From c417becef22a4f17538da81e907f5a6d28676b2c Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Wed, 28 Jun 2023 12:38:39 +0200
Subject: [PATCH] Improvements
---
 .../windows_common/tasks/advanced_logging.yml | 143 ++++++++++++++++++
 .../tasks/windows-create-domain.yml | 19 +++
 .../files/profile.ps1 | 3 +
 .../tasks/main.yml | 8 +-
 4 files changed, 170 insertions(+), 3 deletions(-)
 create mode 100644 packer/ansible/roles/windows_common/tasks/advanced_logging.yml
 create mode 100644 terraform/ansible/roles/windows_install_attack_simulation/files/profile.ps1
diff --git a/packer/ansible/roles/windows_common/tasks/advanced_logging.yml b/packer/ansible/roles/windows_common/tasks/advanced_logging.yml
new file mode 100644
index 00000000..c6301657
--- /dev/null
+++ b/packer/ansible/roles/windows_common/tasks/advanced_logging.yml
@@ -0,0 +1,143 @@
+- name: Enable Windows Security Logging "Account Logon"
+ win_audit_policy_system:
+ subcategory: Credential Validation
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Logon"
+ win_audit_policy_system:
+ subcategory: Kerberos Authentication Service
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Logon"
+ win_audit_policy_system:
+ subcategory: Kerberos Service Ticket Operations
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Management"
+ win_audit_policy_system:
+ subcategory: User Account Management
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Management"
+ win_audit_policy_system:
+ subcategory: Security Group Management
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Management"
+ win_audit_policy_system:
+ subcategory: Distribution Group Management
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Account Management"
+ win_audit_policy_system:
+ subcategory: Computer Account Management
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Detailed Tracking"
+ win_audit_policy_system:
+ subcategory: Process Creation
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Detailed Tracking"
+ win_audit_policy_system:
+ subcategory: Process Termination
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Detailed Tracking"
+ win_audit_policy_system:
+ subcategory: Directory Service Access
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Logon Logoff"
+ win_audit_policy_system:
+ subcategory: Account Lockout
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Logon Logoff"
+ win_audit_policy_system:
+ subcategory: Logoff
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Logon Logoff"
+ win_audit_policy_system:
+ subcategory: Logon
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Logon Logoff"
+ win_audit_policy_system:
+ subcategory: Special Logon
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+ win_audit_policy_system:
+ subcategory: Detailed File Share
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+ win_audit_policy_system:
+ subcategory: File Share
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+ win_audit_policy_system:
+ subcategory: Filtering Platform Connection
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+ win_audit_policy_system:
+ subcategory: Kernel Object
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+ win_audit_policy_system:
+ subcategory: Other Object Access Events
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+ win_audit_policy_system:
+ subcategory: Registry
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+ win_audit_policy_system:
+ subcategory: Removable Storage
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Object Access"
+ win_audit_policy_system:
+ subcategory: SAM
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "Privilege Use"
+ win_audit_policy_system:
+ subcategory: Sensitive Privilege Use
+ audit_type: success, failure
+
+
+- name: Enable Windows Security Logging "System"
+ win_audit_policy_system:
+ subcategory: Security State Change
+ audit_type: success, failure
+
\ No newline at end of file
diff --git a/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml b/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml
index b52050b2..711cae6b 100644
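Review bot: `Process Creation` auditing is switched on in this hunk, but 4688 events will not carry the command line unless `ProcessCreationIncludeCmdLine_Enabled` is also set, and that field is what most detections built on a lab like this key on; the commit does not set it, even though the DC hunk in the same patch already takes the registry route for the Kerberos `LogLevel`. A `win_regedit` task for that value belongs directly under the Process Creation task (see below). Two smaller points: the task names repeat the category rather than the subcategory (four tasks are literally named `Enable Windows Security Logging "Account Management"`), so Ansible's output cannot tell them apart, and `Directory Service Access` is filed under a "Detailed Tracking" name although it belongs to the DS Access category — `- name: Enable Windows Security Logging "DS Access" - Directory Service Access`. It is also worth a comment in the file that success auditing of `Filtering Platform Connection`, `Kernel Object`, `Registry` and `Other Object Access Events` is very high volume, so the Security log maximum size should be raised in the same role or events will wrap before they are shipped; I cannot see from this diff whether the role does that, or where this new file is included from.
```yaml
# … unchanged: Process Creation audit task above …
- name: Include command line in Process Creation (4688) events
  win_regedit:
    path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
    name: ProcessCreationIncludeCmdLine_Enabled
    data: 1
    type: dword
```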
--- a/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml
+++ b/terraform/ansible/roles/create_domain_controller/tasks/windows-create-domain.yml
@@ -55,3 +55,22 @@
 safe_mode_password: "{{ attack_range_password }}"
 state: "domain_controller"
 register: _windows_domain_controller
+
+# - name: Enable Windows Security Logging "Account Logon"
+# win_audit_policy_system:
+# subcategory: Kerberos Authentication Service
+# audit_type: success, failure
+
+# - name: Enable Windows Security Logging "Account Logon"
+# win_audit_policy_system:
+# subcategory: Kerberos Service Ticket Operations
+# audit_type: success, failure
+
+- name: Enable Kerberos LogLevel
+ win_shell: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v “LogLevel” /t REG_DWORD /d 1
+
+- name: Enable Kerberos Authentication Service Logging
+ win_shell: auditpol /set /category:"Account Logon" /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
+
+- name: Enable Kerberos Service Ticket Operations Logging
+ win_shell: auditpol /set /category:"Account Logon" /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
\ No newline at end of file
diff --git a/terraform/ansible/roles/windows_install_attack_simulation/files/profile.ps1 b/terraform/ansible/roles/windows_install_attack_simulation/files/profile.ps1
new file mode 100644
index 00000000..5851fed9
--- /dev/null
+++ b/terraform/ansible/roles/windows_install_attack_simulation/files/profile.ps1
@@ -0,0 +1,3 @@
+
+Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
+$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics"}
\ No newline at end of file
diff --git a/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml b/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml
index f1acbf91..fcd4062b 100644
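Review bot: The `reg add` in the "Enable Kerberos LogLevel" task has no `/f`, so on any re-run of the role, once `LogLevel` already exists, reg.exe asks "overwrite (Yes/No)?" and under WinRM the task either hangs waiting for input or fails instead of overwriting. The value name is also wrapped in typographic quotes (`“LogLevel”`), which PowerShell happens to accept as string delimiters but which will break silently if the task is ever moved to `win_command` or cmd. The idempotent form is `win_regedit: { path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters', name: LogLevel, data: 1, type: dword }`; failing that, at least `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel" /t REG_DWORD /d 1 /f`. The two `auditpol` shell tasks will likewise report changed on every run (`changed_when: false` fixes the report), and the commented-out `win_audit_policy_system` versions above them should be deleted rather than kept — if the module did not work on the DC, a one-line comment saying why is more useful than dead YAML.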
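Review bot: This file is installed as the all-users, all-hosts profile (the `main.yml` hunk copies it to `C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1`), so every 64-bit PowerShell session on the host — elevated sessions, scheduled tasks and the WinRM sessions that run later Ansible tasks — unconditionally executes `Import-Module … -Force` from `C:\AtomicRedTeam`. If the Atomics install failed or the folder is later removed, every subsequent `win_shell` task inherits a profile error, and if `C:\AtomicRedTeam` is writable by non-administrators it becomes a direct way to run code in every administrator's session; in an attack range that may be intended, but the import should at least be guarded and the expected ACL stated in a comment. The assignment to `$PSDefaultParameterValues` also replaces the whole hashtable rather than adding one key, discarding any defaults a user had set. Suggested body below; the `Test-Path` guard leaves Invoke-AtomicTest working exactly as before whenever the module is present.
```powershell
$atomicModule = 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1'
if (Test-Path $atomicModule) {
    Import-Module $atomicModule -Force
    $PSDefaultParameterValues['Invoke-AtomicTest:PathToAtomicsFolder'] = 'C:\AtomicRedTeam\atomics'
}
```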
--- a/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml
+++ b/terraform/ansible/roles/windows_install_attack_simulation/tasks/main.yml
@@ -28,8 +28,10 @@
 Install-AtomicsFolder -Force -RepoOwner "{{ atomic_red_team_repo }}" -Branch "{{ atomic_red_team_branch }}"
 register: install_art
-- debug:
- var: install_art
+- name: copy default powershell profile
+ win_copy:
+ src: profile.ps1
+ dest: C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
 - name: Download Latest PurpleSharp Binary
 win_shell: |
@@ -39,4 +41,4 @@
 $tag = (Invoke-WebRequest 'https://api.github.com/repos/mvelazc0/PurpleSharp/releases' -UseBasicParsing | ConvertFrom-Json)[0].tag_name
 $purplesharpDownloadUrl = 'https://github.com/mvelazc0/PurpleSharp/releases/download/' + $tag + '/PurpleSharp_x64.exe'
 If (-not (Test-Path c:\Tools\PurpleSharp\PurpleSharp.exe)) { Invoke-WebRequest -Uri $purplesharpDownloadUrl -OutFile c:\Tools\PurpleSharp\PurpleSharp.exe }
-
\ No newline at end of file
+
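Review bot: The new `win_copy` task overwrites `C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1` — the AllUsersAllHosts profile — without preserving whatever was there, and from that point on every PowerShell task in the play, including the PurpleSharp download right below it, runs with that profile sourced; a broken module path in the profile therefore surfaces as failures in unrelated later tasks. `backup: yes` on the task keeps the previous profile, and the dependency deserves a comment on the task such as `# AllUsersAllHosts profile: sourced by every later PowerShell session, including win_shell tasks`. Note that the 32-bit host (`SysWOW64\WindowsPowerShell\v1.0\profile.ps1`) is not covered, which is probably fine but worth saying. The removed `debug` of `install_art` was the only visibility into the Atomics install result; if a failed `Install-AtomicsFolder` should stop the play, a `failed_when` on `install_art` would replace it — I cannot tell from this hunk whether the preceding `win_shell` already fails on a PowerShell error.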