Merge pull request splunk#816 from splunk/improvements_features

Improvements
Zeik0s · Jun 28, 2023 · 8c4838a · 8c4838a
2 parents 98e8b75 + dc6f146
commit 8c4838a
Show file tree

Hide file tree

Showing 4 changed files with 170 additions and 3 deletions.
diff --git a/packer/ansible/roles/windows_common/tasks/advanced_logging.yml b/packer/ansible/roles/windows_common/tasks/advanced_logging.yml
@@ -0,0 +1,143 @@
+- name: Enable Windows Security Logging "Account Logon"
+  win_audit_policy_system:
+    subcategory: Credential Validation
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Logon"
+  win_audit_policy_system:
+    subcategory: Kerberos Authentication Service
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Logon"
+  win_audit_policy_system:
+    subcategory: Kerberos Service Ticket Operations
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Management"
+  win_audit_policy_system:
+    subcategory: User Account Management
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Management"
+  win_audit_policy_system:
+    subcategory: Security Group Management
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Management"
+  win_audit_policy_system:
+    subcategory: Distribution Group Management
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Management"
+  win_audit_policy_system:
+    subcategory: Computer Account Management
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Detailed Tracking"
+  win_audit_policy_system:
+    subcategory: Process Creation
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Detailed Tracking"
+  win_audit_policy_system:
+    subcategory: Process Termination
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Detailed Tracking"
+  win_audit_policy_system:
+    subcategory: Directory Service Access
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Logon Logoff"
+  win_audit_policy_system:
+    subcategory: Account Lockout
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Logon Logoff"
+  win_audit_policy_system:
+    subcategory: Logoff
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Logon Logoff"
+  win_audit_policy_system:
+    subcategory: Logon
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Logon Logoff"
+  win_audit_policy_system:
+    subcategory: Special Logon
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+  win_audit_policy_system:
+    subcategory: Detailed File Share
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+  win_audit_policy_system:
+    subcategory: File Share
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+  win_audit_policy_system:
+    subcategory: Filtering Platform Connection
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+  win_audit_policy_system:
+    subcategory: Kernel Object
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+  win_audit_policy_system:
+    subcategory: Other Object Access Events
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+  win_audit_policy_system:
+    subcategory: Registry
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+  win_audit_policy_system:
+    subcategory: Removable Storage
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+  win_audit_policy_system:
+    subcategory: SAM
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Privilege Use"
+  win_audit_policy_system:
+    subcategory: Sensitive Privilege Use
+    audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "System"
+  win_audit_policy_system:
+    subcategory: Security State Change
+    audit_type: success, failure
+
diff --git a/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml b/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml
@@ -55,3 +55,22 @@
     safe_mode_password: "{{ attack_range_password }}"
     state: "domain_controller"
   register: _windows_domain_controller
+
+# - name: Enable Windows Security Logging "Account Logon"
+#   win_audit_policy_system:
+#     subcategory: Kerberos Authentication Service
+#     audit_type: success, failure
+
+# - name: Enable Windows Security Logging "Account Logon"
+#   win_audit_policy_system:
+#     subcategory: Kerberos Service Ticket Operations
+#     audit_type: success, failure
+
+- name: Enable Kerberos LogLevel
+  win_shell: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v “LogLevel” /t REG_DWORD /d 1
+
+- name: Enable Kerberos Authentication Service Logging
+  win_shell: auditpol /set /category:"Account Logon" /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
+
+- name: Enable Kerberos Service Ticket Operations Logging
+  win_shell: auditpol /set /category:"Account Logon" /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
diff --git a/terraform/ansible/roles/windows_install_attack_simulation/files/profile.ps1 b/terraform/ansible/roles/windows_install_attack_simulation/files/profile.ps1
@@ -0,0 +1,3 @@
+
+Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force 
+$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics"}
diff --git a/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml b/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml
@@ -28,8 +28,10 @@
     Install-AtomicsFolder -Force -RepoOwner "{{ atomic_red_team_repo }}" -Branch "{{ atomic_red_team_branch }}"
   register: install_art
 
-- debug:
-    var: install_art
+- name: copy default powershell profile
+  win_copy:
+    src: profile.ps1
+    dest: C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
 
 - name: Download Latest PurpleSharp Binary
   win_shell: |
@@ -39,4 +41,4 @@
     $tag = (Invoke-WebRequest 'https://api.github.com/repos/mvelazc0/PurpleSharp/releases' -UseBasicParsing | ConvertFrom-Json)[0].tag_name
     $purplesharpDownloadUrl = 'https://github.com/mvelazc0/PurpleSharp/releases/download/' + $tag + '/PurpleSharp_x64.exe'
     If (-not (Test-Path c:\Tools\PurpleSharp\PurpleSharp.exe)) { Invoke-WebRequest -Uri $purplesharpDownloadUrl -OutFile c:\Tools\PurpleSharp\PurpleSharp.exe }
-  
+