From 4d59639680d77b50fb9d8cb5f2b902a5034ccaff Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 9 Sep 2024 15:42:47 +0200 Subject: [PATCH] EDR Agent Improvements --- configs/attack_range_default.yml | 22 +++++++++++++++++-- scripts/helpers/attack_range_apps.py | 4 ++++ terraform/ansible/linux_server.yml | 3 ++- .../carbon_black_cloud_agent/tasks/main.yml | 4 ---- .../tasks/install.yml | 2 +- .../tasks/main.yml | 4 ++++ .../templates/inputs.conf.j2 | 2 +- .../crowdstrike_falcon_agent/tasks/main.yml | 4 ---- .../tasks/crowdstrike_install.yml | 21 ++++++++++++++++++ .../tasks/main.yml | 4 ++++ .../tasks/crowdstrike_install.yml | 2 +- .../tasks/main.yml | 4 ++++ terraform/ansible/windows.yml | 4 ++-- 13 files changed, 64 insertions(+), 16 deletions(-) delete mode 100644 terraform/ansible/roles/carbon_black_cloud_agent/tasks/main.yml rename terraform/ansible/roles/{carbon_black_cloud_agent => carbon_black_cloud_agent_win}/tasks/install.yml (78%) create mode 100644 terraform/ansible/roles/carbon_black_cloud_agent_win/tasks/main.yml delete mode 100644 terraform/ansible/roles/crowdstrike_falcon_agent/tasks/main.yml create mode 100644 terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/crowdstrike_install.yml create mode 100644 terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/main.yml rename terraform/ansible/roles/{crowdstrike_falcon_agent => crowdstrike_falcon_agent_win}/tasks/crowdstrike_install.yml (77%) create mode 100644 terraform/ansible/roles/crowdstrike_falcon_agent_win/tasks/main.yml diff --git a/configs/attack_range_default.yml b/configs/attack_range_default.yml index 762dc683..31997912 100644 --- a/configs/attack_range_default.yml +++ b/configs/attack_range_default.yml @@ -19,7 +19,6 @@ general: crowdstrike_falcon: "0" # Enable/Disable CrowdStrike Falcon by setting this to 1 or 0. - crowdstrike_agent_name: "WindowsSensor.exe" crowdstrike_customer_ID: "" crowdstrike_logs_region: "" crowdstrike_logs_access_key_id: "" 
@@ -31,7 +30,6 @@ general: carbon_black_cloud: "0" # Enable/Disable VMWare Carbon Black Cloud by setting this to 1 or 0. - carbon_black_cloud_agent_name: "installer_vista_win7_win8-64-3.8.0.627.msi" carbon_black_cloud_company_code: "" carbon_black_cloud_s3_bucket: "" # All these fields are needed to automatically deploy a Carbon Black Agent and ingest Carbon Black logs into the Splunk Server. @@ -142,6 +140,7 @@ splunk_server: - splunk_attack_range_reporting-1.0.9.tar.gz - status-indicator---custom-visualization_150.tgz - ta-for-zeek_108.tgz + - vmware-carbon-black-cloud_210.tgz # List of Splunk Apps to install on the Splunk Server byo_splunk: "0" @@ -198,6 +197,18 @@ windows_servers_default: # Install Bad Blood by setting this to 1 or 0. # More information in chapter Bad Blood under Attack Range Features. + install_crowdstrike: "0" + # Install CrowdStrike Falcon by setting this to 1. + + crowdstrike_windows_agent: "WindowsSensor.exe" + # Name of the CrowdStrike Windows Agent stored in apps/ folder. + + install_carbon_black: "0" + # Install Carbon Black Cloud by setting this to 1. + + carbon_black_windows_agent: "installer_vista_win7_win8-64-4.0.1.1428.msi" + # Name of the Carbon Black Windows Agent stored in apps/ folder. + aurora_agent: "0" # Install Aurora Agent @@ -211,6 +222,13 @@ linux_servers_default: sysmon_config: "SysMonLinux-CatchAll.xml" # Specify a Sysmon config located under configs/ . + install_crowdstrike: "0" + # Install CrowdStrike Falcon by setting this to 1. + + crowdstrike_linux_agent: "falcon-sensor_7.18.0-17106_amd64.deb" + # Name of the CrowdStrike Windows Agent stored in apps/ folder. + + kali_server: kali_server: "0" # Enable Kali Server by setting this to 1. diff --git a/scripts/helpers/attack_range_apps.py b/scripts/helpers/attack_range_apps.py index ef5c22c5..7c26edd5 100644 --- a/scripts/helpers/attack_range_apps.py +++ b/scripts/helpers/attack_range_apps.py 
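Review bot: The new per-host `install_crowdstrike` / `install_carbon_black` keys and `*_windows_agent` filenames replace the `general.crowdstrike_agent_name` / `general.carbon_black_cloud_agent_name` keys this same commit deletes, but nothing in the added comments tells an operator with an existing config that the old keys are now silently ignored and the default installer name is used instead; a one-line migration note here would avoid an unexpected package being installed. The relationship to the surviving `general.crowdstrike_falcon` / `general.carbon_black_cloud` toggles is also undocumented — presumably those now gate only log ingestion, so a host can end up with an agent whose events never reach Splunk, or vice versa; I would extend the comment to `# Install CrowdStrike Falcon on this host by setting this to 1. Set general.crowdstrike_falcon too if its logs should be ingested.` (confirm against the logs roles). The installer is selected from `apps/` purely by filename with no digest; for a privileged EDR package a companion `crowdstrike_windows_agent_sha256` key that the install role verifies would be a cheap supply-chain guard.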
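Review bot: The comment under `crowdstrike_linux_agent` was copied from the Windows block and still reads `Name of the CrowdStrike Windows Agent stored in apps/ folder.`; since the Linux role installs the file with `apt`, it should read `# Name of the CrowdStrike Linux Agent (Debian .deb package) stored in apps/ folder.` so nobody drops an `.rpm` there and gets an opaque apt failure. The hunk also leaves two blank lines before `kali_server:` where the rest of the file uses one.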
@@ -47,6 +47,10 @@ "name": "Snort Alert for Splunk", "url": "https://splunkbase.splunk.com/app/5488", }, + { + "name": "VMware Carbon Black Cloud", + "url": "https://splunkbase.splunk.com/app/5332", + }, ] ATTACK_RANGE_LOCAL_APPS = [ diff --git a/terraform/ansible/linux_server.yml b/terraform/ansible/linux_server.yml index b04c7c19..b516b520 100644 --- a/terraform/ansible/linux_server.yml +++ b/terraform/ansible/linux_server.yml @@ -12,4 +12,5 @@ - linux_server_post - update_sysmon_config_linux - splunk_byo_linux - - contentctl \ No newline at end of file + - contentctl + - crowdstrike_falcon_agent_linux \ No newline at end of file diff --git a/terraform/ansible/roles/carbon_black_cloud_agent/tasks/main.yml b/terraform/ansible/roles/carbon_black_cloud_agent/tasks/main.yml deleted file mode 100644 index fe0a0dbe..00000000 --- a/terraform/ansible/roles/carbon_black_cloud_agent/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -- include: install.yml - when: general.carbon_black_cloud == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/carbon_black_cloud_agent/tasks/install.yml b/terraform/ansible/roles/carbon_black_cloud_agent_win/tasks/install.yml similarity index 78% rename from terraform/ansible/roles/carbon_black_cloud_agent/tasks/install.yml rename to terraform/ansible/roles/carbon_black_cloud_agent_win/tasks/install.yml index c25229b4..04578ec7 100644 --- a/terraform/ansible/roles/carbon_black_cloud_agent/tasks/install.yml +++ b/terraform/ansible/roles/carbon_black_cloud_agent_win/tasks/install.yml @@ -2,7 +2,7 @@ - name: Copy carbon black cloud agent win_copy: - src: "../../apps/{{ general.carbon_black_cloud_agent_name }}" + src: "../../apps/{{ windows_servers.carbon_black_windows_agent }}" dest: C:\Temp\WindowsSensor.msi - name: install carbon black cloud agent 
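Review bot: The `src` change only swaps which config key names the MSI; the installer is still copied from the local `apps/` folder by filename, and nothing visible in this hunk verifies what was copied before it is installed with administrative rights. A `win_stat` on `C:\Temp\WindowsSensor.msi` with `checksum_algorithm: sha256`, asserted against a digest from the config, is a cheap guard for a privileged EDR package; the same pattern appears in the CrowdStrike Windows role further down. The task list continues past the hunk (the `install carbon black cloud agent` task body is not shown), so I cannot tell whether the install step itself checks anything.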
diff --git a/terraform/ansible/roles/carbon_black_cloud_agent_win/tasks/main.yml b/terraform/ansible/roles/carbon_black_cloud_agent_win/tasks/main.yml
new file mode 100644
index 00000000..c8eec228
--- /dev/null
+++ b/terraform/ansible/roles/carbon_black_cloud_agent_win/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+
+- include_tasks: install.yml
+ when: windows_servers.install_carbon_black == "1"
\ No newline at end of file
diff --git a/terraform/ansible/roles/carbon_black_cloud_logs/templates/inputs.conf.j2 b/terraform/ansible/roles/carbon_black_cloud_logs/templates/inputs.conf.j2
index 7e1395f8..f92075ff 100644
--- a/terraform/ansible/roles/carbon_black_cloud_logs/templates/inputs.conf.j2
+++ b/terraform/ansible/roles/carbon_black_cloud_logs/templates/inputs.conf.j2
@@ -1,5 +1,5 @@
 [aws_s3://cb_events]
-aws_account = splunk_role_{{ general.attack_range_name }}_{{ general.key_name }}
+aws_account = splunk_role_{{ general.key_name }}_{{ general.attack_range_name }}
 bucket_name = {{ general.carbon_black_cloud_s3_bucket }}
 character_set = auto
 ct_blacklist = ^$
diff --git a/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/main.yml b/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/main.yml
deleted file mode 100644
index 9fdd0895..00000000
--- a/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-- include: crowdstrike_install.yml
- when: general.crowdstrike_falcon == "1"
\ No newline at end of file
diff --git a/terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/crowdstrike_install.yml b/terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/crowdstrike_install.yml
new file mode 100644
index 00000000..18e3b29f
--- /dev/null
+++ b/terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/crowdstrike_install.yml
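Review bot: The `aws_account` value is a naming convention (`splunk_role_<key_name>_<attack_range_name>`) that must match the AWS account stanza created elsewhere for the Splunk Add-on for AWS, and the fact that this commit has to swap the two components suggests the convention is hand-duplicated in at least two places. Building the name once in a single variable and referencing it here, e.g. `aws_account = {{ general.splunk_aws_account_name }}`, would remove the drift; at minimum add a comment above the stanza naming where the canonical account name is defined so the next rename does not silently break S3 ingestion again. I cannot see the Terraform/role that creates the account, so the exact variable to reuse is left to the author.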
@@ -0,0 +1,21 @@ +--- + +- name: Copy CrowdStrike Falcon agent + copy: + src: "../../apps/{{ linux_servers.crowdstrike_linux_agent }}" + dest: /tmp/crowdstrike_linux_agent.deb + +- name: Install CrowdStrike Falcon agent + apt: + deb: "/tmp/crowdstrike_linux_agent.deb" + state: present + become: yes + +- name: Set your CID on the sensor + shell: /opt/CrowdStrike/falconctl -s --cid={{ general.crowdstrike_customer_ID }} + become: yes + +- name: restart crowdstrike falcon agent + service: + name: falcon-sensor + state: restarted \ No newline at end of file diff --git a/terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/main.yml b/terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/main.yml new file mode 100644 index 00000000..3441cf15 --- /dev/null +++ b/terraform/ansible/roles/crowdstrike_falcon_agent_linux/tasks/main.yml @@ -0,0 +1,4 @@ +--- + +- include_tasks: crowdstrike_install.yml + when: linux_servers.install_crowdstrike == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/crowdstrike_install.yml b/terraform/ansible/roles/crowdstrike_falcon_agent_win/tasks/crowdstrike_install.yml similarity index 77% rename from terraform/ansible/roles/crowdstrike_falcon_agent/tasks/crowdstrike_install.yml rename to terraform/ansible/roles/crowdstrike_falcon_agent_win/tasks/crowdstrike_install.yml index 0515ca59..8571e3b0 100644 --- a/terraform/ansible/roles/crowdstrike_falcon_agent/tasks/crowdstrike_install.yml +++ b/terraform/ansible/roles/crowdstrike_falcon_agent_win/tasks/crowdstrike_install.yml @@ -2,7 +2,7 @@ - name: Copy crowdstrike falcon agent win_copy: - src: "../../apps/{{ general.crowdstrike_agent_name }}" + src: "../../apps/{{ windows_servers.crowdstrike_windows_agent }}" dest: c:\temp\WindowsSensor.exe - name: install crowdstrike falcon agent 
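Review bot: The final `restart crowdstrike falcon agent` task has no `become`, while the `apt` and `shell` tasks above it do, so the `service` restart of `falcon-sensor` will fail with a permission error unless the whole play already runs as root. The CID task should use `command` rather than `shell` (nothing in it needs a shell, and the templated value is interpolated unquoted into a shell line) and carry `no_log: true`, because the customer ID is what enrolls hosts into the Falcon tenant and should not be echoed into Ansible output and logs. Neither `copy` nor `apt` verifies the `.deb` that is picked from `apps/` by filename, a supply-chain gap for a package installed as root; a `stat` with `checksum_algorithm: sha256` asserted against a configured digest would close it, but that needs a new config key so I only flag it here. Prefer `become: true` over `become: yes` throughout (yamllint truthy).
```yaml
# … unchanged: copy and apt install tasks …

- name: Set the customer ID (CID) on the sensor
  command: /opt/CrowdStrike/falconctl -s --cid={{ general.crowdstrike_customer_ID }}
  become: true
  no_log: true

- name: Restart CrowdStrike Falcon agent
  service:
    name: falcon-sensor
    state: restarted
  become: true
```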
diff --git a/terraform/ansible/roles/crowdstrike_falcon_agent_win/tasks/main.yml b/terraform/ansible/roles/crowdstrike_falcon_agent_win/tasks/main.yml
new file mode 100644
index 00000000..49f20374
--- /dev/null
+++ b/terraform/ansible/roles/crowdstrike_falcon_agent_win/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+
+- include_tasks: crowdstrike_install.yml
+ when: windows_servers.install_crowdstrike == "1"
\ No newline at end of file
diff --git a/terraform/ansible/windows.yml b/terraform/ansible/windows.yml
index 915aa9c2..039b5cdc 100644
--- a/terraform/ansible/windows.yml
+++ b/terraform/ansible/windows.yml
@@ -20,5 +20,5 @@
 - splunk_byo_windows
 - windows_aurora_agent
 - windows_install_attack_simulation
- - crowdstrike_falcon_agent
- - carbon_black_cloud_agent
\ No newline at end of file
+ - crowdstrike_falcon_agent_win
+ - carbon_black_cloud_agent_win
\ No newline at end of file