added pre and post checks for installations

Vagrant/scripts/configure-AuditingPolicyGPOs.ps1

@@ -1,13 +1,49 @@
 # Purpose: Installs the GPOs for the custom WinEventLog auditing policy.
 Write-Host "Configuring auditing policy GPOS..."
-Write-Host "Importing Domain Controller Enhanced Auditing Policy..."
-Import-GPO -BackupGpoName 'Domain Controllers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName 'Domain Controllers Enhanced Auditing Policy' -CreateIfNeeded
-New-GPLink -Name 'Domain Controllers Enhanced Auditing Policy' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+$GPOName = 'Domain Controllers Enhanced Auditing Policy'
+$OU = "ou=Domain Controllers,dc=windomain,dc=local"
+Write-Host "Importing $GPOName..."
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+$GPOName = 'Servers Enhanced Auditing Policy'
+$OU = "ou=Servers,dc=windomain,dc=local"
+Write-Host "Importing $GPOName..."
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
 
-Write-Host "Importing Servers Enhanced Auditing Policy..."
-Import-GPO -BackupGpoName 'Servers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName 'Servers Enhanced Auditing Policy' -CreateIfNeeded
-New-GPLink -Name 'Servers Enhanced Auditing Policy' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes
+$GPOName = 'Workstations Enhanced Auditing Policy'
+$OU = "ou=Workstations,dc=windomain,dc=local" 
+Write-Host "Importing $GPOName..."
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
 
-Write-Host "Importing Workstations Enhanced Auditing Policy..."
-Import-GPO -BackupGpoName 'Workstations Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName 'Workstations Enhanced Auditing Policy' -CreateIfNeeded
-New-GPLink -Name 'Workstations Enhanced Auditing Policy' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes

Vagrant/scripts/configure-ou.ps1

@@ -2,10 +2,23 @@
 Write-Host "Sleeping for 30 seconds, then creating Server and Workstation OUs"
 Start-Sleep 30
 Write-Host "Creating Servers OU"
-New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
+if (!([ADSI]::Exists("LDAP://OU=Servers,DC=windomain,DC=local")))
+{    
+    New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
+}
+else
+{
+    Write-Host "Servers OU already exists. Moving On."
+}
 Write-Host "Creating Workstations OU"
-New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
-
+if (!([ADSI]::Exists("LDAP://OU=Workstations,DC=windomain,DC=local")))
+{
+    New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
+}
+else
+{
+    Write-Host "Workstations OU already exists. Moving On."
+}
 # Sysprep breaks auto-login. Let's restore it here:
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"

Vagrant/scripts/configure-powershelllogging.ps1

@@ -1,6 +1,39 @@
 # Purpose: Install the GPO that specifies the WEF collector
 Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..."
 Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded
-New-GPLink -Name 'Powershell Logging' -Target "dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Powershell Logging' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+$OU = "ou=Workstations,dc=windomain,dc=local" 
+$gPLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name 'Powershell Logging'
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name 'Powershell Logging' -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "Powershell Loggin was already linked at $OU. Moving On."
+}
+$OU = "ou=Servers,dc=windomain,dc=local" 
+$gPLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name 'Powershell Logging'
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name 'Powershell Logging' -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "Powershell Loggin was already linked at $OU. Moving On."
+}
+$OU = "ou=Domain Controllers,dc=windomain,dc=local"
+$gPLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name 'Powershell Logging' -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "Powershell Loggin was already linked at $OU. Moving On."
+}
 gpupdate /force

Vagrant/scripts/configure-pslogstranscriptsshare.ps1

@@ -1,7 +1,10 @@
 # Purpose: Configure an SMB share for Powershell transcription logs to be written to
 # Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
 Write-Host "Configuring the Powershell Transcripts Share"
-md c:\pslogs
+If (-not (Test-Path c:\pslogs))
+{
+    md c:\pslogs
+}
 
 
 ## Kill all inherited permissions
@@ -39,4 +42,7 @@ $acl | Set-Acl c:\pslogs\
 
 ## Create the SMB Share, granting Everyone the right to read and write files. Specific
 ## actions will actually be enforced by the ACL on the file folder.
-New-SmbShare -Name pslogs -Path c:\pslogs -ChangeAccess Everyone
+if ((Get-SmbShare -Name pslogs -ea silent) -eq $null)
+{
+    New-SmbShare -Name pslogs -Path c:\pslogs -ChangeAccess Everyone
+}

Vagrant/scripts/configure-wef-gpo.ps1

@@ -1,14 +1,71 @@
 # Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger
 Write-Host "Importing the GPO to specify the WEF collector"
-Import-GPO -BackupGpoName 'Windows Event Forwarding Server' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Windows Event Forwarding Server' -CreateIfNeeded
-New-GPLink -Name 'Windows Event Forwarding Server' -Target "dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Windows Event Forwarding Server' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+$GPOName = 'Windows Event Forwarding Server'
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$OU = "OU=Servers,dc=windomain,dc=local"
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+$OU = "ou=Domain Controllers,dc=windomain,dc=local"
+$gpLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+
 Write-Host "Importing the GPO to modify ACLs on Custom Event Channels"
-Import-GPO -BackupGPOName 'Custom Event Channel Permissions' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Custom Event Channel Permissions' -CreateIfNeeded
-New-GPLink -Name 'Custom Event Channel Permissions' -Target "dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes
-New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes
+
+$GPOName = 'Custom Event Channel Permissions'
+Import-GPO -BackupGpoName $GPOName -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName $GPOName -CreateIfNeeded
+$gpLinks = $null
+$OU = "OU=Servers,dc=windomain,dc=local"
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+$OU = "ou=Domain Controllers,dc=windomain,dc=local"
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+$OU = "ou=Workstations,dc=windomain,dc=local" 
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name $GPOName
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name $GPOName -Target $OU -Enforced yes
+}
+else
+{
+    Write-Host "GpLink $GPOName already linked on $OU. Moving On."
+}
+
 gpupdate /force
 # Enable WinRM
 Write-Host "Enabling WinRM"

Vagrant/scripts/download_palantir_osquery.ps1

@@ -2,8 +2,15 @@
 Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
 
 $osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
-
-# GitHub requires TLS 1.2 as of 2/1/2018
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
-Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
+if (-not (Test-Path $osqueryRepoPath))
+{
+    # GitHub requires TLS 1.2 as of 2/1/2018
+    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+    Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
+    Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
+}
+else 
+{
+    Write-Host "$osqueryRepoPath already exists. Moving On."
+}
+Write-Host "Palantir OSQuery download complete!"

Vagrant/scripts/download_palantir_wef.ps1

@@ -4,7 +4,15 @@ Write-Host "Downloading and unzipping the Palantir Windows Event Forwarding Repo
 
 $wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip'
 
-# GitHub requires TLS 1.2 as of 2/1/2018
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath
-Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
+If (-not (Test-Path $wefRepoPath))
+{
+    # GitHub requires TLS 1.2 as of 2/1/2018
+    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+    Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath
+    Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
+}
+else
+{
+    Write-Host "$wefRepoPath already exists. Moving On."
+}
+Write-Host "Palantir WEF download complete!"

Vagrant/scripts/install-autorunstowineventlog.ps1

@@ -1,7 +1,19 @@
 # Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 # TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk
 Write-Host "Installing AutorunsToWinEventLog..."
-cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
-.\Install.ps1
-Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
-Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
+If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
+{
+    cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
+    .\Install.ps1
+    Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
+    Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
+    $Tsk = Get-ScheduledTask -TaskName "AutorunsToWinEventLog"
+    if ($Tsk.State -ne "Running")
+    {
+        throw "AutorunsToWinEventLog scheduled tasks wasn't running after starting it"
+    }
+}
+else 
+{
+    Write-Host "AutorunsToWinEventLog already installed. Moving On."
+}

Vagrant/scripts/install-caldera-agent.ps1

@@ -1,16 +1,17 @@
 # Purpose: Installs the Caldera agent on the host
 
-# Add /etc/hosts entry
-Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.5    logger"
+if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
+{
+  # Add /etc/hosts entry
+  Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.5    logger"
 
-# Make the directory
-New-Item "c:\Program Files\cagent" -type directory
+  # Make the directory
+  New-Item "c:\Program Files\cagent" -type directory
 
-# Install Visual Studio 2015 C++ Redistributable
-choco install -y vcredist2015
+  # Install Visual Studio 2015 C++ Redistributable
+  choco install -y vcredist2015
 
-# Download cagent and start the service
-If (-not (Test-Path "C:\Program Files\cagent\cagent.exe")) {
+  # Download cagent and start the service
   Write-Host "Downloading Caldera Agent (cagent.exe)"
   $cagentPath = "C:\Program Files\cagent\cagent.exe"
   $cagentConfPath = "C:\Program Files\cagent\conf.yml"
@@ -21,8 +22,12 @@ If (-not (Test-Path "C:\Program Files\cagent\cagent.exe")) {
   # https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
   [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
   Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
-  Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
+  Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait  
 } Else {
   Write-Host "Caldera Agent is already installed. Moving on."
 }
+If ((Get-Service -name cagent).Status -ne "Running")
+{
+  throw "Caldera Agent service not running"
+}
 Write-Host "Cagent installation complete!"

Vagrant/scripts/install-inputsconf.ps1

@@ -1,16 +1,31 @@
 # Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts
 
 Write-Host "Setting up Splunk Inputs for Sysmon & osquery"
+
 $inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
+$currentContent = get-content $inputsPath
+$targetContent = get-content c:\vagrant\resources\splunk_forwarder\inputs.conf
 
-Write-Host "Stopping the Splunk forwarder"
-Stop-Service splunkforwarder
+if ($currentContent -ne $targetContent)
+{
+    Write-Host "Stopping the Splunk forwarder"
+    Stop-Service splunkforwarder
 
-Write-Host "Deleting the default configuration"
-Remove-Item $inputsPath
+    Write-Host "Deleting the default configuration"
+    Remove-Item $inputsPath
 
-Write-Host "Copying over the custom configuration"
-Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
+    Write-Host "Copying over the custom configuration"
+    Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
 
-Write-Host "Starting the Splunk forwarder"
-Start-Service splunkforwarder
+    Write-Host "Starting the Splunk forwarder"
+    Start-Service splunkforwarder
+}
+else 
+{
+    Write-Host "Splunk forwarder already configured. Moving on." 
+}
+If ((Get-Service -name splunkforwarder).Status -ne "Running")
+{
+    throw "splunkforwarder service was not running."
+}
+Write-Host "Splunk forwarder installation complete!"

Vagrant/scripts/install-microsoft-ata.ps1

@@ -104,11 +104,30 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
     }
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
     
-    Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant")))
-    Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
-    
-    Set-Location "$env:temp\gatewaysetup"
-    Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
+    If (-not (Test-Path "$env:temp\gatewaysetup.zip"))
+    {
+        Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant",(convertto-securestring -AsPlainText -Force -String "vagrant")))
+        Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
+    }
+    else
+    {
+        Write-Host "[$env:computername] Gateway setup already downloaded. Moving On."
+    }
+    if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics"))
+    {
+        Set-Location "$env:temp\gatewaysetup"    
+        Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
+    }
+    else 
+    {
+        Write-Host "[$env:computername] ATA Gateway already installed. Moving On."
+    }
+    Write-Host "Sleeping 5 minutes to allow ATA gateway to start up..."
+    Start-Sleep -Seconds 300
+    If ((Get-Service "ATAGateway").Status -ne "Running")
+    {
+        throw "ATA lightweight gateway not running"
+    }
     # Disable invalid web requests to endpoints with invalid SSL certs again
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
 }
@@ -120,4 +139,9 @@ $config[0].Configuration.DirectoryServicesResolverConfiguration.UpdateDirectoryE
 Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways/$($config[0].Id)" -UseDefaultCredentials -UseBasicParsing -Method Post -ContentType "application/json" -Body ($config[0] | convertto-json -depth 99)
 
 # Disable invalid web requests to endpoints with invalid SSL certs again
-[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
+
+If ((Get-Service -name "ATACenter").Status -ne "Running")
+{
+    throw "MS ATA service was not running."
+}

Vagrant/scripts/install-osquery.ps1

@@ -36,5 +36,9 @@ If (-not ($service)) {
   Start-Service osqueryd
 }
 else {
-  Write-Host "osquery is already installed"
+  Write-Host "osquery is already installed. Moving On."
+}
+If ((Get-Service -name osqueryd).Status -ne "Running")
+{
+  throw "osqueryd service was not running"
 }

Vagrant/scripts/install-splunkuf.ps1

@@ -10,4 +10,8 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"))
 } Else {
   Write-Host "Splunk is already installed. Moving on."
 }
+If ((Get-Service -name splunkforwarder).Status -ne "Running")
+{
+  throw "Splunk forwarder service not running"
+}
 Write-Host "Splunk installation complete!"

Vagrant/scripts/install-utilities.ps1

@@ -21,8 +21,14 @@ apm install language-docker
 
 # Disable Windows Defender realtime scanning before downloading Mimikatz
 If ($env:computername -eq "WIN10") {
-  set-MpPreference -DisableRealtimeMonitoring $true
+  If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
+  {
+    Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
+  }
+  gpupdate /force | Out-String
   Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
+  set-MpPreference -DisableRealtimeMonitoring $true
+  
 }
 
 # Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
@@ -31,6 +37,19 @@ Write-Host "Determining latest release of Mimikatz..."
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
 $mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
+
 $mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
-Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
-Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
+if (-not (Test-Path $mimikatzRepoPath))
+{
+  Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
+  Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
+}
+else
+{
+  Write-Host "Mimikatz was already installed. Moving On."
+}
+# Enable realtime monitoring again, now that exclusion is set for mimikatz
+If ($env:computername -eq "WIN10") {
+  set-MpPreference -DisableRealtimeMonitoring $false
+}
+Write-Host "Utilties installation complete!"

Vagrant/scripts/install-wefsubscriptions.ps1

@@ -4,24 +4,37 @@
 Write-Host "Installing WEF Subscriptions"
 
 Write-Host "Copying Custom Event Channels DLL"
-Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll c:\windows\system32
-Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man c:\windows\system32
+if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll"))
+{
+    Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll "$env:windir\system32"
+    Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man "$env:windir\system32"
 
-Write-Host "Installing Custom Event Channels Manifest"
-wevtutil im "c:\windows\system32\CustomEventChannels.man"
-Write-Host "Resizing Channels to 4GB"
-$xml = wevtutil el | select-string -pattern "WEC"
-foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
+    Write-Host "Installing Custom Event Channels Manifest"
+    wevtutil im "c:\windows\system32\CustomEventChannels.man"
+    Write-Host "Resizing Channels to 4GB"
+    $xml = wevtutil el | select-string -pattern "WEC"
+    foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
 
-Write-Host "Starting the Windows Event Collector Service"
-net start wecsvc
+    Write-Host "Starting the Windows Event Collector Service"
+    net start wecsvc
 
-Write-Host "Creating custom event subscriptions"
-cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
-cmd /c "for /r %i in (*.xml) do wecutil cs %i"
+    Write-Host "Creating custom event subscriptions"
+    cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
+    cmd /c "for /r %i in (*.xml) do wecutil cs %i"
 
-Write-Host "Enabling custom event subscriptions"
-cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
+    Write-Host "Enabling custom event subscriptions"
+    cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
 
-Write-Host "Enabling WecUtil Quick Config"
-wecutil qc /q:true
+    Write-Host "Enabling WecUtil Quick Config"
+    wecutil qc /q:true
+}
+else 
+{
+    Write-Host "WEF Subscriptions already installed, moving on"
+    net start wecsvc
+}
+Start-Sleep -Seconds 60
+if ((Get-Service -Name wecsvc).Status -ne "Running")
+{
+    throw "Windows Event Collector service was not running"
+}