forked from Azure/azure-quickstart-templates
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
g_jaj
authored and
g_jaj
committed
Jul 5, 2018
1 parent
940c1f8
commit 501632c
Showing
26 changed files
with
1,165 additions
and
0 deletions.
There are no files selected for viewing
98 changes: 98 additions & 0 deletions
98
101-VM-Virus-Attack-Prevention/Deploy-AzureResourceGroup.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| <# | ||
| Requires -Version 5.0 | ||
| Requires -Module AzureRM 6.2.1 | ||
| Requires -Module Azure.Storage 4.3.0 | ||
| #> | ||
|
|
||
| Param( | ||
| [string] [Parameter(Mandatory=$false)] $ResourceGroupName = "001-VM-Virus-Attack-Prevention", | ||
| [string] [Parameter(Mandatory=$false)] $Location = "eastus", | ||
| [switch] $SkipArtifactsUpload, | ||
| [string] $TemplateFile = $PSScriptRoot + '\azuredeploy.json', | ||
| [string] $TemplateParametersFile = $PSScriptRoot + '\azuredeploy.parameters.json' | ||
| ) | ||
|
|
||
| Function Get-StringHash([String]$String, $HashName = "SHA1") { | ||
| $StringBuilder = New-Object System.Text.StringBuilder | ||
| [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))| | ||
| ForEach-Object { [Void]$StringBuilder.Append($_.ToString("x2")) | ||
| } | ||
| $StringBuilder.ToString().Substring(0, 24) | ||
| } | ||
|
|
||
| Import-Module -Name AzureRM -RequiredVersion '6.2.1' | ||
| Import-Module -Name Azure.Storage -RequiredVersion '4.3.0' | ||
|
|
||
| $storageContainerName = "artifacts" | ||
|
|
||
| $artifactStagingDirectories = @( | ||
| "$PSScriptRoot\scripts" | ||
| "$PSScriptRoot\nested" | ||
| ) | ||
|
|
||
| $deploymentHash = (Get-StringHash ((Get-AzureRmContext).Subscription.Id)).substring(0, 9) | ||
| $storageAccountName = 'virusattack' + $deploymentHash | ||
|
|
||
| New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location -Force | ||
|
|
||
| Write-Verbose "Check if artifacts storage account exists." | ||
| $storageAccount = (Get-AzureRmStorageAccount | Where-Object {$_.StorageAccountName -eq $storageAccountName}) | ||
|
|
||
| # Create the storage account if it doesn't already exist | ||
| if ($storageAccount -eq $null) { | ||
| Write-Verbose "Artifacts storage account does not exists." | ||
| Write-Verbose "Provisioning artifacts storage account." | ||
| $storageAccount = New-AzureRmStorageAccount -StorageAccountName $storageAccountName -Type 'Standard_LRS' ` | ||
| -ResourceGroupName $ResourceGroupName -Location $Location | ||
| Write-Verbose "Artifacts storage account provisioned." | ||
| Write-Verbose "Creating storage container to upload a blobs." | ||
| New-AzureStorageContainer -Name $storageContainerName -Context $storageAccount.Context -ErrorAction SilentlyContinue *>&1 | ||
| } | ||
| else { | ||
| Write-Verbose "Artifacts storage account exists." | ||
| New-AzureStorageContainer -Name $storageContainerName -Context $storageAccount.Context -ErrorAction SilentlyContinue *>&1 | ||
| } | ||
|
|
||
| if(!$SkipArtifactsUpload){ | ||
| # Copy files from the local storage staging location to the storage account container | ||
| Write-Verbose "Uploading artifact staging directories." | ||
| foreach ($artifactStagingDirectory in $artifactStagingDirectories) { | ||
| $ArtifactFilePaths = Get-ChildItem $ArtifactStagingDirectory -Recurse -File | ForEach-Object -Process {$_.FullName} | ||
| foreach ($SourcePath in $ArtifactFilePaths) { | ||
| Set-AzureStorageBlobContent -File $SourcePath -Blob $SourcePath.Substring((Split-Path($ArtifactStagingDirectory)).length + 1) ` | ||
| -Container $storageContainerName -Context $storageAccount.Context -Force | ||
| } | ||
| } | ||
| } | ||
| Write-Verbose "Generating common deployment parameters" | ||
| $commonTemplateParameters = New-Object -TypeName Hashtable # Will be used to pass common parameters to the template. | ||
| $artifactsLocation = '_artifactsLocation' | ||
| $artifactsLocationSasToken = '_artifactsLocationSasToken' | ||
|
|
||
| $commonTemplateParameters[$artifactsLocation] = $storageAccount.Context.BlobEndPoint + $storageContainerName | ||
| $commonTemplateParameters[$artifactsLocationSasToken] = New-AzureStorageContainerSASToken -Container $storageContainerName -Context $storageAccount.Context -Permission r -ExpiryTime (Get-Date).AddHours(4) | ||
|
|
||
| $tmp = [System.IO.Path]::GetTempFileName() | ||
|
|
||
| $parametersObj = Get-Content -Path $TemplateParametersFile | ConvertFrom-Json | ||
| $parametersObj.parameters._artifactsLocation.value = $commonTemplateParameters[$artifactsLocation] | ||
| $parametersObj.parameters._artifactsLocationSasToken.value = $commonTemplateParameters[$artifactsLocationSasToken] | ||
| ( $parametersObj | ConvertTo-Json -Depth 10 ) -replace "\\u0027", "'" | Out-File $tmp | ||
|
|
||
| #Initiate resource group deployment | ||
| Write-Verbose "Initiate resource group deployment" | ||
| New-AzureRmResourceGroupDeployment -ResourceGroupName $ResourceGroupName ` | ||
| -TemplateFile $TemplateFile ` | ||
| -TemplateParameterFile $tmp -Name $ResourceGroupName -Mode Incremental ` | ||
| -DeploymentDebugLogLevel All -Verbose -Force | ||
|
|
||
| Write-Verbose "Deployment completed." | ||
| Write-Verbose "Deleting temp parameter file." | ||
| Remove-Item $tmp -Force | ||
|
|
||
| $deploymentOutput = Get-AzureRmResourceGroupDeployment -ResourceGroupName $ResourceGroupName -Name $ResourceGroupName | ||
|
|
||
| Write-Host "VM UserName :" $deploymentOutput.Outputs.Values.Value[0] | ||
| Write-Host "VM Password :" $deploymentOutput.Outputs.Values.Value[1] | ||
|
|
||
| Write-Verbose "User these credentials to access the VMs an execute the scenario." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,168 @@ | ||
| # Virus attack on Virtual Machines Scenario | ||
|
|
||
|
|
||
|
|
||
| # Table of Contents | ||
| 1. [Objectives](#objectives) | ||
| 2. [Overview](#overview) | ||
| 3. [Pre-requisites](#prerequisites) | ||
| 4. [Deploy](#deployment) | ||
| 5. [Perform Attack](#attack) | ||
| 6. [Detect Attack](#detect) | ||
| 7. [Respond/Mitigate](#mitigate) | ||
| 8. [Teardown Deployment](#teardown) | ||
|
|
||
| <a name="objectives"></a> | ||
| # Objective of the POC | ||
| Showcase a Virus attack on a Virtual Machine detection & prevention. | ||
|
|
||
| <a name="overview"></a> | ||
| # Overview | ||
| It showcases following use cases | ||
| 1. Perform Virus attack on a Virtual Machine --> | ||
|
|
||
| * VM without Endpoint Protection | ||
|
|
||
| 2. Perform Virus attack on a Virtual Machine --> | ||
|
|
||
| * VM with Endpoint Protection | ||
|
|
||
|
|
||
| # Important Notes <a name="notes"></a> | ||
| Although the deployment takes 10-15mins, the log aggregation by OMS take a few hours to get configured in the backend. You may not see attack/mitigation logs for detection and prevention events during the aggregation time window. | ||
| Subsequently logs will take 10-15 mins to reflect in OMS. | ||
| <p>Current powershell version in Azure cloudshell is in preview mode.</p> | ||
|
|
||
|
|
||
| <a name="prerequisites"></a> | ||
| # Prerequisites | ||
| Access to Azure subscription to deploy following resources | ||
| 1. Virtual Machine | ||
| 2. OMS (Monitoring) | ||
|
|
||
| <a name="deployment"></a> | ||
| # Deploy | ||
|
|
||
| 1. Go to Edge Browser and Open [Azure Cloud Shell](https://shell.azure.com/) | ||
| 1. Change directory to CloudDrive directory | ||
|
|
||
| `cd $Home\clouddrive ` | ||
|
|
||
| 1. Clone the Azure quickstart repository. | ||
| `git clone https://github.com/Azure/azure-quickstart-templates.git` | ||
|
|
||
| 1. Change directory to azure-security-scenarios | ||
|
|
||
| `cd .\101-VM-Virus-Attack-Prevention\` | ||
|
|
||
| 1. Run the following command to start the deployment. | ||
|
|
||
| `.\Deploy-AzureResourceGroup.ps1 -Verbose` | ||
|
|
||
| If you are running the deployment for the second time and don't want to upload the artifacts just pass SkipArtifactsUpload switch. | ||
|
|
||
| `.\Deploy-AzureResourceGroup.ps1 -Verbose -SkipArtifactsUpload` | ||
| <a name="attack"></a> | ||
| # Perform Attack | ||
|
|
||
| Attack on VM without an Endpoint Protection. | ||
|
|
||
| 1. Go to Azure Portal --> Select Resource Groups services --> Select Resource Group - "prefix-virus-attack-on-vm-workload" | ||
|
|
||
| 2. Select VM with name 'vm-without-ep'. | ||
|
|
||
|  | ||
|
|
||
|
|
||
|
|
||
| 3. On Properties Page --> Click Connect to Download RDP file --> Save and Open RDP file. | ||
|  | ||
|
|
||
| 4. Enter login details (The VM login username and password is in deployment powershell output) | ||
|
|
||
| 5. Open Server Manager and Disable Internet Explorer Enhanced Security Configuration. | ||
|  | ||
|
|
||
| 6. Open Internet Explorer and Download (https://secure.eicar.org/eicar.com.txt) | ||
|
|
||
| 7. If IE blocks downloading, Go to View Downloads --> Right Click on File and Select Download Unsafe File. | ||
|  | ||
|
|
||
| 8. You will notice that Virus file gets downloads successfully on VM indicating attack was successful. | ||
|
|
||
| <a name="mitigate"></a> | ||
| # Mitigate | ||
|
|
||
| Azure Security Center gives you recommendations and also allows you to perform remediation steps from the console itself. | ||
|
|
||
| 1. Go to Home > Security Center - Overview > Compute > Endpoint protection issues > Endpoint Protection not installed on Azure VMs | ||
|
|
||
| 2. You will notice your VM with name "vm-without-ep" is listed with various other VMs which does not have endpoint protection installed. | ||
|
|
||
| 3. Select your VM with name "vm-without-ep" and Click on Install on VM. This will install endpoint protection on the VM | ||
|  | ||
|
|
||
| # Attack & Detection | ||
|
|
||
| Anti-malware Extension (Endpoint Protection) might take 5-10 mins to get installed on a VM. Hence, you will use another VM with name "vm-with-ep" which already has Anti-malware extension installed further for our Demo using loginid and pwd (The VM login username and password is in deployment powershell output) | ||
|
|
||
| To perform attack open Internet Explorer and Download (https://secure.eicar.org/eicar.com.txt) | ||
|
|
||
| However, this time when you try to download Eicar virus file, it will be immediately detected and will be quarantined by endpoint protection. | ||
|  | ||
|
|
||
| ## Detection using Endpoint protection client | ||
|
|
||
| When you try to access SCEP, you will get restricted access error. | ||
|  | ||
|
|
||
| To access endpoint protection client, you need to clean SCEP Policy on Windows workstation or server. | ||
| 1. Open **Powershell** | ||
| 1. Go to | ||
|
|
||
| `cd "C:\Program Files\Microsoft Security Client"` | ||
|
|
||
| 1. then run | ||
|
|
||
| `.\ConfigSecurityPolicy.exe .\CleanUpPolicy.xml` | ||
|
|
||
| 1. Now, Go to Start --> Type **System Center Endpoint Protection** --> Go to **History** tab on SCEP Client window. | ||
| 1. You will notice Eicar Test Virus file under Quarantined items. | ||
|  | ||
|
|
||
| ## Detection using centralised OMS. | ||
|
|
||
| 1. Go to **Azure Portal** --> navigate to resource group **<case no>-virus-attack-on-vm** | ||
|  | ||
|
|
||
| 1. Go to **Log analytics** --> Click on **Log Search** --> Type query `search "eicar"` | ||
|  | ||
|
|
||
|  | ||
|
|
||
| You will notice events related to Quarantined items. It might take few minutes for OMS to pull logs from virtual machine, so if you don't get any search results, please try again after sometime. | ||
|
|
||
|
|
||
|
|
||
| <a name="teardown"></a> | ||
| ## Teardown Deployment | ||
|
|
||
| Run following command to clear all the resources deployed during the demo. | ||
|
|
||
| `.\scripts\cleanup.ps1 -Verbose` | ||
|
|
||
| Verification steps - | ||
| 1. Login to Azure Portal / Subscription | ||
| 2. Check if the ResourceGroup is deleted. | ||
|
|
||
|
|
||
|
|
||
| References - | ||
|
|
||
| http://www.eicar.org/ | ||
|
|
||
| https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware | ||
|
|
||
| https://docs.microsoft.com/en-us/azure/operations-management-suite/operations-management-suite-overview | ||
|
|
||
|
|
Oops, something went wrong.