Adding Olaf's Threat Hunting App. Fixes. Updates.

Vagrant/bootstrap.sh

@@ -84,8 +84,8 @@ install_splunk() {
     # Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
     dig @8.8.8.8 splunk.com
     # Download Splunk
-    wget --progress=bar:force -O splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.2&product=splunk&filename=splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb&wget=true'
-    dpkg -i splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb
+    wget --progress=bar:force -O splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.1&product=splunk&filename=splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb&wget=true'
+    dpkg -i splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb
     /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
     /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
@@ -94,9 +94,17 @@ install_splunk() {
     /opt/splunk/bin/splunk add index powershell -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index bro -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
+    /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_012.tgz -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_11.tgz  -auth 'admin:changeme'
+    # Add custom Macro definitions for ThreatHunting App
+    cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/local
+
     # Add a Splunk TCP input on port 9997
     echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
     # Add props.conf and transforms.conf
@@ -105,6 +113,7 @@ install_splunk() {
     cp /opt/splunk/etc/system/default/limits.conf /opt/splunk/etc/system/local/limits.conf
     # Bump the memtable limits to allow for the ASN lookup table
     sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
+
     # Skip Splunk Tour and Change Password Dialog
     touch /opt/splunk/etc/.ui_login
     # Enable SSL Login for Splunk

Vagrant/resources/fleet/server.crt

@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICnjCCAYYCCQD3m5L/nC/akjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr
-b2xpZGUwHhcNMTcxMTAxMjAxMDIxWhcNMTgxMTAxMjAxMDIxWjARMQ8wDQYDVQQD
-DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDahfD8pVJN
-KSdE+GoYIPsteyHvyQXXGcCIlrt+EFI5TXKBcHE8Vyyi1xw7hTpGKA3DGbLBf43E
-j26w7NS0hGhbJHwjx5EBujWhDskbH8GTzhQllVoYOOwuU85MWiISQOAWhaytIFYg
-6wnBaA0EtNEOeYPD1J5t1Bt4k9pwS+ATJxAag9BSesMdmU6Uz2zCxSavsDMGepiv
-kaOAzT4Bhy3aVhq56mNayLT2fCdmyEyKlou9gUzteY0dp010ZNfqyxgcsnhogUij
-6LaEsVzsxDRH7HFPtCeGBb8CjnnPhMbAU9nzhn+9EEtiIUvN0Dl0G/DmgziTpKgD
-EEmddbqEK6g9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBALVH183jm9WeKXd3Uhqn
-jyOZ8H4+RhaADm4rkABmVHUAIoqLQOfpnTuvcp/eiAAUBNaRk8B5T+yWosx+IP4u
-SUoRR949zdn5kd/BkoHE5rcJh169goJlKLtKGXkPyCRgcakXC/kDSZtWrIyw/vYu
-6WYjScDLiEDlgVQQuEdI3S5lDm9D0UMvCmiVsUyWYcTic2WgO9vaOErWS5UQMaPV
-crzxIJKxd1eK0++gdyiwWwakWBtHpDQnpjamfFBqltvXKdpY1cIVJsyXROlZ6xNk
-NqbzMLDLt/4zvGjG88zrpwqU2egigX2VkAgOMa8BEnnkvZMuCcgoYkCXbY3CXsts
-YOM=
+MIICnjCCAYYCCQCwK8/9PtNo1TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr
+b2xpZGUwHhcNMTgxMjExMDg0NjUxWhcNMjEwOTA2MDg0NjUxWjARMQ8wDQYDVQQD
+DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDO6RiMkjD1
+LJmcTR3oiUXrN4Kz+2KWCm3RrM6UanxhmVG12DrX1VPzsFkmzPdc74LKVUqPFJfV
+oAt3U2RQ4oPmMdS9yuvYz9NprbZ8Qe+Toue5reUqyDU9RQhoiYMuCvIdoOS35Zg4
+gHrP8fMkDNLSE3egqHNxtQ0lCTHiIOB3+Lr2MDiuSLP2WM+JLc7tt95Vg4zAU0VG
+38Q/SfET3OhCUIOu2OR/XlpqbKORRHqrc7/0wzuZGxSsw+bei8d/OOfKdvL3WhFd
+35F0OduEa0PGphKt0ePT6R2NtjtGg5GIQ3QhC222qAeYXLOOeNIS2RB42h6rr/Fr
+vXUl/Gj4HGxNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJu06ushu+H4gBzH65pR
+caBkH7OKbmOUxmVwkZMmHGaTWnHvUmvSNaR70466Sd25YHn1MyNmi3rI0h2LwUjU
+wEXoDbQRUpbKrF410L114D5g5lZ78eMRXN5ItzJluGVHOpdBWCJslpvoksW7ovPD
+awbD2hPNDIOAjVTXC3fgyEST+VSLripjhg6yhgZWVYRNgfcjDl3IG3AIg3Gpr7mu
+ClqTYP27vL4EYTIp+waYhYIc/CEI/lao7/X++5Gp2bJsMscFuSfJDJ3kLvbCebyL
+1GSnkKbtokUFqsDWnG9IoodHCSL/lj8fhTeXJZsi5Zky9yZC7BiIKmGn5/vcOTO6
+oDs=
 -----END CERTIFICATE-----

Vagrant/resources/fleet/server.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA2oXw/KVSTSknRPhqGCD7LXsh78kF1xnAiJa7fhBSOU1ygXBx
-PFcsotccO4U6RigNwxmywX+NxI9usOzUtIRoWyR8I8eRAbo1oQ7JGx/Bk84UJZVa
-GDjsLlPOTFoiEkDgFoWsrSBWIOsJwWgNBLTRDnmDw9SebdQbeJPacEvgEycQGoPQ
-UnrDHZlOlM9swsUmr7AzBnqYr5GjgM0+AYct2lYauepjWsi09nwnZshMipaLvYFM
-7XmNHadNdGTX6ssYHLJ4aIFIo+i2hLFc7MQ0R+xxT7QnhgW/Ao55z4TGwFPZ84Z/
-vRBLYiFLzdA5dBvw5oM4k6SoAxBJnXW6hCuoPQIDAQABAoIBAGaidD5lc5NUGeKV
-/laY3wBMjfLuarTNnpVInoUmK0hIrNhItJaPpyJQgC0gdO9Qjq4s2r1xKGfCqk2k
-3n5ulgkAyOGRMPUrvVaI+EGqF6RRLTs9u5QW4C8eI43O46PJHrbVT/X8cxeA7RMO
-yNaGCo6O2ilXKpYRAloOr5EAwhyb5OeNrxe/XkngzU2/Sy/XPqqa/gUZGReJzEW1
-/M/iJULNSo2smKftdzDkiSVxH4x5En3q/ri7EUs6NMJZ9V7mUI7LJABeDOBYNta6
-e43b9f6sVfoecFU71FmrXx6QUvUJATNUPEqCwQqp4LfmUrv/Rnty/d39ktQqkpkV
-u4CQ700CgYEA9c6WoE7sK+M4ySmnc08ol0RxoUX4gp9oHbIUe+8fN4al6uLawvc1
-zgPjsev9kMGsw9Ejm2ID+PcuyQirJcE+MkT6Jdj6S39hE0umnFfxytF8vssqVcrG
-bSWS3fLgQ+5k7/IbWFJiQxRW7Y/4qjlOqeHE9tAbPMUyH+viT6nu6w8CgYEA45W3
-fSHVrr72h7WettUwb/dJLSjIj7MbMcMGrq2bStwHkZikXr1tgBtxFBTiOoc2p1JK
-+bII0cilAyobp1wk6spOt501QeciYxnCgHBuenC4TDmzPdgwQvBOHQoMe8oS/ZBd
-SwGpuEBCfBnODnDrWNgAye9rxV1pAXwUTns45/MCgYEAqhLbs2WIEUGxS7ZvbuAp
-ZKhturlwHejvoARUGgA0aDXY3PFDjbyAVN/qDnQLSLpIsGAnM96Ygw18KIq/6GqR
-fzSso71CSTSEVVZ1nB1ZZgyWNGjcDOo1atWhjcH7m+T5n++zLeQqquEK2GpSEm1+
-WRqmLmOFRQHoEaAjQR2B+s8CgYBe5WvISpZuMgRcHBgdBpIW7dbedLYEbVt2iWq8
-5XjuYwbo5+wJ8RS6qTaid/7JBt58MG1A5sKUrwRXaHR1eY+PM2JVX8D4ROdqyS/4
-HGmEtoGyjxC1RfMBxm/b3ffMmjsG7e5ouz3IrUrLsnrgPKd1uUPC8AlRF50UWGej
-PfBBjwKBgDqk/kpJ7aYfJB/lB5F+v+V1YucNyCgxj6cQ/aiBxOq3pN7wi8/vra2K
-/cGiz4JWrSS3PeUmiu7eCsYbItxyi1yjNOcfI1/gJTjm8Mgoh7WT39a8IfPefsLD
-MpJ3ISw+VcV1Vcr8g7/LsZZNfRcTVEZbCWSdPH69KgdDn8vLU1O0
+MIIEowIBAAKCAQEAzukYjJIw9SyZnE0d6IlF6zeCs/tilgpt0azOlGp8YZlRtdg6
+19VT87BZJsz3XO+CylVKjxSX1aALd1NkUOKD5jHUvcrr2M/Taa22fEHvk6Lnua3l
+Ksg1PUUIaImDLgryHaDkt+WYOIB6z/HzJAzS0hN3oKhzcbUNJQkx4iDgd/i69jA4
+rkiz9ljPiS3O7bfeVYOMwFNFRt/EP0nxE9zoQlCDrtjkf15aamyjkUR6q3O/9MM7
+mRsUrMPm3ovHfzjnynby91oRXd+RdDnbhGtDxqYSrdHj0+kdjbY7RoORiEN0IQtt
+tqgHmFyzjnjSEtkQeNoeq6/xa711Jfxo+BxsTQIDAQABAoIBACil/G+pTLrtzyO4
+trZ3OWgzWJcZPM3zMI3voAniPZtC7p2F5FGAlGSccXdA7xuv5gbv6JzhU87hCT+g
+/2Uwiu8PPRcoJVtLwOHTAbW5kmJzr4h31DyqZmMqC7PVyBKkjdoqQKSsE1KOUxJF
+Gxoq9sPUlTzXuw5Mnk93Vfhxswd+WFaajrwnZWV+nWG436Y6QtrP241E5AS+SrPo
+CoaiXPNsvJjdGlF6yRYyUCYlZKQItPXjGgTI+TC3gfiZHwv6y86ylBHT5uObIDeu
+hvc1pVOf73vPLrpwvqmY/6y+RLzMqPByyuas/8V/RrZScDKgA0FQ1fL6IHxC6yim
+DFhL6cECgYEA8pTZ0VE2UdYuXTxvkiGsdgebkh3kxiy25PwjSzW18q7WThoZrErv
++ggzYY6DKLH430lbmVeDUl9yBasr8AeJMgI+lcxDkqUyUJiWJEQtW2pLVjcv3JHE
+0ixK5knzEEDsZUZa9DsCx3PVmylJw64qk+QnRjFXfxkTo+nWpbZrxTECgYEA2lsd
+tY0blBM9xpRHYu58C7muMLwm7hlgxpAlG7lFQAYr7XOghAx7r+sDoAzx0f7w5/mQ
+y2W9vKlJeaU0nzwohsSIt7/bU81+lx3MBtR2DEjsTRTF4zJ760HFf4raFZGEeiS4
+j2e5Z02lVXw+5J3m8DJkjxyNtIwPGHJEKiquAd0CgYB7baWOzaW36iTZJ+EVF7Eq
+tSBBLpizBRliVbCXmhKkErXUM4+QjOih7f5Gyz6NPFEHO8oxsceN6CaaH8hRb2Qt
+X9r8WVyghxGc1KbAeTgi5WjDy3y83CarUgIiPspAIOindy7cShJV7ehn9JAl0r6z
+VUlue7irYNUPd/HRi4o2YQKBgHrPXHpMDwLNf6U8qJngACyoFmyaplqsM136nKRn
+I6fK0NIQgmtCih57U+Kk5S1y8hPGrcV4R6rgm86rOFmHAFQsHakbY0RTA6wCuknt
+HSfzq9P+pv4N2tyKdYYylk4jNhtso9EkSYbsiNz3sHfsx4K5FQ3YxWqSi7r4KZZ9
+wriRAoGBAK6huxSeKGqwh/w/QNmdMQPgJU2nso4ZAQZ0hrvhq0frwMRzfrdVktCB
+KfxwCasNgyg7faVoAPlzAiraNkRnPHGRYqnXs2qX0rf3KU1VT6974dU2j8tOhBQ9
+qr+nDCPe9thRzkGZcRNIQllznWVo0iwi+yXew0jxBPLhxIMVbx1c
 -----END RSA PRIVATE KEY-----

Vagrant/resources/splunk_server/macros.conf

@@ -0,0 +1,71 @@
+[sysmon]
+definition = index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
+iseval = 0
+
+[windows-app]
+definition = index=wineventlog source="WinEventLog:Application"
+iseval = 0
+
+[powershell]
+definition = index=powershell OR (index=wineventlog source="WinEventLog:Windows PowerShell" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational")
+iseval = 0
+
+[windows-security]
+definition = index=wineventlog source="WinEventLog:Security"
+iseval = 0
+
+[pan_threat]
+definition = index=pan_logs sourcetype="pan:threat"
+iseval = 0
+
+[domain]
+definition = WINDOMAIN
+iseval = 0
+
+[windows]
+definition = index=wineventlog source="WinEventLog:System" OR source="WinEventLog:Security"
+iseval = 0
+
+[windows-system]
+definition = index=wineventlog source="WinEventLog:System"
+iseval = 0
+
+[no-domain]
+definition = "WINDOMAIN\\*"
+iseval = 0
+
+[process_create_whitelist]
+definition = search NOT [| inputlookup threathunting_process_create_whitelist.csv | fields mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line hash_sha256]
+iseval = 0
+
+[network_whitelist]
+definition = search NOT [| inputlookup threathunting_network_whitelist.csv | fields mitre_technique_id host_fqdn user_name dst_ip	dst_port src_ip process_path]
+iseval = 0
+
+[process_access_whitelist]
+definition = search NOT [| inputlookup threathunting_process_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path target_process_path process_granted_access]
+iseval = 0
+
+[image_load_whitelist]
+definition = search NOT [| inputlookup threathunting_image_load_whitelist.csv | fields mitre_technique_id host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signatureStatus]
+iseval = 0
+
+[file_access_whitelist]
+definition = search NOT [| inputlookup threathunting_file_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path file_path]
+iseval = 0
+
+[registry_whitelist]
+definition = search NOT [| inputlookup threathunting_registry_whitelist.csv | fields mitre_technique_id host_fqdn event_type process_path registry_key_path registry_key_details]
+iseval = 0
+
+[pipe_created_whitelist]
+definition = search NOT [| inputlookup threathunting_pipe_created_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
+iseval = 0
+
+[wmi_whitelist]
+definition = search NOT [| inputlookup threathunting_wmi_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
+iseval = 0
+
+[remote_thread_whitelist]
+definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
+iseval = 0

Vagrant/scripts/install-sysinternals.ps1

@@ -41,11 +41,12 @@ Write-Host "Downloading Tcpview.exe..."
 (New-Object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Tcpview.exe', $tcpviewPath)
 Copy-Item $sysmonPath $sysmonDir
 
-# Download SwiftOnSecurity's Sysmon config
-Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
-(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
-# Alternative: Download Olaf Hartongs Sysmon config (more CPU intensive)
-# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml, "$sysmonConfigPath"
+# Download Olaf Hartongs Sysmon config
+Write-Host "Downloading Olaf Hartong's Sysmon config..."
+(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml', "$sysmonConfigPath")
+# Alternative: Download SwiftOnSecurity's Sysmon config
+# Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
+# (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml', "$sysmonConfigPath")
 
 # Start Sysmon
 Write-Host "Starting Sysmon..."

Vagrant/scripts/join-domain.ps1

@@ -27,3 +27,10 @@ If ($hostname -eq "wef") {
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
+
+# Stop Windows Update
+Write-Host "Disabling Windows Updates and Windows Module Services"
+Set-Service wuauserv -StartupType Disabled
+Stop-Service wuauserv
+Set-Service TrustedInstaller -StartupType Disabled
+Stop-Service TrustedInstaller

build.ps1

@@ -108,37 +108,37 @@ function check_vagrant {
 
 # Returns false if not installed or true if installed
 function check_virtualbox_installed {
-  Write-Verbose '[check_virtualbox_installed] Running..'
+  Write-Host '[check_virtualbox_installed] Running..'
   if (install_checker -Name "VirtualBox") {
-    Write-Verbose '[check_virtualbox_installed] Virtualbox found.'
+    Write-Host '[check_virtualbox_installed] Virtualbox found.'
     return $true
   }
   else {
-    Write-Verbose '[check_virtualbox_installed] Virtualbox not found.'
+    Write-Host '[check_virtualbox_installed] Virtualbox not found.'
     return $false
   }
 }
 function check_vmware_workstation_installed {
-  Write-Verbose '[check_vmware_workstation_installed] Running..'
+  Write-Host '[check_vmware_workstation_installed] Running..'
   if (install_checker -Name "VMware Workstation") {
-    Write-Verbose '[check_vmware_workstation_installed] VMware Workstation found.'
+    Write-Host '[check_vmware_workstation_installed] VMware Workstation found.'
     return $true
   }
   else {
-    Write-Verbose '[check_vmware_workstation_installed] VMware Workstation not found.'
+    Write-Host '[check_vmware_workstation_installed] VMware Workstation not found.'
     return $false
   }
 }
 
 function check_vmware_vagrant_plugin_installed {
-  Write-Verbose '[check_vmware_vagrant_plugin_installed] Running..'
+  Write-Host '[check_vmware_vagrant_plugin_installed] Running..'
   if (vagrant plugin list | Select-String 'vagrant-vmware-desktop') {
-    Write-Verbose 'The vagrant VMware Workstation plugin is no longer supported.'
-    Write-Verbose 'Please upgrade to the VMware Desktop plugin: https://www.vagrantup.com/docs/vmware/installation.html'
+    Write-Host 'The vagrant VMware Workstation plugin is no longer supported.'
+    Write-Host 'Please upgrade to the VMware Desktop plugin: https://www.vagrantup.com/docs/vmware/installation.html'
     return $false
   }
   if (vagrant plugin list | Select-String 'vagrant-vmware-desktop') {
-    Write-Verbose '[check_vmware_vagrant_plugin_installed] Vagrant VMware Desktop plugin found.'
+    Write-Host '[check_vmware_vagrant_plugin_installed] Vagrant VMware Desktop plugin found.'
     return $true
   }
   else {
@@ -178,7 +178,7 @@ function list_providers {
 }
 
 function download_boxes {
-  Write-Verbose '[download_boxes] Running..'
+  Write-Host '[download_boxes] Running..'
   if ($PackerProvider -eq 'virtualbox') {
     $win10Hash = '94c1ff7264e67af3d7df6d19275086ac'
     $win2016Hash = '2a0b5dbc432e27a0223da026cc1f378b'
@@ -192,9 +192,9 @@ function download_boxes {
   $win2016Filename = "windows_2016_$PackerProvider.box"
 
   $wc = New-Object System.Net.WebClient
-  Write-Verbose "[download_boxes] Downloading $win10Filename"
+  Write-Host "[download_boxes] Downloading $win10Filename"
   $wc.DownloadFile("https://www.detectionlab.network/$win10Filename", "$DL_DIR\Boxes\$win10Filename")
-  Write-Verbose "[download_boxes] Downloading $win2016Filename"
+  Write-Host "[download_boxes] Downloading $win2016Filename"
   $wc.DownloadFile("https://www.detectionlab.network/$win2016Filename", "$DL_DIR\Boxes\$win2016Filename")
   $wc.Dispose()
 
@@ -207,12 +207,12 @@ function download_boxes {
     break
   }
 
-  Write-Verbose "[download_boxes] Getting filehash for: $win10Filename"
+  Write-Host "[download_boxes] Getting filehash for: $win10Filename"
   $win10Filehash = (Get-FileHash -Path "$DL_DIR\Boxes\$win10Filename" -Algorithm MD5).Hash
-  Write-Verbose "[download_boxes] Getting filehash for: $win2016Filename"
+  Write-Host "[download_boxes] Getting filehash for: $win2016Filename"
   $win2016Filehash = (Get-FileHash -Path "$DL_DIR\Boxes\$win2016Filename" -Algorithm MD5).Hash
 
-  Write-Verbose '[download_boxes] Checking Filehashes..'
+  Write-Host '[download_boxes] Checking Filehashes..'
   if ($win10hash -ne $win10Filehash) {
     Write-Error 'Hash mismatch on windows_10_virtualbox.box'
     break
@@ -221,18 +221,18 @@ function download_boxes {
     Write-Error 'Hash mismatch on windows_2016_virtualbox.box'
     break
   }
-  Write-Verbose '[download_boxes] Finished.'
+  Write-Host '[download_boxes] Finished.'
 }
 
 function preflight_checks {
-  Write-Verbose '[preflight_checks] Running..'
+  Write-Host '[preflight_checks] Running..'
   # Check to see that no boxes exist
   if (-Not ($VagrantOnly)) {
-    Write-Verbose '[preflight_checks] Checking if Packer is installed'
+    Write-Host '[preflight_checks] Checking if Packer is installed'
     check_packer
 
     # Check Packer Version against known bad
-    Write-Verbose '[preflight_checks] Checking for bad packer version..'
+    Write-Host '[preflight_checks] Checking for bad packer version..'
     [System.Version]$PackerVersion = $(& $PackerPath "--version")
     [System.Version]$PackerKnownBad = 1.1.2
 
@@ -241,16 +241,16 @@ function preflight_checks {
       break
     }
   }
-  Write-Verbose '[preflight_checks] Checking if Vagrant is installed'
+  Write-Host '[preflight_checks] Checking if Vagrant is installed'
   check_vagrant
 
-  Write-Verbose '[preflight_checks] Checking for pre-existing boxes..'
+  Write-Host '[preflight_checks] Checking for pre-existing boxes..'
   if ((Get-ChildItem "$DL_DIR\Boxes\*.box").Count -gt 0) {
     Write-Host 'You seem to have at least one .box file present in the Boxes directory already. If you would like fresh boxes downloaded, please remove all files from the Boxes directory and re-run this script.'
   }
 
   # Check to see that no vagrant instances exist
-  Write-Verbose '[preflight_checks] Checking for vagrant instances..'
+  Write-Host '[preflight_checks] Checking for vagrant instances..'
   $CurrentDir = Get-Location
   Set-Location "$DL_DIR\Vagrant"
   if (($(vagrant status) | Select-String -Pattern "not[ _]created").Count -ne 4) {
@@ -260,7 +260,7 @@ function preflight_checks {
   Set-Location $CurrentDir
 
   # Check available disk space. Recommend 80GB free, warn if less
-  Write-Verbose '[preflight_checks] Checking disk space..'
+  Write-Host '[preflight_checks] Checking disk space..'
   $drives = Get-PSDrive | Where-Object {$_.Provider -like '*FileSystem*'}
   $drivesList = @()
 
@@ -279,7 +279,7 @@ function preflight_checks {
   }
 
   # Ensure the vagrant-reload plugin is installed
-  Write-Verbose '[preflight_checks] Checking if vagrant-reload is installed..'
+  Write-Host '[preflight_checks] Checking if vagrant-reload is installed..'
   if (-Not (vagrant plugin list | Select-String 'vagrant-reload')) {
     Write-Output 'The vagrant-reload plugin is required and not currently installed. This script will attempt to install it now.'
     (vagrant plugin install 'vagrant-reload')
@@ -288,7 +288,7 @@ function preflight_checks {
       break
     }
   }
-  Write-Verbose '[preflight_checks] Finished.'
+  Write-Host '[preflight_checks] Finished.'
 }
 
 function packer_build_box {
@@ -296,12 +296,12 @@ function packer_build_box {
     [string]$Box
   )
 
-  Write-Verbose "[packer_build_box] Running for $Box"
+  Write-Host "[packer_build_box] Running for $Box"
   $CurrentDir = Get-Location
   Set-Location "$DL_DIR\Packer"
   Write-Output "Using Packer to build the $BOX Box. This can take 90-180 minutes depending on bandwidth and hardware."
   &$PackerPath @('build', "--only=$PackerProvider-iso", "$box.json")
-  Write-Verbose "[packer_build_box] Finished for $Box. Got exit code: $LASTEXITCODE"
+  Write-Host "[packer_build_box] Finished for $Box. Got exit code: $LASTEXITCODE"
 
   if ($LASTEXITCODE -ne 0) {
     Write-Error "Something went wrong while attempting to build the $BOX box."
@@ -312,7 +312,7 @@ function packer_build_box {
 }
 
 function move_boxes {
-  Write-Verbose "[move_boxes] Running.."
+  Write-Host "[move_boxes] Running.."
   Move-Item -Path $DL_DIR\Packer\*.box -Destination $DL_DIR\Boxes
   if (-Not (Test-Path "$DL_DIR\Boxes\windows_10_$PackerProvider.box")) {
     Write-Error "Windows 10 box is missing from the Boxes directory. Qutting."
@@ -322,20 +322,21 @@ function move_boxes {
     Write-Error "Windows 2016 box is missing from the Boxes directory. Qutting."
     break
   }
-  Write-Verbose "[move_boxes] Finished."
+  Write-Host "[move_boxes] Finished."
 }
 
 function vagrant_up_host {
   param(
     [string]$VagrantHost
   )
-  Write-Verbose "[vagrant_up_host] Running for $VagrantHost"
+  Write-Host "[vagrant_up_host] Running for $VagrantHost"
   Write-Host "Attempting to bring up the $VagrantHost host using Vagrant"
   $CurrentDir = Get-Location
   Set-Location "$DL_DIR\Vagrant"
-  &vagrant.exe @('up', $VagrantHost, '--provider', "$ProviderName")
+  set VAGRANT_LOG=info
+  &vagrant.exe @('up', $VagrantHost, '--provider', "$ProviderName") 2>&1 | Out-File -FilePath ".\vagrant_up_$VagrantHost.log"
   Set-Location $CurrentDir
-  Write-Verbose "[vagrant_up_host] Finished for $VagrantHost. Got exit code: $LASTEXITCODE"
+  Write-Host "[vagrant_up_host] Finished for $VagrantHost. Got exit code: $LASTEXITCODE"
   return $LASTEXITCODE
 }
 
@@ -343,12 +344,12 @@ function vagrant_reload_host {
   param(
     [string]$VagrantHost
   )
-  Write-Verbose "[vagrant_reload_host] Running for $VagrantHost"
+  Write-Host "[vagrant_reload_host] Running for $VagrantHost"
   $CurrentDir = Get-Location
   Set-Location "$DL_DIR\Vagrant"
-  &vagrant.exe @('reload', $VagrantHost, '--provision') | Out-Null
+  &vagrant.exe @('reload', $VagrantHost, '--provision') 2>&1 | Out-File -FilePath ".\vagrant_up_$VagrantHost.log" -Append
   Set-Location $CurrentDir
-  Write-Verbose "[vagrant_reload_host] Finished for $VagrantHost. Got exit code: $LASTEXITCODE"
+  Write-Host "[vagrant_reload_host] Finished for $VagrantHost. Got exit code: $LASTEXITCODE"
   return $LASTEXITCODE
 }
 
@@ -359,7 +360,7 @@ function download {
     [switch]$SuccessOn401
 
   )
-  Write-Verbose "[download] Running for $URL, looking for $PatternToMatch"
+  Write-Host "[download] Running for $URL, looking for $PatternToMatch"
   [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
   [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
 
@@ -368,11 +369,11 @@ function download {
   {
     $result = $wc.DownloadString($URL)
     if ($result -like "*$PatternToMatch*") {
-      Write-Verbose "[download] Found $PatternToMatch at $URL"
+      Write-Host "[download] Found $PatternToMatch at $URL"
       return $true
     }
     else {
-      Write-Verbose "[download] Could not find $PatternToMatch at $URL"
+      Write-Host "[download] Could not find $PatternToMatch at $URL"
       return $false
     }
   }
@@ -384,7 +385,7 @@ function download {
     }
     else
     {
-      Write-Verbose "Error occured on webrequest: $_"
+      Write-Host "Error occured on webrequest: $_"
       return $false
     }
 
@@ -393,21 +394,21 @@ function download {
 
 function post_build_checks {
 
-  Write-Verbose '[post_build_checks] Running Caldera Check.'
+  Write-Host '[post_build_checks] Running Caldera Check.'
   $CALDERA_CHECK = download -URL 'https://192.168.38.105:8888' -PatternToMatch '<title>CALDERA</title>'
-  Write-Verbose "[post_build_checks] Cladera Result: $CALDERA_CHECK"
+  Write-Host "[post_build_checks] Cladera Result: $CALDERA_CHECK"
 
-  Write-Verbose '[post_build_checks] Running Splunk Check.'
+  Write-Host '[post_build_checks] Running Splunk Check.'
   $SPLUNK_CHECK = download -URL 'https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F' -PatternToMatch 'This browser is not supported by Splunk'
-  Write-Verbose "[post_build_checks] Splunk Result: $SPLUNK_CHECK"
+  Write-Host "[post_build_checks] Splunk Result: $SPLUNK_CHECK"
 
-  Write-Verbose '[post_build_checks] Running Fleet Check.'
+  Write-Host '[post_build_checks] Running Fleet Check.'
   $FLEET_CHECK = download -URL 'https://192.168.38.105:8412' -PatternToMatch 'Kolide Fleet'
-  Write-Verbose "[post_build_checks] Fleet Result: $FLEET_CHECK"
+  Write-Host "[post_build_checks] Fleet Result: $FLEET_CHECK"
 
-  Write-Verbose '[post_build_checks] Running MS ATA Check.'
+  Write-Host '[post_build_checks] Running MS ATA Check.'
   $ATA_CHECK = download -URL 'https://192.168.38.103' -SuccessOn401
-  Write-Verbose "[post_build_checks] ATA Result: $ATA_CHECK"
+  Write-Host "[post_build_checks] ATA Result: $ATA_CHECK"
 
 
   if ($CALDERA_CHECK -eq $false) {
@@ -455,26 +456,26 @@ else {
 
 # Vagrant up each box and attempt to reload one time if it fails
 forEach ($VAGRANT_HOST in $LAB_HOSTS) {
-  Write-Verbose "[main] Running vagrant_up_host for: $VAGRANT_HOST"
+  Write-Host "[main] Running vagrant_up_host for: $VAGRANT_HOST"
   $result = vagrant_up_host -VagrantHost $VAGRANT_HOST
-  Write-Verbose "[main] vagrant_up_host finished. Exitcode: $result"
+  Write-Host "[main] vagrant_up_host finished. Exitcode: $result"
   if ($result -eq '0') {
     Write-Output "Good news! $VAGRANT_HOST was built successfully!"
   }
   else {
     Write-Warning "Something went wrong while attempting to build the $VAGRANT_HOST box."
     Write-Output "Attempting to reload and reprovision the host..."
-    Write-Verbose "[main] Running vagrant_reload_host for: $VAGRANT_HOST"
+    Write-Host "[main] Running vagrant_reload_host for: $VAGRANT_HOST"
     $retryResult = vagrant_reload_host -VagrantHost $VAGRANT_HOST
     if ($retryResult -ne 0) {
       Write-Error "Failed to bring up $VAGRANT_HOST after a reload. Exiting"
       break
     }
   }
-  Write-Verbose "[main] Finished for: $VAGRANT_HOST"
+  Write-Host "[main] Finished for: $VAGRANT_HOST"
 }
 
 
-Write-Verbose "[main] Running post_build_checks"
+Write-Host "[main] Running post_build_checks"
 post_build_checks
-Write-Verbose "[main] Finished post_build_checks"
+Write-Host "[main] Finished post_build_checks"