commando-vm
Create Packer and/or Vagrant scripts for install
As discussed in #59
Due to Windows Tamper Protection I am not sure this will be a viable option for install.
I haven't looked at the code for this yet, but it looks promising: https://github.com/clong/DetectionLab/pull/307
From this issue's comments: https://github.com/clong/DetectionLab/issues/306
Awesome, thanks again for the help ;-)
No problem :grin: glad to help where I can. Thanks @clong for the amazing dev work in DetectionLab.
@day1player there are a few different ways we can take the packer scripts.
- take the template from iso to full machine w/o waiting for snapshots in between, i.e. A -> Z
  This would result in 1 VM with 1 final state.
- have incremental templates which would do something like so:
  a. iso -> "clean-ish" machine, which has some required changes to run the commando install script but not much more (disabling tamper protection for instance): A -> M
  b. "clean-ish" -> final produced build: M -> Z
  This would result in 1 VM with 2 final states (snapshots), or 2 VMs with 1 state each (the b. step above would start by making a clone of the existing "clean-ish" VM to use).
Which do you think you would prefer?
Additionally, which builder targets do you need? Right now I'm planning to use virtualbox, vmware-workstation, and hyper-v.
@DrJZoidberg I was about to start building packer/vagrant versions tomorrow for a project I am working on to make a quick deployment kit using RHEL Satellite server and Ansible/Vagrant. I anticipate the tamper protection being an issue for a single command packer build. However, I will pass along any lessons learned and the files here if I manage to find a way to do it.
As far as builder targets, I personally will be aiming for libvirt since my host OS for the deployable devices will be RHEL.
So I found a way to help automate all of the install BUT the final step where I have to type 'ENTER'.
In the packer .json file I have a setup.ps1 file, the commando install.ps1 file, the AutoHotKey.exe portable exe, and the attached file (rename from .txt to .ahk) forked onto the box using the file provisioner.
The setup.ps1:

```powershell
# run the attached AutoHotKey script (renamed from .txt to .ahk)
AutoHotKey.exe disable_defender.ahk
Set-ExecutionPolicy Unrestricted
Unblock-File .\install.ps1
# the password argument is cut off in the original post
.\install.ps1 -nochecks 1 -password '
```
An interesting article here: https://www.bleepingcomputer.com/news/microsoft/malware-can-no-longer-disable-microsoft-defender-via-the-registry/
I'm about 95% of the way to a fully automated packer build; right now the sticking point is that Packer thinks the intermediate reboots' exit codes mean the end of the provisioning and therefore it fails. The current workaround is to let Windows build completely without a shutdown command in Packer. Once the Windows install is done, then run the 'install.ps1' and Packer will ignore the reboots. Once complete, run a shutdown and Packer will run any post needed (box file creation).
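As an added example (not from this thread or from Commando VM), one way to lay out the single-pass A -> Z build in a Packer HCL2 template so that reboots become explicit restart points instead of provisioner failures. It assumes the thread's setup.ps1, install.ps1, AutoHotKey.exe and disable_defender.ahk sit in ./files/, that install.ps1 can be re-invoked after a reboot to resume, and that its -password argument takes the account password; the ISO URL and checksum are placeholders.

```hcl
# Added example, not files from this thread or from Commando VM. Assumes the
# thread's setup.ps1, install.ps1, AutoHotKey.exe and disable_defender.ahk sit
# in ./files/ and that install.ps1 can be re-run after a reboot to resume.
variable "winrm_password" {
  type      = string
  sensitive = true
}

source "virtualbox-iso" "commando" {
  vm_name        = "commando-vm"
  guest_os_type  = "Windows10_64"
  iso_url        = "PLACEHOLDER_WINDOWS_ISO_URL"   # placeholder
  iso_checksum   = "sha256:PLACEHOLDER_CHECKSUM"   # placeholder
  floppy_files   = ["./autounattend.xml"]          # unattended Windows setup: A -> M
  communicator   = "winrm"
  winrm_username = "vagrant"
  winrm_password = var.winrm_password
  winrm_timeout  = "4h"                            # setup takes a while before WinRM answers
  # Sent only after every provisioner finishes, so install.ps1's reboots cannot end the build.
  shutdown_command = "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\""
  shutdown_timeout = "30m"
}

build {
  sources = ["source.virtualbox-iso.commando"]

  provisioner "file" {
    source      = "./files/"      # trailing slash: upload the directory contents
    destination = "C:\\packer"
  }
  provisioner "powershell" {
    inline = ["Set-Location C:\\packer", ".\\setup.ps1"]
  }
  # Explicit restart point: Packer waits for WinRM to come back instead of
  # treating the dropped session as a failed provisioner.
  provisioner "windows-restart" { restart_timeout = "15m" }

  # M -> Z: run the install script; add one windows-restart + powershell pair
  # per reboot the install needs, re-invoking install.ps1 each time.
  provisioner "powershell" {
    environment_vars = ["COMMANDO_PASSWORD=${var.winrm_password}"]
    inline = ["Set-Location C:\\packer", ".\\install.ps1 -nochecks 1 -password $env:COMMANDO_PASSWORD"]
  }
  provisioner "windows-restart" { restart_timeout = "15m" }

  post-processor "vagrant" {
    output = "commando-vm-{{ .Provider }}.box"
  }
}
```

Build with `packer build -var winrm_password=... .`; the vagrant post-processor only runs once the final shutdown_command has completed, which is the ordering the workaround above reproduces by hand.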
I've been taking a different approach @NebulousAnchor, I'll post up some gists tomorrow, but I'm trying to accomplish everything related to disabling Tamper Protection and Defender in the autounattend.xml file so that it is accomplished during the initial Windows setup.
@NebulousAnchor https://gist.github.com/DrJZoidberg/0f749591b9f6a2668d6e5eaa62372b29
You should be able to see that. Now I'm not taking care of tamper protection, but it seems that we are both probably at the same state in terms of disabling Defender. I'll see if there is any way to disable Tamper Pro some today.
@DrJZoidberg I need to redo my packer tomorrow. I'll try your files.
https://twitter.com/jonasLyk/status/1293815234805760000
Create a new issue here if you are still looking to see this happen in CommandoVM: https://github.com/mandiant/VM-Packages/issues/new/choose