From b59e12a61000dca9003007f8eaee3b39ec75e212 Mon Sep 17 00:00:00 2001 
From: P4T12ICK Date: Mon, 31 Jul 2023 14:15:04 +0200 Subject: [PATCH] AR local improvements --- modules/vagrant_controller.py | 2 + packer/ansible/roles/guacamole/tasks/main.yml | 6 +- .../roles/linux_osquery/tasks/main.yml | 10 ++- .../roles/linux_prelude_agent/tasks/main.yml | 4 -- .../ansible/roles/linux_sysmon/tasks/main.yml | 10 ++- .../files/outputs.conf | 5 -- .../tasks/install_universal_forwarder.yml | 12 +++- .../templates/outputs.conf.j2 | 9 +++ .../roles/nginx_web_proxy/tasks/main.yml | 2 +- .../roles/osquery_linux/tasks/main.yml | 10 ++- .../splunk_server/templates/outputs.conf.j2 | 20 ------ .../ansible/roles/sysmon_linux/tasks/main.yml | 2 +- .../windows_common/tasks/install_choco.yml | 7 +++ .../roles/windows_common/tasks/main.yml | 2 + .../tasks/configure_outputs.yml | 6 +- .../templates/outputs.conf.j2 | 9 +++ .../roles/zeek_sensor/tasks/splunkuf.yml | 2 +- .../guacamole/tasks/guacamole_server_post.yml | 7 +++ .../ansible/roles/guacamole/tasks/main.yml | 3 +- .../templates/user-mapping-local.xml | 62 +++++++++++++++++++ .../roles/join_domain/tasks/create_local.yml | 27 ++++++++ .../ansible/roles/join_domain/tasks/main.yaml | 5 +- .../tasks/install_local.yml | 9 ++- .../roles/linux_agent_prelude/tasks/main.yml | 5 +- .../tasks/change_splunk_password.yml | 10 ++- .../roles/splunk_byo_linux/tasks/config.yml | 2 +- .../roles/splunk_server_post/tasks/main.yml | 5 +- .../tasks/phantom_server_configure_local.yml | 43 +++++++++++++ .../tasks/install_local.yml | 31 ++++++++++ .../windows_agent_prelude/tasks/main.yml | 2 +- vagrant/linux_server/Vagrantfile | 10 ++- vagrant/splunk_server/Vagrantfile | 5 +- vagrant/windows_server/Vagrantfile | 5 +- 33 files changed, 281 insertions(+), 68 deletions(-) delete mode 100644 packer/ansible/roles/linux_prelude_agent/tasks/main.yml delete mode 100644 packer/ansible/roles/linux_universal_forwarder/files/outputs.conf create mode 100644 packer/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2 delete mode 
100644 packer/ansible/roles/splunk_server/templates/outputs.conf.j2 create mode 100644 packer/ansible/roles/windows_common/tasks/install_choco.yml create mode 100644 packer/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2 create mode 100644 terraform/ansible/roles/guacamole/templates/user-mapping-local.xml create mode 100644 terraform/ansible/roles/join_domain/tasks/create_local.yml rename packer/ansible/roles/linux_prelude_agent/tasks/install.yml => terraform/ansible/roles/linux_agent_prelude/tasks/install_local.yml (59%) create mode 100644 terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure_local.yml create mode 100644 terraform/ansible/roles/windows_agent_prelude/tasks/install_local.yml diff --git a/modules/vagrant_controller.py b/modules/vagrant_controller.py index 43cb1cb1..37db45e6 100644 --- a/modules/vagrant_controller.py +++ b/modules/vagrant_controller.py @@ -19,6 +19,7 @@ def __init__(self, config: dict): super().__init__(config) def build(self) -> None: + self.logger.info("[action] > build\n") vagrantfile = 'Vagrant.configure("2") do |config| \n \n' 
@@ -115,6 +116,7 @@ def show(self) -> None: messages.append("\nAccess Splunk via:\n\tWeb > https://localhost:8000\n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password']) else: messages.append("\nAccess Splunk via:\n\tWeb > http://localhost:8000\n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password']) + messages.append("\nAccess Guacamole via:\n\tWeb > http://localhost:8080/guacamole" + "\n\tusername: Admin \n\tpassword: " + self.config['general']['attack_range_password']) elif status.name.startswith("ar-phantom"): messages.append("\nAccess Phantom via:\n\tWeb > https://localhost:443 \n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password']) elif status.name.startswith("ar-win"): diff --git a/packer/ansible/roles/guacamole/tasks/main.yml b/packer/ansible/roles/guacamole/tasks/main.yml index 53d00952..2c92e7b6 100644 --- a/packer/ansible/roles/guacamole/tasks/main.yml +++ b/packer/ansible/roles/guacamole/tasks/main.yml @@ -1,10 +1,6 @@ --- - include: install_packages.yml - when: cloud_provider != "local" - include: setup_tomcat.yml - when: cloud_provider != "local" - include: guacamole_server.yml - when: cloud_provider != "local" -- include: guacamole_client.yml - when: cloud_provider != "local" \ No newline at end of file +- include: guacamole_client.yml \ No newline at end of file diff --git a/packer/ansible/roles/linux_osquery/tasks/main.yml b/packer/ansible/roles/linux_osquery/tasks/main.yml index 2b3c4a98..ed70762f 100644 --- a/packer/ansible/roles/linux_osquery/tasks/main.yml +++ b/packer/ansible/roles/linux_osquery/tasks/main.yml 
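Review bot: The added Guacamole line builds its message by concatenating two string literals and a config lookup with `+`, which is harder to read than the f-string form the rest of the file could also use: `messages.append(f"\nAccess Guacamole via:\n\tWeb > http://localhost:8080/guacamole\n\tusername: Admin \n\tpassword: {self.config['general']['attack_range_password']}")`. Note that this prints the range password to the console like the surrounding Splunk/Phantom lines do, so anyone capturing `show` output gets it. The message is only reachable under the `ar-splunk` branch, which matches the 8080 forward the splunk_server Vagrantfile adds; the body of `show` starts and ends outside the hunk.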
@@ -3,6 +3,12 @@ - include: install_osquery_linux.yml - include: collect_osquery_logs.yml -- name: restart splunk +- name: Restart splunk uf become: true - command: "systemctl restart SplunkForwarder" \ No newline at end of file + command: "systemctl restart SplunkForwarder" + when: cloud_provider != "local" + +- name: Restart splunk uf + become: true + command: "/opt/splunkforwarder/bin/splunk restart" + when: cloud_provider == "local" \ No newline at end of file diff --git a/packer/ansible/roles/linux_prelude_agent/tasks/main.yml b/packer/ansible/roles/linux_prelude_agent/tasks/main.yml deleted file mode 100644 index 9289c8da..00000000 --- a/packer/ansible/roles/linux_prelude_agent/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -- include: install.yml - when: prelude == "1" diff --git a/packer/ansible/roles/linux_sysmon/tasks/main.yml b/packer/ansible/roles/linux_sysmon/tasks/main.yml index 8081ff30..55442f60 100644 --- a/packer/ansible/roles/linux_sysmon/tasks/main.yml +++ b/packer/ansible/roles/linux_sysmon/tasks/main.yml @@ -3,6 +3,12 @@ - include: install_sysmon_linux.yml - include: configure_inputs.yml -- name: restart splunk +- name: Restart splunk uf become: true - command: "systemctl restart SplunkForwarder" \ No newline at end of file + command: "systemctl restart SplunkForwarder" + when: cloud_provider != "local" + +- name: Restart splunk uf + become: true + command: "/opt/splunkforwarder/bin/splunk restart" + when: cloud_provider == "local" \ No newline at end of file diff --git a/packer/ansible/roles/linux_universal_forwarder/files/outputs.conf b/packer/ansible/roles/linux_universal_forwarder/files/outputs.conf deleted file mode 100644 index a715bf78..00000000 --- a/packer/ansible/roles/linux_universal_forwarder/files/outputs.conf +++ /dev/null @@ -1,5 +0,0 @@ -[tcpout] -defaultGroup=my_indexers - -[tcpout:my_indexers] -server=10.0.1.12:9997 \ No newline at end of file 
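Review bot: The two new tasks share the name `Restart splunk uf` and differ only in complementary `when` clauses, so the play output cannot tell which one ran and the intent is spread over two blocks; the same pattern appears in linux_sysmon/tasks/main.yml, osquery_linux/tasks/main.yml and linux_server_post/tasks/change_splunk_password.yml in this patch. A single task with a conditional command keeps one name and one restart point: `command: "{{ 'systemctl restart SplunkForwarder' if cloud_provider != 'local' else '/opt/splunkforwarder/bin/splunk restart' }}"`. Longer term a `notify` handler would avoid repeating the restart in every role. Why the local provider needs `splunk restart` instead of the systemd unit is not stated anywhere in the patch; a one-line comment on the task would save the next reader the archaeology.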
diff --git a/packer/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml b/packer/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml index 2ef4862f..ef1cd4a4 100644 --- a/packer/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml +++ b/packer/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml @@ -27,8 +27,8 @@ when: splunk_path.stat.exists == false - name: copy outputs.conf to forward data to splunk server - copy: - src: outputs.conf + template: + src: outputs.conf.j2 dest: /opt/splunkforwarder/etc/system/local/outputs.conf owner: splunk group: splunk @@ -44,7 +44,13 @@ - name: setup to start at boot become: true - command: "/opt/splunkforwarder/bin/splunk enable boot-start -user splunk" + command: "/opt/splunkforwarder/bin/splunk enable boot-start" + when: cloud_provider != "local" + +- name: setup to start at boot + become: true + command: "/opt/splunkforwarder/bin/splunk enable boot-start" + when: cloud_provider == "local" - name: Start splunk uf become: true diff --git a/packer/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2 b/packer/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2 new file mode 100644 index 00000000..4ec01efe --- /dev/null +++ b/packer/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2 @@ -0,0 +1,9 @@ +[tcpout] +defaultGroup=my_indexers + +[tcpout:my_indexers] +{% if cloud_provider == 'local' %} +server=192.168.56.12:9997 +{%- else -%} +server=10.0.1.12:9997 +{%- endif %} \ No newline at end of file diff --git a/packer/ansible/roles/nginx_web_proxy/tasks/main.yml b/packer/ansible/roles/nginx_web_proxy/tasks/main.yml index 1cf1599d..8cc64293 100644 --- a/packer/ansible/roles/nginx_web_proxy/tasks/main.yml +++ b/packer/ansible/roles/nginx_web_proxy/tasks/main.yml 
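Review bot: Both `setup to start at boot` tasks now run the identical `/opt/splunkforwarder/bin/splunk enable boot-start`, so the split on `cloud_provider` adds nothing, and the removal of `-user splunk` means the forwarder's boot-time service is enabled for root rather than the `splunk` account that the earlier copy task already makes owner of outputs.conf. Unless running the forwarder as root on the local images is intended, keep one task with the account restored: `command: "/opt/splunkforwarder/bin/splunk enable boot-start -user splunk"`. If the local build really needs a different invocation, the difference should be visible in the command, not only in the `when`.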
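Review bot: The indexer address is hard-coded per provider in this template, duplicated byte-for-byte in windows_universal_forwarder/templates/outputs.conf.j2, and the same `192.168.56.12` literal is repeated in the two prelude install_local.yml files, where the renamed Linux file previously used `{{ splunk_indexer_ip }}`. Setting `splunk_indexer_ip` once per provider and rendering `server={{ splunk_indexer_ip }}:9997` would keep a single point of change when the Vagrant address plan moves again, as it just did from 10.0.1.x to 192.168.56.x. The template relies on Ansible's default `trim_blocks` for the `{%- else -%}` / `{%- endif %}` layout to produce one `server=` line; a short `#jinja2:` header or comment noting that would help anyone rendering it elsewhere.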
@@ -7,7 +7,7 @@ - name: restart splunk become: true - command: "/opt/splunkforwarder/bin/splunk restart" + command: "systemctl restart SplunkForwarder" - name: restart nginx again become: true diff --git a/packer/ansible/roles/osquery_linux/tasks/main.yml b/packer/ansible/roles/osquery_linux/tasks/main.yml index 32e01275..4c8f7139 100644 --- a/packer/ansible/roles/osquery_linux/tasks/main.yml +++ b/packer/ansible/roles/osquery_linux/tasks/main.yml @@ -6,6 +6,12 @@ - include: collect_osquery_logs.yml -- name: restart splunk +- name: Restart splunk uf become: true - command: "/opt/splunkforwarder/bin/splunk restart" \ No newline at end of file + command: "systemctl restart SplunkForwarder" + when: cloud_provider != "local" + +- name: Restart splunk uf + become: true + command: "/opt/splunkforwarder/bin/splunk restart" + when: cloud_provider == "local" \ No newline at end of file diff --git a/packer/ansible/roles/splunk_server/templates/outputs.conf.j2 b/packer/ansible/roles/splunk_server/templates/outputs.conf.j2 deleted file mode 100644 index 50f466ff..00000000 --- a/packer/ansible/roles/splunk_server/templates/outputs.conf.j2 +++ /dev/null @@ -1,20 +0,0 @@ -#jinja2: trim_blocks:False -[indexAndForward] -index = true - -[tcpout] -defaultGroup={%- if install_dsp -%}dsp{% endif %} -indexAndForward = true - -{% if install_dsp %} -[tcpout:dsp] -server={% for ip in nodes -%}{{ip}}:9997{% if not loop.last -%},{% endif -%}{% endfor%} -disabled= False -dropClonedEventsOnQueueFull = 0s -dropEventsOnQueueFull = 0s -clientCert=/opt/splunk/etc/apps/dsp_outputs_app/client.pem -sslRootCAPath=/opt/splunk/etc/apps/dsp_outputs_app/DigiCertGlobalRootCA.pem -sslVerifyServerCert=true -useACK=true -indexAndForward = true -{% endif %} diff --git a/packer/ansible/roles/sysmon_linux/tasks/main.yml b/packer/ansible/roles/sysmon_linux/tasks/main.yml index 806a78a8..d2f053f1 100644 --- a/packer/ansible/roles/sysmon_linux/tasks/main.yml +++ b/packer/ansible/roles/sysmon_linux/tasks/main.yml 
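Review bot: This role now restarts the forwarder with `systemctl restart SplunkForwarder` unconditionally, while linux_osquery, linux_sysmon and osquery_linux in the same patch fall back to `/opt/splunkforwarder/bin/splunk restart` when `cloud_provider == "local"`. If the local images lack the systemd unit, which appears to be the reason for that fallback, this task and the identical changes in sysmon_linux/tasks/main.yml, zeek_sensor/tasks/splunkuf.yml and splunk_byo_linux/tasks/config.yml will fail on the local provider; if they do not, the fallback in the other roles is unnecessary. Either way the roles should agree, for example by using the same conditional command everywhere.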
@@ -7,4 +7,4 @@ - name: restart splunk become: true - command: "/opt/splunkforwarder/bin/splunk restart" \ No newline at end of file + command: "systemctl restart SplunkForwarder" \ No newline at end of file diff --git a/packer/ansible/roles/windows_common/tasks/install_choco.yml b/packer/ansible/roles/windows_common/tasks/install_choco.yml new file mode 100644 index 00000000..c7867ee1 --- /dev/null +++ b/packer/ansible/roles/windows_common/tasks/install_choco.yml @@ -0,0 +1,7 @@ +--- + +- name: install Chocolatey CLI v1.4.0 + win_chocolatey: + name: 'chocolatey' + state: present + version: '1.4.0' diff --git a/packer/ansible/roles/windows_common/tasks/main.yml b/packer/ansible/roles/windows_common/tasks/main.yml index c4db2fb8..4f7b0bb5 100644 --- a/packer/ansible/roles/windows_common/tasks/main.yml +++ b/packer/ansible/roles/windows_common/tasks/main.yml @@ -3,6 +3,8 @@ - include: windows-disable-defender.yml - include: windows-enable-ps-logging.yml - include: windows-enable-4688-cmd-line-audit.yml +- include: install_choco.yml + when: cloud_provider == "local" - include: install_app_chocolatey.yml with_items: - "firefox" diff --git a/packer/ansible/roles/windows_universal_forwarder/tasks/configure_outputs.yml b/packer/ansible/roles/windows_universal_forwarder/tasks/configure_outputs.yml index 5bc60278..82536ec4 100644 --- a/packer/ansible/roles/windows_universal_forwarder/tasks/configure_outputs.yml +++ b/packer/ansible/roles/windows_universal_forwarder/tasks/configure_outputs.yml @@ -6,7 +6,7 @@ with_items: - 'C:\Program Files\SplunkUniversalForwarder\etc\apps\win_outputs_app\local' -- name: Copy an outputs.conf using templating - win_copy: - src: outputs.conf +- name: Copy an outputs.conf + win_template: + src: outputs.conf.j2 dest: C:\Program Files\SplunkUniversalForwarder\etc\apps\win_outputs_app\local\outputs.conf 
diff --git a/packer/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2 b/packer/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2 new file mode 100644 index 00000000..4ec01efe --- /dev/null +++ b/packer/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2 @@ -0,0 +1,9 @@ +[tcpout] +defaultGroup=my_indexers + +[tcpout:my_indexers] +{% if cloud_provider == 'local' %} +server=192.168.56.12:9997 +{%- else -%} +server=10.0.1.12:9997 +{%- endif %} \ No newline at end of file diff --git a/packer/ansible/roles/zeek_sensor/tasks/splunkuf.yml b/packer/ansible/roles/zeek_sensor/tasks/splunkuf.yml index 0c28e7d9..1da20fa4 100644 --- a/packer/ansible/roles/zeek_sensor/tasks/splunkuf.yml +++ b/packer/ansible/roles/zeek_sensor/tasks/splunkuf.yml @@ -10,4 +10,4 @@ - name: restart splunkuf become: true - command: "/opt/splunkforwarder/bin/splunk restart" + command: "systemctl restart SplunkForwarder" diff --git a/terraform/ansible/roles/guacamole/tasks/guacamole_server_post.yml b/terraform/ansible/roles/guacamole/tasks/guacamole_server_post.yml index b65ba1ac..acb23f7e 100644 --- a/terraform/ansible/roles/guacamole/tasks/guacamole_server_post.yml +++ b/terraform/ansible/roles/guacamole/tasks/guacamole_server_post.yml @@ -26,6 +26,13 @@ template: src: user-mapping.xml dest: /etc/guacamole/user-mapping.xml + when: cloud_provider != "local" + +- name: Copy user-mapping-local.xml + template: + src: user-mapping-local.xml + dest: /etc/guacamole/user-mapping.xml + when: cloud_provider == "local" - name: Restart guacd and tomcat shell: diff --git a/terraform/ansible/roles/guacamole/tasks/main.yml b/terraform/ansible/roles/guacamole/tasks/main.yml index c1f8793a..c8271b5a 100644 --- a/terraform/ansible/roles/guacamole/tasks/main.yml +++ b/terraform/ansible/roles/guacamole/tasks/main.yml 
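Review bot: Neither template task sets `owner`/`mode` on `/etc/guacamole/user-mapping.xml`, and the new local template writes the RDP `{{attack_range_password}}` and SSH credentials into it in clear text, so the file is created with the default umask-derived permissions. Add `mode: '0600'` and the account guacd/tomcat runs as (`owner: <guacamole-service-user>` as a placeholder) to both tasks. The two tasks could also collapse into one with `src: "{{ 'user-mapping-local.xml' if cloud_provider == 'local' else 'user-mapping.xml' }}"`, which removes the duplicated `dest` and the complementary `when` pair.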
@@ -1,4 +1,3 @@ --- -- include: guacamole_server_post.yml - when: cloud_provider != "local" \ No newline at end of file +- include: guacamole_server_post.yml \ No newline at end of file diff --git a/terraform/ansible/roles/guacamole/templates/user-mapping-local.xml b/terraform/ansible/roles/guacamole/templates/user-mapping-local.xml new file mode 100644 index 00000000..db2241e7 --- /dev/null +++ b/terraform/ansible/roles/guacamole/templates/user-mapping-local.xml @@ -0,0 +1,62 @@ + + + + + ssh + localhost + 22 + vagrant + vagrant + + + {% if phantom_server == '1' %} + + ssh + 192.168.56.13 + 22 + vagrant + vagrant + + {% endif %} + + {% for server in range(windows_servers_count) %} + + rdp + 192.168.56.{{loop.index-1+14}} + 3389 + {% if cloud_provider == 'azure' %} + AzureAdmin + {% else %} + Administrator + {% endif %} + {{attack_range_password}} + true + + {% endfor %} + + {% for server in range(linux_servers_count) %} + + ssh + 192.168.56.{{loop.index-1+21}} + 22 + vagrant + vagrant + + {% endfor %} + + {% if kali_server == '1' %} + + ssh + 192.168.56.30 + 22 + vagrant + vagrant + + {% endif %} + + + + \ No newline at end of file diff --git a/terraform/ansible/roles/join_domain/tasks/create_local.yml b/terraform/ansible/roles/join_domain/tasks/create_local.yml new file mode 100644 index 00000000..af17cd08 --- /dev/null +++ b/terraform/ansible/roles/join_domain/tasks/create_local.yml 
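Review bot: The `{% if cloud_provider == 'azure' %} AzureAdmin {% else %} Administrator {% endif %}` branch in the Windows loop is dead code, because this template is only rendered when `cloud_provider == "local"` (see the `when` on the copy task); the RDP username can simply be `Administrator`, matching the `net user Administrator` provisioning in the Windows Vagrantfile. The address plan (`.12`, `.13`, `loop.index-1+14`, `loop.index-1+21`, `.30`) repeats the `14 + count` / `21 + count` offsets from the Vagrantfiles by hand, so the two will silently diverge on the next renumbering; a shared variable would be safer. The XML element tags appear to have been stripped in this rendering of the hunk, so the element structure itself could not be checked here.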
@@ -0,0 +1,27 @@ +--- + +- name: Change dns server to domain controller + win_dns_client: + adapter_names: "{{ ansible_interfaces.0.connection_name }}" + ipv4_addresses: "192.168.56.14" + +- name: reboot | Rebooting Server + win_reboot: + +- name: Copy join domain script to host + win_copy: + src: "join_domain.ps1" + dest: 'C:\join_domain.ps1' + +- name: Run join domain + win_shell: "C:\\join_domain.ps1 attackrange.local {{ ansible_user }}@attackrange.local {{ attack_range_password }}" + register: win_shell_output + retries: 20 + delay: 60 + until: win_shell_output.stderr == "" + +- debug: + var: win_shell_output + +- name: reboot | Rebooting Server + win_reboot: diff --git a/terraform/ansible/roles/join_domain/tasks/main.yaml b/terraform/ansible/roles/join_domain/tasks/main.yaml index 72e4d8ad..0fb72143 100644 --- a/terraform/ansible/roles/join_domain/tasks/main.yaml +++ b/terraform/ansible/roles/join_domain/tasks/main.yaml @@ -1,6 +1,9 @@ - include: create.yml - when: join_domain == "1" + when: join_domain == "1" and cloud_provider != "local" + +- include: create_local.yml + when: join_domain == "1" and cloud_provider == "local" - include: windows-disable-firewall.yml when: join_domain == "1" \ No newline at end of file diff --git a/packer/ansible/roles/linux_prelude_agent/tasks/install.yml b/terraform/ansible/roles/linux_agent_prelude/tasks/install_local.yml similarity index 59% rename from packer/ansible/roles/linux_prelude_agent/tasks/install.yml rename to terraform/ansible/roles/linux_agent_prelude/tasks/install_local.yml index 096f5316..78f701f7 100644 --- a/packer/ansible/roles/linux_prelude_agent/tasks/install.yml +++ b/terraform/ansible/roles/linux_agent_prelude/tasks/install_local.yml 
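Review bot: The `Run join domain` task passes `{{ attack_range_password }}` as a command-line argument to join_domain.ps1, and the following `debug: var: win_shell_output` dumps the registered result, which for `win_shell` includes the command, into the playbook log. Because windows_common enables 4688 command-line auditing on these hosts, the password is also likely to land in the Security event log that the forwarder ships to Splunk. Add `no_log: true` to the `win_shell` task and drop the debug task or reduce it to `var: win_shell_output.rc`; passing the password via an environment variable or a file the script reads would keep it out of the command line entirely. The DNS task hard-codes `192.168.56.14`, which assumes the domain controller is always the first Windows server (`14 + count` with count 0) — worth a comment on the task.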
@@ -3,19 +3,18 @@ - name: Wait for redirector to be ready wait_for: port: 2323 - host: "{{ splunk_indexer_ip }}" + host: "192.168.56.12" connect_timeout: 30 delay: 60 timeout: 900 - name: Download Prelude Pneuma from headless Operator get_url: - url: http://{{ splunk_indexer_ip }}:3391/payloads/pneuma/v1.5/pneuma-linux + url: http://192.168.56.12:3391/payloads/pneuma/v1.6/pneuma-linux dest: /opt/prelude-pneuma mode: 755 - name: Start Prelude Pneuma and Connect to headless Operator - shell: /opt/prelude-pneuma -name "$(hostname)" -address {{ splunk_indexer_ip }}:2323 & + shell: /opt/prelude-pneuma -name "$(hostname)" -address 192.168.56.12:2323 & async: 10 - poll: 0 - + poll: 0 \ No newline at end of file diff --git a/terraform/ansible/roles/linux_agent_prelude/tasks/main.yml b/terraform/ansible/roles/linux_agent_prelude/tasks/main.yml index a7b7780f..dd87e583 100644 --- a/terraform/ansible/roles/linux_agent_prelude/tasks/main.yml +++ b/terraform/ansible/roles/linux_agent_prelude/tasks/main.yml @@ -1,4 +1,7 @@ --- - include: install.yml - when: prelude == "1" \ No newline at end of file + when: prelude == "1" and cloud_provider!='local' + +- include: install_local.yml + when: prelude == "1" and cloud_provider=='local' \ No newline at end of file diff --git a/terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml b/terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml index 01f009aa..9abea806 100644 --- a/terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml +++ b/terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml 
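Review bot: The renamed file keeps `mode: 755` unquoted, which YAML parses as the integer 755 rather than the octal 0755 Ansible expects; Ansible warns about this and applies a different permission set, so it should be `mode: '0755'`. The download is plain `http` with no `checksum:` on `get_url`, which is acceptable for a lab-internal Operator endpoint but means a swapped binary would be installed and started as-is; a comment on the task stating that assumption would help. The Windows counterpart (windows_agent_prelude/tasks/install_local.yml) has the same unverified download.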
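Review bot: The new conditions are written as `cloud_provider!='local'` and `cloud_provider=='local'`, while every other role in this patch writes `cloud_provider != "local"` and splunk_server_post/tasks/main.yml writes `not cloud_provider == "local"`; three spellings of the same test make grepping for provider-specific branches unreliable. Normalise to `when: prelude == "1" and cloud_provider != "local"` and `when: prelude == "1" and cloud_provider == "local"` here, and to `!=` in splunk_server_post.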
@@ -12,6 +12,12 @@ shell: '/opt/splunkforwarder/bin/splunk set servername {{ hostname }} -auth admin:{{ attack_range_password }}' become: yes -- name: restart splunk +- name: Restart splunk uf become: true - command: "systemctl restart SplunkForwarder" \ No newline at end of file + command: "systemctl restart SplunkForwarder" + when: cloud_provider != "local" + +- name: Restart splunk uf + become: true + command: "/opt/splunkforwarder/bin/splunk restart" + when: cloud_provider == "local" \ No newline at end of file diff --git a/terraform/ansible/roles/splunk_byo_linux/tasks/config.yml b/terraform/ansible/roles/splunk_byo_linux/tasks/config.yml index f93bb09d..56e7ea51 100644 --- a/terraform/ansible/roles/splunk_byo_linux/tasks/config.yml +++ b/terraform/ansible/roles/splunk_byo_linux/tasks/config.yml @@ -10,4 +10,4 @@ - name: restart splunk become: true - command: "/opt/splunkforwarder/bin/splunk restart" \ No newline at end of file + command: "systemctl restart SplunkForwarder" \ No newline at end of file diff --git a/terraform/ansible/roles/splunk_server_post/tasks/main.yml b/terraform/ansible/roles/splunk_server_post/tasks/main.yml index 42f0eb29..e21f6478 100644 --- a/terraform/ansible/roles/splunk_server_post/tasks/main.yml +++ b/terraform/ansible/roles/splunk_server_post/tasks/main.yml @@ -3,7 +3,10 @@ - include: change_splunk_password.yml - include: phantom_server_configure.yml - when: phantom_server == "1" + when: phantom_server == "1" and not cloud_provider == "local" + +- include: phantom_server_configure_local.yml + when: phantom_server == "1" and cloud_provider == "local" - include: install_enterprise_security.yml when: install_es == "1" diff --git a/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure_local.yml b/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure_local.yml new file mode 100644 index 00000000..7c96e4e9 --- /dev/null 
+++ b/terraform/ansible/roles/splunk_server_post/tasks/phantom_server_configure_local.yml 
@@ -0,0 +1,43 @@ +--- + +- name: fetch phantom api token version 5.x + uri: + url: https://192.168.56.13:8443/rest/ph_user/2/token + method: GET + user: admin + password: "{{ attack_range_password }}" + force_basic_auth: yes + validate_certs: no + register: api_token_5 + until: api_token_5.status == 200 + retries: 25 + delay: 60 + when: phantom_app | regex_search("splunk_soar-unpriv-5") + +- name: Connect Splunk Phantom App with Phantom v5 + shell: curl -k -u "admin:{{ attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_5.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json + register: shell_output + when: phantom_app | regex_search("splunk_soar-unpriv-5") + +- name: fetch phantom api token + uri: + url: https://192.168.56.13:8443/rest/ph_user/2/token + method: GET + user: soar_local_admin + password: "{{ attack_range_password }}" + force_basic_auth: yes + validate_certs: no + register: api_token_6 + until: api_token_6.status == 200 + retries: 25 + delay: 60 + when: phantom_app | regex_search("splunk_soar-unpriv-6") + +- name: Connect Splunk Phantom App with Phantom v6 + shell: curl -k -u "admin:{{ attack_range_password }}" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"{{ api_token_6.json.key | replace("=","%3D") | replace("+","%2B") }}","server":"https://10.0.1.13:8443","custom_name":"phantom","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json + register: shell_output + when: phantom_app | 
regex_search("splunk_soar-unpriv-6") + +- name: restart splunk + service: name=splunk state=restarted + become: yes \ No newline at end of file diff --git a/terraform/ansible/roles/windows_agent_prelude/tasks/install_local.yml b/terraform/ansible/roles/windows_agent_prelude/tasks/install_local.yml new file mode 100644 index 00000000..01f0da9d --- /dev/null +++ b/terraform/ansible/roles/windows_agent_prelude/tasks/install_local.yml @@ -0,0 +1,31 @@ +--- + +- name: Wait for redirector to be ready + win_wait_for: + port: 2323 + host: "192.168.56.12" + connect_timeout: 30 + delay: 60 + timeout: 900 + +- name: Download Prelude Pneuma from headless Operator + win_get_url: + url: "http://192.168.56.12:3391/payloads/pneuma/v1.6/pneuma-windows.exe" + dest: c:\pneuma-windows.exe + +- name: Create a task to Start Prelude Pneuma on boot + win_scheduled_task: + name: Pneuma + description: Start Pneuma on boot + actions: + - path: C:\pneuma-windows.exe + arguments: "-name {{ ansible_hostname }} -address 192.168.56.12:2323" + triggers: + - type: boot + username: SYSTEM + run_level: highest + state: present + +- name: Start Prelude Pneuma and Connect to headless Operator + win_shell: Start-Process -FilePath c:\pneuma-windows.exe -ArgumentList "-name $env:COMPUTERNAME -address 192.168.56.12" + \ No newline at end of file diff --git a/terraform/ansible/roles/windows_agent_prelude/tasks/main.yml b/terraform/ansible/roles/windows_agent_prelude/tasks/main.yml index a7b7780f..ac9772e2 100644 --- a/terraform/ansible/roles/windows_agent_prelude/tasks/main.yml +++ b/terraform/ansible/roles/windows_agent_prelude/tasks/main.yml @@ -1,4 +1,4 @@ --- - include: install.yml - when: prelude == "1" \ No newline at end of file + when: prelude == "1" \ No newline at end of file diff --git a/vagrant/linux_server/Vagrantfile b/vagrant/linux_server/Vagrantfile index 37a9c817..79571d57 100644 --- a/vagrant/linux_server/Vagrantfile +++ b/vagrant/linux_server/Vagrantfile 
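Review bot: Both `Connect Splunk Phantom App` tasks fetch the token from `https://192.168.56.13:8443` but then register the Phantom server in the Splunk app as `"server":"https://10.0.1.13:8443"`, which is the non-local address, so on the local provider the app will be configured against a host that does not exist on the 192.168.56.0/24 network; change both payloads to `"server":"https://192.168.56.13:8443"`. The curl invocations also put `admin:{{ attack_range_password }}` and the freshly issued API token on the command line, where they are visible in process listings and in the task's registered `cmd`; the `uri` module with `body_format: json`, `user`/`password`, and `no_log: true` would keep both out of the logs, and the same applies to the two token-fetch tasks that register the key. The v5 token task authenticates as `admin` while the v6 one uses `soar_local_admin`; if that is deliberate, a comment saying so would stop the next reader from "fixing" it.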
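Review bot: The final `win_shell` starts pneuma with `-address 192.168.56.12` while the scheduled task created just above passes `-address 192.168.56.12:2323`, so the immediate start and the boot-time start point at different endpoints; the one-off launch should read `-ArgumentList "-name $env:COMPUTERNAME -address 192.168.56.12:2323"`. The scheduled task runs the agent as `SYSTEM` with `run_level: highest` from a binary fetched over plain http without a `checksum:`, which is a deliberate lab choice but deserves a one-line comment on the task so the privilege level is not copied unreflectively elsewhere. The file also ends with a stray indented blank line after the last task.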
@@ -1,9 +1,10 @@
 config.vm.define "ar-linux-{{config.general.key_name}}-{{config.general.attack_range_name}}-{{count}}" do |config|
- config.vm.box = "generic/ubuntu2004"
+ config.vm.box = "bento/ubuntu-22.04"
 config.vm.hostname = "{{ server.hostname }}"
 config.vm.boot_timeout = 600
- config.vm.network :private_network, ip: "10.0.1.{{21 + count}}"
+ config.vm.network :private_network, ip: "192.168.56.{{21 + count}}"
 config.vm.network "forwarded_port", guest: 22, host: {{ 2022 + count }}
+ config.vm.synced_folder '.', '/vagrant', disabled: true
 config.vm.provision "ansible" do |ansible|
 ansible.playbook = "../packer/ansible/linux_server.yml"
@@ -12,7 +13,10 @@ config.vm.define "ar-linux-{{config.general.key_name}}-{{config.general.attack_r
 ansible_python_interpreter: "/usr/bin/python3",
 splunk_admin_password: 'Pl3ase-k1Ll-me:p',
 use_prebuilt_images_with_packer: '0',
- splunk_uf_url: 'https://download.splunk.com/products/universalforwarder/releases/8.2.5/linux/splunkforwarder-8.2.5-77015bc7a462-linux-2.6-amd64.deb'
+ splunk_uf_url: 'https://download.splunk.com/products/universalforwarder/releases/8.2.5/linux/splunkforwarder-8.2.5-77015bc7a462-linux-2.6-amd64.deb',
+{% for key, value in config.general.items() %}
+ {{ key }}: "{{ value }}",
+{% endfor %}
 }
 end
diff --git a/vagrant/splunk_server/Vagrantfile b/vagrant/splunk_server/Vagrantfile
index f3229e64..6b3ed1e1 100644
--- a/vagrant/splunk_server/Vagrantfile
+++ b/vagrant/splunk_server/Vagrantfile
@@ -5,7 +5,8 @@ config.vm.define "ar-splunk-{{config.general.key_name}}-{{config.general.attack_
 config.vm.boot_timeout = 600
 config.vm.network "forwarded_port", guest: 8000, host: 8000, protocol: "tcp"
 config.vm.network "forwarded_port", guest: 8089, host: 8089, protocol: "tcp"
- config.vm.network :private_network, ip: "10.0.1.12"
+ config.vm.network "forwarded_port", guest: 8080, host: 8080, protocol: "tcp"
+ config.vm.network :private_network, ip: "192.168.56.12"
 config.vm.provision "ansible" do |ansible|
 ansible.playbook = "../packer/ansible/splunk_server.yml"
@@ -29,6 +30,8 @@ config.vm.define "ar-splunk-{{config.general.key_name}}-{{config.general.attack_
 ansible.compatibility_mode = "2.0"
 ansible.extra_vars = {
 ansible_python_interpreter: "/usr/bin/python3",
+ windows_servers_count: {{ config.windows_servers|length }},
+ linux_servers_count: {{ config.linux_servers|length }},
 {% for key, value in config.general.items() %}
 {{ key }}: "{{ value }}",
 {% endfor %}
diff --git a/vagrant/windows_server/Vagrantfile b/vagrant/windows_server/Vagrantfile
index adf8b1b1..bdf4c12d 100644
--- a/vagrant/windows_server/Vagrantfile
+++ b/vagrant/windows_server/Vagrantfile
@@ -9,7 +9,7 @@ config.vm.define "ar-win-{{config.general.key_name}}-{{config.general.attack_ran
 config.winrm.retry_limit = 20
 config.vm.network "forwarded_port", guest: 5985, host: {{ 5985 + count }}
 config.vm.network "forwarded_port", guest: 3389, host: {{ 5389 + count }}
- config.vm.network :private_network, ip: "10.0.1.{{ 14 + count }}"
+ config.vm.network :private_network, ip: "192.168.56.{{ 14 + count }}"
 config.vm.synced_folder '.', '/vagrant', disabled: true
 config.vm.provision "shell", inline: "net user Administrator {{ config.general.attack_range_password }}"
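Review bot: The new `forwarded_port` for 8080 (Guacamole) is declared without `host_ip`, as are the existing 8000 and 8089 forwards; unless your Vagrant version binds NAT forwards to loopback by default, the web UI that the new user-mapping template fills with clear-text credentials becomes reachable from any interface of the host. Pinning it is one token: `config.vm.network "forwarded_port", guest: 8080, host: 8080, host_ip: "127.0.0.1", protocol: "tcp"`. The second hunk passes `windows_servers_count` and `linux_servers_count` as raw integers while every `config.general` value is quoted; that matters for the template's `range(...)` calls, and a comment noting that these must stay unquoted would prevent a well-meant "consistency" change from breaking the loops.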
@@ -22,6 +22,9 @@ config.vm.define "ar-win-{{config.general.key_name}}-{{config.general.attack_ran
 splunk_uf_win_url: 'https://download.splunk.com/products/universalforwarder/releases/8.2.5/windows/splunkforwarder-8.2.5-77015bc7a462-x64-release.msi',
 win_password: 'Pl3ase-k1Ll-me:p',
 use_prebuilt_images_with_packer: '0',
+{% for key, value in config.general.items() %}
+ {{ key }}: "{{ value }}",
+{% endfor %}
 {% for key, value in server.items() %}
 {{ key }}: "{{ value }}",
 {% endfor %}