ebs" "splunk-ubuntu-18-04" {
 build {
 
   sources = [
-    "source.amazon-ebs.splunk-ubuntu-18-04"
+    "source.amazon-ebs.splunk-ubuntu"
   ]
 
   provisioner "ansible" {
-    extra_arguments = ["--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"]
+    extra_arguments = ["--scp-extra-args", "'-O'", "--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"]
     playbook_file   = "packer/ansible/splunk_server.yml"
     user            = "ubuntu"
+    ansible_ssh_extra_args = ["-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"]
   }
 
 }

packer/zeek_server/zeek_aws.pkr.hcl

@@ -39,7 +39,7 @@ data "amazon-ami" "ubuntu-ami" {
   owners      = ["099720109477"]
 }
 
-source "amazon-ebs" "ubuntu-18-04" {
+source "amazon-ebs" "ubuntu" {
   ami_name              = "zeek-v${replace(var.general.version, ".", "-")}"
   region = var.aws.region
   instance_type         = "t3.xlarge"
@@ -56,13 +56,14 @@ source "amazon-ebs" "ubuntu-18-04" {
 build {
 
   sources = [
-    "source.amazon-ebs.ubuntu-18-04"
+    "source.amazon-ebs.ubuntu"
   ]
 
   provisioner "ansible" {
-    extra_arguments = ["--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"]
+    extra_arguments = ["--scp-extra-args", "'-O'", "--extra-vars", "${join(" ", [for key, value in var.splunk_server : "${key}=\"${value}\""])} ${join(" ", [for key, value in var.general : "${key}=\"${value}\""])}"]
     playbook_file   = "packer/ansible/zeek.yml"
     user            = "ubuntu"
+    ansible_ssh_extra_args = ["-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"]
   }
 
 }

terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml

@@ -12,6 +12,6 @@
   shell: '/opt/splunkforwarder/bin/splunk set servername {{ hostname }} -auth admin:{{ attack_range_password }}'
   become: yes
 
-- name: Restart Splunk
-  shell: '/opt/splunkforwarder/bin/splunk restart'
-  become: yes
+- name: restart splunk
+  become: true
+  command: "systemctl restart SplunkForwarder"