Updating, Removing, Adding GPOs
Cyb3rWard0g opened this issue · 3 comments
What is the process to perform this dynamically?
For example:
I would like to enable firewalls on every endpoint to replicate scenarios like this where the FW needs to be enabled:
https://twitter.com/HunterPlaybook/status/1166090088461361154
At the moment, this GPO is enabled: https://github.com/Cyb3rWard0g/mordor/tree/ca93d617f5b5a791cb7a67666a272dbf98602ea5/environment/shire/aws/scripts/DC/GPOBackup/disable_windows_defender_firewall
Can this be done dynamically? Thank you in advance.
Hi @Cyb3rWard0g -
Yes, the environment is meant to be dynamic. So if you, the user of this environment, wanted to make changes, you wouldn't have to do so manually within each box. We discussed this a couple of times before releasing the lab.
https://posts.specterops.io/aws-knocked-and-the-gates-of-mordor-have-answered-58540d8e3995
"This environment was built to be dynamic, so that any updates in the future are easy to add."
How to do this?
- Create a script that will do your desired task.
- Go to main.tf.
- Pull the script onto the desired machine from your local. Command similar to the following: https://github.com/Cyb3rWard0g/mordor/blob/29ab450da3dcd5256be575c49d3b7b191c4314c7/environment/shire/aws/terraform/main.tf#L265. If you want to do Windows, the Connection portion will need to be similar to: https://github.com/Cyb3rWard0g/mordor/blob/29ab450da3dcd5256be575c49d3b7b191c4314c7/environment/shire/aws/terraform/main.tf#L441
- Then within main.tf call this script, similar: https://github.com/Cyb3rWard0g/mordor/blob/29ab450da3dcd5256be575c49d3b7b191c4314c7/environment/shire/aws/terraform/main.tf#L454
If you have anymore questions, I am happy to assist.
Thanks.
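As an added illustration of the "script that does your desired task" step above (not code from the mordor repo or from either commenter): a PowerShell script to be pushed to the DC that stops the firewall-disabling GPO from applying, refreshes policy, and shows the resulting firewall profile state. The GPO display name is assumed to match the backup folder name; check it with Get-GPO -All before use.

```powershell
# Added example for the mordor lab; not part of the repo.
# Run on the DC (needs the GroupPolicy module from RSAT / the DC role).
# The display name below is an ASSUMPTION based on the GPO backup folder name.
param(
    [string]$GpoName = 'disable_windows_defender_firewall'
)

Import-Module GroupPolicy -ErrorAction Stop

$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# Setting GpoStatus to AllSettingsDisabled keeps the GPO and its links
# in place but stops every setting in it from being applied, so the
# firewall falls back to its default (enabled) state on next refresh.
if ($gpo.GpoStatus -ne 'AllSettingsDisabled') {
    $gpo.GpoStatus = 'AllSettingsDisabled'
    Write-Host "GPO '$GpoName' is now AllSettingsDisabled"
} else {
    Write-Host "GPO '$GpoName' was already AllSettingsDisabled"
}

# Refresh policy on this box now. Member hosts pick the change up at
# their own refresh interval or when gpupdate /force is run on them,
# which is why the thread notes the DC must be reachable first.
gpupdate /force | Out-Null

# Verify: all three profiles should report Enabled = True once the
# disabling policy is no longer applied.
Get-NetFirewallProfile | Select-Object Name, Enabled
```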
Quick question, so the DC already has GPOs in place. Those are part of the AMI, right? So if I want to disable a GPO, I will have to run a script that disables it, correct? I'm wondering if it makes sense to push the GPO dynamically? Maybe? I believe that would require all the boxes to constantly run a gpupdate /force command? Just sharing some thoughts.
"So if I want to disable a GPO, I will have to run a script that disables it, correct?"
Yes, run the steps I previously defined.
"I'm wondering if it makes sense to push the GPO dynamically? Maybe? I believe that would require all the boxes to constantly run a gpupdate /force command? Just sharing some thoughts."
Yes, we have discussed this before. It does make sense; however, the way terraform runs it doesn't allow this option "correctly".
There was a connectivity issue during builds, making updates to the GPOs take longer than ideal to actually take effect. If a box builds before the DC and runs gpupdate /force, it will fail because it cannot communicate with the DC.
Next question, presumably: "Is there a way to specify what builds first to relieve this problem?"
Yes. This will be taken care of in a future update when I implement modules in terraform. Until then, if you want to make changes you will have to follow my steps, or start the lab and then do a gpupdate /force after you make your changes.