Adding timestamps to scripts, Vagrantfile_prebuilt, logo

Packer/scripts/compact.bat

@@ -1,39 +1,32 @@
-if "%PACKER_BUILDER_TYPE:~0,6%"=="hyperv" (
+if not exist "C:\Windows\Temp\7z1900-x64.msi" (
-  echo "Skip compact steps in Hyper-V build."
+  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://www.7-zip.org/a/7z1900-x64.msi', 'C:\Windows\Temp\7z1900-x64.msi')" <NUL
-  goto :eof
 )
-if not exist "C:\Windows\Temp\7z920-x64.msi" (
+msiexec /qb /i C:\Windows\Temp\7z1900-x64.msi
-	powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
-)
-msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
 
 if not exist "C:\Windows\Temp\ultradefrag.zip" (
-	powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/project/ultradefrag/stable-release/6.1.0/ultradefrag-portable-6.1.0.bin.amd64.zip', 'C:\Windows\Temp\ultradefrag.zip')" <NUL
+  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://downloads.sourceforge.net/project/ultradefrag/stable-release/6.1.0/ultradefrag-portable-6.1.0.bin.amd64.zip', 'C:\Windows\Temp\ultradefrag.zip')" <NUL
 )
 
 if not exist "C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe" (
-	cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\ultradefrag.zip -oC:\Windows\Temp"
+  cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\ultradefrag.zip -oC:\Windows\Temp"
 )
 
 if not exist "C:\Windows\Temp\SDelete.zip" (
-  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.sysinternals.com/files/SDelete.zip', 'C:\Windows\Temp\SDelete.zip')" <NUL
+  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://download.sysinternals.com/files/SDelete.zip', 'C:\Windows\Temp\SDelete.zip')" <NUL
   powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://vagrantboxes.blob.core.windows.net/box/sdelete/v1.6.1/sdelete.exe', 'C:\Windows\Temp\sdelete.exe')" <NUL
 )
 
 if not exist "C:\Windows\Temp\sdelete.exe" (
-	cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\SDelete.zip -oC:\Windows\Temp"
+  cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\SDelete.zip -oC:\Windows\Temp"
 )
 
-msiexec /qb /x C:\Windows\Temp\7z920-x64.msi
+msiexec /qb /x C:\Windows\Temp\7z1900-x64.msi
 
-net stop wuauserv
+net stop wuauserv 1> nul 2>&1
 rmdir /S /Q C:\Windows\SoftwareDistribution\Download
 mkdir C:\Windows\SoftwareDistribution\Download
 net start wuauserv
 
-if "%PACKER_BUILDER_TYPE%" neq "hyperv-iso" (
+cmd /c C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe --optimize --repeat C:
-	cmd /c C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe --optimize --repeat C:
+cmd /c %SystemRoot%\System32\reg.exe ADD HKCU\Software\Sysinternals\SDelete /v EulaAccepted /t REG_DWORD /d 1 /f
-
+cmd /c C:\Windows\Temp\sdelete.exe -q -z C:
-	cmd /c %SystemRoot%\System32\reg.exe ADD HKCU\Software\Sysinternals\SDelete /v EulaAccepted /t REG_DWORD /d 1 /f
-	cmd /c C:\Windows\Temp\sdelete.exe -q -z C:
-)

Packer/scripts/vm-guest-tools.bat

@@ -1,67 +1,51 @@
-if not exist "C:\Windows\Temp\7z920-x64.msi" (
+if not exist "C:\Windows\Temp\7z1900-x64.msi" (
-    powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'https://astuteinternet.dl.sourceforge.net/project/sevenzip/7-Zip/9.20/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi'" <NUL
+  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://www.7-zip.org/a/7z1900-x64.msi', 'C:\Windows\Temp\7z1900-x64.msi')" <NUL
 )
-if not exist "C:\Windows\Temp\7z920-x64.msi" (
+if not exist "C:\Windows\Temp\7z1900-x64.msi" (
-    powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'http://www.7-zip.org/a/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi')" <NUL
+  powershell -Command "Start-Sleep 5 ; (New-Object System.Net.WebClient).DownloadFile('https://www.7-zip.org/a/7z1900-x64.msi', 'C:\Windows\Temp\7z1900-x64.msi')" <NUL
 )
-msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
+msiexec /qb /i C:\Windows\Temp\7z1900-x64.msi
 
 if "%PACKER_BUILDER_TYPE%" equ "vmware-iso" goto :vmware
 if "%PACKER_BUILDER_TYPE%" equ "virtualbox-iso" goto :virtualbox
-if "%PACKER_BUILDER_TYPE%" equ "parallels-iso" goto :parallels
 goto :done
 
 :vmware
 
 if exist "C:\Users\vagrant\windows.iso" (
-    move /Y C:\Users\vagrant\windows.iso C:\Windows\Temp
+  move /Y C:\Users\vagrant\windows.iso C:\Windows\Temp
 )
 
 if not exist "C:\Windows\Temp\windows.iso" (
-    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://softwareupdate.vmware.com/cds/vmw-desktop/ws/14.1.3/9474260/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL
+  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://softwareupdate.vmware.com/cds/vmw-desktop/ws/15.0.4/12990004/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL
-    cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\vmware-tools.tar -oC:\Windows\Temp"
+  cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\vmware-tools.tar -oC:\Windows\Temp"
-    FOR /r "C:\Windows\Temp" %%a in (VMware-tools-windows-*.iso) DO REN "%%~a" "windows.iso"
+  FOR /r "C:\Windows\Temp" %%a in (VMware-tools-windows-*.iso) DO REN "%%~a" "windows.iso"
-    rd /S /Q "C:\Program Files (x86)\VMWare"
+  rd /S /Q "C:\Program Files (x86)\VMWare"
 )
 
 cmd /c ""C:\Program Files\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare"
 cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
 
-sc query vmtools > NUL
+del /Q "C:\Windows\Temp\vmware-tools.tar"
-IF ERRORLEVEL 1060 cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
+del /Q "C:\Windows\Temp\windows.iso"
-sc query vmtools > NUL
-IF ERRORLEVEL 1060 ECHO "Unable to install VMware Tools." & exit /b 1
-
-rd /Q "C:\Windows\Temp\vmware-tools.tar"
-rd /Q "C:\Windows\Temp\windows.iso"
 rd /S /Q "C:\Windows\Temp\VMware"
 goto :done
 
 :virtualbox
 
 if exist "C:\Users\vagrant\VBoxGuestAdditions.iso" (
-    move /Y C:\Users\vagrant\VBoxGuestAdditions.iso C:\Windows\Temp
+  move /Y C:\Users\vagrant\VBoxGuestAdditions.iso C:\Windows\Temp
 )
 
 if not exist "C:\Windows\Temp\VBoxGuestAdditions.iso" (
-    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.2.16/VBoxGuestAdditions_5.2.16.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
+  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://download.virtualbox.org/virtualbox/5.2.26/VBoxGuestAdditions_5.2.26.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
 )
 
 cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\VBoxGuestAdditions.iso -oC:\Windows\Temp\virtualbox"
-certutil -addstore -f "TrustedPublisher" C:\Windows\Temp\virtualbox\cert\vbox-sha256-r3.cer
+cmd /c for %%i in (C:\Windows\Temp\virtualbox\cert\vbox*.cer) do C:\Windows\Temp\virtualbox\cert\VBoxCertUtil add-trusted-publisher %%i --root %%i
-certutil -addstore -f "TrustedPublisher" C:\Windows\Temp\virtualbox\cert\vbox-sha256.cer
-certutil -addstore -f "TrustedPublisher" C:\Windows\Temp\virtualbox\cert\vbox-sha1.cer
 cmd /c C:\Windows\Temp\virtualbox\VBoxWindowsAdditions.exe /S
 rd /S /Q "C:\Windows\Temp\virtualbox"
 goto :done
 
-:parallels
-if exist "C:\Users\vagrant\prl-tools-win.iso" (
-	move /Y C:\Users\vagrant\prl-tools-win.iso C:\Windows\Temp
-	cmd /C "C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\prl-tools-win.iso -oC:\Windows\Temp\parallels
-	cmd /C C:\Windows\Temp\parallels\PTAgent.exe /install_silent
-	rd /S /Q "C:\Windows\Temp\parallels"
-)
-
 :done
-msiexec /qb /x C:\Windows\Temp\7z920-x64.msi
+msiexec /qb /x C:\Windows\Temp\7z1900-x64.msi

README.md

@@ -1,3 +1,4 @@
+![DetectionLab](./img/DetectionLab.png)
 # Detection Lab
 DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing.
 

Vagrant/Vagrantfile_Prebuilt

@@ -0,0 +1,120 @@
+Vagrant.configure("2") do |config|
+
+  config.vm.define "logger" do |cfg|
+    cfg.vm.box = "bento/ubuntu-16.04"
+    cfg.vm.hostname = "logger"
+    config.vm.provision :shell, path: "bootstrap.sh"
+    cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
+
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      v.vmx["displayname"] = "logger"
+      v.memory = 4096
+      v.cpus = 2
+      v.gui = true
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.name = "logger"
+      vb.customize ["modifyvm", :id, "--memory", 4096]
+      vb.customize ["modifyvm", :id, "--cpus", 2]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+
+  config.vm.define "dc" do |cfg|
+    cfg.vm.box = "detectionlab/dc-prebuilt"
+    cfg.vm.hostname = "dc"
+    cfg.vm.boot_timeout = 600
+    cfg.winrm.transport = :plaintext
+    cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
+    cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1"
+
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      v.vmx["displayname"] = "dc.windomain.local"
+      v.memory = 3072
+      v.cpus = 2
+      v.gui = true
+      v.enable_vmrun_ip_lookup = false
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.name = "dc.windomain.local"
+      vb.default_nic_type = "82545EM"
+      vb.customize ["modifyvm", :id, "--memory", 3072]
+      vb.customize ["modifyvm", :id, "--cpus", 2]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+
+  config.vm.define "wef" do |cfg|
+    cfg.vm.box = "detectionlab/wef-prebuilt"
+    cfg.vm.hostname = "wef"
+    cfg.vm.boot_timeout = 600
+    cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
+    cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
+
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      v.vmx["displayname"] = "wef.windomain.local"
+      v.memory = 2048
+      v.cpus = 2
+      v.gui = true
+      v.enable_vmrun_ip_lookup = false
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.name = "wef.windomain.local"
+      vb.default_nic_type = "82545EM"
+      vb.customize ["modifyvm", :id, "--memory", 2048]
+      vb.customize ["modifyvm", :id, "--cpus", 2]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+
+  config.vm.define "win10" do |cfg|
+    cfg.vm.box = "detectionlab/win10-prebuilt"
+    cfg.vm.hostname = "win10"
+    cfg.vm.boot_timeout = 600
+    cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
+    cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
+
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      v.vmx["displayname"] = "win10.windomain.local"
+      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+      v.enable_vmrun_ip_lookup = false
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.name = "win10.windomain.local"
+      vb.default_nic_type = "82545EM"
+      vb.customize ["modifyvm", :id, "--memory", 2048]
+      vb.customize ["modifyvm", :id, "--cpus", 1]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+end

Vagrant/bootstrap.sh

@@ -9,17 +9,17 @@ apt_install_prerequisites() {
   # Add repository for apt-fast
   add-apt-repository -y ppa:apt-fast/stable
   # Install prerequisites and useful tools
-  echo "Running apt-get update..."
+  echo "[$(date +%H:%M:%S)]: Running apt-get update..."
   apt-get -qq update
   apt-get -qq install -y apt-fast
-  echo "Running apt-fast install..."
+  echo "[$(date +%H:%M:%S)]: Running apt-fast install..."
   apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip
 }
 
 test_prerequisites() {
   for package in jq whois build-essential git docker docker-compose unzip
   do
-    echo "[TEST] Validating that $package is correctly installed..."
+    echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
     # Loop through each package using dpkg
     if ! dpkg -S $package > /dev/null; then
       # If which returns a non-zero return code, try to re-install the package
@@ -53,9 +53,9 @@ fix_eth1_static_ip() {
     ifup eth1
     ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
     if [ "$ETH1_IP" == "192.168.38.105" ]; then
-      echo "The static IP has been fixed and set to 192.168.38.105"
+      echo "[$(date +%H:%M:%S)]: The static IP has been fixed and set to 192.168.38.105"
     else
-      echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
+      echo "[$(date +%H:%M:%S)]: Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
       exit 1
     fi
   fi
@@ -63,37 +63,37 @@ fix_eth1_static_ip() {
 
 install_golang() {
   if ! which go > /dev/null; then
-    echo "Installing Golang v.1.12..."
+    echo "[$(date +%H:%M:%S)]: Installing Golang v.1.12..."
     cd /home/vagrant || exit
     wget --progress=bar:force https://dl.google.com/go/go1.12.linux-amd64.tar.gz
     tar -C /usr/local -xzf go1.12.linux-amd64.tar.gz
     mkdir /root/go
   else
-    echo "Golang seems to be installed already. Skipping."
+    echo "[$(date +%H:%M:%S)]: Golang seems to be installed already. Skipping."
   fi
 }
 
 install_splunk() {
   # Check if Splunk is already installed
   if [ -f "/opt/splunk/bin/splunk" ]; then
-    echo "Splunk is already installed"
+    echo "[$(date +%H:%M:%S)]: Splunk is already installed"
   else
-    echo "Installing Splunk..."
+    echo "[$(date +%H:%M:%S)]: Installing Splunk..."
     # Get download.splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
     dig @8.8.8.8 download.splunk.com > /dev/null
     dig @8.8.8.8 splunk.com > /dev/null
     mkdir splunk
 
     # Try to resolve the latest version of Splunk by parsing the HTML on the downloads page
-    echo "Attempting to autoresolve the latest version of Splunk..."
+    echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..."
     LATEST_SPLUNK=$(curl https://www.splunk.com/en_us/download/splunk-enterprise.html | grep -i deb | grep -Eo "data-link=\"................................................................................................................................" | cut -d '"' -f 2)
     # Sanity check what was returned from the auto-parse attempt
     if [[ "$(echo $LATEST_SPLUNK | grep -c "^https:")" -eq 1 ]] && [[ "$(echo $LATEST_SPLUNK | grep -c "\.deb$")" -eq 1 ]]; then
-      echo "The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK"
+      echo "[$(date +%H:%M:%S)]: The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK"
-      echo "Attempting to download..."
+      echo "[$(date +%H:%M:%S)]: Attempting to download..."
       wget --progress=bar:force -P splunk/ "$LATEST_SPLUNK"
     else
-      echo "Unable to auto-resolve the latest Splunk version. Falling back to hardcoded URL..."
+      echo "[$(date +%H:%M:%S)]: Unable to auto-resolve the latest Splunk version. Falling back to hardcoded URL..."
       # Download Hardcoded Splunk
       wget --progress=bar:force -O splunk/splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.6&product=splunk&filename=splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb&wget=true'
     fi
@@ -129,11 +129,11 @@ install_splunk() {
     sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
 
     # Skip Splunk Tour and Change Password Dialog
-    echo "Disabling the Splunk tour prompt..."
+    echo "[$(date +%H:%M:%S)]: Disabling the Splunk tour prompt..."
     touch /opt/splunk/etc/.ui_login
     mkdir /opt/splunk/etc/users/admin/search/local
     echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/users/admin/search/local/ui-tour.conf
-    
+
     # Enable SSL Login for Splunk
     echo -e "[settings]\nenableSplunkWebSSL = true" > /opt/splunk/etc/system/local/web.conf
     # Reboot Splunk to make changes take effect
@@ -147,9 +147,9 @@ install_splunk() {
 install_fleet() {
   # Install Fleet
   if [ -f "/home/vagrant/kolide-quickstart" ]; then
-    echo "Fleet is already installed"
+    echo "[$(date +%H:%M:%S)]: Fleet is already installed"
   else
-    echo "Installing Fleet..."
+    echo "[$(date +%H:%M:%S)]: Installing Fleet..."
     echo -e "\n127.0.0.1       kolide" >> /etc/hosts
     echo -e "\n127.0.0.1       logger" >> /etc/hosts
     git clone https://github.com/kolide/kolide-quickstart.git
@@ -168,10 +168,10 @@ install_fleet() {
 
 download_palantir_osquery_config() {
   if [ -f /home/vagrant/osquery-configuration ]; then
-    echo "osquery configs have already been downloaded"
+    echo "[$(date +%H:%M:%S)]: osquery configs have already been downloaded"
   else
     # Import Palantir osquery configs into Fleet
-    echo "Downloading Palantir configs..."
+    echo "[$(date +%H:%M:%S)]: Downloading Palantir osquery configs..."
     git clone https://github.com/palantir/osquery-configuration.git
   fi
 }
@@ -198,6 +198,7 @@ import_osquery_config_into_fleet() {
 }
 
 install_bro() {
+  echo "[$(date +%H:%M:%S)]: Installing Bro..."
   # Environment variables
   NODECFG=/opt/bro/etc/node.cfg
   SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
@@ -279,7 +280,7 @@ install_bro() {
 
 install_suricata() {
   # Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts
-
+  echo "[$(date +%H:%M:%S)]: Installing Suricata..."
   # Install yq to maniuplate the suricata.yaml inline
   /usr/local/go/bin/go get -u github.com/mikefarah/yq
 
@@ -344,7 +345,7 @@ install_suricata() {
 test_suricata_prerequisites() {
   for package in suricata crudini
   do
-    echo "[TEST] Validating that $package is correctly installed..."
+    echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
     # Loop through each package using dpkg
     if ! dpkg -S $package > /dev/null; then
       # If which returns a non-zero return code, try to re-install the package
@@ -361,7 +362,7 @@ test_suricata_prerequisites() {
   done
 
   # One-off support for packages which aren't installed via dpkg
-  echo "[TEST] Validating that yq is correctly installed..."
+  echo "[$(date +%H:%M:%S)]: [TEST] Validating that yq is correctly installed..."
   # Check if the binary exists
   if ! [ -f /root/go/bin/yq ]; then
     # If it doesn't exist, try to re-install the package

Vagrant/scripts/MakeWindows10GreatAgain.ps1

@@ -1,20 +1,20 @@
 # Import the registry keys
-Write-Host "Making Windows 10 Great again"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Making Windows 10 Great again"
-Write-Host "Importing registry keys..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing registry keys..."
 regedit /s a:\MakeWindows10GreatAgain.reg
 
 # Remove OneDrive from the System
-Write-Host "Removing OneDrive..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing OneDrive..."
 $onedrive = Get-Process onedrive -ErrorAction SilentlyContinue
 if ($onedrive) {
   taskkill /f /im OneDrive.exe
 }
 c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
 
-Write-Host "Running Update-Help..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Running Update-Help..."
 Update-Help -Force -ErrorAction SilentlyContinue
 
-Write-Host "Removing Microsoft Store and Edge shortcuts from the taskbar..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing Microsoft Store and Edge shortcuts from the taskbar..."
 $appname = "Microsoft Edge"
 ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
 $appname = "Microsoft Store"
@@ -22,13 +22,13 @@ $appname = "Microsoft Store"
 $appname = "Mail"
 ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
 
-Write-Host "Disabling automatic screen turnoff in order to prevent screen locking..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling automatic screen turnoff in order to prevent screen locking..."
 powercfg -change -monitor-timeout-ac 0
 powercfg -change -standby-timeout-ac 0
 powercfg -change -hibernate-timeout-ac 0
 
 # Download and install ShutUp10
-Write-Host "Downloading ShutUp10..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading ShutUp10..."
 [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
 $shutUp10DownloadUrl = "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
 $shutUp10RepoPath = "C:\Users\vagrant\AppData\Local\Temp\OOSU10.exe"

Vagrant/scripts/configure-AuditingPolicyGPOs.ps1

@@ -1,5 +1,5 @@
 # Purpose: Installs the GPOs for the custom WinEventLog auditing policy.
-Write-Host "Configuring auditing policy GPOS..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Configuring auditing policy GPOs..."
 $GPOName = 'Domain Controllers Enhanced Auditing Policy'
 $OU = "ou=Domain Controllers,dc=windomain,dc=local"
 Write-Host "Importing $GPOName..."
@@ -17,7 +17,7 @@ else
 }
 $GPOName = 'Servers Enhanced Auditing Policy'
 $OU = "ou=Servers,dc=windomain,dc=local"
-Write-Host "Importing $GPOName..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing $GPOName..."
 Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
 $gpLinks = $null
 $gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
@@ -32,8 +32,8 @@ else
 }
 
 $GPOName = 'Workstations Enhanced Auditing Policy'
-$OU = "ou=Workstations,dc=windomain,dc=local" 
+$OU = "ou=Workstations,dc=windomain,dc=local"
-Write-Host "Importing $GPOName..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing $GPOName..."
 Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
 $gpLinks = $null
 $gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
@@ -46,4 +46,3 @@ else
 {
     Write-Host "GpLink $GPOName already linked on $OU. Moving On."
 }
-

Vagrant/scripts/configure-ou.ps1

@@ -1,6 +1,6 @@
 # Purpose: Sets up the Server and Workstations OUs
 
-Write-Host "Checking AD services status..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking AD services status..."
 $svcs = "adws","dns","kdc","netlogon"
 Get-Service -name $svcs -ComputerName localhost | Select Machinename,Name,Status
 
@@ -11,8 +11,8 @@ Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.102    d
 ping /n 1 dc.windomain.local
 ping /n 1 windomain.local
 
-Write-Host "Creating Server and Workstation OUs..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..."
-Write-Host "Creating Servers OU..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Servers OU..."
 
 if (!([ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")))
 {
@@ -23,7 +23,7 @@ else
     Write-Host "Servers OU already exists. Moving On."
 }
 
-Write-Host "Creating Workstations OU"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU"
 if (!([ADSI]::Exists("LDAP://OU=Workstations,DC=windomain,DC=local")))
 {
   New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"

Vagrant/scripts/configure-powershelllogging.ps1

@@ -1,5 +1,5 @@
 # Purpose: Install the GPO that specifies the WEF collector
-Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
 Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded
 $OU = "ou=Workstations,dc=windomain,dc=local"
 $gPLinks = $null

Vagrant/scripts/configure-pslogstranscriptsshare.ps1

@@ -1,6 +1,6 @@
 # Purpose: Configure an SMB share for Powershell transcription logs to be written to
 # Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
-Write-Host "Configuring the Powershell Transcripts Share"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Configuring the Powershell Transcripts Share"
 If (-not (Test-Path c:\pslogs))
 {
     md c:\pslogs

Vagrant/scripts/configure-rdp-user-gpo.ps1

@@ -1,5 +1,5 @@
 # Purpose: Install the GPO that allows windomain\vagrant to RDP
-Write-Host "Importing the GPO to allow windomain/vagrant to RDP..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to allow windomain/vagrant to RDP..."
 Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded
 
 $OU = "ou=Workstations,dc=windomain,dc=local"

Vagrant/scripts/configure-wef-gpo.ps1

@@ -1,9 +1,10 @@
 # Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger
-Write-Host "Importing the GPO to specify the WEF collector"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to specify the WEF collector"
 $GPOName = 'Windows Event Forwarding Server'
 Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
 $gpLinks = $null
 $OU = "OU=Servers,dc=windomain,dc=local"
+
 $gPLinks = Get-ADOrganizationalUnit -Server "dc.windomain.local" -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
 $GPO = Get-GPO -Name $GPOName
 If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
@@ -33,7 +34,7 @@ If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
     Write-Host "GpLink $GPOName already linked on $OU. Moving On."
 }
 
-Write-Host "Importing the GPO to modify ACLs on Custom Event Channels"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to modify ACLs on Custom Event Channels"
 
 $GPOName = 'Custom Event Channel Permissions'
 Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded

Vagrant/scripts/create-domain.ps1

@@ -8,11 +8,11 @@ $domain= "windomain.local"
 
 if ((gwmi win32_computersystem).partofdomain -eq $false) {
 
-  Write-Host 'Installing RSAT tools'
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing RSAT tools"
   Import-Module ServerManager
   Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
 
-  Write-Host 'Creating domain controller'
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating domain controller..."
   # Disable password complexity policy
   secedit /export /cfg C:\secpol.cfg
   (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
@@ -48,13 +48,13 @@ if ((gwmi win32_computersystem).partofdomain -eq $false) {
   $newDNSServers = "127.0.0.1", "8.8.8.8", "4.4.4.4"
   $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -And ($_.IPAddress).StartsWith($subnet) }
   if ($adapters) {
-    Write-Host Setting DNS
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting DNS"
     $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
   }
-  Write-Host "Setting timezone to UTC"
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC"
   c:\windows\system32\tzutil.exe /s "UTC"
-  
+
-  Write-Host "Excluding NAT interface from DNS"
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Excluding NAT interface from DNS"
   $nics=Get-WmiObject "Win32_NetworkAdapterConfiguration where IPEnabled='TRUE'" |? { $_.IPAddress[0] -ilike "172.25.*" }
   $dnslistenip=$nics.IPAddress
   $dnslistenip
@@ -74,11 +74,11 @@ if ((gwmi win32_computersystem).partofdomain -eq $false) {
  foreach($RR in $RRs)
  {
   if ( (Select-Object  -InputObject $RR HostName,RecordType -ExpandProperty RecordData).IPv4Address -ilike "10.*")
-  { 
+  {
    Remove-DnsServerResourceRecord -ZoneName $domain -RRType A -Name "@" -RecordData $RR.RecordData.IPv4Address -Confirm
   }
 
  }
   Restart-Service DNS
-  
+
 }

Vagrant/scripts/download_palantir_osquery.ps1

@@ -1,6 +1,6 @@
 # Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
 # The items from this config file are used later in install-osquery.ps1
-Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading and unzipping the Palantir osquery Repo from Github..."
 
 $osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
 if (-not (Test-Path $osqueryRepoPath))
@@ -14,4 +14,4 @@ else
 {
     Write-Host "$osqueryRepoPath already exists. Moving On."
 }
-Write-Host "Palantir osquery config download complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir osquery config download complete!"

Vagrant/scripts/download_palantir_wef.ps1

@@ -1,6 +1,6 @@
 # Purpose: Downloads and unzips a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
 
-Write-Host "Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github..."
 
 $wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip'
 
@@ -15,4 +15,4 @@ else
 {
     Write-Host "$wefRepoPath already exists. Moving On."
 }
-Write-Host "Palantir WEF download complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir WEF download complete!"

Vagrant/scripts/fix-second-network.ps1

@@ -5,6 +5,7 @@ if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
   Write-Host "Nothing to do for other providers than VMware."
   exit 0
 }
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date))"
 Write-Host "Setting IP address and DNS information for the Ethernet1 interface"
 Write-Host "If this step times out, it's because vagrant is connecting to the VM on the wrong interface"
 Write-Host "See https://github.com/clong/DetectionLab/issues/114 for more information"

Vagrant/scripts/install-autorunstowineventlog.ps1

@@ -1,6 +1,6 @@
 # Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 # TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk
-Write-Host "Installing AutorunsToWinEventLog..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing AutorunsToWinEventLog..."
 If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
 {
     . c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1

Vagrant/scripts/install-bginfo.ps1

@@ -1,5 +1,6 @@
 # Installs BGInfo on the host for easy identification
 # Source: https://github.com/StefanScherer/adfs2
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing BGInfo..."
 if (!(Test-Path 'c:\Program Files\sysinternals')) {
   New-Item -Path 'c:\Program Files\sysinternals' -type directory -Force -ErrorAction SilentlyContinue
 }

Vagrant/scripts/install-choco-extras.ps1

@@ -1,6 +1,6 @@
 # Purpose: Install additional packages from Chocolatey.
 
-Write-Host "Installing additional Choco packages..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing additional Choco packages..."
 
 If (-not (Test-Path "C:\ProgramData\chocolatey")) {
   Write-Host "Installing Chocolatey"
@@ -13,4 +13,4 @@ Write-Host "Installing Chocolatey extras..."
 choco install -y --limit-output --no-progress wireshark
 choco install -y --limit-output --no-progress winpcap
 
-Write-Host "Choco addons complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Choco addons complete!"

Vagrant/scripts/install-inputsconf.ps1

@@ -1,6 +1,6 @@
 # Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts
 
-Write-Host "Setting up Splunk Inputs for Sysmon & osquery"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting up Splunk Inputs for Sysmon & osquery"
 
 $inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
 $currentContent = get-content $inputsPath
@@ -8,22 +8,22 @@ $targetContent = get-content c:\vagrant\resources\splunk_forwarder\inputs.conf
 
 if ($currentContent -ne $targetContent)
 {
-  Write-Host "Stopping the Splunk forwarder"
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Stopping the Splunk forwarder"
   try {
     Stop-Service splunkforwarder -ErrorAction Stop
   } catch {
-    Write-Host "Failed to stop SplunkForwarder. Trying again..."
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Failed to stop SplunkForwarder. Trying again..."
     Set-Location "C:\Program Files\SplunkUniversalForwarder\bin"
     & ".\splunk.exe" "stop"
   }
 
-  Write-Host "Deleting the default configuration"
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Deleting the default configuration"
   Remove-Item $inputsPath
 
-  Write-Host "Copying over the custom configuration"
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Copying over the custom configuration"
   Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
 
-  Write-Host "Starting the Splunk forwarder"
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting the Splunk forwarder"
   Start-Service splunkforwarder
 }
 else
@@ -34,4 +34,4 @@ If ((Get-Service -name splunkforwarder).Status -ne "Running")
 {
   throw "splunkforwarder service was not running."
 }
-Write-Host "Splunk forwarder installation complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk forwarder installation complete!"

Vagrant/scripts/install-microsoft-ata.ps1

@@ -28,7 +28,7 @@ public static class SSLValidator {
 if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
 {
     $download = $false
-    if (-not (Test-Path "$env:temp\$title.iso")) 
+    if (-not (Test-Path "$env:temp\$title.iso"))
     {
         Write-Host "$title.iso doesn't exist yet, downloading..."
         $download = $true
@@ -40,13 +40,13 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
         {
             Write-Host "$title.iso exists, but has wrong hash, downloading..."
             $download = $true
-        } 
+        }
     }
     if ($download -eq $true)
     {
         Write-Host "Downloading $title..."
         Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
-        $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash 
+        $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
         If (-not ($actualHash -eq $fileHash))
         {
             throw "$title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash"
@@ -59,19 +59,19 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
     $Install
     $Mount | Dismount-DiskImage -Confirm:$false
     $body = get-content "C:\vagrant\resources\microsoft_ata\microsoft-ata-config.json"
-    
+
     $req = [System.Net.WebRequest]::CreateHttp("https://wef")
-    try 
+    try
     {
         $req.GetResponse()
     }
-    catch 
+    catch
     {
         # we don't care about errors here, we just want to get the cert ;)
     }
     $ThumbPrint = $req.ServicePoint.Certificate.GetCertHashString()
     $body = $body -replace "{{THUMBPRINT}}", $ThumbPrint
-    
+
     Invoke-RestMethod -uri https://localhost/api/management/systemProfiles/center -body $body -Method Post -UseBasicParsing -UseDefaultCredentials -ContentType "application/json"
 
 }
@@ -79,9 +79,9 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
 Start-Sleep -Seconds 60
 
 Invoke-Command -computername dc -Credential (new-object pscredential("windomain\vagrant",(ConvertTo-SecureString -AsPlainText -Force -String "vagrant"))) -ScriptBlock {
-    
+
-    Write-Host "[$env:computername] Installing ATA Lightweight gateway..."
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Installing ATA Lightweight gateway..."
-    
+
     # Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
     if (-not("SSLValidator" -as [type])) {
         add-type -TypeDefinition @"
@@ -89,13 +89,13 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
     using System.Net;
     using System.Net.Security;
     using System.Security.Cryptography.X509Certificates;
-    
+
     public static class SSLValidator {
         public static bool ReturnTrue(object sender,
             X509Certificate certificate,
             X509Chain chain,
             SslPolicyErrors sslPolicyErrors) { return true; }
-    
+
         public static RemoteCertificateValidationCallback GetDelegate() {
             return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue);
         }
@@ -103,7 +103,7 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
 "@
     }
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
-    
+
     If (-not (Test-Path "$env:temp\gatewaysetup.zip"))
     {
         Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant")))
@@ -115,10 +115,10 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
     }
     if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics"))
     {
-        Set-Location "$env:temp\gatewaysetup"    
+        Set-Location "$env:temp\gatewaysetup"
         Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
     }
-    else 
+    else
     {
         Write-Host "[$env:computername] ATA Gateway already installed. Moving On."
     }
@@ -144,4 +144,4 @@ Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways
 If ((Get-Service -name "ATACenter").Status -ne "Running")
 {
     throw "MS ATA service was not running."
-}
+}

Vagrant/scripts/install-osquery.ps1

@@ -2,7 +2,7 @@
 # Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
 # If you would like to have osquery run without TLS & Fleet, uncomment line 15 and comment lines 21-30.
 
-Write-Host "Installing osquery"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing osquery..."
 $packsDir = "c:\programdata\osquery\packs"
 choco install -y --limit-output --no-progress osquery | Out-String  # Apparently Out-String makes the process wait
 $service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'"

Vagrant/scripts/install-redteam.ps1

@@ -1,11 +1,11 @@
 # Purpose: Installs Mimikatz and Powersploit into c:\Tools\Mimikatz. Used to install redteam related tooling.
 
-Write-Host "Installing Red Team Tooling..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Red Team Tooling..."
 
 # Windows Defender should be disabled already by O&O ShutUp10
 
 # Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
-Write-Host "Determining latest release of Mimikatz..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Mimikatz..."
 # GitHub requires TLS 1.2 as of 2/27
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
@@ -22,7 +22,7 @@ else
 }
 
 # Download and unzip a copy of PowerSploit
-Write-Host "Downloading Powersploit..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Powersploit..."
 # GitHub requires TLS 1.2 as of 2/27
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/dev.zip"
@@ -36,7 +36,7 @@ if (-not (Test-Path $powersploitRepoPath)) {
 }
 
 # Download and unzip a copy of Atomic Red Team
-Write-Host "Downloading Atomic Red Team..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Atomic Red Team..."
 # GitHub requires TLS 1.2 as of 2/27
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $atomicRedTeamDownloadUrl = "https://github.com/redcanaryco/atomic-red-team/archive/master.zip"
@@ -48,4 +48,4 @@ if (-not (Test-Path $atomicRedTeamRepoPath)) {
   Write-Host "Atomic Red Team was already installed. Moving On."
 }
 
-Write-Host "Red Team tooling installation complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Red Team tooling installation complete!"

Vagrant/scripts/install-splunkuf.ps1

@@ -4,7 +4,7 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"))
   Write-Host "Downloading Splunk Universal Forwarder"
   $msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
 
-  Write-Host "Installing & Starting Splunk"
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing & Starting Splunk"
   (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
   Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
 } Else {
@@ -14,4 +14,4 @@ If ((Get-Service -name splunkforwarder).Status -ne "Running")
 {
   throw "Splunk forwarder service not running"
 }
-Write-Host "Splunk installation complete!"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk installation complete!"

Vagrant/scripts/install-sysinternals.ps1

@@ -1,5 +1,6 @@
 # Purpose: Installs a handful of SysInternals tools on the host into c:\Tools\Sysinternals
 
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing SysInternals Tooling..."
 $sysinternalsDir = "C:\Tools\Sysinternals"
 $sysmonDir = "C:\ProgramData\Sysmon"
 If(!(test-path $sysinternalsDir)) {
@@ -27,31 +28,31 @@ $sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
 
 # Microsoft likes TLSv1.2 as well
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Write-Host "Downloading Autoruns64.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Autoruns64.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Autoruns64.exe', $autorunsPath)
-Write-Host "Downloading Procmon.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Procmon.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Procmon.exe', $procmonPath)
-Write-Host "Downloading PsExec64.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading PsExec64.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/PsExec64.exe', $psexecPath)
-Write-Host "Downloading procexp64.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading procexp64.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/procexp64.exe', $procexpPath)
-Write-Host "Downloading Sysmon64.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Sysmon64.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe', $sysmonPath)
-Write-Host "Downloading Tcpview.exe..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Tcpview.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Tcpview.exe', $tcpviewPath)
 Copy-Item $sysmonPath $sysmonDir
 
 # Download Olaf Hartongs Sysmon config
-Write-Host "Downloading Olaf Hartong's Sysmon config..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Olaf Hartong's Sysmon config..."
 (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml', "$sysmonConfigPath")
 # Alternative: Download SwiftOnSecurity's Sysmon config
 # Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
 # (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
 
 # Start Sysmon
-Write-Host "Starting Sysmon..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting Sysmon..."
 Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
-Write-Host "Verifying that the Sysmon service is running..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Verifying that the Sysmon service is running..."
 Start-Sleep 5 # Give the service time to start
 If ((Get-Service -name Sysmon64).Status -ne "Running")
 {

Vagrant/scripts/install-utilities.ps1

@@ -7,7 +7,7 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) {
   Write-Host "Chocolatey is already installed."
 }
 
-Write-Host "Installing utilities..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing utilities..."
 If ($(hostname) -eq "win10") {
   # Because the Windows10 start menu sucks
   choco install -y --limit-output --no-progress classic-shell -installArgs ADDLOCAL=ClassicStartMenu

Vagrant/scripts/install-wefsubscriptions.ps1

@@ -1,31 +1,31 @@
 # Purpose: Imports the custom Windows Event Channel and XML subscriptions on the WEF host
 # Note: This only needs to be installed on the WEF server
 
-Write-Host "Installing WEF Subscriptions..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing WEF Subscriptions..."
 
-Write-Host "Copying Custom Event Channels DLL..."
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Copying Custom Event Channels DLL..."
 if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll"))
 {
     Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll "$env:windir\system32"
     Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man "$env:windir\system32"
 
-    Write-Host "Installing Custom Event Channels Manifest..."
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Custom Event Channels Manifest..."
     wevtutil im "c:\windows\system32\CustomEventChannels.man"
     Write-Host "Resizing Channels to 4GB..."
     $xml = wevtutil el | select-string -pattern "WEC"
     foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
 
-    Write-Host "Starting the Windows Event Collector Service..."
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting the Windows Event Collector Service..."
     net start wecsvc
 
-    Write-Host "Creating custom event subscriptions..."
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating custom event subscriptions..."
     cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
     cmd /c "for /r %i in (*.xml) do wecutil cs %i"
 
-    Write-Host "Enabling custom event subscriptions..."
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Enabling custom event subscriptions..."
     cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
 
-    Write-Host "Enabling WecUtil Quick Config..."
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Enabling WecUtil Quick Config..."
     wecutil qc /q:true
 }
 else

Vagrant/scripts/install-windows_ta.ps1

@@ -1,7 +1,7 @@
 # Purpose: Installs the Windows Splunk Technial Add-On
 # Note: This only needs to be installed on the WEF server
 
-Write-Host "Installing the Windows TA for Splunk"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing the Windows TA for Splunk"
 
 If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
   Write-Host "Windows TA is already installed. Moving on."
@@ -11,7 +11,7 @@ If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_wind
 # Install Windows TA (this only needs to be done on the WEF server)
 $windowstaPath = "C:\vagrant\resources\splunk_forwarder\splunk-add-on-for-microsoft-windows_500.tgz"
 $inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
-Write-Host "Installing the Windows TA"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing the Windows TA"
 Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" -ArgumentList "install app $windowstaPath -auth admin:changeme" -NoNewWindow
 
 # Create local directory
@@ -19,10 +19,10 @@ New-Item -ItemType Directory -Force -Path "C:\Program Files\SplunkUniversalForwa
 Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath
 
 # Add a check here to make sure the TA was installed correctly
-Write-Host "Sleeping for 15 seconds"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Sleeping for 15 seconds"
 start-sleep -s 15
 If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
-  Write-Host "Windows TA installed successfully."
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows TA installed successfully."
 } Else {
   Write-Host "Something went wrong during installation."
   exit 1

Vagrant/scripts/join-domain.ps1

@@ -1,14 +1,14 @@
 # Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
 # Source: https://github.com/StefanScherer/adfs2
 
-Write-Host 'Join the domain'
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain..."
 
-Write-Host "First, set DNS to DC to join the domain"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the domain..."
 $newDNSServers = "192.168.38.102"
 $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
 $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
 
-Write-Host "Now join the domain"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..."
 $hostname = $(hostname)
 $user = "windomain.local\vagrant"
 $pass = ConvertTo-SecureString "vagrant" -AsPlainText -Force

Vagrant/scripts/provision.ps1

@@ -4,21 +4,21 @@
 $box = Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -Name "ComputerName"
 $box = $box.ComputerName.ToString().ToLower()
 
-Write-Host "Setting timezone to UTC"
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC..."
 c:\windows\system32\tzutil.exe /s "UTC"
 
 if ($env:COMPUTERNAME -imatch 'vagrant') {
 
-  Write-Host 'Hostname is still the original one, skip provisioning for reboot'
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hostname is still the original one, skip provisioning for reboot..."
 
-  Write-Host 'Installing bginfo...'
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing bginfo..."
   . c:\vagrant\scripts\install-bginfo.ps1
 
   Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
 
 } elseif ((gwmi win32_computersystem).partofdomain -eq $false) {
 
-  Write-Host -fore red "Current domain is set to 'workgroup'. Time to join the domain!"
+  Write-Host -fore red "$('[{0:HH:mm}]' -f (Get-Date)) Current domain is set to 'workgroup'. Time to join the domain!"
 
   if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
     Write-Host 'Install bginfo'
@@ -39,12 +39,12 @@ if ($env:COMPUTERNAME -imatch 'vagrant') {
 
 } else {
 
-  Write-Host -fore green "I am domain joined!"
+  Write-Host -fore green "$('[{0:HH:mm}]' -f (Get-Date)) I am domain joined!"
 
   if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
     Write-Host 'Install bginfo'
     . c:\vagrant\scripts\install-bginfo.ps1
   }
 
-  Write-Host 'Provisioning after joining domain...'
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Provisioning after joining domain..."
 }