clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

dc shell inline wevtutil command access denied #171

Closed vdog90 closed 5 years ago

vdog90 commented 5 years ago
Operating System Version: Ubuntu 18.04
Provider (VirtualBox/VMWare): VirtualBox 5.2.18
Vagrant Version: 2.2.1
Packer Version: 1.0.4
Is the issue reproducible or intermittent? reproducible

When provisioning any of the three windows boxes, I'm getting the error:

dc: AutorunsToWinEventLog already installed. Moving On.
==> dc: Running provisioner: shell...
    dc: Running: inline PowerShell script
    dc: powershell.exe : Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
    dc:     + CategoryInfo          : NotSpecified: (Failed to clear...cess is denied.:String) [], RemoteException
    dc:     + FullyQualifiedErrorId : NativeCommandError
    dc: Failed to clear log Microsoft-Windows-LiveId/Operational.
    dc: Access is denied.
The following WinRM command responded with a non-zero exit status. Vagrant assumes that this means the command failed!

powershell -ExecutionPolicy Bypass -OutputFormat Text -file "c:\tmp\vagrant-shell.ps1"

Stdout from the command:

Stderr from the command:

powershell.exe : Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.

  • CategoryInfo : NotSpecified: (Failed to clear...cess is denied.:String) [], RemoteException
  • FullyQualifiedErrorId : NativeCommandError Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.

It is clear it is erroring on this command in Vagrantfile:

cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: false

I tried provisioning with both privileged: true and false values in Vagrantfile with no luck.
The output above was with privileged "false". However, running it as "true" produces errors referred to here: https://github.com/clong/DetectionLab/issues/168

I ran this from each windows host manually as administrator:

PS C:\vagrant\scripts> wevtutil el | Foreach-Object {wevtutil cl "$_"}
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.

Thoughts to proceed or workaround? (other than commenting the inline commands out and running them manually) Thanks!

clong commented 5 years ago

Just a quick question, does this error cause the entire provisioning process to stop? I'm not sure why those specific event logs throw access denied errors, but if it doesn't halt the build process I'm not sure it needs to be fixed (unless someone just wants to exclude those 2 channels).

clong commented 5 years ago

I was able to reproduce this and I actually think it's worth filtering out those event channels from being deleted just to suppress this error, as it can be confusing to the user even if it doesn't break the build. Will address this in a future commit.
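As an added illustration of the filtering approach discussed in this thread (example code, not DetectionLab's own provisioning script or the fix in any commit), the following PowerShell clears every channel returned by `wevtutil el` except the two `Microsoft-Windows-LiveId` channels named above, and collects any other channel that still refuses to be cleared instead of letting a native stderr line become the `NativeCommandError` that the Vagrant shell provisioner treats as a failed build. The exclusion list and the script name are assumptions for this example; the list should be extended if other channels deny access on a given image.

```powershell
# Added example, not part of the DetectionLab repository.
# Clears Windows event log channels while skipping ones known to deny access
# even to an elevated session, so a handful of unclearable channels do not
# fail the Vagrant "shell" provisioner.

# Assumed exclusion list, taken from the channels reported in this issue.
$ExcludedChannels = @(
    'Microsoft-Windows-LiveId/Analytic',
    'Microsoft-Windows-LiveId/Operational'
)

# Keep native-command stderr from being promoted to a terminating error.
$ErrorActionPreference = 'Continue'

$cleared = 0
$skipped = New-Object System.Collections.Generic.List[string]
$failed  = New-Object System.Collections.Generic.List[string]

foreach ($channel in (wevtutil el)) {
    if ($ExcludedChannels -contains $channel) {
        $skipped.Add($channel)
        continue
    }

    # Merge stderr into stdout and discard it; wevtutil's exit code still
    # tells us whether the channel was cleared, without writing the
    # "Access is denied." text to the error stream that Vagrant reports.
    $null = wevtutil cl "$channel" 2>&1

    if ($LASTEXITCODE -eq 0) {
        $cleared++
    } else {
        $failed.Add($channel)
    }
}

Write-Output ("Cleared {0} channels; skipped {1} excluded; {2} could not be cleared" -f `
    $cleared, $skipped.Count, $failed.Count)

if ($failed.Count -gt 0) {
    Write-Output 'Channels that could not be cleared (review and add to the exclusion list if expected):'
    $failed | ForEach-Object { Write-Output "  $_" }
}

# Exit 0 so Vagrant does not treat unclearable channels as a build failure.
exit 0
```

Saved as, for instance, `scripts/clear-eventlogs.ps1` (an assumed path), it would replace the inline one-liner with `cfg.vm.provision "shell", path: "scripts/clear-eventlogs.ps1"`; the summary line makes it visible in the provisioning output which channels were deliberately skipped versus which failed unexpectedly.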

vdog90 commented 5 years ago

Awesome, thanks so much clong!

clong commented 5 years ago

This should be fixed in https://github.com/clong/DetectionLab/pull/174