Initial commit

2017-12-11 08:49:25 -08:00
commit 1577341ce9
157 changed files with 5271 additions and 0 deletions
@@ -0,0 +1,165 @@
+Vagrant.configure("2") do |config|
+
+  config.vm.define "logger" do |cfg|
+    cfg.vm.box = "bento/ubuntu-16.04"
+    cfg.vm.hostname = "logger"
+    config.vm.provision :shell, path: "bootstrap.sh"
+    cfg.vm.network :private_network, ip: "192.168.38.5", gateway: "192.168.38.1", dns: "8.8.8.8"
+    config.vm.network :forwarded_port, guest: 8000, host: 8000
+    config.vm.network :forwarded_port, guest: 8412, host: 8412
+
+    cfg.vm.provider "vmware_fusion" do |v, override|
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.customize ["modifyvm", :id, "--memory", 2048]
+      vb.customize ["modifyvm", :id, "--cpus", 1]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+
+  config.vm.define "dc" do |cfg|
+    cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
+    cfg.vm.hostname = "dc"
+
+    # use the plaintext WinRM transport and force it to use basic authentication.
+    # NB this is needed because the default negotiate transport stops working
+    #    after the domain controller is installed.
+    #    see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
+    cfg.winrm.transport = :plaintext
+    cfg.winrm.basic_auth_only = true
+
+    cfg.vm.communicator = "winrm"
+    cfg.vm.network :forwarded_port, guest: 5985, host: 5985, id: "winrm", auto_correct: true
+    cfg.vm.network :forwarded_port, guest: 22, host: 2222, id: "ssh", auto_correct: true
+    cfg.vm.network :forwarded_port, guest: 3389, host: 3389, id: "rdp", auto_correct: true
+    cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1"
+
+    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.2"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "reload"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
+    cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
+
+    cfg.vm.provider "vmware_fusion" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.customize ["modifyvm", :id, "--memory", 2048]
+      vb.customize ["modifyvm", :id, "--cpus", 1]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+
+  config.vm.define "wef" do |cfg|
+    cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
+    cfg.vm.hostname = "wef"
+
+    cfg.vm.communicator = "winrm"
+    cfg.vm.network :forwarded_port, guest: 5985, host: 5986, id: "winrm", auto_correct: true
+    cfg.vm.network :forwarded_port, guest: 22, host: 2223, id: "ssh", auto_correct: true
+    cfg.vm.network :forwarded_port, guest: 3389, host: 3390, id: "rdp", auto_correct: true
+    cfg.vm.network :private_network, ip: "192.168.38.3", gateway: "192.168.38.1", dns: "192.168.38.2"
+
+    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.3 -dns 192.168.38.2"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "reload"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
+    cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
+
+    cfg.vm.provider "vmware_fusion" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.customize ["modifyvm", :id, "--memory", 2048]
+      vb.customize ["modifyvm", :id, "--cpus", 1]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+
+  config.vm.define "win10" do |cfg|
+    cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
+    cfg.vm.hostname = "win10"
+
+    cfg.vm.communicator = "winrm"
+    cfg.vm.network :forwarded_port, guest: 5985, host: 5987, id: "winrm", auto_correct: true
+    cfg.vm.network :forwarded_port, guest: 22, host: 2224, id: "ssh", auto_correct: true
+    cfg.vm.network :forwarded_port, guest: 3389, host: 3391, id: "rdp", auto_correct: true
+    cfg.vm.network :private_network, ip: "192.168.38.4", gateway: "192.168.38.1", dns: "192.168.38.2"
+
+    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.4 -dns 192.168.38.2"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "reload"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+
+    cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
+
+    cfg.vm.provider "vmware_fusion" do |v, override|
+      override.vm.box = "../Boxes/windows_10_vmware.box"
+      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+      v.vmx["gui.fitguestusingnativedisplayresolution"] = "FALSE"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.customize ["modifyvm", :id, "--memory", 2048]
+      vb.customize ["modifyvm", :id, "--cpus", 1]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+end
@@ -0,0 +1,111 @@
+#! /bin/bash
+
+# Install prerequisites and useful tools
+apt-get update
+apt-get install -y jq whois build-essential git docker docker-compose unzip
+
+# Install Golang v1.8
+wget https://storage.googleapis.com/golang/go1.8.linux-amd64.tar.gz
+tar -xvf go1.8.linux-amd64.tar.gz
+mv go /usr/local
+mkdir /home/vagrant/.go
+chown vagrant:vagrant /home/vagrant/.go
+mkdir /root/.go
+echo 'export GOPATH=$HOME/.go' >> /home/vagrant/.bashrc
+echo 'export GOROOT=/usr/local/go' >> /home/vagrant/.bashrc
+echo 'export GOPATH=$HOME/.go' >> /root/.bashrc
+echo '/home/vagrant/.bashrc' >> /root/.bashrc
+source ~/.bashrc
+sudo update-alternatives --install "/usr/bin/go" "go" "/usr/local/go/bin/go" 0
+sudo update-alternatives --set go /usr/local/go/bin/go
+/usr/bin/go get -u github.com/howeyc/gopass
+
+# Check if Splunk is already installed
+if [ -f "/opt/splunk/bin/splunk" ]
+  then echo "Splunk is already installed"
+else
+  # Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
+  dig @8.8.8.8 splunk.com
+  # Download Splunk
+  wget --progress=bar:force -O splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.1&product=splunk&filename=splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb&wget=true'
+  dpkg -i splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb
+  /opt/splunk/bin/splunk start --accept-license
+  /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
+  /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
+  /opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
+  /opt/splunk/bin/splunk add index sysmon -auth 'admin:changeme'
+  /opt/splunk/bin/splunk add index powershell -auth 'admin:changeme'
+  /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_483.tgz -auth 'admin:changeme'
+  /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_600.tgz -auth 'admin:changeme'
+  # Add a Splunk TCP input on port 9997
+  echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
+  # Add props.conf and transforms.conf
+  cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/
+  cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
+  # Skip Splunk Tour and Change Password Dialog
+  touch /opt/splunk/etc/.ui_login
+  # Enable SSL Login for Splunk
+  echo '[settings]
+  enableSplunkWebSSL = true' > /opt/splunk/etc/system/local/web.conf
+  # Reboot Splunk to make changes take effect
+  /opt/splunk/bin/splunk restart
+  /opt/splunk/bin/splunk enable boot-start
+fi
+
+# Install Fleet
+echo -e "\n127.0.0.1       kolide" >> /etc/hosts
+git clone https://github.com/kolide/kolide-quickstart.git
+cd kolide-quickstart
+cp /vagrant/resources/fleet/server.* .
+sed -i 's/ -it//g' demo.sh
+./demo.sh up simple
+# Set the enrollment secret to match what we deploy to Windows hosts
+docker run --rm --network=kolidequickstart_default mysql:5.7 mysql -h mysql -u kolide --password=kolide -e 'update app_configs set osquery_enroll_secret = "enrollmentsecret" where id=1;' --batch kolide
+echo "Updated enrollment secret"
+cd /home/vagrant
+
+# Import Palantir osquery configs into Fleet
+echo "Downloading Palantir configs"
+git clone https://github.com/palantir/osquery-configuration.git
+git clone https://github.com/kolide/configimporter.git
+cd configimporter
+go build
+cd /home/vagrant
+
+# Modify the config to work with config importer
+cat /home/vagrant/osquery-configuration/Endpoints/Windows/osquery.conf  | sed 's#packs/#../packs/#g' | grep -v unwanted-chrome-extensions | grep -v security-tooling-checks | grep -v performance-metrics > /home/vagrant/osquery-configuration/Endpoints/Windows/osquery_to_import.conf
+# Install configimporter
+echo "Installing configimporter"
+echo "Sleeping for 5"
+sleep 5
+export CONFIGIMPORTER_PASSWORD='admin123#'
+cd /home/vagrant/osquery-configuration/Endpoints/Windows/
+# Fleet requires you to login before importing packs
+# Login
+curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/setup' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'authority: 192.168.38.5:8412' --compressed --insecure
+sleep 1
+# Setup organization name and email address
+curl 'https://192.168.38.5:8412/api/v1/setup' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/setup' -H 'authority: 192.168.38.5:8412' --data-binary '{"kolide_server_url":"https://192.168.38.5:8412","org_info":{"org_name":"detectionlab"},"admin":{"admin":true,"email":"example@example.com","password":"admin123#","password_confirmation":"admin123#","username":"admin"}}' --compressed --insecure
+sleep 3
+# Import all Windows configs
+/home/vagrant/configimporter/configimporter -host https://localhost:8412 -user 'admin' -config osquery_to_import.conf
+
+# Get auth token
+TOKEN=$(curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure | grep token | cut -d '"' -f 4)
+# Set all packs to be targeted to Windows hosts
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/1' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/2' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/3' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/4' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+# Rename primary pack
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/5/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"name":"windows-pack"}' --compressed --insecure
+# Add Splunk monitors for Fleet
+/opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_result" -index osquery -sourcetype 'osquery:json' -auth 'admin:changeme'
+/opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme'
@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:39:58]]></BackupTime><ID><![CDATA[{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Event Log Readers]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid/><SamAccountName><![CDATA[NETWORK SERVICE]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid><![CDATA[S-1-5-21-2099590610-328841986-2664697228-11659]]></Sid><SamAccountName/><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[1]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[1703962]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        <GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictRemoteSamEventThrottlingWindow" status="RestrictRemoteSamEventThrottlingWindow" image="7" changed="2017-07-26 04:57:18" uid="{D232208A-0CBB-4FA1-BE41-D8A402116908}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\Lsa" name="RestrictRemoteSamEventThrottlingWindow" type="REG_SZ" value="0"/></Registry>
+</RegistrySettings>
@@ -0,0 +1,12 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+  <policyNamespaces>
+    <using prefix="ns0" namespace="Microsoft.Policies.WindowsRemoteManagement"></using>
+  </policyNamespaces>
+  <comments>
+    <admTemplate></admTemplate>
+  </comments>
+  <resources minRequiredRevision="1.0">
+    <stringTable></stringTable>
+  </resources>
+</policyComments>
@@ -0,0 +1,38 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Kerberos Authentication Service,{0cce9242-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Kerberos Service Ticket Operations,{0cce9240-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Distribution Group Management,{0cce9238-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Detailed Directory Service Replication,{0cce923e-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Directory Service Access,{0cce923b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Directory Service Changes,{0cce923c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Directory Service Replication,{0cce923d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User / Device Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Kernel Object,{0cce921f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:39:58]]></BackupTime><ID><![CDATA[{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{E1359F60-FACE-461A-9C5D-D1DF07E51A79}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:30:11]]></BackupTime><ID><![CDATA[{E471372E-9280-47FB-963A-7B2A75182ACC}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Servers Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Event Log Readers]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid/><SamAccountName><![CDATA[NETWORK SERVICE]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{E1359F60-FACE-461A-9C5D-D1DF07E51A79}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Servers Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[1]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[1376277]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        <GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_FSPATH%\Cadm" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Cadm" bkp:Location="DomainSysvol\GPO\Cadm"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Services" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences\Services" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Services"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictRemoteSamEventThrottlingWindow" status="RestrictRemoteSamEventThrottlingWindow" image="12" changed="2017-03-28 20:28:29" uid="{7E71B8A5-03A7-456C-9CC9-941C1045C0E1}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\Lsa" name="RestrictRemoteSamEventThrottlingWindow" type="REG_DWORD" value="00000000"/></Registry>
+</RegistrySettings>
@@ -0,0 +1,12 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+  <policyNamespaces>
+    <using prefix="ns0" namespace="Microsoft.Policies.WindowsRemoteManagement"></using>
+  </policyNamespaces>
+  <comments>
+    <admTemplate></admTemplate>
+  </comments>
+  <resources minRequiredRevision="1.0">
+    <stringTable></stringTable>
+  </resources>
+</policyComments>
@@ -0,0 +1,33 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User / Device Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{E1359F60-FACE-461A-9C5D-D1DF07E51A79}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:30:11]]></BackupTime><ID><![CDATA[{E471372E-9280-47FB-963A-7B2A75182ACC}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Servers Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{EC31A138-BD53-40CE-A368-0ED65005F02E}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:35:10]]></BackupTime><ID><![CDATA[{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Workstations Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{EC31A138-BD53-40CE-A368-0ED65005F02E}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Workstations Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[1]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[1245203]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        <GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_FSPATH%\Cadm" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Cadm" bkp:Location="DomainSysvol\GPO\Cadm"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictRemoteSamEventThrottlingWindow" status="RestrictRemoteSamEventThrottlingWindow" image="12" bypassErrors="1" changed="2017-03-28 18:23:06" uid="{C6860994-A627-43A9-A8E9-433B483C697C}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\Lsa" name="RestrictRemoteSamEventThrottlingWindow" type="REG_DWORD" value="00000000"/></Registry>
+</RegistrySettings>
@@ -0,0 +1,12 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+  <policyNamespaces>
+    <using prefix="ns0" namespace="Microsoft.Policies.WindowsRemoteManagement"></using>
+  </policyNamespaces>
+  <comments>
+    <admTemplate></admTemplate>
+  </comments>
+  <resources minRequiredRevision="1.0">
+    <stringTable></stringTable>
+  </resources>
+</policyComments>
@@ -0,0 +1,33 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User / Device Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{EC31A138-BD53-40CE-A368-0ED65005F02E}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:35:10]]></BackupTime><ID><![CDATA[{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Workstations Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{52384B72-F463-4CF8-8432-C2E23FFC87C6}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{c9281a25-16b6-4f99-961e-281acbc19af8}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-04-20T00:41:04]]></BackupTime><ID><![CDATA[{44CF152B-475A-4217-A590-57C8BFA9B48F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Powershell Logging]]></GPODisplayName></BackupInst></Backups>
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4167842404-2528019904-656423439-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4167842404-2528019904-656423439-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4167842404-2528019904-656423439-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{52384B72-F463-4CF8-8432-C2E23FFC87C6}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 64 3a 6c f8 c0 85 ae 96 0f 3a 20 27 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 64 3a 6c f8 c0 85 ae 96 0f 3a 20 27 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 64 3a 6c f8 c0 85 ae 96 0f 3a 20 27 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Powershell Logging]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[0]]></UserVersionNumber><MachineVersionNumber><![CDATA[131074]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{52384B72-F463-4CF8-8432-C2E23FFC87C6}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{52384B72-F463-4CF8-8432-C2E23FFC87C6}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{52384B72-F463-4CF8-8432-C2E23FFC87C6}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>
@@ -0,0 +1,12 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+  <policyNamespaces>
+    <using prefix="ns0" namespace="Microsoft.Policies.PowerShell"></using>
+  </policyNamespaces>
+  <comments>
+    <admTemplate></admTemplate>
+  </comments>
+  <resources minRequiredRevision="1.0">
+    <stringTable></stringTable>
+  </resources>
+</policyComments>
@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{52384B72-F463-4CF8-8432-C2E23FFC87C6}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{c9281a25-16b6-4f99-961e-281acbc19af8}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-04-20T00:41:04]]></BackupTime><ID><![CDATA[{44CF152B-475A-4217-A590-57C8BFA9B48F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Powershell Logging]]></GPODisplayName></BackupInst>
@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:56:17]]></BackupTime><ID><![CDATA[{AE232F63-0190-47EE-BAF9-B78754178376}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Custom Event Channel Permissions]]></GPODisplayName></BackupInst><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:46:11]]></BackupTime><ID><![CDATA[{F523FD69-7E4C-4315-93D0-557089F1B8A1}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Windows Event Forwarding Server]]></GPODisplayName></BackupInst></Backups>
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Custom Event Channel Permissions]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[131074]]></UserVersionNumber><MachineVersionNumber><![CDATA[1572888]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ChannelAccess" status="ChannelAccess" image="7" changed="2017-07-22 01:25:45" uid="{CA8FB1DB-B0A8-427A-A00D-08C1D499DC32}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Audit" name="ChannelAccess" type="REG_SZ" value="O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"/></Registry>
+	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ChannelAccess" status="ChannelAccess" image="7" changed="2017-07-22 06:26:23" uid="{837364B6-ECD8-46E8-9FF1-35C7B0D9F5FF}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-SMBClient/Operational" name="ChannelAccess" type="REG_SZ" value="O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"/></Registry>
+	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ChannelAccess" status="ChannelAccess" image="7" changed="2017-07-22 06:27:30" uid="{43ADFF5A-9412-44C6-8476-839EC6602558}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-SMBServer/Audit" name="ChannelAccess" type="REG_SZ" value="O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"/></Registry>
+	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="CustomSD" status="CustomSD" image="7" changed="2017-07-22 06:29:26" uid="{8D55AF86-069E-4A22-A9F9-AD8DCC1711C9}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Services\EventLog\DNS Server" name="CustomSD" type="REG_SZ" value="O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"/></Registry>
+	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="CustomSD" status="CustomSD" image="7" changed="2017-07-22 06:54:47" uid="{59ECA0A8-307C-4B14-9D55-BB118CC1B9D4}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Services\EventLog\Security" name="CustomSD" type="REG_SZ" value="O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"/></Registry>
+</RegistrySettings>
@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:56:17]]></BackupTime><ID><![CDATA[{AE232F63-0190-47EE-BAF9-B78754178376}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Custom Event Channel Permissions]]></GPODisplayName></BackupInst>
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Windows Event Forwarding Server]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[131074]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>
@@ -0,0 +1,12 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+  <policyNamespaces>
+    <using prefix="ns0" namespace="Microsoft.Policies.EventForwarding"></using>
+  </policyNamespaces>
+  <comments>
+    <admTemplate></admTemplate>
+  </comments>
+  <resources minRequiredRevision="1.0">
+    <stringTable></stringTable>
+  </resources>
+</policyComments>
@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:46:11]]></BackupTime><ID><![CDATA[{F523FD69-7E4C-4315-93D0-557089F1B8A1}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Windows Event Forwarding Server]]></GPODisplayName></BackupInst>
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnjCCAYYCCQD3m5L/nC/akjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr
+b2xpZGUwHhcNMTcxMTAxMjAxMDIxWhcNMTgxMTAxMjAxMDIxWjARMQ8wDQYDVQQD
+DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDahfD8pVJN
+KSdE+GoYIPsteyHvyQXXGcCIlrt+EFI5TXKBcHE8Vyyi1xw7hTpGKA3DGbLBf43E
+j26w7NS0hGhbJHwjx5EBujWhDskbH8GTzhQllVoYOOwuU85MWiISQOAWhaytIFYg
+6wnBaA0EtNEOeYPD1J5t1Bt4k9pwS+ATJxAag9BSesMdmU6Uz2zCxSavsDMGepiv
+kaOAzT4Bhy3aVhq56mNayLT2fCdmyEyKlou9gUzteY0dp010ZNfqyxgcsnhogUij
+6LaEsVzsxDRH7HFPtCeGBb8CjnnPhMbAU9nzhn+9EEtiIUvN0Dl0G/DmgziTpKgD
+EEmddbqEK6g9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBALVH183jm9WeKXd3Uhqn
+jyOZ8H4+RhaADm4rkABmVHUAIoqLQOfpnTuvcp/eiAAUBNaRk8B5T+yWosx+IP4u
+SUoRR949zdn5kd/BkoHE5rcJh169goJlKLtKGXkPyCRgcakXC/kDSZtWrIyw/vYu
+6WYjScDLiEDlgVQQuEdI3S5lDm9D0UMvCmiVsUyWYcTic2WgO9vaOErWS5UQMaPV
+crzxIJKxd1eK0++gdyiwWwakWBtHpDQnpjamfFBqltvXKdpY1cIVJsyXROlZ6xNk
+NqbzMLDLt/4zvGjG88zrpwqU2egigX2VkAgOMa8BEnnkvZMuCcgoYkCXbY3CXsts
+YOM=
+-----END CERTIFICATE-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA2oXw/KVSTSknRPhqGCD7LXsh78kF1xnAiJa7fhBSOU1ygXBx
+PFcsotccO4U6RigNwxmywX+NxI9usOzUtIRoWyR8I8eRAbo1oQ7JGx/Bk84UJZVa
+GDjsLlPOTFoiEkDgFoWsrSBWIOsJwWgNBLTRDnmDw9SebdQbeJPacEvgEycQGoPQ
+UnrDHZlOlM9swsUmr7AzBnqYr5GjgM0+AYct2lYauepjWsi09nwnZshMipaLvYFM
+7XmNHadNdGTX6ssYHLJ4aIFIo+i2hLFc7MQ0R+xxT7QnhgW/Ao55z4TGwFPZ84Z/
+vRBLYiFLzdA5dBvw5oM4k6SoAxBJnXW6hCuoPQIDAQABAoIBAGaidD5lc5NUGeKV
+/laY3wBMjfLuarTNnpVInoUmK0hIrNhItJaPpyJQgC0gdO9Qjq4s2r1xKGfCqk2k
+3n5ulgkAyOGRMPUrvVaI+EGqF6RRLTs9u5QW4C8eI43O46PJHrbVT/X8cxeA7RMO
+yNaGCo6O2ilXKpYRAloOr5EAwhyb5OeNrxe/XkngzU2/Sy/XPqqa/gUZGReJzEW1
+/M/iJULNSo2smKftdzDkiSVxH4x5En3q/ri7EUs6NMJZ9V7mUI7LJABeDOBYNta6
+e43b9f6sVfoecFU71FmrXx6QUvUJATNUPEqCwQqp4LfmUrv/Rnty/d39ktQqkpkV
+u4CQ700CgYEA9c6WoE7sK+M4ySmnc08ol0RxoUX4gp9oHbIUe+8fN4al6uLawvc1
+zgPjsev9kMGsw9Ejm2ID+PcuyQirJcE+MkT6Jdj6S39hE0umnFfxytF8vssqVcrG
+bSWS3fLgQ+5k7/IbWFJiQxRW7Y/4qjlOqeHE9tAbPMUyH+viT6nu6w8CgYEA45W3
+fSHVrr72h7WettUwb/dJLSjIj7MbMcMGrq2bStwHkZikXr1tgBtxFBTiOoc2p1JK
+bII0cilAyobp1wk6spOt501QeciYxnCgHBuenC4TDmzPdgwQvBOHQoMe8oS/ZBd
+SwGpuEBCfBnODnDrWNgAye9rxV1pAXwUTns45/MCgYEAqhLbs2WIEUGxS7ZvbuAp
+ZKhturlwHejvoARUGgA0aDXY3PFDjbyAVN/qDnQLSLpIsGAnM96Ygw18KIq/6GqR
+fzSso71CSTSEVVZ1nB1ZZgyWNGjcDOo1atWhjcH7m+T5n++zLeQqquEK2GpSEm1+
+WRqmLmOFRQHoEaAjQR2B+s8CgYBe5WvISpZuMgRcHBgdBpIW7dbedLYEbVt2iWq8
+5XjuYwbo5+wJ8RS6qTaid/7JBt58MG1A5sKUrwRXaHR1eY+PM2JVX8D4ROdqyS/4
+HGmEtoGyjxC1RfMBxm/b3ffMmjsG7e5ouz3IrUrLsnrgPKd1uUPC8AlRF50UWGej
+PfBBjwKBgDqk/kpJ7aYfJB/lB5F+v+V1YucNyCgxj6cQ/aiBxOq3pN7wi8/vra2K
+/cGiz4JWrSS3PeUmiu7eCsYbItxyi1yjNOcfI1/gJTjm8Mgoh7WT39a8IfPefsLD
+MpJ3ISw+VcV1Vcr8g7/LsZZNfRcTVEZbCWSdPH69KgdDn8vLU1O0
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,151 @@
+{
+  "options": {
+    "schedule_splay_percent": 10
+  },
+  "platform": "windows",
+  "schedule": {
+    "chocolatey_packages": {
+      "query": "SELECT * FROM chocolatey_packages;",
+      "interval": 3600,
+      "description": "List installed Chocolatey packages"
+    },
+    "chrome_extensions": {
+      "query": "SELECT * FROM users JOIN chrome_extensions USING (uid);",
+      "interval": 3600,
+      "description": "List installed Chrome Extensions for all users"
+    },
+    "drivers": {
+      "query": "SELECT * FROM drivers;",
+      "interval": 3600,
+      "description": "List in-use Windows drivers"
+    },
+    "drivers_snapshot": {
+      "query": "SELECT * FROM drivers;",
+      "interval": 28800,
+      "description": "Drivers snapshot query",
+      "snapshot": true
+    },
+    "etc_hosts": {
+      "query": "SELECT * FROM etc_hosts;",
+      "interval": 3600,
+      "description": "List the contents of the Windows hosts file"
+    },
+    "ie_extensions": {
+      "query": "SELECT * FROM ie_extensions;",
+      "interval": 3600,
+      "description": "List installed Internet Explorer extensions"
+    },
+    "kernel_info": {
+      "query": "SELECT * FROM kernel_info;",
+      "interval": 3600,
+      "description": "List the kernel path, version, etc."
+    },
+    "os_version": {
+      "query": "SELECT * FROM os_version;",
+      "interval": 3600,
+      "description": "List the version of the resident operating system"
+    },
+    "os_version_snapshot": {
+      "query": "SELECT * FROM os_version;",
+      "interval": 28800,
+      "description": "Operating system version snapshot query",
+      "snapshot": true
+    },
+    "osquery_info": {
+      "query": "SELECT * FROM osquery_info;",
+      "interval": 28800,
+      "description": "Information about the resident osquery process",
+      "snapshot": true
+    },
+    "patches": {
+      "query": "SELECT * FROM patches;",
+      "interval": 3600,
+      "description": "Lists all the patches applied"
+    },
+    "patches_snapshot": {
+      "query": "SELECT * FROM patches;",
+      "interval": 28800,
+      "description": "Patches snapshot query",
+      "snapshot": true
+    },
+    "programs": {
+      "query": "SELECT * FROM programs;",
+      "interval": 3600,
+      "description": "Lists installed programs"
+    },
+    "programs_snapshot": {
+      "query": "SELECT * FROM programs;",
+      "interval": 28800,
+      "description": "Programs snapshot query",
+      "snapshot": true
+    },
+    "scheduled_tasks": {
+      "query": "SELECT * FROM scheduled_tasks;",
+      "interval": 3600,
+      "description": "Lists all of the tasks in the Windows task scheduler"
+    },
+    "services": {
+      "query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';",
+      "interval": 3600,
+      "description": "Lists all installed services configured to start automatically at boot"
+    },
+    "services_snapshot": {
+      "query": "SELECT * FROM services;",
+      "interval": 28800,
+      "description": "Services snapshot query",
+      "snapshot": true
+    },
+    "shared_resources": {
+      "query": "SELECT * FROM shared_resources;",
+      "interval": 28800,
+      "description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device."
+    },
+    "system_info": {
+      "query": "SELECT * FROM system_info;",
+      "interval": 3600,
+      "description": "System information for identification."
+    },
+    "system_info_snapshot": {
+      "query": "SELECT * FROM system_info;",
+      "interval": 28800,
+      "description": "System info snapshot query",
+      "snapshot": true
+    },
+    "uptime": {
+      "query": "SELECT * FROM uptime;",
+      "interval": 3600,
+      "description": "System uptime"
+    },
+    "users": {
+      "query": "SELECT * FROM users;",
+      "interval": 3600,
+      "description": "Local system users."
+    },
+    "users_snapshot": {
+      "query": "SELECT * FROM users;",
+      "interval": 28800,
+      "description": "Users snapshot query",
+      "snapshot": true
+    },
+    "wmi_cli_event_consumers": {
+      "query": "SELECT * FROM wmi_cli_event_consumers;",
+      "interval": 3600,
+      "description": "WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
+    },
+    "wmi_event_filters": {
+      "query": "SELECT * FROM wmi_event_filters;",
+      "interval": 3600,
+      "description": "Lists WMI event filters."
+    },
+    "wmi_filter_consumer_binding": {
+      "query": "SELECT * FROM wmi_filter_consumer_binding;",
+      "interval": 3600,
+      "description": "Lists the relationship between event consumers and filters."
+    },
+    "wmi_script_event_consumers": {
+      "query": "SELECT * FROM wmi_script_event_consumers;",
+      "interval": 3600,
+      "description": "WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details."
+    }
+  }
+}
@@ -0,0 +1,3 @@
+--config_path=c:\programdata\osquery\osquery.conf
+--disable_events=true
+--disable_tables=windows_events
@@ -0,0 +1,29 @@
+[WinEventLog://Microsoft-Windows-Sysmon/Operational]
+index = sysmon
+disabled = false
+renderXml = true
+
+[monitor://c:\programdata\osquery\log\osqueryd.results.log]
+index = osquery
+disabled = false
+sourcetype = osquery:json
+
+[monitor://c:\programdata\osquery\log\osqueryd.snapshots.log]
+index = osquery
+disabled = false
+sourcetype = osquery:json
+
+[monitor://c:\programdata\osquery\log\osqueryd.INFO.*]
+index = osquery-status
+disabled = false
+sourcetype = osquery-info:syslog
+
+[monitor://c:\programdata\osquery\log\osqueryd.WARNING.*]
+index = osquery-status
+disabled = false
+sourcetype = osquery-warn:syslog
+
+[monitor://c:\programdata\osquery\log\osqueryd.ERROR.*]
+index = osquery-status
+disabled = false
+sourcetype = osquery-error:syslog
@@ -0,0 +1,402 @@
+[default]
+evt_resolve_ad_obj = 1
+evt_dc_name = ldaps.ad.ha.palantir
+evt_dns_name = ldaps.ad.ha.palantir
+evt_ad_cache_disabled = 0
+evt_ad_cache_max_entries = 40000
+evt_ad_cache_exp_neg = 10
+evt_sid_cache_disabled = 0
+evt_sid_cache_max_entries = 40000
+evt_sid_cache_exp_neg = 1000
+batch_size = 500
+
+[WinEventLog://ForwardedEvents]
+sourcetype = WinEventLog:ForwardedEvents
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Powershell]
+sourcetype = WinEventLog:Powershell
+source = WinEventLog:Powershell
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-WMI]
+sourcetype = WinEventLog:WMI
+source = WinEventLog:WMI
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-EMET]
+sourcetype = WinEventLog:Security
+source = WinEventLog:EMET
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Authentication]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Authentication
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Services]
+sourcetype = WinEventLog:System
+source = WinEventLog:Services
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Process-Execution]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Process-Execution
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Code-Integrity]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Code-Integrity
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Registry]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Registry
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Applocker]
+sourcetype = WinEventLog:Applocker
+source = WinEventLog:Applocker
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Task-Scheduler]
+sourcetype = WinEventLog:Task-Scheduler
+source = WinEventLog:Task-Scheduler
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Application-Crashes]
+sourcetype = WinEventLog:Application
+source = WinEventLog:Application-Crashes
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Windows-Defender]
+sourcetype = WinEventLog:Windows-Defender
+source = WinEventLog:Windows-Defender
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Group-Policy-Errors]
+sourcetype = WinEventLog:System
+source = WinEventLog:Group-Policy-Errors
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Drivers]
+sourcetype = WinEventLog:System
+source = WinEventLog:Drivers
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Account-Management]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Account-Management
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Windows-Diagnostics]
+sourcetype = WinEventLog:System
+source = WinEventLog:Windows-Diagnostics
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Smart-Card]
+sourcetype = WinEventLog:Smart-Card
+source = WinEventLog:Smart-Card
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-USB]
+sourcetype = WinEventLog:USB
+source = WinEventLog:USB
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Print]
+sourcetype = WinEventLog:Print
+source = WinEventLog:Print
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Firewall]
+sourcetype = WinEventLog:Firewall
+source = WinEventLog:Firewall
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Wireless]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Wireless
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Shares]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Shares
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Bits-Client]
+sourcetype = WinEventLog:Bits-Client
+source = WinEventLog:Bits-Client
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Windows-Updates]
+sourcetype = WinEventLog:System
+source = WinEventLog:Windows-Updates
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Hotpatching-Errors]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Hotpatching-Errors
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-DNS]
+sourcetype = WinEventLog:DNS
+source = WinEventLog:DNS
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-System-Time-Change]
+sourcetype = WinEventLog:Security
+source = WinEventLog:System-Time-Change
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Operating-System]
+sourcetype = WinEventLog:System
+source = WinEventLog:Operating-System
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Certificate-Authority]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Certificate-Authority
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Crypto-API]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Crypto-API
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-File-System]
+sourcetype = WinEventLog:Security
+source = WinEventLog:File-System
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-MSI-Packages]
+sourcetype = WinEventLog:Security
+source = WinEventLog:MSI-Packages
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Log-Deletion-Security]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Log-Deletion-Security
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Log-Deletion-System]
+sourcetype = WinEventLog:System
+source = WinEventLog:Log-Deletion-System
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Autoruns]
+sourcetype = WinEventLog:Autoruns
+source = WinEventLog:Autoruns
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Sysmon]
+sourcetype = WinEventLog:Sysmon
+source = WinEventLog:Sysmon
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Software-Restriction-Policies]
+sourcetype = WinEventLog:Software-Restriction-Policies
+source = WinEventLog:Software-Restriction-Policies
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Microsoft-Office]
+sourcetype = WinEventLog:Microsoft-Office
+source = WinEventLog:Microsoft-Office
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Exploit-Guard]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Exploit-Guard
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Duo-Security]
+sourcetype = WinEventLog:Duo-Security
+source = WinEventLog:Duo-Security
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Device-Guard]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Device-Guard
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-ADFS]
+sourcetype = WinEventLog:ADFS
+source = WinEventLog:ADFS
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[monitor://c:\pslogs]
+index = powershell
+sourcetype = powershell_transcript
+recursive = true
@@ -0,0 +1,14 @@
+[source::WinEventLog:*]
+TRANSFORMS-host = wef_computername_as_host
+
+[sourcetype::powershell_transcript]
+TRANSFORMS-powershell_rename_host = powershell_rename_host
+
+[powershell_transcript]
+BREAK_ONLY_BEFORE = THISREGEXDOESNTEXIST
+DATETIME_CONFIG =
+NO_BINARY_CHECK = true
+TIME_FORMAT = %Y%m%d%H%M%S
+TIME_PREFIX = Start\stime\:\s
+category = Custom
+pulldown_type = true
@@ -0,0 +1,10 @@
+[powershell_rename_host]
+DEST_KEY = MetaData:Host
+SOURCE_KEY = MetaData:Source
+REGEX = PowerShell_transcript\.([^\S]+)\.
+FORMAT = host::$1
+
+[wef_computername_as_host]
+DEST_KEY = MetaData:Host
+REGEX = (?m)ComputerName=(.+)
+FORMAT = host::$1
@@ -0,0 +1,13 @@
+# Purpose: Installs the GPOs for the custom WinEventLog auditing policy.
+Write-Host "Configuring auditing policy GPOS..."
+Write-Host "Importing Domain Controller Enhanced Auditing Policy..."
+Import-GPO -BackupGpoName 'Domain Controllers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName 'Domain Controllers Enhanced Auditing Policy' -CreateIfNeeded
+New-GPLink -Name 'Domain Controllers Enhanced Auditing Policy' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+
+Write-Host "Importing Servers Enhanced Auditing Policy..."
+Import-GPO -BackupGpoName 'Servers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName 'Servers Enhanced Auditing Policy' -CreateIfNeeded
+New-GPLink -Name 'Servers Enhanced Auditing Policy' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes
+
+Write-Host "Importing Workstations Enhanced Auditing Policy..."
+Import-GPO -BackupGpoName 'Workstations Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName 'Workstations Enhanced Auditing Policy' -CreateIfNeeded
+New-GPLink -Name 'Workstations Enhanced Auditing Policy' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes
@@ -0,0 +1,12 @@
+# Purpose: Sets up the Server and Workstations OUs
+Write-Host "Sleeping for 30 seconds, then creating Server and Workstation OUs"
+Start-Sleep 30
+Write-Host "Creating Servers OU"
+New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
+Write-Host "Creating Workstations OU"
+New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
+
+# Sysprep breaks auto-login. Let's restore it here:
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
@@ -0,0 +1,6 @@
+# Purpose: Install the GPO that specifies the WEF collector
+Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
+Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded
+New-GPLink -Name 'Powershell Logging' -Target "dc=windomain,dc=local" -Enforced yes
+New-GPLink -Name 'Powershell Logging' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+gpupdate /force
@@ -0,0 +1,42 @@
+# Purpose: Configure an SMB share for Powershell transcription logs to be written to
+# Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
+Write-Host "Configuring the Powershell Transcripts Share"
+md c:\pslogs
+
+
+## Kill all inherited permissions
+$acl = Get-Acl c:\pslogs
+$acl.SetAccessRuleProtection($true, $false)
+
+
+## Grant Administrators full control
+$administrators = [System.Security.Principal.NTAccount] "Administrators"
+$permission = $administrators,"FullControl","ObjectInherit,ContainerInherit","None","Allow"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+$acl.AddAccessRule($accessRule)
+
+
+## Grant everyone else Write and ReadAttributes. This prevents users from listing
+## transcripts from other machines on the domain.
+$everyone = [System.Security.Principal.NTAccount] "Everyone"
+$permission = $everyone,"Write,ReadAttributes","ObjectInherit,ContainerInherit","None","Allow"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+$acl.AddAccessRule($accessRule)
+
+## TODO: Leaving this commented out so Splunk Forwader can read these files
+## Might be a way to leave this permission intact but still allow Splunk
+## Deny "Creator Owner" everything. This prevents users from
+## viewing the content of previously written files.
+#$creatorOwner = [System.Security.Principal.NTAccount] "Creator Owner"
+#$permission = $creatorOwner,"FullControl","ObjectInherit,ContainerInherit","InheritOnly","Deny"
+#$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+#$acl.AddAccessRule($accessRule)
+
+
+## Set the ACL
+$acl | Set-Acl c:\pslogs\
+
+
+## Create the SMB Share, granting Everyone the right to read and write files. Specific
+## actions will actually be enforced by the ACL on the file folder.
+New-SmbShare -Name pslogs -Path c:\pslogs -ChangeAccess Everyone
@@ -0,0 +1,16 @@
+# Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger
+Write-Host "Importing the GPO to specify the WEF collector"
+Import-GPO -BackupGpoName 'Windows Event Forwarding Server' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Windows Event Forwarding Server' -CreateIfNeeded
+New-GPLink -Name 'Windows Event Forwarding Server' -Target "dc=windomain,dc=local" -Enforced yes
+New-GPLink -Name 'Windows Event Forwarding Server' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+Write-Host "Importing the GPO to modify ACLs on Custom Event Channels"
+Import-GPO -BackupGPOName 'Custom Event Channel Permissions' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Custom Event Channel Permissions' -CreateIfNeeded
+New-GPLink -Name 'Custom Event Channel Permissions' -Target "dc=windomain,dc=local" -Enforced yes
+New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes
+New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes
+gpupdate /force
+# Enable WinRM
+Write-Host "Enabling WinRM"
+winrm qc /q:true
+Write-Host "Rebooting to make settings take effect..."
@@ -0,0 +1,55 @@
+# Purpose: Creates the "windomain.local" domain
+# Source: https://github.com/StefanScherer/adfs2
+param ([String] $ip)
+
+$subnet = $ip -replace "\.\d+$", ""
+
+if ((gwmi win32_computersystem).partofdomain -eq $false) {
+
+  Write-Host 'Installing RSAT tools'
+  Import-Module ServerManager
+  Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
+
+  Write-Host 'Creating domain controller'
+  # Disable password complexity policy
+  secedit /export /cfg C:\secpol.cfg
+  (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
+  secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY
+  rm -force C:\secpol.cfg -confirm:$false
+
+  # Set administrator password
+  $computerName = $env:COMPUTERNAME
+  $adminPassword = "vagrant"
+  $adminUser = [ADSI] "WinNT://$computerName/Administrator,User"
+  $adminUser.SetPassword($adminPassword)
+
+  $PlainPassword = "vagrant" # "P@ssw0rd"
+  $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
+
+  # Windows Server 2016 R2
+  Install-WindowsFeature AD-domain-services
+  Import-Module ADDSDeployment
+  Install-ADDSForest `
+    -SafeModeAdministratorPassword $SecurePassword `
+    -CreateDnsDelegation:$false `
+    -DatabasePath "C:\Windows\NTDS" `
+    -DomainMode "7" `
+    -DomainName "windomain.local" `
+    -DomainNetbiosName "WINDOMAIN" `
+    -ForestMode "7" `
+    -InstallDns:$true `
+    -LogPath "C:\Windows\NTDS" `
+    -NoRebootOnCompletion:$true `
+    -SysvolPath "C:\Windows\SYSVOL" `
+    -Force:$true
+
+  $newDNSServers = "8.8.8.8", "4.4.4.4"
+  $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -And ($_.IPAddress).StartsWith($subnet) }
+  if ($adapters) {
+    Write-Host Setting DNS
+    $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
+  }
+  Write-Host "Setting timezone to UTC"
+  c:\windows\system32\tzutil.exe /s "UTC"
+  Write-Host "Excluding NAT interface from DNS"
+}
@@ -0,0 +1,7 @@
+# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
+Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
+
+$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
+
+Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
+Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
@@ -0,0 +1,7 @@
+# Purpose: Downloads and unzips a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
+Write-Host "Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github..."
+
+$wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip'
+
+Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath
+Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
@@ -0,0 +1,35 @@
+# Source: https://github.com/StefanScherer/adfs2
+param ([String] $ip, [String] $dns)
+
+if (Test-Path C:\Users\vagrant\enable-winrm-after-customization.bat) {
+  Write-Host "Nothing to do in vCloud."
+  exit 0
+}
+if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
+  Write-Host "Nothing to do for other providers than VMware."
+  exit 0
+}
+
+$subnet = $ip -replace "\.\d+$", ""
+
+$name = (Get-NetIPAddress -AddressFamily IPv4 `
+   | Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
+   ).InterfaceAlias
+
+if (!$name) {
+  $name = (Get-NetIPAddress -AddressFamily IPv4 `
+     | Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
+     ).InterfaceAlias
+}
+
+if ($name) {
+  Write-Host "Set IP address to $ip of interface $name"
+  & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
+
+  if ($dns) {
+    Write-Host "Set DNS server address to $dns of interface $name"
+    & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1
+  }
+} else {
+  Write-Error "Could not find a interface with subnet $subnet.xx"
+}
@@ -0,0 +1,7 @@
+# Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
+# TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk
+Write-Host "Installing AutorunsToWinEventLog..."
+cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
+.\Install.ps1
+Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
+Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
@@ -0,0 +1,20 @@
+# Installs BGInfo on the host for easy identification
+# Source: https://github.com/StefanScherer/adfs2
+if (!(Test-Path 'c:\Program Files\sysinternals')) {
+  New-Item -Path 'c:\Program Files\sysinternals' -type directory -Force -ErrorAction SilentlyContinue
+}
+if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
+  (New-Object Net.WebClient).DownloadFile('http://live.sysinternals.com/bginfo.exe', 'c:\Program Files\sysinternals\bginfo.exe')
+}
+$vbsScript = @'
+WScript.Sleep 15000
+Dim objShell
+Set objShell = WScript.CreateObject( "WScript.Shell" )
+objShell.Run("""c:\Program Files\sysinternals\bginfo.exe"" /accepteula ""c:\Program Files\sysinternals\bginfo.bgi"" /silent /timer:0")
+'@
+
+$vbsScript | Out-File 'c:\Program Files\sysinternals\bginfo.vbs'
+
+Copy-Item "C:\vagrant\scripts\bginfo.bgi" 'c:\Program Files\sysinternals\bginfo.bgi'
+
+Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name bginfo -Value 'wscript "c:\Program Files\sysinternals\bginfo.vbs"'
@@ -0,0 +1,16 @@
+# Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts
+
+Write-Host "Setting up Splunk Inputs for Sysmon & osquery"
+$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
+
+Write-Host "Stopping the Splunk forwarder"
+Stop-Service splunkforwarder
+
+Write-Host "Deleting the default configuration"
+Remove-Item $inputsPath
+
+Write-Host "Copying over the custom configuration"
+Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
+
+Write-Host "Starting the Splunk forwarder"
+Start-Service splunkforwarder
@@ -0,0 +1,40 @@
+# Purpose: Installs osquery on the host
+# Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
+# If you would like to have osquery run without TLS & Fleet, uncomment line 15 and comment lines 21-30.
+
+Write-Host "Installing osquery"
+$packsDir = "c:\programdata\osquery\packs"
+choco install -y osquery | Out-String  # Apparently Out-String makes the process wait
+$service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'"
+If (-not ($service)) {
+  Write-Host "Setting osquery to run as a service"
+  Start-Process -FilePath "c:\programdata\osquery\osqueryd\osqueryd.exe" -ArgumentList "--install" -Wait
+  # Copy over the config and packs from the Palantir repo
+  Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Endpoints\Windows\*" "c:\ProgramData\osquery"
+  Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Endpoints\packs" -Path "c:\ProgramData\osquery"
+
+  ## Use the TLS config by default. Un-comment the line below to use the local configuration and avoid connecting to Fleet.
+  # Copy-Item "c:\ProgramData\osquery\osquery_no_tls.flags" -Path "c:\ProgramData\osquery\osquery.flags" -Force
+
+  ###  --- TLS CONFIG BEGINS ---
+  ### COMMENT ALL LINES BELOW UNTIL "TLS CONFIG ENDS" if using local configuration
+  ## Add entry to hosts file for Kolide for SSL validation
+  Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.5    kolide"
+  ## Add kolide secret and avoid BOM
+  $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
+  [System.IO.File]::WriteAllLines("c:\ProgramData\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)
+  ## Change TLS server hostname
+  (Get-Content c:\ProgramData\osquery\osquery.flags) -replace 'tls.endpoint.server.com', 'kolide:8412' | Set-Content c:\ProgramData\osquery\osquery.flags
+  ## Change path to secrets
+  (Get-Content c:\ProgramData\osquery\osquery.flags) -replace 'path\\to\\file\\containing\\secret.txt', 'ProgramData\osquery\kolide_secret.txt' | Set-Content c:\ProgramData\osquery\osquery.flags
+  ## Add certfile.crt
+  Copy-Item "c:\vagrant\resources\fleet\server.crt" "c:\ProgramData\osquery\certfile.crt"
+  ### --- TLS CONFIG ENDS ---
+
+  Stop-service osqueryd
+  Start-Sleep -s 5
+  Start-Service osqueryd
+}
+else {
+  Write-Host "osquery is already installed"
+}
@@ -0,0 +1,13 @@
+# Purpose: Installs a Splunk Universal Forwader on the host
+
+If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
+  Write-Host "Downloading Splunk"
+  $msiFile = $env:Temp + "\splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi"
+
+  Write-Host "Installing & Starting Splunk"
+  (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi&wget=true', $msiFile)
+  Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 /quiet' -Wait
+} Else {
+  Write-Host "Splunk is already installed. Moving on."
+}
+Write-Host "Splunk installation complete!"
@@ -0,0 +1,40 @@
+# Purpose: Installs a handful of SysInternals tools on the host into c:\Tools\Sysinternals
+
+$sysinternalsDir = "C:\Tools\Sysinternals"
+$sysmonDir = "C:\ProgramData\Sysmon"
+If(!(test-path $sysinternalsDir)) {
+  New-Item -ItemType Directory -Force -Path $sysinternalsDir
+} Else {
+  Write-Host "Tools directory exists. Exiting."
+  exit
+}
+
+If(!(test-path $sysmonDir)) {
+  New-Item -ItemType Directory -Force -Path $sysmonDir
+} Else {
+  Write-Host "Sysmon directory exists. Exiting."
+  exit
+}
+
+$autorunsPath = "C:\Tools\Sysinternals\Autoruns64.exe"
+$procmonPath = "C:\Tools\Sysinternals\Procmon.exe"
+$psexecPath = "C:\Tools\Sysinternals\PsExec64.exe"
+$procexpPath = "C:\Tools\Sysinternals\procexp64.exe"
+$sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
+$tcpviewPath = "C:\Tools\Sysinternals\Tcpview.exe"
+$sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
+
+Invoke-WebRequest -Uri "https://live.sysinternals.com/Autoruns64.exe" -OutFile $autorunsPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile $procmonPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec64.exe" -OutFile $psexecPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/procexp64.exe" -OutFile $procexpPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sysmonPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
+Copy-Item $sysmonPath $sysmonDir
+
+# Download SwiftOnSecurity's Sysmon config
+Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonDir\sysmonConfig.xml"
+
+# Startup Sysmon
+Write-Host "Starting Sysmon..."
+Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
@@ -0,0 +1,25 @@
+# Purpose: Installs chocolatey package manager, then installs custom utilities from Choco and adds syntax highlighting for Powershell, Batch, and Docker. Also installs Mimikatz into c:\Tools\Mimikatz.
+
+If (-not (Test-Path "C:\ProgramData\chocolatey")) {
+  Write-Host "Installing Chocolatey"
+  iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
+}
+else {
+  Write-Host "Chocolatey is already installed."
+}
+
+Write-Host "Installing atom, Notepad++, Chrome, WinRar, and Mimikatz."
+choco install -y atom
+choco install -y NotepadPlusPlus
+choco install -y GoogleChrome
+choco install -y WinRar
+Write-Host $env:LOCALAPPDATA
+$env:PATH="$env:PATH;$env:LOCALAPPDATA\atom\bin"
+apm install language-powershell
+apm install language-batch
+apm install language-docker
+
+# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
+$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
+Invoke-WebRequest -Uri "https://github.com/gentilkiwi/mimikatz/releases/download/2.1.1-20171203/mimikatz_trunk.zip" -OutFile $mimikatzRepoPath
+Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
@@ -0,0 +1,27 @@
+# Purpose: Imports the custom Windows Event Channel and XML subscriptions on the WEF host
+# Note: This only needs to be installed on the WEF server
+
+Write-Host "Installing WEF Subscriptions"
+
+Write-Host "Copying Custom Event Channels DLL"
+Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll c:\windows\system32
+Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man c:\windows\system32
+
+Write-Host "Installing Custom Event Channels Manifest"
+wevtutil im "c:\windows\system32\CustomEventChannels.man"
+Write-Host "Resizing Channels to 4GB"
+$xml = wevtutil el | select-string -pattern "WEC"
+foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
+
+Write-Host "Starting the Windows Event Collector Service"
+net start wecsvc
+
+Write-Host "Creating custom event subscriptions"
+cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
+cmd /c "for /r %i in (*.xml) do wecutil cs %i"
+
+Write-Host "Enabling custom event subscriptions"
+cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
+
+Write-Host "Enabling WecUtil Quick Config"
+wecutil qc /q:true
@@ -0,0 +1,29 @@
+# Purpose: Installs the Windows Splunk Technial Add-On
+# Note: This only needs to be installed on the WEF server
+
+Write-Host "Installing the Windows TA for Splunk"
+
+If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
+  Write-Host "Windows TA is already installed. Moving on."
+  Exit
+}
+
+# Install Windows TA (this only needs to be done on the WEF server)
+$windowstaPath = "C:\vagrant\resources\splunk_forwarder\splunk-add-on-for-microsoft-windows_483.tgz"
+$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
+Write-Host "Installing the Windows TA"
+Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" -ArgumentList "install app $windowstaPath -auth admin:changeme" -NoNewWindow
+
+# Create local directory
+New-Item -ItemType Directory -Force -Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local"
+Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath
+
+# Add a check here to make sure the TA was installed correctly
+Write-Host "Sleeping for 15 seconds"
+start-sleep -s 15
+If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
+  Write-Host "Windows TA installed successfully."
+} Else {
+  Write-Host "Something went wrong during installation."
+  exit 1
+}
@@ -0,0 +1,29 @@
+# Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
+# Source: https://github.com/StefanScherer/adfs2
+
+Write-Host 'Join the domain'
+
+Write-Host "First, set DNS to DC to join the domain"
+$newDNSServers = "192.168.38.2"
+$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
+$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
+
+Write-Host "Now join the domain"
+$hostname = $(hostname)
+$user = "windomain.local\vagrant"
+$pass = ConvertTo-SecureString "vagrant" -AsPlainText -Force
+$DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
+
+# Place the computer in the correct OU based on hostname
+If ($hostname -eq "wef") {
+  Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru
+} ElseIf ($hostname -eq "win10") {
+  Write-Host "Adding Win10 to the domain. Sometimes this step times out when using VMWare. If that happens, just run 'vagrant reload win10 --provision'" #debug
+  Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local"
+} Else {
+  Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru
+}
+
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
@@ -0,0 +1,48 @@
+# Purpose: Sets timezone to UTC, sets hostname, creates/joins domain.
+# Source: https://github.com/StefanScherer/adfs2
+
+$box = Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -Name "ComputerName"
+$box = $box.ComputerName.ToString().ToLower()
+
+Write-Host "Setting timezone to UTC"
+c:\windows\system32\tzutil.exe /s "UTC"
+
+if ($env:COMPUTERNAME -imatch 'vagrant') {
+
+  Write-Host 'Hostname is still the original one, skip provisioning for reboot'
+
+  Write-Host 'Install bginfo'
+  . c:\vagrant\scripts\install-bginfo.ps1
+
+  Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
+
+} elseif ((gwmi win32_computersystem).partofdomain -eq $false) {
+
+  Write-Host -fore red "Current domain is set to 'workgroup'. Time to join the domain!"
+
+  if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
+    Write-Host 'Install bginfo'
+    . c:\vagrant\scripts\install-bginfo.ps1
+  }
+
+  if ($env:COMPUTERNAME -imatch 'dc') {
+    . c:\vagrant\scripts\create-domain.ps1 192.168.38.2
+  } else {
+    . c:\vagrant\scripts\join-domain.ps1
+  }
+  Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
+
+} else {
+
+  Write-Host -fore green "I am domain joined!"
+
+  if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
+    Write-Host 'Install bginfo'
+    . c:\vagrant\scripts\install-bginfo.ps1
+  }
+
+  Write-Host 'Provisioning after joining domain'
+
+  # $script = "c:\vagrant\scripts\provision-" + $box + ".ps1"
+  # . $script
+}
				`@@ -0,0 +1 @@`
				<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:39:58]]></BackupTime><ID><![CDATA[{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
				`@@ -0,0 +1 @@`
				<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:39:58]]></BackupTime><ID><![CDATA[{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst>