Merge pull request #6 from clong/master

Syncing with upstream repo

Azure/Ansible/roles/wef/tasks/main.yml

@@ -92,6 +92,15 @@
 
 - debug: msg="{{ pstranscriptshare.stdout_lines }}"
 
+- name: Installing the EVTX Event Samples
+  win_shell: ".\\install-evtx-attack-samples.ps1"
+  args:
+    chdir: 'c:\vagrant\scripts'
+  register: evtxeventsamples
+  failed_when: "'Exception' in evtxeventsamples.stdout"
+
+- debug: msg="{{ evtxeventsamples.stdout_lines }}"
+
 - name: Installing Microsoft Advanced Threat Analytics
   win_shell: ".\\install-microsoft-ata.ps1"
   args:

Azure/README.md

@@ -85,6 +85,7 @@ If you run into any issues along the way, please open an issue on Github and I'l
 * If an Ansible playbook fails (and they sometimes do), you can pick up where it left off with `ansible-playbook -vvv detectionlab.yml --tags="hostname-goes-here" --start-at-task="taskname"`
 * "Installing Red Team Tooling" hangs if AV isn't disabled successfully
 * It seems like sometimes the logger provisioning "errors" somewhere and causes the box to become tained, despite the provision being successful. Work around this by untainting it: `terraform untaint azurerm_virtual_machine.dc`
+* If running Ansible causes a `fork()` related error message, set the following environment variable before running Ansible: `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES`. More on this [here](https://github.com/clong/DetectionLab/issues/543).
 
 ## Future work required
 * It probably makes sense to abstract all of the logic in `bootstrap.sh` into individual Ansible tasks

Azure/Terraform/main.tf

@@ -266,8 +266,10 @@ resource "azurerm_virtual_machine" "logger" {
     }
     inline = [
       "sudo add-apt-repository universe && sudo apt-get -qq update && sudo apt-get -qq install -y git",
+      "sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config && sudo service ssh restart",
       "echo 'logger' | sudo tee /etc/hostname && sudo hostnamectl set-hostname logger",
       "sudo adduser --disabled-password --gecos \"\" vagrant && echo 'vagrant:vagrant' | sudo chpasswd",
+      "echo 'vagrant:vagrant' | sudo chpasswd",
       "sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh",
       "echo 'vagrant    ALL=(ALL:ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers",
       "sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab",

Azure/build_ansible_inventory.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
 # This script is used to populate the Azure Ansible inventory.yml with 
 # the results of "terraform output"

ESXi/Packer/ubuntu1804_esxi.json

@@ -90,8 +90,8 @@
         "esxi_password": "",
         "headless": "false",
         "guest_additions_url": "",
-        "iso_checksum": "sha256:e2ecdace33c939527cbc9e8d23576381c493b071107207d2040af72595f8990b",
-        "iso_name": "ubuntu-18.04.4-server-amd64.iso",
+        "iso_checksum": "sha256:8c5fc24894394035402f66f3824beb7234b757dd2b5531379cb310cedfdf0996",
+        "iso_name": "ubuntu-18.04.5-server-amd64.iso",
         "memory": "4096",
         "mirror": "http://cdimage.ubuntu.com",
         "mirror_directory": "ubuntu/releases/18.04.4/release",

ESXi/README.md

@@ -23,6 +23,15 @@ NOTE: This is an early release and it's possible that certain features may not w
 
 1. **(5 Minutes)** Edit the variables in `DetectionLab/ESXi/Packer/variables.json` to match your ESXi configuration. The `esxi_network_with_dhcp_and_internet` variable refers to any ESXi network that will be able to provide DHCP and internet access to the VM while it's being built in Packer.
 
+Note: As per ESXI 7.x, built-in VNC server has been removed from distribution (https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html). If you are using ESXI 7.x, you need to:
+* Upgrade Packer to 1.6.3+, we need to use `vnc_over_websocket` instead of old vnc configuration : [see packer issue](https://github.com/hashicorp/packer/issues/8984), [changelog](https://github.com/hashicorp/packer/blob/master/CHANGELOG.md)
+* Add two config to windows_10_esxi.json, windows_2016_esxi.json, ubuntu1804_esxi.json like this:
+```
+"vnc_over_websocket": true,
+"insecure_connection": true,
+```
+Ref: https://www.virtuallyghetto.com/2020/10/quick-tip-vmware-iso-builder-for-packer-now-supported-with-esxi-7-0.html
+
 2. **(45 Minutes)** From the `DetectionLab/ESXi/Packer` directory, run:
 * `PACKER_CACHE_DIR=../../Packer/packer_cache packer build -var-file variables.json windows_10_esxi.json`
 * `PACKER_CACHE_DIR=../../Packer/packer_cache packer build -var-file variables.json windows_2016_esxi.json`
@@ -41,7 +50,7 @@ These commands can be run in parallel from three separate terminal sessions.
 8. **(3 Minute)s** Edit `DetectionLab/ESXi/resources/01-netcfg.yaml`. These are the IP addresses that will be applied to the logger network interfaces. These should be be able to be found in your ESXi console or from the Terraform outputs.
 9. **(3 Minute)** Before running any Ansible playbooks, I highly recommend taking snapshots of all your VMs! If anything goes wrong with provisioning, you can simply restore the snapshot and easily debug the issue.
 10. Change your directory to `DetectionLab/ESXi/Ansible`
-11. **(30 Minutes)** Run `ansible-playbook -vvv detectionlab.yml` 
+11. **(30 Minutes)** Run `ansible-playbook -vvv detectionlab.yml` - If running Ansible causes a `fork()` related error message, set the following environment variable before running Ansible: `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES`. More on this [here](https://github.com/clong/DetectionLab/issues/543).
 12. If all goes well, you should see the following and your lab is complete!
 ![Ansible](https://github.com/clong/DetectionLab/blob/master/img/esxi_ansible.png?raw=true)
 

ESXi/ansible/roles/dc/tasks/main.yml

@@ -10,10 +10,10 @@
   when: res.reboot_required
 
 - name: Set HostOnly IP Address
-  win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.102 –PrefixLength 24 -DefaultGateway 192.168.38.1"
+  win_shell: "New-NetIPAddress –InterfaceAlias Ethernet1 –AddressFamily IPv4 -IPAddress 192.168.38.102 –PrefixLength 24 -DefaultGateway 192.168.38.1"
 
 - name: Set DNS Address
-  win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 127.0.0.1,8.8.8.8"
+  win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet1 -ServerAddresses 127.0.0.1,8.8.8.8"
 
 - name: Install git
   win_chocolatey:

ESXi/ansible/roles/logger/tasks/main.yml

@@ -219,11 +219,6 @@
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_144.tgz -auth 'admin:changeme'
 
-      ## Fix a bug with the ThreatHunting App (https://github.com/olafhartong/ThreatHunting/pull/57)
-      mv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmonevencodes.csv /opt/splunk/etc/apps/ThreatHunting/lookups/sysmoneventcodes.csv
-      sed -i 's/= sysmoneventcode /= sysmoneventcodes.csv /g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
-      sed -i 's/sysmoneventcode.csv/sysmoneventcodes.csv/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
-
       # Install the Maxmind license key for the ASNgen App
       if [ ! -z $MAXMIND_LICENSE ]; then
         mkdir /opt/splunk/etc/apps/TA-asngen/local 
@@ -231,8 +226,17 @@
         sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
       fi
 
+      # Replace the props.conf for Sysmon TA and Windows TA
+      # Removed all the 'rename = xmlwineventlog' directives
+      # I know youre not supposed to modify files in "default",
+      # but for some reason adding them to "local" wasnt working
+      cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf
+      cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf
+
       # Add custom Macro definitions for ThreatHunting App
       cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
+      # Fix props.conf in ThreatHunting App
+      sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
       # Fix Windows TA macros
       mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
       cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local
@@ -263,8 +267,6 @@
       dismissedInstrumentationOptInVersion = 4
       notification_python_3_impact = false
       display.page.home.dashboardId = /servicesNS/nobody/search/data/ui/views/logger_dashboard' > /opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf
-      # Disable the instrumentation popup
-      echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >>/opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
       # Enable SSL Login for Splunk
       echo -e "[settings]\nenableSplunkWebSSL = true" >/opt/splunk/etc/system/local/web.conf
       # Copy over the Logger Dashboard
@@ -275,8 +277,6 @@
       # Reboot Splunk to make changes take effect
         /opt/splunk/bin/splunk restart
         /opt/splunk/bin/splunk enable boot-start
-        # Generate the ASN lookup table
-        /opt/splunk/bin/splunk search "|asngen | outputlookup asn" -auth 'admin:changeme'
       fi
   register: install_splunk
   changed_when: "'The Splunk web interface is at https://logger:8000' in install_splunk.stdout"

ESXi/ansible/roles/wef/tasks/main.yml

@@ -11,11 +11,11 @@
 
 # This needs to be made idempodent
 - name: Set HostOnly IP Address
-  win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.103 –PrefixLength 24 -DefaultGateway 192.168.38.1"
+  win_shell: "New-NetIPAddress –InterfaceAlias Ethernet1 –AddressFamily IPv4 -IPAddress 192.168.38.103 –PrefixLength 24 -DefaultGateway 192.168.38.1"
 
 # This needs to be made idempodent
 - name: Set HostOnly DNS Address
-  win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 192.168.38.102,8.8.8.8"
+  win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet1 -ServerAddresses 192.168.38.102,8.8.8.8"
 
 - name: Install git
   win_chocolatey:
@@ -106,6 +106,15 @@
 
 - debug: msg="{{ pstranscriptshare.stdout_lines }}"
 
+- name: Installing the EVTX Event Samples
+  win_shell: ".\\install-evtx-attack-samples.ps1"
+  args:
+    chdir: 'c:\vagrant\scripts'
+  register: evtxeventsamples
+  failed_when: "'Exception' in evtxeventsamples.stdout"
+
+- debug: msg="{{ evtxeventsamples.stdout_lines }}"
+
 - name: Installing Microsoft Advanced Threat Analytics
   win_shell: ".\\install-microsoft-ata.ps1"
   args:

ESXi/ansible/roles/win10/tasks/main.yml

@@ -10,10 +10,10 @@
   when: res.reboot_required
 
 - name: Set HostOnly IP Address
-  win_shell: "New-NetIPAddress –InterfaceAlias Ethernet2 –AddressFamily IPv4 -IPAddress 192.168.38.104 –PrefixLength 24 -DefaultGateway 192.168.38.1"
+  win_shell: "New-NetIPAddress –InterfaceAlias Ethernet1 –AddressFamily IPv4 -IPAddress 192.168.38.104 –PrefixLength 24 -DefaultGateway 192.168.38.1"
 
 - name: Set HostOnly DNS Address
-  win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet2 -ServerAddresses 192.168.38.102,8.8.8.8"
+  win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet1 -ServerAddresses 192.168.38.102,8.8.8.8"
 
 - name: Install git
   win_chocolatey:

ESXi/main.tf

@@ -86,12 +86,6 @@ resource "esxi_guest" "dc" {
     mac_address     = "00:50:56:a1:b1:c2"
     nic_type        = "e1000"
   }
-  # OPTIONAL: You can comment out this interface stanza if your vm_network provides internet access
-  network_interfaces {
-    virtual_network = var.nat_network
-    mac_address     = "00:50:56:a1:b1:c3"
-    nic_type        = "e1000"
-  }
   # This is the local network that will be used for 192.168.38.x addressing
   network_interfaces {
     virtual_network = var.hostonly_network
@@ -121,12 +115,6 @@ resource "esxi_guest" "wef" {
     mac_address     = "00:50:56:a1:b2:c2"
     nic_type        = "e1000"
   }
-  # OPTIONAL: You can comment out this interface stanza if your vm_network provides internet access
-  network_interfaces {
-    virtual_network = var.nat_network
-    mac_address     = "00:50:56:a1:b3:c3"
-    nic_type        = "e1000"
-  }
   # This is the local network that will be used for 192.168.38.x addressing
   network_interfaces {
     virtual_network = var.hostonly_network
@@ -156,12 +144,6 @@ resource "esxi_guest" "win10" {
     mac_address     = "00:50:56:a2:b1:c2"
     nic_type        = "e1000"
   }
-  # OPTIONAL: You can comment out this interface stanza if your vm_network provides internet access
-  network_interfaces {
-    virtual_network = var.nat_network
-    mac_address     = "00:50:56:a2:b1:c3"
-    nic_type        = "e1000"
-  }
   # This is the local network that will be used for 192.168.38.x addressing
   network_interfaces {
     virtual_network = var.hostonly_network

ESXi/variables.tf

@@ -22,10 +22,6 @@ variable "vm_network" {
   default = "VM Network"
 }
 
-variable "nat_network" {
-  default = "NAT Network"
-}
-
 variable "hostonly_network" {
   default = "HostOnly Network"
 }

ESXi/versions.tf

@@ -0,0 +1,8 @@
+terraform {                                                                                                                                                                                                         
+  required_providers {                                                                                                                                                                                              
+    esxi = {                                                                                                                                                                                                        
+      source = "josenk/esxi"                                                                                                                                                                                        
+      version = "1.8.0"                                                                                                                                                                                             
+    }
+  }
+}

HyperV/bootstrap.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
 # Override existing DNS Settings using netplan, but don't do it for Terraform builds
 if ! curl -s 169.254.169.254 --connect-timeout 2 >/dev/null; then

Packer/scripts/download-microsoft-ata.ps1

@@ -0,0 +1,44 @@
+# Purpose: Downloads, installs and configures Microsft ATA 1.9
+$title = "Microsoft ATA 1.9"
+$downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso"
+$fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash
+
+# Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
+If (-not("SSLValidator" -as [type])) {
+    add-type -TypeDefinition @"
+using System;
+using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+public static class SSLValidator {
+    public static bool ReturnTrue(object sender,
+        X509Certificate certificate,
+        X509Chain chain,
+        SslPolicyErrors sslPolicyErrors) { return true; }
+
+    public static RemoteCertificateValidationCallback GetDelegate() {
+        return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue);
+    }
+}
+"@
+}
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
+
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
+# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
+$ProgressPreference = 'SilentlyContinue'
+Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
+$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
+If (-not ($actualHash -eq $fileHash)) {
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
+    Remove-Item -Path "c:\$title.iso" -Force
+    bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
+    $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
+    If (-not ($actualHash -eq $fileHash)) {
+        Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
+    }
+}
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Microsoft ATA sucessfully downloaded to c:\$title.iso !"

Packer/scripts/vm-guest-tools.ps1

@@ -38,7 +38,16 @@ if ("$env:PACKER_BUILDER_TYPE" -eq "vmware-iso") {
     }
 
     cmd /c "C:\PROGRA~1\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare
-    cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
+    cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v "/qn REBOOT=R"
+    $software = "VMware Tools";
+    $installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where { $_.DisplayName -eq $software }) -ne $null
+
+    If (-Not $installed) {
+        Write-Host "'$software' did not install successfully. Quitting.";
+        exit 1
+    } Else {
+        Write-Host "'$software' was installed successfully."
+    }
 
     Remove-Item -Force "C:\Windows\Temp\vmware-tools.tar"
     Remove-Item -Force "C:\Windows\Temp\windows.iso"

Packer/windows_2016.json

@@ -143,7 +143,8 @@
       "type": "powershell",
       "scripts": [
         "./scripts/vm-guest-tools.ps1",
-        "./scripts/debloat-windows.ps1"
+        "./scripts/debloat-windows.ps1",
+        "./scripts/download-microsoft-ata.ps1"
       ]
     },
     {

README.md

@@ -100,6 +100,7 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer]
 * [Velociraptor](https://github.com/Velocidex/velociraptor)
 * [BadBlood](https://github.com/davidprowe/BadBlood)
 * [PurpleSharp](https://github.com/mvelazc0/PurpleSharp)
+* [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES)
 
 # DetectionLab Sponsors
 #### Lated updated: 9/16/2020

Vagrant/Vagrantfile

@@ -136,6 +136,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-evtx-attack-samples.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -170,7 +171,7 @@ Vagrant.configure("2") do |config|
       lv.graphics_type = "spice"
       lv.video_type = "qxl"
       lv.input :type => "tablet", :bus => "usb"
-      override.vm.box = "../Boxes/windows_2016_libvirt.box" 
+      override.vm.box = "../Boxes/windows_2016_libvirt.box"
       lv.video_vram = 32768
       lv.memory = 2048
       lv.cpus = 2

Vagrant/bootstrap.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
 # Override existing DNS Settings using netplan, but don't do it for Terraform builds
 if ! curl -s 169.254.169.254 --connect-timeout 2 >/dev/null; then
@@ -154,6 +154,7 @@ install_splunk() {
     /opt/splunk/bin/splunk add index zeek -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
+    /opt/splunk/bin/splunk add index evtx_attack_samples -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_110.tgz -auth 'admin:changeme'

Vagrant/post_build_checks.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
 # This script is meant to verify that DetectionLab was built successfully.
 # Only MacOS and Linux are supported. Use post_build_checks.ps1 for Windows.

Vagrant/prepare.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
 # This script is meant to verify that your system is configured to 
 # build DetectionLab successfully.

Vagrant/resources/GPO/rdp_users/manifest.xml

@@ -1 +1 @@
-<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst><GPOGuid><![CDATA[{4EC18B73-0966-463C-BD39-72D0903AFE65}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{46037b97-c619-4c8b-b901-d264bbccc4c0}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2019-04-26T03:18:07]]></BackupTime><ID><![CDATA[{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}]]></ID><Comment><![CDATA[Allows windomain\vagrant to RDP to hosts]]></Comment><GPODisplayName><![CDATA[Allow Domain Users RDP]]></GPODisplayName></BackupInst></Backups>
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst><GPOGuid><![CDATA[{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ff161336-72cc-4bd4-90ae-42bf968987b9}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2020-09-28T11:54:01]]></BackupTime><ID><![CDATA[{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Allow Domain Users RDP]]></GPODisplayName></BackupInst></Backups>

Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/Backup.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Remote Desktop Users]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3036387054-737866085-3744588598-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3036387054-737866085-3744588598-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3036387054-737866085-3744588598-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group><Group><Sid><![CDATA[S-1-5-21-3036387054-737866085-3744588598-513]]></Sid><SamAccountName><![CDATA[Domain Users]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Users@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ee 96 fb b4 65 f1 fa 2b 36 e3 31 df e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ee 96 fb b4 65 f1 fa 2b 36 e3 31 df 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ee 96 fb b4 65 f1 fa 2b 36 e3 31 df 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Allow Domain Users RDP]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[131074]]></UserVersionNumber><MachineVersionNumber><![CDATA[196611]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        <GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>

Vagrant/resources/GPO/rdp_users/{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}/bkupInfo.xml

@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{D3AAF869-5E70-4C9E-BC4D-F7F86C450D5B}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ff161336-72cc-4bd4-90ae-42bf968987b9}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2020-09-28T11:54:01]]></BackupTime><ID><![CDATA[{02BF61B9-4ECA-4D86-B20B-323CF53B1E9F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Allow Domain Users RDP]]></GPODisplayName></BackupInst>

Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/Backup.xml

@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
-    <GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Remote Desktop Users]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid><![CDATA[S-1-5-21-2442050065-1280348291-2767644839-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2442050065-1280348291-2767644839-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2442050065-1280348291-2767644839-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{4EC18B73-0966-463C-BD39-72D0903AFE65}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 11 ba 8e 91 83 90 50 4c a7 e8 f6 a4 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Allow Domain Users RDP]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[0]]></UserVersionNumber><MachineVersionNumber><![CDATA[327685]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
-        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
-            
-            
-            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{4EC18B73-0966-463C-BD39-72D0903AFE65}\Adm\*.*"/>
-        </GroupPolicyExtension>
-        
-        
-        
-        
-        <GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
-            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{4EC18B73-0966-463C-BD39-72D0903AFE65}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
-        </GroupPolicyExtension>
-        
-        
-        
-        
-    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{4EC18B73-0966-463C-BD39-72D0903AFE65}\Machine\Microsoft" bkp:Location="DomainSysvol\GPO\Machine\Microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Microsoft\Windows NT" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{4EC18B73-0966-463C-BD39-72D0903AFE65}\Machine\Microsoft\Windows NT" bkp:Location="DomainSysvol\GPO\Machine\Microsoft\Windows NT"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Microsoft\Windows NT\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{4EC18B73-0966-463C-BD39-72D0903AFE65}\Machine\Microsoft\Windows NT\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\Microsoft\Windows NT\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{4EC18B73-0966-463C-BD39-72D0903AFE65}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{4EC18B73-0966-463C-BD39-72D0903AFE65}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{4EC18B73-0966-463C-BD39-72D0903AFE65}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
-</GroupPolicyBackupScheme>

Vagrant/resources/GPO/rdp_users/{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}/bkupInfo.xml

@@ -1 +0,0 @@
-<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{4EC18B73-0966-463C-BD39-72D0903AFE65}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{46037b97-c619-4c8b-b901-d264bbccc4c0}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2019-04-26T03:18:07]]></BackupTime><ID><![CDATA[{87A41109-E0FA-4D74-BE50-9ED009D4BAAF}]]></ID><Comment><![CDATA[Allows windomain\vagrant to RDP to hosts]]></Comment><GPODisplayName><![CDATA[Allow Domain Users RDP]]></GPODisplayName></BackupInst>

Vagrant/scripts/configure-rdp-user-gpo.ps1

@@ -1,6 +1,6 @@
 # Purpose: Install the GPO that allows windomain\vagrant to RDP
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to allow windomain/vagrant to RDP..."
-Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded
+Import-GPO -BackupGpoName 'Allow Domain Users RDP' -Path "c:\vagrant\resources\GPO\rdp_users" -MigrationTable "c:\vagrant\resources\GPO\rdp_users\rdp_users.migtable" -TargetName 'Allow Domain Users RDP' -CreateIfNeeded
 
 $OU = "ou=Workstations,dc=windomain,dc=local"
 $gPLinks = $null

Vagrant/scripts/install-botsv2.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
     # Thanks to @MHaggis for this addition!
     # It is recommended to only uncomment the attack-only dataset comment block.

Vagrant/scripts/install-botsv3.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
 #Thanks to @MHaggis for this addition!
 #More information on BOTSv3 can be found at https://github.com/splunk/botsv3

Vagrant/scripts/install-evtx-attack-samples.ps1

@@ -0,0 +1,70 @@
+# Purpose: Downloads and indexes the EVTX samples from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/ into Splunk
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Indexing EVTX Attack Samples into Splunk..."
+
+# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
+$ProgressPreference = 'SilentlyContinue'
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+$inputsConf = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
+
+# Download and unzip a copy of EVTX Attack Samples
+$evtxAttackDownloadUrl = "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/archive/master.zip"
+$evtxAttackRepoPath = "C:\Users\vagrant\AppData\Local\Temp\evtxattack.zip"
+If (-not (Test-Path "C:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master")) {
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading EVTX Attack Samples"
+    Invoke-WebRequest -Uri "$evtxAttackDownloadUrl" -OutFile "$evtxAttackRepoPath"
+    Expand-Archive -path "$evtxAttackRepoPath" -destinationpath 'c:\Tools\EVTX-ATTACK-SAMPLES' -Force
+    # Add stanzas to Splunk inputs.conf to index the evtx files
+    # Huge thanks to https://www.cloud-response.com/2019/07/importing-windows-event-log-files-into.html for showing how to do this!
+    If (!(Select-String -Path $inputsConf -Pattern "evtx_attack_sample")) {
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk inputs.conf has not yet been modified. Adding stanzas for these evtx files now..."
+        Add-Content -Path "$inputsConf" -Value '
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\AutomatedTestingTools\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Command and Control\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Credential Access\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Defense Evasion\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Discovery\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Execution\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Lateral Movement\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Other\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Persistence\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt
+
+[monitor://c:\Tools\EVTX-ATTACK-SAMPLES\EVTX-ATTACK-SAMPLES-master\Privilege Escalation\*.evtx]
+index = evtx_attack_samples
+sourcetype = preprocess-winevt'
+        # Restart the forwarder to pick up changes
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Restarting the Splunk Forwarder..."
+        Restart-Service SplunkForwarder
+        Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk to query these samples."
+    }
+} Else {
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) EVTX attack samples were already installed. Moving On."
+}

Vagrant/scripts/install-microsoft-ata.ps1

@@ -28,14 +28,14 @@ public static class SSLValidator {
 If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
 {
     $download = $false
-    If (-not (Test-Path "$env:temp\$title.iso"))
+    If (-not (Test-Path "c:\$title.iso"))
     {
         Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..."
         $download = $true
     }
     Else
     {
-        $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+        $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
         If (-not ($actualHash -eq $fileHash))
         {
             Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..."
@@ -47,21 +47,21 @@ If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
         Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
         # Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
         $ProgressPreference = 'SilentlyContinue'
-        Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
-        $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+        Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
+        $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
         If (-not ($actualHash -eq $fileHash))
         {
             Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
-            Remove-Item -Path "$env:temp\$title.iso" -Force
-            bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso"
-            $actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
+            Remove-Item -Path "c:\$title.iso" -Force
+            bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
+            $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
             If (-not ($actualHash -eq $fileHash))
             {
                 Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
             }
         }
     }
-    $Mount = Mount-DiskImage -ImagePath "$env:temp\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
+    $Mount = Mount-DiskImage -ImagePath "c:\$title.iso" -StorageType ISO -Access ReadOnly -PassThru
     $Volume = $Mount | Get-Volume
     Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing $title"
     $Install = Start-Process -Wait -FilePath ($Volume.DriveLetter + ":\Microsoft ATA Center Setup.exe") -ArgumentList "/q --LicenseAccepted NetFrameworkCommandLineArguments=`"/q`" --EnableMicrosoftUpdate" -PassThru

Vagrant/scripts/install-utilities.ps1

@@ -3,7 +3,7 @@
 If (-not (Test-Path "C:\ProgramData\chocolatey")) {
   [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
   Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey"
-  iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
+  Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
 } else {
   Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Chocolatey is already installed."
 }

Vagrant/scripts/join-domain.ps1

@@ -1,13 +1,16 @@
 # Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
 # Source: https://github.com/StefanScherer/adfs2
 
+$hostsFile = "c:\Windows\System32\drivers\etc\hosts"
+
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain..."
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) First, set DNS to DC to join the domain..."
 $newDNSServers = "192.168.38.102"
 $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
 # Don't do this in Azure. If the network adatper description contains "Hyper-V", this won't apply changes.
-$adapters | ForEach-Object {if (!($_.Description).Contains("Hyper-V")) {$_.SetDNSServerSearchOrder($newDNSServers)}}
+# Specify the DC as a WINS server to help with connectivity as well
+$adapters | ForEach-Object {if (!($_.Description).Contains("Hyper-V")) {$_.SetDNSServerSearchOrder($newDNSServers); $_.SetWINSServer($newDNSServers, "")}}
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Now join the domain..."
 $hostname = $(hostname)
@@ -18,6 +21,10 @@ $DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
 # Place the computer in the correct OU based on hostname
 If ($hostname -eq "wef") {
   Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru
+  # Attempt to fix Issue #517
+  Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'WaitToKillServiceTimeout' -Value '500' -Type String -Force -ea SilentlyContinue
+  New-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -Name 'AutoEndTasks' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue
+  Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Power' -Name 'HiberbootEnabled' -Value 0 -Type DWord -Force -ea SilentlyContinue
 } ElseIf ($hostname -eq "win10") {
   Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding Win10 to the domain. Sometimes this step times out. If that happens, just run 'vagrant reload win10 --provision'" #debug
   Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local"
@@ -25,6 +32,7 @@ If ($hostname -eq "wef") {
   Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru
 }
 
+# Set auto login
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
@@ -36,8 +44,6 @@ Stop-Service wuauserv
 Set-Service TrustedInstaller -StartupType Disabled
 Stop-Service TrustedInstaller
 
-
-
 # Uninstall Windows Defender from WEF
 # This command isn't supported on WIN10
 If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).status -eq 'Running') {
@@ -50,4 +56,4 @@ If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction Silentl
     Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully..."
     Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) We'll try again during install-red-team.ps1"
   }
-}
+}

ci/build_machine_bootstrap.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
 # This script is run on the Packet.net baremetal server for CI tests.
 # While building, the server will start a webserver on Port 80 that contains
@@ -110,7 +110,101 @@ if [ $BOXES_PRESENT -eq 1 ]; then
   sed -i 's#"detectionlab/win10"#"/mnt/windows_10_virtualbox.box"#g' /opt/DetectionLab/Vagrant/Vagrantfile
 fi
 
+# Recreate a barebones version of the build script so we have some sense of return codes
+cat << 'EOF' > /opt/DetectionLab/build.sh
+#! /usr/bin/env bash
+
+# Brings up a single host using Vagrant
+vagrant_up_host() {
+  HOST="$1"
+  (echo >&2 "Attempting to bring up the $HOST host using Vagrant")
+  cd "$DL_DIR"/Vagrant || exit 1
+  $(which vagrant) up "$HOST" &> "$DL_DIR/Vagrant/vagrant_up_$HOST.log"
+  echo "$?"
+}
+
+# Attempts to reload and re-provision a host if the intial "vagrant up" fails
+vagrant_reload_host() {
+  HOST="$1"
+  cd "$DL_DIR"/Vagrant || exit 1
+  # Attempt to reload the host if the vagrant up command didn't exit cleanly
+  $(which vagrant) reload "$HOST" --provision >>"$DL_DIR/Vagrant/vagrant_up_$HOST.log" 2>&1
+  echo "$?"
+}
+
+# A series of checks to ensure important services are responsive after the build completes.
+post_build_checks() {
+  # If the curl operation fails, we'll just leave the variable equal to 0
+  # This is needed to prevent the script from exiting if the curl operation fails
+  SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "")
+  FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.105:8412 | grep -c 'Kolide Fleet' || echo "")
+  ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.103 -m 2)
+  [[ $ATA_CHECK == 401 ]] && ATA_CHECK=1
+
+  BASH_MAJOR_VERSION=$(/bin/bash --version | grep 'GNU bash' | grep -oi version\.\.. | cut -d ' ' -f 2 | cut -d '.' -f 1)
+  # Associative arrays are only supported in bash 4 and up
+  if [ "$BASH_MAJOR_VERSION" -ge 4 ]; then
+    declare -A SERVICES
+    SERVICES=(["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK")
+    for SERVICE in "${!SERVICES[@]}"; do
+      if [ "${SERVICES[$SERVICE]}" -lt 1 ]; then
+        (echo >&2 "Warning: $SERVICE failed post-build tests and may not be functioning correctly.")
+      fi
+    done
+  else
+    if [ "$SPLUNK_CHECK" -lt 1 ]; then
+      (echo >&2 "Warning: Splunk failed post-build tests and may not be functioning correctly.")
+    fi
+    if [ "$FLEET_CHECK" -lt 1 ]; then
+      (echo >&2 "Warning: Fleet failed post-build tests and may not be functioning correctly.")
+    fi
+    if [ "$ATA_CHECK" -lt 1 ]; then
+      (echo >&2 "Warning: MS ATA failed post-build tests and may not be functioning correctly.")
+    fi
+  fi
+}
+
+build_vagrant_hosts() {
+  LAB_HOSTS=("logger" "dc" "wef" "win10")
+
+  # Vagrant up each box and attempt to reload one time if it fails
+  for VAGRANT_HOST in "${LAB_HOSTS[@]}"; do
+    RET=$(vagrant_up_host "$VAGRANT_HOST")
+    if [ "$RET" -eq 0 ]; then
+      (echo >&2 "Good news! $VAGRANT_HOST was built successfully!")
+    fi
+    # Attempt to recover if the intial "vagrant up" fails
+    if [ "$RET" -ne 0 ]; then
+      (echo >&2 "Something went wrong while attempting to build the $VAGRANT_HOST box.")
+      (echo >&2 "Attempting to reload and reprovision the host...")
+      RETRY_STATUS=$(vagrant_reload_host "$VAGRANT_HOST")
+      if [ "$RETRY_STATUS" -eq 0 ]; then
+        (echo >&2 "Good news! $VAGRANT_HOST was built successfully after a reload!")
+      else
+        (echo >&2 "Failed to bring up $VAGRANT_HOST after a reload. Exiting.")
+        exit 1
+      fi
+    fi
+  done
+}
+
+main() {
+  # Get location of build.sh
+  # https://stackoverflow.com/questions/59895/getting-the-source-directory-of-a-bash-script-from-within
+  DL_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+  # Build and Test Vagrant hosts 
+  cd Vagrant
+  build_vagrant_hosts
+  post_build_checks
+}
+
+main
+exit 0
+EOF
+chmod +x /opt/DetectionLab/build.sh
+
 # Start the build in a tmux session
 sn=tmuxsession
 tmux new-session -s "$sn" -d
-tmux send-keys -t "$sn:0" 'cd /opt/DetectionLab/Vagrant && vagrant up | tee -a vagrant_up_all.log && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter
+tmux send-keys -t "$sn:0" 'cd /opt/DetectionLab && ./build.sh && echo "success" > /var/www/html/index.html || echo "failed" > /var/www/html/index.html; umount /mnt && /usr/local/bin/packet-block-storage-detach' Enter

ci/manual_machine_bootstrap.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
 # This script is used to manually prepare an Ubuntu 16.04 server for DetectionLab building
 export DEBIAN_FRONTEND=noninteractive
@@ -40,8 +40,8 @@ sed -i 's/vb.gui = true/vb.gui = false/g' Vagrantfile
 # Install Packer
 mkdir /opt/packer
 cd /opt/packer || exit 1
-wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip
-unzip packer_1.6.0_linux_amd64.zip
+wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip
+unzip packer_1.6.3_linux_amd64.zip
 cp packer /usr/local/bin/packer
 
 # Make the Packer images headless

ci/manual_machine_bootstrap_vmware.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /usr/bin/env bash
 
 # This script is used to manually prepare an Ubuntu 16.04 server for DetectionLab building
 
@@ -14,9 +14,9 @@ apt-get install -y linux-headers-"$(uname -r)" build-essential unzip git ufw apa
 pip install awscli --upgrade --user
 cp /root/.local/bin/aws /usr/local/bin/aws && chmod +x /usr/local/bin/aws
 
-wget -O VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle"
-chmod +x VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle
-sudo sh VMware-Workstation-Full-15.5.6-16341506.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER
+wget -O VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle "https://download3.vmware.com/software/wkst/file/VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle"
+chmod +x VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle
+sudo sh VMware-Workstation-Full-16.0.0-16894299.x86_64.bundle --console --required --eulas-agreed --set-setting vmware-workstation serialNumber $SERIALNUMBER
 
 # Set up firewall
 ufw allow ssh
@@ -37,8 +37,8 @@ vagrant plugin install vagrant-reload
 vagrant plugin install vagrant-vmware-desktop
 echo $LICENSEFILE | base64 -d > /tmp/license.lic
 vagrant plugin license vagrant-vmware-desktop /tmp/license.lic
-wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.11/vagrant-vmware-utility_1.0.11_x86_64.deb"
-dpkg -i vagrant-vmware-utility_1.0.11_x86_64.deb
+wget --progress=bar:force "https://releases.hashicorp.com/vagrant-vmware-utility/1.0.12/vagrant-vmware-utility_1.0.12_x86_64.deb"
+dpkg -i vagrant-vmware-utility_1.0.12_x86_64.deb
 
 # Make the Vagrant instances headless
 cd /opt/DetectionLab/Vagrant || exit 1
@@ -47,8 +47,8 @@ sed -i 's/v.gui = true/v.gui = false/g' Vagrantfile
 # Install Packer
 mkdir /opt/packer
 cd /opt/packer || exit 1
-wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.0/packer_1.6.0_linux_amd64.zip
-unzip packer_1.6.0_linux_amd64.zip
+wget --progress=bar:force https://releases.hashicorp.com/packer/1.6.3/packer_1.6.3_linux_amd64.zip
+unzip packer_1.6.3_linux_amd64.zip
 cp packer /usr/local/bin/packer
 
 # Make the Packer images headless
@@ -56,3 +56,12 @@ cd /opt/DetectionLab/Packer || exit 1
 for file in *.json; do
   sed -i 's/"headless": false,/"headless": true,/g' "$file";
 done
+
+echo '# This file is automatically generated.
+# Hand-editing this file is not recommended.
+network0.name = "Bridged"
+network0.device = "vmnet0"
+network1.name = "HostOnly"
+network1.device = "vmnet1"
+network2.name = "NAT"
+network2.device = "vmnet8"' > /etc/vmware/netmap.conf