Some software components cannot be provided in the lab environment prior to class due to licensing restrictions.
Procure the necessary software and configuration components that will be used in upcoming labs.
Download and extract software and configuration components.
Log into the Domain Controller and launch PowerShell. Execute the supplied PowerShell commands to download the components and extract them into the lab file share.
Connect with Remote Desktop to the Domain Controller, DC01. For instructions on logging into the Domain Controller, see Lab L0200.
Click on the "Start" button and then click on the PowerShell Icon.
In the PowerShell console, start by changing directory to C:\Labs. Note that C:\Labs on the Domain Controller, DC01, is shared on the domain as \\DC01.labs.local\Labs, so everything placed there is reachable from the other lab hosts. After changing directories, list the contents of the C:\Labs folder.
cd c:\labs
ls
PS C:\Users\itadmin> cd C:\Labs
PS C:\Labs> ls
Directory: C:\Labs
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/21/2020 1:39 PM scripts
-a---- 9/21/2020 1:39 PM 741997 labs.zip
-a---- 9/10/2020 7:40 PM 1179024 putty.exe
PS C:\Labs>
Enable TLS 1.2 for Invoke-WebRequest. This is necessary because Windows PowerShell on Windows Server 2016 does not negotiate TLS 1.2 by default, and the download sites used below require it. The command produces no output and returns straight to the PowerShell prompt; this is expected. The setting applies only to the current PowerShell session, so repeat it if you open a new console.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS C:\Labs> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS C:\Labs>
Use Invoke-WebRequest to download the necessary components. Setting $ProgressPreference to SilentlyContinue suppresses the progress bar, which otherwise slows Invoke-WebRequest down considerably on large files. Each of the following commands downloads the package from the URI specified and saves it to the filename given with the -OutFile parameter. After the components have downloaded, list the directory contents with "ls".
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -URI https://download.sysinternals.com/files/Sysmon.zip -OutFile "Sysmon.zip"
Invoke-WebRequest -URI https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.10.2-windows-x86_64.zip -OutFile "WinLogBeat.zip"
Invoke-WebRequest -URI https://github.com/olafhartong/sysmon-modular/archive/master.zip -OutFile "sysmon-modular.zip"
Invoke-WebRequest -URI https://github.com/palantir/windows-event-forwarding/archive/master.zip -OutFile "palantir.zip"
Invoke-WebRequest –URI https://github.com/DefensiveOrigins/LABPACK/archive/master.zip -OutFile LabPack.zip
ls
PS C:\Labs> ls
Directory: C:\Labs
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/21/2020 1:39 PM scripts
-a---- 9/21/2020 8:42 PM 8259641 LabPack.zip
-a---- 9/21/2020 8:41 PM 84382 palantir.zip
-a---- 9/10/2020 7:40 PM 1179024 putty.exe
-a---- 9/21/2020 8:41 PM 2067905 sysmon-modular.zip
-a---- 9/21/2020 8:41 PM 1872865 Sysmon.zip
-a---- 9/21/2020 8:41 PM 17634230 WinLogBeat.zip
Next, use Expand-Archive to expand each downloaded archive. Without a -DestinationPath, Expand-Archive creates a folder named after the archive (Sysmon.zip becomes .\Sysmon) inside C:\Labs, and consequently inside the \\DC01.labs.local\Labs SMB file share.
Expand-Archive .\Sysmon.zip
Expand-Archive .\sysmon-modular.zip
Expand-Archive .\palantir.zip
Expand-Archive .\WinLogBeat.zip
Expand-Archive .\LabPack.zip
Run "ls" to show the directory listing of C:\Labs on the Domain Controller. Each archive should now have a matching folder beside it.
ls
PS C:\labs> ls
Directory: C:\labs
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/21/2020 8:44 PM LabPack
d----- 9/21/2020 8:44 PM labs
d----- 9/21/2020 8:43 PM palantir
d----- 9/21/2020 1:39 PM scripts
d----- 9/21/2020 8:43 PM Sysmon
d----- 9/21/2020 8:43 PM sysmon-modular
d----- 9/21/2020 8:43 PM WinLogBeat
-a---- 9/21/2020 8:42 PM 8259641 LabPack.zip
-a---- 9/21/2020 8:41 PM 84382 palantir.zip
-a---- 9/10/2020 7:40 PM 1179024 putty.exe
-a---- 9/21/2020 8:41 PM 2067905 sysmon-modular.zip
-a---- 9/21/2020 8:41 PM 1872865 Sysmon.zip
-a---- 9/21/2020 8:41 PM 17634230 WinLogBeat.zip
Delete the .zip files that are no longer needed from C:\Labs on the Domain Controller, leaving only the expanded folders and putty.exe.
Remove-Item .\Sysmon.zip
Remove-Item .\sysmon-modular.zip
Remove-Item .\palantir.zip
Remove-Item .\WinLogBeat.zip
Remove-Item .\LabPack.zip
ls
PS C:\labs> ls
Directory: C:\labs
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/21/2020 8:44 PM LabPack
d----- 9/21/2020 8:44 PM labs
d----- 9/21/2020 8:43 PM palantir
d----- 9/21/2020 1:39 PM scripts
d----- 9/21/2020 8:43 PM Sysmon
d----- 9/21/2020 8:43 PM sysmon-modular
d----- 9/21/2020 8:43 PM WinLogBeat
-a---- 9/10/2020 7:40 PM 1179024 putty.exe
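The procedure above downloads, expands and cleans up in separate steps without ever checking what was fetched. The script below is an added example, not part of the original lab or of any of the projects it downloads: it performs the same download, expand and cleanup sequence in one pass and adds the checks a practitioner would want before putting binaries on a share that every lab host can read. It records a SHA-256 for each archive (the GitHub archive/master.zip files change with every commit, so the hash is the only reproducible record of this lab build), verifies WinLogBeat.zip against Elastic's published checksum, and verifies the Microsoft Authenticode signature on the Sysmon binary after extraction. It assumes it is run from C:\Labs on DC01 in Windows PowerShell 5.1, that Elastic publishes a companion .sha512 file at the artifact URL with ".sha512" appended (an assumption of this example), and that Sysmon.zip contains Sysmon64.exe.

```powershell
# Added example (not from the lab or the downloaded projects): fetch, verify and
# expand the lab components in one pass, refusing to extract anything that fails
# a check. Assumes: run from C:\Labs on DC01 in Windows PowerShell 5.1; Elastic
# publishes "<url>.sha512" next to each beats artifact (assumption); Sysmon.zip
# contains a Microsoft-signed Sysmon64.exe.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$ProgressPreference = 'SilentlyContinue'

# The lab's components, keyed by the archive name Expand-Archive will use.
$Components = @{
    'Sysmon.zip'         = 'https://download.sysinternals.com/files/Sysmon.zip'
    'WinLogBeat.zip'     = 'https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.10.2-windows-x86_64.zip'
    'sysmon-modular.zip' = 'https://github.com/olafhartong/sysmon-modular/archive/master.zip'
    'palantir.zip'       = 'https://github.com/palantir/windows-event-forwarding/archive/master.zip'
    'LabPack.zip'        = 'https://github.com/DefensiveOrigins/LABPACK/archive/master.zip'
}

function Get-LabComponent {
    param([string]$Name, [string]$Uri)
    # -UseBasicParsing avoids the Internet Explorer engine dependency on Server 2016.
    Invoke-WebRequest -Uri $Uri -OutFile $Name -UseBasicParsing
    # Record what was actually fetched so this lab build can be reproduced or audited.
    $hash = (Get-FileHash -Path $Name -Algorithm SHA256).Hash
    "$hash  $Name" | Add-Content -Path 'component-hashes.txt'
    return $hash
}

function Test-ElasticChecksum {
    param([string]$Name, [string]$Uri)
    # The .sha512 file (assumed to exist) has the form "<hex digest>  <filename>".
    $expected = ((Invoke-WebRequest -Uri "$Uri.sha512" -UseBasicParsing).Content -split '\s+')[0]
    $actual   = (Get-FileHash -Path $Name -Algorithm SHA512).Hash
    return ($expected -eq $actual)
}

foreach ($entry in $Components.GetEnumerator()) {
    $null = Get-LabComponent -Name $entry.Key -Uri $entry.Value
}

if (-not (Test-ElasticChecksum -Name 'WinLogBeat.zip' -Uri $Components['WinLogBeat.zip'])) {
    throw 'WinLogBeat.zip does not match the published SHA-512; not extracting.'
}

foreach ($name in $Components.Keys) {
    # Same layout as the lab: Sysmon.zip -> .\Sysmon, LabPack.zip -> .\LabPack, etc.
    Expand-Archive -Path ".\$name" -Force
}

# Sysmon is the binary that will be installed on every lab host, so insist on an
# intact Microsoft signature before leaving it on the share.
$sig = Get-AuthenticodeSignature -FilePath '.\Sysmon\Sysmon64.exe'
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Sysmon64.exe signature check failed: $($sig.Status)"
}

# Clean up only the archives this script fetched; anything else in C:\Labs stays.
foreach ($name in $Components.Keys) {
    Remove-Item -Path ".\$name"
}
```

The Authenticode check is the one that matters most: a zip from a GitHub branch can legitimately change between two runs of this lab, but a Sysmon binary whose signature is not Valid or not issued to Microsoft should never be deployed, and a throw here stops the lab before the cleanup step removes the evidence.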
BadBlood was created by David Rowe (@davidprowe) to make a mess of an Active Directory installation. You are going to use it now to make a mess of your Active Directory installation. This particular fork of the software includes a number of easter eggs and common bad practices. Note that Set-ExecutionPolicy without a -Scope changes the LocalMachine policy persistently, not just for this console; adding -Scope Process would limit the change to the current session, which is sufficient for running the script.
cd C:\labs\scripts\BadBlood-master\
Set-ExecutionPolicy bypass -force
$ProgressPreference = 'SilentlyContinue'
.\Invoke-BadBlood.ps1
The build process should take between 10 and 15 minutes.
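The lab gives no way to confirm what BadBlood actually did to the domain. The following is an added example, not part of the lab or of BadBlood: it wraps the Invoke-BadBlood.ps1 call from the step above, counts domain objects by class before and after, and prints the difference, so the student can see how many users, groups, computers and OUs the run created. It assumes the ActiveDirectory PowerShell module is available, as it is on a domain controller, and that it is run from the BadBlood-master folder in place of the bare .\Invoke-BadBlood.ps1 call.

```powershell
# Added example (not from the lab or BadBlood): snapshot AD object counts around
# the BadBlood run so the change it made is visible. Assumes the ActiveDirectory
# module is present (true on a DC) and the current directory is BadBlood-master.
Import-Module ActiveDirectory

function Get-AdObjectCounts {
    # Returns a hashtable of objectClass -> number of objects in the domain.
    $counts = @{}
    Get-ADObject -Filter * |
        Group-Object -Property ObjectClass |
        ForEach-Object { $counts[$_.Name] = $_.Count }
    return $counts
}

function Compare-AdObjectCounts {
    param([hashtable]$Before, [hashtable]$After)
    # Report the classes BadBlood is expected to touch; missing keys count as zero.
    foreach ($class in 'user', 'group', 'computer', 'organizationalUnit') {
        $b = [int]$Before[$class]
        $a = [int]$After[$class]
        '{0,-20} {1,6} -> {2,6} ({3:+#;-#;0})' -f $class, $b, $a, ($a - $b)
    }
}

$before = Get-AdObjectCounts
.\Invoke-BadBlood.ps1
$after = Get-AdObjectCounts
Compare-AdObjectCounts -Before $before -After $after
```

Keeping the "before" snapshot is also useful later in the course: the object counts and the saved hashtable are a baseline against which any later, unexplained growth in users or groups can be compared.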
At this point, software and packages have been downloaded and expanded. The directory has been cleaned up to keep things tidy. Active Directory objects have been created. You have completed this lab.