clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

Velociraptor installation fails on DC #757

Closed bortok closed 2 years ago

bortok commented 2 years ago

Please verify that you are building from an updated Master branch before filing an issue. CONFIRMED

Description of the issue:

Velociraptor installation fails on DC. Here is the log when re-running deployment script on the DC VM manually:

PS C:\tmp> .\vagrant-shell.ps1
[18:29] Hosts file already updated. Moving on.
[18:29] Determining latest release of Velociraptor...
[18:29] Downloading Velociraptor...
Invoke-WebRequest : The request was aborted: The connection was closed unexpectedly.
At C:\tmp\vagrant-shell.ps1:23 char:3
+   Invoke-WebRequest -Uri "$velociraptorDownloadUrl" -OutFile $velocir ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

[18:29] Installing Velociraptor...
Copy-Item : Access to the path 'C:\Program Files\Velociraptor' is denied.
At C:\tmp\vagrant-shell.ps1:26 char:3
+   Copy-Item "c:\vagrant\resources\velociraptor\Velociraptor.config.ya ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\vagrant\reso...tor.config.yaml:FileInfo) [Copy-Item], Unauthorized
   AccessException
    + FullyQualifiedErrorId : CopyFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand

Restart-Service : Cannot find any service with service name 'Velociraptor'.
At C:\tmp\vagrant-shell.ps1:27 char:3
+   Restart-Service Velociraptor
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Velociraptor:String) [Restart-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.RestartServiceCommand

[18:29] Velociraptor successfully installed!
Get-Service : Cannot find any service with service name 'Velociraptor'.
At C:\tmp\vagrant-shell.ps1:32 char:6
+ If ((Get-Service -name Velociraptor).Status -ne "Running")
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Velociraptor:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

Velociraptor service is not running
At C:\tmp\vagrant-shell.ps1:34 char:3
+   Throw "Velociraptor service is not running"
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Velociraptor service is not running:String) [], RuntimeException
    + FullyQualifiedErrorId : Velociraptor service is not running

bortok commented 2 years ago

Here is an error I'm getting when trying to re-provision the DC:

==> dc: Running provisioner: shell...
    dc: Running: scripts/install-velociraptor.ps1 as C:\tmp\vagrant-shell.ps1
    dc: [05:06] Hosts file already updated. Moving on.
    dc: [05:06] Determining latest release of Velociraptor...
    dc: [05:06] Downloading Velociraptor...
    dc: powershell.exe : Invoke-WebRequest : The request was aborted: The connection was closed unexpectedly.
    dc:     + CategoryInfo          : NotSpecified: (Invoke-WebReque...d unexpectedly.:String) [], RemoteException
    dc:     + FullyQualifiedErrorId : NativeCommandError
    dc: At C:\tmp\vagrant-shell.ps1:23 char:3
    dc: +   Invoke-WebRequest -Uri "$velociraptorDownloadUrl" -OutFile $velocir ...
    dc: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    dc:     + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invok
    dc:    e-WebRequest], WebException
    dc:     + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeW
    dc:    ebRequestCommand
    dc:
    dc: [05:06] Installing Velociraptor...
    dc: Restart-Service : Cannot find any service with service name 'Velociraptor'.
    dc: At C:\tmp\vagrant-shell.ps1:27 char:3
    dc: +   Restart-Service Velociraptor
    dc: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    dc:     + CategoryInfo          : ObjectNotFound: (Velociraptor:String) [Restart-Service], ServiceCom
    dc:    mandException
    dc:     + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.RestartSer
    dc:    viceCommand
    dc:
    dc: [05:06] Velociraptor successfully installed!
    dc: Get-Service : Cannot find any service with service name 'Velociraptor'.
    dc: At C:\tmp\vagrant-shell.ps1:32 char:6
    dc: + If ((Get-Service -name Velociraptor).Status -ne "Running")
    dc: +      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    dc:     + CategoryInfo          : ObjectNotFound: (Velociraptor:String) [Get-Service], ServiceCommand
    dc:    Exception
    dc:     + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetService
    dc:    Command
    dc:
    dc: Velociraptor service is not running
    dc: At C:\tmp\vagrant-shell.ps1:34 char:3
    dc: +   Throw "Velociraptor service is not running"
    dc: +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    dc:     + CategoryInfo          : OperationStopped: (Velociraptor service is not running:String) [],
    dc:    RuntimeException
    dc:     + FullyQualifiedErrorId : Velociraptor service is not running
    dc:
The following WinRM command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

powershell -ExecutionPolicy Bypass -OutputFormat Text -file "C:\tmp\vagrant-shell.ps1"

Stdout from the command:

[05:06] Hosts file already updated. Moving on.
[05:06] Determining latest release of Velociraptor...
[05:06] Downloading Velociraptor...
[05:06] Installing Velociraptor...
[05:06] Velociraptor successfully installed!

Stderr from the command:

powershell.exe : Invoke-WebRequest : The request was aborted: The connection was closed unexpectedly.
    + CategoryInfo          : NotSpecified: (Invoke-WebReque...d unexpectedly.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
At C:\tmp\vagrant-shell.ps1:23 char:3
+   Invoke-WebRequest -Uri "$velociraptorDownloadUrl" -OutFile $velocir ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invok
   e-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeW
   ebRequestCommand

Restart-Service : Cannot find any service with service name 'Velociraptor'.
At C:\tmp\vagrant-shell.ps1:27 char:3
+   Restart-Service Velociraptor
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Velociraptor:String) [Restart-Service], ServiceCom
   mandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.RestartSer
   viceCommand

Get-Service : Cannot find any service with service name 'Velociraptor'.
At C:\tmp\vagrant-shell.ps1:32 char:6
+ If ((Get-Service -name Velociraptor).Status -ne "Running")
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Velociraptor:String) [Get-Service], ServiceCommand
   Exception
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetService
   Command

Velociraptor service is not running
At C:\tmp\vagrant-shell.ps1:34 char:3
+   Throw "Velociraptor service is not running"
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Velociraptor service is not running:String) [],
   RuntimeException
    + FullyQualifiedErrorId : Velociraptor service is not running

xoften commented 2 years ago

It's line number 18 that messes up the install script: $velociraptorDownloadUrl = "https://github.com" + ((Invoke-WebRequest "https://github.com/Velocidex/velociraptor/releases/latest" -UseBasicParsing).links | Select-Object -ExpandProperty href | Select-String "windows-amd64.msi$")

It matches two msi packages, 6.2-windows-amd64.msi and 6.2-1-windows-amd64.msi.

I fixed the issue by changing the install-velociraptor.ps1 to 6.2-1.windows-amd64.msi instead, and then it works and matches only one download URI.
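
The double match described in the comment above, next to a selection that fails closed, as an added PowerShell example that is not part of the thread or of DetectionLab's script. `Select-SingleAsset` and the sample hrefs are constructed for illustration; only the two MSI suffixes come from the comment.

```powershell
# Added example. Select-SingleAsset and the hrefs below are constructed.
$ErrorActionPreference = 'Stop'   # a failed cmdlet halts the script instead of falling through

function Select-SingleAsset {
    param(
        [Parameter(Mandatory)] [string[]] $Href,
        [Parameter(Mandatory)] [string]   $Pattern
    )
    # @() forces an array so .Count is correct for 0, 1 or many matches
    $found = @($Href | Where-Object { $_ -match $Pattern })
    if ($found.Count -ne 1) {
        throw "expected exactly 1 asset for '$Pattern', found $($found.Count): $($found -join ', ')"
    }
    $found[0]
}

# Constructed stand-in for the hrefs scraped from the releases page
$hrefs = @(
    '/example/releases/download/example-6.2-windows-amd64.msi',
    '/example/releases/download/example-6.2-1-windows-amd64.msi',
    '/example/releases/download/example-6.2-linux-amd64'
)

# Line 18's filter: both MSI links match, and string + array joins them
# with a space, so the "URL" handed to Invoke-WebRequest is two paths in one.
$loose = "https://github.com" + ($hrefs | Select-String 'windows-amd64.msi$')
Write-Output "loose : $loose"

# Fail closed: an ambiguous match stops the run before any download.
try {
    Select-SingleAsset -Href $hrefs -Pattern 'windows-amd64\.msi$' | Out-Null
} catch {
    Write-Output "refuse: $($_.Exception.Message)"
}

# A pattern anchored on the full version suffix selects one asset.
$asset = Select-SingleAsset -Href $hrefs -Pattern '-6\.2-1-windows-amd64\.msi$'
Write-Output "strict: https://github.com$asset"
```

With `$ErrorActionPreference = 'Stop'` set at the top of a provisioning script, a failed download or copy ends the run at that step, so a later "successfully installed" message is only reached when the earlier steps worked.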

clong commented 2 years ago

I think this is fixed now (https://github.com/clong/DetectionLab/pull/756)