clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices

Error Building DC - appears that debloat/utilities script not disabling defender for server 2016 #204

Closed jezkerwin closed 5 years ago

jezkerwin commented 5 years ago

Description of the issue:

When performing `vagrant up --provider vmware_desktop`, the deploy of DC fails with the following error. It looks like Defender isn't being disabled.

powershell.exe : Copy-Item : Operation did not complete successfully because the file contains a virus or
    + CategoryInfo          : NotSpecified: (Copy-Item : Ope...ins a virus or :String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
potentially unwanted software.
At C:\tmp\vagrant-shell.ps1:57 char:3
+   Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\ ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (Find-AVSignature.ps1:FileInfo) [Copy-Item], IOException
    + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShell.Commands.CopyItemCommand
jezkerwin commented 5 years ago

I disabled Defender on DC and re-provisioned, and it seemed to work, but when it moved onto the WEF host it failed again installing PowerSploit because of Defender.

jezkerwin commented 5 years ago

Been tinkering with this, and it appears that the debloat or utilities script isn't running when deploying the Windows VMs, so it's not uninstalling Defender.
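A pre-flight check a provisioning script can run before the `Copy-Item` that fails above, so that a Defender that was never removed is detected and handled (or the build stops with a clear message) instead of Copy-Item dying on `Find-AVSignature.ps1`. This is an added example, not DetectionLab's debloat/utilities script and not code from the reporter; the tool directories, the PowerSploit destination path and the "don't reboot yet" behaviour are assumptions for illustration.

```powershell
# Added example (not DetectionLab's own code). Checks whether Defender is still
# active on the VM being provisioned, disables real-time protection, excludes the
# tool paths, and on Server SKUs removes the Windows-Defender role feature, which
# is what the debloat/utilities step is expected to do. Paths are assumptions.

function Test-DefenderActive {
    # $true when the Defender engine service is running and real-time
    # protection is on: the state that quarantines PowerSploit during Copy-Item.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        return [bool]$status.RealTimeProtectionEnabled
    } catch {
        # Defender cmdlets unavailable (feature removed): nothing left to block the copy
        return $false
    }
}

function Disable-DefenderForLab {
    param(
        # Directories that will hold tooling Defender would otherwise flag (assumed paths)
        [string[]]$ExcludePaths = @(
            'C:\Tools',
            "$Env:windir\System32\WindowsPowerShell\v1.0\Modules\PowerSploit"
        )
    )

    if (-not (Test-DefenderActive)) {
        Write-Host 'Defender not active; nothing to do.'
        return
    }

    # Takes effect immediately, no reboot: stop on-write scanning and exclude the tool paths
    Set-MpPreference -DisableRealtimeMonitoring $true
    foreach ($p in $ExcludePaths) { Add-MpPreference -ExclusionPath $p }

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    # Server 2016 ships Defender as a removable role feature; removing it needs a reboot
    # to fully take effect, which the caller (vagrant reload) is assumed to handle.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -ne 1) {
        $feature = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
        if ($feature -and $feature.Installed) {
            Uninstall-WindowsFeature -Name Windows-Defender -Restart:$false | Out-Null
            Write-Warning 'Windows-Defender feature removed; reboot required before it is fully gone.'
        }
    }

    # Re-check so the provisioner fails here, loudly, rather than at Copy-Item later
    if (Test-DefenderActive) {
        throw 'Real-time protection is still enabled; refusing to copy PowerSploit.'
    }
}

# Usage in a provisioning script, ahead of the Copy-Item that failed in the report
# (destination path is an assumption, the original error truncates it):
Disable-DefenderForLab
Copy-Item 'C:\Tools\PowerSploit\PowerSploit-master\*' `
    "$Env:windir\System32\WindowsPowerShell\v1.0\Modules\PowerSploit" -Recurse -Force
```

Two caveats: `Set-MpPreference -DisableRealtimeMonitoring` is a preference, not a removal, so Defender can re-enable itself after a reboot or policy refresh on a box where the feature was never uninstalled, which matches the symptom of the copy succeeding on DC after a manual disable and then failing again on WEF; and newer Windows 10 builds with Tamper Protection ignore that cmdlet entirely, so on the Windows 10 VM the exclusion paths do the real work. The final `Test-DefenderActive` call is what turns a silent "script didn't run" into an explicit provisioning failure.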

jezkerwin commented 5 years ago

I re-ran the build script using VirtualBox, and it appears to be a problem with VMware Workstation. VirtualBox appears to have built successfully.

clong commented 5 years ago

Are you using the stock boxes (downloaded boxes) or did you build them yourself using Packer?

jezkerwin commented 5 years ago

I'm pretty sure that I tried it using both methods, stock boxes and building them myself. I'll re-run the build process again over the weekend using both methods and report back.

jezkerwin commented 5 years ago

I went back, cleaned everything up, and re-ran the build script, allowing it to build its own boxes using Packer. This is the output.

==> Builds finished. The artifacts of successful builds are:
--> vmware-iso: 'vmware' provider box: windows_10_vmware.box
[packer_build_box] Finished for windows_10. Got exit code: 0
[move_boxes] Running..
[move_boxes] Finished.
[main] Running vagrant_up_host for: logger
[vagrant_up_host] Running for logger
Attempting to bring up the logger host using Vagrant
[vagrant_up_host] Finished for logger. Got exit code: 0
[main] vagrant_up_host finished. Exitcode: 0
Good news! logger was built successfully!
[main] Finished for: logger
[main] Running vagrant_up_host for: dc
[vagrant_up_host] Running for dc
Attempting to bring up the dc host using Vagrant
[vagrant_up_host] Finished for dc. Got exit code: 1
[main] vagrant_up_host finished. Exitcode: 1
WARNING: Something went wrong while attempting to build the dc box.
Attempting to reload and reprovision the host...
[main] Running vagrant_reload_host for: dc
[vagrant_reload_host] Running for dc
[vagrant_reload_host] Finished for dc. Got exit code: 1
C:\Users\Jez\Documents\DetectionLab\build.ps1 : Failed to bring up dc after a reload. Exiting
At line:1 char:1
+ .\build.ps1 -providername vmware_desktop
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,build.ps1

[main] Running post_build_checks
[post_build_checks] Running Caldera Check.
[download] Running for https://192.168.38.105:8888, looking for <title>CALDERA</title>
Error occured on webrequest: Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"
[post_build_checks] Cladera Result: False
[post_build_checks] Running Splunk Check.
[download] Running for https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F, looking for This browser is not supported by Splunk
Error occured on webrequest: Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"
[post_build_checks] Splunk Result: False
[post_build_checks] Running Fleet Check.
[download] Running for https://192.168.38.105:8412, looking for Kolide Fleet
Error occured on webrequest: Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"
[post_build_checks] Fleet Result: False
[post_build_checks] Running MS ATA Check.
[download] Running for https://192.168.38.103, looking for
Error occured on webrequest: Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"
[post_build_checks] ATA Result: False
WARNING: Caldera failed post-build tests and may not be functioning correctly.
WARNING: Splunk failed post-build tests and may not be functioning correctly.
WARNING: Fleet failed post-build tests and may not be functioning correctly.
WARNING: MS ATA failed post-build tests and may not be functioning correctly.
[main] Finished post_build_checks
jezkerwin commented 5 years ago

I've attached the log file from the DC

vagrant_up_dc.log

clong commented 5 years ago

Hey @jezkerwin - I'm totally unable to reproduce this bug in the CI pipeline (VirtualBox) and on my personal machine (VMware). I'll keep this open for now, but I can't seem to hit the same issue you're running into.

jezkerwin commented 5 years ago

Ok, thanks @clong , I'll do some more testing on my end and see if I can figure it out.

clong commented 5 years ago

Hey @jezkerwin - is it okay to close this issue? I'm unable to reproduce this after multiple builds of the Server 2016 ISO.