    Vagrantfile for automatically setting up a CAPEv2 guest
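  # -*- mode: ruby -*-
# vi: set ft=ruby :
#
# Provision script for a Windows 10 CAPEv2 analysis guest.
#
# The heredoc below is an interpolating heredoc (<<-SCRIPT, not <<-'SCRIPT'),
# so Ruby processes escape sequences before PowerShell ever sees the text:
# every "\\" written here reaches the guest as a single "\". Keep backslashes
# doubled and do not write "#{" anywhere inside the script.
#
# In order, the script: checks for elevation; turns off the firewall, UAC and
# Windows Update; installs Python 3.8 plus the modules the CAPE agent needs;
# downloads the agent and registers it as a SYSTEM scheduled task at logon;
# applies CAPE's noise-reduction batch file; disables Windows Defender; sets a
# static IP; and disables a few noisy network services. All of this weakens
# the guest on purpose, so it only makes sense on a throwaway analysis VM on
# an isolated network.
$script = <<-SCRIPT
# Ensure the script is running with elevated permissions.
# Exit non-zero so the Vagrant shell provisioner reports the failure instead
# of treating an aborted run as success (a bare "exit" returns 0).
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Host "Run this script as Administrator!" -ForegroundColor Red
    exit 1
}

# Disable the firewall on all profiles
Set-NetFirewallProfile -All -Enabled False
Write-Host "Firewall disabled"

# Disable UAC (the EnableLUA change takes effect after the next reboot)
Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" -Name "EnableLUA" -Value 0

# Stop and disable Windows Update
Stop-Service -Name wuauserv -Force
Set-Service -Name wuauserv -StartupType Disabled
Write-Host "Windows Update disabled"

# Check if the Python Launcher is installed.
# NOTE: Win32_Product queries are slow (WMI runs a consistency check over every
# installed MSI); acceptable for a one-off provisioning run.
$pythonLauncher = Get-WmiObject -Query "SELECT * FROM Win32_Product WHERE Name LIKE 'Python Launcher%'" 2>$null
if ($pythonLauncher) {
    # Uninstall the Python Launcher
    Write-Host "Python Launcher found. Uninstalling..."
    foreach ($launcher in $pythonLauncher) {
        $launcher.Uninstall() | Out-Null
        Write-Host "Python Launcher uninstalled successfully."
    }
} else {
    Write-Host "Python Launcher not found."
}

# Check whether python is already on PATH
Write-Host "Checking if Python is installed..."
$pythonCheck = & python --version 2>$null
if (-Not $pythonCheck) {
    # Download the Python installer.
    # NOTE(review): fetched over HTTPS but not checksum-verified; if the
    # installer's published hash is available, compare it with Get-FileHash
    # before running it.
    Write-Host "Python not installed. Installing Python..."
    Invoke-WebRequest -Uri "https://www.python.org/ftp/python/3.8.0/python-3.8.0.exe" -OutFile "C:\\python-3.8.0.exe"
    # Install python for all users, on PATH, as Administrator, and wait for it
    Start-Process "C:\\python-3.8.0.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1" -Verb RunAs -Wait
    # Remove the installer after installation
    Remove-Item "C:\\python-3.8.0.exe"
    Write-Host "Python installed"
} else {
    Write-Host "Python exist"
}

# Python modules used by the agent (Pillow pinned; the others unpinned)
Write-Host "Installing Python modules..."
python -m pip install --upgrade pip
python -m pip install Pillow==9.5.0
python -m pip install etw
python -m pip install numpy
python -m pip install pywintrace

# Download the CAPE agent and register it as a scheduled task
Write-Host "Downloading the agent and creating a scheduled task..."
# File path and task name for the agent
$filePath = "C:\\my_secret.pyw"
$taskName = "RunMySecretAgent"

# Download only if the file does not already exist
if (Test-Path $filePath) {
    Write-Host "File already exists. Exiting..."
} else {
    Write-Host "Downloading the agent..."
    # The agent URL is pinned to a specific upstream commit, so a later change
    # to the CAPEv2 repository cannot alter what gets installed here.
    Invoke-WebRequest -Uri "https://raw.githubusercontent.com/kevoreilly/CAPEv2/249bbe3af709919c4fac0975a914bb0e977ede6b/agent/agent.py" -OutFile $filePath
    Write-Host "Agent downloaded to $filePath."
}

Write-Host "Creating a scheduled task to run the agent at logon..."
# Skip if the scheduled task already exists
if (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue) {
    Write-Host "Task '$taskName' already exists. No need to create it again."
} else {
    # Run the agent with pythonw.exe at logon, as SYSTEM with highest privileges
    $action = New-ScheduledTaskAction -Execute "pythonw.exe" -Argument $filePath
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -TaskName $taskName -Description "Run my secret agent at logon"
    Write-Host "Download completed and scheduled task created."
    # Start the agent now as well, without waiting for a logon
    pythonw $filePath
}

# Reduce overall noise with CAPE's batch script
$scriptPath = "C:\\disable_win7noise.bat"
# NOTE(review): unlike the agent above, this URL tracks "master" rather than a
# commit, so its contents can change between runs; pin it to a commit too.
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/kevoreilly/CAPEv2/master/installer/disable_win7noise.bat" -OutFile $scriptPath
# Run the script with elevated privileges. No -Wait, so the steps below run
# while the batch file is still executing.
Start-Process -FilePath $scriptPath -Verb RunAs

# Step 1: Disable real-time protection using Set-MpPreference.
# NOTE: on builds with Tamper Protection enabled these calls may be refused;
# the registry policy below is the fallback.
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableScanningNetworkFiles $true
Set-MpPreference -MAPSReporting Disabled
Set-MpPreference -SubmitSamplesConsent 2

# Step 2: Disable additional Defender features
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -DisableAutoExclusions $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisableIntrusionPreventionSystem $true

# Step 3: Disable Windows Defender via Group Policy registry keys
$defenderRegPath = "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
if (-not (Test-Path $defenderRegPath)) {
    New-Item -Path $defenderRegPath -Force | Out-Null
}
Set-ItemProperty -Path $defenderRegPath -Name "DisableAntiSpyware" -Value 1 -Force

# Step 4: Disable the Real-Time Protection components via the same policy hive
$realTimeProtectionPath = "$defenderRegPath\\Real-Time Protection"
if (-not (Test-Path $realTimeProtectionPath)) {
    New-Item -Path $realTimeProtectionPath -Force | Out-Null
}
Set-ItemProperty -Path $realTimeProtectionPath -Name "DisableRealtimeMonitoring" -Value 1 -Force
Set-ItemProperty -Path $realTimeProtectionPath -Name "DisableBehaviorMonitoring" -Value 1 -Force
Set-ItemProperty -Path $realTimeProtectionPath -Name "DisableScanOnRealtimeEnable" -Value 1 -Force
Set-ItemProperty -Path $realTimeProtectionPath -Name "DisableIOAVProtection" -Value 1 -Force

# Step 5: Tell the user a restart is needed for the policy changes
Write-Host "Windows Defender real-time protection and related features have been disabled. Restart your system for the changes to take effect." -ForegroundColor Yellow

# Stop the Defender service now.
# sc.exe, not sc: in Windows PowerShell "sc" is an alias for Set-Content, so
# "sc stop WinDefend" would write a file named "stop" instead of touching the
# service.
sc.exe stop WinDefend

# Static network configuration. REPLACE_VM_* tokens are filled in by whatever
# generates this file.
$adapterName = "REPLACE_VM_ADAPTER"
$ipAddress = "REPLACE_VM_IP"
# NOTE(review): the subnet mask is read from the template but not used below;
# New-NetIPAddress gets a hard-coded /24 instead.
$subnetMask = "REPLACE_VM_SUBNET"
$defaultGateway = "REPLACE_VM_GW" # Adjust this based on your network configuration
$dnsServer = "REPLACE_VM_DNS" # You can specify your preferred DNS server

# Set the static IP address
New-NetIPAddress -InterfaceAlias $adapterName -IPAddress $ipAddress -PrefixLength 24 -DefaultGateway $defaultGateway
# Set the DNS server
Set-DnsClientServerAddress -InterfaceAlias $adapterName -ServerAddresses $dnsServer
Write-Output "Static IP address set to $ipAddress on adapter $adapterName."

# Disable noisy network services
netsh interface teredo set state disabled

# Add the Group Policy client packages found in the servicing store
$packagesClientTools = Get-ChildItem -Path "$env:SystemRoot\\servicing\\Packages" -Filter "Microsoft-Windows-GroupPolicy-ClientTools-Package~*.mum"
foreach ($package in $packagesClientTools) {
    DISM /Online /NoRestart /Add-Package:"$($package.FullName)"
}
$packagesClientExtensions = Get-ChildItem -Path "$env:SystemRoot\\servicing\\Packages" -Filter "Microsoft-Windows-GroupPolicy-ClientExtensions-Package~*.mum"
foreach ($package in $packagesClientExtensions) {
    DISM /Online /NoRestart /Add-Package:"$($package.FullName)"
}
SCRIPT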
# Vagrant configuration. The "2" passed to Vagrant.configure is the
# configuration format version; leave it alone.
Vagrant.configure("2") do |config|
  # Base box: a Windows 10 image from Vagrant Cloud.
  config.vm.box = "gusztavvargadr/windows-10"

  # Windows first boot can take a very long time; effectively never give up
  # waiting for the guest to come up.
  config.vm.boot_timeout = 99999999

  # WinRM endpoint override, kept commented for reference.
  # config.winrm.host = "REPLACE_VM_IP"

  # Do not check for a newer box on every `vagrant up`; run
  # `vagrant box outdated` by hand when wanted.
  config.vm.box_check_update = false

  # VirtualBox-specific settings. The REPLACE_VM_* tokens are substituted by
  # whatever generates this file (REPLACE_VM_CPU is a bare token, so the file
  # is not valid Ruby until it has been substituted).
  config.vm.provider "virtualbox" do |vb|
    vb.name   = "REPLACE_VM_NAME"
    vb.cpus   = REPLACE_VM_CPU
    vb.memory = "REPLACE_VM_RAM"

    # Second adapter on a host-only network with DHCP. This sits inside the
    # provider block, so it is presumably only applied when VirtualBox is the
    # active provider.
    config.vm.network "private_network", type: 'dhcp', name: 'REPLACE_VM_NETWORK', adapter: 2
  end

  # Run the PowerShell provisioning script held in $script (defined above).
  config.vm.provision "shell", inline: $script, privileged: true
end