diff --git a/scripts/ADDS/Register-ScheduledTask.ps1 b/scripts/ADDS/Register-ScheduledTask.ps1 index 57b7986..21973d6 100644 --- a/scripts/ADDS/Register-ScheduledTask.ps1 +++ b/scripts/ADDS/Register-ScheduledTask.ps1 @@ -4,4 +4,4 @@ Param( ) # Create scheduled task -& schtasks.exe /Create /TN 'OVF-Properties' /SC ONSTART /RU SYSTEM /TR "powershell.exe -file C:\Payload\Apply-OVFProperties.ps1" \ No newline at end of file +& schtasks.exe /Create /TN 'FirstBoot' /SC ONSTART /RU SYSTEM /TR "powershell.exe -file C:\Payload\Apply-FirstBootConfig.ps1" \ No newline at end of file diff --git a/scripts/ADDS/payload/Apply-OVFProperties.ps1 b/scripts/ADDS/payload/Apply-FirstBootConfig.ps1 similarity index 90% rename from scripts/ADDS/payload/Apply-OVFProperties.ps1 rename to scripts/ADDS/payload/Apply-FirstBootConfig.ps1 index 4a4bdd5..be4da5a 100644 --- a/scripts/ADDS/payload/Apply-OVFProperties.ps1 +++ b/scripts/ADDS/payload/Apply-FirstBootConfig.ps1 @@ -4,18 +4,23 @@ Param( # No parameters ) +$SetLocationSplat = @{ + Path = $PSScriptRoot +} +Set-Location @SetLocationSplat + $NewEventLogSplat = @{ LogName = 'Application' - Source = 'OVF-Properties' + Source = 'FirstBoot' ErrorAction = 'SilentlyContinue' } New-EventLog @NewEventLogSplat $WriteEventLogSplat = @{ LogName = 'Application' - Source = 'OVF-Properties' + Source = 'FirstBoot' EntryType = 'Information' EventID = 1 - Message = 'OVF-Properties sequence initiated' + Message = "FirstBoot sequence initiated [working directory: '$PWD']" } Write-EventLog @WriteEventLogSplat 
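Review bot: The new `Set-Location @SetLocationSplat` in Apply-FirstBootConfig.ps1 is an unstated contract that other files now depend on: the expressions in 03.Users.yml (last hunk of this diff) call `.\Provision-VaultPassword.ps1` relative to the working directory instead of `$PSScriptRoot`, so any script under Scripts\ that changes location without restoring it would make that call resolve somewhere else. State the dependency where it is created, e.g. `# Working directory must stay at $PSScriptRoot: Scripts\*.yml invoke Provision-VaultPassword.ps1 via .\`. A failed Set-Location is only a non-terminating error here and the sequence would continue from the wrong directory; `Set-Location @SetLocationSplat -ErrorAction Stop` makes it abort before any script runs.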
@@ -44,13 +49,13 @@ Switch ($ovfPropertyValues['deployment.type']) {
 # Mandatory values missing, cannot provision.
 $WriteEventLogSplat = @{
 LogName = 'Application'
- Source = 'OVF-Properties'
+ Source = 'FirstBoot'
 EntryType = 'Error'
 EventID = 66
 Message = "Unexpected or no value set for property 'deployment.type', cannot provision."
 }
 Write-EventLog @WriteEventLogSplat
- & schtasks.exe /Change /TN 'OVF-Properties' /DISABLE
+ & schtasks.exe /Change /TN 'FirstBoot' /DISABLE
 Stop-Computer -Force
 Exit
 }
@@ -64,13 +69,13 @@ If ($MissingProperties.Length -gt 0) {
 # Mandatory values missing, cannot provision.
 $WriteEventLogSplat = @{
 LogName = 'Application'
- Source = 'OVF-Properties'
+ Source = 'FirstBoot'
 EntryType = 'Error'
 EventID = 66
- Message = "Missing values for mandatory properties $(($MissingProperties | ForEach-Object {'{0}' -f $_}) -join ', '), cannot provision."
+ Message = "Missing values for mandatory properties $(($MissingProperties | ForEach-Object {"'{0}'" -f $_}) -join ', '), cannot provision."
 }
 Write-EventLog @WriteEventLogSplat
- & schtasks.exe /Change /TN 'OVF-Properties' /DISABLE
+ & schtasks.exe /Change /TN 'FirstBoot' /DISABLE
 Stop-Computer -Force
 Exit
 }
@@ -113,7 +118,7 @@ If ((Get-WmiObject -Class 'Win32_NetworkAdapterConfiguration').IPAddress -NotCon
 If ($Timestamp.AddMinutes($TimeoutMinutes) -lt (Get-Date)) {
 $WriteEventLogSplat = @{
 LogName = 'Application'
- Source = 'OVF-Properties'
+ Source = 'FirstBoot'
 EntryType = 'Warning'
 EventID = 13
 Message = "Timeout after $($TimeoutMinutes) minutes waiting for network connection to become available."
@@ -197,7 +202,7 @@ If ((4,5) -NotContains (Get-WmiObject -Class 'Win32_ComputerSystem').DomainRole)
 # Exit
 }
 Catch {
- & schtasks.exe /Change /TN 'OVF-Properties' /DISABLE
+ & schtasks.exe /Change /TN 'FirstBoot' /DISABLE
 Stop-Computer -Force
 Exit
 }
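Review bot: The `Catch {` in the -197 hunk disables the task and shuts the machine down without recording what failed, unlike the other failure paths in this file, which write EventID 66 first; the -221 hunk repeats the same pattern. After a failure an operator finds only a disabled 'FirstBoot' task and no event to start from. Add before the schtasks call `Write-EventLog -LogName 'Application' -Source 'FirstBoot' -EntryType 'Error' -EventId 66 -Message $_.Exception.Message` (or the file's splat form of it). The Try that this Catch belongs to starts outside the hunk.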
@@ -221,7 +226,7 @@ If ((4,5) -NotContains (Get-WmiObject -Class 'Win32_ComputerSystem').DomainRole)
 # Exit
 }
 Catch {
- & schtasks.exe /Change /TN 'OVF-Properties' /DISABLE
+ & schtasks.exe /Change /TN 'FirstBoot' /DISABLE
 Stop-Computer -Force
 Exit
 }
@@ -234,7 +239,7 @@ Do {
 If ($Timestamp.AddMinutes($TimeoutMinutes) -lt (Get-Date)) {
 $WriteEventLogSplat = @{
 LogName = 'Application'
- Source = 'OVF-Properties'
+ Source = 'FirstBoot'
 EntryType = 'Warning'
 EventID = 13
 Message = "Timeout after $($TimeoutMinutes) minutes waiting for Active Directory to become available."
@@ -257,25 +262,28 @@ Do {
 $GetItemSplat = @{
 Path = "$($PSScriptRoot)\Scripts\*.ps1"
 }
-Get-Item @GetItemSplat | ForEach-Object {
+ForEach ($Script in (Get-Item @GetItemSplat)) {
 Try {
 $WriteEventLogSplat = @{
 LogName = 'Application'
- Source = 'OVF-Properties'
+ Source = 'FirstBoot'
 EntryType = 'Information'
 EventID = 4
- Message = "Running script: '$($_.FullName)'"
+ Message = "Running script: '$($Script.FullName)'"
 }
 Write-EventLog @WriteEventLogSplat
- & $_.FullName -Parameter $ovfPropertyValues
+ & $Script.FullName -Parameter $ovfPropertyValues
 }
 Catch {
 $WriteEventLogSplat = @{
 LogName = 'Application'
- Source = 'OVF-Properties'
+ Source = 'FirstBoot'
 EntryType = 'Error'
 EventID = 66
- Message = $_.Exception.Message
+ Message = @"
+Error occurred while executing script '$($Script.Name)':
+$($_.Exception.Message)
+"@
 }
 Write-EventLog @WriteEventLogSplat
 }
@@ -283,10 +291,10 @@ Get-Item @GetItemSplat | ForEach-Object {
 
 $WriteEventLogSplat = @{
 LogName = 'Application'
- Source = 'OVF-Properties'
+ Source = 'FirstBoot'
 EntryType = 'Information'
 EventID = 42
- Message = 'OVF-Properties sequence applied and finished'
+ Message = 'FirstBoot sequence applied and finished'
 }
 Write-EventLog @WriteEventLogSplat
-& schtasks.exe /Change /TN 'OVF-Properties' /DISABLE
+& schtasks.exe /Change /TN 'FirstBoot' /DISABLE
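Review bot: `ForEach ($Script in (Get-Item @GetItemSplat)) {` in the -257 hunk runs the scripts in whatever order the provider enumerates them; if the .ps1 files carry numeric prefixes like 03.Users.yml does, that order matters and should be explicit: `ForEach ($Script in (Get-Item @GetItemSplat | Sort-Object -Property Name)) {`. Because the task registered in Register-ScheduledTask.ps1 runs this file as SYSTEM, every file matching `$PSScriptRoot\Scripts\*.ps1` executes with that privilege, so the payload directory must not be writable by non-administrators — worth a comment above the loop, e.g. `# Executed as SYSTEM by the FirstBoot task: Scripts\ must be writable by administrators only`. The `Catch {` below only sees terminating errors, so a script that emits non-terminating errors is logged as started (EventID 4) but never as failed; if the scripts declare CmdletBinding, `-ErrorAction Stop` at the `&` call closes that gap.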
diff --git a/scripts/ADDS/payload/Provision-VaultPassword.ps1 b/scripts/ADDS/payload/Provision-VaultPassword.ps1 index 046f56d..881e298 100644 --- a/scripts/ADDS/payload/Provision-VaultPassword.ps1 +++ b/scripts/ADDS/payload/Provision-VaultPassword.ps1 @@ -7,15 +7,16 @@ Param( [Parameter()] [string]$VaultPwPolicy, [Parameter(Mandatory)] - [string]$VaulSecret, + [string]$VaultSecret, [Parameter(Mandatory)] [string]$Username ) # Generate new password $InvokeWebRequestSplat = @{ - Uri = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate" - Headers = @{'X-Vault-Token'="$VaultToken"} + Uri = "$($VaultAPIAddress)/sys/policies/password/$($VaultPwPolicy)/generate" + Headers = @{'X-Vault-Token'="$VaultToken"} + UseBasicParsing = $True } $NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password @@ -23,13 +24,13 @@ $NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).dat $Response, $ErrResponse = $Null, $Null Try { $InvokeWebRequestSplat = @{ - Uri = "$(VaultAPIAddress)/secret/metadata/$($VaultSecret)" + Uri = "$($VaultAPIAddress)/secret/metadata/$($VaultSecret)" Headers = @{'X-Vault-Token' = "$VaultToken"} UseBasicParsing = $True } $Response = Invoke-WebRequest @InvokeWebRequestSplat } -Catch { +Catch [System.Net.WebException] { $StreamReader = [System.IO.StreamReader]::new($_.Exception.Response.GetResponseStream()) $StreamReader.BaseStream.Position = 0 $ErrResponse = $StreamReader.ReadToEnd() @@ -39,7 +40,7 @@ Catch { If ([boolean]$Response) { # Secret already exists; retrieve existing key/value pairs $InvokeWebRequestSplat = @{ - Uri = "$(VaultAPIAddress)/secret/data/$($VaultSecret)" + Uri = "$($VaultAPIAddress)/secret/data/$($VaultSecret)" Headers = @{'X-Vault-Token' = "$VaultToken"} UseBasicParsing = $True } 
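Review bot: The `Uri = "$($VaultAPIAddress)/sys/policies/password/$($VaultPwPolicy)/generate"` line sends `X-Vault-Token` to whatever scheme `$VaultAPIAddress` carries, and nothing in the script checks that it is https, so a misconfigured `vault.api` property would send the token in clear. `$VaultAPIAddress` is presumably declared in the Param block above the hunk; constrain it there with `[ValidatePattern('^https://')]`. `$VaultPwPolicy` and `$VaultSecret` are also interpolated into the URL path unescaped; if they can contain anything other than a plain policy or secret name, wrap them in `[uri]::EscapeDataString(...)`.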
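Review bot: `Catch [System.Net.WebException] {` still treats every HTTP failure of the metadata lookup as "secret does not exist": `$ErrResponse` is set for a 403, a 5xx or a sealed Vault exactly as for a 404, and the `ElseIf ([boolean]$ErrResponse)` branch in the -56 hunk then POSTs a version containing only this user's password, which on a KV v2 mount replaces the existing key set. Only a 404 should reach that branch; anything else should propagate. `$_.Exception.Response` is also null when no response was received at all (DNS or connect failure), in which case `.GetResponseStream()` throws inside the Catch, and the StreamReader is never disposed. The Catch body continues past the end of the hunk.
```powershell
Catch [System.Net.WebException] {
    # Only 404 means "no such secret"; any other failure must not fall through to the
    # create-new-secret branch, which would replace the existing key/value set.
    $HttpResponse = $_.Exception.Response
    If (($Null -eq $HttpResponse) -or ($HttpResponse.StatusCode -ne [System.Net.HttpStatusCode]::NotFound)) {
        Throw
    }
    $StreamReader = [System.IO.StreamReader]::new($HttpResponse.GetResponseStream())
    Try {
        $StreamReader.BaseStream.Position = 0
        $ErrResponse = $StreamReader.ReadToEnd()
    }
    Finally {
        $StreamReader.Dispose()
    }
    # … unchanged: remainder of the Catch block …
```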
@@ -56,28 +57,30 @@ If ([boolean]$Response) { # Store as new version $InvokeWebRequestSplat = @{ - Uri = "$($VaultAPIAddress)/secret/data/$($VaulSecret)" - Method = 'POST' - Headers = @{'X-Vault-Token'="$VaultToken"} - Body = @{ + Uri = "$($VaultAPIAddress)/secret/data/$($VaultSecret)" + Method = 'POST' + UseBasicParsing = $True + Headers = @{'X-Vault-Token'="$VaultToken"} + Body = @{ data = $Secret.data } | ConvertTo-Json } - Invoke-WebRequest @InvokeWebRequestSplat + Invoke-WebRequest @InvokeWebRequestSplat | Out-Null } ElseIf ([boolean]$ErrResponse) { # Secret did not exist yet, store as new secret $InvokeWebRequestSplat = @{ - Uri = "$($VaultAPIAddress)/secret/data/$($VaulSecret)" - Method = 'POST' - Headers = @{'X-Vault-Token'="$VaultToken"} - Body = @{ + Uri = "$($VaultAPIAddress)/secret/data/$($VaultSecret)" + Method = 'POST' + UseBasicParsing = $True + Headers = @{'X-Vault-Token'="$VaultToken"} + Body = @{ data = @{ "password.$($Username)" = $NewPassword } } | ConvertTo-Json } - Invoke-WebRequest @InvokeWebRequestSplat + Invoke-WebRequest @InvokeWebRequestSplat | Out-Null } Return $NewPassword \ No newline at end of file diff --git a/scripts/ADDS/payload/scripts/03.Users.yml b/scripts/ADDS/payload/scripts/03.Users.yml index 83469be..10fd71b 100644 --- a/scripts/ADDS/payload/scripts/03.Users.yml +++ b/scripts/ADDS/payload/scripts/03.Users.yml 
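Review bot: Both `Body = @{ ... } | ConvertTo-Json` writes in this hunk are unconditional: the read-modify-write in the `If` branch has no check-and-set, so two provisioning runs (or any other writer) interleaving on the same secret silently lose one of the updates. If `$Secret` is the `.data` object of the KV v2 read (it appears to be, given `$Secret.data`), pass its version along: `Body = @{ options = @{ cas = $Secret.metadata.version }; data = $Secret.data } | ConvertTo-Json`, and use `options = @{ cas = 0 }` in the create branch so the write fails instead of overwriting if the secret appeared in the meantime. The `If` this hunk sits in starts outside the hunk, and `$Secret` is built above it.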
@@ -16,13 +16,13 @@ Users:
 Variables:
 - Name: password.janedoe
 Expression: |
- & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -VaulSecret $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
+ & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
 - Name: password.johndoe
 Expression: |
- & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -VaulSecret $Parameter['vault.secret'] -Username 'johndoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
+ & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'johndoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
 - Name: password.amdjaned
 Expression: |
- & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -VaulSecret $Parameter['vault.secret'] -Username 'amdjaned' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
+ & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'amdjaned' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
 - Name: password.zzldap
 Expression: |
- & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -VaulSecret $Parameter['vault.secret'] -Username 'zzldap' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
+ & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'zzldap' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy 
$Parameter['vault.pwpolicy']