splunk / attack_range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Apache License 2.0

Aurora Agent Error during packer build #811

Closed neokjames closed 1 year ago

neokjames commented 1 year ago

Using Docker to build on AWS, now receiving the below error.

@P4T12ICK this is something you introduced recently right? the 'aurora_agent' flag?

amazon-ebs.windows: TASK [windows_aurora_agent : download the aurora-agent-lite-win-pack.zip file] *** amazon-ebs.windows: fatal: [default]: FAILED! => {"msg": "The conditional check '(use_prebuilt_images_with_packer == \"0\") and (aurora_agent == \"1\")' failed. The error was: error while evaluating conditional ((use_prebuilt_images_with_packer == \"0\") and (aurora_agent == \"1\")): 'aurora_agent' is undefined\n\nThe error appears to be in '/attack_range/packer/ansible/roles/windows_aurora_agent/tasks/install_aurora_agent.yml': line 3, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n# install nextron aurora agent https://www.nextron-systems.com/2021/11/13/aurora-sigma-based-edr-agent-preview/\n- name: download the aurora-agent-lite-win-pack.zip file\n ^ here\n"}

P4T12ICK commented 1 year ago

Yes let me have a quick look into this. Thank you for reporting it.

neokjames commented 1 year ago

Ahh there's no default value for it in configs/attack_range_default.yml - that'll do it.

It's undefined unless explicitly stated in attack_range.yml

neokjames commented 1 year ago

This might also be a similar problem but unsure when this was introduced @P4T12ICK

amazon-ebs.windows: TASK [windows_install_attack_simulation : Install Atomic Red Team] *************
amazon-ebs.windows: fatal: [default]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'atomic_red_team_repo' is undefined\n\nThe error appears to be in '/attack_range/packer/ansible/roles/windows_install_attack_simulation/tasks/main.yml': line 22, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Install Atomic Red Team\n  ^ here\n"}

neokjames commented 1 year ago

if I define aurora_agent: '1' under the 'general' stanza in the YAML, it works. It doesn't seem to be applying the aurora_agent definition further down in the YAML in the windows_servers_default stanza.

neokjames commented 1 year ago

Will test further tomorrow night, just noticed you pushed some changes in whilst I was looking into it :)

P4T12ICK commented 1 year ago

yeah it could be that you did some testing while I was pushing multiple things to the project. The default value is part of the latest develop branch: https://github.com/splunk/attack_range/blob/develop/configs/attack_range_default.yml

I was testing it 5 min ago and I didn't run into the same issue which you reported.

neokjames commented 1 year ago

@P4T12ICK I performed a git pull and tried again - it's still failing, here's the parameters being passed through with Ansible. aurora_agent is missing here.

Could it be that the default value is not being passed through specifically for the packer "first time image build" process?

==> amazon-ebs.windows: Executing Ansible: ansible-playbook -e packer_build_name="windows" -e packer_builder_type=amazon-ebs --extra-vars ansible_shell_type=powershell ansible_shell_executable=None ansible_user=Administrator ansible_password=infected ansible_become_pass=<no value> attack_range_name="ar" attack_range_password="infected" carbon_black_cloud="0" carbon_black_cloud_agent_name="installer_vista_win7_win8-64-3.8.0.627.msi" carbon_black_cloud_company_code="" carbon_black_cloud_s3_bucket="" cloud_provider="aws" crowdstrike_agent_name="WindowsSensor.exe" crowdstrike_customer_ID="" crowdstrike_falcon="0" crowdstrike_logs_access_key_id="" crowdstrike_logs_region="" crowdstrike_logs_secret_access_key="" crowdstrike_logs_sqs_url="" ip_whitelist="0.0.0.0/0" key_name="root-70344" statepath="/attack_range/modules/../terraform/aws/state/ar.terraform.tfstate" use_prebuilt_images_with_packer="0" version="3.0.0" byo_splunk="0" byo_splunk_ip="" ingest_bots3_data="0" install_contentctl="0" install_dltk="0" install_es="0" s3_bucket_url="https://attack-range-appbinaries.s3-us-west-2.amazonaws.com" splunk_es_app="splunk-enterprise-security_701.spl" splunk_image="splunk-v3-0-0" splunk_uf_url="https://download.splunk.com/products/universalforwarder/releases/9.0.5/linux/splunkforwarder-9.0.5-e9494146ae5c-linux-2.6-amd64.deb" splunk_uf_win_url="https://download.splunk.com/products/universalforwarder/releases/9.0.5/windows/splunkforwarder-9.0.5-e9494146ae5c-x64-release.msi" splunk_url="https://download.splunk.com/products/splunk/releases/9.0.5/linux/splunk-9.0.5-e9494146ae5c-Linux-x86_64.tgz" -e ansible_password=***** -i /tmp/packer-provisioner-ansible4274314919 /attack_range/packer/ansible/windows.yml

neokjames commented 1 year ago

If I add 'aurora_agent' into the 'general' stanza it fixes it, but I assume that's not the solution you're trying to get to.
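
The pre-flight check a practitioner would want here, as an added example that is not part of the issue thread or of attack_range's own code: compare the variables that the packer role tasks reference (in `when:` conditionals and `{{ }}` expressions) against the `key=value` extra-vars that packer actually hands to `ansible-playbook`, and report the ones Ansible will treat as undefined. The command line is a trimmed copy of the one posted above; the task YAML is constructed to mirror the two failing tasks reported in this thread (the module names and URLs in it are assumptions, not the project's files).

```python
"""Report Ansible variables referenced by packer role tasks but absent from
the extra-vars packer passes. Added example, not attack_range code."""
import re
import shlex
from typing import Dict, List, Set

# Trimmed copy of the ansible-playbook command line posted in the issue
# (shortened; the values kept are the ones shown there).
SAMPLE_CMDLINE = (
    'ansible-playbook -e packer_build_name="windows" -e packer_builder_type=amazon-ebs '
    '--extra-vars ansible_shell_type=powershell ansible_user=Administrator '
    'attack_range_name="ar" cloud_provider="aws" use_prebuilt_images_with_packer="0" '
    'version="3.0.0" byo_splunk="0" '
    's3_bucket_url="https://attack-range-appbinaries.s3-us-west-2.amazonaws.com" '
    '-e ansible_password=***** '
    '-i /tmp/packer-provisioner-ansible4274314919 /attack_range/packer/ansible/windows.yml'
)

# Constructed task file shaped after the two errors in the thread; the
# module names and the download URL are assumptions, not the real role files.
SAMPLE_TASKS = """\
# install nextron aurora agent
- name: download the aurora-agent-lite-win-pack.zip file
  win_get_url:
    url: "{{ s3_bucket_url }}/aurora-agent-lite-win-pack.zip"
    dest: C:\\Windows\\Temp\\aurora-agent-lite-win-pack.zip
  when: (use_prebuilt_images_with_packer == "0") and (aurora_agent == "1")

- name: Install Atomic Red Team
  win_shell: git clone {{ atomic_red_team_repo }} C:\\AtomicRedTeam
"""

# Jinja operators and literals that look like identifiers but are not variables.
JINJA_KEYWORDS = {"and", "or", "not", "is", "in", "defined", "undefined",
                  "true", "false", "none", "True", "False", "None"}
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
KV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.S)


def parse_extra_vars(cmdline: str) -> Dict[str, str]:
    """Collect every key=value token on the command line: the argument that
    -e consumes and the space-separated list after --extra-vars both have
    that shape, so one pass over the shell-split tokens catches all of them.
    Shell quoting around values is removed by shlex."""
    found: Dict[str, str] = {}
    for tok in shlex.split(cmdline):
        m = KV_RE.match(tok)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def _identifiers(expr: str) -> Set[str]:
    """Variable names in one Jinja expression: string literals are blanked
    out first, anything after the first filter pipe is ignored, and Jinja
    keywords are dropped."""
    expr = re.sub(r'"[^"]*"|\'[^\']*\'', " ", expr)
    expr = expr.split("|", 1)[0]
    return {i for i in IDENT_RE.findall(expr) if i not in JINJA_KEYWORDS}


def referenced_vars(task_yaml: str) -> Set[str]:
    """Variables a task file reads, from 'when:' conditionals and from
    {{ ... }} expressions anywhere in the file."""
    refs: Set[str] = set()
    for cond in re.findall(r"^\s*when:\s*(.+)$", task_yaml, re.M):
        refs |= _identifiers(cond)
    for expr in re.findall(r"\{\{\s*(.*?)\s*\}\}", task_yaml):
        refs |= _identifiers(expr)
    return refs


def missing_vars(task_yaml: str, cmdline: str) -> List[str]:
    """Names the tasks reference that packer never passed; each of these is
    exactly what Ansible reports as \"'<name>' is undefined\"."""
    return sorted(referenced_vars(task_yaml) - set(parse_extra_vars(cmdline)))


if __name__ == "__main__":
    for name in missing_vars(SAMPLE_TASKS, SAMPLE_CMDLINE):
        print(f"not passed to ansible-playbook: {name}")
```

Run against the trimmed command line, the check names `aurora_agent` and `atomic_red_team_repo`, matching the two failures in this thread, while `s3_bucket_url` and `use_prebuilt_images_with_packer` are satisfied. The point of doing this before a packer build rather than after is that the image build fails only once Ansible reaches the conditional, which on AWS is well after the instance has been launched and paid for.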

neokjames commented 1 year ago

@P4T12ICK tested on both Docker and Ubuntu via WSL, both are having this 'aurora_agent' flag issue in the current code.

P4T12ICK commented 1 year ago

Yes you are right. The part is missing in the packer files. I will fix it asap.

P4T12ICK commented 1 year ago

This should be fixed.

neokjames commented 1 year ago

It appears to be! Nice work @P4T12ICK