diff --git a/Packer/sandbox.json b/Packer/sandbox.json
index 223f1a3..47f21dd 100644
--- a/Packer/sandbox.json
+++ b/Packer/sandbox.json
@@ -1,104 +1,104 @@
-{
- "variables": {
- "iso_checksum": "27e4feb9102f7f2b21ebdb364587902a70842fb550204019d1a14b120918e455",
- "iso_checksum_type": "sha256",
- "iso_url": "https://software-download.microsoft.com/download/pr/17134.1.180410-1804.rs4_release_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso",
- "autounattend": "./answer_files/10/Autounattend.xml",
- "disk_size": "61440"
- },
- "builders": [
- {
- "type": "virtualbox-iso",
- "vm_name": "sandbox",
- "communicator": "winrm",
- "iso_url": "{{user `iso_url`}}",
- "iso_checksum_type": "{{user `iso_checksum_type`}}",
- "iso_checksum": "{{user `iso_checksum`}}",
- "headless": false,
- "boot_wait": "6m",
- "boot_command": "",
- "winrm_username": "vagrant",
- "winrm_password": "vagrant",
- "winrm_timeout": "4h",
- "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"",
- "guest_os_type": "Windows81_64",
- "guest_additions_mode": "disable",
- "disk_size": "{{user `disk_size`}}",
- "floppy_files": [
- "{{user `autounattend`}}",
- "./floppy/WindowsPowershell.lnk",
- "./floppy/PinTo10.exe",
- "./scripts/fixnetwork.ps1",
- "./scripts/MakeWindows10GreatAgain.ps1",
- "./scripts/MakeWindows10GreatAgain.reg",
- "./scripts/rearm-windows.ps1",
- "./scripts/disable-screensaver.ps1",
- "./scripts/disable-winrm.ps1",
- "./scripts/enable-winrm.ps1",
- "./scripts/microsoft-updates.bat",
- "./scripts/win-updates.ps1",
- "./scripts/oracle-cert.cer"
- ],
- "vboxmanage": [
- [
- "modifyvm",
- "{{.Name}}",
- "--memory",
- "2048"
- ],
- [
- "modifyvm",
- "{{.Name}}",
- "--cpus",
- "2"
- ]
- ]
- }
- ],
- "provisioners": [
- {
- "type": "windows-shell",
- "remote_path": "/tmp/script.bat",
- "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"",
- "scripts": [
- "./scripts/enable-rdp.bat"
- ]
- },
- {
- "type": "powershell",
- "scripts": [
- "./scripts/debloat-windows.ps1",
- "./scripts/rearm-windows.ps1",
- "./scripts/MakeWindows10GreatAgain.ps1"
- ]
- },
- {
- "type": "windows-restart"
- },
- {
- "type": 
"powershell", - "scripts": [ - "./scripts/set-powerplan.ps1", - "./scripts/docker/disable-windows-defender.ps1" - ] - }, - { - "type": "windows-shell", - "remote_path": "/tmp/script.bat", - "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"", - "scripts": [ - "./scripts/pin-powershell.bat", - "./scripts/compile-dotnet-assemblies.bat", - "./scripts/set-winrm-automatic.bat", - "./scripts/compact.bat" - ] - } - ], - "post-processors": [ - { - "type": "vagrant", - "keep_input_artifact": false, - "output": "sandbox_{{.Provider}}.box" - } - ] -} +{ + "builders": [ + { + "boot_command": "", + "boot_wait": "6m", + "communicator": "winrm", + "disk_size": "{{user `disk_size`}}", + "floppy_files": [ + "{{user `autounattend`}}", + "./floppy/WindowsPowershell.lnk", + "./floppy/PinTo10.exe", + "./scripts/fixnetwork.ps1", + "./scripts/MakeWindows10GreatAgain.ps1", + "./scripts/MakeWindows10GreatAgain.reg", + "./scripts/rearm-windows.ps1", + "./scripts/disable-screensaver.ps1", + "./scripts/disable-winrm.ps1", + "./scripts/enable-winrm.ps1", + "./scripts/microsoft-updates.bat", + "./scripts/win-updates.ps1", + "./scripts/oracle-cert.cer" + ], + "guest_additions_mode": "attach", + "guest_os_type": "Windows81_64", + "headless": true, + "iso_checksum": "{{user `iso_checksum_type`}}:{{user `iso_checksum`}}", + "iso_url": "{{user `iso_url`}}", + "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"", + "type": "virtualbox-iso", + "vboxmanage": [ + [ + "modifyvm", + "{{.Name}}", + "--memory", + "8192" + ], + [ + "modifyvm", + "{{.Name}}", + "--cpus", + "2" + ] + ], + "vm_name": "sandbox", + "winrm_password": "vagrant", + "winrm_timeout": "4h", + "winrm_username": "vagrant" + } + ], + "post-processors": [ + { + "keep_input_artifact": false, + "output": "sandbox_{{.Provider}}.box", + "type": "vagrant" + } + ], + "provisioners": [ + { + "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"", + "remote_path": "/tmp/script.bat", + "scripts": [ + 
"./scripts/enable-rdp.bat" + ], + "type": "windows-shell" + }, + { + "scripts": [ + "./scripts/debloat-windows.ps1", + "./scripts/rearm-windows.ps1", + "./scripts/MakeWindows10GreatAgain.ps1" + ], + "type": "powershell" + }, + { + "type": "windows-restart" + }, + { + "scripts": [ + "./scripts/set-powerplan.ps1", + "./scripts/docker/disable-windows-defender.ps1" + ], + "type": "powershell" + }, + { + "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"", + "remote_path": "/tmp/script.bat", + "scripts": [ + "./scripts/pin-powershell.bat", + "./scripts/compile-dotnet-assemblies.bat", + "./scripts/set-winrm-automatic.bat", + "./scripts/compact.bat" + ], + "type": "windows-shell" + } + ], + "variables": { + "autounattend": "./answer_files/10/Autounattend.xml", + "disk_size": "61440", + "iso_checksum": "27e4feb9102f7f2b21ebdb364587902a70842fb550204019d1a14b120918e455", + "iso_checksum_type": "sha256", + "iso_url": "https://software-download.microsoft.com/download/pr/17134.1.180410-1804.rs4_release_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso" + } +} + diff --git a/Packer/scripts/MakeWindows10GreatAgain.ps1 b/Packer/scripts/MakeWindows10GreatAgain.ps1 index 4d4b4b7..c548b6f 100644 --- a/Packer/scripts/MakeWindows10GreatAgain.ps1 +++ b/Packer/scripts/MakeWindows10GreatAgain.ps1 
@@ -14,6 +14,115 @@ c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall Write-Host "Running Update-Help..." Update-Help -Force -ErrorAction SilentlyContinue +Write-Host "Removing bloatware" + Get-AppxPackage "Microsoft.3DBuilder" | Remove-AppxPackage + Get-AppxPackage "Microsoft.AppConnector" | Remove-AppxPackage + Get-AppxPackage "Microsoft.BingFinance" | Remove-AppxPackage + Get-AppxPackage "Microsoft.BingFoodAndDrink" | Remove-AppxPackage + Get-AppxPackage "Microsoft.BingHealthAndFitness" | Remove-AppxPackage + Get-AppxPackage "Microsoft.BingMaps" | Remove-AppxPackage + Get-AppxPackage "Microsoft.BingNews" | Remove-AppxPackage + Get-AppxPackage "Microsoft.BingSports" | Remove-AppxPackage + Get-AppxPackage "Microsoft.BingTranslator" | Remove-AppxPackage + Get-AppxPackage "Microsoft.BingTravel" | Remove-AppxPackage + Get-AppxPackage "Microsoft.BingWeather" | Remove-AppxPackage + Get-AppxPackage "Microsoft.CommsPhone" | Remove-AppxPackage + Get-AppxPackage "Microsoft.ConnectivityStore" | Remove-AppxPackage + Get-AppxPackage "Microsoft.FreshPaint" | Remove-AppxPackage + Get-AppxPackage "Microsoft.GetHelp" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Getstarted" | Remove-AppxPackage + Get-AppxPackage "Microsoft.HelpAndTips" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Media.PlayReadyClient.2" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Messaging" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Microsoft3DViewer" | Remove-AppxPackage + Get-AppxPackage "Microsoft.MicrosoftOfficeHub" | Remove-AppxPackage + Get-AppxPackage "Microsoft.MicrosoftPowerBIForWindows" | Remove-AppxPackage + Get-AppxPackage "Microsoft.MicrosoftSolitaireCollection" | Remove-AppxPackage + Get-AppxPackage "Microsoft.MicrosoftStickyNotes" | Remove-AppxPackage + Get-AppxPackage "Microsoft.MinecraftUWP" | Remove-AppxPackage + Get-AppxPackage "Microsoft.MixedReality.Portal" | Remove-AppxPackage + Get-AppxPackage "Microsoft.MoCamera" | Remove-AppxPackage + Get-AppxPackage 
"Microsoft.MSPaint" | Remove-AppxPackage + Get-AppxPackage "Microsoft.NetworkSpeedTest" | Remove-AppxPackage + Get-AppxPackage "Microsoft.OfficeLens" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Office.OneNote" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Office.Sway" | Remove-AppxPackage + Get-AppxPackage "Microsoft.OneConnect" | Remove-AppxPackage + Get-AppxPackage "Microsoft.People" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Print3D" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Reader" | Remove-AppxPackage + Get-AppxPackage "Microsoft.RemoteDesktop" | Remove-AppxPackage + Get-AppxPackage "Microsoft.SkypeApp" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Todos" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Wallet" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WebMediaExtensions" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Whiteboard" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WindowsAlarms" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WindowsCamera" | Remove-AppxPackage + Get-AppxPackage "microsoft.windowscommunicationsapps" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WindowsFeedbackHub" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WindowsMaps" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WindowsPhone" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Windows.Photos" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WindowsReadingList" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WindowsScan" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WindowsSoundRecorder" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WinJS.1.0" | Remove-AppxPackage + Get-AppxPackage "Microsoft.WinJS.2.0" | Remove-AppxPackage + Get-AppxPackage "Microsoft.YourPhone" | Remove-AppxPackage + Get-AppxPackage "Microsoft.ZuneMusic" | Remove-AppxPackage + Get-AppxPackage "Microsoft.ZuneVideo" | Remove-AppxPackage + Get-AppxPackage "Microsoft.Advertising.Xaml" | Remove-AppxPackage # Dependency for 
microsoft.windowscommunicationsapps, Microsoft.BingWeather
+ Get-AppxPackage "2414FC7A.Viber" | Remove-AppxPackage
+ Get-AppxPackage "41038Axilesoft.ACGMediaPlayer" | Remove-AppxPackage
+ Get-AppxPackage "46928bounde.EclipseManager" | Remove-AppxPackage
+ Get-AppxPackage "4DF9E0F8.Netflix" | Remove-AppxPackage
+ Get-AppxPackage "64885BlueEdge.OneCalendar" | Remove-AppxPackage
+ Get-AppxPackage "7EE7776C.LinkedInforWindows" | Remove-AppxPackage
+ Get-AppxPackage "828B5831.HiddenCityMysteryofShadows" | Remove-AppxPackage
+ Get-AppxPackage "89006A2E.AutodeskSketchBook" | Remove-AppxPackage
+ Get-AppxPackage "9E2F88E3.Twitter" | Remove-AppxPackage
+ Get-AppxPackage "A278AB0D.DisneyMagicKingdoms" | Remove-AppxPackage
+ Get-AppxPackage "A278AB0D.DragonManiaLegends" | Remove-AppxPackage
+ Get-AppxPackage "A278AB0D.MarchofEmpires" | Remove-AppxPackage
+ Get-AppxPackage "ActiproSoftwareLLC.562882FEEB491" | Remove-AppxPackage
+ Get-AppxPackage "AD2F1837.GettingStartedwithWindows8" | Remove-AppxPackage
+ Get-AppxPackage "AD2F1837.HPJumpStart" | Remove-AppxPackage
+ Get-AppxPackage "AD2F1837.HPRegistration" | Remove-AppxPackage
+ Get-AppxPackage "AdobeSystemsIncorporated.AdobePhotoshopExpress" | Remove-AppxPackage
+ Get-AppxPackage "Amazon.com.Amazon" | Remove-AppxPackage
+ Get-AppxPackage "C27EB4BA.DropboxOEM" | Remove-AppxPackage
+ Get-AppxPackage "CAF9E577.Plex" | Remove-AppxPackage
+ Get-AppxPackage "CyberLinkCorp.hs.PowerMediaPlayer14forHPConsumerPC" | Remove-AppxPackage
+ Get-AppxPackage "D52A8D61.FarmVille2CountryEscape" | Remove-AppxPackage
+ Get-AppxPackage "D5EA27B7.Duolingo-LearnLanguagesforFree" | Remove-AppxPackage
+ Get-AppxPackage "DB6EA5DB.CyberLinkMediaSuiteEssentials" | Remove-AppxPackage
+ Get-AppxPackage "DolbyLaboratories.DolbyAccess" | Remove-AppxPackage
+ Get-AppxPackage "Drawboard.DrawboardPDF" | Remove-AppxPackage
+ Get-AppxPackage "Facebook.Facebook" | Remove-AppxPackage
+ Get-AppxPackage "Fitbit.FitbitCoach" | Remove-AppxPackage
+ Get-AppxPackage 
"flaregamesGmbH.RoyalRevolt2" | Remove-AppxPackage + Get-AppxPackage "GAMELOFTSA.Asphalt8Airborne" | Remove-AppxPackage + Get-AppxPackage "KeeperSecurityInc.Keeper" | Remove-AppxPackage + Get-AppxPackage "king.com.BubbleWitch3Saga" | Remove-AppxPackage + Get-AppxPackage "king.com.CandyCrushFriends" | Remove-AppxPackage + Get-AppxPackage "king.com.CandyCrushSaga" | Remove-AppxPackage + Get-AppxPackage "king.com.CandyCrushSodaSaga" | Remove-AppxPackage + Get-AppxPackage "king.com.FarmHeroesSaga" | Remove-AppxPackage + Get-AppxPackage "Nordcurrent.CookingFever" | Remove-AppxPackage + Get-AppxPackage "PandoraMediaInc.29680B314EFC2" | Remove-AppxPackage + Get-AppxPackage "PricelinePartnerNetwork.Booking.comBigsavingsonhot" | Remove-AppxPackage + Get-AppxPackage "SpotifyAB.SpotifyMusic" | Remove-AppxPackage + Get-AppxPackage "ThumbmunkeysLtd.PhototasticCollage" | Remove-AppxPackage + Get-AppxPackage "WinZipComputing.WinZipUniversal" | Remove-AppxPackage + Get-AppxPackage "XINGAG.XING" | Remove-AppxPackage + Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -like "Internet-Explorer-Optional*" } | Disable-WindowsOptionalFeature -Online -NoRestart -WarningAction SilentlyContinue | Out-Null + Get-WindowsCapability -Online | Where-Object { $_.Name -like "Browser.InternetExplorer*" } | Remove-WindowsCapability -Online | Out-Null + If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive")) { + New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" | Out-Null + } + Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC" -Type DWord -Value 1 + Write-Host "Removing Microsoft Store, Mail, and Edge shortcuts from the taskbar..." $appname = "Microsoft Edge" ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true} 
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 4ab0746..38858af 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -1,7 +1,7 @@
 Vagrant.configure("2") do |config|
 config.vm.define "sandbox" do |cfg|
- cfg.vm.box = "boomboxes/sandbox"
+ cfg.vm.box = "../Boxes/sandbox_virtualbox.box"
 cfg.vm.hostname = "sandbox"
 cfg.vm.boot_timeout = 600
 cfg.winrm.transport = :plaintext
@@ -26,12 +26,12 @@ Vagrant.configure("2") do |config|
 cfg.vm.synced_folder ".", "/vagrant", disabled: true
 cfg.vm.provider "virtualbox" do |vb, override|
- vb.gui = true
+ vb.gui = false
 vb.name = "sandbox"
 vb.default_nic_type = "82545EM"
- vb.customize ["modifyvm", :id, "--memory", 4096]
+ vb.customize ["modifyvm", :id, "--memory", 8192]
 vb.customize ["modifyvm", :id, "--cpus", 2]
- vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--vram", "256"]
 vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
 vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
 end
@@ -44,11 +44,11 @@ Vagrant.configure("2") do |config|
 cfg.vm.network :private_network, ip: "192.168.30.100", gateway: "192.168.30.1", dns: "8.8.8.8"
 cfg.vm.provider "virtualbox" do |vb, override|
- vb.gui = true
+ vb.gui = false
 vb.name = "cuckoo"
- vb.customize ["modifyvm", :id, "--memory", 2048]
+ vb.customize ["modifyvm", :id, "--memory", 8192]
 vb.customize ["modifyvm", :id, "--cpus", 2]
- vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--vram", "256"]
 vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
 vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
 vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 4ab442a..f9280fd 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
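Review bot: `cfg.vm.box` now names a local file, `../Boxes/sandbox_virtualbox.box`, but the Packer post-processor in this commit writes `sandbox_{{.Provider}}.box` next to the template, so the path only resolves if a step outside this diff places the artifact under `../Boxes/`; a comment above the line stating that expectation would save the next reader a search, e.g. `# Local box built from Packer/sandbox.json (sandbox_virtualbox.box); it must be placed in ../Boxes before vagrant up`. The same hunk keeps `cfg.winrm.transport = :plaintext` next to the box change, which is acceptable for an isolated lab but deserves a one-line comment saying that is the intent. Both provider blocks and the Packer builder now hard-code `8192` MB, so running `sandbox` and `cuckoo` together needs 16 GB of host memory free — record that where the value is set rather than leaving it implicit in three places. All three hunks are inside the `Vagrant.configure("2")` block, which starts in the first hunk and ends outside them.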
@@ -21,7 +21,15 @@ apt_install_prerequisites() {
 apt-get -qq update
 apt-get -qq install -y apt-fast
 echo "[$(date +%H:%M:%S)]: Running apt-fast install..."
- apt-fast -qq install -y crudini python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb postgresql libpq-dev tcpdump apparmor-utils libcap2-bin libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd samba-common-bin
+ apt-fast -qq install -y gcc crudini python python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb postgresql libpq-dev tcpdump apparmor-utils libcap2-bin libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd samba-common-bin
+ echo "[$(date +%H:%M:%S)]: Updating pip..."
+# pip install --upgrade pip
+
+
+ wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
+ python get-pip.py
+
+
 echo "[$(date +%H:%M:%S)]: Installing and configuring inetsim..."
 echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
 wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
@@ -33,6 +41,8 @@ apt_install_prerequisites() {
 service inetsim restart
 echo "[$(date +%H:%M:%S)]: Installing Supervisor..."
 pip install -U supervisor
+ echo "[$(date +%H:%M:%S)]: Installing python3..."
+ apt-get -qq install -y python3
 }
 configure_prerequisites() {
diff --git a/Vagrant/scripts/disable_internet.ps1 b/Vagrant/scripts/disable_internet.ps1
index 64c3f3d..5fb5555 100644
--- a/Vagrant/scripts/disable_internet.ps1
+++ b/Vagrant/scripts/disable_internet.ps1
@@ -1,2 +1,2 @@
 # Purpose: remove internet access so malware can't reach out to the internet
-Disable-NetAdapter -Name "Ethernet 3" -Confirm:$False
+# Disable-NetAdapter -Name "Ethernet 3" -Confirm:$False
diff --git a/Vagrant/scripts/disable_probing.ps1 b/Vagrant/scripts/disable_probing.ps1
index dfa6e28..0505ca6 100644
--- a/Vagrant/scripts/disable_probing.ps1
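Review bot: `wget https://bootstrap.pypa.io/pip/2.7/get-pip.py` followed by `python get-pip.py` downloads an installer into whatever the current directory is and runs it with no integrity check and no cleanup, and because `python-pip` was dropped from the `apt-fast` line in the same hunk this download is now the only source of pip on the box. Download to a fixed path, verify, then remove: `wget -q -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/2.7/get-pip.py`, `echo "<expected-sha256>  /tmp/get-pip.py" | sha256sum -c - || exit 1`, `python /tmp/get-pip.py && rm -f /tmp/get-pip.py`, filling in the hash of the release that was actually tested. The commented-out `# pip install --upgrade pip` and the four added blank lines are leftovers and should go. The second hunk installs `python3` with plain `apt-get` while the rest of `apt_install_prerequisites` uses `apt-fast`; both hunks sit inside that function, which starts before the first hunk and closes in the second.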
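Review bot: Commenting out `Disable-NetAdapter -Name "Ethernet 3" -Confirm:$False` leaves `disable_internet.ps1` with no effect while its header still says it removes internet access, so the sandbox's network isolation is silently dropped by this commit with nothing visible taking its place. If the adapter is needed for the agent's link to the cuckoo host, the isolation belongs in the VirtualBox network configuration rather than inside the guest, and this file should say that; if the fixed adapter name was the problem, selecting the adapter by property instead of by name is the fix rather than disabling the step. At minimum change the header to `# Purpose: remove internet access so malware can't reach out (DISABLED: isolation must be enforced by the VM network setup instead)` so the intent is not misread.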
+++ b/Vagrant/scripts/disable_probing.ps1
@@ -1,5 +1,3 @@
 # Purpose: Disable internet connectivity probe that displays a pop-up window
 # Purpose: Removing pop-ups caused by inetsim
 reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v EnableActiveProbing /t REG_DWORD /f /d 0
-taskkill /f /im OneDrive.exe
-C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
diff --git a/Vagrant/scripts/enable_rpc.ps1 b/Vagrant/scripts/enable_rpc.ps1
index a30d491..44fa78d 100644
--- a/Vagrant/scripts/enable_rpc.ps1
+++ b/Vagrant/scripts/enable_rpc.ps1
@@ -1,7 +1,6 @@
-# In Windows 7 the following commands can be entered into an Administrative command prompt to enable auto-logon and Remote RPC.
 reg add "hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d vagrant /t REG_SZ /f
 reg add "hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /d vagrant /t REG_SZ /f
 reg add "hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1 /t REG_SZ /f
 reg add "hklm\system\CurrentControlSet\Control\TerminalServer" /v AllowRemoteRPC /d 0x01 /t REG_DWORD /f
-reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /d 0x01 /t REG_DWORD /f
\ No newline at end of file
+reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /d 0x01 /t REG_DWORD /f
diff --git a/Vagrant/scripts/install_agent.ps1 b/Vagrant/scripts/install_agent.ps1
index 0b109de..78074fe 100644
--- a/Vagrant/scripts/install_agent.ps1
+++ b/Vagrant/scripts/install_agent.ps1
@@ -1,5 +1,30 @@
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing legacy cuckoo agent.py to sandbox"
 $agentStartupFolder = "C:\Users\vagrant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
 $cuckooAgent = 'C:\Users\vagrant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spy.pyw'
+# GitHub requires TLS 1.2 as of 2/1/2018
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest https://raw.githubusercontent.com/cuckoosandbox/cuckoo/2.0-rc2/agent/agent.py -o "C:\Users\vagrant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spy.pyw"
 &$cuckooAgent
+
+ Write-Output "Uninstalling OneDrive..."
+ Stop-Process -Name "OneDrive" -Force -ErrorAction SilentlyContinue
+ Start-Sleep -s 2
+ $onedrive = "$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe"
+ If (!(Test-Path $onedrive)) {
+ $onedrive = "$env:SYSTEMROOT\System32\OneDriveSetup.exe"
+ }
+ Start-Process $onedrive "/uninstall" -NoNewWindow -Wait
+ Start-Sleep -s 2
+ Stop-Process -Name "explorer" -Force -ErrorAction SilentlyContinue
+ Start-Sleep -s 2
+ If ((Get-ChildItem -Path "$env:USERPROFILE\OneDrive" -ErrorAction SilentlyContinue | Measure-Object).Count -eq 0) {
+ Remove-Item -Path "$env:USERPROFILE\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue
+ }
+ Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue
+ Remove-Item -Path "$env:PROGRAMDATA\Microsoft OneDrive" -Force -Recurse -ErrorAction SilentlyContinue
+ Remove-Item -Path "$env:SYSTEMDRIVE\OneDriveTemp" -Force -Recurse -ErrorAction SilentlyContinue
+ If (!(Test-Path "HKCR:")) {
+ New-PSDrive -Name "HKCR" -PSProvider "Registry" -Root "HKEY_CLASSES_ROOT" | Out-Null
+ }
+ Remove-Item -Path "HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue
+ Remove-Item -Path "HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue
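Review bot: The OneDrive teardown appended after `&$cuckooAgent` has nothing to do with installing the agent — it is the work this commit deletes from `disable_probing.ps1` — and folding it in here means any failure in those steps is reported under the "Installing legacy cuckoo agent" banner. Move it into its own provisioner script, or at least give the block a header comment stating what it does and what it relies on, e.g. `# Remove OneDrive: uninstall, delete its data/registration, then kill explorer.exe so the shell reloads without the OneDrive extension — confirm explorer restarts on its own in this image`. The added lines are also indented one space while the rest of the file sits at column 0. The new `SecurityProtocol` assignment secures the transport of the `agent.py` download, but the file fetched from `raw.githubusercontent.com` is still executed by `&$cuckooAgent` with no integrity check; if a pinned copy is not an option, that trade-off deserves a comment next to the `Invoke-WebRequest`.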
diff --git a/Vagrant/scripts/install_choco.ps1 b/Vagrant/scripts/install_choco.ps1
index 00dbf9b..c436705 100644
--- a/Vagrant/scripts/install_choco.ps1
+++ b/Vagrant/scripts/install_choco.ps1
@@ -1,24 +1,7 @@
-# Purpose: Install chocolatey to install various windows packages
-# Using TLS1.2
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey"
-$chocoInstall = "C:\ProgramData\chocolatey"
-if (-not(Test-Path $chocoInstall))
-{
- Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
- Write-Host "Chocolatey is now installed"
-}
-else
-{
- Write-Host "Chocolatey is already installed"
-}
+Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
 choco feature enable -n allowGlobalConfirmation
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Adobe Reader"
-choco install adobereader
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Adobe Flash Player"
-choco install flashplayerplugin
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Firefox"
-choco install firefox
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chrome"
-choco install googlechrome
+choco install virtualbox-guest-additions-guest.install
+#Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Adobe Reader"
+#choco install adobereader
+#Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Firefox"
+#choco install firefox
diff --git a/build.sh b/build.sh
index a882422..bf2ea45 100755
--- a/build.sh
+++ b/build.sh
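Review bot: The new one-line installer drops the previous `Test-Path "C:\ProgramData\chocolatey"` guard, so every run of this provisioner now re-downloads and re-evaluates `install.ps1` through `iex` instead of skipping when Chocolatey is already present; re-add the guard around the new line, `if (-not (Test-Path "C:\ProgramData\chocolatey")) { <installer line> } else { Write-Host "Chocolatey is already installed" }`. The download-and-`iex` pattern itself is carried over from the old code, but since the script is fetched from the network on every build, pinning the installer version or verifying the downloaded text before evaluation would make the box reproducible and is worth a comment if it is deliberately left open. The four commented-out `Write-Host`/`choco install` lines for Adobe Reader and Firefox are dead code; delete them or put them behind a documented switch.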
@@ -9,6 +9,11 @@ print_usage() {
 exit 0
 }
+install_deps() {
+ apt-get update ; apt-get -y install vagrant packer ruby
+ gem install winrm ; gem install winrm-elevated
+}
+
 parse_cli_arguments() {
 # If no argument was supplied, list available providers
 if [ "$#" -eq 0 ]; then
@@ -270,7 +275,7 @@ main() {
 DL_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PACKER_ONLY=0
 VAGRANT_ONLY=0
-
+ install_deps
 parse_cli_arguments "$@"
 prereq_checks
diff --git a/revert.sh b/revert.sh
index af7ac11..495ca75 100755
--- a/revert.sh
+++ b/revert.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
+
 (echo >&2 "Powering off virtual machine...")
 $(which vboxmanage) controlvm sandbox poweroff
 sleep 5s
 $(which vboxmanage) snapshot sandbox restorecurrent
 sleep 5s
-$(which vboxmanage) startvm sandbox
+$(which vboxmanage) startvm sandbox --type headless
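Review bot: `install_deps` is called unconditionally at the top of `main()` before `parse_cli_arguments`, so even a usage query now runs `apt-get update` and `gem install`; both need root, which nothing checks, and the `;` separators let a failed `apt-get update` fall straight through to the install. Call it only behind an explicit opt-in (or from `prereq_checks`, after argument parsing), require root, and chain with `&&`, as sketched below. The `packer` this installs is whatever the distro archive carries, which may predate the checksum syntax `Packer/sandbox.json` in this commit now uses, and the two `gem install` lines pull unpinned versions from rubygems as root — a `packer version` check in `prereq_checks` and pinned gem versions would catch both early. `main()` starts and ends outside the second hunk.
```bash
install_deps() {
  # Installs build tooling. Needs root; call it after argument parsing so that
  # usage/help never triggers package installation.
  if [ "$(id -u)" -ne 0 ]; then
    echo "install_deps: must be run as root" >&2
    return 1
  fi
  apt-get update && apt-get -y install vagrant packer ruby || return 1
  gem install winrm winrm-elevated
}
```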