Merge branch 'osquery_refactor' of https://github.com/clong/detectionlab into osquery_refactor

README.md

@@ -25,16 +25,16 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
 
 ## Primary Lab Features:
 * Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
-* Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
+* A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
 * A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
 * [Palantir's Windows Event Forwarding](http://github.com/palantir/windows-event-forwarding)  subscriptions and custom channels are implemented
 * Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs`
 * osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration)
-* Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
+* Sysmon is installed and configured using [Olaf Hartong's open-sourced Sysmon configuration](https://github.com/olafhartong/sysmon-modular)
 * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 * SMBv1 Auditing is enabled
 
-## Requirements
+## Requirements for VMware or Virtualbox
 * 55GB+ of free disk space
 * 16GB+ of RAM
 * Packer 1.3.2 or newer
@@ -48,6 +48,7 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
 Please view the quickstart guides based on the operating system you are using. The AWS/Terraform DetectionLab can be launched from any operating system.
 
 * [AWS via Terraform](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform))
+* [Azure via Terraform & Ansible](https://github.com/clong/DetectionLab/tree/master/Azure)
 * [MacOS](https://github.com/clong/DetectionLab/wiki/Quickstart---MacOS)
 * [Windows](https://github.com/clong/DetectionLab/wiki/Quickstart---Windows)
 * [Linux](https://github.com/clong/DetectionLab/wiki/Quickstart-Linux)

Vagrant/scripts/fix-windows-expiration.ps1

@@ -18,7 +18,12 @@ if ($regex.Matches.Value -eq "grace time expired") {
   # If activation was successful, the regex should match 90 or 180 (Win10 or Win2016)
   $regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)"
 }  
-$days_left = $regex.Matches.Groups[1].Value
+try {
+  $days_left = $regex.Matches.Groups[1].Value
+} catch {
+  Write-Host "Unable to successfully parse the output from slmgr, not rearming"
+  $days_left = 90
+}
 
 if ($days_left -as [int] -lt 30) {
   write-host "Less than 30 days remaining before Windows expiration. Attempting to rearm..."

Vagrant/scripts/install-microsoft-ata.ps1

@@ -113,6 +113,7 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
 
     If (-not (Test-Path "$env:temp\gatewaysetup.zip"))
     {
+        Write-Host "[$env:computername] ATA Gateway not yet downloaded. Downloading now..."
         Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant")))
         Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
     }
@@ -122,17 +123,20 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
     }
     if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics"))
     {
+        Write-Host "[$env:computername] ATA Gateway not yet installed. Attempting to install now..."
         Set-Location "$env:temp\gatewaysetup"
         Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
+        Write-Host "[$env:computername] ATA Gateway installation complete!"
     }
     else
     {
         Write-Host "[$env:computername] ATA Gateway already installed. Moving On."
     }
+    Write-Host "[$env:computername] Waiting for the ATA Gateway service to start..."
     (Get-Service ATAGateway).WaitForStatus('Running', '00:10:00')
     If ((Get-Service "ATAGateway").Status -ne "Running")
     {
-        throw "ATA lightweight gateway not running"
+        throw "ATA Gateway service failed to start on DC"
     }
     # Disable invalid web requests to endpoints with invalid SSL certs again
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null