From c9e06634e5d6583916cd66286ad9ce1a87eeb675 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Mon, 26 Aug 2019 21:21:16 -0400 Subject: [PATCH 01/19] Split Windows 10 templates into sub-versions --- .../win10_x64_analyst.json} | 6 +++--- .../win10_x86_analyst.json} | 6 +++--- malboxes/templates/win10_1607_x64_analyst.json | 4 ++++ malboxes/templates/win10_1607_x86_analyst.json | 4 ++++ malboxes/templates/win10_x64_analyst.json | 1 + malboxes/templates/win10_x86_analyst.json | 1 + 6 files changed, 16 insertions(+), 6 deletions(-) rename malboxes/templates/{win10_64_analyst.json => snippets/win10_x64_analyst.json} (75%) rename malboxes/templates/{win10_32_analyst.json => snippets/win10_x86_analyst.json} (75%) create mode 100644 malboxes/templates/win10_1607_x64_analyst.json create mode 100644 malboxes/templates/win10_1607_x86_analyst.json create mode 100644 malboxes/templates/win10_x64_analyst.json create mode 100644 malboxes/templates/win10_x86_analyst.json diff --git a/malboxes/templates/win10_64_analyst.json b/malboxes/templates/snippets/win10_x64_analyst.json similarity index 75% rename from malboxes/templates/win10_64_analyst.json rename to malboxes/templates/snippets/win10_x64_analyst.json index c54f153..49a3323 100644 --- a/malboxes/templates/win10_64_analyst.json +++ b/malboxes/templates/snippets/win10_x64_analyst.json @@ -10,10 +10,10 @@ {% endif %} "iso_urls": [ - "file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO", - "http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO" + "file://{{ iso_path }}/{{ iso_filename }}", + "{{ iso_url }}" ], - "iso_checksum": "a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a", + "iso_checksum": "{{ iso_checksum }}", "iso_checksum_type": "sha1", "floppy_files": [ 
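Review bot: `iso_checksum_type` stays hard-coded to `sha1` while `iso_checksum` is now supplied by the including template, so a future per-version template that pins a SHA-256 digest would fail the checksum step instead of being verified more strongly. Parameterize the type next to the value, `"iso_checksum_type": "{{ iso_checksum_type | default('sha1') }}"`, so the shared snippet can move off SHA-1 without being edited. `{{ iso_url }}` is also substituted into a JSON string without escaping; that is fine while the value comes from a `{% set %}` in a sibling template, but if it ever comes from user config a value containing `"` breaks the rendered JSON. The enclosing builder object continues outside the hunk.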
diff --git a/malboxes/templates/win10_32_analyst.json b/malboxes/templates/snippets/win10_x86_analyst.json similarity index 75% rename from malboxes/templates/win10_32_analyst.json rename to malboxes/templates/snippets/win10_x86_analyst.json index 2d85225..b2dab30 100644 --- a/malboxes/templates/win10_32_analyst.json +++ b/malboxes/templates/snippets/win10_x86_analyst.json @@ -10,10 +10,10 @@ {% endif %} "iso_urls": [ - "file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO", - "http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO" + "file://{{ iso_path }}/{{ iso_filename }}", + "{{ iso_url }}" ], - "iso_checksum": "0b8e56772c71dc7bb73654c61e53998a997e1e4d", + "iso_checksum": "{{ iso_checksum }}", "iso_checksum_type": "sha1", "floppy_files": [ diff --git a/malboxes/templates/win10_1607_x64_analyst.json b/malboxes/templates/win10_1607_x64_analyst.json new file mode 100644 index 0000000..4cdc75d --- /dev/null +++ b/malboxes/templates/win10_1607_x64_analyst.json @@ -0,0 +1,4 @@ +{% set iso_filename = '14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO' %} +{% set iso_url = 'http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO' %} +{% set iso_checksum = 'a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a' %} +{% include 'snippets/win10_x64_analyst.json' %} diff --git a/malboxes/templates/win10_1607_x86_analyst.json b/malboxes/templates/win10_1607_x86_analyst.json new file mode 100644 index 0000000..fb3108b --- /dev/null +++ b/malboxes/templates/win10_1607_x86_analyst.json 
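Review bot: The 1607 ISO is fetched over plain `http://download.microsoft.com`, so the pinned SHA-1 in `iso_checksum` is the only integrity control on the image every analyst VM is built from. That is acceptable only as long as the hash is copied from Microsoft's published value and never regenerated from a local download; record that in the template, e.g. `{# sha1 as published by Microsoft for this evaluation ISO; do not regenerate from a downloaded copy #}`, and prefer an `https://` source where one exists (the 1903 templates later in this series use `https://software-download.microsoft.com`).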
@@ -0,0 +1,4 @@ +{% set iso_filename = '14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO' %} +{% set iso_url = 'http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO' %} +{% set iso_checksum = '0b8e56772c71dc7bb73654c61e53998a997e1e4d' %} +{% include 'snippets/win10_x86_analyst.json' %} diff --git a/malboxes/templates/win10_x64_analyst.json b/malboxes/templates/win10_x64_analyst.json new file mode 100644 index 0000000..a24d4d4 --- /dev/null +++ b/malboxes/templates/win10_x64_analyst.json @@ -0,0 +1 @@ +{% include 'win10_1607_x64_analyst.json' %} diff --git a/malboxes/templates/win10_x86_analyst.json b/malboxes/templates/win10_x86_analyst.json new file mode 100644 index 0000000..19e0ec1 --- /dev/null +++ b/malboxes/templates/win10_x86_analyst.json @@ -0,0 +1 @@ +{% include 'win10_1607_x86_analyst.json' %} From 4f48639492081810314601c6beea0e973dfee4c5 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Tue, 27 Aug 2019 10:37:07 -0400 Subject: [PATCH 02/19] Failed attempt at Windows 10 1903 (19H1) x64 --- malboxes/templates/win10_1903_x64_analyst.json | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 malboxes/templates/win10_1903_x64_analyst.json diff --git a/malboxes/templates/win10_1903_x64_analyst.json b/malboxes/templates/win10_1903_x64_analyst.json new file mode 100644 index 0000000..c9e4c21 --- /dev/null +++ b/malboxes/templates/win10_1903_x64_analyst.json @@ -0,0 +1,4 @@ +{% set iso_filename = '18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso' %} +{% set iso_url = 'https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso' %} +{% set iso_checksum = '743FC483BB8BF1901C0534A0AE15208A5A72A3C5' %} +{% include 'snippets/win10_x64_analyst.json' %} 
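Review bot: The commit title says this 1903 x64 build is a failed attempt, but the template lands as a selectable `win10_1903_x64_analyst.json` with nothing inside it saying so, and a Jinja comment is the only place that status survives once the commit message scrolls away. Add `{# 1903 (19H1): build not yet working, see commit history #}` at the top and drop it once the build is verified. The checksum is also upper-case hex while the 1607 templates use lower-case; I believe Packer compares case-insensitively, but lower-casing keeps the values grep-able against each other and against the docs.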
From 0c3e4ab27170edf5fc3684f6b1bebdd2263ac012 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Tue, 27 Aug 2019 10:37:38 -0400 Subject: [PATCH 03/19] doc: more Windows 10 download links and hashes --- docs/windows-licenses.adoc | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/docs/windows-licenses.adoc b/docs/windows-licenses.adoc index a82c0e8..135b7b6 100644 --- a/docs/windows-licenses.adoc +++ b/docs/windows-licenses.adoc 
@@ -10,13 +10,47 @@ If you want to use a trial version make sure you have the following in your "trial": true -=== Windows 10 32-bit +=== Windows 10 + +==== 1903 May 2019 Update (19H1) + +===== x64 + +* filename: 18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso +* sha1sum: 743FC483BB8BF1901C0534A0AE15208A5A72A3C5 +* download link: https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso + +===== x86 + +* filename: 18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x86FRE_en-us.iso +* sha1sum: d0373ab9d590ff3d512d9e91b7e3d458026ea1c6 +* download link: https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x86FRE_en-us.iso + + +==== 1703 Creators Update (Redstone 2) + +===== x64 + +* filename: 15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO +* sha1sum: 6c60f91bf0ad7b20f469ab8f80863035c517f34f +* download link: http://care.dlservice.microsoft.com/dl/download/B/8/B/B8B452EC-DD2D-4A8F-A88C-D2180C177624/15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO + +===== x86 + +* filename: 15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO +* sha1sum: 1aa6d3c4451e79e69e84118ec629ad99e2ad36e7 +* download link: http://care.dlservice.microsoft.com/dl/download/B/8/B/B8B452EC-DD2D-4A8F-A88C-D2180C177624/15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO + + +==== 1607 Anniversary Update (Redstone 1) + +===== 32-bit * filename: 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO * sha1 checksum: 0b8e56772c71dc7bb73654c61e53998a997e1e4d * download link: http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO -=== Windows 10 64-bit +=== 
64-bit * filename: 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO" * sha1 checksum: a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a From 0b19625ec3eeba6a01be6f85f9a4dc7d879ad081 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Wed, 28 Aug 2019 00:01:43 -0400 Subject: [PATCH 04/19] Windows 10 1903 required changes to Autounattend.xml Sorry for the line noise but some of my previous changes mixed line termination characters and this fixes that too. --- .../installconfig/windows10/Autounattend.xml | 23 ++++++++++++------- .../windows10_64/Autounattend.xml | 23 ++++++++++++------- 2 files changed, 30 insertions(+), 16 deletions(-) diff --git a/malboxes/installconfig/windows10/Autounattend.xml b/malboxes/installconfig/windows10/Autounattend.xml index 6b86fff..7484a90 100644 --- a/malboxes/installconfig/windows10/Autounattend.xml +++ b/malboxes/installconfig/windows10/Autounattend.xml @@ -49,7 +49,7 @@ en-US Never - {{ input_locale or 'en-US' }} + {{ input_locale or 'en-US' }} en-US en-US en-US @@ -62,13 +62,20 @@ - {% if proxy %} - - 0 - true - {{ proxy }} - - {% endif %} + + en-US + en-US + en-US + en-US + en-US + + {% if proxy %} + + 0 + true + {{ proxy }} + + {% endif %} diff --git a/malboxes/installconfig/windows10_64/Autounattend.xml b/malboxes/installconfig/windows10_64/Autounattend.xml index 6b211fe..2c5eb2f 100644 --- a/malboxes/installconfig/windows10_64/Autounattend.xml +++ b/malboxes/installconfig/windows10_64/Autounattend.xml @@ -49,7 +49,7 @@ en-US Never - {{ input_locale or 'en-US' }} + {{ input_locale or 'en-US' }} en-US en-US en-US @@ -62,13 +62,20 @@ - {% if proxy %} - - 0 - true - {{ proxy }} - - {% endif %} + + en-US + en-US + en-US + en-US + en-US + + {% if proxy %} + + 0 + true + {{ proxy }} + + {% endif %} From aa975f58770b84f5f2da67459306cbde5251a437 Mon Sep 17 00:00:00 2001 
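Review bot: `{{ proxy }}` is interpolated into the unattend XML without escaping (the element tags are lost in this view, but the Jinja expression is unchanged from the old side), so a proxy value containing `&`, `<` or `"` yields malformed XML that Setup rejects or, at worst, injects sibling elements into the pass. The value comes from the user's own config, so this is robustness rather than an exploit, but `{{ proxy | e }}` closes it unless the Jinja environment is created with autoescape, which is not visible here; `{{ input_locale or 'en-US' }}` on the earlier changed line deserves the same treatment. The two `Autounattend.xml` files carry identical copies of this block, so a shared include would keep them from drifting.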
From: Olivier Bilodeau Date: Wed, 28 Aug 2019 00:12:07 -0400 Subject: [PATCH 05/19] Windows 10 1903 (19H1) x86 --- malboxes/templates/win10_1903_x86_analyst.json | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 malboxes/templates/win10_1903_x86_analyst.json diff --git a/malboxes/templates/win10_1903_x86_analyst.json b/malboxes/templates/win10_1903_x86_analyst.json new file mode 100644 index 0000000..9f330b2 --- /dev/null +++ b/malboxes/templates/win10_1903_x86_analyst.json @@ -0,0 +1,4 @@ +{% set iso_filename = '18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x86FRE_en-us.iso' %} +{% set iso_url = 'https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x86FRE_en-us.iso' %} +{% set iso_checksum = 'd0373ab9d590ff3d512d9e91b7e3d458026ea1c6' %} +{% include 'snippets/win10_x86_analyst.json' %} From 49c74798616905a2bf54439eeb717c7aa3f422d3 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Wed, 28 Aug 2019 00:15:23 -0400 Subject: [PATCH 06/19] Default Windows 10 builds now default to 19H1 (1903) --- malboxes/templates/win10_x64_analyst.json | 2 +- malboxes/templates/win10_x86_analyst.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/malboxes/templates/win10_x64_analyst.json b/malboxes/templates/win10_x64_analyst.json index a24d4d4..1ca3609 100644 --- a/malboxes/templates/win10_x64_analyst.json +++ b/malboxes/templates/win10_x64_analyst.json @@ -1 +1 @@ -{% include 'win10_1607_x64_analyst.json' %} +{% include 'win10_1903_x64_analyst.json' %} diff --git a/malboxes/templates/win10_x86_analyst.json b/malboxes/templates/win10_x86_analyst.json index 19e0ec1..0b78cfc 100644 --- a/malboxes/templates/win10_x86_analyst.json +++ b/malboxes/templates/win10_x86_analyst.json @@ -1 +1 @@ -{% include 'win10_1607_x86_analyst.json' %} +{% include 'win10_1903_x86_analyst.json' %} From 6abefd4f8823b59f63bf4271433d14ddd653ff59 Mon Sep 17 00:00:00 2001 
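Review bot: With the default `win10_x64_analyst`/`win10_x86_analyst` templates now resolving to 1903, a default build with `windows_defender` unset ends up labelled Defender-off while Defender is still running: the 1903 x64 template was committed two patches earlier as a failed attempt, and as far as this series shows `disable_defender.ps1` has not yet been taught about the Tamper Protection that 1903 introduces. Either keep 1607 as the default until the 1903 Defender handling lands, or mark the trade-off in each of the two files, e.g. `{# default tracks the newest evaluation ISO; Defender cannot be fully disabled unattended on 1903+ #}`.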
From: Olivier Bilodeau
Date: Fri, 30 Aug 2019 16:26:20 -0400
Subject: [PATCH 07/19] Found a way to disable the new Defender Tamper Protection Adding only for Windows 10
---
 malboxes/scripts/windows/disable_defender.ps1 | 5 ++
 .../disable_defender_tamper_protection.ps1 | 70 +++++++++++++++++++
 .../snippets/provision_powershell.json | 14 +++-
 3 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 malboxes/scripts/windows/disable_defender_tamper_protection.ps1
diff --git a/malboxes/scripts/windows/disable_defender.ps1 b/malboxes/scripts/windows/disable_defender.ps1
index 179b385..9a6377d 100644
--- a/malboxes/scripts/windows/disable_defender.ps1
+++ b/malboxes/scripts/windows/disable_defender.ps1
@@ -1,3 +1,8 @@
+
+# This disables Tamper Protection introduced in Windows 10 1903 (May 2019 Update)
+# but it requires us to run disable_defender_tamper_protection.ps1 beforehand to allow registry changes
+Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0
+
 # Disable Windows Defender on Windows 10
 Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1
 Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableRoutinelyTakingAction" -Value 1
diff --git a/malboxes/scripts/windows/disable_defender_tamper_protection.ps1 b/malboxes/scripts/windows/disable_defender_tamper_protection.ps1
new file mode 100644
index 0000000..70cc57b
--- /dev/null
+++ b/malboxes/scripts/windows/disable_defender_tamper_protection.ps1
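Review bot: The new `Set-ItemProperty ... -Name "TamperProtection" -Value 0` only emits a non-terminating error if the ownership script did not run first or its ACL change failed, and as far as I can tell the Packer PowerShell provisioner does not fail the build on those, so the image would ship with Defender active while the config says it is off. Read the value back and fail loudly, e.g. `if ((Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Features").TamperProtection -ne 0) { throw "Tamper Protection still enabled" }`, and pass `-Type DWord` so the value type does not depend on what already exists in the key. The ordering requirement stated in the comment deserves that guard rather than a comment alone.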
@@ -0,0 +1,70 @@
+# Disables Windows Defender Tamper Protection
+# This is required to be able to disable defender. A restart is required after this is run.
+
+# The Take-Permissions function was taken from StackOverflow and is used under the site's CC BY-SA 3.0
+# Authored by: Argimko and edited by SaintFrag
+# https://stackoverflow.com/questions/12044432/how-do-i-take-ownership-of-a-registry-key-via-powershell
+function Take-Permissions {
+    # Developed for PowerShell v4.0
+    # Required Admin privileges
+    # Links:
+    # http://shrekpoint.blogspot.ru/2012/08/taking-ownership-of-dcom-registry.html
+    # http://www.remkoweijnen.nl/blog/2012/01/16/take-ownership-of-a-registry-key-in-powershell/
+    # https://powertoe.wordpress.com/2010/08/28/controlling-registry-acl-permissions-with-powershell/
+
+    param($rootKey, $key, [System.Security.Principal.SecurityIdentifier]$sid = 'S-1-5-32-545', $recurse = $true)
+
+    switch -regex ($rootKey) {
+        'HKCU|HKEY_CURRENT_USER' { $rootKey = 'CurrentUser' }
+        'HKLM|HKEY_LOCAL_MACHINE' { $rootKey = 'LocalMachine' }
+        'HKCR|HKEY_CLASSES_ROOT' { $rootKey = 'ClassesRoot' }
+        'HKCC|HKEY_CURRENT_CONFIG' { $rootKey = 'CurrentConfig' }
+        'HKU|HKEY_USERS' { $rootKey = 'Users' }
+    }
+
+    ### Step 1 - escalate current process's privilege
+    # get SeTakeOwnership, SeBackup and SeRestore privileges before executes next lines, script needs Admin privilege
+    $import = '[DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(ulong a, bool b, bool c, ref bool d);'
+    $ntdll = Add-Type -Member $import -Name NtDll -PassThru
+    $privileges = @{ SeTakeOwnership = 9; SeBackup = 17; SeRestore = 18 }
+    foreach ($i in $privileges.Values) {
+        $null = $ntdll::RtlAdjustPrivilege($i, 1, 0, [ref]0)
+    }
+
+    function Take-KeyPermissions {
+        param($rootKey, $key, $sid, $recurse, $recurseLevel = 0)
+
+        ### Step 2 - get ownerships of key - it works only for current key
+        $regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($key, 'ReadWriteSubTree', 'TakeOwnership')
+        $acl = New-Object System.Security.AccessControl.RegistrySecurity
+        $acl.SetOwner($sid)
+        $regKey.SetAccessControl($acl)
+
+        ### Step 3 - enable inheritance of permissions (not ownership) for current key from parent
+        $acl.SetAccessRuleProtection($false, $false)
+        $regKey.SetAccessControl($acl)
+
+        ### Step 4 - only for top-level key, change permissions for current key and propagate it for subkeys
+        # to enable propagations for subkeys, it needs to execute Steps 2-3 for each subkey (Step 5)
+        if ($recurseLevel -eq 0) {
+            $regKey = $regKey.OpenSubKey('', 'ReadWriteSubTree', 'ChangePermissions')
+            $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
+            $acl.ResetAccessRule($rule)
+            $regKey.SetAccessControl($acl)
+        }
+
+        ### Step 5 - recursively repeat steps 2-5 for subkeys
+        if ($recurse) {
+            foreach($subKey in $regKey.OpenSubKey('').GetSubKeyNames()) {
+                Take-KeyPermissions $rootKey ($key+'\'+$subKey) $sid $recurse ($recurseLevel+1)
+            }
+        }
+    }
+
+    Take-KeyPermissions $rootKey $key $sid $recurse
+}
+
+# Local Administrators become owners (full control) of the following registry path
+# Without this Tamper Protection can't be disabled thus neither can Windows Defender be disabled
+Take-Permissions "HKLM" "Software\Microsoft\Windows Defender\Features" "S-1-5-32-544"
+Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0
\ No newline at end of file
diff --git a/malboxes/templates/snippets/provision_powershell.json b/malboxes/templates/snippets/provision_powershell.json
index 4927eff..4d2d5a6 100644
--- a/malboxes/templates/snippets/provision_powershell.json
+++ b/malboxes/templates/snippets/provision_powershell.json
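Review bot: `Take-Permissions` defaults `$sid` to `S-1-5-32-545` (BUILTIN\Users) while the only call site passes `S-1-5-32-544`; combined with the recursive `FullControl`/`ContainerInherit` rule in Step 4, any future call that omits the argument hands every local user full control over a Defender configuration subtree. Make the parameter mandatory or default it to Administrators: `[System.Security.Principal.SecurityIdentifier]$sid = 'S-1-5-32-544'`. Two things the header comment should also state: the ownership and ACL change on `HKLM\Software\Microsoft\Windows Defender\Features` is persistent in the built image and is never restored, and the P/Invoke declares `RtlAdjustPrivilege(ulong, bool, bool, ref bool)` although the native prototype takes a 32-bit `ULONG` and one-byte `BOOLEAN`s, so on the x86 templates this series also ships it is worth confirming the privilege adjustment actually takes effect.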
@@ -1,8 +1,20 @@
+{% if not windows_defender == "true" %}
+    {
+        "type": "powershell",
+        "script": "{{ dir }}/scripts/windows/disable_defender_tamper_protection.ps1"
+    },
+    {
+        "type": "windows-restart"
+    },
+    {
+        "type": "powershell",
+        "script": "{{ dir }}/scripts/windows/disable_defender.ps1"
+    },
+{% endif %}
     {
         "type": "powershell",
         "scripts": [
             {% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %}
-            {% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %}
             {% if hypervisor == "virtualbox" %}
             "{{ dir }}/scripts/windows/vmtools.ps1",
             {% endif %}
From 9f331afd29f4d36e41e98e6d95b3890154c25341 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Tue, 3 Sep 2019 17:09:26 -0400
Subject: [PATCH 08/19] Defender: Disable Tamper Protection as SYSTEM
---
 malboxes/templates/snippets/provision_powershell.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/malboxes/templates/snippets/provision_powershell.json b/malboxes/templates/snippets/provision_powershell.json
index 4d2d5a6..3f6640d 100644
--- a/malboxes/templates/snippets/provision_powershell.json
+++ b/malboxes/templates/snippets/provision_powershell.json
@@ -1,6 +1,8 @@
 {% if not windows_defender == "true" %}
     {
         "type": "powershell",
+        "elevated_user": "SYSTEM",
+        "elevated_password": "",
         "script": "{{ dir }}/scripts/windows/disable_defender_tamper_protection.ps1"
     },
     {
From 6c0345c25697291b850027248af80bd2f8a2f513 Mon Sep 17 00:00:00 2001
+++ b/README.adoc @@ -35,7 +35,7 @@ https://github.com/gosecure/malboxes == Requirements * Python 3.3+ -* packer: https://www.packer.io/docs/install/index.html +* https://www.packer.io/docs/install/index.html[Packer] 1.3.3+ * vagrant: https://www.vagrantup.com/downloads.html * https://www.virtualbox.org/wiki/Downloads[VirtualBox] or an vSphere / ESXi server diff --git a/tests/smoke/Dockerfile b/tests/smoke/Dockerfile index 521e937..04c7c30 100644 --- a/tests/smoke/Dockerfile +++ b/tests/smoke/Dockerfile @@ -4,8 +4,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certifi curl -sSL https://www.virtualbox.org/download/oracle_vbox_2016.asc | apt-key add - && \ echo "deb http://download.virtualbox.org/virtualbox/debian xenial contrib" >> /etc/apt/sources.list.d/virtualbox.list && \ apt-get update && apt-get install -y --no-install-recommends virtualbox-5.2 module-init-tools python3 python3-pip python3-setuptools wget unzip bash git && \ - wget https://releases.hashicorp.com/packer/1.3.1/packer_1.3.1_linux_amd64.zip && unzip packer_1.3.1_linux_amd64.zip -d packer && \ - mv packer/packer /usr/local/bin/ && chmod a+x /usr/local/bin/packer && rm packer_1.3.1_linux_amd64.zip && rmdir packer + wget https://releases.hashicorp.com/packer/1.4.3/packer_1.4.3_linux_amd64.zip && unzip packer_1.4.3_linux_amd64.zip -d packer && \ + mv packer/packer /usr/local/bin/ && chmod a+x /usr/local/bin/packer && rm packer_1.4.3_linux_amd64.zip && rmdir packer # Enable this RUN statement when you need to connect to the VRDP server of the VM to troubleshoot issues From c99c9f54f2da1a80671d5967dcdb52852e709ce6 Mon Sep 17 00:00:00 2001 
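Review bot: The bumped `wget` still downloads `packer_1.4.3_linux_amd64.zip` with no checksum or signature check, so the smoke-test image trusts whatever `releases.hashicorp.com`, or anything on the path to it, serves. HashiCorp publishes `packer_1.4.3_SHA256SUMS` (and a detached `.sig`) next to every release; at minimum pin the digest before the `unzip`: `wget https://releases.hashicorp.com/packer/1.4.3/packer_1.4.3_SHA256SUMS && grep linux_amd64.zip packer_1.4.3_SHA256SUMS | sha256sum -c -`. Since the version bump rewrites this line anyway, this is the cheap moment to add it.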
From: Olivier Bilodeau
Date: Wed, 4 Sep 2019 11:41:01 -0400
Subject: [PATCH 10/19] Added a mechanism to communicate from the template to Malboxes core Used it to communicate to the user if a specific version of Windows is spun so that it has instructions on how to disable Defender.
---
 malboxes/malboxes.py | 18 ++++++++++++++++--
 malboxes/messages/defender-1903.txt | 6 ++++++
 .../templates/snippets/win10_x64_analyst.json | 1 -
 .../templates/snippets/win10_x86_analyst.json | 1 -
 malboxes/templates/win10_1607_x64_analyst.json | 2 ++
 malboxes/templates/win10_1607_x86_analyst.json | 2 ++
 malboxes/templates/win10_1903_x64_analyst.json | 2 ++
 malboxes/templates/win10_1903_x86_analyst.json | 2 ++
 8 files changed, 30 insertions(+), 4 deletions(-)
 create mode 100644 malboxes/messages/defender-1903.txt
diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py
index c6b549c..f45b00c 100644
--- a/malboxes/malboxes.py
+++ b/malboxes/malboxes.py
@@ -151,8 +151,17 @@ def prepare_packer_template(config, template_name):
 
     # write to temporary file
     f = create_cachefd('{}.json'.format(template_name))
-    packer_config = template.render(config) # pylint: disable=no-member
-    f.write(packer_config)
+
+    # load packer config as JSON
+    packer_config = json.loads(template.render(config)) # pylint: disable=no-member
+
+    # merge special _malboxes key into config and get rid of it
+    # packer doesn't like unknown keys yet we need to pass info from template to malboxes
+    if packer_config.get('_malboxes'):
+        config.update(packer_config['_malboxes'])
+        packer_config.pop('_malboxes')
+
+    json.dump(packer_config, f, indent=4)
     f.close()
 
     if DEBUG:
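Review bot: `config.update(packer_config['_malboxes'])` lets a template overwrite any key of the user's config, not only the `os`/`os_version` pair it is introduced for, so a template (including a user-supplied one, if those are supported) that sets `windows_defender`, `hypervisor` or a credential key silently wins over the profile. Restrict the merge to what the core expects, `config.update({k: v for k, v in packer_config['_malboxes'].items() if k in ('os', 'os_version')})`, or at least log the merged keys under `DEBUG`. Separately, `json.loads` now turns every Jinja slip (trailing comma, unquoted value) into a bare `JSONDecodeError` with no hint of which template produced it; catching it to report `template_name` would save the next person an hour. `prepare_packer_template` starts outside the hunk.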
@@ -466,6 +475,11 @@ def spin(parser, args):
     print("Vagrantfile generated. You can move it in your analysis directory "
           "and issue a `vagrant up` to get started with your VM.")
 
+    if config.get("windows_defender", "false") == "false" \
+            and config.get("os") == "Windows10" and config.get("os_version") >= 1903:
+        _r = resource_stream(__name__, 'messages/defender-1903.txt')
+        print(_r.read().decode())
+
 
 def prepare_profile(template, config):
     """Converts the profile to a powershell script."""
diff --git a/malboxes/messages/defender-1903.txt b/malboxes/messages/defender-1903.txt
new file mode 100644
index 0000000..23b3e88
--- /dev/null
+++ b/malboxes/messages/defender-1903.txt
@@ -0,0 +1,6 @@
+
+Starting with Windows 10 May 2019 Update (version 1903) Windows Defender has a Tamper Protection enabled by default. This protection is meant to be unremovable without user intervention (if you know how let us know). If you need Defender disabled it is advised that you manually disable it and then run as Administrator the batch script provided in C:\Tools of the VM. This is only required once.
+
+Instructions to disable Windows Defender Tamper Protection: https://www.windowscentral.com/how-manage-windows-security-tamper-protection-windows-10-may-2019-update
+
+Batch script to run as Administrator in the VM: C:\Tools\disable_defender.bat
\ No newline at end of file
diff --git a/malboxes/templates/snippets/win10_x64_analyst.json b/malboxes/templates/snippets/win10_x64_analyst.json
index 49a3323..ccbcd8f 100644
--- a/malboxes/templates/snippets/win10_x64_analyst.json
+++ b/malboxes/templates/snippets/win10_x64_analyst.json
@@ -43,4 +43,3 @@
     {% endfor %}
     {% endif %}
     ]
-}
diff --git a/malboxes/templates/snippets/win10_x86_analyst.json b/malboxes/templates/snippets/win10_x86_analyst.json
index b2dab30..46d22f9 100644
--- a/malboxes/templates/snippets/win10_x86_analyst.json
+++ b/malboxes/templates/snippets/win10_x86_analyst.json
@@ -44,4 +44,3 @@
     {% endfor %}
     {% endif %}
     ]
-}
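Review bot: `config.get("os_version") >= 1903` raises `TypeError` on Python 3 when `os_version` is missing, and it is missing for every Windows 10 template that does not emit the new `_malboxes` block, so an otherwise successful build ends in a traceback. Use `config.get("os_version", 0) >= 1903` so an unversioned template is a no-op. Note also that this check treats only the literal string `"false"` as Defender-off while the provisioning templates use `not windows_defender == "true"`, so a profile value such as `no` disables Defender without ever showing the notice; normalising the value once when the config is loaded would make the two agree. `spin` starts outside the hunk.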
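Review bot: Dropping the closing `}` leaves `snippets/win10_x64_analyst.json` as an unterminated fragment that is only valid once the including template appends `, "_malboxes": {...}` and its own `}`, and a template that forgets to now fails inside `json.loads` instead of in Packer with a clearer message. Make the contract explicit at the top of the snippet, `{# NOTE: unterminated on purpose; the including template must append its "_malboxes" entry and close the object #}`, or keep the brace here and have the snippet emit `_malboxes` itself from an `os_version` variable set by the including template. The x86 snippet hunk that follows has the same issue.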
diff --git a/malboxes/templates/win10_1607_x64_analyst.json b/malboxes/templates/win10_1607_x64_analyst.json index 4cdc75d..405d594 100644 --- a/malboxes/templates/win10_1607_x64_analyst.json +++ b/malboxes/templates/win10_1607_x64_analyst.json @@ -2,3 +2,5 @@ {% set iso_url = 'http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO' %} {% set iso_checksum = 'a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a' %} {% include 'snippets/win10_x64_analyst.json' %} + , "_malboxes": {"os": "Windows10", "os_version": 1607} +} \ No newline at end of file diff --git a/malboxes/templates/win10_1607_x86_analyst.json b/malboxes/templates/win10_1607_x86_analyst.json index fb3108b..91c2fb8 100644 --- a/malboxes/templates/win10_1607_x86_analyst.json +++ b/malboxes/templates/win10_1607_x86_analyst.json @@ -2,3 +2,5 @@ {% set iso_url = 'http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO' %} {% set iso_checksum = '0b8e56772c71dc7bb73654c61e53998a997e1e4d' %} {% include 'snippets/win10_x86_analyst.json' %} + , "_malboxes": {"os": "Windows10", "os_version": 1607} +} \ No newline at end of file diff --git a/malboxes/templates/win10_1903_x64_analyst.json b/malboxes/templates/win10_1903_x64_analyst.json index c9e4c21..a90053a 100644 --- a/malboxes/templates/win10_1903_x64_analyst.json +++ b/malboxes/templates/win10_1903_x64_analyst.json @@ -2,3 +2,5 @@ {% set iso_url = 'https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso' %} {% set iso_checksum = '743FC483BB8BF1901C0534A0AE15208A5A72A3C5' %} {% include 'snippets/win10_x64_analyst.json' %} + , "_malboxes": {"os": "Windows10", "os_version": 1903} +} \ No newline at end of file 
diff --git a/malboxes/templates/win10_1903_x86_analyst.json b/malboxes/templates/win10_1903_x86_analyst.json index 9f330b2..bd50f1d 100644 --- a/malboxes/templates/win10_1903_x86_analyst.json +++ b/malboxes/templates/win10_1903_x86_analyst.json @@ -2,3 +2,5 @@ {% set iso_url = 'https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x86FRE_en-us.iso' %} {% set iso_checksum = 'd0373ab9d590ff3d512d9e91b7e3d458026ea1c6' %} {% include 'snippets/win10_x86_analyst.json' %} + , "_malboxes": {"os": "Windows10", "os_version": 1903} +} \ No newline at end of file From e5434b1628f7e55a51688a030f094e43c6f73e18 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Wed, 4 Sep 2019 13:39:06 -0400 Subject: [PATCH 11/19] Revert "Defender: Disable Tamper Protection as SYSTEM" This reverts commit 9f331afd29f4d36e41e98e6d95b3890154c25341. --- malboxes/templates/snippets/provision_powershell.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/malboxes/templates/snippets/provision_powershell.json b/malboxes/templates/snippets/provision_powershell.json index 3f6640d..4d2d5a6 100644 --- a/malboxes/templates/snippets/provision_powershell.json +++ b/malboxes/templates/snippets/provision_powershell.json @@ -1,8 +1,6 @@ {% if not windows_defender == "true" %} { "type": "powershell", - "elevated_user": "SYSTEM", - "elevated_password": "", "script": "{{ dir }}/scripts/windows/disable_defender_tamper_protection.ps1" }, { From 85f57392d2cd28e7d8a2e2b9771785517cd728e9 Mon Sep 17 00:00:00 2001 
From: Olivier Bilodeau Date: Wed, 4 Sep 2019 13:39:30 -0400 Subject: [PATCH 12/19] Revert "Found a way to disable the new Defender Tamper Protection" This reverts commit 6abefd4f8823b59f63bf4271433d14ddd653ff59. --- malboxes/scripts/windows/disable_defender.ps1 | 5 -- .../disable_defender_tamper_protection.ps1 | 70 ------------------- .../snippets/provision_powershell.json | 14 +--- 3 files changed, 1 insertion(+), 88 deletions(-) delete mode 100644 malboxes/scripts/windows/disable_defender_tamper_protection.ps1 diff --git a/malboxes/scripts/windows/disable_defender.ps1 b/malboxes/scripts/windows/disable_defender.ps1 index 9a6377d..179b385 100644 --- a/malboxes/scripts/windows/disable_defender.ps1 +++ b/malboxes/scripts/windows/disable_defender.ps1 @@ -1,8 +1,3 @@ - -# This disables Tamper Protection introduced in Windows 10 1903 (May 2019 Update) -# but it requires us to run disable_defender_tamper_protection.ps1 beforehand to allow registry changes -Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0 - # Disable Windows Defender on Windows 10 Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableRoutinelyTakingAction" -Value 1 diff --git a/malboxes/scripts/windows/disable_defender_tamper_protection.ps1 b/malboxes/scripts/windows/disable_defender_tamper_protection.ps1 deleted file mode 100644 index 70cc57b..0000000 --- a/malboxes/scripts/windows/disable_defender_tamper_protection.ps1 +++ /dev/null 
@@ -1,70 +0,0 @@ -# Disables Windows Defender Tamper Protection -# This is required to be able to disable defender. A restart is required after this is run. - -# The Take-Permissions function was taken from StackOverflow and is used under the site's CC BY-SA 3.0 -# Authored by: Argimko and edited by SaintFrag -# https://stackoverflow.com/questions/12044432/how-do-i-take-ownership-of-a-registry-key-via-powershell -function Take-Permissions { - # Developed for PowerShell v4.0 - # Required Admin privileges - # Links: - # http://shrekpoint.blogspot.ru/2012/08/taking-ownership-of-dcom-registry.html - # http://www.remkoweijnen.nl/blog/2012/01/16/take-ownership-of-a-registry-key-in-powershell/ - # https://powertoe.wordpress.com/2010/08/28/controlling-registry-acl-permissions-with-powershell/ - - param($rootKey, $key, [System.Security.Principal.SecurityIdentifier]$sid = 'S-1-5-32-545', $recurse = $true) - - switch -regex ($rootKey) { - 'HKCU|HKEY_CURRENT_USER' { $rootKey = 'CurrentUser' } - 'HKLM|HKEY_LOCAL_MACHINE' { $rootKey = 'LocalMachine' } - 'HKCR|HKEY_CLASSES_ROOT' { $rootKey = 'ClassesRoot' } - 'HKCC|HKEY_CURRENT_CONFIG' { $rootKey = 'CurrentConfig' } - 'HKU|HKEY_USERS' { $rootKey = 'Users' } - } - - ### Step 1 - escalate current process's privilege - # get SeTakeOwnership, SeBackup and SeRestore privileges before executes next lines, script needs Admin privilege - $import = '[DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(ulong a, bool b, bool c, ref bool d);' - $ntdll = Add-Type -Member $import -Name NtDll -PassThru - $privileges = @{ SeTakeOwnership = 9; SeBackup = 17; SeRestore = 18 } - foreach ($i in $privileges.Values) { - $null = $ntdll::RtlAdjustPrivilege($i, 1, 0, [ref]0) - } - - function Take-KeyPermissions { - param($rootKey, $key, $sid, $recurse, $recurseLevel = 0) - - ### Step 2 - get ownerships of key - it works only for current key - $regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($key, 'ReadWriteSubTree', 
'TakeOwnership') - $acl = New-Object System.Security.AccessControl.RegistrySecurity - $acl.SetOwner($sid) - $regKey.SetAccessControl($acl) - - ### Step 3 - enable inheritance of permissions (not ownership) for current key from parent - $acl.SetAccessRuleProtection($false, $false) - $regKey.SetAccessControl($acl) - - ### Step 4 - only for top-level key, change permissions for current key and propagate it for subkeys - # to enable propagations for subkeys, it needs to execute Steps 2-3 for each subkey (Step 5) - if ($recurseLevel -eq 0) { - $regKey = $regKey.OpenSubKey('', 'ReadWriteSubTree', 'ChangePermissions') - $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow') - $acl.ResetAccessRule($rule) - $regKey.SetAccessControl($acl) - } - - ### Step 5 - recursively repeat steps 2-5 for subkeys - if ($recurse) { - foreach($subKey in $regKey.OpenSubKey('').GetSubKeyNames()) { - Take-KeyPermissions $rootKey ($key+'\'+$subKey) $sid $recurse ($recurseLevel+1) - } - } - } - - Take-KeyPermissions $rootKey $key $sid $recurse -} - -# Local Administrators become owners (full control) of the following registry path -# Without this Tamper Protection can't be disabled thus neither can Windows Defender be disabled -Take-Permissions "HKLM" "Software\Microsoft\Windows Defender\Features" "S-1-5-32-544" -Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0 \ No newline at end of file diff --git a/malboxes/templates/snippets/provision_powershell.json b/malboxes/templates/snippets/provision_powershell.json index 4d2d5a6..4927eff 100644 --- a/malboxes/templates/snippets/provision_powershell.json +++ b/malboxes/templates/snippets/provision_powershell.json 
@@ -1,20 +1,8 @@ -{% if not windows_defender == "true" %} - { - "type": "powershell", - "script": "{{ dir }}/scripts/windows/disable_defender_tamper_protection.ps1" - }, - { - "type": "windows-restart" - }, - { - "type": "powershell", - "script": "{{ dir }}/scripts/windows/disable_defender.ps1" - }, -{% endif %} { "type": "powershell", "scripts": [ {% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %} + {% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %} {% if hypervisor == "virtualbox" %} "{{ dir }}/scripts/windows/vmtools.ps1", {% endif %} From d0abd92f7db2263881ede4478729c16ba9175db9 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Wed, 4 Sep 2019 14:14:35 -0400 Subject: [PATCH 13/19] Notice about Defender Tamper Protection and new Defender disable script --- malboxes/messages/defender-1903.txt | 3 +- malboxes/scripts/windows/disable_defender.bat | 45 +++++++++++++++++++ malboxes/scripts/windows/disable_defender.ps1 | 13 ------ ...shell.json => provision_win10_common.json} | 14 +++++- .../templates/snippets/win10_x64_analyst.json | 2 +- .../templates/snippets/win10_x86_analyst.json | 2 +- 6 files changed, 62 insertions(+), 17 deletions(-) create mode 100644 malboxes/scripts/windows/disable_defender.bat delete mode 100644 malboxes/scripts/windows/disable_defender.ps1 rename malboxes/templates/snippets/{provision_powershell.json => provision_win10_common.json} (68%) diff --git a/malboxes/messages/defender-1903.txt b/malboxes/messages/defender-1903.txt index 23b3e88..4cb3da2 100644 --- a/malboxes/messages/defender-1903.txt +++ b/malboxes/messages/defender-1903.txt 
@@ -1,6 +1,7 @@ Starting with Windows 10 May 2019 Update (version 1903) Windows Defender has a Tamper Protection enabled by default. This protection is meant to be unremovable without user intervention (if you know how let us know). If you need Defender disabled it is advised that you manually disable it and then run as Administrator the batch script provided in C:\Tools of the VM. This is only required once. -Instructions to disable Windows Defender Tamper Protection: https://www.windowscentral.com/how-manage-windows-security-tamper-protection-windows-10-may-2019-update +Instructions to disable Windows Defender Tamper Protection: +https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-windows-defender-antivirus.html Batch script to run as Administrator in the VM: C:\Tools\disable_defender.bat \ No newline at end of file diff --git a/malboxes/scripts/windows/disable_defender.bat b/malboxes/scripts/windows/disable_defender.bat new file mode 100644 index 0000000..2cfbc67 --- /dev/null +++ b/malboxes/scripts/windows/disable_defender.bat 
@@ -0,0 +1,45 @@
+@echo off
+rem A modified version of the disable defender script from: https://pastebin.com/kYCVzZPz
+
+rem 1 - Disable Real-time protection
+reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
+
+rem 0 - Disable Logging
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
+
+rem Disable WD Tasks
+schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
+
+rem Disable WD systray icon
+reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
+reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
+
+rem Remove WD context menu
+reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
+reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
+reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
+
+rem Disable WD services
+reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
\ No newline at end of file
diff --git a/malboxes/scripts/windows/disable_defender.ps1 b/malboxes/scripts/windows/disable_defender.ps1
deleted file mode 100644
index 179b385..0000000
--- a/malboxes/scripts/windows/disable_defender.ps1
+++ /dev/null
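Review bot: The script discards the outcome of every `reg add`, `reg delete` and `schtasks` call, so a run in which the Defender policy keys could not be written — which the 1903 notice in this same patch says is the expected case while Tamper Protection is on — looks identical in the Packer log to a run that actually disabled Defender. A read-back at the end of the file, e.g. `reg query "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware` followed by `sc query WinDefend`, would show the operator what state the VM is really in. `reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f` also wipes the entire policy subtree rather than only the values rewritten below; a comment saying that any pre-existing Defender policy is intentionally discarded would make that visible. The pastebin link on line 2 is a mutable, unreviewable source, so the header should record what was modified from it instead of relying on the link staying available.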
@@ -1,13 +0,0 @@
-# Disable Windows Defender on Windows 10
-Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1
-Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableRoutinelyTakingAction" -Value 1
-
-# Disable Windows Defender cloud protection and automatic sample submission
-$spynet = "HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet"
-
-If (!(Test-Path $spynet)) {
- New-Item -Path $spynet -Force | Out-Null
-}
-
-Set-ItemProperty -Path $spynet -Name "SpynetReporting" -Type DWord -Value 0
-Set-ItemProperty -Path $spynet -Name "SubmitSamplesConsent" -Type DWord -Value 2
\ No newline at end of file
diff --git a/malboxes/templates/snippets/provision_powershell.json b/malboxes/templates/snippets/provision_win10_common.json
similarity index 68%
rename from malboxes/templates/snippets/provision_powershell.json
rename to malboxes/templates/snippets/provision_win10_common.json
index 4927eff..7daa0d6 100644
--- a/malboxes/templates/snippets/provision_powershell.json
+++ b/malboxes/templates/snippets/provision_win10_common.json
@@ -1,8 +1,20 @@
+{% if not windows_defender == "true" %}
+ {
+ "type": "windows-shell",
+ "script": "{{ dir }}/scripts/windows/disable_defender.bat"
+ },
+ {% if os_version >= 1903 %}
+ {
+ "type": "file",
+ "source": "{{ dir }}/scripts/windows/disable_defender.bat",
+ "destination": "C:\\Tools\\disable_defender.bat"
+ },
+ {% endif %}
+{% endif %}
 {
 "type": "powershell",
 "scripts": [
 {% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %}
- {% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %}
 {% if hypervisor == "virtualbox" %}
 "{{ dir }}/scripts/windows/vmtools.ps1",
 {% endif %}
diff --git a/malboxes/templates/snippets/win10_x64_analyst.json b/malboxes/templates/snippets/win10_x64_analyst.json
index ccbcd8f..73325df 100644
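Review bot: The new `file` provisioner uploads to `C:\\Tools\\disable_defender.bat`, but nothing in this snippet creates `C:\Tools`; judging by the following hunks, the `snippets/tools.json` include that would populate that directory runs after this snippet and only when `tools_path` is set, so on a base image without the directory the copy may fail before the operator ever gets the script the 1903 notice points them to. A `windows-shell` step with `if not exist C:\Tools mkdir C:\Tools` placed before the copy would remove that ordering dependency. Whether Packer's WinRM upload creates missing parent directories is not visible here, so this should be confirmed rather than assumed; the enclosing `provisioners` array continues outside the hunk.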
--- a/malboxes/templates/snippets/win10_x64_analyst.json +++ b/malboxes/templates/snippets/win10_x64_analyst.json @@ -28,7 +28,7 @@ "provisioners": [ - {% include 'snippets/provision_powershell.json' %} + {% include 'snippets/provision_win10_common.json' %} {% if tools_path %}, {% include 'snippets/tools.json' %} diff --git a/malboxes/templates/snippets/win10_x86_analyst.json b/malboxes/templates/snippets/win10_x86_analyst.json index 46d22f9..faec9cd 100644 --- a/malboxes/templates/snippets/win10_x86_analyst.json +++ b/malboxes/templates/snippets/win10_x86_analyst.json @@ -30,7 +30,7 @@ "provisioners": [ - {% include 'snippets/provision_powershell.json' %} + {% include 'snippets/provision_win10_common.json' %} {% if tools_path %}, {% include 'snippets/tools.json' %} From 9410b2704e10506f2ac1aac8e8a703d4a220f27c Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Wed, 4 Sep 2019 14:17:34 -0400 Subject: [PATCH 14/19] Fix: copying disable_defender anyway since os_version not available --- malboxes/templates/snippets/provision_win10_common.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/malboxes/templates/snippets/provision_win10_common.json b/malboxes/templates/snippets/provision_win10_common.json index 7daa0d6..b9130c5 100644 --- a/malboxes/templates/snippets/provision_win10_common.json +++ b/malboxes/templates/snippets/provision_win10_common.json @@ -3,13 +3,11 @@ "type": "windows-shell", "script": "{{ dir }}/scripts/windows/disable_defender.bat" }, - {% if os_version >= 1903 %} { "type": "file", "source": "{{ dir }}/scripts/windows/disable_defender.bat", "destination": "C:\\Tools\\disable_defender.bat" }, - {% endif %} {% endif %} { "type": "powershell", From 3c69a5979906e1a5c2ab5efedc3f3f6e6a532387 Mon Sep 17 00:00:00 2001 
From: Olivier Bilodeau Date: Wed, 4 Sep 2019 14:47:41 -0400 Subject: [PATCH 15/19] Force success on the defender disable script and minor output improvements --- malboxes/scripts/windows/disable_defender.bat | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/malboxes/scripts/windows/disable_defender.bat b/malboxes/scripts/windows/disable_defender.bat index 2cfbc67..9e53642 100644 --- a/malboxes/scripts/windows/disable_defender.bat +++ b/malboxes/scripts/windows/disable_defender.bat @@ -1,6 +1,10 @@ @echo off rem A modified version of the disable defender script from: https://pastebin.com/kYCVzZPz +@echo on +rem ========================================== +rem This section will Disable Windows Defender +rem You can ignore error messages rem 1 - Disable Real-time protection reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f @@ -42,4 +46,8 @@ reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f -reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f \ No newline at end of file +reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f + +rem Force success exit code +exit /b 0 +rem ========================================== \ No newline at end of file From 003c461fac872483437dca724c5b771d138c3892 Mon Sep 17 00:00:00 2001 
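Review bot: The added `rem You can ignore error messages` tells the operator to disregard exactly the signal that matters in this script: an `ERROR: Access is denied.` from `reg add` on the policy keys means Tamper Protection is still active and nothing was changed, whereas the "unable to find" errors from `reg delete` on absent keys are harmless. The comment should separate the two cases, e.g. `rem "unable to find" errors are expected; "Access is denied" means Tamper Protection is still on and Defender was NOT disabled`. The added `@echo on` also cancels the `@echo off` kept as line 1, so one of the two should be dropped, with a comment stating that command echo is wanted so the Packer log shows which reg/schtasks calls failed.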
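Review bot: `exit /b 0` makes the provisioner succeed no matter what happened above, so a 1903+ build in which every write was rejected by Tamper Protection is indistinguishable in the Packer output from one where Defender was actually disabled. Not aborting the build is a reasonable goal, but the final state should still be surfaced: a `reg query "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware` immediately before the `exit /b 0` prints it into the log, and the `rem Force success exit code` comment should say that failures are expected while Tamper Protection is enabled and point to `malboxes/messages/defender-1903.txt` for the manual steps.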
From: Olivier Bilodeau Date: Wed, 4 Sep 2019 23:06:01 -0400 Subject: [PATCH 16/19] Fix: Forgot to migrate Windows 7 to new Defender disable script --- ...ion_powershell_win7.json => provision_win7_common.json} | 7 ++++++- malboxes/templates/win7_32_analyst.json | 2 +- malboxes/templates/win7_64_analyst.json | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) rename malboxes/templates/snippets/{provision_powershell_win7.json => provision_win7_common.json} (88%) diff --git a/malboxes/templates/snippets/provision_powershell_win7.json b/malboxes/templates/snippets/provision_win7_common.json similarity index 88% rename from malboxes/templates/snippets/provision_powershell_win7.json rename to malboxes/templates/snippets/provision_win7_common.json index 908f0c3..5a06b67 100644 --- a/malboxes/templates/snippets/provision_powershell_win7.json +++ b/malboxes/templates/snippets/provision_win7_common.json @@ -1,9 +1,14 @@ {# Needed a different provision script due to chocolatey / .Net 4.0 install issues on Windows 7 (gh#59) #} +{% if not windows_defender == "true" %} + { + "type": "windows-shell", + "script": "{{ dir }}/scripts/windows/disable_defender.bat" + }, +{% endif %} { "type": "powershell", "scripts": [ {% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %} - {% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %} {% if hypervisor == "virtualbox" %} "{{ dir }}/scripts/windows/vmtools.ps1" {% endif %} diff --git a/malboxes/templates/win7_32_analyst.json b/malboxes/templates/win7_32_analyst.json index b5b2d79..316a390 100644 --- a/malboxes/templates/win7_32_analyst.json +++ b/malboxes/templates/win7_32_analyst.json @@ -27,7 +27,7 @@ "provisioners": [ - {% include 'snippets/provision_powershell_win7.json' %} + {% include 'snippets/provision_win7_common.json' %} {% if tools_path %}, {% include 'snippets/tools.json' %} 
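Review bot: The new `windows-shell` step runs `disable_defender.bat` on Windows 7, but that script targets Windows 10: as far as I can tell the `WdBoot`/`WdFilter`/`WdNisDrv`/`WdNisSvc` services, the `SecurityHealth` run keys and the `ExploitGuard` scheduled task it touches have no Windows 7 counterpart, so most of the script only emits errors there and the real work is done by the `DisableAntiSpyware` and `SpyNet` values — the same ones the removed `disable_defender.ps1` line used to set. That works only because the script forces `exit /b 0`, which hides the dependency; a template comment above the block such as `{# disable_defender.bat is written for Windows 10; on Windows 7 only its policy values apply, the remaining commands fail harmlessly #}` would document it, or a Windows 7 specific script could be kept. The enclosing `scripts` array continues past the end of the hunk.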
diff --git a/malboxes/templates/win7_64_analyst.json b/malboxes/templates/win7_64_analyst.json index 97dd8e1..8901f1a 100644 --- a/malboxes/templates/win7_64_analyst.json +++ b/malboxes/templates/win7_64_analyst.json @@ -27,7 +27,7 @@ "provisioners": [ - {% include 'snippets/provision_powershell_win7.json' %} + {% include 'snippets/provision_win7_common.json' %} {% if tools_path %}, {% include 'snippets/tools.json' %} From 6e7622fc69d5573d79c4c6b3e24af4741610c769 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Thu, 5 Sep 2019 13:35:21 -0400 Subject: [PATCH 17/19] Windows 7 template now named x86 and x64 instead of 32 and 64 README updated to reflect that for both Win 10 and Win 7 --- README.adoc | 6 +++--- .../{win7_64_analyst.json => win7_x64_analyst.json} | 0 .../{win7_32_analyst.json => win7_x86_analyst.json} | 0 3 files changed, 3 insertions(+), 3 deletions(-) rename malboxes/templates/{win7_64_analyst.json => win7_x64_analyst.json} (100%) rename malboxes/templates/{win7_32_analyst.json => win7_x86_analyst.json} (100%) diff --git a/README.adoc b/README.adoc index 959126a..490ebfa 100644 --- a/README.adoc +++ b/README.adoc @@ -127,7 +127,7 @@ include it in a Vagrantfile afterwards. For example: - malboxes build win10_64_analyst + malboxes build win10_x64_analyst <<_configuration,The configuration section>> contains further information about what can be configured with malboxes. @@ -135,7 +135,7 @@ what can be configured with malboxes. === Per analysis instances - malboxes spin win10_64_analyst + malboxes spin win10_x64_analyst This will create a `Vagrantfile` prepared to use for malware analysis. Move it into a directory of your choice and issue: @@ -147,7 +147,7 @@ can be changed by commenting the relevant part of the `Vagrantfile`. For example: - malboxes spin win7_32_analyst 20160519.cryptolocker.xyz + malboxes spin win7_x86_analyst 20160519.cryptolocker.xyz == Configuration 
diff --git a/malboxes/templates/win7_64_analyst.json b/malboxes/templates/win7_x64_analyst.json similarity index 100% rename from malboxes/templates/win7_64_analyst.json rename to malboxes/templates/win7_x64_analyst.json diff --git a/malboxes/templates/win7_32_analyst.json b/malboxes/templates/win7_x86_analyst.json similarity index 100% rename from malboxes/templates/win7_32_analyst.json rename to malboxes/templates/win7_x86_analyst.json From 84a274b5a80cbf8b2fd4692a26e851c06e60b248 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Thu, 5 Sep 2019 13:41:10 -0400 Subject: [PATCH 18/19] doc adjustment --- docs/windows-licenses.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/windows-licenses.adoc b/docs/windows-licenses.adoc index 135b7b6..3cfa2a6 100644 --- a/docs/windows-licenses.adoc +++ b/docs/windows-licenses.adoc @@ -44,18 +44,19 @@ If you want to use a trial version make sure you have the following in your ==== 1607 Anniversary Update (Redstone 1) -===== 32-bit +===== x86 * filename: 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO * sha1 checksum: 0b8e56772c71dc7bb73654c61e53998a997e1e4d * download link: http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO -=== 64-bit +===== x64 * filename: 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO" * sha1 checksum: a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a * download link: http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO" + === Windows 7 32-bit * filename: 7600.16385.090713-1255_x86fre_enterprise_en-us_EVAL_Eval_Enterprise-GRMCENEVAL_EN_DVD.iso From 1a48e6f7ec3d08efb5105e4085b768be7f35ba71 Mon Sep 17 00:00:00 2001 
From: Olivier Bilodeau Date: Thu, 5 Sep 2019 13:42:57 -0400 Subject: [PATCH 19/19] Packer minimum version out No longer required since we dropped the requirement on using SYSTEM elevated_user for powershell because that fix didn't work. --- README.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.adoc b/README.adoc index ae5821e..63d8254 100644 --- a/README.adoc +++ b/README.adoc @@ -35,7 +35,7 @@ https://github.com/gosecure/malboxes == Requirements * Python 3.3+ -* https://www.packer.io/docs/install/index.html[Packer] 1.3.3+ +* https://www.packer.io/docs/install/index.html[Packer] * vagrant: https://www.vagrantup.com/downloads.html * https://www.virtualbox.org/wiki/Downloads[VirtualBox] or an vSphere / ESXi server