From bd6c3520f3ca9bb62eea02b10b1a13007a1b3663 Mon Sep 17 00:00:00 2001
From: Chris Long <clong@cl0ng.com>
Date: Sat, 23 Jun 2018 23:27:23 -0700
Subject: [PATCH 1/3] Update Win10 to 1804 & Fixes

---
 .gitignore                                    |  2 +-
 Packer/scripts/MakeWindows10GreatAgain.ps1    | 12 +++--
 Packer/scripts/MakeWindows10GreatAgain.reg    |  6 ++-
 Packer/scripts/debloat-windows.ps1            |  3 --
 Packer/scripts/enable-winrm.ps1               |  3 +-
 Packer/scripts/vm-guest-tools.bat             |  5 ++-
 Packer/windows_10.json                        |  6 +--
 Vagrant/Vagrantfile                           | 44 ++++++++++++++++---
 Vagrant/bootstrap.sh                          | 23 ++++++++--
 Vagrant/scripts/configure-wef-gpo.ps1         |  6 +--
 Vagrant/scripts/download_palantir_osquery.ps1 |  5 ++-
 Vagrant/scripts/download_palantir_wef.ps1     |  2 +-
 Vagrant/scripts/fix-second-network.ps1        | 13 +++---
 .../scripts/install-autorunstowineventlog.ps1 |  5 +--
 Vagrant/scripts/install-caldera-agent.ps1     | 11 ++---
 Vagrant/scripts/install-splunkuf.ps1          |  8 ++--
 Vagrant/scripts/install-sysinternals.ps1      | 23 +++++++---
 Vagrant/scripts/install-utilities.ps1         | 39 +++++++++-------
 build.sh                                      |  3 +-
 19 files changed, 145 insertions(+), 74 deletions(-)

diff --git a/.gitignore b/.gitignore
index a5307ee..12f9c20 100755
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 Vagrant/.vagrant/*
-Vagrant/vagrant_build.log
+Vagrant/vagrant*.log
 Packer/packer_cache/*
 Packer/packer_build.log
 Boxes/*
diff --git a/Packer/scripts/MakeWindows10GreatAgain.ps1 b/Packer/scripts/MakeWindows10GreatAgain.ps1
index 8706268..16313f1 100644
--- a/Packer/scripts/MakeWindows10GreatAgain.ps1
+++ b/Packer/scripts/MakeWindows10GreatAgain.ps1
@@ -3,10 +3,6 @@ Write-Host "Making Windows 10 Great again"
 Write-Host "Importing registry keys..."
 regedit /s a:\MakeWindows10GreatAgain.reg
 
-# Install Powershell Help items
-Write-Host "Updating Powershell Help Library..."
-Update-Help
-
 # Remove OneDrive from the System
 Write-Host "Removing OneDrive..."
 $onedrive = Get-Process onedrive -ErrorAction SilentlyContinue
@@ -14,3 +10,11 @@ if ($onedrive) {
   taskkill /f /im OneDrive.exe
 }
 c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
+
+Update-Help -Force -ErrorAction SilentlyContinue
+
+# Remove Microsoft Store and Edge shortcuts from the taskbar
+$appname = "Microsoft Edge"
+((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
+$appname = "Microsoft Store"
+((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
diff --git a/Packer/scripts/MakeWindows10GreatAgain.reg b/Packer/scripts/MakeWindows10GreatAgain.reg
index 503d399..e8ed2d4 100644
--- a/Packer/scripts/MakeWindows10GreatAgain.reg
+++ b/Packer/scripts/MakeWindows10GreatAgain.reg
@@ -36,10 +36,14 @@ Windows Registry Editor Version 5.00
 
 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
 "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
- 
+
 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
 "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
 
 # Enable Developer Mode (prerequisite for Linux subsystem)
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
 "AllowDevelopmentWithoutDevLicense"=dword:00000001
+
+# Disable Microsoft People icon from taskbar
+[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People]
+"PeopleBand"=dword:00000000
diff --git a/Packer/scripts/debloat-windows.ps1 b/Packer/scripts/debloat-windows.ps1
index 686943c..bae63da 100755
--- a/Packer/scripts/debloat-windows.ps1
+++ b/Packer/scripts/debloat-windows.ps1
@@ -14,9 +14,6 @@ if ($env:PACKER_BUILDER_TYPE -And $($env:PACKER_BUILDER_TYPE).startsWith("hyperv
   #. $env:TEMP\Debloat-Windows-10-master\scripts\block-telemetry.ps1
   #Write-Host Disable services
   #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-services.ps1
-  Write-host Disable Windows Defender
-  #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-windows-defender.ps1
-  Uninstall-WindowsFeature Windows-Defender-Features
   Write-host Optimize Windows Update
   . $env:TEMP\Debloat-Windows-10-master\scripts\optimize-windows-update.ps1
   #Write-host Disable Windows Update
diff --git a/Packer/scripts/enable-winrm.ps1 b/Packer/scripts/enable-winrm.ps1
index c0c7587..b294cd3 100755
--- a/Packer/scripts/enable-winrm.ps1
+++ b/Packer/scripts/enable-winrm.ps1
@@ -9,5 +9,6 @@ winrm set winrm/config/client/auth '@{Basic="true"}'
 winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port="5985"}'
 netsh advfirewall firewall set rule group="Windows Remote Administration" new enable=yes
 netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=allow
-Set-Service winrm -startuptype "auto"
+sc config winrm start= disabled
+reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v StartWinRM /t REG_SZ /f /d "cmd.exe /c 'sc config winrm start= auto & sc start winrm'"
 Restart-Service winrm
diff --git a/Packer/scripts/vm-guest-tools.bat b/Packer/scripts/vm-guest-tools.bat
index cd33b74..137d4da 100755
--- a/Packer/scripts/vm-guest-tools.bat
+++ b/Packer/scripts/vm-guest-tools.bat
@@ -1,6 +1,9 @@
 if not exist "C:\Windows\Temp\7z920-x64.msi" (
     powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
 )
+if not exist "C:\Windows\Temp\7z920-x64.msi" (
+    powershell -Command "Start-Sleep 5 ; (New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
+)
 msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
 
 if "%PACKER_BUILDER_TYPE%" equ "vmware-iso" goto :vmware
@@ -36,7 +39,7 @@ if exist "C:\Users\vagrant\VBoxGuestAdditions.iso" (
 )
 
 if not exist "C:\Windows\Temp\VBoxGuestAdditions.iso" (
-    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.2.4/VBoxGuestAdditions_5.2.4.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
+    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.2.10/VBoxGuestAdditions_5.2.10.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
 )
 
 cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\VBoxGuestAdditions.iso -oC:\Windows\Temp\virtualbox"
diff --git a/Packer/windows_10.json b/Packer/windows_10.json
index 40ed3ca..831fe6a 100644
--- a/Packer/windows_10.json
+++ b/Packer/windows_10.json
@@ -170,9 +170,9 @@
     }
   ],
   "variables": {
-    "iso_url": "http://care.dlservice.microsoft.com/dl/download/B/8/B/B8B452EC-DD2D-4A8F-A88C-D2180C177624/15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO",
-    "iso_checksum_type": "sha1",
-    "iso_checksum": "6c60f91bf0ad7b20f469ab8f80863035c517f34f",
+    "iso_checksum": "27e4feb9102f7f2b21ebdb364587902a70842fb550204019d1a14b120918e455",
+    "iso_checksum_type": "sha256",
+    "iso_url": "https://software-download.microsoft.com/download/pr/17134.1.180410-1804.rs4_release_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso",
     "autounattend": "./answer_files/10/Autounattend.xml",
     "disk_size": "61440"
   }
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 6bbc466..d268b86 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -12,6 +12,12 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2048]
@@ -31,9 +37,10 @@ Vagrant.configure("2") do |config|
     #    after the domain controller is installed.
     #    see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
     cfg.winrm.transport = :plaintext
-    cfg.winrm.basic_auth_only = true
-
     cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1"
 
     cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.2"
@@ -51,8 +58,8 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
-    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
     cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
 
     cfg.vm.provider "vmware_fusion" do |v, override|
@@ -62,6 +69,13 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.memory = 2560
+      v.cpus = 2
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2560]
@@ -75,8 +89,10 @@ Vagrant.configure("2") do |config|
   config.vm.define "wef" do |cfg|
     cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
     cfg.vm.hostname = "wef"
-
     cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.3", gateway: "192.168.38.1", dns: "192.168.38.2"
 
     cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.3 -dns 192.168.38.2"
@@ -105,6 +121,13 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.memory = 2048
+      v.cpus = 2
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2048]
@@ -118,8 +141,10 @@ Vagrant.configure("2") do |config|
   config.vm.define "win10" do |cfg|
     cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
     cfg.vm.hostname = "win10"
-
     cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.4", gateway: "192.168.38.1", dns: "192.168.38.2"
 
     cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.4 -dns 192.168.38.2"
@@ -146,6 +171,15 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_10_vmware.box"
+      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2048]
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 0c0b95d..5fa90f2 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -8,6 +8,22 @@ echo "deb http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.
 apt-get update
 apt-get install -y jq whois build-essential git docker docker-compose unzip mongodb-org
 
+# Fix static IP if it's not set correctly
+ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
+if [ "$ETH1_IP" != "192.168.38.5" ]; then
+  echo "Incorrect IP Address settings detected. Attempting to fix."
+  ifdown eth1
+  ip addr flush dev eth1
+  ifup eth1
+  ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
+  if [ "$ETH1_IP" == "192.168.38.5" ]; then
+    echo "The static IP has been fixed and set to 192.168.38.5"
+  else
+    echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
+    exit 1
+  fi
+fi
+
 # Install Python 3.6.4
 echo "Installing Python v3.6.4..."
 wget https://www.python.org/ftp/python/3.6.4/Python-3.6.4.tgz
@@ -41,9 +57,9 @@ else
   # Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
   dig @8.8.8.8 splunk.com
   # Download Splunk
-  wget --progress=bar:force -O splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.2&product=splunk&filename=splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb&wget=true'
-  dpkg -i splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb
-  /opt/splunk/bin/splunk start --accept-license
+  wget --progress=bar:force -O splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.1&product=splunk&filename=splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb&wget=true'
+  dpkg -i splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb
+  /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
   /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
   /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
   /opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
@@ -73,6 +89,7 @@ git clone https://github.com/kolide/kolide-quickstart.git
 cd kolide-quickstart
 cp /vagrant/resources/fleet/server.* .
 sed -i 's/ -it//g' demo.sh
+sed -i 's#kolide/fleet:latest#kolide/fleet:1.0.8#g' docker-compose.yml
 ./demo.sh up simple
 # Set the enrollment secret to match what we deploy to Windows hosts
 docker run --rm --network=kolidequickstart_default mysql:5.7 mysql -h mysql -u kolide --password=kolide -e 'update app_configs set osquery_enroll_secret = "enrollmentsecret" where id=1;' --batch kolide
diff --git a/Vagrant/scripts/configure-wef-gpo.ps1 b/Vagrant/scripts/configure-wef-gpo.ps1
index bc4ed20..6861e06 100644
--- a/Vagrant/scripts/configure-wef-gpo.ps1
+++ b/Vagrant/scripts/configure-wef-gpo.ps1
@@ -54,7 +54,7 @@ else
 {
     Write-Host "GpLink $GPOName already linked on $OU. Moving On."
 }
-$OU = "ou=Workstations,dc=windomain,dc=local" 
+$OU = "ou=Workstations,dc=windomain,dc=local"
 $gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
 $GPO = Get-GPO -Name $GPOName
 If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
@@ -67,7 +67,3 @@ else
 }
 
 gpupdate /force
-# Enable WinRM
-Write-Host "Enabling WinRM"
-winrm qc /q:true
-Write-Host "Rebooting to make settings take effect..."
diff --git a/Vagrant/scripts/download_palantir_osquery.ps1 b/Vagrant/scripts/download_palantir_osquery.ps1
index 8018732..a699c63 100644
--- a/Vagrant/scripts/download_palantir_osquery.ps1
+++ b/Vagrant/scripts/download_palantir_osquery.ps1
@@ -1,4 +1,5 @@
 # Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
+# The items from this config file are used later in install-osquery.ps1
 Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
 
 $osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
@@ -9,8 +10,8 @@ if (-not (Test-Path $osqueryRepoPath))
     Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
     Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
 }
-else 
+else
 {
     Write-Host "$osqueryRepoPath already exists. Moving On."
 }
-Write-Host "Palantir OSQuery download complete!"
\ No newline at end of file
+Write-Host "Palantir osquery config download complete!"
diff --git a/Vagrant/scripts/download_palantir_wef.ps1 b/Vagrant/scripts/download_palantir_wef.ps1
index 8d026f2..14dade2 100644
--- a/Vagrant/scripts/download_palantir_wef.ps1
+++ b/Vagrant/scripts/download_palantir_wef.ps1
@@ -15,4 +15,4 @@ else
 {
     Write-Host "$wefRepoPath already exists. Moving On."
 }
-Write-Host "Palantir WEF download complete!"
\ No newline at end of file
+Write-Host "Palantir WEF download complete!"
diff --git a/Vagrant/scripts/fix-second-network.ps1 b/Vagrant/scripts/fix-second-network.ps1
index 705386f..d716ae7 100755
--- a/Vagrant/scripts/fix-second-network.ps1
+++ b/Vagrant/scripts/fix-second-network.ps1
@@ -1,31 +1,28 @@
 # Source: https://github.com/StefanScherer/adfs2
 param ([String] $ip, [String] $dns)
 
-if (Test-Path C:\Users\vagrant\enable-winrm-after-customization.bat) {
-  Write-Host "Nothing to do in vCloud."
-  exit 0
-}
 if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
   Write-Host "Nothing to do for other providers than VMware."
   exit 0
 }
+Write-Host "Setting IP address and DNS information for the second network adapter"
 
 $subnet = $ip -replace "\.\d+$", ""
-
+write-host "debug 1"
 $name = (Get-NetIPAddress -AddressFamily IPv4 `
    | Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
    ).InterfaceAlias
-
+write-host "debug 2"
 if (!$name) {
   $name = (Get-NetIPAddress -AddressFamily IPv4 `
      | Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
      ).InterfaceAlias
 }
-
+write-host "debug 3"
 if ($name) {
   Write-Host "Set IP address to $ip of interface $name"
   & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
-
+write-host "debug 4"
   if ($dns) {
     Write-Host "Set DNS server address to $dns of interface $name"
     & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1
diff --git a/Vagrant/scripts/install-autorunstowineventlog.ps1 b/Vagrant/scripts/install-autorunstowineventlog.ps1
index 5df09a4..c93bc52 100644
--- a/Vagrant/scripts/install-autorunstowineventlog.ps1
+++ b/Vagrant/scripts/install-autorunstowineventlog.ps1
@@ -3,8 +3,7 @@
 Write-Host "Installing AutorunsToWinEventLog..."
 If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
 {
-    cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
-    .\Install.ps1
+    . c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1
     Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
     Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
     $Tsk = Get-ScheduledTask -TaskName "AutorunsToWinEventLog"
@@ -13,7 +12,7 @@ If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
         throw "AutorunsToWinEventLog scheduled tasks wasn't running after starting it"
     }
 }
-else 
+else
 {
     Write-Host "AutorunsToWinEventLog already installed. Moving On."
 }
diff --git a/Vagrant/scripts/install-caldera-agent.ps1 b/Vagrant/scripts/install-caldera-agent.ps1
index ead4bf0..ba8b562 100644
--- a/Vagrant/scripts/install-caldera-agent.ps1
+++ b/Vagrant/scripts/install-caldera-agent.ps1
@@ -1,7 +1,6 @@
 # Purpose: Installs the Caldera agent on the host
 
-if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
-{
+If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
   # Add /etc/hosts entry
   Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.5    logger"
 
@@ -21,13 +20,15 @@ if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
   # Ignore SSL warning for conf file download
   # https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
   [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
+  If (-not (Test-Path "$cagentConfPath" )) {
+    Write-Host "Caldera Agent configuration failed. Unable to retrieve config from logger"
+  }
   Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
-  Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait  
+  Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
 } Else {
   Write-Host "Caldera Agent is already installed. Moving on."
 }
-If ((Get-Service -name cagent).Status -ne "Running")
-{
+If ((Get-Service -name cagent).Status -ne "Running") {
   throw "Caldera Agent service not running"
 }
 Write-Host "Cagent installation complete!"
diff --git a/Vagrant/scripts/install-splunkuf.ps1 b/Vagrant/scripts/install-splunkuf.ps1
index 2c8449a..925d067 100755
--- a/Vagrant/scripts/install-splunkuf.ps1
+++ b/Vagrant/scripts/install-splunkuf.ps1
@@ -1,12 +1,12 @@
 # Purpose: Installs a Splunk Universal Forwader on the host
 
 If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
-  Write-Host "Downloading Splunk"
-  $msiFile = $env:Temp + "\splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi"
+  Write-Host "Downloading Splunk Universal Forwarder"
+  $msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
 
   Write-Host "Installing & Starting Splunk"
-  (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi&wget=true', $msiFile)
-  Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 /quiet' -Wait
+  (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
+  Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
 } Else {
   Write-Host "Splunk is already installed. Moving on."
 }
diff --git a/Vagrant/scripts/install-sysinternals.ps1 b/Vagrant/scripts/install-sysinternals.ps1
index 20379b4..20695d3 100755
--- a/Vagrant/scripts/install-sysinternals.ps1
+++ b/Vagrant/scripts/install-sysinternals.ps1
@@ -24,23 +24,32 @@ $sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
 $tcpviewPath = "C:\Tools\Sysinternals\Tcpview.exe"
 $sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
 
+Write-Host "Downloading Autoruns64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Autoruns64.exe" -OutFile $autorunsPath
+Write-Host "Downloading Procmon.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile $procmonPath
+Write-Host "Downloading PsExec64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec64.exe" -OutFile $psexecPath
+Write-Host "Downloading procexp64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/procexp64.exe" -OutFile $procexpPath
+Write-Host "Downloading Sysmon64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sysmonPath
+Write-Host "Downloading Tcpview.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
 Copy-Item $sysmonPath $sysmonDir
 
 # Download SwiftOnSecurity's Sysmon config
+Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
 Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonConfigPath"
+# Alternative: Download Olaf Hartong's Sysmon config (more CPU intensive)
+#Invoke-WebRequest -Uri "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml" -Outfile "$sysmonConfigPath"
 
-# Convert Sysmon config schema from 3.30 to 4.0 per GitHub Issue #38
-(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
-
-# Convert Schema from 3.30 to 4.0 per GitHub Issue #38
-(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
-
-# Startup Sysmon
+# Start Sysmon
 Write-Host "Starting Sysmon..."
 Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
+Write-Host "Verifying that the Sysmon service is running..."
+Start-Sleep 5 # Give the service time to start
+If ((Get-Service -name Sysmon64).Status -ne "Running")
+{
+  throw "The Sysmon service did not start successfully"
+}
diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1
index 7b222fd..a302d4e 100755
--- a/Vagrant/scripts/install-utilities.ps1
+++ b/Vagrant/scripts/install-utilities.ps1
@@ -3,24 +3,21 @@
 If (-not (Test-Path "C:\ProgramData\chocolatey")) {
   Write-Host "Installing Chocolatey"
   iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
-}
-else {
+} else {
   Write-Host "Chocolatey is already installed."
 }
 
-Write-Host "Installing atom, Notepad++, Chrome, WinRar, and Mimikatz."
-choco install -y atom
+Write-Host "Installing Notepad++, Chrome, WinRar, PowerSploit and Mimikatz."
+If ($(hostname) -eq "win10") {
+  # Because the Windows10 start menu sucks
+  choco install -y classic-shell -installArgs ADDLOCAL=ClassicStartMenu
+}
 choco install -y NotepadPlusPlus
 choco install -y GoogleChrome
 choco install -y WinRar
-Write-Host $env:LOCALAPPDATA
-$env:PATH="$env:PATH;$env:LOCALAPPDATA\atom\bin"
-apm install language-powershell
-apm install language-batch
-apm install language-docker
 
 # Disable Windows Defender realtime scanning before downloading Mimikatz
-If ($env:computername -eq "WIN10") {
+If ($env:computername -eq "win10") {
   If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
   {
     Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
@@ -28,7 +25,7 @@ If ($env:computername -eq "WIN10") {
   gpupdate /force | Out-String
   Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
   set-MpPreference -DisableRealtimeMonitoring $true
-  
+
 }
 
 # Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
@@ -37,7 +34,6 @@ Write-Host "Determining latest release of Mimikatz..."
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
 $mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
-
 $mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
 if (-not (Test-Path $mimikatzRepoPath))
 {
@@ -48,8 +44,19 @@ else
 {
   Write-Host "Mimikatz was already installed. Moving On."
 }
-# Enable realtime monitoring again, now that exclusion is set for mimikatz
-If ($env:computername -eq "WIN10") {
-  set-MpPreference -DisableRealtimeMonitoring $false
+
+# Download and unzip a copy of PowerSploit
+Write-Host "Downloading Powersploit..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
+$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
+if (-not (Test-Path $powersploitRepoPath)) {
+  Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
+  Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
+  Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
+} else {
+  Write-Host "PowerSploit was already installed. Moving On."
 }
-Write-Host "Utilties installation complete!"
\ No newline at end of file
+
+Write-Host "Utilties installation complete!"
diff --git a/build.sh b/build.sh
index 7754755..10ae118 100755
--- a/build.sh
+++ b/build.sh
@@ -233,7 +233,7 @@ vagrant_up_host() {
   HOST="$1"
   (echo >&2 "Attempting to bring up the $HOST host using Vagrant")
   cd "$DL_DIR"/Vagrant || exit 1
-  VAGRANT_LOG=info $(which vagrant) up "$HOST" --provider="$PROVIDER" 3>&1 1>&2 2>&3 | tee -a "$DL_DIR/Vagrant/vagrant_build.log"
+  $(which vagrant) up "$HOST" --provider="$PROVIDER" 2> "$DL_DIR/Vagrant/vagrant_up_$HOST.log"
   echo "$?"
 }
 
@@ -373,6 +373,7 @@ choose_md5_tool() {
 
 # Downloads pre-built Packer boxes from detectionlab.network to save time during CI builds
 download_boxes() {
+  choose_md5_tool
   if [ "$PROVIDER" == "virtualbox" ]; then
     wget "https://www.detectionlab.network/windows_2016_virtualbox.box" -O "$DL_DIR"/Boxes/windows_2016_virtualbox.box
     wget "https://www.detectionlab.network/windows_10_virtualbox.box" -O "$DL_DIR"/Boxes/windows_10_virtualbox.box

From 4ac14cb432248d4a07c4a3136cc28618375d2c4d Mon Sep 17 00:00:00 2001
From: Chris Long <clong@cl0ng.com>
Date: Sun, 24 Jun 2018 13:29:13 -0700
Subject: [PATCH 2/3] Fixing 7zip download and packer build ordering

---
 Packer/scripts/vm-guest-tools.bat | 4 ++--
 Packer/windows_10.json            | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Packer/scripts/vm-guest-tools.bat b/Packer/scripts/vm-guest-tools.bat
index 137d4da..aa1a74d 100755
--- a/Packer/scripts/vm-guest-tools.bat
+++ b/Packer/scripts/vm-guest-tools.bat
@@ -1,8 +1,8 @@
 if not exist "C:\Windows\Temp\7z920-x64.msi" (
-    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
+    powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'https://astuteinternet.dl.sourceforge.net/project/sevenzip/7-Zip/9.20/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi'" <NUL
 )
 if not exist "C:\Windows\Temp\7z920-x64.msi" (
-    powershell -Command "Start-Sleep 5 ; (New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
+    powershell -Command "Start-Sleep 5; Invoke-WebRequest -Uri 'http://www.7-zip.org/a/7z920-x64.msi' -Outfile 'C:\Windows\Temp\7z920-x64.msi')" <NUL
 )
 msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
 
diff --git a/Packer/windows_10.json b/Packer/windows_10.json
index 831fe6a..5360cfe 100644
--- a/Packer/windows_10.json
+++ b/Packer/windows_10.json
@@ -135,8 +135,8 @@
       "type": "powershell",
       "scripts": [
         "./scripts/debloat-windows.ps1",
-        "./scripts/MakeWindows10GreatAgain.ps1",
-        "./scripts/rearm-windows.ps1"
+        "./scripts/rearm-windows.ps1",
+        "./scripts/MakeWindows10GreatAgain.ps1"
       ]
     },
     {

From a10572287271f630abf33a8342219c147c2d737e Mon Sep 17 00:00:00 2001
From: Chris Long <clong@cl0ng.com>
Date: Tue, 26 Jun 2018 23:48:11 -0700
Subject: [PATCH 3/3] Adding some small fixes

---
 Packer/scripts/debloat-windows.ps1       |  3 +++
 Packer/scripts/vm-guest-tools.bat        |  7 ++++++-
 Vagrant/Vagrantfile                      |  3 ++-
 Vagrant/scripts/configure-ou.ps1         |  7 +++----
 Vagrant/scripts/fix-second-network.ps1   |  8 +++-----
 Vagrant/scripts/install-sysinternals.ps1 | 21 ++++++++++++---------
 6 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/Packer/scripts/debloat-windows.ps1 b/Packer/scripts/debloat-windows.ps1
index bae63da..686943c 100755
--- a/Packer/scripts/debloat-windows.ps1
+++ b/Packer/scripts/debloat-windows.ps1
@@ -14,6 +14,9 @@ if ($env:PACKER_BUILDER_TYPE -And $($env:PACKER_BUILDER_TYPE).startsWith("hyperv
   #. $env:TEMP\Debloat-Windows-10-master\scripts\block-telemetry.ps1
   #Write-Host Disable services
   #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-services.ps1
+  Write-host Disable Windows Defender
+  #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-windows-defender.ps1
+  Uninstall-WindowsFeature Windows-Defender-Features
   Write-host Optimize Windows Update
   . $env:TEMP\Debloat-Windows-10-master\scripts\optimize-windows-update.ps1
   #Write-host Disable Windows Update
diff --git a/Packer/scripts/vm-guest-tools.bat b/Packer/scripts/vm-guest-tools.bat
index aa1a74d..35a4860 100755
--- a/Packer/scripts/vm-guest-tools.bat
+++ b/Packer/scripts/vm-guest-tools.bat
@@ -18,7 +18,7 @@ if exist "C:\Users\vagrant\windows.iso" (
 )
 
 if not exist "C:\Windows\Temp\windows.iso" (
-    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://softwareupdate.vmware.com/cds/vmw-desktop/ws/14.1.1/7528167/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL
+    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://softwareupdate.vmware.com/cds/vmw-desktop/ws/14.1.2/8497320/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL
     cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\vmware-tools.tar -oC:\Windows\Temp"
     FOR /r "C:\Windows\Temp" %%a in (VMware-tools-windows-*.iso) DO REN "%%~a" "windows.iso"
     rd /S /Q "C:\Program Files (x86)\VMWare"
@@ -27,6 +27,11 @@ if not exist "C:\Windows\Temp\windows.iso" (
 cmd /c ""C:\Program Files\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare"
 cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
 
+sc query vmtools > NUL
+IF ERRORLEVEL 1060 cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
+sc query vmtools > NUL
+IF ERRORLEVEL 1060 ECHO "Unable to install VMware Tools." & exit /b 1
+
 rd /Q "C:\Windows\Temp\vmware-tools.tar"
 rd /Q "C:\Windows\Temp\windows.iso"
 rd /S /Q "C:\Windows\Temp\VMware"
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index d268b86..722ef4f 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -31,7 +31,7 @@ Vagrant.configure("2") do |config|
   config.vm.define "dc" do |cfg|
     cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
     cfg.vm.hostname = "dc"
-
+    cfg.vm.boot_timeout = 600
     # use the plaintext WinRM transport and force it to use basic authentication.
     # NB this is needed because the default negotiate transport stops working
     #    after the domain controller is installed.
@@ -89,6 +89,7 @@ Vagrant.configure("2") do |config|
   config.vm.define "wef" do |cfg|
     cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
     cfg.vm.hostname = "wef"
+    cfg.vm.boot_timeout = 600
     cfg.vm.communicator = "winrm"
     cfg.winrm.basic_auth_only = true
     cfg.winrm.timeout = 300
diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1
index 07ae82f..dc4e589 100644
--- a/Vagrant/scripts/configure-ou.ps1
+++ b/Vagrant/scripts/configure-ou.ps1
@@ -1,9 +1,8 @@
 # Purpose: Sets up the Server and Workstations OUs
-Write-Host "Sleeping for 30 seconds, then creating Server and Workstation OUs"
-Start-Sleep 30
-Write-Host "Creating Servers OU"
+Write-Host "Creating Server and Workstation OUs..."
+Write-Host "Creating Servers OU..."
 if (!([ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")))
-{    
+{
     New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
 }
 else
diff --git a/Vagrant/scripts/fix-second-network.ps1 b/Vagrant/scripts/fix-second-network.ps1
index d716ae7..a032d15 100755
--- a/Vagrant/scripts/fix-second-network.ps1
+++ b/Vagrant/scripts/fix-second-network.ps1
@@ -5,24 +5,22 @@ if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
   Write-Host "Nothing to do for other providers than VMware."
   exit 0
 }
-Write-Host "Setting IP address and DNS information for the second network adapter"
+Write-Host "Setting IP address and DNS information for the Ethernet1 interface"
+Write-Host "If this step times out, it's because vagrant is connecting to the VM on the wrong interface"
+Write-Host "See https://github.com/clong/DetectionLab/issues/114 for more information"
 
 $subnet = $ip -replace "\.\d+$", ""
-write-host "debug 1"
 $name = (Get-NetIPAddress -AddressFamily IPv4 `
    | Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
    ).InterfaceAlias
-write-host "debug 2"
 if (!$name) {
   $name = (Get-NetIPAddress -AddressFamily IPv4 `
      | Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
      ).InterfaceAlias
 }
-write-host "debug 3"
 if ($name) {
   Write-Host "Set IP address to $ip of interface $name"
   & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
-write-host "debug 4"
   if ($dns) {
     Write-Host "Set DNS server address to $dns of interface $name"
     & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1
diff --git a/Vagrant/scripts/install-sysinternals.ps1 b/Vagrant/scripts/install-sysinternals.ps1
index 20695d3..00df8c5 100755
--- a/Vagrant/scripts/install-sysinternals.ps1
+++ b/Vagrant/scripts/install-sysinternals.ps1
@@ -24,25 +24,28 @@ $sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
 $tcpviewPath = "C:\Tools\Sysinternals\Tcpview.exe"
 $sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
 
+
+# Microsoft likes TLSv1.2 as well
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Write-Host "Downloading Autoruns64.exe..."
-Invoke-WebRequest -Uri "https://live.sysinternals.com/Autoruns64.exe" -OutFile $autorunsPath
+(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Autoruns64.exe', $autorunsPath)
 Write-Host "Downloading Procmon.exe..."
-Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile $procmonPath
+(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Procmon.exe', $procmonPath)
 Write-Host "Downloading PsExec64.exe..."
-Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec64.exe" -OutFile $psexecPath
+(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/PsExec64.exe', $psexecPath)
 Write-Host "Downloading procexp64.exe..."
-Invoke-WebRequest -Uri "https://live.sysinternals.com/procexp64.exe" -OutFile $procexpPath
+(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/procexp64.exe', $procexpPath)
 Write-Host "Downloading Sysmon64.exe..."
-Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sysmonPath
+(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe', $sysmonPath)
 Write-Host "Downloading Tcpview.exe..."
-Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
+(New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Tcpview.exe', $tcpviewPath)
 Copy-Item $sysmonPath $sysmonDir
 
 # Download SwiftOnSecurity's Sysmon config
 Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
-Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonConfigPath"
-# Alternative: Download Olaf Hartong's Sysmon config (more CPU intensive)
-#Invoke-WebRequest -Uri "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml" -Outfile "$sysmonConfigPath"
+(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
+# Alternative: Download Olaf Hartongs Sysmon config (more CPU intensive)
+# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml, "$sysmonConfigPath"
 
 # Start Sysmon
 Write-Host "Starting Sysmon..."